Posts

VMware ESXi 5.5 and LSI RAID monitoring

Adding LSI RAID controller status to the VI client and connecting to ESX using MSM (MegaRAID Storage Manager) running on Windows.

Adding pagespeed module to nginx 1.7.8 on Ubuntu 14.04

I wanted to run a fresh nginx version with Google PageSpeed on Ubuntu 14.04.

Installing Ubuntu 14.04 LTS with Cacti 0.8.8c

Ubuntu provides only Cacti 0.8.8b, so we need to compile our own 0.8.8c package after installing the OS.

Virtualizing old Centos 5 server with software RAID disks

VMware Converter does a decent job converting old physical servers to virtual machines, but it refuses to do anything with servers using software RAID. I really don't get why such an arbitrary limitation is in place. It really doesn't matter whether the physical server used RAID, software or not, because everything is copied by Converter at file level rather than block level.

Remapping bad sectors with Linux and dd

I have one faulty non-RAID disk on a server which I can't replace right now, so I wanted to see if I could mask the problems by manually triggering bad sector reallocation.
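As an added example (not the commands from the original post), this is the generic reallocation workflow the post's title refers to: a drive keeps an unreadable sector in "pending" state until a write to it succeeds, and that write is what makes the firmware remap the LBA to a spare. The script pulls the failing LBA out of the SMART self-test log, checks that it really still fails to read, overwrites only that sector, and shows the Current_Pending_Sector / Reallocated_Sector_Ct counters before and after. It assumes smartctl (smartmontools), blockdev (util-linux) and GNU dd; the device path is whatever you pass in. Anything stored in that sector is destroyed, so find out what lives there before running it on a mounted filesystem.

```shell
#!/bin/sh
# Added example, not the original post's commands: force reallocation of one
# pending bad sector by overwriting it. Assumed tools: smartctl, blockdev, GNU dd.
set -eu

# Flags for the verification read. O_DIRECT bypasses the page cache so the read
# really hits the disk; kept in a variable so tests on regular files can unset it.
DD_READ_FLAGS="${DD_READ_FLAGS-iflag=direct}"

# Parse `smartctl -l selftest DEV` (stdin) and print the first failing LBA.
# Log rows start with "# N"; the last column is LBA_of_first_error, "-" if none.
first_failing_lba() {
    awk '/^# *[0-9]+/ && $NF != "-" { print $NF; exit }'
}

# Parse `smartctl -A DEV` (stdin) and print the RAW_VALUE (column 10) of ATTR,
# e.g. Current_Pending_Sector or Reallocated_Sector_Ct.
smart_raw_value() {
    awk -v attr="$1" '$2 == attr { print $10 }'
}

# SMART reports LBAs in logical sectors, so dd must use the logical sector size
# (512 on most disks, 4096 on 4Kn drives) or skip=/seek= land on the wrong bytes.
logical_sector_size() {
    blockdev --getss "$1"
}

# Exit 0 if reading exactly that one sector fails. A sector that reads fine is not
# pending any more (or the LBA is stale); overwriting it would only destroy data.
sector_is_unreadable() {
    dev="$1"; lba="$2"; bs="$3"
    # shellcheck disable=SC2086  # DD_READ_FLAGS is intentionally word-split
    ! dd if="$dev" of=/dev/null bs="$bs" skip="$lba" count=1 $DD_READ_FLAGS 2>/dev/null
}

# Overwrite one sector with zeros. conv=notrunc keeps the rest of the target
# intact (matters on files, harmless on block devices); fsync makes sure the
# write reached the drive before SMART is read again.
zero_sector() {
    dev="$1"; lba="$2"; bs="$3"
    dd if=/dev/zero of="$dev" bs="$bs" seek="$lba" count=1 conv=notrunc,fsync 2>/dev/null
}

# Full workflow for one device: take the LBA from the last (long) self-test,
# confirm it still fails, overwrite it, and show the counters before and after.
remap_pending_sector() {
    dev="$1"
    lba=$(smartctl -l selftest "$dev" | first_failing_lba)
    if [ -z "$lba" ]; then
        echo "no failing LBA in the self-test log; run: smartctl -t long $dev" >&2
        return 1
    fi
    bs=$(logical_sector_size "$dev")
    echo "before: pending=$(smartctl -A "$dev" | smart_raw_value Current_Pending_Sector)" \
         "reallocated=$(smartctl -A "$dev" | smart_raw_value Reallocated_Sector_Ct)"
    if ! sector_is_unreadable "$dev" "$lba" "$bs"; then
        echo "LBA $lba reads fine, refusing to overwrite it" >&2
        return 1
    fi
    zero_sector "$dev" "$lba" "$bs"
    echo "after:  pending=$(smartctl -A "$dev" | smart_raw_value Current_Pending_Sector)" \
         "reallocated=$(smartctl -A "$dev" | smart_raw_value Reallocated_Sector_Ct)"
}
```

Usage is `remap_pending_sector /dev/sdb` after a `smartctl -t long /dev/sdb` has finished. If Current_Pending_Sector does not drop after the write, the drive could not remap (no spares left, or the firmware only remaps on a verified read failure), and at that point the disk is a replacement candidate rather than something to keep masking.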

Using Sonera 6rd IPv6 with Cisco IOS router

Sonera recently started offering 6rd tunnels to their customers in Finland. Based on this Comcast example it was easy to get Sonera 6rd up with a Cisco 892 running IOS 15.5(1)T.

Prefer IPv4 over IPv6 on CentOS 6

To prefer IPv4 (A) addresses over IPv6 (AAAA) on CentOS 6 you need to add a new file named /etc/gai.conf with the following content. The last line is what controls whether IPv4 or IPv6 should be tried first.
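Added example, not the file from the original post: a small script that generates and installs the /etc/gai.conf the post refers to. It assumes glibc's RFC 3484 default precedence table, which is the table the stock gai.conf of that era shows commented out, and raises only the ::ffff:0:0/96 (IPv4-mapped) entry, the "last line" mentioned above. The caveat a practitioner needs: glibc has no /etc/gai.conf by default and uses its built-in table, but as soon as the file contains even one precedence line the built-in table is dropped, so all default entries have to be repeated, not just the changed one. The hostname used for the check is whatever you pass in.

```shell
#!/bin/sh
# Added example (not the original post's file): write a /etc/gai.conf that makes
# getaddrinfo() sort IPv4-mapped (A) results ahead of native IPv6 (AAAA) results.
set -eu

# Print the RFC 3484 default precedence table with only the last entry changed.
# ::ffff:0:0/96 covers IPv4-mapped addresses; its default precedence is 10, the
# lowest, which is why AAAA results normally sort first. Raising it above ::1/128
# (50) makes IPv4 destinations win. All default lines are repeated because glibc
# discards its built-in table once any "precedence" line is present in the file.
gai_conf_prefer_ipv4() {
    cat <<'EOF'
# /etc/gai.conf - prefer IPv4 over IPv6 (RFC 3484 destination address selection)
# The whole default precedence table must be listed: once any precedence line
# exists glibc ignores its built-in table. Only the last line differs from it.
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  100
EOF
}

# Return the precedence assigned to PREFIX in the generated file (for checks).
gai_conf_precedence_of() {
    gai_conf_prefer_ipv4 | awk -v p="$1" '$1 == "precedence" && $2 == p { print $3 }'
}

# Install the file. Each process reads gai.conf once, at its first getaddrinfo()
# call (unless the file sets "reload yes"), so long-running daemons that were
# already up need a restart to pick the change up. The path argument exists so
# the function can be exercised on a temporary file.
install_gai_conf() {
    dest="${1:-/etc/gai.conf}"
    gai_conf_prefer_ipv4 > "$dest"
}

# Check the effect without touching any application: getent(1) uses the same
# getaddrinfo() sorting, so for a dual-stacked name the first address printed
# should now be IPv4. Takes the hostname to resolve as its argument.
show_resolution_order() {
    getent ahosts "$1" | awk '{ print $1 }' | uniq
}
```

Run `install_gai_conf` as root and compare `show_resolution_order www.example.com` before and after; only the order of the addresses changes, nothing is filtered out, so a host with no IPv4 route still gets its AAAA results.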

Enable UserDir with Centos 6 and SELinux

I had the unfortunate opportunity to play with the RedHat / Fedora / CentOS distribution today. I have to say that as much as I hate Ubuntu, CentOS is even worse than it was a few years ago when CentOS 5 was still current. And we're ignoring RHEL 7 / CentOS 7, where the headless server installer requires a GUI that's optimized for touch screens and tries to imitate an iPad. Recommended solution? Use VNC to connect to the installer. Aargh! I should probably have an iPad to run that VNC client - for improved user experience, you know.

Remote conversion of 64-bit CentOS 6.5 to 64-bit Ubuntu 14.04

For a 32-bit source to 64-bit see my older post. The old install was using software RAID-1 but did not have LVM: a small 200MB /boot partition, 8GB swap and the rest as one root partition. We're redoing it completely, so what it used to be doesn't really matter. All existing data on root will be lost.

Oddities of dnsmasq when used with IPv6 resolvers

    # dnsmasq --version
    Dnsmasq version 2.68  Copyright (c) 2000-2013 Simon Kelley
    Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth
    # md5sum dnsmasq*
    8a704b6aa977df9485b3faf940cc5e35  dnsmasq_2.68-1_all.deb
    60bafb9b863671bb02595505a447270c  dnsmasq-base_2.68-1_amd64.deb

There was an odd "[icmp6 sum ok] ICMP6, destination unreachable, unreachable port" going out from my server every time a DNS reply was received. Turns out it was because dnsmasq IPv6 support is buggy.

Headless Ubuntu 14.04 Server with full disk encryption, remote unlock, software RAID, LVM and EFI for over 2TB disk support

Headless Ubuntu 14.04 LTS server with full disk encryption, remote unlock over SSH, software RAID, LVM and support for over 2TB disks with EFI and BIOS MBR boot. That's what this post is about. Oh, and pics are at the end.

Cisco EEM applet to monitor and repair broken DHCP leases

Dirty hack to renew the DHCP lease on a Cisco 881 if Internet access is lost. This can happen when the Cisco has a valid DHCP lease from the ISP and then the cable modem or DSL router is power cycled, but the switch between the Cisco and the upstream device keeps link state up. Options are either to fix it manually (pull the cable / change config / reboot the Cisco) or hack something like below. I'm also pinging over the VPN tunnel to the Intranet, as it would be a shame to break this due to Level 3 and Google blocking ICMP, which might happen one day.

/31 aka 255.255.255.254 netmask with Windows

The Windows GUI prevents you from setting this with the helpful error message "All of the bits in the host address portion of the IP address are set to 0". The IP stack seems to be fine with /31 networks, so just set it from the CLI (the second command uses the interface name shown by the first):

    netsh interface show interface
    netsh interface ip set address name="Local Area Connection" source=static addr=10.71.219.238 mask=255.255.255.254 gateway=10.71.219.239

Moving VMs between datastores with free ESXi (and very fast GhettoVCB restores)

Trying to move a virtual machine between datastores (local or remote) can be painful without vCenter and Storage vMotion. An easy and fast way is to use the traditional VI Client to move the contents of the virtual machine directory via the datastore browser (Move To feature). Processing stays within ESXi and goes quickly. VMware Converter could also be used, but it's SLOOOOOW and everything goes via the management PC, which is dumb design. GhettoVCB restores aren't the fastest either. This is a quite obvious workaround, but I have to admit I didn't realize it until today. Since backups are NFS mounted, I can simply import the VMX file from the backup directory using the datastore browser. Yes, this will result in changes to the backup, which is not that great, but at least it's quick: even the biggest VM can be restored in a couple of minutes. And that issue with changes to the backup could be easily solved with ZFS snapshots.

Making Intel 910 PCIe SSD bootable

Recently the market has been flooded with 400GB and 800GB versions of the Intel 910 Enterprise PCIe SSD priced at just one tenth of the original cost. The downside of this device is its inability to boot, requiring a separate SSD for system files and software RAID0 support from the OS. Both are obvious downsides for my intended use with ESXi.

Topfield TF500PVRc with TF510PVRc or TF520PVRc firmware

The latest firmware for the Topfield TF500PVRc is 3.56 from 2010, while for the TF510PVRc and TF520PVRc there's 3.96 from 2013. Can you flash Topfield TF510PVRc / TF520PVRc firmware to the older TF500PVRc? Yes, yes you can, after changing the SysID with VegaPack, and it will start and appear to work just fine. However, since the TF500PVRc has only 32MB RAM the system will quickly run out of memory. First menus will disappear and soon the entire system crashes. Flashing newer model firmware "works" only for DVB-C models. In DVB-T models (TF500PVRt / TF510PVRt / TF520PVRt) the tuner was changed, and while the OS will run it won't be able to receive any channels.

Buffalo WLAE-AG300N, OpenWrt Barrier Breaker and auto power on

While looking for something else I spotted a Buffalo WLAE-AG300N "range extender" in our IT "treasure room". Noticing it's OpenWrt supported, I decided to give it a try.

Cisco CSR1000v 3.13 finally working on VMware ESXi 5.1

After many, many months of waiting Cisco finally managed to build a new version of CSR1000v 3.13 that is compatible with VMware ESXi 5.1. Another quiet release without release notes. As with earlier 3.13 versions, this new 03.13.01S build is available only in OVA format without purchasing a license (csr1000v-universalk9.03.13.01.S.154-3.S1-ext.ova). Not to worry, as you can extract the ISO image and even BIN images if needed for upgrading an older install from the OVA. If you're coming from 3.12 or older with an eval license (which allowed creation of the eval license locally) you'll need new licenses. The usual two month license is available from the Cisco portal, but it's an extra step compared to 3.12. Another difference is the performance levels for unlicensed and eval licensed modes. Unlicensed 3.12 is 2.5 Mbit/s, eval licensed 3.12 is 50 Mbit/s, unlicensed 3.13 is 0.1 Mbit/s and eval licensed 3.13 is 10 Gbit/s.

Upgrading HP Proliant firmware is easy... NOT!

The server in question was an HP ProLiant DL320 G6 from 2010 without any firmware upgrades ever made. Those old versions have multiple known issues: usability, stability and hardware component compatibility related. Downtime required to perform these steps will be around 3 hours.

LTE 450MHz performance

Seems Ukkomobile has fixed their provisioning setup. The LTE network itself came up last week, but only DNS traffic was allowed and all tcp/80 traffic was hijacked into an infinite 302 redirect loop between www.ukkoverkot.fi and www.ukkomobile.fi.

Inside Ukkomobile 450MHz LTE router - Huawei B593s-31A

450MHz LTE is alive!

Cisco CSR1000v 3.13 crashes on VMware ESXi 5.1

The initial version of Cisco CSR1000v 3.13 (csr1000v-universalk9.03.13.00.S.154-3.S-ext) was broken and kept crashing while booting on VMware ESXi 5.1, but apparently does work on ESXi 5.5. Cisco has silently replaced it with the 3.13S0a version (csr1000v-universalk9.03.13.00a.S.154-3.S0a-ext) without providing any release notes or even updating file dates. Which is exactly as broken as the old one: stuck in an infinite reboot loop. Download is here, but for some reason for 3.13 only the OVA package is available after free registration. If you need the ISO, simply unpack the OVA with 7zip and use the ISO you find inside for the install. And then it will fail. Perhaps something to do with the crazy nested virtualization CSR uses. Thanks guys.

Export all SMTP addresses from Exchange using PowerShell

Tested with Exchange 2010. You'll need the Exchange Management Shell but no Exchange admin rights. Each recipient is expanded into one row per proxy address; non-SMTP entries (X.400, X.500) have no SmtpAddress and are dropped by the Where-Object filter.

    Get-Recipient -ResultSize Unlimited |
        Select-Object Name -ExpandProperty EmailAddresses |
        Where-Object { $_.SmtpAddress -ne $null } |
        Select-Object Name, SmtpAddress, IsPrimaryAddress |
        Export-Csv -Encoding Unicode -NoTypeInformation AllEmailAddress.csv

How to change Atheros AR9xxx aka ath9k EEPROM values

One of my Atheros AR9280 mini PCIe cards had some odd undefined regulatory domain (0x6B) configured. This caused even the latest Linux ath9k driver to break, so I wanted to change it to a valid regdom. Which ath9k developers think is a sin and are trying to prevent people from doing, but luckily our old friend iwleeprom has Atheros support, letting us fix this.

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opinion, but I've seen a few comments saying that FMK doesn't work with the Huawei B593u. Just follow the instructions below and you end up with a normal firmware image having one important difference: you can telnet in as admin from the LAN side of the device.

Inside old Motorola (Symbol) AP-5131 access point

I found a couple of Motorola AP-5131 802.11a/g access points today. It's an old design from Symbol Technologies dating back to 2005, with a manufacturing date of 2010.

Netdisco2 on Ubuntu 14.04

Netdisco is a neat tool to collect the layer-2 forwarding database from switches, match MACs with the layer-3 ARP table from the router and present it over a searchable web UI. The old "Netdisco 1" was quite horrible to set up, but it did still do its job. Recently "Netdisco 2" was released, making admins' lives much easier and also bringing a fancy new look to the web UI. So here are my notes about installing a new virtual machine with Netdisco 2.

Huapwn - Backdoor on your Huawei B593u

The public Huawei document I linked a couple of days ago mentioned a factory diagnostics tool called "Huawei deviceLocker V0.1" that will grant access to a root shell on the router. I got curious about how this would actually work and came to the conclusion it must be something extremely simple and insecure; it IS Huawei after all. After some poking around the /bin/web process I figured it out: it's all there in clear text for anyone to read. And that admin password is in the Huawei docs, not exactly secret either. In case you didn't realize, there's no need for authentication to exploit this. Protip: try to hide your backdoors a bit better next time.

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with the Huawei stock firmware but would like to fix some security problems and remove the spyware installed by the factory. There's a fairly easy way to do this.

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post, but I felt this is worth documenting. While hacking my way into the Huawei B593u I had a big problem with Huawei's crippled CFE bootloader. It was not talking to me, and when I finally did get it to talk to me it was only one way. All I could see was the CFE> prompt after smashing ^C, but nothing else.

Latest modem.bin LTE dongle firmware for Huawei B593u-12

The latest modem.bin firmwares currently available are the T-Mobile customized 11.533.03.03.748 (2013-09-30) from SP105 and the generic 11.433.61.00.00 (2012-12-04) from Polkomtel SP103. While these are customized for the EM920u, according to a few forum posts I've found they work equally well with Huawei USB LTE dongles such as the E392 that are part of the same MDM9200 family.

Differences of Huawei B593u and B593s

I got a few B593u models and it's a pretty straightforward Broadcom BCM5358 based router with Linux. As usual, GPL sources were never published by the Huawei crooks. The LTE modem side is simply a Qualcomm MDM9200 based Huawei USB dongle connected internally to the Broadcom SoC over USB.

How to capture LTE WAN traffic for diagnostic purposes on Huawei B593u and not so much of security

Found this document on the Huawei webpage; you might be interested. It's in Microsoft Word .docx format. http://www.huawei.com/ecommunity/3msimage/download-10060827-10000297-9bca6ae8ffa54796a5245e6650b0e607.bin?type=bbs

Serial console on Huawei B593u

Here's the location of the Huawei B593u TTL serial console. Settings are the usual 115200 8N1.