Compiling a kernel module on and for the raspberry pi

May 18th, 2016

So in order to compile a module for a precompiled version of the raspberry pi linux kernel, some quirks were necessary. The goal was to not build the kernel fully (which is also possible after these steps) but to rebuild a module for the currently running kernel after modifying its source.

If you have seen

Error: could not insert module drivers/w1/slaves/w1_therm.ko: Invalid module format

while trying to insmod and

[ 5697.914596] w1_therm: no symbol version for module_layout

in dmesg or

ERROR: could not insert 'w1_therm': Exec format error

after modprobe, then stick around.

My script with explanations is available over at

https://github.com/x29a/kernel/blob/master/rpi/prepare.sh

so hopefully all that needs to be done on the rpi is (as root, sudo -i)

# mkdir -p /root/kernel
# cd /root/kernel
# wget https://raw.githubusercontent.com/x29a/kernel/master/rpi/prepare.sh

then check if the defaults in the script are fine for you, like location for source and kernel branch, then execute

# bash prepare.sh

and follow the instructions. Each new message expects a keypress to continue.

Following is some additional info i found handy on my journey to a loadable module.

If you have used rpi-update by accident and got on an experimental kernel (remember, new kernels are now installed via apt-get!) you can revert to a stock kernel by forcing a reinstall via

apt-get install --reinstall raspberry-bootloader

When is Module.symvers generated.

How to get the right kernel version for a running setup without recompiling kernel.

Crosscompile a kernel module.

General information on building the rpi kernel and general kernel module building and contribution infos.

Blackberry OS 10 and LetsEncrypt

March 19th, 2016

The great service at https://letsencrypt.org offers certificates for everybody to encrypt their websites with (meaning to offer HTTPS).

Unfortunately, the Blackberry OS 10 Browser does not yet ship with the certificates used to sign the websites so you either have to go back to unsecure HTTP or in case of HSTS you are unable to view the webpage.

Hopefully, there will be an update to BBOS 10 soon to fix this issue.

Luckily, one does not have to wait for the update but can manually import the needed certificates.

Head over to https://letsencrypt.org/certificates/ and download the PEM format of:

  • ISRG Root X1
  • Let’s Encrypt Authority X1 (IdenTrust cross-signed) and Signed by ISRG Root X1
  • Let’s Encrypt Authority X2 (IdenTrust cross-signed) and Signed by ISRG Root X1
  • Also get the DST Root CA X3 by copying the text to a textfile, remove the whitespace at the end and surround it by

    -----BEGIN CERTIFICATE-----

    copied text here

    -----END CERTIFICATE-----

    each on a new line. Save that file as dst_root_ca_x3.pem

    After copying all files to the device (e.g. via SD card), go to Settings -> Security and Privacy

    Securiy and Privacy

    -> Certificates

    Certificates

    and Import

    Import

    all 6 files (5 from LetsEncrypt and 1 from IdenTrust).

    Thats it, open your browser and try it out.

    Access samsung phone with hardware issues

    January 18th, 2016

    So recently i fiddled with a broken partition table in a somewhat working Samsung Galaxy S3 Mini phone.

    Now imagine the phones looks like this:

    broken_mini

    Dropped like it’s hot, landed flat on the screen. But of course contains very important pictures without backup somewhere else. For the fun of it, lets assume the power button is broken as well.

    Software configuration: stock rom, stock bootloader, stock recovery. ADB disabled.

    With a combination of the following steps, it should be possible to get access to the internal memory and backup important data via ADB.

    USB Jig
    A custom recovery image like TWRP enables ADB access, so by flashing TWRP, we get root access to the phone and can backup the data. For flashing the recovery, you need either heimdall or odin and the images, all are linked in my previous post.

    Normally you can get any turned off samsung phone into download (also called odin) mode by pressing VOLUME DOWN + HOME + POWER.

    Now if some button is not working, this is a little trickier. The trick is a tool called samsung 300k or a little piece of hardware. Since the tool is windows only and didnt work for me, i had to go the hardware way.

    There are multiple videos on youtube that describe how to modify an usb connector.

    If you have a “power only” micro-USB cable that you can spare, things are a bit easier. These feature most likely already a resistor of around 200kOhm, so when you connect the cable only to your phone (USB end is loose) the phone will boot up. Unfortunately, with the resistor at 200kOhm, it will perform a normal boot.

    So cut off the wire near the connector and carefully pry the connector open on its side with a sharp knife.

    connector_01

    The rubber sides now should be removable, careful not to rip any of the small cables or connectors inside.

    connector_02

    connector_03

    Now depending if your connector already features a resistor you need to add a resistor in series (one after the other) or you need to add a new resistor so that the summed up value equals 300kOhm. Since my connector came equipped with 200kOhm, i just added another 100kOhm and soldered it in between.

    connector_04

    Of the micro-USB B connector, pin 4 and 5 should be connected via 300kOhm.

    When inserting the connector into the phone, it should vibrate (if the vibrator still works) and boot into download mode. Now connect a working data cable and use heimdall or odin to flash TWRP with ADB enabled.

    Look Ma, no power button!
    But with the powerbutton not working, how can one boot the phone (hopefully into recovery)?

    You could try to clean or fix the button.

    If that doesnt work, there are multiple different approaches and while the ones from the videos did not work, the one in the comments worked for me:

    1. remove battery and power cable
    2. insert battery – insert power cable
    3. wait until you see the first battery logo, and the second battery logo with animation
    4. wait again, until it goes completely black. (power saving)
    5. remove your battery, reinsert your battery, take off usb cable (quickly!)

    Unfortunately, there seem to be some phones which can not be boot into recovery by holding the buttons and plugging the cable in or which dont boot into recovery after flashing from download mode. In this case, you can rename the recovery.img to boot.img and flash it via heimdall/odin into the bootloader partition. This way, the system wont boot android anymore, but straight to the recovery with ADB enabled.

    Once all data is retrieved, one has to replace the recovery in the bootloader partition again with a real bootloader. This must fit to the android system, so might as well wipe everything and start from scratch.

    OpenWRT as internet filter for e.g. kids

    January 18th, 2016

    The internet is for porn.

    Therefor, when some content should to be blocked from somebody (e.g. kids), an internet filter is required. If course, primarily this should be handled by talking to the kids and trust! And im not promoting monitoring!

    A technical filter solution can be implemented with OpenWRT (15.05 and up). It is an open linux plattform for various WLAN routers, e.g. the TP-Link WR841ND or its bigger brother TP-Link WR1043ND (moar power!).

    After following the wiki pages on where to download and how to install the firmware, OpenWRT boots on the router. On first access, the webinterface asks for a password to be set. After setting the password, one can configure the device via ssh as user “root”.

    In the default configuration, the LAN ports and the WLAN is put together into a virtual network called “lan”. The WAN port represents another network called “wan”. The internet filter will be set-up between those two, so that every package from the “lan” is checked against a set of criteria and then allowed (or not) to go into the “wan”. For this to work, the WAN port should be connected to the home network with internet access, the to-be-filtered clients can connect via WLAN or LAN.

    First step after connecting via SSH is to install the required software (note: the WR841ND will be pretty full so if you want to install more software, get a bigger model or do some USB tricks):

    # opkg update && opkg install ipset tinyproxy

    Tinyproxy is used to allow access to some defined HTTP sites. It has to be enabled so /etc/config/tinyproxy has to be changed to contain option enabled 1 and it has to be started via /etc/init.d/tinyproxy start.

    Next is the firewall. I am sticking to the configuration via /etc/config/firewall, although iptables can be used directly. This has the advantage of being able to use the webinterface as well to change the rules.

    The order of the rules is important, as traffic is checked against all traffic until it finds a matching rule. See the attached file for reference. Some pieces are explained in more detail now.

    To turn off the internet at certain times:

    config rule
            option name             'time based morning'
            option src              'lan'
            option dest             'wan'
            option start_time       '00:00'
            option stop_time        '07:00'
            option weekdays         'mon tue wed thu fri'
            option proto            all
            option extra		'--kerneltz'
    	option target           REJECT
            option enabled          '1'
    
    config rule
            option name             'time based evening'
            option src              'lan'
            option dest             'wan'
            option start_time       '21:00'
            option stop_time        '00:00'
            option weekdays         'mon tue wed thu sun'
            option proto            all
            option extra		'--kerneltz'
            option target           REJECT
            option enabled          '1'

    The option “–kerneltz” will make the firewall use the kernel timezone instead of the default, UTC. The kernel timezone is configured in /etc/config/system.

    To redirect all webtraffic (port 80) to tinyproxy running on the router (whose ip is 172.29.0.1 here):

    config redirect
            option name 		'redirect 80 to proxy'
            option src 		'lan'
            option dest 		'wan'
            option src_dport 	'80'
            option dest_ip 		'172.29.0.1'
            option dest_port 	'8888'
    	option proto		'tcp'
    	option target		'DNAT'

    Tinyproxy can than be configured to (see option Filter) to allow certain pages. It is not possible to filter HTTPS (SSL) pages this way (as transparent proxy), recompilation of the packages with SSL support and some more tinkering is required. Squid can also be used.

    For specific services, it is easier to make an ip whitelist:

    config rule
            option name             'whitelist'
            option src              'lan'
            option dest             'wan'
            option proto            'tcpudp'
            option ipset            'wl'
            option target           'ACCEPT'
    	option enabled		'1'
    
    config ipset
            option external         'wl'
            option storage          'hash'
            option match            'dest_net'

    This references an ipset with ips where traffic to is allowed. For this to work, /etc/rc.local should contain the following

    # load the ipset for whitelisting 
    /etc/init.d/firewall stop
    ipset flush
    ipset destroy
    ipset restore < /etc/config/ipset.save
    /etc/init.d/firewall start
    
    exit 0

    This script stops the firewall during startup, loads the list of ips and restarts the firewall. The ips are saved in /etc/config/ipset.save which could look like

    create wl hash:net family inet hashsize 8192 maxelem 165536
    add wl 127.0.0.1
    add wl 172.29.0.1
    add wl ......

    Some companies provide their ip networks for easy addition, e.g. BlackBerry and WhatsApp.

    The last rule should disallow all traffic (or make it the default behaviour).

    Remember, when the “client” has physical access to the router, the failsafe mode can be used to gain access and change the config so disable it (note: be careful not to lock yourself out now).

    How to fix Android Market when installed a .apk via adb

    January 18th, 2016

    This post is a draft from back in 2010 and assuming that you are the owner of a rooted Android device that just installed a bunch of applications (.apk) via the adb tool. This might be the case if you have a lot of packages (.apk) on your pc, and just install them via usb like:

    find . -iname “*.apk” -exec adb install ‘{}’ \;

    Remember that you will have to download the Android SDK for the adb tool and start the adb server as root before using it (sudo adb start-server).

    Now the problem: the Android Market doesnt see your installed apps, so it wont look for updates and you cant easily remove/handle them. But there is an easy fix.

    The Android Market keeps a list (more specific: a database, sqlite3) in

    /data/data/com.android.vending/databases/assets.db

    Weird thing, after looking with SQLite Browser into the database, all applications installed via adb where present. The only problem was the “install_time” value of the apps, beeing 0.

    So you could either adb pull the assets.db to your PC, edit the values (e.g. UNIX timestamp of now), and push it back or use a script on the phone to do the job for you.

    For the script, you will need root access, a busybox version with sqlite3 (just execute “sqlite3” on a phone shell and see if it recognizes the command)

    # sqlite3 /data/data/com.android.vending/databases/assets.db
    sqlite> UPDATE ASSETS SET install_time = CURRENT_TIMESTAMP WHERE install_time = 0;
    sqlite> .exit
    # exit