OpenWRT as internet filter for e.g. kids

January 18th, 2016

The internet is for porn.

Therefore, when some content should be blocked from somebody (e.g. kids), an internet filter is required. Of course, primarily this should be handled by talking to the kids and by trust! And I'm not promoting monitoring!

A technical filter solution can be implemented with OpenWRT (15.05 and up). It is an open Linux platform for various WLAN routers, e.g. the TP-Link WR841ND or its bigger brother, the TP-Link WR1043ND (moar power!).

After following the wiki pages on where to download and how to install the firmware, OpenWRT boots on the router. On first access, the web interface asks for a password to be set. After setting the password, one can configure the device via SSH as user “root”.

In the default configuration, the LAN ports and the WLAN are put together into a virtual network called “lan”. The WAN port represents another network called “wan”. The internet filter will be set up between those two, so that every packet from the “lan” is checked against a set of criteria and then allowed (or not) to go into the “wan”. For this to work, the WAN port should be connected to the home network with internet access; the to-be-filtered clients connect via WLAN or LAN.

The first step after connecting via SSH is to install the required software (note: the flash of the WR841ND will be pretty full afterwards, so if you want to install more software, get a bigger model or do some USB tricks):

# opkg update && opkg install ipset tinyproxy

Tinyproxy is used to allow access to some defined HTTP sites. It has to be enabled, so /etc/config/tinyproxy has to be changed to contain option enabled 1, and it has to be started via /etc/init.d/tinyproxy start.

Next is the firewall. I am sticking to configuration via /etc/config/firewall, although iptables can be used directly. This has the advantage that the web interface can be used to change the rules as well.

The order of the rules is important, as traffic is checked against the rules in order until a matching rule is found. See the attached file for reference. Some pieces are explained in more detail now.

To turn off the internet at certain times:

config rule
        option name             'time based morning'
        option src              'lan'
        option dest             'wan'
        option start_time       '00:00'
        option stop_time        '07:00'
        option weekdays         'mon tue wed thu fri'
        option proto            'all'
        option extra            '--kerneltz'
        option target           'REJECT'
        option enabled          '1'

config rule
        option name             'time based evening'
        option src              'lan'
        option dest             'wan'
        option start_time       '21:00'
        option stop_time        '00:00'
        option weekdays         'mon tue wed thu sun'
        option proto            'all'
        option extra            '--kerneltz'
        option target           'REJECT'
        option enabled          '1'

The option “--kerneltz” will make the firewall use the kernel timezone instead of the default, UTC. The kernel timezone is configured in /etc/config/system.

To redirect all web traffic (port 80) to tinyproxy running on the router (whose IP is 172.29.0.1 here):

config redirect
        option name             'redirect 80 to proxy'
        option src              'lan'
        option dest             'wan'
        option src_dport        '80'
        option dest_ip          '172.29.0.1'
        option dest_port        '8888'
        option proto            'tcp'
        option target           'DNAT'

Tinyproxy can then be configured (see the Filter option) to allow only certain pages. HTTPS (SSL) pages cannot be filtered this way (as a transparent proxy); recompiling the package with SSL support and some more tinkering would be required. Squid can also be used.

For specific services, it is easier to make an IP whitelist:

config rule
        option name             'whitelist'
        option src              'lan'
        option dest             'wan'
        option proto            'tcpudp'
        option ipset            'wl'
        option target           'ACCEPT'
        option enabled          '1'

config ipset
        option external         'wl'
        option storage          'hash'
        option match            'dest_net'

This references an ipset of IPs to which traffic is allowed. For this to work, /etc/rc.local should contain the following:

# load the ipset for whitelisting 
/etc/init.d/firewall stop
ipset flush
ipset destroy
ipset restore < /etc/config/ipset.save
/etc/init.d/firewall start

exit 0

This script stops the firewall during startup, loads the list of IPs and restarts the firewall. The IPs are saved in /etc/config/ipset.save, which could look like this:

create wl hash:net family inet hashsize 8192 maxelem 165536
add wl 127.0.0.1
add wl 172.29.0.1
add wl ......

Some companies publish their IP networks for easy addition, e.g. BlackBerry and WhatsApp.
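Published range lists tend to contain duplicates, overlapping prefixes and the odd typo, and ipset restore aborts on a bad line. As an added example (not from the post and not part of OpenWRT), the following Python script builds /etc/config/ipset.save from such a list: it validates each entry with the ipaddress module, rejects IPv6 and malformed entries (the set is created with family inet), collapses duplicates and prefixes already covered by a wider one, and emits the create/add lines in the format ipset restore expects. The input list is constructed from RFC 5737 documentation ranges; the create line mirrors the one shown above.

```python
import ipaddress
import sys

# Constructed sample input: what you might paste from a vendor's published
# range list. RFC 5737 documentation ranges stand in for real networks.
SAMPLE_NETWORKS = [
    "172.29.0.1",        # the router itself, as in the post
    "192.0.2.0/24",      # a vendor range
    "192.0.2.128/25",    # already covered by the /24 above: redundant
    "198.51.100.0/24",
    "198.51.100.0/24",   # duplicate line
    "2001:db8::/32",     # IPv6: rejected, the set is 'family inet'
    "not-an-address",    # typo: rejected
]


def normalise(entries):
    """Validate entries; return (collapsed IPv4 networks, rejected strings)."""
    nets, rejected = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:          # hash:net with 'family inet' is IPv4 only
            rejected.append(entry)
            continue
        nets.append(net)
    # collapse_addresses drops duplicates and nets contained in wider ones,
    # and returns the result sorted by address
    return list(ipaddress.collapse_addresses(nets)), rejected


def render_ipset_save(nets, setname="wl", hashsize=8192, maxelem=165536):
    """Render the restore file; the create line mirrors the post's."""
    lines = [f"create {setname} hash:net family inet hashsize {hashsize} maxelem {maxelem}"]
    for net in nets:
        # a /32 is written as a bare address, like the post's example entries
        entry = str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen
        lines.append(f"add {setname} {entry}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 make_ipset_save.py > /etc/config/ipset.save
    # (reads SAMPLE_NETWORKS here; read a file of one entry per line for real use)
    nets, rejected = normalise(SAMPLE_NETWORKS)
    for bad in rejected:
        print(f"skipped: {bad!r}", file=sys.stderr)
    sys.stdout.write(render_ipset_save(nets))
```

Rejected entries go to stderr rather than silently disappearing, so a typo in a vendor range is noticed before the whitelist is loaded with a hole in it.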

The last rule should disallow all traffic (or make that the default behaviour of the zone).
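Because rule order decides what the firewall does, it is worth checking a configuration mechanically before restarting the firewall. The following Python script is an added example, not part of the post or of OpenWRT: it parses the UCI file format (config / option / list lines) with a small hand-written parser, picks out the lan-to-wan rules in file order and flags two mistakes: an ACCEPT rule placed before a time-based REJECT (whitelisted traffic would then bypass the time window) and any rule placed after the catch-all deny (it can never match). The two configurations it checks are constructed, modelled on the snippets above; the "ntp" rule is a made-up extra.

```python
import shlex
import sys

# Constructed fragments modelled on the post's rules.
TIME_RULE = """
config rule
        option name       'time based evening'
        option src        'lan'
        option dest       'wan'
        option start_time '21:00'
        option stop_time  '00:00'
        option weekdays   'mon tue wed thu sun'
        option proto      all
        option extra      '--kerneltz'
        option target     REJECT
"""
WHITELIST_RULE = """
config rule
        option name       'whitelist'
        option src        'lan'
        option dest       'wan'
        option proto      'tcpudp'
        option ipset      'wl'
        option target     'ACCEPT'
"""
DENY_RULE = """
config rule
        option name       'deny everything else'
        option src        'lan'
        option dest       'wan'
        option proto      all
        option target     REJECT
"""
NTP_RULE = """
config rule
        option name       'ntp'
        option src        'lan'
        option dest       'wan'
        option proto      'udp'
        option dest_port  '123'
        option target     'ACCEPT'
"""
GOOD_CONFIG = TIME_RULE + WHITELIST_RULE + DENY_RULE            # the post's order
BAD_CONFIG = WHITELIST_RULE + TIME_RULE + DENY_RULE + NTP_RULE  # misordered

TIME_KEYS = ("start_time", "stop_time", "weekdays", "monthdays")
MATCH_KEYS = TIME_KEYS + ("ipset", "src_ip", "src_mac", "dest_ip", "src_port", "dest_port")


def parse_uci(text):
    """Parse UCI config/option/list lines into [(type, {key: value})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)      # handles both 'quoted' and bare values
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] in ("option", "list") and sections:
            key, value = words[1], (words[2] if len(words) > 2 else "")
            opts = sections[-1][1]
            if words[0] == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def lint_rule_order(text):
    """Return a list of problems; an empty list means the lan->wan order is sound."""
    rules = [o for t, o in parse_uci(text)
             if t == "rule" and o.get("src") == "lan" and o.get("dest") == "wan"
             and o.get("enabled", "1") != "0"]
    problems = []
    # a catch-all is a REJECT/DROP rule with no narrowing match at all
    catch_all = [i for i, r in enumerate(rules)
                 if r.get("target", "").upper() in ("REJECT", "DROP")
                 and not any(k in r for k in MATCH_KEYS)]
    if not catch_all:
        return ["no catch-all lan->wan REJECT/DROP rule; add one as the last rule"]
    for r in rules[catch_all[0] + 1:]:
        problems.append(f"'{r.get('name', '?')}' comes after the catch-all deny and can never match")
    time_idx = [i for i, r in enumerate(rules) if any(k in r for k in TIME_KEYS)]
    if time_idx:
        for r in rules[:time_idx[-1]]:
            if r.get("target", "").upper() == "ACCEPT":
                problems.append(f"'{r.get('name', '?')}' accepts before a time-based block, so it bypasses the time window")
    return problems


if __name__ == "__main__":
    # Usage: python3 fwlint.py /etc/config/firewall   (checks BAD_CONFIG if no path given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    for line in lint_rule_order(text) or ["rule order looks fine"]:
        print(line)
```

The check only looks at lan-to-wan rules and treats a missing enabled option as enabled, which is how OpenWRT treats it; zone forward policies and redirects are outside its scope.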

Remember: if the “client” has physical access to the router, failsafe mode can be used to gain access and change the configuration, so disable it (but be careful not to lock yourself out).

How to fix Android Market when installed a .apk via adb

January 18th, 2016

This post is a draft from back in 2010 and assumes that you own a rooted Android device on which you just installed a bunch of applications (.apk) via the adb tool. This might be the case if you have a lot of packages (.apk) on your PC and just install them via USB like:

find . -iname "*.apk" -exec adb install '{}' \;

Remember that you will have to download the Android SDK for the adb tool and start the adb server as root before using it (sudo adb start-server).

Now the problem: the Android Market doesn't see your installed apps, so it won't look for updates and you can't easily remove/handle them. But there is an easy fix.

The Android Market keeps a list (more specifically: an sqlite3 database) in

/data/data/com.android.vending/databases/assets.db

Weird thing: after looking into the database with SQLite Browser, all applications installed via adb were present. The only problem was the “install_time” value of the apps, being 0.

So you could either adb pull the assets.db to your PC, edit the values (e.g. to the UNIX timestamp of now) and push it back, or use a script on the phone to do the job for you.

For the script, you will need root access and a busybox version with sqlite3 (just execute “sqlite3” in a phone shell and see if it recognizes the command):

# sqlite3 /data/data/com.android.vending/databases/assets.db
sqlite> UPDATE ASSETS SET install_time = CURRENT_TIMESTAMP WHERE install_time = 0;
sqlite> .exit
# exit

Odyssey to revive Samsung S3 mini (GT-I8190)

January 8th, 2016

The Samsung GT-I8190 (S3 mini) is a decent Android phone which has been around for a while. In order to see if it can handle a current 5.1.1 Android, I wanted to install a custom ROM.

The phone was rooted and had an old version of TWRP installed. Fortunately, there is a big community for the phone, so instructions to root and install a custom recovery are all over the internet.

When holding Volume Up + Home + Power, the phone boots into recovery (Volume Down + Home + Power for download mode). From there I wanted to install SlimLP, when things went wrong.

Suddenly, the recovery could not mount any partitions anymore; the problem is well described over on StackExchange.

Since I had a fairly old version of TWRP installed, ADB was not available directly. Luckily, when switching to “ADB Sideload” under “Advanced” and cancelling that, ADB was possible. From there, I verified the situation was exactly like that on StackExchange linked above. When running fdisk /dev/block/mmcblk0 I could see that no partition information was available (unlike on StackExchange).

Next I created a partition spanning the entire internal memory with type “ee” (EFI GPT) while still in fdisk. The commands would be:

- n
- p
- 1
- enter (default)
- enter (default)
- t
- ee
- p (to verify)
- w (to write)

Then I tried to restore the partition information via the PIT file using Heimdall, the open-source alternative to Samsung's Odin software. Odin and the download mode are somewhat similar to what elsewhere is called fastboot. It's a mechanism to restore pretty much everything, so as long as the download mode works, the phone is not bricked.

Unfortunately, even when compiling Heimdall from git (version 1.41) and running it as superuser (for USB permissions), it could not write the PIT file; I got:

Uploading PIT
ERROR: Failed to unpack received packet.
ERROR: Failed to unpack received packet.
ERROR: Failed to confirm end of PIT file transfer!
ERROR: Failed to confirm end of PIT file transfer!
ERROR: PIT upload failed!

ERROR: PIT upload failed!

Writing the custom recovery worked with Heimdall; just the PIT upload wouldn't work.

Luckily, I had a Windows machine nearby where I could run Odin to repartition with the PIT file. I had to use Odin v1.85 because the v3.x versions did not work properly. On Windows, be sure to install the Samsung USB drivers properly!

Back to Heimdall: I first flashed the stock recovery because it would try to set up the partitions again. It booted up but had a problem with the encryption, offering a “system reset”, which would loop over and over, so I then flashed TWRP 2.8.6.1 (mirror) (note: the partition is not called “recovery” but “Kernel2”) via:

heimdall flash --pit i8190_goldenxx.pit --verbose --stdout-errors --Kernel2 ./GT-I8190_TWRP_2.8.6.1/recovery.img

Beware, the GT-I8190 and GT-I8190N models use different PIT files.

After booting back into TWRP 2.8.6.1 (where ADB works right away, btw), an advanced wipe and “Format Data” brought back the desired partitions (no errors mounting them anymore).

From there, installing the custom rom was a breeze.

Debian on a Lenovo x121e

May 4th, 2014

I was looking for an ultramobile notebook with the following requirements:

  • Smaller than the Lenovo Thinkpad x230
  • Trackpoint
  • Decent hardware (especially RAM)
  • Long battery

and finally found a good contender: the Lenovo Thinkpad x121e.

Since barely any models with a comparable form factor feature a trackpoint, the alternatives like the Edge E135 or E145 were also from Lenovo.

The decision towards the x121e was made because of the supposedly more sturdy housing, the still decent hardware and the lower price.

I didn't find a well-priced model with the Intel i3, so I got one with the AMD 450 and the RAM upgraded to 8GB. Instead of the 320GB hard drive, I invested in a Samsung 840 Evo SSD with 120GB.

Operating System Install
The OS should be Debian, so I got the 7.4 amd64 netinstall CD and connected an external USB CD-ROM drive to the x121e. As always with notebooks without an optical drive, the OS could also be installed by putting the SSD into a different computer or by booting via network.

A wired network is required anyway though, since the driver for the wireless adapter is not included. Also make sure the battery is fully charged or use the power adapter.

The install procedure itself is pretty straightforward; once booted from the CD, I basically just did:

  1. in the initial boot menu, select expert install
  2. choose language and keyboard
  3. choose extra packages: network console to continue via ssh (optional)
  4. detect network (only finds the wired connection); rtlwifi/rtl8192cfw.bin for wireless is missing (will install later)
  5. configure network: dhcp or static, according to the network infrastructure
  6. continue installation remotely (define a password and note the IP address; optional)
  7. partition disks: guided encrypted LVM (but deleted the logical volumes to change sizes): 4.4GB (swap), 10GB (root), 105GB (home) changed to 8GB, 20GB, 91GB (/boot is not encrypted, at around 250MB)
  8. linux-kernel-amd64 and targeted
  9. deselect desktop environment, choose ssh-server to continue the install remotely (see screenshot)
  10. install bootloader (grub) and finish installation

Selection in Debian Installer

Some information could be taken from a similar device/OS description on the Debian wiki.

Directly after basic install:

root@x121e:~# df
Filesystem              1K-blocks    Used Available Use% Mounted on
rootfs                   19223252 1154332  17092436   7% /
udev                        10240       0     10240   0% /dev
tmpfs                      778596     368    778228   1% /run
/dev/mapper/x121e-root   19223252 1154332  17092436   7% /
tmpfs                        5120       0      5120   0% /run/lock
tmpfs                     1557180       0   1557180   0% /run/shm
/dev/sda1                  233191   10600    210150   5% /boot
/dev/mapper/x121e-home   88123672  188124  83459032   1% /home

root@x121e:~# free -m
             total       used       free     shared    buffers     cached
Mem:          7603        250       7353          0         26        147
-/+ buffers/cache:         76       7527
Swap:         7719          0       7719

Additional packages
Packages needed to tweak the performance, silence the fan and get a GUI are the following (root required):

apt-get update

apt-get install i3 firmware-realtek thinkfan lm-sensors lightdm lxterminal

and packages I like to have as well:

apt-get install screen sudo htop powertop vim xinput wicd chromium xfce4-power-manager alsa

Configure Thinkfan
Without thinkfan, the fan is quite noisy. There are a couple of resources for thinkfan on thinkwiki.org or, in German, on thinkwiki.de. Also, more specifically for the x121e, I found descriptions at kernelconcepts.de and on the solutionlocker blog.

Watch out: if the x121e has an AMD CPU, there is no coretemp module; instead it's called ‘k10temp’.

Configure Graphics Card
To get the most out of the graphics hardware, the proprietary “fglrx” drivers worked for me. The performance of “fgl_glxgears” improved from around 40 FPS to 330 FPS. Instructions on how to install the drivers can be found in the Debian wiki. It basically boils down to the following:

sudo apt-get install fglrx-drivers

sudo aticonfig --initial

Attention: this way will download quite a few packages in order to compile the drivers via DKMS.

Other Notes

  • with xinput installed, disable the touchpad (ID is the device id shown by xinput --list):

    xinput --list && xinput set-prop ID "Device Enabled" 0

  • suspend/hibernate just worked out of the box via xfce4-power-manager; otherwise extra packages might have to be installed