I own the domain lowtek.ca and host a couple of personal projects as well as this blog on it. One of the areas is behind a password and that part of the site I redirect over to https to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure has currently become questioned, the value of having a SSL connection between your browser and (hopefully) a specific destination machine still has value. I found a humorous youtube video that describes SSL basics if this is new to you.

If you were watching the tech news, you’ll have seen several of the CA’s had security breaches. Even StartSSL which this post will talk about using had some issues, but it seems that it wasn’t as bad as the others. There has even been some research into how to attack / break SSL entirely. The web is a scary place if you think too much about this stuff. Today SSL is the most convenient web security story there is, and for the most part it works well enough.

For most people hosting personal websites the simple path is to use a self signed certificate.  The one downside to this is that whatever browser you are using will not recognize the certificate as valid, you’ll either be prompted to download and remember it – or just trust it for this one session. The manner in which browsers trust commercial web sites https connections is the certificates are issued by one of the root CA’s (Certificate Authority). The CA is a trusted 3rd party which the browser can check with to validate the certificate the website is offering up.

Ubuntu has some guides on creating certificates. What I’ll try to do here is provide a specific example of using StartSSL to generate a free certificate that is accepted by most web browsers. Much of the details come from another blog that I referenced when creating my StartSSL certificate.

You’ll probably want to use FireFox. The web interface at StartSSL.com can be a bit finicky and FireFox is known to work – I used the somewhat old 3.6.25 version. Of course the first step is to sign-up and create an account on StartSSL. They use email confirmation and my greylisting caused a bit of a hiccup here, waiting a few minutes and resubmitting the sign-up succeeded just fine. Then there will be a wizard that takes you through the rest of the sign-up process.

At the end of your account sign up you’ll be encouraged to back up the client certificate that has been installed into your browser. As I understand it, they use the client certificate as a form of authentication that it is really you they are connected to. The FAQ has details on backing up the client certificate. If for some reason you lose your client certificate they have a FAQ for that too.

Next we want to return to the “Control Panel” and use the “Validations Wizard” to do the “Domain Name Validation”. This will require another email validation to ensure that you are the owner of the domain (you’ll need to be able to receive email for that domain).

Now we can actually create a certificate. There are pay options for certificates, but we want to use the free version. Use the “Certificates Wizard” to create a “Web Server SSL/TLS Certificate”. Again I’ll reference the very useful blog post from jasoncodes.com that describes this set of steps (I will replicate here for completeness).

The first step of creating a certificate we can skip, as we plan to create our own Certificate Signing Request (CSR) locally. Execute the follwoing on your server, obviously replacing mydomain.ca with your domain name:

openssl req -new -newkey rsa:4096 -days 380 -nodes -keyout mydomain.ca.key -out mydomain.ca.csr

There will be several questions posed to you during this, here is a dump of the questions and some example answers:

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:YourStateOrProvince
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeName
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mydomain.ca
Email Address []:secret_email@mydomain.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Some of the answers can be blank as should be evident above. If you’re having trouble with the 2 letter country codes, check on wikipedia. I did find a reference that suggested that the common name must exactly match the host name of your server, you might note that I’m not using a www prefix here. This will allow me to re-use this same certificate for email and other things in theory, it also follows the no-www approach. I opted to leave the challenge password blank.

The second step of the wizard on StartSSL for creating a certificate will ask for a cut & paste of the mydomain.ca.csr we just created. Paste the entire contents of the file in, and move on to the next step where you should see that the request was received.

Moving along the next step is to “Add Domains”, since we’ve only validated one domain this should be easy. As part of this process it will ask for one sub domain. I used “www” since that will still resolve correctly to the lowtek.ca domain.

The remainder of the steps should be straight forward, you’ll arrive at the “Save Certificate” screen. You’ll want to save three things: 1) Text box contents as mydomain.ca.crt, then save-as the 2) intermediate and 3) root CA certificates (last two should be sub.class1.server.ca.pem and ca.pem respectively).

Now we need to install into Apache2. I’ll assume you’re running Ubuntu.

We’ll start by copying the .crt and .pem files we saved from the final step on StartSSL into the /etc/apache2/ssl directory. We also want the .key file that was created when we made our CSR copied to the same directory.

Again I must credit jasoncodes.com, this is almost verbatim from his site. Run the following as root.

cd /etc/apache2/ssl
mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat mydomain.ca.{key,crt} startssl.chain.class1.server.crt > mydomain.ca.pem
ln -sf mydomain.ca.pem apache.pem
chown root:root *.crt *.key *.pem
chmod 640 *.key *.pem

Now we need to modify the apache config file /etc/apache2/sites-available/ssl and add the following within the <VirtualHost> block:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mydomain.ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.ca.key
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

Check that your Apache config parses as valid:

apache2ctl -t

And then restart Apache with the new config:

sudo /etc/init.d/apache2 reload

Here is the the verification process verbatim from jasoncodes.com:

Run the following after restarting Apache to check the certificate chain:

echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

You should see something like:

depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you’ll probably see something like:

depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=21:unable to verify the first certificate
verify return:1

I was pleased to see that it all verified correctly for me. Visiting https://lowtek.ca resulted in a green lock icon under Google Chrome.

The StartSSL certificate expires in 1 year, so next year around this time I’ll be doing the same process. There is another CA (AffirmTrust) I came across that offers free 3 year certificates, I have no experience with them but would be interested to hear if anyone tries them out. There is CACert as well, but it doesn’t appear to be included in any of the browsers – limiting the usefulness of a certificate from them.

I’ve been a big fan of unlocked GSM phones since my first one back in 2009. I’ve also been through a surprising number of different phone since then, but all of them have been 2nd (or 3rd) hand and have been a good price for a phone that still has lots of use left in it. My latest phone the Samsung Galaxy S Vibrant (i9000m) is no different, but it came to me locked to Bell.

I purchased the i9000m knowing it could be easily unlocked if you had the right magic. With the stock firmware, if you don’t have the phone unlocked you’ll see what’s pictured at the top of this post when you install a SIM card.

It turns out the forums have a great how to guide, with pointers to an app on the Android Market if you’re afraid of a little bit of hex editing. It should go without saying that I selected the hex editing route. I’ll describe the steps I used here, but  all credit to the folks in the forums for figuring this out.

I will assume that you’ve rooted your i9000m and you’re not incapable of using a hex editor.

Step 1: We’re going to copy some non-volatile memory off the phone that contains the ‘lock’. Perform the following commands on the phone (probably via ADB).

$ su
# cat /efs/nv_data.bin >> /sdcard/nv_data.bin


Now copy that file onto your PC for editing. Make a backup of the original before step 2.

Step 2: Edit that file, I used hexedit on Ubuntu. The lock bit is inside of the byte at 0x181469 in the file. See the green circle below, change that 01 into a 00 and save the file.

Starting at offset 0x181468 you should see the series of digits: ff 01 00 00 00 00 46 46

The XDA post describes it as follows:

There are 5 different types of locks in 5 different bytes

the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone

Step 3: Use the modified file to update your phone. Let’s assume you copied the modified file to /sdcard/nv_data.bin on the phone, and again the commands below are executed on the phone.

$ su
# rm /efs/nv_data.bin
# rm /efs/nv_data.bin.md5
# cat /sdcard/nv_data.bin >> /efs/nv_data.bin
# chmod 755 /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
# reboot


That’s it, you’re unlocked. The unlock should persist across ROM (firmware) changes.

References: a great article with pointers to valuable information on the i9000 series.

I had setup a RAID1 system using two 1TB volumes, I had decided to split the 1TB mirrored volume into 300Gb/700Gb so I could limit the space used by backups to 300Gb. In hindsight this was a silly idea, and it also made the migration process more complicated. If I had placed the 300Gb volume second, it might have been feasible to move that data somewhere then expand the 700Gb volume to fill the remainder of the drive – but I had put the 300Gb volume first. One day someone will write the utility to allow you to shift the start of a volume to the left (towards the start of a drive).

Instead of sticking with a RAID1 setup, I decided to move to RAID5. While there is a little less redundancy with RAID5, the additional flexibility seems like a good trade off to me at this point. I’ll avoid getting into the religious debate over which type of RAID you should use, or if RAID makes sense at all with large sized drives. Also there are some good off the shelf solutions now such as Drobo or QNAP.

With a project like this it is a good idea to make a plan in advance, then log your steps as you go along. Migration of 100′s of Gb of data will take time, lots of time. I did the work over about 5 days, some of it while on a trip outside the country (remote access!). Here was my plan:

1. install new drive – ensure system is happy
2. break mirrored set – run in degraded mode
3. repartition new drive & unused mirrored drive
4. create degraded raid 5 (2 drives only)
5. copy data from degraded mirror onto degraded raid5
6. decommission degraded mirror & repartition
7. add volume to raid5 set

I also was careful to check that the new volume had the same capacity as the other two having been bit by that in the past. (I used fdisk -l /dev/sde to get the stats of the drive)(...)
Read the rest of How To: Migrate from Raid1 to Raid5 (535 words)

My brother in-law’s BlackBerry 9700 suffered a new problem this time JVM Error 102. A quick google search turns up more 600,000 results – so this is I assume a pretty common problem. In his case it seems entirely random – he had it plugged in to charge and when he went to unplug it, it was stuck on an all white screen with JVM Error 102 with one choice: reboot. It seemed the device was stuck in a reboot cycle, always hitting the same error.

I followed the instructions on this page, but I’ll also repeat them here to cover exactly what I did. Sadly this requires a Windows machine (I used XP).

If you don’t already have the BlackBerry Desktop Software installed and running, you’ll need that. If you’ve never had the BlackBerry connected to your Windows machine, it may also need to install some USB drivers, my Windows XP was able to figure out what was needed automatically. Hopefully you’ll be in a state as shown in the picture at the top of this post, able to see the device but not able to do anything.

Now you need the JL_cmder utility. The utility is just a script driving the JavaLoader program. With the BlackBerry Desktop Software running, also run this script. If you are having trouble with this part, I’d advise you to stop trying to solve this yourself and get some help. You’ll need to be comfortable with command line programs to succeed.

If you see some output like the following when using JL_cmder:

RIM Wireless Handheld Java Loader
Copyright 2001-2007 Research In Motion Limited
Connecting to device...debug: HRESULT error dur
ing Open: 80040154
Error: unable to open port

Then you’ve probably failed as I had to install the BlackBerry Desktop Software, or it isn’t running, or you’ve got a driver problem, or maybe there is a more serious problem with your BlackBerry. Once I had installed and was running the BlackBerry Desktop Software this problem went away for me.

Now you want to grab the eventlog. This will open a notepad with the contents of your log. In my case there had been many failed boots, so the error was repeated many times. Here is the last complete entry:

guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:System Startup
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:VM:FSNHv=1
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:VM:CVER=5.0.0.351
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:VM:PSIDv=266951
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:CMM: verifyHash failed for net_rim_device_apps_games_wordmole_graphics_480x360-6(3437)
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:VM:+BORK
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:JVM Error 102
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:Invalid code in filesystem
guid:0x97C9F5F641D25E5F time: Wed Dec 31 19:00:00 1969 severity:0 type:2 app:System data:JVM:INFOp=21e0b6b1,a='5.0.0.351',o='5.1.0.98',h=4001507

You can see there is a verifyHash failure in the log, I’ve marked the file name of the offending file in bold (your log won’t have the bold marking in it – that’s your job, to identify the problematic file). So there isn’t any good reason this file was corrupted and not another, but luckily it is clearly a non-critical file. I was amused by the appearance of the Unix epoc in the log file.

Now that we know what the problem is, we’ll just remove the file. I’ll stress that the filename is going to be unique to your problem. Reading the error log is a critical step. Using a command shell we’ll execute the following:

JavaLoader.exe -u erase -f net_rim_device_apps_games_wordmole_graphics_480x360-6


Doing this caused the device to reboot. If it doesn’t reboot on it’s own, you might need to manually reboot/reset the device. That’s it you’re done – you should have a working BlackBerry at this point.

Follow up steps – you should synchronize with the desktop software to back up your device. It may be wise to push a firmware upgrade to the device, even the same version you had (assuming you were fully up to date) – this will replace all other files which may have been corrupted. I didn’t do this, but I’d hope the desktop software makes this a straight-forward process.

I’m always a little amazed at how much people pay monthly for TV service. We ran for years with no TV at all, and all the money we “saved” I easily spent on DVDs (and more I’m sure). Several year ago we decided that some amount of TV wasn’t a bad thing, it also gave me a great excuse to build a PVR based on MythTV. After shopping around StarChoice (now ShawDirect) seemed like the right fit. The basic package was cost effective and gave us enough TV. I liked the fact that we got HDTV in the base package, and that meant high definition hockey games and special events like the Olympics.

ShawDirect has a great policy (pdf) that lets you schedule seasonal breaks in service. I’ve been using one of those to try out using over the air (OTA) TV as our only source. We haven’t really noticed the lack of TV, even through the Stanley Cup finals (but our team wasn’t in it).

To move to OTA I needed two things: 1) a PC capture device for HDTV and 2) a set top box to convert the signal for use with my projector. The PC side of things came along as a deal from Dell – the Hauppauge WinTV HVR-950Q was on sale one day ($54.99). This came along with a tiny little antenna which surprisingly pulled several stations. The projector has no HDTV tuner (unlike most HDTV flat panel sets) and so it was off to eBay to get a set top box. This was the first time I had used the “Make an Offer” option on eBay and I was quite pleased with the price we negotiated. The tv tuner is known by several different brands: Centronics ZAT 502 HD / RTC DTA1100HD / Digiwave DTV5000HD.

On the 2nd floor of the house I could easily pull in CBC to watch hockey using the dinky little antenna that came with the 950Q. To route the signal to the projector I needed to get a little creative and pull some RG6 from the attic to the basement, the MythTV box is also downstairs. In many situations almost anything will work as an antenna, and the simple bow-tie version I built with mostly stuff I had around already is pretty close to that.

My build was inspired by a write up I found using simple materials, the antenna I built is a Gray-Hoverman. I used a scrap of 1×3, some 14 gauge (2 conductor #14) electrical wire, some screws and fender washers. The only part I needed was a matching transformer. You can see the end result in the picture at the top of this post.

I have this antenna attic mounted, with 100ft of cable between it and the tv tuner. It works well, pulling in 5 HDTV stations all with little to no drop outs. I’d like to try to get PBS HD, but that may require a bigger antenna or an amplifier (a project for later).

(...)
Read the rest of OTA HDTV in Ottawa (95 words)

It took about a year to drain the toner down to the level where it needed a refill. So it was off to eBay to look for a deal. In 2009, refill kits were available and were about $100 for all four colors. By 2011 the price had dropped to $50 for all four colors, including reset chips and the cutting tool. I bought mine from easycartridgerefill and had a good buying experience. At the top of this post is a picture of everything that was shipped in the box: toner, cutting tool, instructions, funnel tips, sealing tape, gloves, microfiber cloth, and reset chips.

Step 1 – RTFM. The instructions are 2 pages of fairly detailed instructions. Having refilled toner before I just skimmed them, that was a mistake. The photo above you can see I’ve used the hole cutting tool on the wrong part of the cartridge.

Step 2 – We need to use the hole cutting tool to make a hole in the correct part of the cartridge (see below). For your first refill you only need one hole, the instructions cover a 2nd area to make a hole if you need to empty the ‘wastebin’ – as this was the 1st time I was doing a refill I skipped that part having already made enough extra holes.

Step 3 – Empty the toner cartridge prior to refilling. The instructions warn that mixing old toner with new is likely to result in less optimal results.

Step 4 – Fill using the new toner. If you look at the picture of the yellow toner bottle, you can see quite clearly that it is no where near close to full. This picture was taken before I used any toner, the bottles are quite over-sized. You may need to gently swirl the bottle around to loosen the toner prior to trying to pour it. Use the entire bottle, this may take some effort and patience.

Step 5 – Seal the hole with the provided tape. The tape provided was simply metallic duct work tape that you can get at HomeDepot. Toner is a very, very fine dust – it will leak out any tiny hole or gap.

Step 6 – Now we need to swap the tiny chip that provides status on the cartridge to the printer. Sadly, this chip also prevents the printer from continuing to use a toner cartridge after you’ve passed the estimated number of pages. The original chip is pictured on the left, and the refill (reset) chip on the right. The chip swap is very easy.

That’s it, we’re done – install your newly filled cartridge and start printing.

A quick visit to the web-ui shows a full yellow cartridge with 1400 page capacity.

There are some folk who apparently run the toner down to nothing by buying new reset chips only and swapping those until they are low on toner. This could save you a little money in the long run – but at $50 for a full refill kit it is hard to argue that you need to be that frugal. Sadly, the reset chips are not reusable.

I had a few mishaps on the way to complete success..

(...)
Read the rest of HP Color Laser Printer (CP1518NI) Refill (351 words)