I’ve been a fan of DD-WRT for some time, a Linksys WRT54GL is the heart of my home network. While I don’t have an immediate need for a new router, I’ve been thinking for some time that I should pick up a reasonable backup in case the WRT54GL fails. There are also some really interesting projects you can do with a modified router, and having a spare will let me tinker with some of those.

I came across a good deal on a refurbished Netgear WNR3500L, it was about half the price of a new unit. This was too tempting: N networking (I don’t really need it, but why not stay current?), gigabit wired networking (a must have), USB port (I wanted this for expansion options), but the feature that really sold me was 64MB RAM and 8MB ROM – more than enough for DD-WRT with all the features.

This particular router is also supported by Tomato another very popular firmware. There is also a somewhat suspect Netgear sponsored open firmware, the site seems to have instructions for installing an older version of Tomato – personally I’d steer clear of this. Unfortunately the other popular router firmware OpenWRT doesn’t currently support this router. Of course, I prefer DD-WRT which does support this router.

One of the reasons that I blog is to have a record of what I did, far too often I end up needing to do something again, or refer back when I’m doing an upgrade. Another reason is to help me get organized to do some of these things – finding the instructions is usually easy, understanding them and what you’re about to do takes some time. I probably spent 2hrs reading through forums and searching various things before I leapt in to flash the router, I strongly recommend you do the same. Also this write-up skips over some of the frustrating head scratching I do when things don’t work, that’s part of the learning process.

There is a v2 of this router, and v2 is NOT supported by DD-WRT. Apparently the boxes they come in are identical, but the router itself has a v2 marking. I did find a wiki that documents the v1 and the v2, I was able to match the FCC numbers listed to confirm I had a v1. For what it’s worth, my stock firmware was V1.0.2.50_31.1.25NA.

The DD-WRT site has some excellent instructions on doing the installation, I’ll avoid repeating those but will document the steps I took. I will repeat some of the cautions from the site:

• The WNR3500L requires a NEWD-2, K2.6 build of DD-WRT
• You will first need to upload a special .chk build (also K2.6) of DD-WRT to the router to go from Netgear’s factory firmware. Then you may install a .bin build of DD-WRT.
• Spend some time browsing the DD-WRT Forums. There’s a lot of chaotic information to ingest.
• Read the peacock thread.

Before we get started, let’s talk about the 30/30/30 reset. Yes, it’s over the top and very conservative. Weigh those 90 seconds against the potential problems you might run into trying to by rushing through this, sure building a JTAG connector to resurrect a bricked router might be interesting but it’s going to take you a lot more than 90 seconds.

The following steps should not be considered an alternate installation procedure, please use the official DD-WRT instructions – consider this a walk through of the official instructions:

1. Power on the device. Give it a minute to finish booting, the front panel LEDs should stabilize.
2. Plug in your linux box, it’ll automatically get an IP address (192.168.1.2)
3. Perform a 30/30/30 reset
   a) With unit powered on, press and hold the reset button for 30s
   b) Without releasing the reset button, unplug the router, wait 30s
   c) Still holding the reset button, plug the router in and wait 30s
4. Now wait for the PC to get an IP address assigned to it, this may take a minute or two be patient.
5. As I’m using Linux Firefox will be the browser of choice
   Connect to 192.168.1.1
   user: admin
   password: password
   (the default user and password)
6. Since the router isn’t connected to anything except my PC the automatic upgrade process will fail due to no internet connection, that’s fine.
7. Click on “Router Upgrade” in the menu on the left side.
8. Choose the .chk file you downloaded as per the DD-WRT site
9. You will get a warning: “Warning! You are trying to download the firmware which the region is different from the current firmware you had.” – this is ok, continue.
10. Wait for the upload process to complete.
    Once the upload is done, it will automatically move on to updating settings.
    A minute or so more it will show a DD-WRT screen.
11. Start a timer for 5 minutes and wait. Yes, likely paranoid as we could have probably started the timer when we started the upload process, but again this isn’t something you really want to rush. Time for coffee.
12. At this point we’re running DD-WRT, just not the version we want.
13. Do another 30/30/30 reset
14. It took my system about 2 minutes to get an IP address (192.168.1.101)
15. DD-WRT will force us to set a username and password, for now I suggest the same as stock.
16. Click on the Administration tab, followed by the Firmware Upgrade sub-tab.
17. I set ‘After flashing, reset to’ ->  ”Reset to Default settings”
    Pick the big file you downloaded as per the DD-WRT site.
18. It will flip to a reset screen once the firmware has been installed
19. Wait 5 minutes. If you’re really paranoid perform another 30/30/30 reset after that.
20. Done. Configure you’re new router.

I primarily use Chrome, but have experienced problems with DD-WRT and Chrome in the past. It turns out this time that FireFox was unable to configure the router (but it did handle the firmware install just fine). Consider this a caution, if you’re having trouble with this process it might be your browser.

When I got my Galaxy Tab 7″ one of the first things I did was to see if I could collect the stock firmware in a format that was useful in case I ever wanted to restore the tablet back to it’s stock form. It turned out that the 2.2 based firmware was not easily available on the net, and neither was the 2.3 version.

The results of my work are captured in an XDA thread, but restoring from those captures was an exercise left to the reader. The 2.2 (froyo) image is captured directly from the device, I first rooted the tablet with SuperOneClick then used rotobackup to capture a heimdall friendly set of files for flashing. The original work was tracked in another XDA thread where you can read the blow by blow if you’re interested. For 2.3 (gingerbread) I was able to grab the intermediate files from Kies during the normal upgrade process – the rest of this post will talk about how to use those files to restore the P1000R to a stock 2.3 state.

I’m using heimdall version 1.3.1 on Linux, but other versions and platforms should work fine. I particularly like using Linux to flash the GalaxyTab as it doesn’t suffer the same driver madness that Windows seems to have, USB devices just work. I’ll assume you can find the download and extract the files.

You’ll want to specify the PIT file – gt-p1000_mr.pit, it’s safe to select the repartition box as we’ll be doing the full monty here [sharp eyed readers will notice that the picture at the top of this post doesn't have the box checked, that's a mistake on my part - go ahead and check it]. The files map to the heimdall partition names as follows:

MODEM -> modem.bin
CACHE -> cache.rfs
KERNEL -> zImage
FACTORYFS -> factoryfs.rfs
PARAM -> param.lfs
IBL+PBL -> boot.bin
SBL -> sbl.bin

So click on the Add button and specify the partition type and files from the downloaded and extracted ROM.

Next you need to get your device into download mode. My preferred approach is to hold the power+volume down buttons until the download screen appears (yellow triangle with android digging). Now you can click start on heimdall.

Under Linux at least , this will hit 100% and then fail to reboot. That’s ok. Wait a minute or two to make sure it’s really done, then force it to reboot into recovery mode by holding power+volume up until you see the recovery screen.

Assuming the flash has gone well, the stock recovery will start up and automatically try to install some updates. You should see:

-- Updating filesystem...
E:failed to mount /dbdata (Invalid argument)
E:discard_filesystem_for_rfs:Can't mount /dbdata

-- Wiping cache...
Formatting /cache
Cache wipe failed.

Don’t panic. Remember that this update was expecting to have come from a properly installed 2.2 stock, we’re leaping into the middle of the process.

Using the recovery menus, select ‘factory reset + wipe data’ followed by ‘wipe cache’. One hint for those not used to the stock recovery image, the capacitive home button is used to select entries and volume up/down for navigation.

Now you can reboot. The first boot will take a while as it sorts things out and rebuilds the cache(s).  All should go well and you’ll be greeted by the stock home screen.

Like many geeks, I’m the family tech support. Somehow my nephew’s Windows Vista laptop had stopped booting. You’d get the blue screen of death (BSoD) on boot. Using F8 on boot also resulted in a BSoD. I even tried using a Vista recovery disk and it too crashed and burned in the same way.

My first thought was to check that the hardware was ok. Running some diagnostics from an Ubuntu live CD indicated that side of things looked fine.

So I tracked down the Vista Install disks, maybe I’d need to do a full re-install or at least it’d give me a way to move forward. What? Another BSoD?! This time instead of ignoring the data on the BSoD I wrote some of it down, it the main error code was: 0x0000C1F5. Searching for this turns up the specific problem, there is even a Microsoft knowledge base article. Of course the fix that is supplied by Microsoft won’t help you until you can actually boot Vista again.

I though I could solve the issue using Linux as was described in one of the forums. While I could easily boot Linux and poke around, there was no sign of a $TxfLog log file. I suspect in this particular case there was some other file that was corrupted, but which one? A bit more digging around and I found another Microsoft knowledge base article.

This ended up being the solution: Windows 7 knows how to recover from this type of filesystem corruption. The knowledge base article suggests that you use a Windows 7 Beta installation disk – I wasn’t able to find one of these. What I did find was some Windows 7 recovery images, these will work for what we need to do.

Burn the image to a CD or DVD. Boot the Windows 7 Recovery disk to the point where it’s going to try to recover, now shut down and cancel the recovery. The Windows 7 Recovery disk should have repaired the Vista filesystem so we can now boot from the hard drive into recovery mode and the system will perform it’s “self repair” fixing things up.

So while the BSoD screen can be intimidating, taking a bit of time to read the screen and take note of some of the magic numbers can help guide you to the right solution. Or just call up the geek in your family and get them to fix it.

I own the domain lowtek.ca and host a couple of personal projects as well as this blog on it. One of the areas is behind a password and that part of the site I redirect over to https to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure has currently become questioned, the value of having a SSL connection between your browser and (hopefully) a specific destination machine still has value. I found a humorous youtube video that describes SSL basics if this is new to you.

If you were watching the tech news, you’ll have seen several of the CA’s had security breaches. Even StartSSL which this post will talk about using had some issues, but it seems that it wasn’t as bad as the others. There has even been some research into how to attack / break SSL entirely. The web is a scary place if you think too much about this stuff. Today SSL is the most convenient web security story there is, and for the most part it works well enough.

For most people hosting personal websites the simple path is to use a self signed certificate.  The one downside to this is that whatever browser you are using will not recognize the certificate as valid, you’ll either be prompted to download and remember it – or just trust it for this one session. The manner in which browsers trust commercial web sites https connections is the certificates are issued by one of the root CA’s (Certificate Authority). The CA is a trusted 3rd party which the browser can check with to validate the certificate the website is offering up.

Ubuntu has some guides on creating certificates. What I’ll try to do here is provide a specific example of using StartSSL to generate a free certificate that is accepted by most web browsers. Much of the details come from another blog that I referenced when creating my StartSSL certificate.

You’ll probably want to use FireFox. The web interface at StartSSL.com can be a bit finicky and FireFox is known to work – I used the somewhat old 3.6.25 version. Of course the first step is to sign-up and create an account on StartSSL. They use email confirmation and my greylisting caused a bit of a hiccup here, waiting a few minutes and resubmitting the sign-up succeeded just fine. Then there will be a wizard that takes you through the rest of the sign-up process.

At the end of your account sign up you’ll be encouraged to back up the client certificate that has been installed into your browser. As I understand it, they use the client certificate as a form of authentication that it is really you they are connected to. The FAQ has details on backing up the client certificate. If for some reason you lose your client certificate they have a FAQ for that too.

Next we want to return to the “Control Panel” and use the “Validations Wizard” to do the “Domain Name Validation”. This will require another email validation to ensure that you are the owner of the domain (you’ll need to be able to receive email for that domain).

Now we can actually create a certificate. There are pay options for certificates, but we want to use the free version. Use the “Certificates Wizard” to create a “Web Server SSL/TLS Certificate”. Again I’ll reference the very useful blog post from jasoncodes.com that describes this set of steps (I will replicate here for completeness).

The first step of creating a certificate we can skip, as we plan to create our own Certificate Signing Request (CSR) locally. Execute the follwoing on your server, obviously replacing mydomain.ca with your domain name:

openssl req -new -newkey rsa:4096 -days 380 -nodes -keyout mydomain.ca.key -out mydomain.ca.csr

There will be several questions posed to you during this, here is a dump of the questions and some example answers:

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:YourStateOrProvince
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeName
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mydomain.ca
Email Address []:secret_email@mydomain.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Some of the answers can be blank as should be evident above. If you’re having trouble with the 2 letter country codes, check on wikipedia. I did find a reference that suggested that the common name must exactly match the host name of your server, you might note that I’m not using a www prefix here. This will allow me to re-use this same certificate for email and other things in theory, it also follows the no-www approach. I opted to leave the challenge password blank.

The second step of the wizard on StartSSL for creating a certificate will ask for a cut & paste of the mydomain.ca.csr we just created. Paste the entire contents of the file in, and move on to the next step where you should see that the request was received.

Moving along the next step is to “Add Domains”, since we’ve only validated one domain this should be easy. As part of this process it will ask for one sub domain. I used “www” since that will still resolve correctly to the lowtek.ca domain.

The remainder of the steps should be straight forward, you’ll arrive at the “Save Certificate” screen. You’ll want to save three things: 1) Text box contents as mydomain.ca.crt, then save-as the 2) intermediate and 3) root CA certificates (last two should be sub.class1.server.ca.pem and ca.pem respectively).

Now we need to install into Apache2. I’ll assume you’re running Ubuntu.

We’ll start by copying the .crt and .pem files we saved from the final step on StartSSL into the /etc/apache2/ssl directory. We also want the .key file that was created when we made our CSR copied to the same directory.

Again I must credit jasoncodes.com, this is almost verbatim from his site. Run the following as root.

cd /etc/apache2/ssl
mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat mydomain.ca.{key,crt} startssl.chain.class1.server.crt > mydomain.ca.pem
ln -sf mydomain.ca.pem apache.pem
chown root:root *.crt *.key *.pem
chmod 640 *.key *.pem

Now we need to modify the apache config file /etc/apache2/sites-available/ssl and add the following within the <VirtualHost> block:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mydomain.ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.ca.key
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

Check that your Apache config parses as valid:

apache2ctl -t

And then restart Apache with the new config:

sudo /etc/init.d/apache2 reload

Here is the the verification process verbatim from jasoncodes.com:

Run the following after restarting Apache to check the certificate chain:

echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

You should see something like:

depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you’ll probably see something like:

depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=21:unable to verify the first certificate
verify return:1

I was pleased to see that it all verified correctly for me. Visiting https://lowtek.ca resulted in a green lock icon under Google Chrome.

The StartSSL certificate expires in 1 year, so next year around this time I’ll be doing the same process. There is another CA (AffirmTrust) I came across that offers free 3 year certificates, I have no experience with them but would be interested to hear if anyone tries them out. There is CACert as well, but it doesn’t appear to be included in any of the browsers – limiting the usefulness of a certificate from them.

I’ve been a big fan of unlocked GSM phones since my first one back in 2009. I’ve also been through a surprising number of different phone since then, but all of them have been 2nd (or 3rd) hand and have been a good price for a phone that still has lots of use left in it. My latest phone the Samsung Galaxy S Vibrant (i9000m) is no different, but it came to me locked to Bell.

I purchased the i9000m knowing it could be easily unlocked if you had the right magic. With the stock firmware, if you don’t have the phone unlocked you’ll see what’s pictured at the top of this post when you install a SIM card.

It turns out the forums have a great how to guide, with pointers to an app on the Android Market if you’re afraid of a little bit of hex editing. It should go without saying that I selected the hex editing route. I’ll describe the steps I used here, but  all credit to the folks in the forums for figuring this out.

I will assume that you’ve rooted your i9000m and you’re not incapable of using a hex editor.

Step 1: We’re going to copy some non-volatile memory off the phone that contains the ‘lock’. Perform the following commands on the phone (probably via ADB).

$ su
# cat /efs/nv_data.bin >> /sdcard/nv_data.bin


Now copy that file onto your PC for editing. Make a backup of the original before step 2.

Step 2: Edit that file, I used hexedit on Ubuntu. The lock bit is inside of the byte at 0x181469 in the file. See the green circle below, change that 01 into a 00 and save the file.

Starting at offset 0x181468 you should see the series of digits: ff 01 00 00 00 00 46 46

The XDA post describes it as follows:

There are 5 different types of locks in 5 different bytes

the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone

Step 3: Use the modified file to update your phone. Let’s assume you copied the modified file to /sdcard/nv_data.bin on the phone, and again the commands below are executed on the phone.

$ su
# rm /efs/nv_data.bin
# rm /efs/nv_data.bin.md5
# cat /sdcard/nv_data.bin >> /efs/nv_data.bin
# chmod 755 /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
# reboot


That’s it, you’re unlocked. The unlock should persist across ROM (firmware) changes.

References: a great article with pointers to valuable information on the i9000 series.

I had setup a RAID1 system using two 1TB volumes, I had decided to split the 1TB mirrored volume into 300Gb/700Gb so I could limit the space used by backups to 300Gb. In hindsight this was a silly idea, and it also made the migration process more complicated. If I had placed the 300Gb volume second, it might have been feasible to move that data somewhere then expand the 700Gb volume to fill the remainder of the drive – but I had put the 300Gb volume first. One day someone will write the utility to allow you to shift the start of a volume to the left (towards the start of a drive).

Instead of sticking with a RAID1 setup, I decided to move to RAID5. While there is a little less redundancy with RAID5, the additional flexibility seems like a good trade off to me at this point. I’ll avoid getting into the religious debate over which type of RAID you should use, or if RAID makes sense at all with large sized drives. Also there are some good off the shelf solutions now such as Drobo or QNAP.

With a project like this it is a good idea to make a plan in advance, then log your steps as you go along. Migration of 100′s of Gb of data will take time, lots of time. I did the work over about 5 days, some of it while on a trip outside the country (remote access!). Here was my plan:

1. install new drive – ensure system is happy
2. break mirrored set – run in degraded mode
3. repartition new drive & unused mirrored drive
4. create degraded raid 5 (2 drives only)
5. copy data from degraded mirror onto degraded raid5
6. decommission degraded mirror & repartition
7. add volume to raid5 set

I also was careful to check that the new volume had the same capacity as the other two having been bit by that in the past. (I used fdisk -l /dev/sde to get the stats of the drive)(...)
Read the rest of How To: Migrate from Raid1 to Raid5 (535 words)