Fixing my parents' ADSL
I was back at my parents’ over Christmas, like usual. Before I got back my Dad had mentioned they’d been having ADSL stability issues. Previously I’d noticed some issues with keeping a connection up for more than a couple of days, but it had got so bad he was noticing problems during the day. The eventual resolution isn’t going to surprise anyone who’s dealt with these things before, but I went through a number of steps to try and improve things.
Firstly, I arranged for a new router to be delivered before I got back. My old Netgear DG834G was still in use and while it didn’t seem to have been the problem I’d been meaning to get something with 802.11n instead of the 802.11g it supports for a while. I ended up with a TP-Link TD-W8980, which has dual band wifi, ADSL2+, GigE switch and looked to have some basic OpenWRT support in case I want to play with that in the future. Switching over was relatively simple and as part of that procedure I also switched the ADSL microfilter in use (I’ve seen these fail before with no apparent cause).
Once the new router was up I looked at trying to get some line statistics from it. Unfortunately although it supports SNMP I found it didn’t provide the ADSL MIB, meaning I ended up doing some web scraping to get the upstream/downstream sync rates/SNR/attenuation details. Examination of these over the first day indicated an excessive amount of noise on the line. The ISP offer the ability in their web interface to change the target SNR for the line. I increased this from 6dB to 9dB in the hope of some extra stability. This resulted in a 2Mb/s drop in the sync speed for the line, but as this brought it down to 18Mb/s I wasn’t too worried about that.
Watching the stats for a further few days indicated that there were still regular periods of excessive noise, so I removed the faceplate from the NTE5 master BT socket, removing all extensions from the line. This resulted in regaining the 2Mb/s that had been lost from increasing the SNR target, and after watching the line for a few days confirmed that it had significantly decreased the noise levels. It turned out that the old external ringer that was already present on the line when my parents moved in was still connected, although it had stopped working some time previously. Also there was an unused and much spliced extension in place. Removing both of these and replacing the NTE5 faceplate led to a line that was still stable. At the time of writing the connection has been up since before the new year, significantly longer than it had managed for some time.
As I said at the start I doubt this comes as a surprise to anyone who’s dealt with this sort of line issue before. It wasn’t particularly surprising to me (other than the level of the noise present), but I went through each of the steps to try and be sure that I had isolated the root cause and could be sure things were actually better. It turned out that doing the screen scraping and graphing the results was a good way to verify this. Observe:
The blue/red lines indicate the SNR for the upstream and downstream links - the initial lower area is when this was set to a 6dB target, then later is a 9dB target. Green are the forward error correction errors divided by 100 (to make everything fit better on the same graph). These are correctable, but still indicate issues. Yellow are CRC errors, indicating something that actually caused a problem. They can be clearly seen to correlate with the FEC errors, which makes sense. Notice the huge difference removing the extensions makes to both of these numbers. Also notice just how clear graphing the data makes things - it was easy to show my parents the graph and indicate how things had been improved and should thus be better.
Thoughts on SSDs and encryption
My laptop is just over 3 years old, which is about the point I start to think about a replacement. At present there’s nothing that’s an obvious contender so I’ve been looking at an SSD to prolong it by another year or two.
One of the other thoughts I had is that I currently use dm-crypt under Linux to provide whole disk encryption for everything except the boot partition - I have a bunch of my personal financial and immigration documents stored that I’d prefer not to get disclosed if my laptop is stolen. Modern drives have started offering integral AES encryption options, so perhaps I could offload that to the drive (my i5 470UM lacks the hardware instructions for this).
General consensus in the pub (where all the best security advice is to be found) is that no one present trusted SSD firmware authors to not use some badly chosen AES crypto mode, or leave the key lying around plain text in easily readable flash, or some other implementation mishap.
So how hard would it be to retrofit reliable (or at least source verifiable and thus more reliable) crypto to an SSD? There was an impressive article recently about reverse engineering the firmware of a HDD, to the point of modifying data returned to the host and also running Linux on the controller. It seems that SSD firmware should be easier - NAND is simpler to talk to than motors and magnetic sensors, right? It’s a case of gluing together a SATA interface, a NAND controller and an AES offload engine, yes?
Aside from the minor matter of finding a suitable drive with an available JTAG interface, a controller with docs (or more likely that can be reverse engineered) and enough time to produce a replacement open firmware, that is.
Alternatively can anyone provide some idea of how secure the available laptop SSDs on the market actually are? I’m fine with “the NSA can read your data if they want” because a determined attacker will be able to find other ways to get my data anyway, but I don’t want “anyone who finds the drive can use this loophole in the firmware by wiggling some bits with jtag to dump the key and read all your data”.
Building a new house server
I’ve moved (only a couple of blocks from where I was before), and as the new place has Webpass I’ve reluctantly given up my Sonic.net connection, along with its static IPv4 address and ISP IPv6 tunnel. Hard to resist a 200Mb/s ethernet connection for the same price I was paying for 18Mb/s ADSL2 though.
However that leaves my DGN3500 router somewhat inappropriate for providing my net connection. Freed from the need for an ADSL/cable router I decided it was time to build an all in one house server (I’m a believer in as few always on boxes as possible). I already had a nettop acting as a media box, but wanted to build something that would handle:
- Gateway for the external network connection
- Routing to internal ethernet
- 2.4GHz wifi router
- 5GHz wifi router
- Printer server
- House NAS
- Backup server (syncing externally as well)
- DLNA server
- mpd server
- ATSC based PVR
Probably in that order if it turns out I’m asking too much. The intention is the box is the only one that always needs to be on, so I wanted it to be low power consumption. I also wanted the option of hooking it up to the TV if it turned out to have enough grunt, so the case needed to be something suitable for the living room.
I like Intel’s approach to graphics drivers, in particular the existence of Free video acceleration support, so I went with an Intel Core i3-3220T as the processor. It’s a 35W Ivybridge processor with HD 2500 graphics, plus I got it for a decent price.
For the case I chose a CFI A2059. There’s a local supplier I was able to pick it up from, it has a couple of large fans which helps keep the noise down while keeping things cool and as I was aiming for backup / file sharing being more important than a media box the 2 hot swap bays tipped the balance away from an AV style case.
The small case limits the motherboard options. I wanted twin GigE ports so the external was entirely separate from the internal (my switch does VLANs so I could have made do with a single port, but with a 200Mb/s connection I didn’t really want to share the port). The Gigabyte GA-H77N-WIFI seemed to fit the bill, with the added advantage of a built in WiFi card (an Intel 2230 in a mini PCI-E slot) which leaves the PCI-E slot free for either a TV tuner or a second WiFi card to cover 5GHz.
I maxed out the board with 2 8G G.SKILL DDR3-1600 DIMMs. I normally go Crucial because I’ve found them reliable, but these were slightly cheaper and available from the same place as the motherboard.
Finally I added a Seagate ST4000DM000 for storage. It actually came from a Backup Plus that Costco were selling for about $20 less than the bare drive sells for. The plan is to add at least another 1T drive to RAID1 the most important bits (or possibly a 2T - it depends which of my existing drives I can tidy stuff off most easily).
Of course it’s running Debian and I took the opportunity to try out the RC1 Wheezy image. For extra giggles I did an EFI install; this all worked fine except I didn’t end up with grub-efi installed at the end, instead I had grub-pc. I booted with legacy BIOS enabled and followed Tanguy’s switch to UEFI boot instructions.
Further notes on software setup to follow…
KVM + usbmon + Wireshark == win
(This is something I did a few months ago, and I really should have noted down all the details then so I covered everything. However hopefully these notes will remind me enough next time.)
When I first wanted to reverse engineer a USB device that only had Windows drivers the “easy” option was to take a Windows machine, install usbsnoop on it and capture the traffic as a bunch of verbose text files. It was a cumbersome procedure.
Recently I wanted to do a firmware upgrade of a ZTE 3G modem dongle, partly to provider unlock it and partly to try and enable some voice functionality. I was also hoping to sniff the traffic to see how to drive the voice side of things. These days I don’t have a dedicated Windows box, but I do have a Windows 7 KVM virtual machine. I hadn’t yet used the USB support in this, but I thought I’d see what it was capable of.
Firstly I had to explicitly enable USB2 - the device wasn’t happy with the default USB1 only stack that KVM enabled. That involved passing -usb -device usb-ehci,id=ehci to KVM. I also told KVM to grab all the ZTE devices with -device usb-host,bus=ehci.0,vendorid=0x19d2. I dropped a udev rules file into /etc/udev/rules.d to ensure any device nodes created belonged to my normal user.
This gave me a Windows setup that could see the USB dongle and install the appropriate drivers. It was also happy to do the firmware update (along with various device resets on the way as it changed USB ID - this is why I needed the udev rule, to ensure every time the device re-appeared it would be seen by the KVM instance without manual intervention).
After that was complete I investigated usbmon. modprobe usbmon created the appropriate /dev/usbmon<n> files and I chowned the appropriate bus to my normal user. Once this was done I was able to start Wireshark which rather nicely has full USB decoding support. Firing up the custom app in the Windows KVM guest I could see the traffic going back and forth to each of the device endpoints and work out what was going on.
All of this was much more flexible than using a standalone Windows box. Once I figured out that I needed to explicitly enable USB2 I was quite pleased with how simple USB access under KVM was. I also used lvm to create a snapshot of the Windows guest so at the end I could roll back all of the drivers I’d installed for the dongle. And being able to use Wireshark instead of trawling through dense text files helped a lot in seeing the command stream.
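An added example, not code from the original post: usbmon also exposes a text interface under debugfs, and the sketch below parses that format to recover a device's vendor/product ID from its device descriptor and list the bulk payloads sent to and from it, which is the view Wireshark gives of the binary /dev/usbmon<n> capture. The sample lines, the product ID 0x1234 and the AT exchange are constructed; only the vendor ID 0x19d2 comes from the post.

```python
import re
from collections import namedtuple

# Constructed sample in usbmon text format (/sys/kernel/debug/usb/usbmon/1u), not a
# capture from the post; product ID 0x1234 and the AT exchange are placeholders.
SAMPLE = """\
ffff8800a1b2c3c0 1000000 S Ci:1:004:0 s 80 06 0100 0000 0012 18 <
ffff8800a1b2c3c0 1000150 C Ci:1:004:0 0 18 = 12010002 00000040 d2193412 00000102 0301
ffff8800a1b2d400 1002000 S Bo:1:004:2 -115 4 = 41540d0a
ffff8800a1b2d400 1002090 C Bo:1:004:2 0 4 >
ffff8800a1b2e800 1003000 S Bi:1:004:1 -115 512 <
ffff8800a1b2e800 1004200 C Bi:1:004:1 0 6 = 0d0a4f4b 0d0a
"""
Event = namedtuple("Event", "tag ts kind xfer dirn bus dev ep setup data")
ADDR = re.compile(r"([CZIB])([io]):(\d+):(\d+):(\d+)$")

def parse_line(line):
    f = line.split()
    m = ADDR.match(f[3]) if len(f) > 4 else None
    if not m:
        raise ValueError("not a usbmon text line: %r" % line)
    bus, dev, ep = (int(x) for x in m.group(3, 4, 5))
    setup, i = None, 5        # f[4] is the URB status unless it is 's'
    if f[4] == "s":           # control submission: five setup fields follow
        setup, i = tuple(int(x, 16) for x in f[5:10]), 10
    # f[i] = length, f[i+1] = data tag ('=' means payload follows); 'Z' lines not decoded.
    has_data = m.group(1) != "Z" and f[i + 1:i + 2] == ["="]
    data = bytes.fromhex("".join(f[i + 2:])) if has_data else b""
    return Event(f[0], int(f[1]), f[2], m.group(1), m.group(2), bus, dev, ep, setup, data)

def parse(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def device_ids(events):
    """Map (bus, dev) -> (idVendor, idProduct) from GET_DESCRIPTOR(DEVICE) replies."""
    wanted, ids = set(), {}
    for e in events:
        if e.kind == "S" and e.setup and e.setup[:3] == (0x80, 0x06, 0x0100):
            wanted.add(e.tag)          # URB now waiting for its device descriptor
        elif e.kind == "C" and e.tag in wanted:
            wanted.discard(e.tag)      # URB tags get reused, so forget it once answered
            if len(e.data) >= 12:
                ids[e.bus, e.dev] = tuple(
                    int.from_bytes(e.data[o:o + 2], "little") for o in (8, 10))
    return ids

def payloads(events, bus, dev):
    """Bulk bytes for one device: OUT data is logged on 'S', IN data on 'C'."""
    return [(e.dirn, e.ep, e.data) for e in events
            if (e.bus, e.dev) == (bus, dev) and e.xfer == "B" and e.data]
```

The text interface truncates long payloads, so the logged length field can exceed the number of bytes decoded; for full transfers the binary capture read by Wireshark is the better source.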
SPI 2012 Board Election
The SPI 2012 board election voting opened up on Sunday and is open until the end of Saturday 28th July. My 3 year term has come to an end, so I’m standing for re-election. Michael Schultheiss (our current treasurer) is also standing again. There are also 2 new candidates in the shape of Gregers Petersen and Selena Deckelmann.
My nomination statement doesn’t have anything earth shattering in it. I’m largely of the opinion that SPI itself should be a boring organization, dealing with the common admin tasks of its associated projects and letting them get on with the job of changing the world. There are some challenges about how we scale larger that I’d like to see solved, but on the whole I see my role as a board member as being one of ensuring that SPI continues to function in a sensible fashion, rather than one of engaging in altering it in any serious fashion.
If you’re an SPI contributing member please vote - obviously I’d like you to vote for me if you think I’ve done a decent job over the past 3 years, but even if you don’t I’d still like you to take the time to be involved and vote.