Baofeng Antenna Hacking

The infamous Baofeng. Specifically, I have the UV-5RA model. This is a lot of new hams' first handheld radio, and perhaps first radio period. I picked this one up because it was half the price of paying for a new battery to get my Yaesu VX-7R back on the air, and I had to get a reliable handheld radio quickly. I've had this one for about a year. I'm not sure I'd recommend it as a first radio unless you're really on a budget, but for what it is, I've been pretty happy with it. Lack of features compared to my Yaesu radios aside, my only complaints are that it has poor intermod rejection, and that the receive CTCSS squelch frequently fails to keep RF noise from coming through the speaker when there's no real carrier there.

One thing that a lot of people complain about is the OEM antenna, but people complain about stock antennae on all handhelds. I stay pretty close to the repeaters I use frequently, so mine hadn't given me any problems until recently. A few weeks ago, I noticed that I had trouble picking up a repeater that's REALLY close during the weekly storm spotter net. Checking into these discussions weekly, even in the off-season, is one way to check that your equipment works. Mine wasn't. After testing everything else, the OEM antenna turned out to be the culprit. I cut it open to see what's inside. In my case, the wire going from the center SMA pin to the antenna coil had broken loose. You can see the antenna guts below.

I have a lot of antennae with male SMA connectors for my Yaesu handheld radios. A lot of these inexpensive Chinese radios (Baofeng included) use a female SMA antenna for whatever reason. Instead of coughing up $20-$40 at the local candy store for a new antenna that works with my Baofeng, I picked up an SMA coupler similar to one you can find at Radio Shack. It has flats on the sides, so I used a pair of needle nose pliers to screw it tightly into the Baofeng. You don't want to strip the coupler or the radio's connector, but it should be pretty snug there, so that it'll stay in the radio when you unscrew antennae from it. I had this Comet SMA-24 lying around, and chose to use it on the Baofeng. It comes with a rubber spacer, which comes in handy for this install. The new antenna fits on nicely with the addition of the spacer. Without it, a little section of the coupler shows through. The end result is that all my other HT antennae now work perfectly on this radio.


Using the Intel Play QX3 with the newer gspca driver and v4l

Years ago Mattel released an educational toy microscope called the Intel Play QX3, and later the QX5. This particular microscope has a CMOS imaging chip with a lower lamp for transmitted light to come through a specimen and an upper lamp for light to be reflected off of it, each of which is independently toggled on and off by software. The resolution and speed of the CMOS chip in the QX3 are quite poor by modern standards, but it does function adequately for a basic educational model. Some samples of the attainable image quality can be found. I happen to own a QX3 and in the past was able to use the old guides for the old driver to turn the illuminator lamps on and off in older releases of various Linux distros. As time moved on, driver rewrites began and things got shuffled around. Instead of using the old CPiA driver, modern distros use the gspca driver framework, which still operates under Video4Linux. V4L has a control utility that allows regular users to send commands to the driver via its API, available in the v4l-utils package. The old method involved sending commands directly to the device driver module as a user with root privileges.

Plugging the microscope in shows the following:
jon@leon:~$ lsusb 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub 
Bus 005 Device 002: ID 0813:0001 Mattel, Inc. Intel Play QX3 Microscope 
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub 
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub 
Bus 003 Device 003: ID 046d:c063 Logitech, Inc. DELL Laser Mouse 
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub 
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub 
jon@leon:~$ dmesg
[101645.604019] usb 5-1: new full-speed USB device number 2 using uhci_hcd
[101645.811040] usb 5-1: New USB device found, idVendor=0813, idProduct=0001
[101645.811045] usb 5-1: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[101645.811048] usb 5-1: Product: Intel Play QX3 Microscope
[101645.811050] usb 5-1: Manufacturer: Mattel Inc.
[101645.830281] Linux video capture interface: v2.00
[101645.833059] gspca_main: v2.14.0 registered
[101645.835930] gspca_main: cpia1-2.14.0 probing 0813:0001
[101646.140126] input: cpia1 as /devices/pci0000:00/0000:00:1d.3/usb5/5-1/input/input11
[101646.140262] usbcore: registered new interface driver cpia1

To talk to the camera driver module use v4l2-ctl to list and change the various settings it has available.
jon@leon:~$ v4l2-ctl -l

User Controls

                     brightness (int)    : min=0 max=100 step=1 default=50 value=50 flags=slider
                       contrast (int)    : min=0 max=96 step=8 default=48 value=48 flags=slider
                     saturation (int)    : min=0 max=100 step=1 default=50 value=50 flags=slider
           power_line_frequency (menu)   : min=0 max=2 default=1 value=1
                  illuminator_1 (bool)   : default=0 value=0
                  illuminator_2 (bool)   : default=0 value=1
             compression_target (menu)   : min=0 max=1 default=0 value=0

Flipping the lights on/off involves setting the illuminator_n controls with bool values. illuminator_1 is the lower, transmissive, light source. illuminator_2 is the upper, reflective, light source.

It is easy to turn them on/off at will from a command line.
v4l2-ctl -c illuminator_1=0
v4l2-ctl -c illuminator_2=1
v4l2-ctl -c illuminator_2=0
v4l2-ctl -c illuminator_2=1

To get the microscope working I installed Camorama and it saw the QX3 when run. A bit of twiddling with the sticky and twitchy focus controls brought in a good view of some wear on a coin, illuminated by the upper lamp. Finally, science!


Trade Wars 2002 contest starting Feb. 1

Trade Wars 2002. Remember it?

HiR is hosting a TW2002 contest. Fire up your telnet clients, pick a throwaway password you'll never use for anything else, and join us.

The contest game (Game B) is a TW2002 Gold game with very few modifications, a 5,000 sector universe and 1,000 turns per day. 5 deaths eliminates you. The contest opens on February 1st, with a 14 day entry window. No admittance after that. No prizes other than bragging rights, but it should be fun.

In the meantime, a sandbox (Game A) is in session for your amusement and a bit of practice. It offers 5,000 turns per day to really give you a lot of time to explore and get your bearings straight with how the game works. I'm sure some of you are kind of rusty. I'll probably reset it in about two weeks when the entry period for the contest game closes.

You can get to the games via telnet on tw2002.h-i-r.net port 2002/tcp

All of the "Forgotten Ages" verbiage is a hold-over from the telnet MUD/BBS my wife ran back in the early 2000s. We've had licenses for Trade Wars and TWGS for a long time, and decided to finally put them to use.

Play clean, or play dirty. There are a lot of glitches and loopholes in this relic of a game. They're yours to use if you can find them.


OpenVAS on BlackArch Linux: Installation Notes

OpenVAS can be tricky to set up. Once OpenVAS packages are installed, there's a bunch of steps you need to perform, and in a pretty specific order, to turn it into a working vulnerability scanner. There are four parts to OpenVAS: The Scanner service, the Manager service, the Administrator service, and then some front-end client. In this case, I'm demonstrating Greenbone Security Assistant, which is yet another service, an SSL web UI that you can access locally, or from another computer, for managing OpenVAS.

I recommend using sudo instead of doing everything as root, but you're obviously not obliged to do it that way. These instructions presume you are using sudo, though. Sudo isn't in the Arch base distribution, but you can add it with:

[root@spx ~]# pacman -S sudo

First, install all the packages. gsa is the web UI, while gsd is a graphical client that runs under X11. You don't need to install both of them, but I usually do. A bunch of dependencies will be added with these packages. Lines beginning with a shell prompt are what I typed. Everything else is terminal output. Most of the really verbose output is truncated and noted with my own commentary in ellipses.

[axon@spx ~]$ sudo pacman -S openvas-administrator openvas-manager openvas-scanner gsa gsd
resolving dependencies...

Packages (75): alsa-lib-  cmake-  damageproto-1.2.1-2
               openvas-administrator-1.3.2-4  openvas-manager-4.0.4-3

Total Download Size:    73.21 MiB
Total Installed Size:   338.56 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...

Next, download all the OpenVAS NVT scripts. These are updated frequently. By default, OpenVAS doesn't ship with any scripts, so you need to download them. If there are no NVTs, the OpenVAS scanner service won't start.

[axon@spx ~]$ sudo openvas-nvt-sync
... lots of text while the NVT scripts download ...
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok

Next, make the SSL Cert for OpenVAS with this handy script:

[axon@spx ~]$ sudo openvas-mkcert
Answer each prompt if you want, but as this is a private-use certificate, I usually just hit enter at all the prompts to accept the defaults. We also need to make a Client Cert for OpenVAS-Manager (om) like this:  

[axon@spx ~]$ sudo openvas-mkcert-client -n om -i
Write out database with 1 new entries
Data Base Updated
User om added to OpenVAS.

Start the OpenVAS Scanner service. This can take a really long time, and consumes a lot of RAM.

[axon@spx ~]$ sudo openvassd
Loading the OpenVAS plugins...base gpgme-Message: Setting GnuPG homedir to '/etc/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '2.0.22'
Loading the plugins... 1887 (out of 33836)

The OpenVAS Manager service requires an SQLite database, but none is created during package installation. Use the following command to create the database. It will sit there for a few minutes and return to the command line without saying anything. This is normal. 
[axon@spx ~]$ sudo openvasmd --rebuild

Start the OpenVAS Manager service. This runs quickly. 
[axon@spx ~]$ sudo openvasmd

Add a user to OpenVAS. You'll log into OpenVAS with these credentials. Pick a strong password, not the one I use here.
[axon@spx ~]$ sudo openvasad -c 'add_user' -n adminusername -w adminpassword
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: User adminusername has been successfully created.

Start the OpenVAS Administrator service.
[axon@spx ~]$ sudo openvasad

I'm usually paranoid, and at this step, I check the process list for "openvas" services. You should see openvassd, openvasad and openvasmd all running. If not, look at the logs in /var/log/openvas to give you some hints, or check to make sure you performed each step necessary. If that all checks out, start a client, such as Greenbone Security Assistant.

[axon@spx ~]$ sudo gsad

Now just browse to https://localhost (or your BlackArch's network IP). You'll need to accept the self-signed certificate. Generating a new SSL cert for GSA is beyond the scope of this article.
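As an added example that is not part of the original post, the following POSIX shell script encodes the start-up order above and skips any daemon that is already running. It assumes the same binaries and sudo setup as the post; NVT_DIR is an assumed path, and the certificate steps are left to run by hand because openvas-mkcert prompts interactively.

```shell
#!/bin/sh
# Added example, not from the original post: start the OpenVAS services in the
# order the walk-through requires, skipping any daemon that is already running.
# Assumes the post's binaries and sudo setup. NVT_DIR is an assumed path.
set -u

NVT_DIR=${NVT_DIR:-/var/lib/openvas/plugins}   # assumption: where synced NVTs land

# missing_daemons NAME...: read a process list (one command name per line) from
# stdin and print, space separated, the names that do not appear in it.
missing_daemons() {
    procs=$(cat)
    missing=""
    for d in "$@"; do
        printf '%s\n' "$procs" | grep -qx "$d" || missing="$missing $d"
    done
    printf '%s\n' "${missing# }"
}

# start_if_missing NAME CMD...: run CMD unless NAME already shows up in ps.
start_if_missing() {
    name=$1; shift
    if [ -n "$(ps -eo comm= | missing_daemons "$name")" ]; then
        echo "starting $name" >&2
        "$@" || { echo "$name failed to start; check /var/log/openvas" >&2; exit 1; }
    fi
}

bringup() {
    # The scanner refuses to start without NVTs, so sync them first.
    [ -n "$(ls -A "$NVT_DIR" 2>/dev/null)" ] || sudo openvas-nvt-sync
    # Certificates (openvas-mkcert, openvas-mkcert-client -n om -i) prompt
    # interactively, so run them once by hand before using this script.
    start_if_missing openvassd sudo openvassd     # slow and memory hungry
    sudo openvasmd --rebuild                      # builds the SQLite DB; silent for minutes
    start_if_missing openvasmd sudo openvasmd
    start_if_missing openvasad sudo openvasad
    start_if_missing gsad sudo gsad
    # Create the login user separately (openvasad -c add_user ...): the -w form
    # puts the password in the process list and your shell history.
    left=$(ps -eo comm= | missing_daemons openvassd openvasmd openvasad gsad)
    if [ -n "$left" ]; then
        echo "still not running: $left (see /var/log/openvas)" >&2
        return 1
    fi
    echo "OpenVAS is up; browse to https://localhost"
}
```

Run `bringup` from a shell that has sourced the script; `missing_daemons` can also be used on its own to check the process list at any later time.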


Introducing: BlackArch Linux

I've always admired Arch Linux, the spartan and light-weight Linux distro with its rolling release and clever package management system. At the same time, a lot of the security tools I know and love are difficult to compile, and found in few package repositories outside of Kali Linux, the Debian-derived distro that comes packed with pretty much every open-source security and penetration-testing tool that's relevant to today's researchers... and that's part of the problem. It's fun to play with new tools on occasion, but I rarely want or need all that stuff installed at once. Also, while I've spent more than enough time on Debian-family Linux distros thanks to a job managing Ubuntu LTS servers and hand-holding various friends and family through Ubuntu on desktops, it never quite felt like home as much as Arch does.

Enter BlackArch Linux, a package repository for arming your Arch Linux box to the teeth with all our favorite tools. There's also a collection of Live images to play with if that's more your style, but this relatively young project offers an appealing choice to those who prefer Arch. Getting BlackArch up and running is pretty straightforward.

I prefer to start with a basic Arch Linux installation. For the command-line adept and those familiar with Arch, the Arch Installation Guide is a no-nonsense checklist of things you need to do, while the Beginners' Guide offers a bit more hand-holding. I used both when getting back into Arch Linux a while ago. You'll need to partition your drive, format the filesystems, pacstrap it, set up the network, add a user, and some other basic things that are outlined in the guides. Installation difficulty is on par with OpenBSD, but with a little less guidance from a dedicated install script. Don't forget to set up a boot loader!

You'll probably want to customize your Arch Linux install, which may include setting up X11, a Display Manager and a Window Manager or Desktop Environment (handy for using a graphical web browser or GUI-driven tools such as BurpSuite). That's all covered in the Beginners' guide as well. I'm pretty fond of OpenBox with Conky, so I ended up with a pretty minimalist desktop, shown here.

Once you have Arch installed and a comfortable userland configured, you'll want to make sure it's up to date by running "pacman -Syu" and then you should install wget before moving on to installing BlackArch, if you haven't already:

pacman -S wget 

From there, you can simply follow the instructions on the BlackArch Download page. This will just add the repositories to your Arch Linux installation, and doesn't actually install the packages. You can opt to install all the packages at once with:

pacman -S blackarch

But in my opinion, the fact that you can pick and choose which tools to install makes it quite nice for devices like netbooks or other machines that you really don't want bogged down with hundreds of tools you don't need. The BlackArch download page outlines how to peruse their repository for the stuff you want, or install groups of similar packages, such as "blackarch-scanner" and "blackarch-networking".

In my next post, I'll explain how to configure OpenVAS, and get it up and running on BlackArch. I frequently set this up in my security lab when introducing interns to vulnerability scanning, and it's usually a bit tricky to get running for the first time.


I am really tired of this 'eco-friendly' (and useless) gas can.

A few years ago, I bought a new gas can. I noticed it doesn't have a ventilation hole, but I figured there was some magic in the bizarre spout design that made ventilation unnecessary. I figured wrong. It takes several minutes to empty two gallons into a vehicle. I got tired of it today.

Step 1: Acquire useless gas can.
Step 2: Drill a small pilot hole in the handle, somewhere that won't leak when the can is full or in use.
Step 3: Plug said hole with a thumbscrew, wing bolt or other suitable, secure device.

Loosely illustrated in attached photos. This works much better, but 1) might not be as safe for transporting gasoline, 2) might get you in trouble with some all-seeing government agency. As always: We're not responsible for problems caused by people who try this at home.


OpenBSD 5.4 Released. OAMP/ONMP walk-throughs updated

OpenBSD 5.4 was released on November 1st. Some new features include:
  • Support for BeagleBone and BB Black
  • Some much-needed improvements to dhclient
  • OpenSSH 6.3 with some new features
Of course, the nginx and Apache MySQL/PHP walk-throughs have been updated and tested. Enjoy:

OpenBSD/Apache/MySQL/PHP guide
OpenBSD/nginx/MySQL/PHP guide