2010-01-30

Memories of a Timex Sinclair 1000

Someone brought this wonderful pile of memorabilia to CCCKC last week.




This is a Sinclair ZX81. It was introduced to England in 1981. It was a Zilog Z80-powered entry-level computer that used a cassette tape (remember those?) for storage of data, and hooked up to a TV for a monitor. The ZX81 used the european PAL standard, so this machine won't work on normal analog TVs here in the US.

The ZX81 features a whopping 1kB of built-in RAM, and a CPU clock speed of 3.25 MHz, or for you kids out there that don't know what a kB or a MHz is: It had about 0.0000001 GB of RAM or about 1,024 characters, and ran at 0.00325 GHz. It could be purchased pre-assembled, or in kit form, which required soldering.

The version that made it stateside -- the Timex Sinclair 1000 -- was my very first computer. It was a slightly modified version of the ZX81. Mostly, it featured twice the RAM (still not enough to hold the typed text from a single page of a paperback book) and an NTSC modulator that was compatible with our television sets. Graphics were mostly block characters on the screen, and if you wanted a program with much power behind it, you had to use Z80 assembly language, if for no better reason than more efficient use of the RAM.

My Sinclair died sometime in the early 90s. It still powers on (if I can find it) but the membrane keyboard's ribbon cable became brittle and broke, mostly due to the heat sink inside that sits very close to... well... everything, since the machine itself is so tiny. I'm wondering if I could get away with using my small portable "watchman" style pocket TV as the monitor and a voice greeting card to store a program or two. I have a few ideas about fixing the keyboard's ribbon cable. If I can unearth my old Sinclair, I'll see if I can get it fixed up. Until then, I'll just gawk at these pictures and remember with fondness the days that kick-started my interest in computers.

What was your first computer? Do you still have it?

2010-01-27

Remapping the MacBook Keyboard

I love OS X, and I also have this thing for Apple hardware, especially their laptops. You can rant and rave about "Apple Tax" until you're blue in the face. You won't sway me. One thing that kind of irks me, though, is the keyboard on the MacBook series.



While the sunken, chicklet-style keyboard garnered much criticism in 2006, I like the feel of it. As you can probably tell from the title of this article, my primary complaint isn't in the style of the keyboard. It's in the keys that seem to be missing. In OS X, the MacBook's scant 78-key input device makes sense. Other keys are nice, and are provided on the full-size keyboards for the desktop behemoths, but as a general rule, the slimmed-down laptop keyboard gets things done.

Being an Operating System Junkie, however, I often find a need for some oddball key that's nowhere to be found. In Linux and BSD (or when SSH-ing) from Windows using PuTTY, Shift-Insert pastes text to the terminal. There's no Insert key. In Windows, I'd rather not install vestigial bloatware to grab screen shots. Alt-PrintScreen is the old standby. There's no PrintScreen button, either.

At the same time, there are keys I rarely use in OS X, and they become completely useless on any other platform. They also happen to be near the places that I expect Insert and PrintScreen to be on a full-size keyboard.

There are registry hacks to remap keys on Windows. RandyRants has a great write-up on this, and wrote SharpKeys to help people easily re-map their keyboards. In my case, I wanted to remap F12 to function like PrintScreen, and the Keypad Enter key (next to the arrows, shown prominently in the photo above) to function as the Insert key.


The resulting registry patch is included so that you need not install vestigial bloatware just to remap your MacBook keyboard. Save the text below to a file called "remap.reg" and import it to your Windows Registry -- usually, by double-clicking it. Still, SharpKeys a nice utility to know about, particularly if you have any portable computers lacking a full set of keys.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,03,\
00,00,00,37,e0,58,00,52,e0,1c,e0,00,00,00,00

On Linux and BSD, xmodmap will do the same thing, a lot easier. I didn't bother remapping Print Screen, but getting Enter to function as Insert was important. Create a file called ".xmodmaprc" in your home directory, and add the following content to it:
keysym KP_Enter = Insert Insert Insert Insert
The next time you log in to Ubuntu, you'll get a dialog asking what you want to do with this file:


Load the .xmodmaprc file, and if you wish, choose to not show the dialog again. Click OK.

On BSD and perhaps many Linux flavors, you may have to manually edit some files to load xmodmap. You can usually put this line at the beginning of your .xsession or .xinitrc file to load the .xmodmaprc file when X starts. Alternatively, you can run it in an xterm to make sure it works:
xmodmap .xmodmaprc
These tricks work just as well on bare metal as they do in a virtual machine, or at least as tested in VirtualBox. That's a major annoyance out of the way for me!

2010-01-26

Getting the Lock Code on an LG Mobile Phone



A few weeks ago, my trusty LG Env3 met its untimely demise in a washing machine. I immediately yanked the battery out first. None of the usual tricks worked. I tried many of them, but here are a few that HAVE worked for me in the past with other peoples' phones:

  • Take it apart and blow-dry the electronics
  • Seal it in a container of uncooked rice or other desiccant overnight



This isn't about drying a phone out, though. I surfed eBay and was taken aback by the prices for used but working Env3's. So I decided to buy a broken one. Preferably one with a mechanical problem where the non-damaged mechanical parts from my electronically-fried phone could be put to good repair use. Like this one:


Lo and behold, the case was pretty well damaged and the ribbon cables joining the two halves had been severed. Otherwise, the phone seemed to be in okay shape. Commence repair. We are Env3 of Borg. Parts everywhere, mix and match a frankenphone. What a mess!


There's not much I can teach you about this. If you have the know-how to disassemble the pieces of two nearly-identical non-working objects and you know which parts are bad, you can probably assemble one good working unit. That's not what this is about, either.

This is about what happened to me once I powered on the resulting piecemeal ware -- something that happens probably more often than you'd think, whenever you buy a used phone from someone you don't know: The Lock Code... OF DOOM.




By default, the lock code is the last-four digits of the phone's programmed phone number during initial programming. This is different than the SERVICE CODE which is usually six zeroes. In the case of the eBay phone, though, we don't know the phone number. The easiest way to find out is to access the service menu. On newer LG phones, you enter "##PROGRAM" followed by the VX- model number, and hit send. The model number can usually be found inside the phone behind the battery compartment.


If it's a QWERTY clamshell like mine, the phone must be opened and the code must be entered on the QWERTY keyboard. Example: The Env3 is a VX-9200 and the service menu is accessed by hammering in [Sym]3[Sym]3PROGRAM9200[SEND] which shows on the screen as "##77647269200"


A prompt will show up for the service code. Again, this is 000000 by default.


Access the "Service Programming" menu, usually the first option. And don't change anything.


You'll see the Mobile Equipment ID and ESN on the first screen...


...and the Phone Number on the second screen. Write the phone number down. Exit the service programming menu. This will usually cause the phone to turn off or reboot.



Try the last four digits of the phone number as the unlock code. Usually, this works. When you call your provider to activate your phone, this unlock code should be changed to the last four digits of your phone number, and you're in the clear. Consult your user manual if you wish to de-activate locking.

In my case, however, the user was savvy or paranoid enough to know that friends who know the mobile number could probably guess the lock code. That is to say, the lock code on this phone was NOT the last four digits, and I was still locked out of the phone I paid for. At this point, I'm thinking that it'd have been nice for the seller to remember there was a lock code and to provide it. Oh well. Who am I to let a little 4-digit code get in my way? Not bloody likely.

Most phone service techs will charge $30 to $50 to remove the lock code. Highway robbery is somewhat expected with these guys, though. Enter my good old friend: QPST. Officially for service technician use only, QPST is a suite of programs for troubleshooting and programming phones using Qualcomm's lineup of mobile baseband processors. I used QPST in an article just over 2 years ago when discussing tethering.

The same thing applies. You can't buy QPST, but it's "out there" and you can easily download it or get it from a friend who works in the industry. You also have to run it on Windows, or at least in a virtual machine. If you do try to get it "in the wild" you should probably have a good anti-virus solution installed. You'll also need a data cable for your phone. LG's newer phones ship with a data cable and a USB Wall-Wart, so you probably already have a data cable.

Once you have the phone hooked up and the drivers installed, you should be able to see the phone in the QPST Configuration tool. If not, click "Add Port" and add one of the USB Serial ports. Select the phone from the list and launch the "Service Programming" tool from the "Start Clients" menu.

Flip over to the "1X/HDR Security" Tab and click the "Read From Phone" button. Voila. You've found the lock code! Below, you can see it was set to 4776. You should also be able to change it from this menu, but I didn't bother trying.


While there are some pretty cool things you can do with QPST aside from the things I have covered on HiR, you can also brick or damage your phone when you mess with it at this level, so think before you act.

2010-01-24

Fixing Windows: NTLDR missing, install CD won't boot

I ran across a bizarre Windows issue today on a friend's laptop. It appears to be relatively common, but the answers seem to be elusive, or all over the map. Not only was there an "NTLDR Missing" error, but in trying to access the Recovery Console, the Windows XP Install CD was halting as a blank screen right after "Setup is inspecting your computer's hardware..."

The short answer:
The partition table or boot sector is corrupt and it's messing with Setup when it scans your hard drive and causing the lock up before the installer starts. You are going to have to delete the partition and re-install Windows from scratch. I hope you have backups! Of course, if you prefer, now's a good time to try some other Operating Systems. ;)

The long answer:
Normally, "NTLDR Missing" errors are easy to fix with the recovery console of the Windows install CD or with 3rd party tools like FixNTLDR, UBCD or BartPE (builds a live-CD from your Windows install CD)

The first things to try are replacing the core boot files from the pristine versions on the XP CD (as per the Microsoft KB article) -- ntdetect.com, ntldr, and verify that the syntax of boot.ini is valid. Also, running fdisk /mbr can fix certain boot problems. These should be non-damaging to the data on your drive. You should try to fix it before you go blowing away the partition table.

In my case, none of the third party tools were working, and all the Windows XP CDs I have failed to boot past the "Setup is inspecting..." screen on this machine. The screen went dark and the CD stopped spinning, the system hung and refused to boot. No boot means no recovery console. I tried using the Windows 7 CD, too. It would boot but couldn't find a valid windows partition to repair.

My next step was to boot into Backtrack 4 Final from USB, and try to replace the files as one would from the Windows Recovery Console. I was able to write to the hard drive, and get the files off the OEM Restore CD just fine. Boot.ini was also intact. Still, the system wouldn't boot from the hard drive or the XP install CD.

As mentioned above, it was time to blow away the partition table and start over. Fortunately, my friend had good backups on an external hard drive. I opted to use BackTrack 4 Final to perform the partition-ectomy. Several boot CDs can do this, too. YMMV.

Deleting the partition with BackTrack is simple. Once you have booted backtrack, execute "cfdisk /dev/hda" - This assumes you have only one hard drive in the machine, and that there's only Windows XP installed.


Select the partition using the up/down arrow keys and navigate with the left/right arrow keys to the "Delete" menu option. You may be wondering what I'm doing with a scant 2GB hard drive. This is actually a Windows XP Virtual machine, used for lab testing.


Then, use the arrow keys to navigate to the "Write" option.


Quit cfdisk, then reboot with your Windows CD to start the installation process.

2010-01-23

Review: Master 1500iD "Speed Dial" lock

On a whim, I picked up a Master Lock 1500iD a few weeks ago. Mostly, this was for physical security research because I was bored at the time. Well, and I wanted a new lock for keeping my bike locked up at the job I used to have.


I had been using a derivative of the somewhat vulnerable Master 175 Padlock. I have always been a proponent of security in depth, so a somewhat chintzy lock combined with a very sturdy bike rack, a length of towing chain, and a parking garage with patrolling officers and cameras everywhere provided adequate layered protection. Also, in fair weather, several other lesser-secure bikes would be parked with mine, adding a layer of Darwinian Bicycle Security.

Advantages that made me choose this lock were many. First, the shrouded hasp meant it was likely to be resistant to shimming. Also, the "combination" could be entered in low-light conditions and while wearing gloves. This is important, because the parking facility I was using at the time was not heated (so it was cold!) and they'd switched to fluorescent lights that never really warmed up or achieved full brightness whenever it was below freezing. On REALLY cold days, some of the lights would refuse to turn on. All of these factors made this lock look like a solid winner for the situation.

Note: This lock is meant to keep your mobile phone and sunglasses safe in the locker room at the gym. It's meant to keep middle-school kids from stealing your homework. Alone, it's not the best tool for locking up a bicycle or anything valuable.

One of the first things I wanted to know was how it worked inside. I also wanted to know how difficult a task it was to get it open without completely destroying it. To the first end, I stumbled on Michael Huebler's 1500iD visualization flash simulator, and subsequently the PDF breaking down most of the facts on this lock.

In fact, Michael had covered most of the angles I was hoping to discover on my own, and did a better job than I could've done here. Therefore, it's worth the read if you're interested in locks, locksport or mechanical things.

By the way, with a good set of drill bits meant for cutting steel, it took me about 7 minutes to get into the lock on my workbench without completely destroying anything. In practice, an attacker would use a large set of bolt cutters since the hasp isn't completely shrouded. This should make short work of a lock like this one in just a few seconds.

I noticed a few collisions, another point that mh's article brought to attention. The lock opens when the four wheels are in the correct state, and every movement of the joystick changes the state of three out of the four wheels. It is for this reason that there is more than one way to get to almost any given state. Using the state in the screenshot above, Right-Left-Down-Left is the combination shown. The same state can be accomplished with Up-Right-Down-Left.

In short: The number of combinations is unlimited, but the number of mechanically-possible states is markedly finite: 7,501 to be exact. mh likens this to the mechanical version of a hash function. I can't think of a more concise allegory for it.

Mechanically, I think Master did a lot of stuff right. First off, the hasp acts as the wheel reset mechanism. This allows the hasp to be locked with a gate that doesn't rely on a spring. Even without the hasp shroud, there is no way to shim this lock. The best you could hope for is to wiggle a very thin wire in through the reset slot on the back to probe for the various gate positions.

If nothing else, the inner workings are innovative. It's simultaneously bizarre but fitting that Master would test new technology in a "toy" lock like this one. Perhaps there's a way to make it scale, either via more positions per wheel, or more wheels to gain more state space.

2010-01-12

Flexible operating systems

A while ago, John from TAOSSA mentioned something under his breath (or as much as one can do so with a keyboard) about Gentoo Linux. I replied with the fact that I learned the (very) hard way that if you think you want to play with Gentoo, you actually want to play with Arch Linux.


Gentoo is flexible -- perhaps maybe a bit too much so for most people. And it requires a lot of setup. Arch starts small, but it's not minimalist. There's a specific philosophy to most distribution families. It so happens that Arch Linux' philosophy is similar to that of another OS that I love: OpenBSD.

Arch values code correctness and cleanliness over convenience. They start you out with a small but powerful core that doesn't have a GUI or many fancy apps installed, but they provide you with everything you need in order to have your ideal setup running pretty quickly. While most Linux distributions make broad-sweeping assumptions about what the end-user will want or need to do. Flexible operating systems do no such thing. They might require a little bit more work to get set up, but what you end up with will be precisely what you want, not just something that you can make work.

Also, HiR got about 3.5 seconds of fame via Mubix on Hak 5 Episode 621 (a little after the 3:00 mark). Mubix mentioned most of what he was doing with FreeBSD was shell stuff. All of the BSDs require some work to get all configured and ready to use with a GUI, they don't go too overboard on assumptions.

For example, the things I do first on both ArchLinux and OpenBSD:
  • Set up package repositories. In OpenBSD, set PKG_PATH to the URL of a package mirror. In Arch, un-comment some lines in /etc/pacman.d/mirrorlist
  • Install sudo and give the %wheel group sudo access.
  • Create a user-level account, place it in the wheel group.
  • Log off, log on with my user-level account
  • Start adding packages and setting things up!
It's up to you to figure out what packages you want. X.org, a window manager, web browser, IM client, a word processor, and your favorite CLI tools are probably the first things you'll want to set up. Or maybe you just want an AMP web server. Flexible OSes do both of these things well and without much fanfare. Truly, you make your own distribution with every install.

Arch Linux is interesting in that there is no "release" schedule. You just perform "pacman -Syu" to upgrade all the packages to the latest stable version. Upgrading OpenBSD can be a bit more of a pain, so I genuinely like how Arch handles it.

Minimalist distributions (DSL, TinyCore and Puppy Linux come to mind) still make too many assumptions. Although they're tuned for systems that have limited resources and they can be tweaked and expanded quite a bit, you may find that the partitions aren't configured the way you want, that the organizer included applications that you don't need, or worse: they compete with the applications you'd rather be using.

2010-01-09

New year, new opportunities. Want to hire me?

I am officially on the prowl for a new job. I have many passions related to technology, security, and writing. I'm currently in Kansas City and if the deal is sweet enough, I'd be willing to relocate. I have a quiet, distraction-free home office that's perfect for telecommuting if you're not in the area. If you know someone who could put my skills to good use, let me know. I can be reached via e-mail at ax0n (at) h-i-r.net or via GVoice: 913-259-4HiR. Full Resume available upon request.

I'm genuinely jazzed about what opportunities lie ahead for 2010!