June 2026
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Archive for the ‘Hardware’ Category

Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !

Posted by jpluimers on 2021/01/14

For my link archive: [WayBack] Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !

–jeroen

Posted in Development, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

OKI C332/MC342 – reset (short) device name, location, asset number and contact name

Posted by jpluimers on 2021/01/08

I’ve found out that the only way to reset the below fields on an OKI printer is to

go to the printer main page at http://192.168.124.34 (use the IP address of your own printer here)
logon as Administrator (on an OKI C332 that’s user admin which has default password 999999, on an OKI MC342 the password is aaaaaa)
go to the page http://192.168.124.34/setupfrm.htm (use the IP address of your own printer here) as that page can potentially be skipped during login
update these fields:
- Device Name
- Short Device Name
- Asset Number
- Contact Name – Administrator

Image source: [Archive.cs] Checking or Changing the Settings of This Machine from a Computer (MC853, MC873)

–jeroen

Posted in OKI C332, OKI Printers, Power User, Printers | Leave a Comment »

Fiber cables: speed and connectors

Posted by jpluimers on 2021/01/07

Similar to the CAT# designation for speed categories, fiber cables have an OM# designation. [WayBack] OM1 fiber, OM2 fiber, OM3 fiber and OM4 fiber overview explain this well, and has this quote and image tables:

There are four kinds of multimode fibers: OM1 fiber, OM2 fiber, OM3 fiber and OM4 fiber. The letters “OM” stand for optical multi-mode.

Both OM1 and OM2 work with LED based equipment that can send hundreds of modes of light down the cable, while OM3 and OM4 are optimized for laser (eg. VCSEL) based equipment.

I have combined the tables in html as:

OM1 OM2 OM3 OM4

Maximum distance for 100 Mbit/s 2000m 2000m 2000m 2000m 100BASE -FX

Maximum distance for 1 Gbit/s 275m 550m 550m 1000m 1000BASE-SX

Maximum distance for 10 Gbit/s 33m 82m 300m 550m 10GBASE-SR

Maximum distance for 40 Gbit/s not specified not specified 100m 150m 40GBASE-SR4

Maximum distance for 100 Gbit/s not specified not specified 100m 150m 100GBASE-SR10 / 100GBASE-SR4

Diameter 62.5/125µm 50/125µm 50/125µm 50/125µm

Jacket coulors (often also cable colours) Orange Orange Aqua Aqua

Optical source LED LED VCSEL VCSEL

Bandwidth 200MHz*km 500MHz*km 2000MHz*km 4700MHz*km

	OM1	OM2	OM3	OM4
Maximum distance for 100 Mbit/s	2000m	2000m	2000m	2000m	100BASE -FX
Maximum distance for 1 Gbit/s	275m	550m	550m	1000m	1000BASE-SX
Maximum distance for 10 Gbit/s	33m	82m	300m	550m	10GBASE-SR
Maximum distance for 40 Gbit/s	not specified	not specified	100m	150m	40GBASE-SR4
Maximum distance for 100 Gbit/s	not specified	not specified	100m	150m	100GBASE-SR10 / 100GBASE-SR4
Diameter	62.5/125µm	50/125µm	50/125µm	50/125µm
Jacket coulors (often also cable colours)	Orange	Orange	Aqua	Aqua
Optical source	LED	LED	VCSEL	VCSEL
Bandwidth	200MHz*km	500MHz*km	2000MHz*km	4700MHz*km

Unlike CAT cabling, fiber cables can have various connectors, of which SC and LC are the most common as explained in [WayBack] SC vs LC—What’s the difference? which has this quote and image table:

Size: LC is half the size of SC. Actually, one SC-adapter is exactly the same size as a duplex LC-adapter. Therefore LC is more and more common in central offices where packing density (number of connections per area) is an important cost factor

Handling: SC is a true “push-pull-connector” and LC is a “latched connector”, although there are very innovative, real “push-pull-LCs” available which have the same handling capabilities like SC.

The History of Connector: The LC is the “younger” connector of the two, SC is wider spread around the world but LC is catching up. Both connectors have the same insertion loss and return loss capabilities. Generally, it depends where in the network you want to use the connector, no matter SC or LC, even the other different kinds of connector.

In html:

Name Mating
cycles Ferrule
size Typical
insertion loss
(dB) IEC
specification Cost Ease
of
use Application
features

SC 1000 Ø 2.5mm
ceramic 0.25-0.5 61754-4 $$ ••••• Mainstream, reliable, fast deployment, field fit

LC 500 Ø 1.25mm
ceramic 0.25-0.5 61754-20 $$ ••••◦ High density, cost effective, field fit

Name	Mating cycles	Ferrule size	Typical insertion loss (dB)	IEC specification	Cost	Ease of use	Application features
SC	1000	Ø 2.5mm ceramic	0.25-0.5	61754-4	$$	•••••	Mainstream, reliable, fast deployment, field fit
LC	500	Ø 1.25mm ceramic	0.25-0.5	61754-20	$$	••••◦	High density, cost effective, field fit

–jeroen

Posted in Ethernet, Network-and-equipment, Power User | Leave a Comment »

Automating the closing of the Creative Cloud signing and ABBY FindReader for ScanSnap 5.0 dialogs

Posted by jpluimers on 2021/01/06

Every time my scan VM logs on I get the dialog on the right.

Every time I finish an OCR scan, I get the dialog below.

There are two reasons I want to close the ABBY dialog:

While open, it will keep both the original PDF and OCR PDF files alive.When after a while, Windows updates auto-reboots the machine, before clicking the OK buttons I have to manually check if the conversion succeeded before removing the non-OCR PDF.This is time consuming.
While open, it still consumes a lot of system resources: about 100 megabyte for a simple single monochrome A4 page. Much more for complex, multi-page or colour documents.When scanning a lot of document this causes the system to run out of memory, after becoming much much slower because the truckload of Window handles and underlying threads drags Windows down.

I do not want to fully get rid of these dialogs, as often being aware of the progress is important, and I always forget how to re-enable things. If you can do without the dialogs, then try these:

Finding the Windows and controls

I did use one nice feature of AutoHotKey: their Windows Spy utility, which is implemented as a AHK script: [WayBack] AutoHotKey-scripts/WindowSpy.ahk at master · elig0n/AutoHotKey-scripts · GitHub. In the past this was a separate executable, so do not start looking for that any more. You can get it either after a full install of the [WayBack] Releases · Lexikos/AutoHotkey_L · GitHub, or by extracting from the most current AutoHotKey.zip from [Archive.is] AutoHotkey Downloads.

Related:

[WayBack] Changes & New Features | AutoHotkey

1.1.27.00 – December 25, 2017

Changes:

Replaced AU3_Spy.exe with WindowSpy.ahk.

…

[WayBack] autohotkey – What is AU3_Spy.exe? Where can I find it? – Stack Overflow

Search for Spy in

[WayBack] AutoHotkey_L/script2.cpp at master · Lexikos/AutoHotkey_L · GitHub

[WayBack] AutoHotkey_L/script_autoit.cpp at master · Lexikos/AutoHotkey_L · GitHub

[WayBack] AutoHotkey_L/script_gui.cpp at master · Lexikos/AutoHotkey_L · GitHub

This gets these for the Create Cloud and ABBY windows:

Automating the click

I contemplated about using AutoIt (freeware, but closed source) or AutoHotKey_L (the current active fork of AutoHotKey).

AutoIt is now closed source, forked in the past as AutoHotKey, which has a lot of half backed – usually poorly documented – scripts needing you to learn a new API wrapper around existing Windows API functionality.

So I reverted back to using the Windows API using Delphi: a simple repeat loop, to check for the existence of the underlying processes, windows and controls, plus some logic to terminate then the user stops the application (Ctrl-C, Ctrl-Break), logs off, or Windows shuts down.

Releated Windows API keywords and posts:

Terminating in time:
- SetConsoleCtrlHandler and HandlerRoutine parameter dwCtrlType values CTRL_C_EVENT, CTRL_BREAK_EVENT, CTRL_CLOSE_EVENT, CTRL_LOGOFF_EVENT and CTRL_SHUTDOWN_EVENT.
  - Remember that the HandlerRoutine is called in a separate thread, implying you should be very careful with what you do. Best is to only set some flags. Worst is to go GUI handling (DO NOT CALL ShowMessage HERE!)
- Delphi related:
- [WayBack] Handling the OS shutdown event using WinAPI describes the SetConsoleCtrlHandler for console applications, the service related RegisterServiceCtrlHandler and RegisterServiceCtrlHandlerEx calls and the Windows messages to watch for GUI applications: WM_QUERYENDSESSION and WM_POWERBROADCAST.
Checking for processes, windows and controls:
- FindWindow
- a

I could have used AutoHotKey with these hints to get it working:

[Archive.is/WayBack] ControlClick – Syntax & Usage | AutoHotkey: The ControlClick command sends a mouse button or mouse wheel event to a control.
- [WayBack] How to click a specific button on a window with autohotkey? – Stack Overflow
- [WayBack] Locating/Clicking buttons in a Windows Application – Ask for Help – AutoHotkey Community
[WayBack] AutoHotkey Webinar- Various ways to use AHK to automate tasks in Windows (videos below the fold)
[Archive.is/WayBack] OnExit() – Syntax & Usage | AutoHotkey: The OnExit function specifies a callback function or subroutine to run automatically when the script exits.
[WayBack] AutoHotKey: Introduction
[WayBack] Repeating things
[WayBack] Category:AutoHotkey – Rosetta Code
[WayBack] Wait for window to open then use WinGetTitle. – Ask for Help – AutoHotkey Community
[WayBack] Wait for a window to finish loading – AutoHotkey Community
[WayBack] How to wait for a window to appear – Ask for Help – AutoHotkey Community
[Archive.is/WayBack] Process – Syntax & Usage | AutoHotkey
[WayBack] AutoHotKey script to automatically close a window when it opens – Super User
[WayBack] Waiting for a button – Ask for Help – AutoHotkey Community
[WayBack] wait till window opens then wait till it closes – Ask for Help – AutoHotkey Community
[WayBack] windows – AutoHotKey – ellegant way of waiting until a system dialog box becomes able to accept keystrokes? – Super User
[WayBack] I want to create an AutoHotKey script that waits for a window and sends some keystrokes to it, but the keystrokes are repeating by default – Super User

MacOS

Note that when you run on MacOS, you need an alternative like for instance the video below shows via [WayBack] Stop ScanSnap From Prompting You When You Scan.

–jeroen

Read the rest of this entry »

Posted in Development, Fujitsu ScanSnap, Hardware, ix100, ix500, Power User, Scanners, Scripting, Software Development, Windows, Windows 10, Windows 8.1 | Leave a Comment »

Electronics-Salon DIN Rail Mount +/-20Amp AC/DC Current Sensor Module, based on ACS712: Amazon.com: Industrial & Scientific

Posted by jpluimers on 2020/12/24

For my link archive (this DIN rail device allow sensing current used by a circuit; models for 5A/20A/30A).

Thanks Matthijs ter Woord for pointing me to this.

Schematics show it uses an LM317 linear voltage regulator (to get 5V out of a 8V-35V range) next to the ACS712 current sensor (based on the [WayBack] Hall effect) available in 5A, 20A and 30A varieties.

Documentation:

Schematics:

Read the rest of this entry »

Posted in Development, Hardware, Hardware Development, Hardware Interfacing | Leave a Comment »

Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

Posted by jpluimers on 2020/11/04

Multi-WAN routing always involves marking incoming connections to the replies go out on the same connection: [WayBack] Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

# Mirkotik IP Firewall Mangle Section

/ ip firewall mangle

# Mark traffic coming via WAN-1 link

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn

# Mark traffic coming via WAN-2 link

add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn

# Mark traffic routing mark for above marked connection for WAN-1 , so that mikrotik will return traffic via same interface it came in

add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1

# Mark traffic routing mark for above marked connection for WAN-2, so that mikrotik will return traffic via same interface it came in

add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2

# Finally Add appropriate routes in ROUTE section

/ ip route

add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

Making Fujitsu ix500 scanner’s CardMinder Viewer not globally steal the Alt-F3 shortcut

Posted by jpluimers on 2020/10/30

I hate applications that globally install Windows shortcut keys without the setup/install either warn about it or make it configurable.

In this case it is about CardMinder Viewer that ships with the Fujitsu ix500 scanner and installs a global shortcut, by default Alt-F3.

CardMinder Viewer is especially bad because the “settings” are not in the application: the settings are part of the Windows notification area (usually on the lower left of your screen; many people call it “the tray” as it was called tray in the Cairo research that led to Windows 95 and Windows NT 3.5).

So here is how to get rid of the Alt–F3 shortcut to be stolen:

Read the rest of this entry »

Posted in Fujitsu ScanSnap, Hardware, ix500, Power User, Scanners, Windows | Leave a Comment »

pfSense OpenVPN server configuration steps

Posted by jpluimers on 2020/09/28

Saving an initial configuration without changing anything gives these errors:

Self signed certificate

If you are OK with self-signed certificates, then the first is solved by using this as the Server certificate:

Certificate authority

The second needs an additional step: you have to select or create a certificate authority first at hostname/system_camanager.php?act=new where hostname is the hostname or IP address of your pfSense configuration.

This order is actually explained in [WayBack] OpenVPN – The Open Source VPN: HOWTO and [WayBack] OpenVPN Configuration (pfSense) – ELITS, but I like stronger security.

For the Internal Certificate Authority (CA), use at least these settings:

“Key length (bits)” at least 2048 bits, but I prefer 3072 bits (to be safe after about 2030) as per
- Key size: Asymmetric algorithm key lengths – Wikipedia via
- Let’s Encrypt supports it for local certificates, but are more flexible for their CA as you have to renew at least every 90 days; Support for >4096 bit keys – Feature Requests – Let’s Encrypt Community Support
“Digest Algorithm” at least sha256, but I prefer sha512 as it will be safe for a longer period of time.
“Lifetime” by default is 3650 (10 years); can you keep your VM safe for that long? If longer, you can increase the lifetime, but also have to ensure you take large enough values for the Key length and Digest Algorithm.

You can view the possible settings in [WayBack] pfsense/system_camanager.php at master · pfsense/pfsense · GitHub.

Straightforward parameters

Use a TLS Key
- Enabled
TLS Key
- Generated by OpenVPN
TLS Key Usage Mode
- TLS Authentication
Peer Certificate Authority
- Name of your pfSense device
Peer Certificate Revocation list
- N/A: handled in System -> Certification Manager
Use a TLS Key
- Enabled
Use a TLS Key
- Enabled
ECDH Curve
- Use Default (as we do not use Elliptic Curve)
Hardware Crypto
- If the RDRAND instruction is available, this choice allows to use it. I think OpenVPN (via OpenSSL) on BSD uses this in a similar way as Linux: i.e. not as the only source for randomness. See [WayBack] Torvalds shoots down call to yank ‘backdoored’ Intel RdRand in Linux crypto • The Register
- You can check if RDRAND is available in OpenSSL using the /usr/bin/openssl engine -t -c command:
  
  Via: [WayBack] Are cryptographic accelerators supported – pfSense Documentation

Further encryption hardening

DH Parameter Length
- One problem here is that pfSense ships with pre-generated Diffie Helman (DH) parameters:
  
  This means they can potentially be re-used as an attack-vector, so you need to manually re-generate them as per [WayBack] DH Parameters – pfSense Documentation by using /usr/bin/openssl dhparam
  
  In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.
  
  This can take quite some time as it depends on /dev/random as a pure random number source, which will wait if there is not enough initial entropy available yet (see [WayBack] prng – differences between random and urandom – Stack Overflow).
  
  In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.
  
  On a single-coreIntel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz, the timings of these
  
  /usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024 /usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048 /usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096
  
  using the [WayBack] FreeBSD Manual Pages: time command are (each measured twice):
  - ~4.5 seconds for 1024 bits:
  - ~23 seconds for 2048 bits:
  - ~150 seconds for 4096 bits:
  - You see that even within the same length, the duration varies highly.
- Given you already burned those CPU cycles, choose the largest one: 4096
Encryption Algorithm
- This comes down into selecting a algorithm-length-mode combination, so
  - There are three parts in the choice
    - Algorithm: in my configuration, I could choose between algorithms based on AES, CAMELLIA, CAST5, DES, DESX, IDEA, RC2 and SEED.
      - IDEA, DES, RC2, …. are considered insecure (see the above links).
      - DESX is considered insecure if you know enough plain-texts.
      - Triple-DES (of which DES-EDE3 is is a mode) slow and only used for compatibility with legacy applications, see [WayBack] block cipher – Modes of Triple DES – When to use each? – Cryptography Stack Exchange
      - SEED is hardly used outside South Korea.
      - AES, CAMELLIA and CAST5 are considered very strong, with Intel and AMD processors having CPU support for AES**, so I prefer AES.
    - Length: AES has these parameters of which I choose the largest ones:
      - Key sizes128, 192 or 256 bits^[1]
        Block sizes128 bits^[2]
    - Mode: There are so many three-letter-acronym encryption modes that this area is very confusing.
      [WayBack] How to choose an AES encryption mode (CBC ECB CTR OCB CFB)? – Stack Overflow helps a lot. [WayBack] php – Is there any difference between aes-128-cbc and aes-128 encryption? – Stack Overflow does not.
      From what I have read so far, GCM (Galois/Counter Mode) is the best mode at the time of writing, but by the time you read this, ensure you find a post containing all the TLA in the presented list.
  - All in all, I end up at AES-256-GCM (256 bit key, 128 bit block)
    - Note this is supposed to be the OpenVPN 2.4 default ([WayBack] Authentication Algorithm and Encryption Cipher Algorithm · Issue #276 · kylemanna/docker-openvpn · GitHub), but at 2.4.3 it is AES-128-GCM.
Enable NCP(Negotiable Cryptographic Parameters)
- I enabled this, because I consider the ones below safe enough. If you just want to go for one algorithm, then disable this.
NCP Algorithms
- See the previous one; only list the algorithm-length-mode combinations that you want to allow.. Since I am on AES, prefer GCM, and all key sizes are considered safe, my list is the one on the right:
  
  This is in decreasing order of secureness:
  - AES-256-GCM
  - AES-192-GCM
  - AES-128-GCM
Auth digest algorithm
- Starting from scratch (when you have to configure clients), SHA512 (which I use) or SHA256 is fine. Do not use SHA1 unless you need backward compatibility with pre 2.4 OpenVPN installations or pre-configured clients. See [WayBack] How safe to change default SHA1 to other encryption algorithm?
Certificate depth
- For now it is 1 (as it is self-signed)
- In the future I will experiment with proper (hopefully Let’s Encrypt) signed certificates. I am not yet sure if that might need a larger depth.

Other settings

All networks are in CIDR notation, like 192.168.3.0/24.

IPv4 Tunnel network
- Choose from Private network: Private IPv4 address spaces – Wikipedia.
  I usually pick 172.x.y.0 networks as they are far less used than 192.168.x.0 and 10.x.y.0 networks. Note that some networks starting with 172 are in public use, so limit yourself to 172.16.0.0 – 172.31.255.255.
IPv6 Tunnel network
- I still need to implement IPv6 in full, so that is empty for now.
IPv4 Local networks
- These are my local networks. Still need to test how well routing works, but given the default gateway knows about them too, I do not suspect problems.
IPv4 Remote networks
- Empty as I do not use site-to-site VPN yet.
IPv4 Remote networks
- I still need to implement IPv6 in full, so that is empty for now.
Concurrent connections
- Still need to measure performance, so empty for now.
Compression
- I kept the default “Omit Preference (Use OpenVPN Default)”.
- I might choose compression lz4 or compression lz4-v2 in the future.
Push compression
- Kept to unchecked: I dislike other VPN connections to push settings to me, so I do not want to push settings to others.
Type-of-Service
- Kept to unchecked, although I might opt for checked later on: need to do some testing first.
Inter-client communication
- Kept to unchecked: I do not want clients to talk to each other in this particular network, though I might for some specific OpenVPN setup
Duplicate Connection
- Kept to unchecked
Dynamic IP
- I have enabled this as I expect clients to switch IP addresses because of switching between networks
[WayBack] Topology: choose subnet (use net30 only for old 2.0.9 client compatibility on Windows; use p2p if you only have non-Windows clients)

Advanced client options
- All defaults, as currently I do not run an internal DNS, but those will probably change in the future:
  - DNS Default Domain
  - DNS Server enable
  - DNS Server 1..4
  - Force DNS Cache Update

Custom options
- None, but I will need to do some deeper reading on the possibilities here
UDP Fast I/O
- Disabled as experimental
Send/Receive Buffer
- Default, although I might increase this if speed is too slow.
Gateway creation
- I choose the default Both
Verbosity level
- Default

Enabling AES

Even if the underlying Intel/AMD processor supports AES, it is not enabled by default in pfSense as per web UI home page:

Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
AES-NI CPU Crypto: Yes (inactive)

I was quite surprised, but then remembered that enabling RDRAND in the OpenVPN settings was also non-default and dug a bit deeper into ….

There I found you have to go to the System menu, choose Advanced, then the Miscellaneous tab:

From there, browse down (or search for Hardware) to “Cryptographic & Thermal Hardware”, then enable the CPU based accelleration:

After pressing the Save button at the bottom, you are done:

AES-NI CPU Crypto: Yes (active)

I got this via [WayBack] AES-IN Inactive?, which also mentions this:

AES-NI loads aesni.ko

BSD Crypto loads cryptodev.ko

AES-NI and BSD Crypto loads both

Note that AES – as of FreeBSD-10 – AES-NI and other hardware implementations are only indirectly incorporated into /dev/random. The Linux kernel already did this in an indirect way. I think that is a good idea as when multiple entropy sources are merged together, it makes it much harder to influence to total entropy. FreeBSD implemented this using the Yarrow algorithm – Wikipedia and now has moved to a successor, the Fortuna (PRNG) – Wikipedia.

More background information:

padlock ACE support

Note there is a message about ACE support on the console and in the boot log that is related to AES:

padlock0: No ACE support.
aesni0: <AES-CBC, AES-XTS, AES-GCM, AES-ICM> on motherboard

The cause is that in the past, VIA PadLock Advanced Cryptography Engine (ACE) in the mid 2000s introduced encryption acceleration (see [WayBack] VIA PadLock support for Linux) a few years before AES-NI, so ACE is incompatible with AES-NI. AES-NI is now much more widespread than ACE, even the wikipedia VIA page padlock information has been removed.

An odd thing: unlike AES-NI which needs to be specifically enabled, VIA Padlock is always enabled, see

OpenVPN Client Export Package

Ensure you install the (optional, but highly recommended) [WayBack] OpenVPN Client Export Package:

Allows a pre-configured OpenVPN Windows Client or Mac OS X’s Viscosity configuration bundle to be exported directly from pfSense.

These config files work with Tunnelblick as well, which is a great free and open source OpenVPN tool on Mac OS X / MacOS:

Creating and exporting users

I have yet to cover these two; for now read [WayBack] How to setup OpenVPN on pFSense? | IT Blog and [WayBack] OpenVPN Remote Access Server – pfSense Documentation.

During pfSense boot: syslogd “operation not supported by device” messages

Posted by jpluimers on 2020/09/25

If during a pfSense reboot you get one or more messages from syslog about “operation not supported by device” on various log files, then they are likely corrupt.

I had this when a pfSense 2.4.x RELEASE version VM was accidentally power-cycled during initial setup.

A side effect was that no logs showed in the web UI either, nor would clog on any file in the /var/log directory.

The solution was to choose option 8 (Shell), then in the /var/log directory, remove all files with extension .log, then reboot.

Now the messages were gone and the web UI showed logs. clog /var/log/system.log showed content as well.

Solution based on these posts:

[WayBack] [SOLVED] pfSense SG-1000 lan-interface missing IP with snapshot 20171007
[WayBack] pfsense on Hyper-v 2016 no system logs. (Resolved)
[WayBack] Bug #4768: Operation not supported by device – pfSense – pfSense bugtracker (a simple reboot did NOT resolve the issue)
[WayBack] Bug #7919: Logging not working – pfSense – pfSense bugtracker

–jeroen

Posted in Internet, pfSense, Power User, routers | Leave a Comment »

Supermicro Bios Update – YouTube

Posted by jpluimers on 2020/09/14

I needed to get myself an OOB license for the BIOS update over the IPMI console or SUM (Supermicro Update Manager). An IPMI update can be done without an OOB license from the IPMI console, but the BIOS requires a license.

Links that initially helped me with that to get a feel for what I needed:

I thought that likely I need to purchase a key for it:

[WayBack] FAQ Entry | Online Support | Support – Super Micro Computer, Inc. – I need to update my BIOS to support my CPU. I know I can do this through IPMI. Do I need to purchase a license?

Obtain the license code from your IPMI BMC MAC address

But then I found out the below links on reverse engineering.

From those links, I checked both the Perl and Linux OpenSSL versions. Only the Perl version works on MacOS.

Then I fiddled with the bash version: unlike the OpenSSL version above, this one printed output. It wrongly printed the last groups of hex digits instead of the first groups of hex digits that the Perl script prints.

Here is the corrected bash script printing the first groups of hex digits (on my systems, I have an alias supermicro_hash_IPMI_BMC_MAC_address_to_get_OOB_license_for_BIOS_update for it):

#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  #DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"

  echo "${code:0:4}-${code:4:4}-${code:8:4}-${code:12:4}-${code:16:4}-${code:20:4}"
}

Steps

run this script (with the MAC address of your IPMI BMC controller, usually at a URL like http://192.168.71.96/cgi/url_redirect.cgi?url_name=mainmenu)
copy the generated license code

Reverse engineering links

[WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

Another way to update the BIOS via the Supermicro IPMI for free is simply calculating the license key yourself as described here: https://peterkleissner.com/2018/05/27/reverse-engineering-supermicro-ipmi/ [WayBack].
- [WayBack] Reverse Engineering Supermicro IPMI – peterkleissner.com
  Algorithm:
  
  MAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)
  
  Update 1/14/2019: The Twitter user @astraleureka posted this code perl code which is generating the license key:
```
#!/usr/bin/perl
use strict;
use Digest::HMAC_SHA1 'hmac_sha1';
my $key  = "\x85\x44\xe3\xb4\x7e\xca\x58\xf9\x58\x30\x43\xf8";
my $mac  = shift || die 'args: mac-addr (i.e. 00:25:90:cd:26:da)';
my $data = join '', map { chr hex $_ } split ':', $mac;
my $raw  = hmac_sha1($data, $key);
printf "%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX\n", (map { ord $_ } split '', $raw);
```
  Update 3/27/2019: There is also Linux shell version that uses openssl:
```
echo -n 'bmc-mac' | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:8544E3B47ECA58F9583043F8 | awk '{print $2}' | cut -c 1-24
```
- [WayBack] Modular conversion, encoding and encryption online — Cryptii
  
  Web app offering modular conversion, encoding and encryption online. Translations are done in the browser without any server interaction. This is an Open Source project, code licensed MIT.
  
  Steps:
  1. In the left pane, select the “View” drop-down to be “Bytes”, then paste the HEX bytes of your IPMI MAC address there (like 00 25 90 7d 9c 25)
  2. In the middle pane, select the drop-down to become “HMAC” followed by the radio-group to be “SHA1“, then paste these bytes into the “Key” field: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8
  3. In the right pane, select the drop-down to become “Bytes”, then the “Group by” to become “2 bytes”, which will you give the output (where the bold part is the license key: 6 groups of 2 bytes): a7d5 2201 4eee 667d dbd2 5106 9595 2ff7 67b8 fb59
  Result:
- Michael Stapelberg’s private website, containing articles about computers and programming, mostly focused on Linux.[WayBack] Securing SuperMicro’s IPMI with OpenVPN
- [WayBack] GitHub – ReFirmLabs/binwalk: Firmware Analysis Tool

[WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

Ahh…..a few corrections :-P

#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  #DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"
  echo "${code:9:4} ${code:13:4} ${code:17:4} ${code:21:4} ${code:25:4} ${code:29:4}"
}
#hex output with input
hash_mac "$1"

#Look out for the quotes, they might get changed by different encoding

[WayBack] The better way to update Supermicro BIOS is via IPMI – VirtualLifestyle.nl

Thanks Peter. For anyone interested, here’s a bash script that takes the MAC as the only argument and outputs the activation key:

#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  #convert mac to hex
  hexmac="\x${mac//:/$sub}"
  #create hash
  code=$(printf "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  ## DEBUG
  echo "$mac"
  echo "$hexmac"
  echo "$code"
  echo "${code:9:4} ${code:13:4} ${code:17:4} ${code:21:4} ${code:25:4} ${code:29:4}"
}
## hex output with input
hash_mac "$1"

–jeroen

Read the rest of this entry »

Posted in Development, Encoding, Hardware, Hashing, HMAC, Mainboards, OpenSSL, Power User, Security, SHA, SHA-1, Software Development, SuperMicro, X10SRH-CF | Leave a Comment »

« Previous Entries

Next Entries »

	jpluimers on Windows warned me of disk full…
	jpluimers on Started making people walk me…
	jpluimers on Stack Overflow’s forum is dead…
	jpluimers on Some links on getting the most…
	boctorbill on Some links on getting the most…

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Hardware’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Finding the Windows and controls

Automating the click

MacOS

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Self signed certificate

Certificate authority

Straightforward parameters

Further encryption hardening

Other settings

Enabling AES

padlock ACE support

OpenVPN Client Export Package

Creating and exporting users

Further reading

Rate this:

Share this:

Rate this:

Share this:

Obtain the license code from your IPMI BMC MAC address

Steps

Reverse engineering links

Rate this:

Share this: