
Sunday, March 13, 2016

Changing the encryption password on CyanogenMod 13 (Android Marshmallow)

In order for your phone to be secure, you need a strong encryption password. Unfortunately, the default is to use the lock screen password, and having a strong password on the lock screen makes it way too difficult to access the phone. You really want to use two different passwords: a strong one for encryption that is only required when you boot the phone, and a shorter one for the lock screen. Then you protect the lock screen by throttling unlock attempts and possibly limiting the number of attempts before the phone reboots (thus requiring the stronger password to decrypt). Apps like Cryptfs Password previously made this easy, but unfortunately on CM13 nightlies (Android Marshmallow), this no longer works as the interface has changed. In fact, using one of these apps, or the old command-line syntax, can cause data loss! If you are coming here after attempting to change your password and finding that you can no longer decrypt your phone, I’m sorry, I don’t know how to recover data in this case.

I do not know of an app that can change the encryption password on these devices yet, but you can still change it from the command-line. This must be done as root, so you will need to enable root in the developer options, then use su in the terminal. Note, however, that the syntax has changed. Previously, the command was:

vdc cryptfs changepw password newpassword

Now the command expects an additional parameter, the old password:

vdc cryptfs changepw password default_password newpassword

Currently, the old password parameter is not used (it doesn’t actually have to be the old password, it can be anything), but it must be present for the new password to be interpreted correctly. The command should indicate success by printing:

200 0 0

Yea, it would be nice if it gave helpful error messages, but all you get is cryptic numerical codes. You can verify that the password was set correctly with:

vdc cryptfs verifypw newpassword

If the new password is correct, this command will also print:

200 0 0

In order to set the encryption password correctly and separately from the lock screen, you will want to encrypt the phone, then set your lock screen with a password (opting to require the password at start up), then change the encryption password with the command above. Now the lock screen will be the password you originally selected when you set the lock screen password, but the stronger password will be required to decrypt the device on boot.
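The change-then-verify sequence above as a small shell function, added here as an example (it is not from the original post). The function names and the filler word placeholder are assumptions, and any reply other than 200 0 0 is treated as failure.

```shell
# Added example, not from the original post. Run as root in the phone's shell.
# Usage: set_boot_password 'new passphrase' 'new passphrase'

# Succeeds only for the success reply quoted in the post.
cryptfs_ok() {
  [ "$1" = "200 0 0" ]
}

# set_boot_password NEW CONFIRM
# Changes the encryption password, then verifies it before you reboot.
set_boot_password() {
  if [ -z "$1" ] || [ "$1" != "$2" ]; then
    echo "passwords empty or do not match; nothing changed" >&2
    return 2
  fi
  # The argument after "password" is the unused old-password slot;
  # "placeholder" is arbitrary filler, as the post describes.
  reply=$(vdc cryptfs changepw password placeholder "$1")
  if ! cryptfs_ok "$reply"; then
    echo "changepw failed, reply was: $reply" >&2
    return 1
  fi
  # Confirm the new password while the phone is still running.
  reply=$(vdc cryptfs verifypw "$1")
  if ! cryptfs_ok "$reply"; then
    echo "verifypw failed, reply was: $reply; do not reboot yet" >&2
    return 1
  fi
  echo "encryption password changed and verified"
}
```

Asking for the password twice catches a typo before it becomes the only way to decrypt the device.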

Hopefully some of you got here in time to avoid data loss. Thanks for reading!

Wednesday, October 21, 2015

How to unbrick a Buffalo WZR-HP-G300NH and install OpenWRT

So, after a failed firmware installation, all you get is a flashing red DIAG light? All is not lost; you probably don’t need any special equipment or to open the case to unbrick the Buffalo WZR-HP-G300NH. You can probably still tftp a new firmware image when the router boots up. Instructions here are for Debian, but should be easily adaptable for other Linux distros. First, download the firmware image you want to install. If you want to install OpenWRT, you need the ar71xx image; make sure you get the tftp version. Here is the one I used. Now you will need to make sure you have a tftp client installed:

aptitude install tftp-hpa

Now you need to configure your network to connect to the router and create a static arp entry for it. Directly connect the router to your computer by ethernet cable, but leave the router powered off. You will need the MAC address for the router, you can get it from the SSID on the label, just insert colons like: 001D12345678 = 00:1D:12:34:56:78. You will need to do this as root.

/etc/init.d/networking stop
ifconfig eth0 192.168.11.2
ifconfig eth0 netmask 255.255.255.0
arp -s 192.168.11.1 00:1D:12:34:56:78


Replace eth0 with the ethernet interface you are using, if necessary (it is probably eth0), and use the MAC address from your router, as described. But the IP address should be as shown, not based on your usual network configuration. Now change to the directory where you downloaded the firmware image, start up your tftp client, and prepare to send the image to the router (don’t power it on yet). Once you start the tftp client, you will be typing at its command prompt.

tftp 192.168.11.1
tftp> verbose
tftp> binary
tftp> trace
tftp> rexmt 1
tftp> timeout 60
tftp> put openwrt-15.05-ar71xx-generic-wzr-hp-g300nh-squashfs-tftp.bin


(Replace the name of the image, if you are using a different one.) As soon as you hit enter on that last command, plug in the router. The tftp client will keep retrying until the bootloader on the router is ready to receive the image, then you should see the upload begin to progress. Wait a few minutes and the router should reboot. Now you can turn your normal networking back on.

/etc/init.d/networking start

If you installed OpenWRT, the default IP for the router will now be 192.168.1.1, not 192.168.11.1. If your image included LuCI, like the one I used, you can now point your web browser to that IP to access the web interface. Now you have not only unbricked your router, but you are free to enjoy all of the awesomeness of OpenWRT!

Most of the instructions here are based on this post, many thanks to the author!

Saturday, November 22, 2014

Better speech compression with Opus

In a previous post, we looked at configuring Audex for ripping CDs to the superior Opus format. While that was good for general purpose audio encoding, it doesn’t let us take advantage of Opus’ immense versatility: its ability to get excellent results across a wide range of bit rates.


You will notice at the low end of that graph are codecs that typically specialize in speech, because speech is more compressible than complex audio sources like music. Speex, for instance, can get excellent compression of speech with acceptable quality, yielding much smaller file size than MP3 or Vorbis. One of the benefits of Opus is that it should be able to replace this usage as well.

As you might have guessed, the opusenc commands we gave Audex can also be used directly on the command line. If you want to target a lower bit rate for speech encoding, all you need to do is add the --bitrate option. For speech, try something in the range of 16-48. In Audex, you might add two different profiles for compressing speech with Opus, just as there are multiple profiles for different qualities of compression with Vorbis.

opusenc takes raw, Wave, AIFF, or FLAC input (FLAC is still the preferred format for archival storage). If you pass a FLAC file that is already tagged with metadata, opusenc will incorporate that metadata automatically, so there is no need to pass it on the command line.

opusenc --bitrate 16 input.flac output.opus

For comparison, a 40 minute audio recording ripped as an uncompressed Wave file was about 403 MB, compressed with FLAC it was about 103 MB, opusenc with default settings got it down to about 26 MB, while the above command reduced it to about 4.5 MB. So targeting the lower bit rate was a space savings of over 80% and made it small enough to share by email.

Saturday, November 15, 2014

Ripping CD to .opus with Audex on Debian

The Opus codec is basically the one codec to rule them all. It is an open standard (RFC 6716) and it outperforms almost all other codecs, open and proprietary, over a huge range of bitrates. It also has a very low latency which is important for internet applications involving real-time communications and it is already supported by modern browsers like Firefox, Chrome, and Opera. But if you want to start storing your music in the best available format, you might have difficulty finding convenient tools that support it. Well, here is one that worked for me, so I’ll share it. It was pretty simple, although not entirely obvious.

Audex is a graphical CD ripper for KDE. It does not support ripping to Opus out-of-box, but it does have a feature to add a new encoder. For this, we will just use the command-line encoder found in opus-tools, so install the packages audex and opus-tools. Now, when you run Audex, go to “Settings” > “Configure Audex...”, select the “Profiles” section, and then “Add...”. Name the new profile “Opus”. Under the “Encoder” tab, select “Custom” from the first drop down. Under “Command pattern:”, put in “opusenc $i $o”, and under “Suffix:” put in “opus”. You can look at some of the other options if you wish (I set mine to replace spaces with underscores), but that is all that is necessary to get it working. Save your new profile, select the profile from the main window, and begin ripping your favorite discs.


If you also want to capture metadata, you will need a newer version of opus-tools than what is in Wheezy. You can download the source, and build it yourself. You will need to have the wheezy-backports repository enabled to get some of the dependencies:

sudo aptitude -t wheezy-backports install libogg-dev libflac-dev libopus-dev

Once the dependencies are met, you should be able to configure and install opus-tools:

cd opus-tools-src-dir
./configure
make
sudo make install


Now, you can change the “Command pattern:” in Audex to “opusenc --title "$ttitle" --artist "$tartist" --album "$title" --date "$date" --genre "$genre" $i $o”. This will capture metadata and embed it in your new Opus files.

Update: If you are looking to get better compression for speech recordings, such as lectures, sermons, speeches, etc, see this post.

Thursday, November 13, 2014

Setting up root SSH login on CyanogenMod

I did this with the latest CyanogenMod 11 snapshots on a Nexus 4 and a Nexus 5. I recommend buying a device with an unlockable bootloader, like the Google Nexus devices, because it makes rooting and installing custom ROMs, etc, much more straightforward. Besides, if you buy a device you ought to own it, so why give your money to a company that tries to lock you out of your own devices, as if they still own it even after you have bought and paid for it? If you already have a device that is locked down, you may have to search the web to find a hack to get access to it (Good luck!), but I won’t be covering that here. What I found to be difficult to find and poorly documented elsewhere was how to configure your device for root login via ssh, after installing CyanogenMod. This can be useful for a variety of reasons, for instance, you can easily make a full back up of the phone securely over your wireless network. But as always, exercise caution when using root!

Before you begin, make sure you have a few options set on the Android device. Under “Developer options” make sure that “Android debugging” is enabled, “Root access” is set to “Apps and ADB”, and while you are here, set “Device hostname” to something memorable. (You should have learned to access the hidden “Developer options” menu while installing CyanogenMod.) Now, with the phone connected by USB, login from your computer with:

adb shell

then start setting up ssh by copying over the template configuration file:

cp /system/etc/ssh/sshd_config /data/ssh
vim /data/ssh/sshd_config

and add the line:

PermitRootLogin without-password

This does not do what it sounds like. It will not allow you to login without authenticating, rather, it disables authentication with a password and requires you to use public key authentication which we will set up in a minute. Next:

mkdir /data/local/userinit.d
cd /data/local/userinit.d
cp /system/bin/start-ssh 90sshd
vim 90sshd


and change:

   # don't daemonize - otherwise we can't stop the sshd service
   /system/bin/sshd -f /system/etc/ssh/sshd_config -D


to:

   # don't daemonize - otherwise we can't stop the sshd service
   ## Actually, yes, do daemonize (remove -D option)
   /system/bin/sshd -f /system/etc/ssh/sshd_config


Now, if you don’t already have one, you will need to generate an RSA key for ssh. On your computer (not the adb shell that is already logged into your Android device) run:

ssh-keygen

and with the default options you will get a ~/.ssh containing id_rsa and id_rsa.pub. You will need to copy id_rsa.pub to your Android device in order to be able to login. Still working from your computer:

adb push ~/.ssh/id_rsa.pub /sdcard/

Now, on the Android device:

cd /data/.ssh
touch authorized_keys
cat /sdcard/id_rsa.pub >> authorized_keys
chmod 600 authorized_keys


Note that the authorized keys file must not be readable by anyone else or ssh will refuse to use it and authentication will fail. Now, you should be able to reboot and login to your Android device:

ssh root@AndroidHostname

If you set a password for the RSA key you generated for ssh, it will prompt you for that password, but it will not prompt for a password for root on the Android device (because it is using the key instead). If you want to login from other devices, make sure you have an authorized key on that device as well. To add more authorized keys, simply concatenate them onto the authorized_keys file, the same way we did the first one. Now you can remotely access your Android device via ssh.
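A check for the PermitRootLogin step in the post above, added here as an example and not part of the original post or of CyanogenMod: sshd uses the first value it reads for each keyword, so a line added below an existing PermitRootLogin entry has no effect. The function names and the sample config are constructed for illustration.

```shell
# Added example, not from the original post: report which PermitRootLogin
# value sshd will actually use from a given sshd_config.

# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and anything after a "Match" line is conditional.
effective_root_login() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
    { gsub(/=/, " ") }                 # "Keyword=value" form is also legal
    tolower($1) == "match" { exit }    # end of the global section
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Succeeds only when root is limited to key-based login.
# "prohibit-password" is the newer OpenSSH spelling of "without-password".
# "unset" fails on purpose: the built-in default differs between versions.
root_login_key_only() {
  case "$(effective_root_login "$1")" in
    without-password|prohibit-password) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: a template that already sets the keyword, with the
# line from the post appended at the end, where it has no effect.
demo_appended_line() {
  tmp=$(mktemp) || return 2
  cat > "$tmp" <<'EOF'
# constructed sample, not the real CyanogenMod template
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin without-password
EOF
  effective_root_login "$tmp"
  rm -f "$tmp"
}
```

Run `root_login_key_only /data/ssh/sshd_config` after editing; a non-zero exit status means root is not restricted to key-based login by the global section of that file.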

Saturday, September 13, 2014

Watch the NFL Sunday Ticket on Linux

If you subscribe to the DirecTV NFL Sunday Ticket, you can watch all of your Sunday football games on Linux. But it only works with certain browsers because it requires Flash Player 14 which is only available on Linux as a Pepper plugin. Only the Chromium family of browsers supports this API, and the NPAPI version that is used by other browsers is no longer developed on Linux by Adobe (version 11.2 is still receiving security updates). The easiest way to get this is to install Google Chrome. It is also possible to use it with the Chromium packages provided by various Linux distributions; packages are available to install it for both Debian and Ubuntu. For Debian it is in the contrib repository and for Ubuntu it is in Multiverse. It may also be possible to use it with the developer version of Opera, which is now Chromium-based as well, but I haven’t tested this.

Of course, this doesn’t mean that you must or even should swap browsers. You can use a Chromium-based browser with Flash for the NFL Sunday Ticket and still choose another browser, like Mozilla Firefox which seemed to come out ahead in our recent benchmarks, for other things. Ultimately, we would all really like to see web applications, including video streaming, developed with HTML5 and web standards. Mozilla is probably one of the biggest forces pushing for this. Some people even refuse to use the proprietary Flash plugin at all in order to help promote this lofty goal. But if you want to watch your NFL games on Linux this year, now you know how.

Sunday, August 17, 2014

Protip #3: You do want your OpenPGP key to expire

You think you don’t, but you really do. You are probably thinking you don’t want to have to transition to a new key on some arbitrary date. But you can always extend the expiration later. And if you lose your key and don’t have a revocation certificate, the expiration date serves as a kind of “dead man’s switch”. If you don’t prevent it from being triggered by extending the date, your key will be automatically invalidated. This way, if you lose your key (and you don’t have a revocation certificate or have lost that, too), your key will not remain valid forever.

If you use Thunderbird with the Enigmail extension, per my previous tutorial, it is pretty easy to change your key’s expiration date from the Key Management interface. Right-click your key and select Change Expiration Date. Then you can select how many years, weeks, or days it should be until your key expires.




Of course, you will need to re-upload your public key so that your friends can get the extended expiration from the key server. You can also do the same with GnuPG from the command line, but I’ll leave that as an exercise to the reader.

And now you have no reason to have no expiration date on your keys!