Fun with Google geolocation
posted 2010-08-11 23:23:55, link to this article
After seeing Samy Kamkar's talk at DEFCON 18, I really wanted to play with Google's geolocation API.
Some results already:
hessch@turing:~$ bin/mac_geoloc 00:11:92:a1:b2:40
{
"location" : {
"latitude" : 36.1344023,
"longitude" : -115.1620542,
"address" : {
"country" : "United States",
"country_code" : "US",
"region" : "Nevada",
"county" : "Clark",
"city" : "Las Vegas",
"street" : "Las Vegas Blvd S",
"street_number" : "2955",
"postal_code" : "89109"
},
"accuracy" : 150.0}
}
Which is the location of one of the hotspot access points in the Riviera hotel, according to Google. Yay! :)
Bash function to canonicalize MAC addresses
posted 2010-08-11 19:36:02, link to this article
I was playing with some network related stuff this evening and needed to rewrite MAC addresses to the canonical form. That is, something like this 00-02-DE-AD-BE-EF.
Why, you ask? Well, every piece of software seems to have its own ideas on how to represent these magical 48-bit integers.
For instance, you'll often see something like 01:02:03:C0:FF:EE, which might also be written in shorthand as 1:2:3:c0:ff:ee or as a (pretty Cisco specific) perversion like 0102.03c0:ffee.
Indeed, a lot of variation... which makes parsing a bit hellish.
Well, I had written a pretty elegant parser in Perl before; that thing groks almost anything that you can throw at it.
But today I wanted to implement this in hesschlib. Hesschlib is my private library of practical Bash functions. One of the rules of hesschlib is that things should be done in Bash whenever possible.
So I kludged up a small Bash function that does a pretty good job of rewriting most forms of MAC addresses that came to mind to the canonical form. Here it is:
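# canonicalize MAC addresses (does grok most forms)
function maccanon {
    local canon='' octet
    # split on '.', ':' and '-'; left unquoted on purpose so the groups word-split
    for octet in ${1//[\.:-]/ }; do
        # four-digit group: split it into two octets
        [ ${#octet} -eq 4 ] && octet="${octet:0:2} ${octet:2:2}"
        # shorthand octet: restore the leading zero
        [ ${#octet} -eq 1 ] && octet="0${octet}"
        canon=${canon}${canon:+ }${octet}
    done
    echo "${canon// /-}"
}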
Which is a one-liner in hesschlib, of course, but broken up a bit here to make it more legible.
And finally, here's an example of maccanon in action:
hessch@turing:~$ for mac in 00:02:DE:AD:BE:EF 1:2:3:c0:ff:ee 0102.03c0:ffee
> do
> maccanon ${mac}
> done
00-02-DE-AD-BE-EF
01-02-03-c0-ff-ee
01-02-03-c0-ff-ee
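When canonical MACs feed a comparison such as an allowlist or a log correlation, malformed input should be rejected rather than passed through. The following is an added example, not part of hesschlib or the original post: a stricter variant that goes beyond the function above by also accepting a bare 12-digit form, upper-casing the result and refusing anything that is not exactly six octets. The name maccanon_strict and the sample inputs are made up for illustration, and it is written in portable sh so it runs under Bash as well.

```bash
#!/bin/sh
# Added example: strict MAC canonicalizer (the function name is hypothetical).
# The ( ... ) body runs in a subshell, so its variables stay local.
maccanon_strict() (
    mac=$1
    out='' n=0
    case $mac in
        # empty input, or anything besides hex digits and the separators . : -
        ''|*[!0123456789ABCDEFabcdef.:-]*) return 1 ;;
        # a leading, trailing or doubled separator would mean an empty group
        [.:-]*|*[.:-]|*[.:-][.:-]*) return 1 ;;
    esac
    # Safe to word-split: only hex digits and blanks are left after tr.
    set -- $(printf '%s' "$mac" | tr '.:-' '   ')
    for g in "$@"; do
        case ${#g} in
            1) g="0$g" ;;      # shorthand octet, e.g. "1" -> "01"
            2|4|12) ;;         # octet, four-digit group, or bare 12 digits
            *) return 1 ;;     # other lengths cannot be split into octets
        esac
        # peel two hex digits at a time off the front of the group
        while [ -n "$g" ]; do
            rest=${g#??}
            octet=${g%"$rest"}
            out="$out${out:+-}$octet"
            g=$rest
            n=$((n + 1))
        done
    done
    [ "$n" -eq 6 ] || return 1    # a MAC address is exactly 48 bits
    printf '%s\n' "$out" | tr 'abcdef' 'ABCDEF'
)

# Constructed sample inputs; the last three are malformed on purpose.
for m in 00:02:DE:AD:BE:EF 1:2:3:c0:ff:ee 0102.03c0:ffee 0002deadbeef \
         00:02:DE:AD:BE 00::02:DE:AD:BE:EF 00:02:DE:AD:BE:EG; do
    maccanon_strict "$m" || echo "rejected: $m"
done
```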
Why I love HTTP
posted 2010-04-25 13:01:16, link to this article
A few years ago, I worked at a company whose webservers were hosted at
a dedicated web-hosting company.
The question arose whether their website could be reached at foo.bar as well as at www.foo.bar.
Well, no problem you'd say, nothing that a simple A or CNAME record in DNS couldn't fix.
Not so: foo.bar had an A record assigned already for a host in the company's DMZ that used to do a *lot* of stuff.
You can imagine that adding a webserver to foo.bar, just to serve 301 moved permanently status codes, seemed like a bit of overkill to me.
And apart from that, I was too lazy to have another $many_lines_of_code to keep up to date for such a trivial task.
Thanks to the wonders of HTTP the solution was almost as simple as the problem.
I whipped up a small text file containing a static HTTP 301, and used the almighty inetd and cat to glue this to a socket.
It worked like a charm. It was also great to see sites like Netcraft list the webserver of foo.bar as cat/0.9. :-)
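The original text file is not shown in the post, so the following is an added example of how such a static response can be generated, not the author's file. The function name, the header set, the file path in the inetd.conf comment and the foo.bar target are assumptions; only the Server value comes from the Netcraft remark above.

```bash
#!/bin/sh
# Added example: build the static 301 response that cat hands to every client.
# The ( ... ) body runs in a subshell, so its variables stay local.
make_redirect() (
    url=$1
    case $url in
        # CR, LF or any other control/blank character would split the header
        *[[:cntrl:][:space:]]*) return 1 ;;
        http://?*|https://?*) ;;
        *) return 1 ;;             # Location must be an absolute http(s) URL
    esac
    body="Moved to $url"
    # byte length of the body including its trailing CRLF
    len=$(printf '%s\r\n' "$body" | wc -c)
    # HTTP lines end in CRLF; an empty line separates headers from body
    printf 'HTTP/1.0 301 Moved Permanently\r\n'
    printf 'Server: cat/0.9\r\n'
    printf 'Location: %s\r\n' "$url"
    printf 'Content-Type: text/plain\r\n'
    printf 'Content-Length: %d\r\n' "$len"
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '%s\r\n' "$body"
)

# Constructed target, using the post's foo.bar placeholder. Redirect the
# output to a file and let inetd glue it to the socket with one line in
# inetd.conf (the path is an assumption):
#   http stream tcp nowait nobody /bin/cat cat /etc/redirect-301.http
make_redirect 'http://www.foo.bar/'
```

Because the response is generated once and served as fixed bytes, nothing from the client's request ever reaches the output.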
I thought of this today, when I was playing a bit with my Nintendo DS running DSLinux.
I could find various MP3 decoders, but nothing to do streaming. So I kludged together the other side of the hack that I explained above:
#!/bin/sh
# the empty line inside the here-document ends the HTTP request headers
(nc mp3.streampower.be 80 <<_GETREQ
GET /stubru-low.mp3 HTTP/1.0

_GETREQ
) | sed -n '/^$/,$p' |\
madplay -
Et voila. Streaming audio. (In this case the Belgian music station Studio Brussel.)
Thank you, sir Tim.
Sitecom WL-340 shell commands via HTTP
posted 2010-04-18 16:40:26, link to this article
My local Media Markt (a large German chain of electronics stores) had some cheap NAT routers for sale. Out of curiosity I bought one.
This router (the Sitecom WL-340) runs Linux, and the internal console port is nicely labeled. That alone made me buy two more, as you can never have too much hardware to play with. ;)
When poking around in these boxes I found that they have a nice hidden web page to run commands on them.
You can access this page as /system_command.htm on your router's web interface.
I thought it might be useful to access this command shell from scripts, so that you can use stock WL-340s for various "unintended" purposes. ;)
With the help of the amazing Firebug extension for Firefox I managed to use the remote command facility of these routers from the shell.
Like so:
hessch@kirchhoff:~$ curl -s -o- -u admin -d command='cat /proc/cpuinfo' \
-d next_file=system_command.htm -d todo=system_command \
http://192.168.11.128:8080/setup.cgi | \
sed -n '/outlog_Display/,/\/textarea/{/textarea/d;p}'
Enter host password for user 'admin':
system type : Ralink SoC
processor : 0
cpu model : MIPS 24K V4.12
BogoMIPS : 212.99
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16 dsp
VCED exceptions : not available
VCEI exceptions : not available
Now, this only needs a small wrapper shell script and it's ready for (ab)use.
I'll probably post some more hacks based on these boxes later on.
fi.sh - a Boids clone in Bash
posted 2010-02-22 19:29:02,
link to this article
After squa.sh, I thought it was time for another abuse of the Bash shell.
A few weeks ago I wrote fi.sh, a simulation of flocking behaviour, like migrating birds or a school of fish, written in pure Bash and with ASCII-art graphics, of course.
Fi.sh is inspired by the classic Boids algorithm by Craig Reynolds. But since I wrote this in a week when I was in the middle of nowhere in Andalucia, without any means of connecting to the Internet, it only uses two behaviours instead of Reynolds’ three. Still, the results look pretty convincing.
Craig Reynolds' original Boids
Probing a SecurID Token
posted 2009-10-25 17:20:59,
link to this article
Read full article
Today I peeked inside an RSA SecurID token and made a little test jig to probe some test pads that are inside.

Not much interesting found so far, but hit the read link to read about my journey to the SecurID's deepest secrets... ;)
Patch for Gammu's DCT3 debug trace
posted 2009-06-27 20:06:43, link to this article
I've written a quick and dirty patch for Gammu's nokiadebug command. Normally, nokiadebug writes debug traces to a hardcoded out.xml file, which is not really practical.
With my patch applied to gammu-1.24.0, the output of nokiadebug that was previously sent to stdout is now written to stderr. The debug traces are now written to stdout. This way it is much easier to follow the debug traces 'live'.
You might need to rebuffer gammu's stdout to emit the complete protocol hierarchy per message at once. The following (pretty ugly) awk does this for you. To add some clarity I've added line breaks to what was an even uglier one-liner before:
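hessch@c3:~/gsm$ gammu nokiadebug nhm5_587.txt v18-19 2>/dev/null | awk '
    # "<" is matched literally; written as \< gawk would read it as a word boundary
    # opening <l1 tag: start a fresh buffer
    /^<l1/ { i = 0 }
    # closing </l1 tag: flush once this line has been buffered
    /^<\/l1/ { end = 1 }
    {
        buf[i++] = $0
        if (end == 1) {
            end = 0
            for (j = 0; j < i; j++)
                print buf[j]
            i = 0
        }
    }
'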
You can download my patch for Gammu at http://isquared.nl/src/gammu-xmlstdout.patch.
UDGBUF, Part 1.5 : Adventures with the HD44780
posted 2009-06-16 19:57:31, link to this article
Yesterday (and today when I confirmed this), I noticed that it can be helpful to actually understand what you're doing. :) What I didn't know when I was POKEing bytes in my Psion Organiser's address space at first is that when you access addresses 0x180 and 0x181, you're actually addressing the HD44780 LCD controller in the Organiser.
The address 0x180 is the instruction register of the HD44780 LCD controller, the address 0x181 is its data register. I should have wondered already why it was possible to write subsequent rows in a UDG to the same address 0x181 to define a character.
If we look at the code of defining a user defined character again:
udg:(udgnum%, b0%, b1%, b2%, b3%, b4%, b5%, b6%, b7%)
pokeb $180, 64 + udgnum%*8
pokeb $181, b0%; pokeb $181, b1%
pokeb $181, b2%; pokeb $181, b3%
pokeb $181, b4%; pokeb $181, b5%
pokeb $181, b6%; pokeb $181, b7%
You see that first the argument 64 + udgnum%*8 is written to the address 0x180. The term 64 (or 0x40) is the instruction to the HD44780 LCD controller to set the CG (character generator) RAM address. The least significant 6 bits of the instruction contain the address itself; this is the udgnum% * 8 term. udgnum%, in this case, is the character to define. A character contains 8 rows of pixels, so to reach the next character you multiply this by 8.
Poking to 0x181 writes the bit pattern poked to this address into the CG RAM. The magic part is that after writing this pattern, the CG RAM address is automatically incremented by the controller!
Knowing this, I realized that it must be possible to use this to read from the CG RAM as well as writing, but it's not possible to use the autoincrement magic then. This morning, in the train to work I wrote a small OPL program to test this assumption:
rlcdreg:
local char%, row%, byte%
rem dump UDGs from HD44780 CG RAM
char% = 0
while char% <= 7
  row% = 0
  while row% <= 7
    rem hd44780 instr reg is at 180h
    rem instr 40h addresses CG RAM
    pokeb $180, $40 + char%*8 + row%
    rem data reg is at 181h
    byte% = peekb($181)
    print "chr"; char%,
    print "row"; row%,
    print "val"; byte%
    row% = row% + 1
  endwh
  char% = char% + 1
endwh
And the character definitions came scrolling down my Psion's little screen!
Pretty useless, maybe. But it means that it is possible to manipulate the UDG definitions in the LCD controller directly, without using some shadow copy in the Psion's RAM. I think that I will experiment with this in OPL first and, when successful, port it to machine code for speed. That would be a nice opportunity to learn the instruction set of an ancient processor. ;)
To be continued.
UDGBUF: a poor man's framebuffer on Psion Organiser II, Part 1
posted 2009-06-13 21:57:15, link to this article
Today I had some more fun with my rediscovered Psion Organiser II. It's about time to get my hands on a model LZ or LZ64 to enjoy twice the amount of screen real estate. ;)
This time I toyed with UDG (user defined characters) again. As the Psion reference manual states you can use these to make small animations as updating these changes them on screen immediately. That gave me the idea to implement some minimalistic framebuffer using all eight UDGs. I print four static UDGs in screen row 1, the other four in screen row 2, this way you get a whopping 40x16 pixel space for graphics!
It would be nice to read/write to the display controller directly and provide some convenience functions to do basic drawing, but I don't feel like learning to write HD6303 machine code just yet, so for now I plan to pass a pointer to some shadow memory (which I plan to allocate by creating a large global array or string) around where you do your graphics stuff, this will be then copied to the UDGs.
As a first test, I wrote a small program that walks through the memory of the Psion and displays it in the UDGs, with this result:
Tomorrow, I'll try to write some functions to provide a few basic graphics operations to set and get a pixel value. And maybe even some Bresenham line/circle drawing after that.
JavaScript unit conversion gadget brings lots of RegEx fun
posted 2009-06-07 20:39:38, link to this article
My girlfriend started a cooking blog recently; if you want to keep track of what I eat, I suggest you subscribe to her feed. ;)
To help her American followers (and others suffering under the burden of a unit system from the Middle Ages), I kludged together a little gadget to add to her Blogger pages. The gadget tries to convert a few metric units to something equivalent in stones, feet and that Fahrenheit thing.
Doing so, I learned a nifty thing about JavaScript regular expressions. The replace method in JavaScript 3 makes it possible to call a function to return the replacement string. This way, I can match value, a possible prefix and unit, make backreferences and pass those to a conversion function and replace the matched text in the blog posts with converted values in one go, like so:
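// "mill?i" and "cel[sc]ius" accept the correct spellings as well as the misspelt ones
var re = /(\d+|\u00bd) ?([mcdk]|(?:mill?i|centi|deci|kilo))?(g(?:r|ram)?|l(?:iter)?|c(?:el[sc]ius)?)\b/gi;
function knvrtit() {
    var entries = document.getElementsByClassName('entry-content');
    for (var i = 0; i < entries.length; i++) {
        // replace() calls das_Konvertor for every match and inserts its return value
        entries[i].innerHTML = entries[i].innerHTML.replace(re, das_Konvertor);
    }
}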
But, what is that Unicode \u00bd, you say? Oh, well, as it happens some keyboard layouts have a ½ character and some people like to use it as well...
Das_Konvertor() then does its magic using a case construct to multiply values based on the prefix of a unit, and then uses a second case construct to decide how to convert based on the type of unit encountered.
The code for das_Konvertor() is a bit long, but it looks somewhat like this:
function das_Konvertor (str, value, prefix, unit, offset, s) {
    // do stuff
    return string_in_imperical_units;
}
It would be fun, and very web2.0ish to, instead of doing my own ugly conversions, pass the calculation to be done to the almighty Google calculator in an XMLHttpRequest and display the result. If it keeps raining in the weekends, I might do so. ;)
Perl anonymous hashes as lookup-tables
posted 2009-05-16 16:36:57, link to this article
Today when munging some data in Perl I came up with an elegant way to use anonymous hashes as lookup tables.
In this case I wanted to translate month names to integers. Of course you could use a bunch of regular expressions to do so. But adhering to the Perl motto "there is more than one way to do it" I tried using an anonymous hash as a lookup table, like this:
$month = ${{
'jan' => 1, 'feb' => 2, 'mar' => 3,
'apr' => 4, 'may' => 5, 'jun' => 6,
'jul' => 7, 'aug' => 8, 'sep' => 9,
'oct' => 10, 'nov' => 11, 'dec' => 12}}{$month};
I quite like this method as no extra variables are needed and you can use this to map many types of data to others.
Dreft
posted 2009-04-18 08:38:53, link to this article
Dreft is a quick and dirty tool that I wrote some time ago to do a bunch of reverse DNS lookups for a CIDR block. It's a pretty simple script; the most interesting part is the ugly workaround to create an in-addr.arpa address from a Net::IP object. Somehow I couldn't convince Net::IP to do this for me when iterating addresses.
Usage is pretty straightforward too:
hessch@blokje:~$ dreft 4.2.2.0/29
4.2.2.1 -> vnsc-pri.sys.gtei.net.
4.2.2.2 -> vnsc-bak.sys.gtei.net.
4.2.2.3 -> vnsc-lc.sys.gtei.net.
4.2.2.4 -> vnsc-pri-dsl.genuity.net.
4.2.2.5 -> vnsc-bak-dsl.genuity.net.
4.2.2.6 -> vnsc-lc-dsl.genuity.net.
Below you'll find the complete script, or as a handy downloadable link here.
#!/usr/bin/perl -w
# dreft - reverse dns enumerator
# Hessel Schut, hessel@isquared.nl, 2008-06-24
use strict;
use Net::DNS;
use Net::IP;
my $ip = new Net::IP ($ARGV[0]) or die (Net::IP::Error());
my $res = Net::DNS::Resolver->new;
do {
    # $ip->reverse_ip doesn't work when iterating IP addresses
    # horrible kludge to in-addr.arpafy the current IP:
    my $ptr = join('.', reverse(split /\./, $ip->ip()));
    $ptr .= ".in-addr.arpa";
    my $rr = $res->query($ptr, qw(PTR));
    if ($rr) {
        print $ip->ip()." -> ".(($rr->answer)[0]->rdatastr)."\n";
    };
} while (++$ip);
SQLite based Bluetooth device logger
posted 2008-11-01 22:16:40,
link to this article
Btsql is a simple Bluetooth device logger, originally written in Perl, but later I rewrote it in C to support multiple Bluetooth (HCI) devices. The C source is very rough, but it basically works. :-)
All application logic resides within the SQLite3 database, that way the logger doesn't need to do more than blindly inserting values in the database. A couple of triggers do the rest.