Encrypting an Android phone with a broken USB port

I have an Android phone with a broken USB port: neither the data nor the power lines work. However, I can still charge the battery by removing it from the device and putting it into an external charging device. Apart from that, the device still works absolutely fine and I see no reason to throw it away or risk breaking it by trying to repair it.

I have now decided that I want to encrypt this phone, but Android wanted me to connect it to power, even though the battery was 100% full.

Fortunately, one can force the device encryption from a root shell on the device by invoking:

vdc cryptfs enablecrypto inplace 

The phone will then reboot and start encrypting. Note that if your battery runs out during this process, you will lose data, so make sure to take a backup first!

Controlling your monitor’s brightness from your computer

I usually have to work more than eight hours a day on my computer. Especially in winter, when the sun sets early, I often would have to dim the brightness of my monitor in the evening. But because most monitors' on-screen menus are hard to use, I almost never do that, because I am too lazy. But if I don’t, I sometimes get a headache. So I thought it must be possible to somehow control the brightness of my monitor without using the crappy menu. And it turns out that this is actually possible. Many monitors support DDC, which should in theory allow you to adjust their brightness. For Linux, there is DDCcontrol, which worked perfectly for my Dell UltraSharp U2412M, although it does not officially support this monitor.

Unfortunately, DDCcontrol is not in the Ubuntu package repositories. However, on my Ubuntu 14.04 I was able to use the packages ddccontrol, gddccontrol and libddccontrol0 from 15.04. Additionally, I had to install ddccontrol-db from 10.04. However, keep in mind that using packages from different Ubuntu versions could in theory break your whole system. So be careful, I am not responsible if kittens die.

After that, I had to install i2c-tools and add my user to the i2c group:
sudo apt install i2c-tools && sudo gpasswd -a nico i2c

Then, ensure that the i2c-dev module is loaded on boot by adding it to /etc/modules.

After rebooting your machine, you should be able to use gddccontrol to adjust monitor parameters. On the shell, I was able to adjust the brightness using the following command:
ddccontrol -r 0x10 -w "$your_brightness_value" dev:/dev/i2c-7
Keep in mind that the command will most likely look different, depending on your machine and your monitor.

That’s it! Now I can adjust the brightness of my monitor more conveniently!

PC Engines APU: Installing Debian

Until now, I only ran pfSense on my PC Engines APU boards. But I now wanted to get one of them running under Debian Linux.

The first challenge is creating a live Linux that starts a serial terminal on boot. I found that this was easiest using Grml2Usb. I booted Grml on my normal PC and plugged in a USB stick. Then, using a Grml ISO image, I did the following:
grml2usb --fat16 --bootoptions="vga=off" --bootoptions="fb=false" --bootoptions="console=ttyS0,115200n8" grml96-full.iso /dev/sdz1

This formats /dev/sdz1 and creates a Grml stick that automatically starts a serial console.

Then, boot from that stick. Using the awesome grml-debootstrap you can debootstrap a Debian installation on your APU. After that, you have to chroot into your new installation:

mount /dev/sda1 /mnt
mount -t sysfs sys /mnt/sys
mount -t proc proc /mnt/proc
mount -o bind /dev /mnt/dev
chroot /mnt /bin/bash

First, edit /etc/default/grub to make Grub aware of your serial port. To do that, set the following variables there (replacing them if they already exist):

GRUB_CMDLINE_LINUX_DEFAULT="gfxpayload=text fb=false console=ttyS0,115200n8"
GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

Then, make Debian spawn a shell on your serial port. Edit /etc/inittab and uncomment the following line:
T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100

Afterwards run
update-grub
and reboot. You should see Grub and then your Debian booting!

Firefox: Disable search and Domain Guessing

I don’t want my Firefox to perform searches on Google or similar when I don’t explicitly instruct it to do so. This is especially annoying if you enter something like sw01.mgmt.corp.client.com and Firefox performs a Google search on that because you didn’t configure your DNS correctly.

Go to about:config and set
keyword.enabled = false

But that isn’t enough. If you enter something like internalapp it will complete that to www.internalapp.com… This “feature” is called Domain Guessing. Let’s get rid of that, too:
browser.fixup.alternate.enabled = false

Additionally, I have set up a few keywords for search engines, so when I enter something like
g test
into the URL bar, Firefox will do a Google search.

Static DNS entries with a Fritzbox

If you run a server behind your Fritzbox, you may want to reach it by its DNS name. But since it makes sense to give a server a static IP address, the Fritzbox does not enter it into DNS. You can add the host in a configuration file instead.

Important note: you should only edit the Fritzbox configuration files if you know how to revive a bricked Fritzbox. I assume no liability for the correctness of these instructions.

  1. Remove the DHCP lease in the Fritzbox, if one still exists. You can do this in the web interface under Heimnetzwerk > Netzwerk (Home Network > Network) by clicking the red X next to the corresponding host.
  2. If you have not done so already, enable telnet and log in.
  3. Stop multid:
    multid -s
  4. Edit ar7.cfg:
    nvi /var/flash/ar7.cfg

    In this file there is a section “landevices” where you can insert a block like this one (adjust the values accordingly):

    } {
            ip = 192.168.178.5;
            name = "server";
            mac = 12:34:56:78:90;
            medium = medium_unknown;
            type = neightype_unknown;
            staticlease = no;
    } {
  5. After rebooting the Fritzbox, a corresponding entry appears in DNS.

The Admin’s Toolbox: Multisystem

For the past years, I always had a couple of CDs with me when I went out to fix a computer. I had CDs for several Linux distributions (especially the awesome Grml), several versions of Windows, and some bootable virus scanners. As this collection grew, I carried around about 25 CDs with all kinds of stuff. Then, as the first computers without optical drives were manufactured, I had to put in a few USB sticks.

For a few days now, I have only had a 32 GB USB stick with me. Thanks to MultiSystem (French) I could integrate a lot of bootable tools onto just one stick. The stick is one of the few with a write-protect switch (a TrekStor CS 32 GB), so it can’t be compromised on a virus-infected machine. Additionally, I have a CD with Plop on it with me so I can boot from the stick even if the BIOS doesn’t support it/doesn’t like my stick (happens more often than you think).

Broken reset function on a Server

For a few days now, we have had problems with a server. It sometimes freezes and the only way to make it work again is to reset it. So a few days ago I got an SMS from the monitoring system that alerted me that the server was down again.

After checking, I noticed that it was really down and I decided to reset it using the reset service of our data center. I sent the reset request, but the server didn’t come back to life after a few minutes. At first I thought it was completely broken. But that wasn’t the case. Literally the reset hardware was broken, so a technician had to walk over to the server and reset it. That’s Murphy’s law I guess…

Windows Server Backup fails when VHDs are mounted inside Hyper-V virtual machines

We have a virtual machine with Windows Server 2008 R2 that has VHDs mounted. Ever since we mounted the VHDs, Windows Server Backup on the Server 2008 R2 Hyper-V host always failed. When we detached the VHDs again, the backup would run just fine. Unfortunately, Windows Server Backup once again is not able to produce a helpful error message. The only indication in the logs is the following message that at least points you to the right VM:

The number of volumes reverted does not match the number of volumes in the snapshot set for virtual machine 'ourvm' (Virtual machine ID 123456789).

We decided to unmount the VHDs prior to the backup and then mount them again afterwards.

Localized Names of Users and Groups in Windows

You know the “Authenticated Users” group in Windows? Microsoft decided to localize its name. For example, in a German Windows it is called “Authentifizierte Benutzer”. While I don’t want to criticize the decision to localize the name, I want to criticize the way it is implemented in some parts of Windows.

If you take a look at icacls, you can write a script that does not depend on the locale of the installed system. Instead of “Everyone” you would just use its SID S-1-5-11 (which does not depend on the locale) according to the list of well-known SIDs in Windows.

That’s ok. Now suppose you want to create a network share using net share. Additionally, you want to restrict access to that share to the “Authenticated Users” group (using the grant argument). Well. No. It is just impossible to do that in a way that does not depend on the locale. The grant argument will only accept the name of a group, but not the SID. (Additionally, it will fail with a not very helpful error 1332 “No mapping between account names and security IDs was done” if you pass a SID…).

With the help of Google you can find a solution (German) that uses wmic to get the localized name and this is what I used in the end:

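rem The SID is the same on every locale; only the account name is localized
set AuthenticatedUsersSid=S-1-5-11
rem Ask WMI for the account with that SID; /value prints a "Name=<localized name>" line
for /f "tokens=2 delims==" %%a in ('"wmic path win32_account where SID='%AuthenticatedUsersSid%' get name /value"') do (
    set AuthenticatedUsersName=%%a
    rem Stop after the first match
    goto :loop_end
)
:loop_end
echo Found Authenticated Users localized name: %AuthenticatedUsersName%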

But anyway, why doesn’t that work consistently?
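
The same lookup in PowerShell, as an added example that is not part of the original post: it resolves the SID through the .NET SecurityIdentifier class, checks that the localized name maps back to the same SID, and only then passes the name to net share. The function names Resolve-SidToLocalizedName and Test-NameMapsToSid, the share name Data and the path C:\Data are assumptions made for illustration.

```powershell
# Added example; function names, share name "Data" and path C:\Data are placeholders.

function Resolve-SidToLocalizedName {
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Covers both a malformed SID string and a SID with no account mapping
        throw "Cannot resolve SID '$Sid': $($_.Exception.Message)"
    }
    # Translate() returns AUTHORITY\Name; keep only the name part, which is
    # the form the wmic query in the post returns.
    return ($account -split '\\', 2)[-1]
}

function Test-NameMapsToSid {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Sid
    )
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        $back = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false
    }
    return $back -eq $Sid
}

# S-1-5-11 is the SID used in the batch script above
$sid  = 'S-1-5-11'
$name = Resolve-SidToLocalizedName -Sid $sid

# Round-trip check: the name handed to net share must resolve to the SID we
# intended, otherwise the share would be granted to a different principal.
if (-not (Test-NameMapsToSid -Name $name -Sid $sid)) {
    throw "'$name' does not map back to $sid; refusing to grant access."
}

& net.exe share 'Data=C:\Data' "/grant:$name,READ"
if ($LASTEXITCODE -ne 0) {
    throw "net share failed with exit code $LASTEXITCODE"
}
```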