Arduino Duemilanove as ISP: STK500 protocol errors due to serial auto-reset

Posted by: gdelmatto  :  Category: Hacks

Years ago I wrote about using the Arduino Micro as an ISP (in-system programmer) for a standalone ATmega microcontroller.

I used this setup every now and then, but eventually wanted something more permanent. As I had a spare Duemilanove and some prototype boards lying around, all I had to get was a DIP28 ZIF socket before I could start soldering.

Here’s the layout (ATMEGA pin numbers refer to the DIP28 package, “Protoboard Pin” to the Duemilanove header the protoboard plugs into):

ATMEGA Pin 7 and 20 (VCC, AVCC) -> 5V
ATMEGA Pin 8 and 22 (GND) -> GND
RESET: ATMEGA Pin 1 -> Protoboard Pin 10
SCK: ATMEGA Pin 13 -> Protoboard Pin 13
MISO: ATMEGA Pin 12 -> Protoboard Pin 12
MOSI: ATMEGA Pin 11 -> Protoboard Pin 11
Yellow LED Anode -> Protoboard Pin 8
Red LED Anode -> Protoboard Pin 6
Green LED Anode -> Protoboard Pin 3
All LED Cathodes -> GND (each through a 150 Ohm series resistor)
On the Protoboard, connect the Duemilanove’s own RESET pin and 5V through a 120 Ohm pull-up resistor (this is what defeats the serial auto-reset, see below)

With this setup in place, I opened the ArduinoISP sketch that ships with the Arduino IDE.
In my old tutorial I recommended downloading the sketch from GitHub; that advice is obsolete.
The sketch included with recent versions of the Arduino IDE is far more advanced.

I changed only a few minor things in the sketch:

With this loaded onto the Duemilanove I could finally use it to burn standalone micros like a charm.

So much for the solution, up front. This works for me.

The problem I had up to this point was a very unpleasant behaviour while burning the bootloader onto the micro, where I consistently got errors like these:

/Applications/Arduino.app/Contents/Java/hardware/tools/avr/bin/avrdude -C/Applications/Arduino.app/Contents/Java/hardware/tools/avr/etc/avrdude.conf -v -patmega328p -cstk500v1 -P/dev/cu.usbserial-AH01GO57 -b19200 -e -Ulock:w:0x3F:m -Uefuse:w:0x05:m -Uhfuse:w:0xDA:m -Ulfuse:w:0xE2:m

avrdude: Version 6.3, compiled on Jan 17 2017 at 12:01:35
Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
Copyright (c) 2007-2014 Joerg Wunsch

Using Port : /dev/cu.usbserial-AH01GO57
Using Programmer : stk500v1
Overriding Baud Rate : 19200
avrdude: stk500_getsync() attempt 1 of 10: not in sync: resp=0x15
avrdude: stk500_getsync() attempt 2 of 10: not in sync: resp=0x15
AVR Part : ATmega328P
Chip Erase delay : 9000 us
PAGEL : PD7
BS2 : PC2
RESET disposition : dedicated
RETRY pulse : SCK
serial program mode : yes
parallel program mode : yes
Timeout : 200
StabDelay : 100
CmdexeDelay : 25
SyncLoops : 32
ByteDelay : 0
PollIndex : 3
PollValue : 0x53
Memory Detail :

                         Block Poll               Page                       Polled
           Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
           ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
           eeprom        65    20     4    0 no       1024    4      0  3600  3600 0xff 0xff
           flash         65     6   128    0 yes     32768  128    256  4500  4500 0xff 0xff
           lfuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           hfuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           efuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           lock           0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           calibration    0     0     0    0 no          1    0      0     0     0 0x00 0x00
           signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00

Programmer Type : STK500
Description : Atmel STK500 Version 1.x firmware
avrdude: stk500_getparm(): (a) protocol error, expect=0x14, resp=0x14
avrdude: stk500_getparm(): (a) protocol error, expect=0x14, resp=0x02
avrdude: stk500_getparm(): (a) protocol error, expect=0x14, resp=0x10
Hardware Version: -1449398444
Firmware Version: -1073745528.444305
Topcard : STK502
Vtarget : 1.8 V
Varef : 0.0 V
Oscillator : Off
SCK period : 0.1 us

avrdude: stk500_initialize(): (b) protocol error, expect=0x10, resp=0x01
avrdude: initialization failed, rc=-1
Double check connections and try again, or use -F to override
this check.

avrdude: stk500_disable(): protocol error, expect=0x14, resp=0x10
avrdude done. Thank you.
Error while burning bootloader.

While I never observed this misbehaviour when using the Arduino Micro, the Duemilanove consistently refused to burn the chip.

Unfortunately, there seem to be gazillions of people observing the very same error, but apart from “check the cabling” and the like, there is not much help to be found on this matter. On the other hand, there are obviously people who never encountered this issue at all, so it appears to be device or implementation dependent.

Only after hours of searching and reading did I find some people mentioning similar issues with serial programmers, and how they got around them by disabling serial signals. At that very moment I remembered reading about Arduino doing a reset on serial many years ago: opening the serial port toggles DTR, which the board’s auto-reset circuit couples onto the RESET line, so the Duemilanove reboots just as avrdude sends its first STK500 sync requests to what should be the running ArduinoISP sketch. That is where the “not in sync” and “protocol error” lines above come from.

I don’t know why this is not mentioned already in the Arduino as ISP context (it should be, I think). At least there is official documentation on how to disable reset on serial.
There are multiple solutions, from soldering to just sticking in resistors. Since I didn’t want to tamper with the Arduino PCB, I’ve just added a removable resistor between RST and 5V, which holds RESET high against the DTR pulse. Since I didn’t have a 120 ohm resistor at hand, I combined a 100 and a 20 ohm resistor in series to achieve the same effect.

Weehee! With the resistor in place, it finally works the way it should.
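Two checks I would bolt onto the avrdude command line the IDE generated above, as an added example (this is not code from the post or from the Arduino project): reading the device signature before any fuse is written, so a miswired or wrong chip is refused instead of being bricked by the wrong fuse bytes, and turning avrdude’s log into a one-word verdict so the “not in sync” symptom is spotted directly instead of being buried in the output. The port, baud rate and fuse values are the ones from the log above; the function names and the sample log excerpts are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the avrdude invocation the
# IDE generated above with a signature preflight and a log classifier.

PORT=${PORT:-/dev/cu.usbserial-AH01GO57}   # serial port of the Duemilanove (from the log above)
BAUD=19200                                 # ArduinoISP talks stk500v1 at 19200
SIG_ATMEGA328P=0x1e950f                    # device signature of the ATmega328P

# Classify an avrdude log read from stdin. Prints one of:
#   sync    - "not in sync" replies: the host board was reset by DTR on port
#             open, so avrdude never reached the ArduinoISP sketch
#   error   - protocol, initialization or verification failure
#   ok      - avrdude finished and reported none of the above
#   unknown - nothing recognisable (empty or truncated log)
avrdude_verdict() {
    sync=0; error=0; finished=0
    while IFS= read -r line; do
        case "$line" in
            *"not in sync"*) sync=1 ;;
            *"protocol error"*|*"initialization failed"*|*"verification error"*) error=1 ;;
            *"avrdude done"*) finished=1 ;;
        esac
    done
    if [ "$sync" = 1 ]; then echo sync
    elif [ "$error" = 1 ]; then echo error
    elif [ "$finished" = 1 ]; then echo ok
    else echo unknown
    fi
}

# Ask the programmer for the target's signature only (no -U write operations).
# avrdude prints "Device signature = 0x......" on stderr; extract that value.
read_signature() {
    avrdude -patmega328p -cstk500v1 -P"$PORT" -b"$BAUD" 2>&1 \
        | sed -n 's/.*Device signature = \(0x[0-9a-fA-F]*\).*/\1/p'
}

# Write lock bits and fuses only after the signature check passes.
# Prints the verdict for the burn and returns 0 only when it was "ok".
burn_fuses() {
    sig=$(read_signature)
    if [ "$sig" != "$SIG_ATMEGA328P" ]; then
        echo "refusing to write fuses: signature '$sig' is not an ATmega328P ($SIG_ATMEGA328P)" >&2
        return 1
    fi
    log=$(mktemp)
    if avrdude -v -patmega328p -cstk500v1 -P"$PORT" -b"$BAUD" -e \
         -Ulock:w:0x3F:m -Uefuse:w:0x05:m -Uhfuse:w:0xDA:m -Ulfuse:w:0xE2:m 2>"$log"; then
        verdict=ok
    else
        verdict=$(avrdude_verdict < "$log")
    fi
    rm -f "$log"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample logs for trying the classifier without hardware attached.
# The failing one is excerpted from the log in the post.
sample_reset_log() {
    printf '%s\n' \
        'avrdude: stk500_getsync() attempt 1 of 10: not in sync: resp=0x15' \
        'avrdude: stk500_getsync() attempt 2 of 10: not in sync: resp=0x15' \
        'avrdude: stk500_initialize(): (b) protocol error, expect=0x10, resp=0x01' \
        'avrdude: initialization failed, rc=-1' \
        'avrdude done.  Thank you.'
}
sample_good_log() {
    printf '%s\n' \
        'avrdude: Device signature = 0x1e950f (probably m328p)' \
        'avrdude: safemode: Fuses OK (E:05, H:DA, L:E2)' \
        'avrdude done.  Thank you.'
}
```

Run `burn_fuses` with the Duemilanove attached; without hardware, `sample_reset_log | avrdude_verdict` prints `sync`, which is the case the resistor fixes.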


DNS spoofing/redirecting with BIND’s response policy zones

Posted by: admin  :  Category: Networking

There was a talk on BIND’s RPZ (response policy zones) feature at the SwiNOG meeting last Friday.

Fun story behind it: I happened to implement RPZ at my employer just days before, though with another target in mind.
RPZ is described as a way to implement DNS firewalls. Well, this can be used for the good, and for the bad.

Here’s another good use to this technology.

copy-pasting directories using the shell

Posted by: admin  :  Category: Debian GNU/Linux, FreeBSD, HowTo's, OS X, RHEL, Shells

Imagine that you need to copy some files or directories over to another host, but the security policy or the connectivity doesn’t allow the use of standard file transfer protocols. Here’s a quick and dirty solution to get around such restrictions. Bear in mind that this is also exactly how data gets exfiltrated through a terminal-only jump host, so if a policy is what blocks file transfers, make sure you are allowed to do this before you do it.

This little trick only requires access to two different hosts via SSH (or telnet, or even a serial console) and a terminal client that can capture screen output into a file or a copy-paste buffer.

So, on the source host, go to the file or directory, tar it up, apply compression as needed, send the output to stdout and pipe it straight through base64:

tar -czpvf - some/path | base64

The file and directory names listed by -v go to stderr, while stdout carries the base64-encoded archive, so on screen it looks like this:

some/path
some/path/somefile1
some/path/somefile2
some/path/somefile3
some/path/somedir
some/path/somedir/someotherfile1
H4sIAGnAGVgAA+3POw7CQAwFwD1KbkC8kfY+kUIJK+XD+VklDVBAQ7qZ5lnyK+zp+rhs83if6i2d
pW9KKXs2n7nPkVsjIuccqY8hSqRuOO2iF9uyjnPXpbnW9Vvv1/74I46M+O+RAAAAAAAAAAAA8O4J
FJs7gwAoAAA=

The “garbage” after the file and directory names is the base64-encoded output of tar.
Don’t bother decoding the output above, it is just some garbage from /dev/urandom to illustrate the example 😉

Now copy just the base64 output into the paste buffer (or send it to a file, if your terminal client supports that). A good habit is to run the captured text through sha256sum (shasum -a 256 on macOS) on both ends before decoding, so a line lost or mangled by the terminal is caught before tar ever sees it.
Then, on the target host, change to the directory where your files should end up and enter the command below:

cat|base64 -d|tar -xzpvf -

Don’t worry, it will appear to “hang” on an empty line: cat is waiting for input.
Now paste the buffer (or send the contents of the file captured before).

It will look similar to this:

cat|base64 -d|tar -xzpvf -
H4sIAGnAGVgAA+3POw7CQAwFwD1KbkC8kfY+kUIJK+XD+VklDVBAQ7qZ5lnyK+zp+rhs83if6i2d
pW9KKXs2n7nPkVsjIuccqY8hSqRuOO2iF9uyjnPXpbnW9Vvv1/74I46M+O+RAAAAAAAAAAAA8O4J
FJs7gwAoAAA=

Once the paste has been flushed, the command will appear to “hang” again; press CTRL-D to send end-of-file and complete the transfer.

If done correctly, the input is passed through base64 to be decoded and then on to tar to be unpacked, and you should see the file and directory names listed accordingly:

cat|base64 -d|tar -xzpvf -
H4sIAGnAGVgAA+3POw7CQAwFwD1KbkC8kfY+kUIJK+XD+VklDVBAQ7qZ5lnyK+zp+rhs83if6i2d
pW9KKXs2n7nPkVsjIuccqY8hSqRuOO2iF9uyjnPXpbnW9Vvv1/74I46M+O+RAAAAAAAAAAAA8O4J
FJs7gwAoAAA=
some/path
some/path/somefile1
some/path/somefile2
some/path/somefile3
some/path/somedir
some/path/somedir/someotherfile1

That’s it, a whole directory tree copied without involving any file transfer protocol.

Of course, the base64 encoding adds about a third in overhead, and throughput is limited to the speed of the console, so this doesn’t work well for large amounts of data. Note also that base64 -d rejects stray characters, so any prompt echo or line wrapping that sneaks into the paste will make the decode fail. It is, however, a very quick solution if only a few files need to be copied without bothering about possible restrictions.

MySQL replication: Cross-Database updates using Procedures and dynamically-switched row-based Replication

Posted by: admin  :  Category: MySQL, Programming

What a lengthy title to describe what this is about. D’oh!

Well, I wanted to solve an interesting problem: imagine a multi-master MySQL cluster where databases are fully replicated between the masters, but only partially to the connected stub slaves.

Now, assume there are two databases, one called DB1, the other called DB2.
Both master servers carry both databases, while the connected slaves get only DB2 (enforced by a replicate-wild-do-table=DB2.% statement in the slave’s my.cnf config file).

+-------+      +--------+      +--------+      +-------+
| SLAVE | ---- | MASTER | ---- | MASTER | ---- | SLAVE |
+-------+      +--------+      +--------+      +-------+
 only DB2         all             all           only DB2
 database       databases       databases      database

Now, let’s imagine a query which populates entries in DB2 by selecting data from DB1:

INSERT INTO DB2.destTable1 SELECT * FROM DB1.sourceTable1;

Because of the way MySQL replication works, this query will fail on the slaves, as the referenced source table does not exist there.
Of course, this depends heavily on the actual configuration of the master and on how the updates are written to the binary log.

If statement-based replication is enabled, replication will break completely.
If row-based replication is chosen, on the other hand, it is likely to complete.

Why? Because with statement-based replication, the statement itself is replicated, exactly as shown above.
With row-based replication, the master expands the statement into the actual row changes while writing the log, so the exact result can be passed on to the slaves.

Let’s see what this looks like:

SET INSERT_ID=1734227546/*!*/;
INSERT INTO destTable1 (field1, field2, field3, field4) VALUES ('val1', 'val2', 'val3', 'val4');

The advantage: the change can actually be applied on the slave even if the source table it was derived from does not exist there.
This is what row-based replication is about.

Now, there is a third option for MySQL, which is mixed-mode replication. Depending on the version, this may even be the default.
In mixed mode, MySQL decides by itself if, and under what conditions, statement-based or row-based logging applies.

This is a good default in most cases and I use it on all my setups. But in the scenario above, mixed-mode replication will cause unexpected replication failure.

So, it would be nice if there were a way to switch the replication mode at runtime, wouldn’t it?
Luckily there is.

One may do this either globally or, more appropriately in this case, per session.
So first force MySQL into row-based logging before executing the actual query, then revert to mixed mode once the query has run:

set session binlog_format = 'ROW';
INSERT INTO DB2.destTable1 SELECT * FROM DB1.sourceTable1;
set session binlog_format = 'MIXED';

This can even be used within a stored procedure. So I can in fact add a stored procedure on DB1 which carries out changes to DB2. Two caveats: changing binlog_format, even just for the session, requires the SUPER privilege (or its finer-grained successors on newer servers), and it cannot be changed in the middle of a transaction. The procedure below also saves the caller’s format and restores that, instead of blindly setting MIXED, so it does not alter a session that was running in a different mode. If the INSERT raises an error, the procedure aborts before the restore, so callers should not assume the session is back in its old mode after a failure.

DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `procSampleProcedure`()
    MODIFIES SQL DATA
BEGIN
    -- remember the session's current format so it can be restored afterwards
    SET @saved_binlog_format = @@SESSION.binlog_format;
    SET SESSION binlog_format = 'ROW';
    INSERT INTO DB2.destTable1 SELECT * FROM DB1.sourceTable1;
    SET SESSION binlog_format = @saved_binlog_format;
END//
DELIMITER ;

This is very nice indeed, as I can still run MySQL in mixed mode by default and only force it into RBR (row-based replication) when needed.
Essentially, this works around replication breaking because of dependent tables that are missing on the slaves.

([M|m]ac)?\s?OS(\sX)?: Permit ICMP redirects

Posted by: admin  :  Category: Networking, Operating Systems, OS X

So I was fighting with that Motorola/Netopia router I’m obliged to use, because the network operator doesn’t allow hooking up a custom device.

Well, it is possible after all, as proven in the past; however, in order to use the network operator’s SIP gateway (for which the login credentials are not handed out), the operator-branded router must be used. *sigh*

Here’s a somewhat high-level overview: the clients which shall connect to the lab are in the same subnet as default router #1. The next hop for the more specific lab routes is router #2, which is in the same subnet.

+-----------+        +------------+       +-----------+       +-----------+       +-----------+
| clients   |  ----  | WiFi/Wired | ----  | router #1 | ----  | router #2 | ----  | LAB stuff |
+-----------+        +------------+       +-----------+       +-----------+       +-----------+
{                            CLIENT SUBNET                          } {      LAB SUBNETS      }

So actually, I could just add the more specific routes to every client, pointing them at router #2.
However, this is cumbersome. I don’t want to add these routes on every client.

So I tried hacking them into the Motorola/Netopia router. I had a hard time with that, but only because it’s so silly and overly complicated … 🙁
So far so good, my clients could send ICMP echo requests towards the LAB devices, but that was as close as I could get.

Not every client was able to reach everything in the LAB.

As it turned out, the Motorola/Netopia sends ICMP redirects. It does that because router #2 (a Cisco, btw) is reachable via the CLIENT subnet and thus directly reachable by anyone in the same subnet.
However, ICMP redirects make forwarding somewhat non-deterministic: once a client has accepted a redirect the router no longer controls the path, and whether a client accepts one at all is up to the client. I consider it voodoo, which is why I prefer turning it off.

The only problem is that this “Netopia SOC OS” doesn’t have an equivalent to the Cisco “no ip redirects” command.
Well, it’s Linux after all, so I could turn it off by setting /proc/sys/net/ipv4/conf/*/send_redirects to 0. There is an obscure way to break out of the SOC OS shell and get an unrestricted shell:

ping 127.0.0.2;/bin/busybox telnetd -l/bin/sh -p9999

(That is plain command injection in the restricted CLI.) This opens a root shell on port 9999, from where the kernel setting can be changed. Note that a telnetd started with -l/bin/sh asks for no credentials at all, so anyone who can reach the router on that port gets the same root shell; kill it again once you are done. And since the change is reverted whenever the router reboots due to operator updates, I would have to hack it back in every time. I don’t like this at all. Please, let me officially retrieve the SIP credentials to hook up my IP phone directly, so I can use a Cisco router. Pretty please!

Well, one day perhaps. Until then, I need to get it working with the least intrusive means of configuration.
So, I can’t replace the router and I can’t teach it not to send redirects.
But if my clients, ([M|m]ac)?\s?OS(\sX)? in particular, don’t play well with ICMP redirects, let’s force them to do so.

On macOS (man, let’s blatantly change the name one more time!), this can be done via the sysctl command in the Terminal.
Query it like this:
Query it like this:

# sudo sysctl net.inet.icmp.drop_redirect
net.inet.icmp.drop_redirect: 1

So macOS indeed drops ICMP redirects by default. Let’s change this:

# sudo sysctl net.inet.icmp.drop_redirect=0
net.inet.icmp.drop_redirect: 1 -> 0

With the new setting, connections started to work right away.

A note of caution: in my opinion ICMP redirects are a dangerous thing, as they open the door for anyone on the local segment to influence the client’s idea of the routing table, which is all an attacker needs to put themselves in the middle of a connection.
A client should not listen to redirects and should always forward traffic towards its designated router. Overriding a default like this may be OK on a case-by-case basis, but it should be closely inspected and monitored. A sysctl set this way does not survive a reboot, which for once is an upside: the safe default comes back by itself. Per-client static routes towards router #2 (route add) would get the same result while leaving drop_redirect at 1.
If I had the choice, I surely would have preferred a permanently applied setting on the router instead.
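Two helpers around the setting just discussed, as an added example that is not part of the post. The first reads sysctl output and says whether a host will honour ICMP redirects; it understands the macOS key shown above and, going beyond the post, the Linux net.ipv4.conf.*.accept_redirects keys, so the same audit runs on both. The second opens the macOS setting only for the duration of one command and puts the saved value back even when that command is interrupted, which keeps the window in which a redirect would be accepted as small as possible. Function names and the sample sysctl lines are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit and scope the ICMP
# redirect setting discussed above.

# Read `sysctl` output on stdin and print "accepts" or "drops".
#   macOS: net.inet.icmp.drop_redirect: 1          (1 = drop, the default)
#   Linux: net.ipv4.conf.<if>.accept_redirects = 0 (0 = drop)
# The Linux kernel combines the all/ and per-interface values, so to stay on
# the conservative side the host is reported as accepting if any of them is 1.
redirect_policy() {
    verdict=drops
    while IFS= read -r line; do
        # normalise "key: value" (BSD) and "key = value" (Linux) to two words
        set -- $(printf '%s\n' "$line" | tr ':=' '  ')
        key=$1; val=$2
        case "$key" in
            net.inet.icmp.drop_redirect)
                if [ "$val" = 0 ]; then verdict=accepts; fi ;;
            net.ipv4.conf.*.accept_redirects)
                if [ "$val" != 0 ]; then verdict=accepts; fi ;;
        esac
    done
    echo "$verdict"
}

# macOS only: run CMD with redirects accepted, then restore the previous value
# of net.inet.icmp.drop_redirect whatever happens to CMD (needs sudo).
#   usage: with_redirects_allowed ping -c 3 10.0.0.1
with_redirects_allowed() {
    saved=$(sysctl -n net.inet.icmp.drop_redirect)
    # restore on normal exit and on Ctrl-C/kill, so the host is never left open
    trap 'sudo sysctl net.inet.icmp.drop_redirect="$saved" >/dev/null' EXIT INT TERM
    sudo sysctl net.inet.icmp.drop_redirect=0 >/dev/null
    "$@"
}

# Constructed sysctl outputs, in the format each platform prints.
sample_macos_default() {
    printf 'net.inet.icmp.drop_redirect: 1\nnet.inet.icmp.icmplim: 250\n'
}
sample_macos_opened() {
    printf 'net.inet.icmp.drop_redirect: 0\n'
}
sample_linux_hardened() {
    printf 'net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.eth0.accept_redirects = 0\n'
}
sample_linux_one_if() {
    printf 'net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.eth0.accept_redirects = 1\n'
}
```

On a live host the audit is `sysctl net.inet.icmp.drop_redirect | redirect_policy` (macOS) or `sysctl net.ipv4.conf | redirect_policy` (Linux); run it as a script rather than sourcing it interactively, since the trap in with_redirects_allowed is set on the shell that runs it.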

Remoting an old APC PDU using SNMP and remOcular

Posted by: admin  :  Category: Hardware, Perl, Programming, Utilities

Garage sale at the office: a good chance to grab some (very) old hardware, like an APC 9221 PDU. Yes, it’s old (some 15 years or so), so surely not state of the art, but still good enough for my home lab. Who could have told that there were some unforeseen issues waiting for me …

Ansible in 10 minutes or less

Posted by: admin  :  Category: Debian GNU/Linux, FreeBSD, HowTo's, Operating Systems, Scripting

I just remembered a recent argument I had with someone about automation. It’s unbelievable how many things are still done manually on a widespread scale, not leveraging the possibilities at all. Especially with so many frameworks available to help out, sticking to “the old way” just ain’t cool any more.

So let’s take a quick look at Ansible, and how we can be up and running with even simple task automation in 10 minutes or less.

quick-and-dirty PAM with LUA, mod_magnet and lighttpd -or- how to breach system security

Posted by: admin  :  Category: Programming, RegExp, Security, Shells

Be warned: this example serves as an illustration of how *NOT* to do it.
It’s just one of the examples I teach to apprentices at the office when it comes to learning scripting, and how important input validation (or the absence of it) is.
It’s also a good illustration of how attackers break into systems to steal data or make them part of a botnet.

The given situation depicts a lighttpd server which exposes a directory that must be protected via LDAP-managed accounts, so there is an immediate need for PAM. However, lighttpd lacks a PAM implementation. Period. There’s a very ugly and highly insecure way, however …

armv6 Package Builder for FreeBSD is online

Posted by: admin  :  Category: FreeBSD, HowTo's, Operating Systems, Utilities

There it finally is: the Phunsites Package Builder at http://pkgbuild.phunsites.net/.

Since my initial writings on FreeBSD on the Raspberry Pi, I’ve always wanted a web service where I can just select the port I want and have it packaged up in minutes.
Now there it is: fully automated, with a neat and (hopefully) easy-to-use web interface.

Check it out. It’s free lemons! 😉


Quick&Dirty FreeBSD on Alix (without PXE boot)

Posted by: gdelmatto  :  Category: FreeBSD, Hardware

It’s been a while since my last post; I’ve been quite busy writing my graduation essay.

Meanwhile my colleague Steven donated a somewhat dated PC Engines Alix computer to me. I thought I’d put it to good use as a packet generator for the new network playground I’m currently building.

Funny anecdote: while googling for some docs about Alix computers, I stumbled across his original 2009 post on FreeBSD installs.

But then I read that I’d need to go through configuration hell with DHCP, PXE and NFS for a one-time install … Oh boy, you must be kidding …