Thursday 22 December 2016

How to delete a stuck Thumbs.db file

From time to time Windows users complain that they can't delete folders. The 1st level support people usually think it is some file system permission problem and escalate it to the sysadmin team.

The error message says that the file is in use. This is almost certainly not the case here.
File in use?
However, it is amazingly easy to fix:
Change the view to "large icons" and back to "details". This apparently rewrites the thumbs.db file.


The thumbs.db file can simply be deleted then.

Tuesday 20 December 2016

Trend Micro OfficeScan WebReputation filter gone paranoid

Trend Micro OfficeScan web reputation problems

Safe or sorry

Yesterday users started reporting problems with blocked elements on websites. This also completely blocked sites with Anti-Adblock-features.
Although this banner has now disappeared from TrendMicro's OfficeScan support pages, the problem did not disappear completely.

TrendMicro's info about the problem

Options...

There are three ways to go:

  1. wait it out till TM has fixed it.
    (not an option)
  2. add exceptions for blocked servers manually
    (more secure - more work)
  3. disable web reputation service
    (less work - less secure)


To add exceptions to the filter, navigate to http://YOURTRENDMICROSERVER.YOURDOMAIN:8080/officescan and go to the Web reputation settings:
Agent settings
Here you can manually add exceptions:
By default, the exception list is not active. So don't forget to enable it.
That should fix it for a limited number of sites. You can get a list of blocked sites from the client's web reputation protocol and copy/paste from there.

The other option is to temporarily disable Web Reputation filtering altogether:

Uncheck the activation box for the web reputation service to disable it globally.

Monday 19 December 2016

Microsoft Office Click-to-run component prevents Visio 2016 installation


Click-to-run

On the Surface Pro 3 I use at work, I need Microsoft Visio 2016 for a project documentation. We still use Office 2007 (32 bit), so I also have to run the 32-bit version of Visio. (Not an issue.)
But when trying to install Visio from the CD image, the installer complained about an Office 2016 click-to-run installation that prevents Visio from installing.
I followed quite a few hints about removing that click-to-run component, but couldn't find it on my system as described.

Greek gift

It turned out to be a Greek gift from Microsoft:
The Surface Pro 3 came with "Office 2016 Home&Student" as "click-to-run" package. In the list of installed programs it was listed as "Office".

MSI-installer

I removed that and Visio 2016 (32bit) installed without a problem. It also did not harm the OneNote App I frequently use with the Surface Pro 3.

Tuesday 22 November 2016

Test your USB serial converter

Back in the days

when PCs came with serial and parallel ports, techs had sets of plugs to test the serial and parallel interfaces with.

There is also a >>>video<<< on this!

Today

I still use an RS232 adapter on my SurfacePro at work to configure Cisco network components. I have had quite a few of these over the last few years, with different chip sets.

For my microcontroller hacking joy, I have come to like CP2102 based adapters like this one. The chip is 5V tolerant and puts out 3.3V levels which is good enough for 5V applications, too.

Put it to the test

Sometimes, when stuff doesn't work as expected, I wonder: Does my USB-serial adapter even work? And the test is easy:
Simple loopback
On this adapter, we don't have any additional signal lines that we find on a fully featured adapter, so all we have to do is to connect the TXD pin to the RXD.
Now everything transmitted through the TXD pin is fed back to the receive pin.

If the driver installed ok, you will see a new COM Port. In this case: COM3

For the loopback test, you have to configure that COM-Port into Putty:
Configure Putty
By default, Putty has local echo off. That means that if you press a button on the keyboard, you will see nothing, unless something is sent back by the adapter.

If you see what you type, everything is ok:

No local echo

If you enable local echo (tick "Force on"),

Enable or disable local echo
you will see every keystroke twice:
With local echo
And that also means that your adapter works ok.

Thursday 17 November 2016

Getting started with a Samsung Portable SSD T1 (500GByte)

For my wife's MacBook, I was looking for a new external 500GByte USB-SSD drive. She had filled an external 256MByte Transcend SSD with her iPhoto library and now it was time for the next step.

I found a very reasonably priced, now discontinued Samsung Portable SSD T1 (Model MU -- PS500B) at a nearby consumer electronics store. Manufacturing date is 03/2015. Not the latest&greatest, but for 129€, it seemed like a bargain. Worth a try.

From the comments on Amazon, I knew that installation was not painless and many had complaints. So I decided to "unlock" the drive on my Windows 10 PC and re-format it on the MacBook later.

In Windows 10 the drive did not show up with a drive letter, so I couldn't install the software required to unblock the drive. I had expected to see a "tools" partition or something like that.
The manual was not helpful either.

There is a new drive!

But it looks pretty useless

No tools or utilities partition and no driver CD in the box. Gooooogling helped:

I found the T1 Activation Software here.



I then extracted "SamsungPortableSSD.exe" from the ZIP Archive and ran it.
I chose not to use a password and a few moments later, the drive was accessible:

exFAT... Ugh!
Reformatting to NTFS was quick and painless. The SamsungPortableSSD tool did not seem to leave unwanted stuff on my system.
Re-formatted to NTFS
It is now possible to partition / format the drive on the MacBook with an HFS file system. No need for stuff that hooks into OSX.
Shows up as expected
Re-formatting to HFS is easy.
Yes, we're sure!
Now that wasn't too hard, although Samsung didn't really make it intuitive. And that might be the reason why I got this drive for cheap.


Friday 14 October 2016

Trend Micro OfficeScan ANOMALY: use of REX.w is meaningless - SOLUTION(not quite)


As described here, our Windows 10 "Anniversary Update" (aka "Redstone") machines suffer from a minor flaw:

C:\Users\reischle>nslookup www.areresearch.net
[0x7FF898F370E3] ANOMALY: use of REX.w is meaningless (default operand size is 64)

[some output removed]

Nicht autorisierende Antwort:
Name:    ghs.l.google.com
Addresses:  2a00:1450:4001:819::2013
          172.217.21.243
Aliases:  www.areresearch.net
          ghs.google.com

Reader "seno" commented that TrendMicro sends out a patch on request.
After a few minutes with TrendMicro's support, they sent me a download link for the patch.

The patch goes by the name: "osce_11_sp1_win_en_hfb6178.exe".

The next day the colleague in charge of the server sent me this disappointing screenshot:

Tough luck for non-English installations
I should have guessed that from the "_en_" in the file name.
So I went back to TrendMicro's OfficeScan support and complained. They told me that their developers were working on a German version of the hotfix and that they'd let me know when it is available.

If you have an English installation, you should be fine with this patch.
Edit 20161018:
Got a German patch now, too. Works fine.

Tuesday 11 October 2016

Poor man's FPV: CX10W and Cardboard

Flying FPV on a shoestring budget

I can see myself!

Over time I have acquired quite a few microdrones. But none of them enabled me to fly FPV. (FPV = First Person View). Although the CX-10W should do the trick, flying with an app, I was never quite happy with it.

Here is the VIDEO on both the build and flight.

There's an app for that

I discovered that there is an alternative to the iOS app recommended by Cheerson. It looks like it is from the same makers, but has some extra features, like 3D view. Well... not really, if you have one camera. But it gives you two images to view through a "google cardboard" compatible viewer.
WiFi FPV from the AppStore (free)
There are several "FPV" apps on the appstore. The one you're looking for goes by the name "WiFi FPV" and is from "Le Wei Technology". 
2D-View -> change to 3d

3d view

App control sucks

While that is all well and good, I don't like controlling the CX-10W with the app, which doesn't work anyway with the phone a few cms in front of your eyes. But I still have the remote control of my CX-10A, which is compatible with the CX-10W.
The CX-10W can be controlled by all newer CX-10 series remotes

To the workbench!

Apart from that, I need some duct tape, three safety pins and the head band from a broken LED head lamp to make my well used google cardboard clone wearable. I had these for quite a while and they are not available any more. These are probably an OK replacement. And they already come with a strap.
This pic is missing the remote control
I attached the safety pins to the goggles, so I can remove and adjust the strap.
Pins attached. Now the strap.
Tooo easy....

Here's how to set things up

  • Switch on the drone
  • Connect phone to the drone's WiFi AP
  • Start the WiFi FPV app
  • switch to 3d-view
  • (if you want to record your flight, hit the camera button now)
  • insert phone into 3d-goggles
  • turn on remote control
  • pair with drone

And you're good to go!

Outside

There was a very slight wind from NE and the temperature was around 10C, which already affects the battery capacity. Still, I got a few minutes of flight out of the CX-10W.
You will look stupid, too with a cardboard box
in front of your face. Do we care?
I did not find flying easy. Despite the fact that I do hold a sport pilot's license and should not easily be confused by a couple of turns, I lost track of the drone very quickly. I had the feeling that I lost the video stream very often, but it did not look so bad on the recording.
Although the grass was freshly cut, it was hard to locate the tiny drone when it crashed.

Bottom line

A project that didn't cost me anything, didn't take long and was a lot of fun.
Things probably would be easier if the drone held its height. The newer model with a barometric pressure sensor for automatic "height hold" is only a little more expensive. I don't have one, but if I had to buy one, I'd go for the CX-10WD in the version with the remote control.


Wednesday 5 October 2016

Trend micro officescan and Cisco Anyconnect: Profile settings require a single local user

Too many local users

One of our Surface Pro users was unable to connect to our VPN with his Cisco AnyConnect (3.1.10010) client.
The message was clear: He was not alone on his machine and blocking such a machine makes sense (e.g. in a terminal server environment).



The message in the ASA's log was:
Group <XXXX> User <XXXX> IP <XXX.XXX.XXX.XXX> SVC Message: 16/ERROR: Profile settings require a single local user but multiple local users are logged in..

The error message on the client was:
AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer.  A VPN connection will not be established.

The task manager's "Users" tab did not show any additional users on his machine.
But there was one additional session visible in the command shell:


C:\Users\YYY>query session
SITZUNGSNAME   BENUTZERNAME          ID  STATUS  TYP         GERÄT
services                              0  Getr.
                                      1  Inakt.
>console     YYYY                     4  Aktiv
rdp-tcp                           65536  Abhör.


C:\Users\YYY>

Power of the shell!

The inactive "Session 1" should not be there.
To find out more about it, we need PowerShell:

PS C:\Users\YYY>  Get-Process | Where SessionId -eq 1

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
    372      10     1544      10456 ...00            5312   1 csrss
    314      46    13420       4288   193     3,63   9208   1 PccNTMon


Virus scanner troubles...

The user could not kill any of these processes in the task manager. But PccNTMon is part of Trend Micro's OfficeScan.


So we disabled that. Both the processes and the session disappeared.

Anyconnect then connected without problems. - Ok as a one-time workaround, but not acceptable as a permanent solution.
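To find every client hit by this problem from the ASA side, the log message quoted above can be matched and counted per user. This is an added example, not part of the original post: only the part of each sample line from "Group <" onward follows the format shown in the post, while the timestamp prefix, group names, user names, addresses and the second message type are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines. Only the "Group <..> User <..> IP <..> SVC Message:"
# layout and the single-local-user text come from the post; everything else
# (timestamps, names, 192.0.2.x documentation addresses, the WARNING line)
# is invented for this example.
SAMPLE_LOG = """\
2016-10-05T08:01:12 Group <VPN-STAFF> User <alice> IP <192.0.2.10> SVC Message: 16/ERROR: Profile settings require a single local user but multiple local users are logged in..
2016-10-05T08:01:40 Group <VPN-STAFF> User <alice> IP <192.0.2.10> SVC Message: 16/ERROR: Profile settings require a single local user but multiple local users are logged in..
2016-10-05T08:03:02 Group <VPN-STAFF> User <bob> IP <192.0.2.22> SVC Message: 17/WARNING: Constructed unrelated warning.
2016-10-05T08:07:55 Group <VPN-ADMIN> User <carol> IP <192.0.2.31> SVC Message: 16/ERROR: Profile settings require a single local user but multiple local users are logged in..
2016-10-05T08:09:00 some unrelated line without the SVC fields
"""

SVC_RE = re.compile(
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"SVC Message: (?P<code>\d+)/(?P<severity>[A-Z]+): (?P<text>.+)$"
)
SINGLE_USER_ERROR = "Profile settings require a single local user"


def parse_svc_messages(log_text):
    """Return one dict per line that carries the Group/User/IP/SVC fields."""
    events = []
    for line in log_text.splitlines():
        match = SVC_RE.search(line)
        if match:
            event = match.groupdict()
            event["code"] = int(event["code"])
            events.append(event)
    return events


def single_user_failures(log_text):
    """Summarise, per user, how often the single-local-user check failed."""
    summary = defaultdict(lambda: {"count": 0, "groups": set(), "ips": set()})
    for event in parse_svc_messages(log_text):
        if (event["severity"] == "ERROR"
                and event["text"].startswith(SINGLE_USER_ERROR)):
            entry = summary[event["user"]]
            entry["count"] += 1
            entry["groups"].add(event["group"])
            entry["ips"].add(event["ip"])
    return dict(summary)


if __name__ == "__main__":
    for user, info in sorted(single_user_failures(SAMPLE_LOG).items()):
        print(f"{user}: {info['count']} rejected attempt(s) from "
              f"{sorted(info['ips'])}; check 'query session' on that client")
```

Each user it reports is a candidate for the `query session` / `Get-Process` check shown above.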

Friday 30 September 2016

Recovering files from a damaged CF card

Loss of memory

This is more like a "note to self", so I remember next time. (Just like the CF-card now does.)

At the media company I work for, we shoot tons of videos and pictures. From time to time something is bound to go wrong.
A colleague who had been at the site of an accident approached me with a 16GByte CF card that mysteriously died on its way from the camera to the PC's card reader.
Windows only offered to format the card.

Linux to the rescue!

I usually use linux to dd / dd_rescue stuff to a file and work from that. No luck here:
Linux didn't like it at all, reporting multiple errors in syslog. fsck complained about a missing superblock. Nothing worked and I had no time for more investigations.

Windows to the rescue!

So it seems like the file system is badly damaged, possibly with some physical damage to the memory card. Here is how we got the data back:

  • re-inserted the card into the camera
  • did a quick-format (in the camera)
  • removed the card and inserted it into the PC's card reader
  • Windows now accepted the card, but found it empty, of course
  • we downloaded the free version of Recuva 
  • we let Recuva do a deep scan for video files and it found numerous files. The file names were lost, of course
  • we restored all the files on the card to the PC (which included a lot of obsolete files)
  • fortunately the important, new files were all complete and error-free

That was even easier than my usual Linux approach.

The CF-card can't be trusted any more and will be destroyed.

Friday 23 September 2016

Apple iPad charging slowly or discharging when plugged in

Battery low warning

The media company I work for presents their iOS apps at local fairs from time to time. I had reports from the ladies presenting the apps on iPads that they were not charging or even discharging despite being plugged in.

On site

Having nothing better to do on a Friday afternoon, I drove to the fair, equipped with a few spare iPads and power supplies, to see for myself what was going on.
It took me a few minutes to dig my way into the three vandalism-proof iPad stands and get hold of the power supplies. A closer examination of the power supplies made things clear:

Different power ratings

Although Apple has it on their web site, I was not aware of the fact that there are three different power supplies out there. All looking the same.

spot the difference

The power ratings (top-to-bottom) are 12W, 10W and 5W.

Watts: Better to look at them, than to look for them.

The 5W adapter apparently came with an iPad mini, while the 10W adapters are for all iPads without retina display.

With a 10W adapter, an iPad with retina just seems to be able to hold its charge at reduced screen brightness. A 5W adapter is just useless to keep an iPad retina on constantly.

I replaced all chargers with 12W models. All iPads charged up ok, leaving some happy people to work through the weekend on the fair.

Friday 9 September 2016

Win10 and TrendMicro OfficeScan - ANOMALY: use of REX.w is meaningless

For a few days now, I get the message:

[0x7FFAD4C870E3] ANOMALY: use of REX.w is meaningless (default operand size is 64)

when calling pretty much any network related command in a cmd-shell. This is the case for both normal and elevated shells.

The symptom went away when disabling TrendMicro OfficeScan on my machine.

It probably came with the latest patch from TrendMicro to provide compatibility with Win10 anniversary edition:

Apart from that, there are no negative effects on my system so far.

UPDATE:

Read on --> HERE <-- for the follow-up

Sunday 14 August 2016

Mini ESP8266 dev board and a demo WiFi hack

I attended a one week network security training recently and taught end-user security awareness a little later. One outstanding topic in both trainings was weak WPA/WPA2 passwords.
I actually wanted to explore ways to use menus on my little I2C OLED display. So I set out to combine testing for weak WiFi passwords and finding a way to make easy to use menus.

But menus need buttons and there was no space left on my little breadboard between the NodeMCU dev module and the OLED. So I looked for smaller breadboard-ready ESP8266 dev modules and found this inexpensive ESP8266 Dev Mini Module.




Further research showed that this might be pretty much a knockoff of the Wemos D1 Mini, which I hadn't seen before.
This board has far fewer pins than a full NodeMCU dev board. But all the important ones seem to be there. The board came with a set of headers and I decided to make the USB stuff the bottom side, so I can see the LED on the ESP-12F module.
Top view: ESP-12f

Bottom view: USB
The USB drivers auto-installed on my Windows 10 machine.


So my first project with this board was a very simple WiFi security scanner that lists all available access points (excluding the invisible ones) and tries to get in with a list of passwords stored in the SPIFFS file system.

Here is my video about both the module and the Wifi Security tester.


Fritzing schematic of the WiFi scanner
My motivation was to find out how to make a simple menu system. The current implementation has quite a few shortcomings. E.g. the list of WiFi targets can only be a few items long and does not scroll, simply because the number of networks visible from my lab was never longer than that.
I use interrupts (falling edge) on the GPIO pins to trigger functions that increment or decrement the menu selection bar.

Good WPA/WPA2 password lists are shipped with Kali Linux, but these are *WAY* too big to fit on the module's file system. You have to resort to "educated guessing" there.

If you are looking for the code for the Wifi-Security tester, it is up on my GitHub repository. It still needs quite a lot of cleanup and a few functions should be rewritten, so beware!


Wednesday 27 July 2016

Fix 0x00000002 error adding a network printer in Windows 10

Since we deployed Win10 on abt. 400 machines, some printing issues we didn't have under win7 turned up. Similar to the 0x00000057 error described here, I now faced a 0x00000002 error when a user tried to add a printer.
I first followed the procedure for the 57 error, but the driver would not automatically install when the user's GPO controlled printer mapping kicked in.

After manually adding the printer with admin-rights, it was also available for the user.

Steps:

  • Delete the old printer driver as described here. As I worked remotely (SCCM) in the user's own session, I used an elevated shell.
  • Reboot
  • Start an elevated shell
  • Run "control printers" to bring up the "add printer" dialog with admin rights

Bring up the add printers dialog with admin rights
  • Go "unlisted printer" and browse your print server's shared printers.
  • Add the required printer.
  • Once the driver has been installed, exit the admin shell.
  • Under the user's account, add the printer again. (This time there should not be an "installing drivers" message)
  • Print a test page
Although it doesn't explicitly state that in the error message, it seems that the 0x00000002 is a rights/privilege issue.

Thursday 21 July 2016

Fix 0x00000057 error adding a network printer in Windows 10

Today one of our support staff approached me with a problem he could not find a solution to:
Our users have their printers assigned via group policies. This works well and the users don't need admin privileges to install the printer drivers.

Apparently a Kyocera printer disappeared from a user's machine and nothing he had tried brought back the printer. By the error message it was a connection problem, but he could not find any connectivity issues.

I found a hint here, which didn't quite work for me, but set me on the right track.
For our scenario: Win2008R2-64bit print server / Win10 (x64) client, the procedure turned out to be as follows:


  • Run regedit
  • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3
  • Find the entry that most likely corresponds to your missing printer
  • Click that key
  • Find the InfPath entry and note the path. It will be something like: C:\windows\System32\DriverStore\FileRepository\hpcu115u.inf_amd64_4a9d334b04ff58b2\
  • Navigate to that path with explorer
  • Take over ownership of that directory and all subfolders
  • Allow "full access" to the directory for yourself
  • Delete the directory
  • Remove the whole registry key of that printer (like: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\HP Universal Printing PCL 6 (v5.3) )
  • Restart the local spool service
  • Add the print server's shared printer with the "add printer" dialog
That did it for me. The printer drivers were downloaded from the print server, installed and now work without any issues.


Wednesday 6 July 2016

GMail notifier with ESP8266 / NodeMCU


A while back I investigated the use of NodeMCU with GMail. One result was this script to send mails over GMail. The other aspect I initially didn't fully investigate was the atom feed offered by GMail.
Looks like we have unread mail
If you haven't watched the video yet, here it is.

In the code below, I use that feed to retrieve the number of unread elements from the inbox.
Apart from the Lua code, you also need to place the two files with the mailbox icons on NodeMCU's file system:

Mailoff-file: here
Mailon-file: here

That is what it looks like in action:



I recommend "esplorer" to copy the files to the ESP8266 module.

-- ESP8266 NodeMCU
-- GMail Notifier
-- 2016/07 Andy Reischle
-- www.AReResearch.net
-- Graphics handling and conversion
-- adapted from Daniel Eichhorns blog
-- http://blog.squix.org/2015/05/esp8266-nodemcu-how-to-create-xbm.html
--
-- To see this script in action, see:
-- https://youtu.be/IVxJosLZCXs
wifi.setmode(wifi.STATION)
wifi.sta.config("YOUR-SSID","YOUR-WIFIPASS")
wifi.sta.connect()

-- setup I2C and connect display
function init_i2c_display()
   -- SDA and SCL can be assigned freely to available GPIOs
   sda = 5 -- GPIO14
   scl = 6 -- GPIO12
   sla = 0x3c
   i2c.setup(0, sda, scl, i2c.SLOW)
   disp = u8g.ssd1306_128x64_i2c(sla)
end

-- draw one page: caption, mailbox icon and the unread counter
function xbm_picture()
   disp:setFont(u8g.font_6x10)
   disp:drawStr( 0, 62, "Google Mail Notifier")
   disp:drawXBM( 10, 5, 32, 32, xbm_data )
   disp:drawStr (65,30, unread .. " unread")
end

-- load an XBM icon from the file system and redraw the display
function show_bitmap(name)
   file.open(name, "r")
   xbm_data = file.read()
   file.close()
   disp:firstPage()
   repeat
      xbm_picture()
   until disp:nextPage() == false
   tmr.wdclr()
end

function bitmap_mailon()
   show_bitmap("mailon")
end

function bitmap_mailoff()
   show_bitmap("mailoff")
end

init_i2c_display()

function checkmail()
   -- Both values sit in plain text on the module's file system.
   -- Base64 below is only the encoding HTTP Basic auth requires, not encryption.
   user="YOURADDRESS@GOOGLEMAIL.COM"
   pass="YOURGMAILPASSWD"
   b64 = crypto.toBase64(user .. ":" .. pass)
   -- print (b64)
   local LED_PIN1 = 4
   gpio.mode(LED_PIN1, gpio.OUTPUT)
   conn=net.createConnection(net.TCP, 1) -- 1 = secure (TLS) connection
   conn:on("receive", function(sck, c)
      -- print(c)
      start1,stop1=string.find(c,"<fullcount>")
      start2,stop2=string.find(c,"</fullcount>")
      -- only evaluate chunks that contain both the opening and the closing tag
      if start1 and start2 then
         unread=string.sub(c,stop1+1,start2-1)
         print ("Found " .. unread .. " unread Mails.")
         local count = tonumber(unread)
         if count and count > 0 then
            gpio.write(LED_PIN1, gpio.LOW)
            conn:close() -- we got what we came for, so close
            bitmap_mailon()
         else
            gpio.write(LED_PIN1, gpio.HIGH)
            conn:close() -- no Mail, so close
            bitmap_mailoff()
         end
      end
   end )
   conn:on("connection", function(conn)
      print("connected")
      conn:send("GET https://mail.google.com/mail/feed/atom/ HTTP/1.1\r\n" ..
         "Host: mail.google.com\r\n"..
         "Authorization: Basic " .. b64 .. "\r\n" ..
         "User-Agent: Mozilla/4.0 (compatible; esp8266 Lua;)"..
         "\r\n\r\n")
   end )
   conn:on("disconnection", function(conn) print("disconnected") end )
   conn:connect(443,"mail.google.com")
end

-- poll the feed every 30 seconds
tmr.alarm(0,30000,tmr.ALARM_AUTO,checkmail)

Not much stuff is needed for that little project:


Assembly is done in no time at all. Just connect power and I2C leads. (For me, this works without pull-up resistors.)

Not a lot to do.






Wednesday 22 June 2016

A look at the TOP-308 IP camera

The TOP-308 is a wired-ethernet IP network 720p camera. I found it for under 15 Euros (now: 20) at Banggood and thought it might replace my somewhat aged Linksys WGS54.

Power on

The camera does not come with a power adapter. The connector is a center-positive barrel connector and requires a 12V 1A power supply. (ToDo: measure actual current)
I found an orphaned power supply in a junk box.

First contact

If your local network segment is 192.168.1.0/24, you're nearly there: The camera's address comes pre-set to 192.168.1.10. Changing it requires some effort. (More about that further down.)
The easiest way to get a video stream is to  use VLC, click "Open network stream" and enter:

rtsp://admin:@192.168.1.10/user=admin_password=_channel=1_stream=0.sdp

as the network address. This should immediately show a live stream.
First stream

Browsing is not a breeze

In Chrome & Safari, the web interface of the camera is a total pain. I struggled with it for quite a while. The web page always came up in Chinese, although the source code shows that there was an "English.js" that could be retrieved from the camera.
So I used the requestly-plugin for chrome to replace the requested file:
The resulting web page turned out to be entirely useless.
No way I could set up any of the camera's parameters in here.

Internet Explorer to the rescue

So I resorted to using the Internet Explorer 11. That brought up a different page that allowed not only to change the language, but also offered to download an active-X control from the manufacturer's web server.
That made things a lot easier to set things up. Date, DHCP.... anything you'd expect.
Many users will probably be happy with that. I'm not.

A closer look

I don't particularly like the Internet Explorer (iexplore) and it is only a matter of time until old 3rd party plugins are no longer supported.
That setup panel needs to communicate with the camera in some way and I need to find out about that. So I ran nmap against the camera:
Scanning 192.168.1.10 [65535 ports]
Discovered open port 554/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 9527/tcp on 192.168.1.10
Discovered open port 9530/tcp on 192.168.1.10
Discovered open port 34567/tcp on 192.168.1.10
Discovered open port 8899/tcp on 192.168.1.10
Completed Connect Scan at 23:12, 35.47s elapsed (65535 total ports)

So there are a number of open ports to be examined:
Port 80 goes without saying: The web interface.
Port 554 is the RTSP port we already used to stream to VLC in the example above.

That leaves 9527, 9530, 34567 and 8899 for further investigations.

A quick look at a wireshark trace suggests that TCP-port 34567 is the most promising candidate for reading / writing camera parameters. That connection also reveals an otherwise hidden user/password combination:
"PassWord" : "tlJwpbo6", "UserName" : "admin"

On port 9527 there is something that looks like a telnet interface. Logon is "admin" and no password:

Save SysTime to Flash:2016-06-23 10:28:04, Time:2378 Min, Trail:2378 Min
Save SysTime to Flash:2016-06-23 10:30:04, Time:2380 Min, Trail:2380 Min

username:admin
password:
admin$ help
----------------------Console Commands----------------------------
                 232 Comm dump
              485Pro 485 Protocol!
             ability Net Ability Utility!
                  ad AD debug interface!
               alarm Alarm status!
             bitrate Dump BitRate infomation!
                 cfg Config Help Utility!
        cloudupgrade CloudUpgrade console utility!
                comm Comm Input String
              encode Encode commands!
               front front board utility!

                  fs Fs debug interface!
                heap Dump heap status!
                help Try help!
                 log Log utility!
               magic magic tools!
              netitf NetInterFace Dump!
                netm NetManager Dump!
               onvif Onvif debug msg!
              packet Packet usage!
                 ptz ptz dump!
                quit Quit!
              reboot Reboot the system!
              record Record console utility!
                 rtp RTP Dump!
               shell Linux shell prompt!
            shutdown Shutdown the system!
                snap Snap Console Utility!
              thread Dump application threads!
                time Set SystemTime!
               timer Dump application timers!
             upgrade Upgrade utility!
                user Account Information!
                 ver version info!
             xmcloud XmCloud Dump!
To see details, please use 'cmd -h'

admin$ ver
Save SysTime to Flash:2016-06-23 10:32:04, Time:2382 Min, Trail:2382 Min
ver ---- V4.02.R12.00006210, [000 06 210]
Version: V4.02.R12.00006210.10010.140700.00000, BuildTime: 2016-02-24 13:22:12
admin$

That looks like a fairly recent build.

Through the shell command, I seem to be able to access a busybox binary, but could not get it to behave like on a standard linux system.

ls -l
ls: invalid option --

BusyBox v1.16.1 (2015-12-18 09:48:05 CST) multi-call binary.

Usage: ls [-1AacCdeFilnpLRrSsTtuvwxXk] [FILE]...

ls (-l)sh: syntax error: unexpected word (expecting ")")
admin$

Something seems to cripple the input. But there are lots of other options to look at:

admin$ netm
----------------------------------------------
netm -c          show Connect Information!
netm -s          show Transport Information!
netm -a          triger Adapter Debug Output!
netm -t <valve>  Adapter statistic output!
netm -p          print debug info or not!
admin$ netm -c
TODO:===>
NatRegisterEnable[1],NatRunStatus[2],NatServerIp=[52.29.139.70],DeviceMac=[68f06f04f5e9d090]!
admin$

And why does this thing have a reference to an Amazon AWS server? Sooo many questions...
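The findings so far can be turned into a segmentation checklist for the camera. The following is an added example, not code from the original post: it parses the nmap and `netm -c` output quoted above, keeps only the RTSP port reachable (an assumed policy, since the post only needs the VLC stream day to day) and flags the outbound registration server. Treating `NatRegisterEnable[1]` as "enabled" is an assumption.

```python
import ipaddress
import re

# Output copied from the post.
NMAP_OUTPUT = """\
Scanning 192.168.1.10 [65535 ports]
Discovered open port 554/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 9527/tcp on 192.168.1.10
Discovered open port 9530/tcp on 192.168.1.10
Discovered open port 34567/tcp on 192.168.1.10
Discovered open port 8899/tcp on 192.168.1.10
"""
NETM_OUTPUT = ("NatRegisterEnable[1],NatRunStatus[2],"
               "NatServerIp=[52.29.139.70],DeviceMac=[68f06f04f5e9d090]!")

# What the post established about each port; anything else is unexamined.
OBSERVED = {
    80: "web interface",
    554: "RTSP stream (the VLC URL)",
    9527: "text console, admin login with empty password",
    34567: "parameter channel, credentials visible in the trace",
}

PORT_RE = re.compile(r"^Discovered open port (\d+)/tcp on (\S+)$", re.MULTILINE)
FIELD_RE = re.compile(r"(\w+)=?\[([^\]]*)\]")


def parse_open_ports(nmap_text):
    """Map each scanned host to its sorted list of open TCP ports."""
    hosts = {}
    for port, host in PORT_RE.findall(nmap_text):
        hosts.setdefault(host, set()).add(int(port))
    return {host: sorted(ports) for host, ports in hosts.items()}


def parse_netm(line):
    """Split the 'Key[val]' and 'Key=[val]' pairs of 'netm -c' into a dict."""
    return dict(FIELD_RE.findall(line))


def inbound_plan(ports, needed=(554,)):
    """Per port: keep only what the viewer needs, block everything else."""
    plan = []
    for port in ports:
        role = OBSERVED.get(port, "not examined in the post")
        action = "allow from viewer hosts only" if port in needed else "block"
        plan.append((port, action, role))
    return plan


def outbound_finding(netm):
    """Report the registration server if the NAT/cloud feature looks enabled."""
    # Assumption: NatRegisterEnable[1] means "enabled"; the post does not say.
    if netm.get("NatRegisterEnable") != "1" or "NatServerIp" not in netm:
        return None
    addr = ipaddress.ip_address(netm["NatServerIp"])
    return {"peer": str(addr), "leaves_lan": addr.is_global,
            "action": "block at the router" if addr.is_global else "review"}


if __name__ == "__main__":
    for host, ports in parse_open_ports(NMAP_OUTPUT).items():
        print(f"Inbound to {host}:")
        for port, action, role in inbound_plan(ports):
            print(f"  {port:>5}/tcp  {action:<28}  {role}")
    finding = outbound_finding(parse_netm(NETM_OUTPUT))
    if finding:
        print(f"Outbound: camera registers with {finding['peer']} "
              f"(public address: {finding['leaves_lan']}) -> {finding['action']}")
```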




To be continued...

PS: Yes, I am aware of the "CMS" software for the TOP cameras. I try to get away without proprietary software.


Tuesday 21 June 2016

Convoy S2+ mod for Keeppower 18350 cell

From an earlier electronics project, I had a nice Keeppower 18350 protected cell left over. These are great little cells, although the capacity is not outstanding at 900mAh. It would have been a shame not to put that cell to a good use, so I looked for a suitable single cell lamp.
I found a good quality Convoy S2+ that looked nice and should be compatible with 18350 cells. It also was within my budget.
I intentionally chose the warm white XML2 T6-4C LED because when hiking and camping, I find the cold/neutral white a bit too "harsh" and unpleasant for reading.
I already have an "eagle eyes" branded light for 18650 cells that I quite like. Some of my cells would not fit into that light.
Bits'n pieces
So I ran into the same problem. My cell doesn't fit:
The strip for the protection circuit adds a few 10ths
The bulge is not that wide, so a groove in the anodized aluminium tube should do the trick.
The bulge is just 4mm wide
So it's off to the workshop...
Not too much pressure and a pair of protective pads!
... to file it down a bit. To get smooth ends, I needed a bit of fine grained sand paper.

And sure enough:
The battery now fits nicely
This works, of course:
Ain't she a beauty?
I was pleasantly surprised by the moderate power requirements of the Convoy (XML2 T6-4C):
(And: No, the battery is not the limiting factor here.)

Low: 57 mA
Mid: 430mA
High: 1049mA

As opposed to my similar looking (different driver, though) Eagle Eye X2 (with a XM-L T6 U2-1A) emitter. (That I use with a 3100mAh 18650 cell.)

Low: 254mA
Mid: 1224mA
High: 1980mA (no wonder this thing gets hot!)

Bottom line: The combination of this LED and driver seems great for the small cell. I especially like the low light mode, which should last for about 15 hours with the 900mAh cell. The XML2's improved efficiency over the older XML is very well used in this scenario.

PS: The Convoy  S2+ also works great with a CR123 cell.
PPS: To change between 3 and 5 modes (incl. strobe / SOS), switch the light off briefly after it has flickered in low-power mode.