Blog

I was struggling for quite some time to upgrade firmware in my screen. Even after following the guide, I was always getting “No valid update files found. Please check your USB device and try again.” message.

My flash stick was 4GB already formatted as FAT32. Searching the forums, lot of people seem to have similar problem, I was getting hopeless. When reviewing the partition setup of my flash drive, I noticed it has GPT. I decided to re-partition it with the older MBR and that worked!

The screen seems to be able to read firmware only from drives with MBR and FAT/FAT32/NTFS.

I used the Mac OS X Drive Utility. Make sure to select the Device, not the Volume. Otherwise you can’t change the scheme.

This applies at least to C32HG70QQ and C27HG70QQ. In my case the full PN is LC32HG70QQUXEN, and I successfully upgraded to m-HG732CCAA-1024.0[2DA7].bin

Most recent firmware can be download from the Korean support site:

For 32″ ver.1024, 2021-08-24 https://www.samsung.com/sec/support/model/LC32HG70QQKXKR/

Install Bazel

brew cask install caskroom/versions/java8

brew install bazel

bazel version

Pull example

git clone https://github.com/bazelbuild/examples.git

Example Build

cd examples/cpp-tutorial/stage1

bazel build //main:hello-world

bazel run //main:hello-world 

ls -la ./bazel-bin/main

Are you considering buying GoGogate 2 to control your garage or gate using your iPhone or alike? I was going to use my existing gate position sensor, however I had no idea how the inputs of GoGogate 2 are wired. No luck on the internet however I gave it a shot.... And no problems whatsoever :). I can totally recommend it.

For whoever might be interested here are photos of GoGogate 2 boards after disassembling and reverse engineered schematics of the input circuitry is below.

Ohh!! hello there, seems like GoGogate 2 is based on Raspberry Pi Model A+ V1.1, some custom shield board designed by REMSOL (Company behind GoGogate), some wireless module (guessing 433 MHz) and USB WiFi dongle.

Funny, that is how I would have done it these days. The best part? Delivered in days! It would be more fun building something on my own, but this is just what I need anyway.

Nexus 5000

sh hardware internal gatos all-ports

Nexus 5500

show hardware internal carmel all-ports

Nexus 5600

show hardware internal bigsur all-ports

Nexus 9000

This is just list of my personal favourites, I will most likely update this list in future.

Blogs

http://packetpushers.net - Ethan Banks, Greg Ferro and others (weekly shows and community content, iTunes)

http://etherealmind.com - Greg Ferro

http://packetlife.net - Jeremy Stretch

http://comeroutewithme.com - Carl Niger

http://www.fryguy.net - Jeffrey J. Fry (Published workbooks, NX-OS, IOS-XR, JUNOS)

http://lostintransit.se - Daniel Dib

http://certification.codergenie.com/

http://networkgeekstuff.com

http://www.ipspace.net - Ivan Pepelnjak

http://thenetworksherpa.com - John Harrington

Conferences

NANOG

https://www.nanog.org

https://www.youtube.com/user/TeamNANOG

UKNOF

http://www.uknof.org.uk

https://www.youtube.com/user/UKNOFconf

Interesting People

iproute2mac (CLI wrapper for basic network utilities on Mac OS X providing linux-like ip command) was accepted to Homebrew master branch.

Installation is straightforward now:

Just list of Cisco VIRL limtations / bugs I wish I'd have known as of Aug 2015:

You can not modify topology (add node/connection) once simulation has been started.

NX-OS does not support VPC http://community.dev-innovate.com/t/nxosv-more-info-updated-4-20-2015/632

When doing IPsec Site-to-site VPN between Mikrotik RouterOS and StrongSwan (e.g. VyOS, Vyatta, linux distro) there is problem that StrongSwan some time ago changed default value of leftsendcert=always to leftsendcert=ifasked, which results in failed IKE negotiation.

Log:

pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: we have a cert but are not sending it without request pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: sent MR3, ISAKMP SA established pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: retransmitting in response to duplicate packet; already STATE_MAIN_R3 pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3

I found two practical solutions:

Modify RouterOS Configuration - Specify Remote Certificate in Peer configuration (Remote certificate needs to be imported)

Modify StongSwan Configuration - Add leftsendcert=always to /etc/ipsec.conf in related peer section

When trying to change password of Active Directory user using Net/LDAP in Ruby you will probably get into several problems.

You have to be using TLS secured connection

Bind user have to have appropriate role / privilege

New password have to fulfill Password Policy requirements according to your configuration.

Password have to be encoded regarding  http://msdn.microsoft.com/en-us/library/cc223248.aspx  (Quotes + UTF-16LE).

To make this work with Net/LDAP here is my working code snippet:

def self.str2unicodePwd(str) ('"' + str + '"').encode("utf-16le").force_encoding("utf-8") end Net::LDAP.open(..., :port => 636, :encryption => :simple_tls) do |ldap| result = ldap.search :filter => (Net::LDAP::Filter.eq("cn", "my_user")) ... ad_user = result.first ops = [[:replace, :unicodePwd, str2unicodePwd("new_password")]] ldap.modify :dn => ad_user.dn, :operations => ops end

And here is function I was using while debugging string manipulation:

def str2hex (str) str.each_byte.map { |b| "0x"+b.to_s(16).rjust(2,'0') }.join(" ") end

These days IPv6 is getting world-wide ISP adoption as well as implementation on content servers and server software but client side in enterprise networks is still problematic especially due to difficult IPv6 address assignment -> security issues.

In this post i will sum up current IPv4 security  and possible IPv6 security implementations in Silicon Hill network. This network has 4000+ devices connected to tens of VLANs - all directly routed in C6500 box. It is very straightforward network topology and most security policies are applied in access layer.

In Silicon Hill network ...

You want to be able to identify users based on their IP address (abuse resolution)

You want to prevent IP address spoofing

You want seamless user experience (Default client configuration should work)

So there is proprietary management software which manages database of users, devices, their MAC and IP addresses and configures switches accordingly.

Current IPv4 security for wired devices

L2 security - Each user has allowed MAC addresses on his switchport (port security)

L3 security - Each user has allowed IP addresses configured in inbound ACL applied to his switchport

DHCP assigned addresses based on MAC address

Current IPv4 security for wireless devices

WPA2 Enterprise, RADIUS

L2 - Each user has allowed MAC addresses, which are checked during RADIUS ACCESS-REQUEST (Calling-Station-Id)

L3 - Only DHCP assigned addresses are allowed

It would be easy to implement IPv6 if same security approaches could be used, however this is not the case.

IPv6 address assignment

Client behavior in respect to global IP address selection is controlled using configurable Router Advertisements (RA) - SLAAC or DHCPv6.

SLAAC - Client uses network prefix (/64) provided in RA and chooses 64 LSBs of address in two ways.

EUI-64 - Device generates his host part of address from his MAC address using standardized algorithm.

Temporary address - Device generate his host part of address in random way (RFC 4941).

Temporary addresses are game changer, they prevents user tracking, however they made implementation of IPv6 security very problematic -  once network administrator decides to use SLAAC, he looses control over which addresses are being used by users.

If there would be single bit in ICMPv6 RA to control wherever device is allowed to generate Temporary address  there would be no problem!

Thus if inbound ACL is applied to users switchport, which allows him to use only specified address (eg. EUI-64), once client device generates Temporary address it ends up with misconfigured dual-stack and would most probably end up in broken user experience.

Device would think it has valid IPv6 configuration, however ACL would drop its packets - this would result in timeouts of various protocols.

Solution?

DHCPv6 - Equivalent to DHCPv4, however several differences are there, most notably:

You cannot use MAC address to identify devices. Instead DUID is in DHCPv6 packet.

You cannot set default route.

For DHCPv6 packet delivery Link-Local and multicast addresses are used.

Which addresses are used to deliver DHCPv6 packets is not real problem and can be solved easily (Adding these addresses to switchports ACL).

Even using RA for default route preference makes sense.

DUID instead of MAC address for identification is again enhancing user privacy, however it is making implantation of IPv6 security problematic. Most because its generation is leaved to operating system and thus can result in problems as changing DUID after reinstallation of OS, or same DUID for cloned VMs. 

This would leave us to constantly updating our database of users devices with their DUIDs.

Solution?

We could use DHCPv6 server which would listen on L2 to DHCPv6 packets and read  MAC addresses directly from L2 frame header. 

Current implementation of ISC-DHCP is not supporting any of this. What is interesting is RFC 6939 which adds Client Link-Layer address (MAC) as DHCPv6 option. This if implemented in DHCPv6 Relay on our C6500 would enable using ISC-DHCP for v6 the same way as for v4.

In the mean time we can use another DHCPv6 server - dhcpy6d (Developed at IFW Dresden). With simple modifications dhcpy6d can read MAC addresses from L2 frame header and provide address allocation according to static records in PostgreSQL database.

Conclusion