Eric Park's Blog

Internet censorship in Korea, and the eventual end

Sun, 11 Jan 2026 00:00:00 GMT

This blog post is written in response to the pearl-clutching prudes and puritans that dictate how I as an adult get to browse the goddamn Internet.

Even though our country is not an authoritarian state and doesn’t have the Great Firewall of China, it’s still widely known for censoring the Internet, something that rudely startle foreigners when they want to go on NSFW sites in their hotel rooms.

Now, if we get into the entire should they, shouldn’t they thing then this blog post will be so long you won’t read it. (I mean you probably already clicked away but still, please pretend you’re reading. Yay, thanks for continuing.) But my take is that censorship leads to overreach, which has already been proven by the way I run into roadblocks accessing sites that I as an adult have the legal right to. So no, I don’t agree that this is the right approach and think they should fix that, but in the meantime let me go over how they actually censor the Internet.

How they (used to) censor the Internet in Korea

Traditionally, the major ISPs in Korea used to poison DNS entries like all the other nanny states and countries that decided they could decide what’s best for you. That means you ask for Google.com and if Google was one of the banned no-no websites (according to some review somewhere), essentially, the ISP’s DNS servers would respond with an IP that is not Google’s and redirect you.

Of course, that was largely patched out thanks to encrypted DNS’s proliferation and the fact that HTTPS stops your browser from loading the scary-looking “Warning” page from the Korean government, especially if HSTS is enabled.

For context, this is what you would see if you got hit by one of those censorship measures:

Ugly as sin, all in Korean (except for the threatening “Warning” text), and some bullshit about how they’re “legally” blocking the site as it has passed through review of some board (read: puritans) that has determined it is either illegal or “harmful” (유해 내용). Except “harmful” in this case extends to totally legal mature content that little Timmy on his iPad shouldn’t be viewing, but since parents don’t know diddly-squat about how parental controls work let us the government do it for you!

As mentioned before, people realized sending DNS requests back and forth on an unencrypted port was a really bad idea, and we quickly patched that with things like DNS-over-TLS and DNS-over-HTTPS. Now, Korean ISPs no longer poison DNS, though it’s still a good idea not to use their DNS servers in case they’re doing anything funny.

So what changed?

How they (currently) censor the Internet in Korea

In present day, ISPs look at the actual HTTPS request.

When you make a request to a server, there is some communication back and forth to establish a TLS connection. One of the extensions to TLS is SNI, or Server Name Indication. Basically, as web servers become more and more reverse proxies and host various domains on one server, it became important to signal which particular domain you as a client were interested in. So the domain name would be specified in the SNI field and the server would send over the TLS certificate corresponding to the domain and everything would continue.

But the SNI field is not encrypted, and thus Korean (and other countries’) ISPs could sniff out which website you were trying to visit, and cut the connection. They can’t really redirect you to the Pennywise website above, but they can interrupt your connection by sending a reset packet.

So how can I get past it?

The easy, boring solution: use a VPN, or a proxy, etc.

But it seems like a waste and a hassle, when all you need to hide is just that single SNI field! Surely there’s a solution to that?

Well, there is. Initially proposed as Encrypted Server Name Indication (ESNI), the latest proposed standard is Encrypted Client Hello (ECH), which now encrypts the unencrypted portions that help set up the TLS connection.

With ECH, ISPs can no longer spy on what is being sent over the wire and to which site you are connecting to.

Great, can I use ECH now?

Kind of.

ECH is supported in most major browsers, but servers must also support it. Support is slowly rolling out, but until it becomes mainstream you may still run into some sites that are being blocked by your friendly Big Brother.

And for clients like curl, the SSL library used must support ECH. As of right now, the default curl binary as it ships on Arch Linux does not support ECH, for example.

I ran into this problem with my Rust program, where the connection would succeed for a given site on my browser, but fail catastrophically on my Rust client. The dependency that I use, reqwest, recently switched to rustls, which does have ECH support on the client-side. There’s no documentation on how I can use it on reqwest, nor any indication of whether it is enabled by default (so I presume no).

But once ECH becomes mainstream, the only way to censor my Internet access would be to make like China and block all requests that go over ESNI/ECH. And that certainly wouldn’t work at all without breaking a large chunk of the Internet.

I’ll certainly look forward to the day they shut down that ugly stupid warning website.

SSH key updating with systemd

Mon, 22 Dec 2025 00:00:00 GMT

This is a follow-up to a blog post I did a long while ago on how to set up persistent access with SSH keys. Nowadays, it’s hard to find a Linux system that doesn’t have systemd, and crontab is sometimes not even installed.

So, in case you are on one of those machines, here’s how you can use that script with a service and systemd.timer unit file, that does the exact same thing as crontab.

Create the `systemd` unit files

Since updating our SSH keys can be done with user privileges, we will make a user unit file.

mkdir -p ~/.config/systemd/user
touch ~/.config/systemd/user/ssh-key-update.service

Now, paste in the following with your editor of choice:

[Unit]
Description=Update SSH keys from GitHub

[Service]
ExecStart=/path/to/update-ssh.sh

Next, we need to make a timer that will run our ssh-key-update systemd service.

touch ~/.config/systemd/user/ssh-key-update.timer

Paste in the following:

[Unit]
Description=Update SSH keys from GitHub

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=ssh-key-update.service

[Install]
WantedBy=timers.target

Enable and start the timer

Run:

systemctl --user enable --now ssh-key-update.timer

You will see that your SSH keys will periodically be fetched and saved like before. However, when you log out, updates will stop.

Enable lingering

Run:

loginctl enable-linger

This will enable lingering, which will allow systemd.timers to continue running even if you are not signed in.

Boingo Hotspot Captive Portal shenanigans

Sun, 21 Dec 2025 00:00:00 GMT

Here are two issues I encountered with the “Boingo Hotspot” Wi-Fi network offered at some US airports. I’m writing it down here because this was an issue last year, and I’m sure will continue to be a problem in 2026 when I come back unless they actually fix their broken captive portal implementation.

Issue #1 — DNS-over-TLS/HTTPS doesn’t work

I’m using DNS-over-TLS with systemd-resolved, and when I connected to the free network in O’Hare, I noticed that DNS resolution requests were timing out with dig. The issue? Boingo Hotspot blocks DNS-over-TLS/HTTPS and only allows querying through the standard DNS port of 53.

So, if your /etc/systemd/resolved.conf (or /etc/systemd/resolved.conf.d/dns-over-tls.conf) looks something like this:

# ...
[Resolve]
# ...
DNS=1.1.1.1#one.one.one.one
DNSOverTLS=yes
Domains=~.
# ...

Then you’ll get the following message when you try to dig for domains:

$ dig google.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

The fix? Disable DNS-over-TLS. You can modify the configuration file, but that disables DNS-over-TLS for all connections. Instead, blacklist the specific Boingo Hotspot SSID through (assuming you are using):

$ nmcli connection show
$ nmcli connection modify _Free_ORD_Wi-Fi connection.dns-over-tls 0

0 means disable, 1 means opportunistically enable, and 2 means enable.

Now, you can verify that DNS-over-TLS was disabled by running systemd-resolve --status, which should result in something like the following output:

$ systemd-resolve --status
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/unsupported
...
Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 100.109.0.31
       DNS Servers: 100.109.0.32 100.109.0.31
     Default Route: yes
...

Notice the - in front of DNSOverTLS.

With that, I fixed DNS resolutions, but I still couldn’t get any Internet access. And that’s because

Issue #2 — DNS hijacking doesn’t work with HTTPS

This is more of a general tip, as I’m not aware of any captive portal implementation that can DNS hijack something like google.com. To work around this problem, most OSes and browser companies use a dedicated HTTP URL for checking connectivity, but this can sometimes fail. And with HSTS becoming more and more prevalent, it’s hard to find a website that will let you downgrade to HTTP.

The solution is to visit neverssl.com, which will hopefully redirect you to the captive portal.

I still don’t understand why businesses insist on using captive portals. Sure, you get the ad revenue, but this is such a terrible user experience.

When your controller doesn't work, blame your keyboard

Thu, 11 Dec 2025 00:00:00 GMT

I think it should be illegal for game companies and indie studios to drop so many nice games (and DLCs to games that I loved) during finals season, but my Linux machine tried to save my grades one last time by not letting me play with my controller.

More specifically, my Xbox One controller would pair fine with my Linux laptop, and Steam would detect it and launch Big Picture Mode when I hit the Xbox button. However, once I was actually in game, the controller wouldn’t work.

I tried enabling Steam Input, to see if having it go through Steam’s controller translation layer would maybe make the game detect it, but it wasn’t working. I wondered how controllers were represented in the Linux kernel and poked around in /dev/input, and sure enough, looking through that directory yielded me js0. Short for joystick-0, apparently.

So if I cat /dev/input/js0, I should see a bunch of gibberish printed to the console whenever I interacted with my controller, right? But I got absolutely nothing.

And then I noticed js1.

/dev/input, like other device folders, has a neat little by-id folder inside that maps devices via their identifier and not the order in which they connected to the system. And sure enough:

$ ls /dev/input/by-id/*joystick
/dev/input/by-id/usb-Keychron_Keychron_K2_Pro-if02-event-joystick

I unplugged my external keyboard from my laptop and restarted the game. And sure enough, my game started to pick up my controller input again.

Now to keep my self-preservation instincts until next Friday.

Why I'm moving away from NixOS

Sat, 20 Sep 2025 00:00:00 GMT

For nearly one year, I’ve been trying out NixOS, meticulously writing out the configuration for my machines in my repository. Every new program install, every configuration change, for all of my devices running NixOS was carefully packaged up into a commit and put into the repository.

Now, after nearly a year of experimentation, here are the pros and cons that I’ve learned, and why I’m ultimately switching away from NixOS.

Disclaimer

Usual disclaimer because people love to engage in tribalism.

This blog post details why I switched away from NixOS. Some of these pros and cons may not apply to you. Some of them you may find an easy workaround for. Some of them you may find baseless.

Please write about them in the comments in the hopes that it may help others (and if it addresses some of the points in this blog post I may edit it to reference your comment), but please refrain from pushing your viewpoint as the ultimate solution, because it probably isn’t for absolutely everyone. Thanks.

Pros

I just want to get the pros out of the way, because there were certain niceties that I came to enjoy using NixOS!

Fast recovery time from scratch

If my laptop breaks, my SSD dies, or I make a horrible mistake and ruin my workspace, the traditional way of a re-install would dictate I make an install media, wipe my drive, re-install the OS, install any drivers (yes, even for macOS, they don’t ship with literally everything), install all my programs, then set them up one by one.

With NixOS, this is also mostly true, except for the parts after the OS install. Instead, it is cloning my repository, making a symlink, and running sudo nixos-rebuild switch. And I get mostly¹ my computer back, with all the programs I installed!

Sure, if the specific programs do not support being configured by NixOS, then I have to set them up, but overall, this drastically reduces the time I have to spend remembering and re-installing all of my programs that I used to have.

Fast recovery time from bad configurations

If I make a mistake configuring something, or if I install a program that I do not want, recovery is literally a git revert and a sudo nixos-rebuild switch away.

I can even tell what broke my computer with a git bisect. Imagine bisecting all the decisions you made configuring your computer to figure out where it all went wrong. Well, with NixOS, you can!

And because each configuration change can be documented with a Git commit message, you don’t have to scratch your head in six months and wonder why the hell you set things up in a certain way.

Cons

Only two pros and straight into cons? (Yeah, I mean, look at the title of this blog post…)

The friction of installing things

On other operating systems, installing an app is double-clicking an .exe and going through prompts, or dragging an app to a folder from a .dmg, or typing sudo pacman -S blender. On NixOS though, every program install requires you to open up your configuration repository, locate the Nix configuration file corresponding to the host that you want to configure, and add up a new line for the program you want to install.

Actually. The full process is going to search.nixos.org, finding the package name of the package you want to install, opening up your configuration repository, locating the Nix configuration file corresponding to the host that you want to configure, and adding up a new line for the program you want to install.

(I know some NixOS experts will say there are commands like nix-locate, but with my usage of them the past couple of months they aren’t perfect. For example, finding the dig tool inside the dnsutils package was not something I managed to achieve with nix-locate but the actual website surfaced it.)

And those are for programs that are tracked by nixpkgs. So what if it isn’t?

NixOS requires you to know or learn Nix

“I’m using NixOS and I didn’t have to learn Nix.”

Maybe, but when you run into this issue, you’ll probably wish you had to.

As long as you stick to the packages available in nixpkgs, you should be mostly okay with your daily usage of NixOS. But run into a package that isn’t available, and you’re suddenly in for a world of hurt.

In my case, nimf, the Korean input method editor that I love on Linux, and python-validity, the software package that powers the fingerprint reader on my ThinkPad T480, were all unavailable on nixpkgs. They used to be open as packaging requests on nixpkgs (the latter of which I submitted myself):

but were all closed when NixOS maintainers decided to stop taking any packaging requests². Now, if you want them, you should contribute them yourself.

If you wish to see this package in Nixpkgs, we encourage you to contribute it yourself, via a Pull Request.

So. If you don’t know Nix, you can’t do those things, because everything in NixOS runs atop Nix, so you better learn it or spend time learning it instead of using the tools that you want to use.

“Isn’t this true for all distributions?” You say. Sure. With Arch, you probably have to write your own PKGBUILD manifest to package your own program. But that doesn’t require you to learn a whole new language. (The example I brought up, PKGBUILD, only means you need to know bash, and the details are nicely documented in the Arch wiki.)

And suppose you don’t want to learn how to use Arch’s PKGBUILD. Fine. Then Arch has another escape hatch up its sleeve. You can use PKGBUILDs provided by the community through the AUR, or Arch User Repository.

“Okay, but the AUR can have malicious PKGBUILDs.” Fine. (We’ll overlook the fact that you fully trust nixpkgs and all of its contributors.) There’s yet another escape hatch offered by other distributions. You can just compile and install the package yourself, no packaging tool config needed. You can’t do that on NixOS, because the system directories are immutable and you can’t modify them. Any forced changes will be gone by the next generation build.

I’m not saying that NixOS shouldn’t have been built on top of Nix. That wouldn’t make sense. They literally have it in the distribution name. But through this approach, it makes it tricky for newcomers to quickly adapt and install things that they need if they do not know the core language powering the OS.

“Well, duh, of course you need to learn Nix to work NixOS. It’s like going to Japan and expecting people to speak English.” Sure, but there are workarounds to living in Japan without learning Japanese. There are workarounds on other distributions if you don’t really know their PKGBUILD system and just want a tool to work. But with NixOS and Nix, immutability comes into play, restricting a lot of the escape hatches that would’ve alleviated some of those problems. Some might see it was a bonus, a feature, but I think you’ll agree that it is at least painful if you do not know these things.

The friction of upgrading things

Say you receive a file that requires version 3.6.12, but the installed version on your computer is 3.6.6. How do you proceed?

On other OSes, you just grab the installer for 3.6.12, install, and be on your way. Or it’s a sudo pacman -S blender or sudo apt upgrade blender, or whatever. The point is, you can upgrade just a single package on other operating systems.

On NixOS, from what I can tell, this is not possible. All the package metadata goes into the nixpkgs repository, and each version bump is tracked as a Git commit. While this is probably great for the NixOS folks maintaining everything, this means that all the package versions are stuck at whatever commit revision is locked inside your Nix “flake” lockfile, until you change that commit revision to a newer one that includes version 3.6.12.

The trouble is, any commit between your initial commit revision and the new 3.6.12 commit revision also gets included, which includes other package upgrades. Thus, what was a simple single package upgrade now turns into a 20+ min (or even a few hours if you didn’t upgrade for a while!) hassle.

Also, after you’ve finished the upgrading process, there’s no easy way to know exactly which versions have changed between the last flake lock and the current one. I only realize that KDE must’ve gotten a new major version bump when I reboot my laptop and the wallpaper changes, or when I open up a program and get a “What’s New” popup. NixOS doesn’t really show you a list of packages that will be upgraded.

The speed of compiling things

So why does upgrading take so long?

Usually, when I take a peek at my console while it is upgrading my system, I see a lot of packages being compiled into binary form that can then be installed on my system.

But NixOS has a binary cache, available at cache.nixos.org! Your builds shouldn’t be taking that long! What gives?

Well, as the name of the subdomain implies, packages first have to be built on NixOS’s servers before they are “cached” for distribution. If the requested package has never been requested before, or if there has been a new update to an existing package, a build job has to run before the cached binaries are available for download.

And if there are tweaks to the build process in your configuration, that requires another binary, which is probably not cached by NixOS’s servers. Which means NixOS immediately defaults to compiling the package from source on your system.

You can set up build cache servers yourself, and this means that you don’t have to turn your weak laptop into a furnace every time you run a switch³, but it’s yet another thing that you have to configure and keep track of.

Configuring “everything” through NixOS

The beauty of documenting configuration in your NixOS configs is great, up to a point. And that point is when you want to configure something that hasn’t been translated to a Nix configuration line yet.

Think of some hidden checkbox in that productivity suite that you use that isn’t recorded as a config file change anywhere. Think of some cloud-only app that saves host configuration using your hostname. Okay, perhaps those are contrived examples, but the fact is that not absolutely “everything” can be configured through NixOS.

And sometimes, that’s okay. Like for example, the desktop environment I use — KDE — has a bunch of options that I like to tweak for each system. But if I had to make a change in my configuration file each time I tweaked an option or messed with a checkbox, just to make sure the setting would persist if I ever reinstalled my system, I think I would go mad.

Of course, there are tools like rc2nix in the KDE instance that offers to convert your current configuration into a Nix config. But in my usage, this hasn’t been perfect, since the KDE suite of apps is inconsistent and store configuration files in all sorts of places. (I mean, just look at Dolphin with its .dolphinrc. rc2nix can’t capture that. Then you have to figure out where it is and what config lines are pertinent to your specific host and then make a Nix config for that in your config repository and make sure the symlink works and then make sure new lines appended by Dolphin as you use it don’t get wiped out during a rebuild and re-symlink and so on and so forth, and you can see why it quickly becomes a massive headache.)

Like I mentioned with Dolphin, not all programs are friendly to being configured externally. Programs are meant to run anywhere, on most major operating systems, and on most major distributions if packaged for Linux. It’s very highly probable that the programs and tools you use do not know the existence of NixOS and are not written to be accommodating towards it.

And if a configuration change requires you to copy over or symlink a configuration file, any change you make within the program gets wiped out when NixOS rebuilds a generation and redos the configuration step, which is not a good user experience. You’re meant to configure “everything” (possible) through NixOS, but as we’ve established, you can’t configure “everything” through NixOS, so you end up with a bad time when the two configuration sources clash and overwrite each other.

Conclusion

So does that mean NixOS is bad and you shouldn’t use it? No. I still enjoyed my time using and learning NixOS. But I have a certain way of using my systems, and over time I’ve realized that my way of computing does not really match the declarative, immutable approach that NixOS takes.

Perhaps I’ll give NixOS another try once I have the time available to thoroughly learn Nix, and once the documentation for NixOS has matured to a point where it is easy to address some of the pain points I experienced above. But for now, I really just want to use my computer to do the things I want to do, and NixOS has become more of a hindrance with its cons than the benefits it provides through its features.

I say mostly here because of the con I’ll get to in a second. ↩
Which is totally valid, it is their right to do so! It does make it harder for users, so my point still stands. ↩
This is a really handy alias, and I’m not sure why it’s not the default. But you can configure it yourself if you want. ↩

Bits and pieces from my Bluu internship

Fri, 29 Aug 2025 00:00:00 GMT

I’ve been meaning to write about what I worked on during my internship, but I didn’t get a chance to do so until today. So here are the two artifacts that I worked on during Summer 2025, which I have been allowed to share as I worked on them during my spare time:

The report tool

Many companies have a time-tracking system where they track what their employees have done over a given day. We were supposed to write up our individual reports, collate them, and then send them off as one giant team report. The trouble was, collating them into one nice table was rather cumbersome and annoying, especially if changes had to be made last-minute as it would shift the table layout.

So I made a web app that would allow users to type in their work item, export their daily report, and collate them in one go into one table. It even has some nice quality-of-life features, like automatic sorting of the name and projects based on hierarchy and priority. (Plus, it has a hidden Easter egg!)

Check out the web app here (warning: is in Korean). And the source code is available here.

One tidbit if you do decide to look at the source code. I noted this in the README.md, but the entire page is just one HTML file with inline Babel and <script> tags powering everything. The reason was because at the time, I did not have any development tools installed on my work computer, and I didn’t want to work on this on my personal computer and then transfer it over — that would’ve been a whole headache on its own. So everything is in one file, but thanks to modern text editors/IDEs like VS Code (which was thankfully available on the Microsoft Store), it wasn’t that hard to edit.

The automatic time-card script

ADP is a payroll/HR platform that companies use to keep track of employee time cards. One fatal flaw of ADP (or perhaps the browser?) is that on Microsoft Edge, the password autofill doesn’t work. Which meant every morning, I had to run up to my desk, wait for Windows to wake up, wait for the ADP page to load, type in my credentials like a savage, wait for the main page to load, and finally click on the clock-in button.

So instead of doing the normal thing of switching to a different Chromium-based browser, I wrote up a little Python script that will do the ADP clock-in for me. Now, I just have to click on a shortcut and go make coffee, and by the time I get back I’ll have been clocked in.

Disclaimer 1: this script can and certainly will break if ADP updates their website design.

Disclaimer 2: this script can be a little flaky at times depending on the timing, so make sure you are actually clocked-in after your coffee break!

Disclaimer 3: manually running the script once you come into work is fine, but if you put it on some scheduler and automate it while you haven’t come into work, that can be illegal. I’m not a lawyer.

Here is a Gist to the entire script. You will have to supply your own credentials and perhaps change the WebDriver path for your specific browser.

That wraps it up for this blog post! Those were the small things I got to work on this summer that I was allowed to share.

A rant about cheap proprietary IP cameras (featuring Hej Home)

Fri, 18 Apr 2025 00:00:00 GMT

A couple of months back, I was helping with cleaning out a relative’s closet when we came across this cheap-looking indoor IP camera from a company named Hej Home (헤이홈). The relative didn’t need it or want it, so I thought it might be fun to figure out how it ticks, and potentially have it set up as a local-only IP camera.

Before I get your hopes up too much, I didn’t really succeed in the latter half. This blog post documents my attempted journey on getting this camera to work for me, and a rant on all this garbage, crap IoT devices with no local access options, contributing to the e-waste epidemic everywhere.

Specifications

The unit I have is the “Smart Home Camera Pro (스마트 홈카메라 프로)”, model code GKW-MC055. It has one micro-USB port that carries over the power pins only, a reset hole, and a microSD card slot.

There is one tiny lens in front, with two LED indicators. One of the LED indicators is used for the status of the camera and lights up red when power is initially connected. Once the camera has finished initializing, the LED turns blue. The other indicator light denotes whether the camera is in night-vision mode. In the night-vision mode, an array of IR LEDs on the perimeter ring of the lens turn on to illuminate the area.

The camera also has a speaker and a mic for bidirectional communication via the app.

Speaking of the app, let’s try setting it up!

Setting up the camera on the official app

As always, the best place to start is the official manufacturer app, so I downloaded it and it asked me to set up an account. Fine, I guess. I set up the account and confirmed that I could actually see myself in the camera stream.

I then trawled through the settings menu, looking for any options to enable local access via RTSP or ONVIF. Unfortunately, no such setting existed. Looking through the FAQ section yielded no results.

Port-scanning the IP camera

Perhaps the local access ports are already open? I thought.

Time to port-scan this camera!

$ nmap 192.168.8.123
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 13:33 US Eastern Daylight Time
Nmap scan report for xxx.lan (192.168.8.123)
Host is up (0.022s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
6668/tcp open  irc
MAC Address: B4:FB:E3:XX:XX:XX (AltoBeam (China))

Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds

That was strange. There was only one port open, and I was pretty sure the camera didn’t have an IRC server running. I tried a more comprehensive scan, but it yielded the exact same result:

$ nmap -sS -p- 192.168.8.123
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 13:35 US Eastern Daylight Time
Nmap scan report for xxx.lan (192.168.8.123)
Host is up (0.019s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE
6668/tcp open  irc
MAC Address: B4:FB:E3:XX:XX:XX (AltoBeam (China))

Nmap done: 1 IP address (1 host up) scanned in 28.72 seconds

Looking online, port 6668 seemed to be used by IoT devices that were based on the Tuya SDK, which was this company that specialized in licensing out its IoT platform for other companies to rebrand and re-sell. Hej Home seemed to be one of their clients, which explained why they were able to churn out so many IoT devices on their store.

But that’s not going to help me here. I looked up if there was a way to enable ONVIF with the underlying Tuya SDK and found this page. It seemed like enabling ONVIF was a simple configuration swap, so I sent off an email to the company behind Hej Home and asked if they would please consider enabling this. (It would cost them literally nothing to do this — it’s a config change and as far as I know Tuya won’t charge them extra for it or whatever.) Sadly, I’ve yet to hear back from them after emailing them on March 25.

So that’s out. What’s next?

Disassembling the camera

I decided to disassemble the camera and perhaps dump the firmware from the flash chip inside to see if I could glean any more clues from it. I made a false start trying to get into the camera from the bottom half — that only yielded access to the microUSB port, which was good if I ever wanted to transplant a USB-C port in there, since I only needed to solder on the power wires. Unfortunately, the brain and major parts of the camera were not inside the lower half like I assumed it would, and if I had been any less gentle with it I probably would’ve broken the camera, ending this exploration right then and there.

I eventually figured out that you had to separate the top half of the camera. More specifically, the globe shape split into two spherical halves, allowing me to extract the motherboard and the lens assembly, which was sandwiched together into one slim package. This small sandwich controlled the entirety of the camera, from the motors used to move it horizontally and vertically to camera control, SD card recording, and power input from the port downstairs.

Dumping the SPI flash chip

My attention immediately landed on the single marked flash chip, from XMC. The marking read XMCQH64AHIG, and I was pretty sure I could use flashrom to dump its contents. Unfortunately, I stumbled across this open issue on the flashrom GitHub, which had been open since July 2020.

I tried to figure out why the two linked pull requests had been closed, and discovered that the flashrom team didn’t use GitHub for development. Rather, they had their own Gerrit instance where they reviewed and merged patches. The associated pull request (actually, multiple of them) had been transferred to Gerrit but had been lost to time, and the original PRs had been closed.

So I tried my luck by submitting a patch myself, which actually got merged in March 29! So after 5 years, flashrom gained the ability to read and write from this chip.

Looking at the firmware dump

Now that the chip definition had been added, I used the flashrom development binary I compiled to rip the firmware from the board. I then used binwalk -Me cctv.bin to extract the contents and had a look around.

There was a file named tuya_config.json in one of the extracted folders that looked very promising. One of the config options caught my eye:

    "onvif_enable": 0,

What would happen if I just changed that to 1? I thought. So I fired up hexedit on a copy of the firmware dump, searched manually for 6F 6E 76 69 66 5F 65 6E 61 62 6C 65 (which was onvif_enable in hexadecimal), and replaced the value 30 (0) to 31 (1). I then flashed the firmware back onto the camera and connected it to power.

During startup, a startling chime came from the camera which I had never heard before. I got nervous and excited for a moment, thinking that ONVIF had finally been enabled. Unfortunately, nmap showed that there were no new open ports on the camera.

I then looked into whether I could flash a completely new firmware image, overwriting whatever proprietary crap that Hej Home and Tuya had on there.

Looking for open-source options

From my previous expedition, I knew that the SoC of the camera was this chip marked AK3918 from this company named “Anyka”. Turns out, this was some Chinese company producing an all-in-one SoC for IoT camera makers.

While there was a datasheet available, the drivers and hardware definition had never been mainlined into the Linux kernel, probably because no Chinese company has the time to do that. Actually, they didn’t even release the kernel sources despite shipping a variant of the Linux kernel, but we all know that GPL is merely a suggestion to these hardware OEMs that they never take seriously.

There were some repositories attempting to reverse engineer cameras built upon this SoC, but I quickly realized that there were different firmware revisions to this SoC as well, and most of the repos that I found targeted the AK3918v200 revision, while my camera had the AK3918v300 one. Even if I could somehow tweak things to get the v200 repos working on the v300 one, the repositories only had basic scripts available, and it was not clear whether I would be able to even set up RTSP or ONVIF with those open source options.

Cutting my losses and moving on

Unfortunately, this is where I choose to stop. It’s been great getting my hands dirty disassembling this camera, dumping firmware, and contributing to the flashrom project, but going any further is just not worth my time.

For reference, a camera on Amazon that supports ONVIF is only around $25. I can buy it, hook it up, and connect it to Home Assistant with much less hassle than what I just went through. I don’t know how many hours, days, or even weeks it’ll take before I get some semblance of local access working on the original godforsaken camera, but I do know for sure that it’ll be worth much more than $25.

But forget about this alternative for a second. It’s ridiculous that a camera that is capable of being streamed to a local server without Internet access just can’t do that, because of some configuration change that’s locked away in a proprietary SDK. Without it, this camera becomes worthless to me, and probably to a vast majority of others as well. Nobody would be comfortable streaming the inside of their home to some server farm in China somewhere… or at least nobody should be comfortable in doing so.

And yet Tuya and all the client companies that depend on Tuya use this approach because it’s so easy to set up. They can pump out all this e-waste IoT garbage and get the tech illiterate audience to buy them and set them up, since they value the ease of use in not having to deal with setting up port forwarding and a NVR or whatever. But in doing so, they don’t realize that they’re giving a 3rd-party access to their living room space, or their baby crib or whatever.

So please, if someone you know is thinking about setting up cameras in their home (or any IoT device, really), always stress the importance of local-only access and why having devices phone home via the Internet is not a good idea, even if it is convenient. Home Assistant is extremely easy to set up, and now that they sell ready-made kits to set it up in minutes, there’s no real excuse in not using such a solution.

Fix up audio delay in Meta Quest recordings

Sun, 06 Apr 2025 00:00:00 GMT

I bought my Quest 3 in October 2023. Today is April 2025. After 18 months of firmware updates, this bug still lingers: the audio desyncs by a couple hundred milliseconds whenever you use the recording functionality (the “Camera” app) to record gameplay footage inside the Quest.

I hate having to adjust the delay manually every time I splice the footage in my video editor, so I decided to just automate it with ffmpeg (all hail ffmpeg).

Step 1: Figure out the delay values

I first loaded up the video clip in my video player and played around with the audio delay option until I could get the audio and video in sync. A good trick to sync up Beat Saber footage, for example, is to listen for the “click” when you press the play button and the screen turns black, or when your saber goes through a note and makes the piercing sound.

On MPC-BE, you can find the delay option by opening up the options menu with the ‘O’ key, navigating to “Audio > Sound Processing”, checking “Audio time shift (ms)” and adjusting the delay there. Start with increments of -100 ms. For my headset, I found a delay of -400 ms, although it may be different for you depending on your unit variation and whatever game you’re recording. (Also, I have no idea why this option is buried here…)

Step 2: `ffmpeg`

And the command to shift just the audio with ffmpeg is the following:

ffmpeg -i input.mp4 -itsoffset 0.4 -i input.mp4 -map 1:v -map 0:a -c copy output.mp4

Don’t forget to change the offset value if the delay is different for you!

I have a positive delay value

If your video clip’s audio is ahead of the recording for some reason, use the following:

ffmpeg -i input.mp4 -itsoffset 0.4 -i input.mp4 -map 0:v -map 1:a -c copy output.mp4

Note that the -map numbers have changed, since we are now grabbing the non-delayed video stream from the first input and the delayed audio stream from the second input.

Conclusion

Don’t forget to uncheck the delay in your video player afterwards. (Or else you’ll drive yourself crazy figuring out why all your content has audio sync issues! Not speaking from experience.)

Also, if the fix is this simple, why can’t the Quest just correct the recording once it is finished…?

Buying my (Korean) name on the Internet

Sun, 30 Mar 2025 00:00:00 GMT

After a intriguing conversation about punycode, on a whim I searched for my Korean name to see if it was available. I was pretty sure it wouldn’t be because it’s a common name.

Long story short: go see my (Korean) face: http://박선우.com

I nearly lost my entire home server

Tue, 04 Mar 2025 00:00:00 GMT

Around the first week of January, I said goodbye to my family in Korea and got on a flight back to the US to continue my studies. The flight itself was quite uneventful, and I enjoyed a couple of movies I’d brought on my phone and played games on my Steam Deck. But I don’t like long-haul flights in general because all the shaking around makes it impossible to get any sleep and the noise-canceling headsets can only cut out so much engine roar.

As the plane touched down and taxied to the gates, I toggled off airplane mode and watched the flurry of notifications and activity as the phone synced with the world after 13 hours of disconnect. I didn’t see anything noteworthy, so I grabbed my bags and got off with the others.

I went through the visa check, picked up my bags from the carousel, and headed to the multi-modal facility where all the buses were. While waiting for the tram system to come by, Pushover suddenly chimed on my phone. I immediately knew it was not a good sign because that ping sound was configured for critical alerts.

Sure enough, I was greeted by this, after 13 hours of torture on a flight:

My first thought was: why did this have to happen after I’d come all the way to the US?! Answer: Murphy’s Law. Second thought was: thank god for dual-parity. I thought it was overkill when I initially configured my array that way, but now it was evident that I’d missed total catastrophe by a very slim margin.

I thought it was strange that two drives dropped off of the array at the same time, but didn’t think much of it at the time. (Foreshadowing.) While the drives there were a mix as I bought the drives in batches, there could’ve been a time when I bought two in a single batch. Perhaps it was a manufacturing defect.

At any rate, I ordered up two 16 TB replacements and took the server offline to prevent any more reads and writes from taxing the other drives and causing them to fail. The server would be unavailable, and my family would be mad at me, but it was better than creating a worse situation where I’d have to reconstruct the server from scratch.

Now, conforming to best practices, I do have a backup server with a replica of the data on the main server. However, because I wanted to tackle two birds with one stone, the backup server was located offsite, so the schedule for backing up ran every day during the early hours when everyone was asleep, and it was constrained by Internet bandwidth between the two sites. Depending on when the last backup was, it was possible that it didn’t have all the bits of the latest copy on the main server, and at any rate, it was going to be a painful affair trying to restore around 18 TB of data over the Internet.

So the drives arrived, I got them installed with help from my family, the server resilvered and everything was right with the world, right?

An ideal world where everything goes right

When the new hard drives arrived, I got on a video call with my family members and instructed them on how to change the drives. It was slightly tricky because the case I used for the main server, the Jonsbo N1, required you to slide the server out of the main case rail and replace the drives. This was a finicky process, because the server was in a media cabinet and that meant you had to take out the entire server and delicately disconnect cables and make sure you didn’t drop it and kill the rest of the drives.

But we managed to get it done, and I booted the server up and started the rebuild process. I opted to skip the preclearing process, because there was no way the brand-new drives were faulty, right?

The new drives are… faulty?

Unfortunately, the new drives immediately threw up the exact same I/O errors a minute into resilvering. One dropped off from the system entirely, just like the 8 TB one from the two original drives that “failed”. smartctl couldn’t detect the drive that went AWOL:

Smartctl open device: /dev/sde failed: INQUIRY failed

…and gave tons and tons of errors for the other drive, even though all the SMART attributes looked healthy and the drive was deemed okay by SMART standards:

Error 385 occurred at disk power-on lifetime: 20508 hours (854 days + 12 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 61 02 00 00 00 a0  Device Fault; Error: ABRT

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  ef 10 02 00 00 00 a0 08      01:08:16.785  SET FEATURES [Enable SATA feature]
  ec 00 00 00 00 00 a0 08      01:08:16.785  IDENTIFY DEVICE
  ef 03 46 00 00 00 a0 08      01:08:16.785  SET FEATURES [Set transfer mode]
  ef 10 02 00 00 00 a0 08      01:08:16.784  SET FEATURES [Enable SATA feature]
  ec 00 00 00 00 00 a0 08      01:08:16.783  IDENTIFY DEVICE

dmesg showed more cryptic and sinister errors:

20:28:04 dipper kernel: ata2.00: configured for UDMA/133 (device error ignored)
20:28:04 dipper kernel: ata2: EH complete
20:28:04 dipper kernel: ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
20:28:04 dipper kernel: ata2.00: irq_stat 0x40000001
20:28:04 dipper kernel: ata2.00: failed command: WRITE DMA EXT
20:28:04 dipper kernel: ata2.00: cmd 35/00:c8:e0:a3:05/00:01:00:00:00/e0 tag 19 dma 233472 out
20:28:04 dipper kernel:         res 61/04:c8:e0:a3:05/00:01:00:00:00/e0 Emask 0x1 (device error)
20:28:04 dipper kernel: ata2.00: status: { DRDY DF ERR }
20:28:04 dipper kernel: ata2.00: error: { ABRT }
20:28:04 dipper kernel: ata2.00: failed to enable AA (error_mask=0x1)

So I had to dig deeper. There was no way that the new drives were faulty in the exact same way as the old drives, and both of them at that.

Going down the chain

The first thing was to figure out if the drive bays were going bad. I video-called with my (frustrated) brother and had him swap around drives in the bays.

However, after swapping, the problems followed the drives. This was a real head-scratcher. If the drives weren’t faulty, then something down the chain was the problem. But how come the problems followed the drives across bays if the drives themselves weren’t faulty?

I asked and checked to make sure that all the connections were firmly seated. This was quite the ordeal, because it’s really hard to tell whether a connection is “good” over a grainy video call. My brother did note that one of the Molex connectors that went to the SATA backplane of the Jonsbo N1 was slightly loose when he went to push it in, so I was hopeful that perhaps it was a power issue. The failure probably followed the drives because they were the most susceptible to brownouts, and the fact that the new drives were now much bigger in capacity than any other drive in the system supported the hypothesis that they were the first ones to quit when the power was insufficient and throw errors.

Unfortunately, this managed to throw me off the scent temporarily. Even the preclearing process seemed to work fine, so I canceled the preclear and started the rebuild. However, a minute into the rebuild, the same freaking problem returned.

I had to move further down the chain. My suspects, in order from the drive to my screen thousands of kilometers away, were the following:

SATA backplane
The SAS to SATA (1x4) breakout cables (SFF-8087)
The LSI RAID card, flashed into IT mode, acting as the HBA
The actual motherboard itself
The PSU
Me, I was going insane and this was all a hallucination

Of particular note was the breakout cable.

History repeats?

See, while seeking help on the UnRAID forums, I came across a post that I wrote in 2023, where I had two drives die on me after an UnRAID upgrade.

Wait, two drives? Like, what I’m going through right now?

This was back in June 2023, and I happened to be on a trip to Beijing, so I didn’t have physical access to my server. Thankfully, that particular trip ended after 2 weeks, and I was able to fly back to Korea and diagnose further, and it turned out to be the SAS to SATA cable going bad.

For context, the Jonsbo N1 case is a mini-ITX case, so the insides are very, very cramped. So much so that a SAS cable sticking out the side has to be bent around to fit in the case. I even tried using a right-angle, 90-degree cable, but you still needed a bend to route the cable through to the area where the SATA connectors on the backplane were. Making matters worse, the SATA ends had to be right-angled, too, or else they’d snap off when the server was slid back into the outer casing and Jonsbo would void your warranty. And it’s hard to find sellers that will sell a cable that has both a 90-degree bend at the SAS end AND the SATA ends.

I’d replaced the cable and the drives had all spun back up again with zero problems. Until now, of course.

”Supply chain issues”

I decided to replace both the HBA card and the breakout cable in one go, so that if either one turned out to not be the culprit, I wouldn’t have to wait longer to get another shipment. Plus, it was not that expensive — a used card on AliExpress only cost about $30, and the cable only added a bit more to the total.

Unfortunately, it was the worst possible timing to be shopping for replacement server parts. Because of the Chinese Lunar Year holiday, a lot of the AliExpress sellers were taking off days, for the entire week and then some. This meant that by the time the parts made it out of their warehouses and got shipped in a boat from China to Korea it would be mid- to late-February, which meant we’d be without our server for an entire month.

While researching options, I came across those PCIe to SATA cards, with chipsets from ASMedia. They served essentially the same purpose as the HBA card — why couldn’t I use them?

I thought I’d read something about avoiding those cards since they tended to drop the drives whenever the load increased and were generally unreliable, but it turned that I was thinking about those SATA port multiplier cards, which had Marvell chipsets and were best avoided at all costs. Regular PCIe to SATA cards seemed to be fine, though it looked like the cards based on the ASM1166 chipset needed a simple firmware update for it to work properly. But compared to an LSI HBA card, that wasn’t that big of a deal, since you needed to flash the firmware on LSI cards to get them into IT mode anyway. And the price was an absolute bargain — I paid perhaps $10 for the card, and like $2 for a 12-pack 90-degree SATA cable set, which was cheaper than the LSI option by half as much.

So I picked up a card with the ASM1066 chipset from AliExpress, which immediately shipped because it came from AliExpress’s warehouses, and they seemed to ignore holidays. (The joys of capitalism.) Unfortunately, the port at Pyeongtaek (평택) that screened the packages for customs did not, so I only got the card during the first week of February, which was still way better than the expected ship date for the LSI card.

When the card arrived, we discovered that it was absolutely perfect. It took up much less space than the previous LSI card, and the ports were angled towards the front of the case where the hard drives were, so there was absolutely zero bend or pressure on the SATA cables, which meant they wouldn’t fail that way.

Once we got everything hooked up, the server was powered back on, the drives came back, I was able to start the resilvering process, and it was a happy ending, right? Right?!

The Server of Theseus

What do you do when you’ve replaced virtually everything about the server… and you still get slapped in the face with:

This was bad. Somehow, the problem persisted, even when I had:

Replaced the hard drives with brand-new ones
Replaced the RAID card with a brand-new SATA card
Replaced all the SATA cabling between the card and backplane
Randomized the order of the hard drives connected to the backplane so as to rule out a bay issue

Out of ideas, I asked for help on the UnRAID forums again, since I had no idea where those ATA errors were coming from. @JorgeB on the forums said that the errors still looked like a connection problem, particularly on the power side.

Unfortunately, I didn’t have a spare PSU to test, but I had an idea. I called in and asked my brother to move the Molex connectors one row down, to see if perhaps the length was the issue. (By one row down, I mean the Molex cable was one long cable with four Molex plugs wired in parallel, and I was using the two outermost ones furthest away from the PSU.)

He had one hell of a time getting the cable out of the connector because the connector on the backplane was in a hard-to-reach spot. I also wondered whether heat had deformed the connector, making it harder to remove and potentially causing an imperfect contact between the pin and connector. Unfortunately, I couldn’t tell over the grainy video call, and the photos didn’t help much, either.


Can you make out the 4-wire Molex cable underneath the thick cables marked ‘ChingLung’?

Finally, once the server was reassembled for the umpteenth time, he powered on the system and I started a preclear to see if the I/O issues had gone away.

Jumping over the first hurdle

UnRAID’s pre-clear system is comprised of five different stages, but only three of them are the ones that access every single byte on the drive. And unfortunately (or fortunately?) for me, the drives that I was preclearing were 16 TB in size.

It was a long and agonizing wait, but I decided to wait it out, because I didn’t want to risk another failure while rebuilding the array because of some latent power issue that decided to manifest again. So I let it run, and checked in periodically to monitor the progress.

Each stage took around 20 hours to complete — 20 hours to either read or erase every single byte of the 16 TB drive.

But thankfully, the preclear passed after running for a bit over 62 hours:

####################################################################################################
#                              Unraid Server Preclear of disk _____JFA                             #
#                            Cycle 1 of 1, partition start on sector 64.                           #
#                                                                                                  #
#   Step 1 of 5 - Pre-read verification:                  [20:44:44 @ 214 MB/s] SUCCESS            #
#   Step 2 of 5 - Zeroing the disk:                       [20:46:40 @ 213 MB/s] SUCCESS            #
#   Step 3 of 5 - Writing Unraid's Preclear signature:                          SUCCESS            #
#   Step 4 of 5 - Verifying Unraid's Preclear signature:                        SUCCESS            #
#   Step 5 of 5 - Post-Read verification:                 [20:44:42 @ 214 MB/s] SUCCESS            #
#                                                                                                  #
#                                                                                                  #
#                                                                                                  #
####################################################################################################
#       Cycle elapsed time: 62:16:35 | Total elapsed time: 62:16:36                                #
####################################################################################################

####################################################################################################
#   S.M.A.R.T. Status (device type: default)                                                       #
#                                                                                                  #
#   ATTRIBUTE                   INITIAL CYCLE 1 STATUS                                             #
#   Reallocated_Sector_Ct       0       0       -                                                  #
#   Power_On_Hours              3       65      Up 62                                              #
#   Reported_Uncorrect          0       0       -                                                  #
#   Airflow_Temperature_Cel     28      41      Up 13                                              #
#   Current_Pending_Sector      0       0       -                                                  #
#   Offline_Uncorrectable       0       0       -                                                  #
#   UDMA_CRC_Error_Count        0       0       -                                                  #
#                                                                                                  #
#                                                                                                  #
####################################################################################################
#       Report genereated on: February 08, 2025 at 13:00:38                                        #
####################################################################################################
--> ATTENTION: Please take a look into the SMART report above for drive health issues.

--> RESULT: Preclear Finished Successfully!

And a short while later, the second 16 TB disk precleared successfully, giving me some hope back:

####################################################################################################
#                              Unraid Server Preclear of disk _____DA5                             #
#                            Cycle 1 of 1, partition start on sector 64.                           #
#                                                                                                  #
#   Step 1 of 5 - Pre-read verification:                  [21:27:40 @ 207 MB/s] SUCCESS            #
#   Step 2 of 5 - Zeroing the disk:                       [21:30:35 @ 206 MB/s] SUCCESS            #
#   Step 3 of 5 - Writing Unraid's Preclear signature:                          SUCCESS            #
#   Step 4 of 5 - Verifying Unraid's Preclear signature:                        SUCCESS            #
#   Step 5 of 5 - Post-Read verification:                 [21:27:42 @ 207 MB/s] SUCCESS            #
#                                                                                                  #
#                                                                                                  #
#                                                                                                  #
####################################################################################################
#       Cycle elapsed time: 64:26:28 | Total elapsed time: 64:26:28                                #
####################################################################################################

####################################################################################################
#   S.M.A.R.T. Status (device type: default)                                                       #
#                                                                                                  #
#   ATTRIBUTE                   INITIAL CYCLE 1 STATUS                                             #
#   Reallocated_Sector_Ct       0       0       -                                                  #
#   Power_On_Hours              3       67      Up 64                                              #
#   Reported_Uncorrect          0       0       -                                                  #
#   Airflow_Temperature_Cel     28      41      Up 13                                              #
#   Current_Pending_Sector      0       0       -                                                  #
#   Offline_Uncorrectable       0       0       -                                                  #
#   UDMA_CRC_Error_Count        0       0       -                                                  #
#                                                                                                  #
#                                                                                                  #
####################################################################################################
#       Report genereated on: February 08, 2025 at 15:10:38                                        #
####################################################################################################
--> ATTENTION: Please take a look into the SMART report above for drive health issues.

--> RESULT: Preclear Finished Successfully!

Rebuilding

The rebuild process was slightly more complicated than it had to be, because I’d opted to get drives of a bigger capacity to replace the “failed” ones.

Now, UnRAID won’t let you have a data drive that is bigger than the parity drive, and the amount of available storage is just the sum of all the data drive capacities, which meant I wouldn’t have any extra storage space available right now by swapping out two out of the five 8 TB drives in my array with 16 TB ones. It just meant that I’d have to assign them as parity drives, and in the future if I ever got a drive that was bigger than 8 TB (but less than or equal to 16 TB, because of the parity drives) to replace one of the data drives then I’d see the increased storage space. As for now, it was mostly future-proofing.

Unfortunately, one of the two drives that had failed was a data drive, and as I mentioned earlier, UnRAID wouldn’t let you have a data drive bigger than a parity drive, even if you wanted UnRAID to only use the first 8 TB and use the rest later once all the parity drives were upgraded.

Thankfully, UnRAID has a special “parity-swap” procedure for instances like these: you assign the new drives as parity drives, and then move the other 8 TB parity drive into one of the data drive slots (where the failed data drive used to be). Then UnRAID recognizes that you’re trying to copy the parity data from the old drive to the new, and then rebuild the data drive on top of the old parity drive.

I assigned the drives and clicked the copy button to start the process. The array isn’t accessible during the copy step, but I was fine with that as long as it didn’t crash during the procedure. My server had one final scare up its sleeve, though, just to get a last laugh:

This was just the “Fix Common Problems” plugin telling me that my array was already in a degraded state, but when I saw the “Errors” part I instantly thought the drives had dropped out again due to another brownout or something.

Thankfully, nothing of that sort happened, and the parity-swap finished successfully after several hours. It actually took longer than each preclear step, probably because the 8 TB also slows down near the end, and we need the data from the 8 TB drive to populate the 16 TB one.

I then kicked off the data and parity drive rebuild process, which could be done in one go. This took the longest, clocking in at 27 hours (!), but mercifully it passed as well:

And with that, the server was finally brought back online after 28 days, concluding the outage.

Failure Analysis

Given that futzing around with the Molex connector temporarily resolved the problem the first time around and permanently resolved it in the end, we can focus on the power-side of things.

First, in terms of wattage, I was well within the specs of the system. The power supply was a SP750 model from Lian Li, and from what I can tell with the system specs, the most I ever needed with the parts in the NAS was perhaps 380 W. That is half of the rated wattage of the PSU, so a failure of it was rather unlikely.

That left the single cable, which was carrying all the power to the backplane. When I first built this system, this was the only option, because Jonsbo’s backplane only had the two Molex ports, and also because Lian Li decided to only ship one Molex cable in their entire set of detachable cables.

But did I overdrive the cables to the point of them failing? Well, let’s do some math.

For starters, here are the specifications sheets for the two model types of the drives that I have in my NAS:

As previously mentioned, I have two 16 TB drives, and three 8 TB drives. Seagate’s specs say the maximum operating wattage of the drives is 10 W for each drive, although it doesn’t list the start-up peak power, which would probably be higher than 10 W. WD does list the peak amperage of the 12 V rail at 1.75 A, giving us around 21 W of peak start-up power. WD also mentions that the average power requirements for read and write is about 6.2 W. Scaling that up to Seagate’s power requirements linearly suggests that Seagate’s peak startup wattage is about 31 W, so we’ll assume it is around that number.

This means that during startup, the drives in my NAS draw about 125 W, and during normal use with all drives spinning at once, the average power draw should be around 38.6 W.

According to a forum post on LTT, a single Molex cable should give me 120 W of power on the 12 V rail, which means I briefly exceed this rating upon starting up the server by about 5 W. But again, this is with us assuming that the peak startup wattage for the Seagate drives scales linearly from WD’s specifications, which is probably not the case. And during normal use, the power usage is well below the maximum capability of a typical Molex cable.

So here’s my hypothesis on what happened. This server has been running non-stop since June 2022, which means it has been operational for nearly 3 years at this point. During the time, perhaps the load on the cable was slightly over the rated limit, causing slight amounts of heat to deform the connector and cause imperfect contact on the pins. Paired with the vibrations from the hard drives sitting directly on top of the backplane, the cable kept creeping out of the connector until at some point, the voltage sag from the imperfect contact was just too much for some of the hard drives to handle, and the most sensitive ones began to drop off from the server, causing the I/O errors.

When the Molex plugs were moved one row over, the new plug was still in good condition and was able to make better contact with the backplane connector.

There was one chance where I could’ve suspected this and have avoided the hassle of waiting for the new parts to arrive. The fact that two drives dropped out at the exact same time should’ve clued me into the fact that this was no drive failure. Even if they were from the same batch, drives don’t just up and die from the array in the same precise moment like that, due to manufacturing variations. Of course, this is all in hindsight, so I guess it’ll serve as a reference in the future if it ever happens again.

Lessons learned

Unfortunately, if my hypothesis is correct, this is still a temporary solution. If the wattage is exceeding the cable specs by only a little, it would still work for maybe a year or two before developing the same problems.

To solve this for good, I’m planning to buy and install two separate Molex cables from the PSU to the backplane, with the highest wire gauge I can obtain so that more power can be delivered over less resistance. This should help with the marginal heat generated, if any.

But thankfully, the home server is finally back up, and ultimately I did not lose any data from this incident or have to restore from a backup. The redundancy part of my server functioned exactly as I planned.

To reduce the downtime from waiting for parts next time, I plan to have at least one spare hard drive available as well. Since the Jonsbo N1 only houses 5 drives at once and I use all of the bays for the array, that means the drive will have to be a cold spare, but it’s faster than waiting weeks for the drives to arrive from China or wherever.

(Note: I don’t think having more than one spare is a good idea, for a couple of reasons. Drives historically have become cheaper over time, and I still stand by the fact that the chances of two or more drives failing at once is extremely slim. And yes, I do realize the irony while writing this blog post, but again, this was not a problem with the actual hard drives, and if I had started with the cabling then I could’ve gotten away with purchasing no drives at all.)

So there you go — if you’re chasing random I/O errors that seem to haunt you across different hardware, hopefully you can also fix it by closely inspecting the power situation of your system, and making sure that all the connectors tightly fit the inserted plugs!

Profiling with cargo flamegraph

Sat, 25 Jan 2025 00:00:00 GMT

This will be a rather short blog post, because all I wanted to show off was this flamegraph, generated from one of the questions in the competitive programming course I’m taking:

(Note: the SVG file is actually interactive, but you do need to right-click on the image and open it in a new tab!)

I love looking at flamegraphs!

Side-note: getting cargo flamegraph running on Windows is slightly involved.

Windows Preparations

If you have BitLocker enabled on your machine, back up the recovery key. You will need it in a sec. Most Windows machines nowadays ship with BitLocker enabled.
Enable dtrace functionality by running bcdedit /set dtrace on in an elevated permissions terminal.
Download and run the installer from Microsoft’s official dtrace repository.
Set the _NT_SYMBOL_PATH system environment variable to the following (see details on why here):

srv*c:\symbols*https://msdl.microsoft.com/download/symbols

Reboot your machine. Enter in the BitLocker recovery key when prompted.

Linux Preparations

On Linux, you do need the linux-tools packages for your specific kernel version. I’m using NixOS, so I just had to run nix shell nixpkgs#linuxKernel.packages.linux_latest_libre.perf to get just the perf package that flamegraph-rs requires. (No idea what the libre part is for, but there wasn’t one without that suffix…) Check out the official installation section of the README for distro-specific instructions.

Buffering by block in Rust

Thu, 23 Jan 2025 00:00:00 GMT

I’m taking a competitive programming course this semester, and the platform we’re using (Kattis) apparently prioritizes fast I/O, to the point where some right answers will be rejected with a Time Limit Exceeded (TLE).

I wanted to see if there was a way to squeeze out just a bit more read/write performance in Rust, and was surprised to learn that stdout is line-buffered by default. This means that an innocent-looking code sample like the following writes slower to console than the theoretical speed limit:

use std::time::Instant;

fn main() {
    let time = Instant::now();

    for i in 0..500000 {
        println!("{}", i);
    }

    let duration = time.elapsed();
    println!("Time elapsed: {:?}", duration);
}

When you run it, you’ll get an output like the following:

(...)
499997
499998
499999
Time elapsed: 17.5983885s

So why does this happen? Every time you call the println!() macro, it emits a newline character (\n) to stdout, and every time stdout sees a newline character it flushes its buffer. To flush the buffer, it executes a syscall that writes the contents of the buffer to the console, or to a file if there are redirects, whatever.

The problem is, every time you execute a syscall there is some overhead because the processor has to change from user to kernel mode and shift around registers and so on. And we’re doing this 500k times! So the overhead stacks up.

The solution is to stick a BufWriter in front of the stdout, which might seem weird and the exact opposite of what we’re trying to achieve (we wanted less buffering, right?), until you realize that BufWriter holds the contents you are trying to write in a separate buffer. When we call .flush() on BufWriter, it dumps all of the contents in stdout and calls .flush() on it as well, which effectively makes stdout block-buffered.

I was initially skeptical of this approach and thought stdout would just end up calling the write-syscall whenever it saw the newline character being passed through from BufWriter’s buffer, but the performance improvements suggest otherwise.

The modified code:

use std::io;
use std::io::{BufWriter, Write};
use std::time::Instant;

fn main() {
    let time = Instant::now();
    let output = io::stdout().lock();
    let mut buffer = BufWriter::new(output);

    for i in 0..500000 {
        writeln!(buffer, "{}", i).unwrap();
    }
    buffer.flush().unwrap();


    let duration = time.elapsed();
    println!("Time elapsed: {:?}", duration);
}

And the results in case you thought I was lying:

(...)
499997
499998
499999
Time elapsed: 3.7357123s

So why doesn’t Rust just let us toggle between line-buffered and block-buffered for stdout? Well, the issue exists on their GitHub issue tracker, but the associated pull request was closed back in 2022 and as a result the problem has been stuck like that for the past 3 years. (If you count the original issue that makes it nearly 6 years!)

So until this becomes part of the language, the workaround above seems to be the best crate-free way of getting faster I/O in Rust. Of course, you could also try and get the raw, unbuffered stdout using workarounds such as this one by @WieeRd on GitHub, or do what ripgrep does with their conditional buffering.

If only Kattis allowed crates.

KT's outdated Wi-Fi, on Linux

Sat, 04 Jan 2025 11:15:00 GMT

If you ever try and connect to a public Wi-Fi AP hosted by KT, perhaps at a Starbucks, with your Linux laptop, you may notice that the connection fails. For me, KDE prompted that the password was incorrect, when it wasn’t — my Android phone could connect to the AP just fine.

If you looked at the logs, you would see something like this:

Dec 26 16:39:14 kernel: wlp3s0: associate with 06:09:b4:78:b3:13 (try 1/3)
Dec 26 16:39:14 kernel: wlp3s0: associate with 06:09:b4:78:b3:13 (try 2/3)
Dec 26 16:39:14 kernel: wlp3s0: RX AssocResp from 06:09:b4:78:b3:13 (capab=0x431 status=0 aid=1)
Dec 26 16:39:14 kernel: wlp3s0: associated
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: Associated with 06:09:b4:78:b3:13
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Dec 26 16:39:17 wpa_supplicant[1408]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Dec 26 16:39:17 wpa_supplicant[1408]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Dec 26 16:39:17 kernel: wlp3s0: disassociated from 06:09:b4:78:b3:13 (Reason: 23=IEEE8021X_FAILED)
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=06:09:b4:78:b3:13 reason=23
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KT_starbucks_Secure" auth_failures=2 duration=31 reason=AUTH_FAILED
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: Added BSSID 06:09:b4:78:b3:13 into ignore list, ignoring for 10 seconds
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: BSSID 06:09:b4:78:b3:13 ignore list count incremented to 2, ignoring for 10 seconds

This is because KT’s Wi-Fi uses WPA2-Enterprise, and they’re still using a TLS version that is lower than TLS v1.2, which is disabled by default for security reasons in OpenSSL. This is even documented on the Arch wiki.

For some context, while TLS v1.0 and 1.1 were only deprecated in March 2021, TLS v1.2 has been available since 2008, and TLS v1.3 (the latest) since 2018. There is really no excuse for why KT is still using the outdated version.

Instead of overriding the settings and allowing an insecure version of TLS, my solution was to just use the open Wi-Fi with no authentication and then utilizing Tailscale’s excellent exit node feature to just secure my connection. Much less hassle and my connection is still secured from eavesdroppers.

This is the same company that claims they’re the forerunner in AI solutions on television ads. I wonder if you guys feel any shame, KT?

Reverting DD-WRTed WRT32X back to stock

Sat, 04 Jan 2025 11:00:00 GMT

I found an old router we used to use back in China while digging through our moving boxes. At the time, I flashed DD-WRT on the thing because we used a VPN service named Astrill, which had a little DD-WRT applet that let you set up a network-wide VPN for the entire household (which meant we didn’t have to configure VPN on each device).

Now that I was no longer in Internet-censorship-land, I decided to flash it again with OpenWrt. But the instructions online only cover how to flash OpenWrt from a stock system.

Rather than risk bricking the router trying to manually dd over the partitions, I decided to first flash the stock Linksys image onto the router and then convert it to OpenWrt from there. Unfortunately, the forum post on DD-WRT’s forums detailing how to go back to stock required you to grab a custom-made image that had a padded bit, so that DD-WRT’s image flasher would flash it correctly to the partition table. While the image was available for download here, DD-WRT’s forum software would only allow downloads once you signed up for a forum account.

I tried to sign up for a temporary account to download the pre-converted image, but it appears that DD-WRT’s forum is in a state of abandonment. The confirmation email to actually activate the account never arrived, and my email to the forum administrators went unanswered.

Time to follow the instructions on how to pad a stock image manually, then. While following the instructions, I didn’t realize that newer stock firmware images had a different partition layout, so the amount of data to pad was different. Of course, I only found out about this when I overwrote the partition and essentially soft-bricked the device. Thankfully, the A/B partition swap kicked in, and I was able to retry with the correctly converted image.

So if you ever find yourself with a WRT32X flashed with DD-WRT and you want to go back to stock or use OpenWrt on it, you can use this image that I converted here. (Alternate mirror on Catbox) Don’t forget to verify your download with the SHA256 checksum:

fdf5914007d02ee86a2a93d3e20bd677403ec1c9849d8126840c79126507239c

As for the router, I don’t think I’ll be using it. I successfully flashed both partitions with OpenWrt, but the open-source mwlwifi driver and firmware won’t let you adjust power levels, which means it’ll blast out the 2.4 GHz signal at full tilt and drown out the 5 GHz signal:

Maybe the firmware could be reverse-engineered one day?

I migrated my site to Astro!

Sun, 29 Dec 2024 00:00:00 GMT

If you’re reading this blog post, it means the new site based on Astro is now live!

Announcements

Here are all the breaking changes regarding my site that you should probably know about:

If you are using an RSS reader to subscribe to my blog, you need to update your URL from https://ericswpark.com/blog/index.xml to https://ericswpark.com/blog/rss.xml. You should’ve also seen a notice on your reader if you are subscribed to the old feed URL.
Some subfolders are now children to the /pages subfolder, such as /pages/tools and /pages/fun. I’ve set up redirect notices, but please update your bookmarks as soon as possible.

Motivation

I’ve gone through so many website frameworks that it’s honestly very hard to keep track. I used WordPress, Ghost, Jekyll and then finally settled on Hugo in 2021. For the last two frameworks, I used GitHub Pages for hosting, because I’m a student and it’s hard to beat the price of free.

When I settled on Hugo, I thought I’d stay on for the next couple of years. While the entire website worked okay, I was dissatisfied with a couple of things.

For starters, because I was (and still am) quite terrible at design, I decided to use a pre-made theme called anatole. While I am grateful that I was able to use it, the site built on top didn’t really feel like my own creation, even as I tried to style it my way.

Speaking of styling things, it was quite difficult to do with Hugo. Hugo was built on top of Google’s Go language, and it has its unique templating syntax. The idea of having to learn it to make even the smallest changes to my website put me off from actually customizing the look and feel of my website for a very long time.

But I liked the fact that I could just write for my blog by making a Markdown file, committing it, and pushing the changes to GitHub. Hugo, and the anatole theme I was using, had good support for internationalization (i18n), which I needed because I also translate my blog posts into Korean. This was so simple, in fact, that I was able to continue to post on my blog in the military back in 2021-23, by using my iPad to write Markdown in Working Copy and pushing it to GitHub.

However, the final limitation that had me fishing for alternatives was when I tried to add some JavaScript to my website. I had a bunch of utilities, and I’d gotten by with vanilla JS by just stuffing them inside <script> tags and forcing Hugo to render raw HTML inside my Markdown files (which was gated behind a config option that started with a scary unsafe keyword for no coherent reason). But as the scope of my tools and pages grew, I had to include more features and dependencies, and that meant using a JS bundler to compile my JS into the final form.

This was not a built-in feature for Hugo. I had to bolt on compiling JS with webpack, and while it sort of worked, it made the build process more convoluted. Worse yet, I couldn’t figure out how to neatly organize my source files and have webpack cleanly compile them into bundled files for Hugo to pick up. And the fact that I still had to learn the templating language if I wanted any changes made signalled to me that it was perhaps time to move on.

First try: NextJS!

I had some experience using NextJS for some of my personal and college projects, and thought it would be a perfect fit for my new website.

Unfortunately, I was about 40% complete with the migration when I realized that the built-in MDX compiler did not support relative imports for images. Nor did the next-mdx-remote repo support it. This was a problem, because I already had a huge collection of blog posts (67 of them, or 134 counting the Korean translations) written in Markdown, with images nestled in each folder for easy relative imports:

blog/
  2024/
    2024-12-29-i-migrated-my-site-to-astro/
      en.mdx
      ko.mdx
      imgA.png

For some context, this meant I couldn’t do something like this in en.mdx:

import imgA from './imgA.png';

I migrated my site to Astro:

<Image src={imgA}>

Instead, I would’ve had to move all of my images to the public/ directory, which was very messy and not something I was willing to put up with.

mdx-bundler looked like a potential solution, but it required having a separate bundler as a build step, and that reminded me too much of Hugo and the webpack situation.

At this point, the members of the Purdue Hackers Discord couldn’t recommend Astro enough, so I decided to try that next, even though I was really bummed that I couldn’t use something I was familiar with. But hey, maybe Astro is better?

(spoiler alert: yes it is, because you’re reading this blog post)

A rough start to the migration

I got started with the migration back in November 29th, so the entire process took exactly one month. But I swear that there is a good reason for why it took so long.

I had a couple of requirements for the migration:

All URLs must stay exactly the same. If there are any changes, I should be able to set up redirects or notices.
The RSS feed should pick up where it left off, without any disturbances to the subscribed readers.
All features must come over from the old website, including the theme switcher, language switcher, Giscus comments, and so on.

Almost immediately, I hit a roadblock. Astro would refuse to render my previous RSS feed URL at https://ericswpark.com/blog/index.xml. I filed a bug report, but it sat dormant until this week. After some back and forth with Astro core maintainers, I figured out where the bug was coming from and submitted a pull request. Even though a member on the Astro Discord said they’d look into the pull request, as of writing this blog post it still hasn’t been merged, but it’s okay because patch-package is a thing and I can just remove the patch whenever they get around to merging it.

I decided that requirement #2 could be relaxed a little, and decided to move the URL from index.xml to rss.xml. It seemed more appropriate, and I could add more feed formats in the future, like rss.json.

After finals week passed, I continued work on the website migration. It took a while, because I had to write mostly everything from scratch. All the components had to be written for things like GitHub Gist embeds, the styling had to be written with CSS (although Tailwind CSS really helped here), and routing — especially i18n routing — had to be set up properly and to my liking.

But when you get past all of that?

The best of all worlds

The really neat thing about Astro is that mostly everything I can think of has first-class support. You want MDX? Astro has it. Want code syntax highlighting? Astro has it. Tailwind CSS? Astro has it. Want to add React? Sure. Vue on top? Why not. Server-side rendering? Config switch. Static site generation? The default. Their documentation is fantastic and their .astro files were just JS extended a bit with a frontmatter-like section, so I was accustomed to the framework in no time at all.

And because I could write the CSS from scratch, I had greater flexibility and freedom to customize the site however I wanted. (That being said, I’m still terrible at design. But I’m still proud of the homepage.) And Astro does some pretty nifty scoped styling, so that rules don’t conflict with each other. Global styles can still reach over and threaten to ruin your day, but you can just dial up the specificity to avoid that.

And despite that snag I hit in the very beginning of the migration, the rest of it went very smoothly, and I was able to hit all the requirements that I set out for myself!

Comparisons

If you’re curious, here are some of the before-and-after shots:

In particular, I’m very pleased about the following bits:

The language switcher is one click instead of two. It also asks properly if you want to be redirected to the main page of the other locale if there is no translated version, instead of just disappearing, which is what happened on my old site.
The theme switcher lets you toggle to an automatic mode. It’s a bit hidden, though — you need to right-click on it twice, or go to the About page and scroll down to the “Site Settings” section.
The homepage. Did I mention the homepage yet? Oh god I love hover effects
The footer and the whimsical blurb text.
Much more efficient use of space, and the focus on content. I didn’t like having the sidebar taking up space while I read through the content on my blog post, and now you don’t have to suffer through that either.
And with Astro, I can extend this site however and whenever I want. I already went through just how flexible this darn framework is.

Of course, the site will always be a work-in-progress. But now that the big migration is over, I can finally get back to writing more blog posts that I’ve been putting in my to-do list.

That’s it!

I hope you enjoy the new site! If you have any suggestions or feedback, please reach out to be via email. In particular, please report any broken links, although I am pretty sure I’ve brought over all of them as I absolutely hate linkrot.

Also, I’ve taken the opportunity during this migration to hide a little Easter egg on the site. I personally think it’s cute. Feel free to let me know via email or Discord if you find it! (And no it’s not the blurb text in the footer.)

Now on Bluesky

Sun, 24 Nov 2024 00:00:00 GMT

I am now on Bluesky!

Couple of things:

Love how they do domain verification. Sure, Mastodon’s way of checking profile linkback is cool, too, but adding an actual DNS record feels “official”. Maybe it doesn’t scale very well, but they provide an alternate in the form of a .well-known file.
Interface is exactly like Twitter/X, but you don’t have to see Nazis. Sold!

Overall, this really seems like the replacement for Twitter. While Mastodon had some really innovative ideas in terms of federation and what not, the overall structure of it, coupled with the card column layout, was too confusing for normal people.

Now here’s to hoping it stays this way. Third time’s the charm?

The Esc key bug in games with the CJK IMEs

Tue, 19 Nov 2024 00:00:00 GMT

Recently, I’ve been playing through a really old shooter game named “Spec Ops: The Line”. Being a very old game, it has a bunch of weird quirks, such as some parts of the game being tied to the frame rate and being impossible to beat if you have a high refresh rate monitor, or the fullscreen mode completely screwing up the resolutions of the secondary monitors, etc.

But one bug that has seriously nagged me is that I can’t pause the game. Whenever I press the Esc key to bring up the pause menu, the pause menu flashes for a quarter of a second and then blinks out again. The only workaround I found was to Alt-Tab out of the game, then Alt-Tab back in, then quickly hit the Esc key twice while the game redrew onto the screen.

Unfortunately, you can’t really save and quit the game without going through the pause menu, so I tried to figure out what was going on. For some reason, I couldn’t find much information about it online. Given that SOTL had a recent surge of eyeballs on it when it was delisted from Steam, I knew that if it was a widespread issue then people must have posted about it online. The fact that there wasn’t any coverage about it, as far as I could tell, told me that it was a quirk with how the game interacted with my environment and system.

I first tried unplugging all external keyboards and mice, in case Windows was doing something weird with multiple input devices. That didn’t help. I then tried switching my input method editor from Korean to English, and that immediately fixed it. Wait, what?

So I looked online, and it seems this affects other games, too:

But why? I don’t know, but here is my best guess:

With a CJK (Chinese, Japanese, Korean) IME (input method editor), the editor must chain together a series of keypresses that the user inputs to write a single character, unlike other languages like English. For example, to type the Korean letter 가, you press the “r” key and the “k” key on the keyboard, but you get one character on the screen.

So how does the IME know whether the user meant to type 가, or ㄱ and ㅏ separately? One way that users can do this is to press the escape key after pressing the first key. This tells the IME to return to the alpha character input mode, awaiting the first keypress for the next string of keypresses to construct another character.

My hunch is when the IME emits the event for the Esc key, it also emits the event that lets the program running that it has returned to this state that awaits the alpha character input. This would allow programs to stop displaying the underline under the character being currently modified, to let the user know that successive keypresses will be interpreted as a new character. For game engines that are listening for the Esc key, they interpret it as two presses on the Esc key in succession, even though the Esc key has been pressed only once.

Unfortunately, I could not reproduce this with other keycode capturing software like KeyboardStateView for Windows, so it might just be a case of bad game engine code in some games where they never thought to test it on CJK IMEs. A pretty strange bug!

iPhone battery swap review: Apple sent me someone else's SIM?

Mon, 07 Oct 2024 00:00:00 GMT

So about a week ago, I sent in my iPhone for a mail-in repair because my battery health had dropped to 80%. (It was actually lower than that, with diagnostics showing the battery at around 77%, but for some reason the settings page stubbornly displayed 80%, as if taunting the fact that my AppleCare+ was about to run out. Thankfully, the customer agent saw the same value as I did through diagnostics, and I was approved the swap.)

A week later and it’s today, and I got my phone back. The itemized receipt was the first thing that I saw out of the box, and it showed that Apple replaced my battery and the ambient light sensor for some reason:

My only guess is either the sensor was damaged during repair, or it was damaged in such a way that it worked okay during regular use but failed diagnostics. I certainly didn’t notice the light sensor misbehaving while I used it for the last two years.

When I opened up the enclosed box-within-a-box that had my actual iPhone, I noticed that they’d removed the tempered glass screen protector, which was understandable since they had to remove the screen to get to the battery. However, they’d manhandled the removal, because the border of the frame showed gouges where they inserted their metal pry tool to lever the display up:

Sure, it’s not noticeable unless you look really closely, but I’m still bummed about it because I took very good care of my device, and it was in pristine condition when I sent it in. Anybody would expect their iPhone back in a similar condition they sent it out, especially if it went to the official repair center. And before you start to defend Apple in the comments, ask yourself if you’d say the same thing if a third-party repair center made the same marks on your phone?

Anyway, that wasn’t the most surprising thing I found with the repaired phone. I booted it up, and the initial setup wizard greeted me, because of course they’d wiped the device. (It’s okay, I have a backup, obviously.) But as I went through the setup process, I noticed the signal strength meter showed bars, and the 5G Ultra Wideband text showed up next to it. But I hadn’t even swapped in my SIM card yet…?

Turns out, someone at Apple made a mistake, and put in someone else’s T-Mobile SIM card in my repaired iPhone. I know the iPhone itself was my original iPhone, because the serial number matched what I wrote down previously.

I called up T-Mobile and explained the situation, and the agent said I was free to toss the SIM as the owner of the SIM would probably just request another SIM. Still, I plan on holding onto it for a while just in case Apple asks for it back, but really this shouldn’t happen in the first place. Also, if you’re sending in any of your devices for repair, remove all accessories and especially your SIM card for precisely this reason! You never know who might get hold of it, and nothing good can come out of someone having access to your number.

Conclusion: battery swapped, health 100%, frame damaged, and Apple gave me someone’s number just in case I was lonely. 6/10?

Shipping packages from Korea to the US with EMS Premium

Wed, 25 Sep 2024 00:00:00 GMT

Recently I needed to get a phone shipped from South Korea to here in Indiana, US. My plan was to purchase the phone online and get it shipped to our house, then ask a family member to ship it over via the post office. Sounds simple enough, right?

For starters, the local post office (EMS) refused to send the phone because it contained a lithium battery. I searched this up, and it seemed like the alternative was to use a much more expensive service like DHL or FedEx, or use something called EMS Premium. It was an option being offered by UPS Korea in conjunction with Korea’s post system, and the price seemed pretty reasonable.

To ship a phone with EMS Premium, the family member had to fill out a bunch of forms. One of them asked for the phone’s IMEI, the model number, and serial number. They also asked us to sign a form saying that they were not responsible for any damages caused to the phone. (We were allowed, however, to purchase insurance, in case the package itself was lost during transit.) So in case you try something similar, make sure to use plenty of bubble wrap and other soft materials.

All in all, it cost 54,000 won (about $40.62 as of writing this post) for the base shipping price, along with 10,000 won (about $7.52 as of writing this post) for the added lost shipping insurance.

Here’s the timeline, with local time specified for each event:

2024-09-11 10:31 - Package is received by the local post office in Korea
2024-09-11 13:22 - Package leaves local post office
2024-09-11 14:36 - Package arrives at central hub in the eastern part of Seoul
2024-09-11 15:31 - Package leaves the central hub
2024-09-11 19:59 - Package arrives at the international post warehouse at Incheon Airport
2024-09-11 23:21 - Package handed to 3rd party courier (UPS in this case)

For some reason, the package info didn’t update for a very long time after that last entry. I got worried, but it turned out that there was a changeover from the tracking code that EMS Premium used to the UPS one.

The changeover itself took like two days, which was a bit annoying but not the end of the world. Once the new tracking number had been generated the EMS Premium site started to redirect me to UPS’s website with the new code:

2024-09-13 12:19 - A label is created with UPS, but they don’t have the package yet
2024-09-13 13:54 - Package arrives at UPS facilities at Incheon, Korea
2024-09-13 13:59 - Package leaves UPS facilities
2024-09-13 14:04 - Package arrives at another UPS facility at Incheon, Korea
2024-09-13 15:06 - Package awaits final clearance from customs

Again, another long wait. I was rather nervous, because it was Friday, and Monday marked the start of Chuseok, a national holiday in South Korea. I thought that maybe UPS and/or the customs at Incheon Airport wouldn’t operate during holidays or weekends, but it turned out that they did, because the package started to move once more:

2024-09-15 01:30 - Package leaves from the facility
2024-09-15 05:52 - Package cleared by customs and is being transported

At this point, I was pretty sure that the package had made it onto a plane. I looked online, and it seemed like all packages leaving Korea headed for the US passed through a UPS facility in Anchorage.

Unfortunately, for cargo flights, it’s hard to track exactly which flight it is, as some flight radar sites online disagree on the exact schedule and positioning of each route. I then found flight 5X6099 on Flightradar24, which seemed like it had departed at 1:30 AM, exactly the time listed on the tracking page. Sure enough, the flight landed at 3:35 PM in Anchorage, and the tracking resumed:

2024-09-14 15:52 - Package arrives at UPS facility in Anchorage
2024-09-14 17:51 - Package leaves UPS facility

Another time zone change, this time to Kentucky.

2024-09-15 04:13 - Package arrives at UPS facility in Louisville, Kentucky
2024-09-15 10:29 - Import scan at facility
2024-09-15 14:43 - Package leaves UPS facility
2024-09-15 17:10 - Package arrives at UPS facility in Indianapolis, Indiana
2024-09-16 07:17 - Processing at local post office
2024-09-16 08:54 - Out for delivery
2024-09-16 12:42 - Delivered

In summary, it took 6 days in total for the package to arrive from Korea to the US. While the box was looking a bit squashed, the actual contents inside were undamaged, right down to the glass screen protector that I’d included.

The downsides are that the package contents aren’t insured for damage, like I mentioned previously, and as your package grows in physical dimensions and weight the price balloons exponentially. Even if you don’t opt for EMS Premium because whatever you’re sending doesn’t contain lithium batteries, it would’ve cost nearly 100,000 won (around $74 as of writing this) to send a box filled with tools like calipers and Korean snacks.

Still, it’s cheaper than a round-trip flight. So unless you or someone you know have a scheduled flight coming up, perhaps this is the best and only way to get packages with potentially flammable goods inside across the globe.

Django: Disallow Postgres-specific fields

Mon, 05 Aug 2024 09:52:00 GMT

Django has some fields you can define in your models that are specific to a given database engine. The problem is, once your codebase starts using those fields, the project will never work again with another database engine because of the migrations that will fail on different engines.

However, it’s hard to remind yourself not to use these fields, and coordinating that on a big project with multiple developers is close to impossible. Which is why you can write a Django system check that will disallow such fields from creating a migration file:

import inspect

import django.contrib.postgres.fields
import django.apps

from django.core.checks import Error, register


# noinspection PyUnusedLocal
@register()
def disallow_postgres_specific_fields_check(app_configs, **kwargs):
    errors = []
    disallowed_fields = [
        item[1]
        for item in inspect.getmembers(django.contrib.postgres.fields, inspect.isclass)
    ]

    for model in django.apps.apps.get_models():
        for field in model._meta.get_fields():
            for disallowed_field in disallowed_fields:
                # PyCharm bug, see: https://youtrack.jetbrains.com/issue/PY-32860
                # noinspection PyTypeHints
                if isinstance(field, disallowed_field):
                    errors.append(
                        Error(
                            f"Field {field} cannot be used as it is a Postgres-specific field: "
                            f"{disallowed_field.__name__}",
                            hint="Use fields that are database engine-agnostic and provided by Django.",
                            id="config.E005", # Use an ID specific to your codebase
                        )
                    )

    return errors

Here’s the final commit in the shipper project, if you’re interested.

I need a new browser

Mon, 05 Aug 2024 04:11:00 GMT

In May this year, I switched from Firefox to Chrome after the Mozilla team rejected one of my crappy browser extensions from their store:

Okay, that wasn’t the entire reason. For years, I’ve been quite annoyed by the design decisions of the developers behind Firefox, with the arbitrary reasons behind not supporting latest web standards such as WebUSB:

It doesn’t help that Mozilla touts Firefox as a privacy-respecting browser, but then turns around and implements crap like an ad-tracking API. And this isn’t even their first dumbest idea: they got caught doing some stupid stuff with a not-funny-at-all easter egg (I can only assume what drugs the marketing team were taking when they came up with that idea).

So I switched. And life was good. For about two months. Then I noticed this in my Chrome settings:

I now need to switch my main browser again.

Features I need

WebUSB / other latest web APIs

I feel like this is the hardest feature to satisfy, so I’m not even going to try. Because right now, the only browser that implements WebUSB seems to be Chromium and co.

Thankfully, not a whole lot of websites use such APIs (yet), so I can just keep a copy of Chromium around for such instances where I do need to interface with a device that uses them.

Again, Mozilla developers, it would be great if this was natively supported and I didn’t have to install a “privacy-invading” browser as you guys claim to do something like reflash my Arduino boards. Unfortunately, the Mozilla Specifications Positions page makes their stance on WebUSB quite clear:

(…) Because many USB devices are not designed to handle potentially-malicious interactions over the USB protocols and because those devices can have significant effects on the computer they’re connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent. It also poses risks that sites could use USB device identity or data stored on USB devices as tracking identifiers.

Okay, then feature-flag it and chuck it in about:config for people that do understand how it works. You guys love sticking config options in there anyway. Why not one more?

Honestly, if the permission dialog for WebUSB/WebBluetooth/etc. had a giant scary triangle with yellow or red colors that screamed “this is dangerous” then I think it’s deterrent enough for regular users to hit “Deny”.

Sync

Chrome’s Sync is really, really good. I don’t think I had a history item that didn’t sync across devices.

Contrast that with Firefox Sync, and you just know Mozilla’s implementation isn’t as good. Personally, I’ve had so many issues with syncing that it drives me crazy. Sending tabs to devices is a crapshoot and every now and then it doesn’t work.

However, I can’t make a concession on this point, because I value being able to pick up my work right where I left off on my other devices. Loading up a long article on my laptop, and then riding the subway and reading that same article on my phone becomes much more cumbersome if I have to manually copy and paste URLs around.

Which leads us right to…

Mobile apps

I’m currently back on my iPhone after the disastrous attempt of switching to Android a couple of months ago, which means every browser is just reskinned WebKit. (Unless you’re in the EU, of course, because that’s where you get actual basic human rights, apparently.)

Again, Chrome makes the best of it with WebKit, but Firefox’s iOS app is quite buggy. I don’t blame the developers, but there are still outstanding bug reports that I filed a few years back that have still yet to be fixed. (Like this, this, and this. And some that I didn’t report but personally encountered, such as this one.)

Unfortunately, LibreWolf — the Firefox fork I was eyeing — do not have any mobile apps, and from what I can gather from their documentation, don’t have any immediate plans on creating any. Coupled with the previous Sync requirement, this rules out a vast majority of browsers that don’t have a big developer team behind it, at least for me and for the time being.

uBlock Origin

This is another hard requirement of mine, and one which rules out nearly all Chromium-based browsers immediately. (Why else would I be switching from Chrome?)

Brave is a Chromium-based browser that claims they’ll retain Manifest V2 after Google yanks and kills it, but this hinges on Google not removing the code paths from Chromium as referenced in the Brave CEO’s tweet (or Xeet or whatever they call it nowadays). They think it’s required for enterprise support, but I don’t want to switch browsers yet again if their bet turns out to be a dud.

Switching to…

So for the time being, it seems like I’ll grudgingly be going back to Firefox, and staying there until a better alternative pops up or until Mozilla manages to kill it for good.

Just like a NLE video editor, it seems like good browsers are hard to come by.

I got scammed on Swappa

Mon, 08 Jul 2024 00:00:00 GMT

I bought a brand-new, unopened Samsung Galaxy Z Fold5 back in January this year. At the time, I needed a phone to develop Android apps on, and I was browsing through Swappa when this listing caught my eye:

At the time I thought it was a great deal, and the thought of being able to test apps on a foldable screen made me pick it up.

I only had the rational thoughts after I’d paid for the listing, so I contacted the seller and asked if the phone was legitimate. This was the (rather shouty) response:

The only thing I could do was wait and hope that the phone really was legitimate. And when it showed up, for a while I thought that it really was. It was sealed in the factory original packaging, with a pre-loaded Google Fi SIM card. I guessed the seller had gotten the phone from Fi as a promotion and was selling it on.

And all was well, for about five months.

The problems start

Then one sunny day in June, I noticed that my phone didn’t have reception. I was out on vacation in Korea, and noticed that the US eSIM that I had wasn’t getting any roaming signal. Thinking it was a simple bug with the system, I contacted Visible and asked them if they could re-provision the eSIM and enable Wi-Fi calling.

After a bit of back and forth, this is what they finally responded with:

Sure enough, when I looked up the IMEI, it showed up as blacklisted:

Of course, the seller stopped responding on Swappa, so I filed a PayPal claim. However, PayPal took so much time sorting out the claim that I thought they were trying to help out the seller at times. Despite being unresponsive on Swappa, the seller provided fishy “evidence” on the PayPal claim, saying ridiculous things like the phone not being blacklisted at the time of sale. (And?)

After a month of back-and-forth like this, PayPal told me that the only way I was getting a refund was if I submitted a police report:

The trouble was, I was in Korea, and I didn’t have reception because my phone had been blacklisted. To top it all off, Visible didn’t allow re-downloading the eSIM outside of the US.

I first ported my phone number to a carrier that did allow eSIM downloads outside of the US, and also supported Wi-Fi calling activations overseas (I have no idea why this isn’t the standard). Then I called up the sheriff offices and asked for an officer that I could file a report with. I’d like to thank the officer at the Tippecanoe County Sheriff for helping me out — he even sent the report over the Fourth of July:

Finally, after nearly a month since I first reported the claim to PayPal, PayPal closed the claim in my favor and refunded me the full amount.

How?

So how did my phone get blacklisted five months after the sale? And what can you do to avoid such a thing?

Well, as part of gathering evidence to submit to PayPal, I contacted Google Fi about the blacklisted phone, and this is what they had to say:

So here’s how the scam works:

The scammer buys a new phone from Google Fi, backed by insurance
The scammer sells the phone on used marketplaces like Facebook Marketplace and Swappa
After the sale, the scammer gives some time to make the buyer think the phone is legitimate
The scammer then claims the phone as lost/stolen
Insurance gives the scammer a new phone to repeat the scam with
Insurance blacklists the original phone, screwing over the buyer

This is a pretty clever tactic, because if you didn’t use something like PayPal and don’t have buyer’s protection, you’re absolutely screwed at this point unless you take the scammer to a small claims court or something. I was very nearly in this position because my buyer’s protection on PayPal expired a week after the claim was closed. If the scammer had been a little bit more patient then they totally would’ve gotten away with it.

And for the scammer, there’s literally no downsides. If they get away with it, they make nearly a grand and still get their phones for their next scam. If they don’t (like my case), they only lose out on the UPS shipping fees and the seller chargeback fees (if PayPal charges any). Which is probably why they did this with other folks, too:

Unfortunately, there’s no real good way of protecting yourself from scams like this, other than not buying used phones. I’m personally never buying a used phone again after this incident unless the seller is someone I trust. Phone insurance can go as long as the original owner keeps paying for it, and the used phone can be blacklisted at any point.

The massive headache I had to go through to get my US cell service back up while overseas was truly the worst experience that I’d never like to go through again. Don’t do what I did and pay a little more for peace of mind.

Update

PayPal banned me:

They initially told me that this was because I was accessing my US PayPal account from another country (yeah, I was traveling. So what?) but then refused to elaborate more when I explained I was out on vacation. I’m guessing the ban reason is because of the claim opened months after the sale.

I called them up and asked about an appeal, but they told me that it was denied and the decision was final. Very classy, PayPal.

DaVinci Resolve short codec testing

Fri, 28 Jun 2024 00:00:00 GMT

Update: the following only applies to the free version of DaVinci Resolve. I’ve since learned that the Studio version (with the license) supports up to 10-bit color space, and I’ve also confirmed that it can import and play back the codecs below without any issues. For posterity (and for free users) I’ll leave this blog post here, but I strongly recommend purchasing a copy of the Studio license if you need to frequently edit 10-bit media.

I spent some time today testing out the different video format settings on my camera with DaVinci Resolve, as I got burned on the latest project I was working on when none of the footage I shot on my ZV-E1 would import correctly into DVR. The video files would import as audio clips with no apparent warnings or errors.

Here are the test results, as of DaVinci Resolve 18.6:

File format (fps)	Bitrate / Color space	Imported?	Notes
XAVC HS 4K (24 fps)	100M / 4:2:2 / 10 bit	No	Imported as audio clip
XAVC HS 4K (24 fps)	100M / 4:2:0 / 10 bit	Yes*	First few seconds corrupt
XAVC HS 4K (24 fps)	50M / 4:2:2 / 10 bit	No	Imported as audio clip
XAVC HS 4K (24 fps)	50M / 4:2:0 / 10 bit	Yes*	First few seconds corrupt
XAVC S 4K (30 fps)	140M / 4:2:2 / 10 bit	No	Imported as audio clip
XAVC S 4K (30 fps)	100M / 4:2:0 / 8 bit	Yes
XAVC S 4K (30 fps)	60M / 4:2:0 / 8 bit	Yes

Some notes:

I was unable to test any of the XAVC S-I options, as none of the SD or microSD cards I have on hand are fast enough (V90) :/
For the entries that imported with an asterisk, something interesting happened in the first couple of seconds of the footage where the video frames showed up with this weird corruption/color-banding effect in DVR:

I initially thought that maybe the microSD card was going bad, so I swapped it with a spare and tested again, but the same exact problem occurred. I then ran the video through MPC-HC and discovered that the corruption issue was not there.

Summary

As of DaVinci Resolve 18.6, on the free version, the following setting on your camera (assuming you use a Sony ZV-E1) is your best bet:

XAVC S 4K, 100M / 4:2:0 / 8 bit

If you use the 4:2:2 chroma subsampling, your videos will import as audio clips.
If you use 10 bit, the first few seconds of the footage will be corrupt, and there may be other rendering issues exporting the video.

And I’m still looking for a good NLE video editor that won’t make me sign away my newborn (cough Premiere cough) and won’t crash every ten seconds (Kdenlive) and doesn’t have codec allergies. Tag me on Mastodon if you have any suggestions!

Linux on daily desktop attempt lasted two days

Thu, 06 Jun 2024 06:43:38 GMT

A quick summary of what went wrong:

Nvidia graphics

I know it’s always Nvidia graphics, but quite honestly it got very close this time! The only problem is, I kept getting those weird flickering issues on KDE + Wayland:

From reading online, it seems to be a problem with the Nvidia drivers not supporting explicit sync on Wayland. Support was added in driver version 555, but it was still in beta and the stable one was stuck at 550. (And while this was going on, Windows had the 555.x drivers for quite some time now…)

As a workaround, I switched to using X11, which solved this bug but made the experience much slower.

Input method

I just tried to get Korean input working with nimf, but I guess I made a mistake writing .xprofile, because the entire desktop environment ended up going away, never to return:

Sidenote: it’s still a pretty terrible experience configuring an input engine on Linux. I chose nimf because it worked quite well on my other Linux machines using Wayland, but the procedure could use some polish. The current installation procedure involves adding the lines as described on the Arch Linux wiki to .xprofile, signing out and signing back in, and then rebooting when you realize that didn’t work, the messing about with the KDE keyboard settings a little, then finally somehow getting it working after invoking nimf & a bunch of times.

Instead, this should be a single configurable option in the desktop environment’s respective settings page, and hopefully not require signing out or rebooting.

Anyway, that concludes my two day testing of Linux on my daily-use desktop. I’ll probably give it another shot once the 555 driver is out.

Passkey fail

Fri, 26 Apr 2024 00:00:00 GMT

William Brown:

However Chrome simply never implemented it leading to it being removed. And it was removed because Chrome never implemented it. As a result, if Chrome doesn’t like something in the specification they can just veto it without consequence.

I hate waiting on browser support. About a year or two ago, I transitioned my family to use hardware keys to sign in to services, and it was truly fucking awful. Back when I started using hardware keys, Safari on iOS had zero support for FIDO keys (so before iOS 13 or 14?) and when they finally added it they only added support for NFC keys or something like that, which meant keys that relied on Bluetooth and USB connections wouldn’t work at all, unless you got Google’s helper app and did some weird pairing song-and-dance.

It feels like that, but all over again for Passkeys. Bitwarden supports it, but only on desktop browser extensions. (Did I mention that none of the client apps, aside from the browser extension, support hardware keys in 2024? Forcing you to enroll another 2FA just to sign in to those apps, that weakens overall account security?) If I can’t store it in a password manager, I can’t get cross-device sync, and I do not want to dig out a single device every time I want to authenticate to a given service.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate - you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better ux.

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?

Yeah, why wouldn’t I want to store my passkey in my iCloud account? Oh, because I actually own devices that aren’t made in Cupertino and aren’t allowed to talk to Apple’s servers. And on Android it’s Google trying to hoover up the passkeys.

At this point, passkeys are just SSO with extra steps.

Korea's mobile carriers are evolving backwards

Sat, 06 Apr 2024 00:00:00 GMT

As I’ve lived in the US for the last year or so, I feel qualified in comparing cell service between South Korea and the US, and describing how shit the former is.

No mixing numbers

Korea was pretty late to the eSIM game, but when we finally got eSIM, it came with a whole bunch of restrictions. The biggest restriction is that your phone lines get suspended if you happen to mix SIMs with different identities on a single handset.

Your mom’s phone stopped working, and you want to see if it’s a phone problem or a USIM problem so you put your mom’s USIM in your phone? Too bad — now both you and your mother’s cell service have been suspended, which means you have to go to the nearest carrier store to beg them to reactivate it.

(Note that this restriction only became an issue because we didn’t really have dual-SIM phones in Korea for a very long time, probably because the Korean carriers lobbied hard against it. But with the introduction of eSIM, mixing SIM cards in the manner described above became possible.)

Of course, the Korean carriers claim this is to prevent the proliferation of stolen burner phones, but we had that issue back when we had physical USIMs, so I’m not sure what effect this restriction will have in preventing such problems.

IMEI collection

To facilitate the above restriction, Korean carriers collect both IMEI values of your phone when you sign up for an eSIM. They use this information to verify that a given handset only has SIMs tied to one identity.

This is ridiculous. No other carrier requires you to submit both IMEI values just to activate an eSIM card. When I activated my eSIM in the US, Visible (an MVNO of Verizon) asked me for one of the IMEIs on my phone, and that was it.

Speaking of activating eSIMs…

Activating eSIMs in Korea sucks

Korean carriers charge you 2,750 won (about $2) every time you re-download your eSIM. In stark contrast, I can move my eSIM around with my US carrier Visible with zero restrictions. In fact, I can’t think of a single carrier around the world, except for Korea, that charges for an eSIM transfer.

The entire point of eSIM is that since it’s all digital, there’s no physical card to make. The cost of moving bits around on a server and beaming me that eSIM info should be negligible.

Now, apparently the Korean carriers are claiming the cost is due to royalties involved in implementing eSIM. But considering other carriers around the world don’t pass that on to their subscribers, and considering we’re already paying a whole lot of money just for cell service, I think they should stop being so freaking greedy and eat the cost.

Oh, and actually re-downloading the eSIM?

In the US, re-downloading an eSIM is just a couple of taps on the mobile app.

In Korea, you need to call their hotline during working hours and hope that the process works, or go to a physical carrier store. Kind of hard to do when you’re on the other side of the freaking globe, like me.

The arbitrary 4G/5G divide

In America (and many other parts of the world), there is no distinction between the different generations of cell service. If you bought a new 5G phone, pulled your SIM from your old 4G phone and put it in the new one, then you’d get 5G service, automatically.

In Korea, you have to sign up for a specific 4G or 5G plan when you sign up. Of course you have to pay more to get 5G service.

This creates a bit of a problem, where people are content with just using their 4G services, because 5G is marginally better than 4G due to the infrastructure just getting started. Then carriers don’t want to spend money on expanding the infrastructure, which leads to stagnation and 4G and 5G being used in tandem.

But in other countries, all users automatically get 5G service, so they have more reasons to expand and set up more 5G cell towers. This also allows them to deprecate old gear and start removing 3G and 4G services.

In the long term, focusing on maximizing profits by putting arbitrary distinctions on cell service generations will lead to Korea falling behind in terms of cell service quality, compared to other countries.

Speaking of quality going downhill, can I introduce a cell service feature that is nonexistent in Korea?

Wi-Fi calling (or lack thereof)

It’s quite ironic: there are tons and tons of Wi-Fi access points in South Korea, but if you were to try and call through them when you’re in an area with Wi-Fi coverage but no cell coverage, you’ll discover that you can’t.

I got bit by this once when I was traveling in the countryside and got to a place with zero cell service, but pretty decent Wi-Fi. I still couldn’t make any calls or send any texts until I walked closer toward an urban area.

Most first-world country cell carriers already implemented this feature ages ago, so I have no idea what would drive Korean carriers to not implement this, other than cutting corners.

Since we’re talking about costs, I’ll wrap up with…

The cost of unlimited

In the US, I pay $25 for unlimited calls, texts, and data, on 5G. Even data for tethering is free, no strings attached.

In Korea, I need to pay over 100,000 won (about $74) just to get close. And even if I pay 3 times as much, I still get data limits tethering.

If nothing changes, I fully expect this trend to continue. We will get less for more.

I hate Lockdown Browser

Tue, 20 Feb 2024 00:00:00 GMT

Recently I’ve been working off of my Linux laptop for most things, because having a terminal around that isn’t running Windows or macOS is fun and useful.

That got me wondering if I could take one of my courses’ exams on the machine, since it used Respondus’s Lockdown Browser, an exam-focused browser that locks you out of all other apps for the duration of the exam.

Long story short: you can’t. But if you want to follow along, then you can see how terrible Lockdown Browser is, and the insanity that students have to deal with nowadays.

Is there a Linux client?

First thing I checked. No.

Does it run under a VM?

Yes, it runs. It shows you this error message:

And quits.

But we’re Linux nerds, so we’ll dig a little deeper.

Tricking Lockdown Browser

We need to hide the fact that we’re running LDB inside a VM, from LDB.

First order of business is to pass through the SMBIOS information from the host machine to the virtual machine, by editing QEMU’s XML. Add the following lines between the <os> </os> XML tags:

<os>
  <!-- Some other lines... -->
  <smbios mode="host" />
</os>

Next, we need to disguise the CPU. By default, QEMU reports to the virtual machine that it is being virtualized, and that the vCPU is not a physical CPU. We need to tell QEMU to not be so honest, and to pass in the CPU information directly. Find the <cpu> tag, and if it is enclosed, create a closing tag and paste in the following:

<cpu ...>
    <topology sockets="1" dies="1" cores="1" threads="2"/>
    <feature policy="disable" name="hypervisor"/>
</cpu>

You will need to edit the CPU topology to match your vCPU configuration, or else it will either not apply, or your VM will crash.

By disabling the hypervisor, we’re lying to the VM and telling it that it is not actually virtualized. The VM will now think the CPU has virtualization capabilities, not that it is being virtualized. Check using Task Manager inside the guest OS — if you see something like “Virtual Machine: yes”, then it didn’t work properly. It should say something like “Virtualization: Enabled”.

Finally, the last thing we have to do is to hide device names from LDB. Boot into the virtual machine, fire up regedit, and navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Find each virtual drive device, and change the FriendlyName to something like Samsung HDD 500 GB ATA or LG SuperDrive 20x CD-ROM. (You may need to grant yourself permissions if regedit complains.)

Once you’ve done all that, LDB should now launch.

Very briefly.

There’s a second lockout?

Unfortunately, LDB has a second lockout to lull you into a false sense of security. Once you start the exam, after a couple of seconds, you will see this screen:

This probably uses some other VM detection technique. If you’re curious, there’s a repository named pafish that goes over some of them.

I could probably also find a workaround for this given enough time. But the exam is next week, and I really can’t be bothered, and if this happens on the actual exam I don’t want to get suspected of cheating when I only wanted to take the test on my Linux laptop. I can just take it on another computer.

And therein lies the problem.

What is Lockdown Browser trying to prevent again?

Lockdown Browser tries to prevent cheating by locking you out of the computer you’re taking the test on and disallowing you from opening other applications, like browsers.

Only, of course, on the computer you’re taking the test on.

So what prevents a student from… using two computers? Or heck, a phone? Everybody has a phone right? ~~Do you guys not have phones?~~

Our professor actually recommended students to use one of the campus computers if we used our personal computers to take notes on, since the exam was (and the upcoming exams will be) open notes. What’s the point of using Lockdown Browser, then?

And some reasons why you should avoid installing Lockdown Browser…

While testing out the VM techniques, I noticed that Lockdown Browser was causing the virtualized OS to act erratically. At one point, Task Manager refused to run, despite not having Lockdown Browser open. I had to restore a snapshot to get everything going again.

That’s not all. If you search “Lockdown Browser broke my computer”, you will see a ton of testimonials:

Which is not surprising. Lockdown Browser messes with Windows’s Group Policy, the Registry, and Power Options, to prevent other applications from opening, take full control of your computer, and prevent it from going to sleep. And sometimes the shoddy code of LDB means that your computer might not be the same state as before taking the exam, after the exam is over.

And what better things do students have to do, than reinstall their operating system on their laptop and set up literally every single program that they need for their coursework, in the middle of the semester, and then do it all over again during finals week? Nothing, that’s what. I’m sure everyone cheers at the Windows/macOS setup wizard screen.

Any alternatives?

There is another project that utilizes Windows Sandbox, that actually works. (I’m guessing this is because Windows Sandbox utilizes Hyper-V, which is significantly harder to detect as it’s in Microsoft’s best interests to make it rock-solid for enterprise users and for preventing Xbox exploits.) However, the project was recently placed into Respondus’s bug tracker, suggesting that this will be patched out soon.

So what now?

Once this blog post goes up, I’ll be emailing my professor a link so that hopefully the use of Lockdown Browser is reconsidered. If your school or college also utilizes Lockdown Browser, I suggest linking your instructor this blog post to hopefully convince them not to use Lockdown Browser.

Some might think that LDB is working because I was unable to get the VM detection evasion working. No, it’s not. My whole point is that LDB is unnecessary and just makes students lives more complicated because it messes up your computer for no good reason, while cheaters can just cheat away using other devices they have at their disposal while never ever triggering LDB’s mechanisms — because it is impossible to detect that someone is using another device to cheat. Simply put, LDB punishes students, especially poorer ones that cannot afford multiple computers, while letting cheaters get away scot-free. (I think there might be some social commentary quip that’s appropriate but it’s midnight as I write this and I’m tired so please feel free to come up with one with your own imagination.)

In the meantime, I guess I’ll go find a library computer or something to install this malware-esque examination program on. Because hell if I’m installing this on my personal computer, even if it’s possible on Linux in the first place.

Update

I actually got a reply from my professor today, and it seems like the Lockdown Browser requirement will be removed going forward! (Thank you professor if you’re reading this!)

If your institution requires the use of Lockdown Browser, consider sending them this blog post to show them how ineffective it is. And if they change their mind, post about it somewhere! The more we speak out against this piece of shit software the more normalized it would be to not use it.

PowerShell Incognito Mode

Sat, 03 Feb 2024 00:00:00 GMT

Back in 2021 (three years ago?!), I wrote a blog post about “incognito” mode in the bash terminal. Well, I also use Windows systems nowadays, and I needed a way of disabling PowerShell’s history function temporarily.

PowerShell has two history modules. The first one is constrained within the current session, and you can see all the commands you ran during that session by running Get-History:

PS C:\Users\erics\OneDrive\Pictures> Get-History

  Id CommandLine
  -- -----------
   1 cd .\OneDrive\Pictures\
   2 ls

The other history module is saved by PSReadLine, and this one is a bit more troublesome, as it functions exactly like .bash_history — it saves your commands to a file that persists (until you get rid of Windows or delete that file). The path at which it’s saved is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine.

Now, by default, the situation is even worse over on PowerShell, because commands prefixed with a space is still saved to the history, unlike bash.

Thankfully, we can fix some of these annoyances ourselves by editing our profile script.

(Note: most of the code below came from this GitHub issue discussing this exact problem!)

Editing the execution policy

Because PowerShell is configured to not run any untrusted scripts by default, we need to adjust the execution policy:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force

There are two policies: Unrestricted and Bypass. Unrestricted will at least warn you before executing scripts, while Bypass will happily run anything and everything with zero warning (sort of like what bash and Linux shells do by default with anything with the +x flag.)

Edit the profile script

Open up the profile script in your favorite editor:

notepad++ $profile

And paste in the following:

# Don't record space-prefixed commands
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    return $line.Length -gt 3 -and $line[0] -ne ' ' -and $line[0] -ne ';'
}

# Disable/enable history wrappers
function Disable-PSReadLineHistory {
    $global:PSReadLineOldHistorySaveStyle = (Get-PSReadLineOption).HistorySaveStyle
    Set-PSReadLineOption -HistorySaveStyle SaveNothing
}

function Enable-PSReadLineHistory {
    # Only change the history style if we previously saved it in `Disable-PSReadLineHistory`
    if (Test-Path variable:PSReadLineOldHistorySaveStyle) {
        Set-PSReadLineOption -HistorySaveStyle $global:PSReadLineOldHistorySaveStyle
    }
}

Now, whenever you want to disable the PowerShell history temporarily, run Disable-PSReadLineHistory. It will disable history recording for that current session.

I wish they’d just add these in as the default.

Clearing old history

If you have sensitive commands recorded into history, then you can delete them by running Clear-History and deleting the aforementioned PSReadLine’s history file.

Or, you can use this script from Stack Overflow.

Windows Bluetooth shortcut with AutoHotkey

Sun, 07 Jan 2024 00:00:00 GMT

Here’s a AutoHotKey script that quickly opens up the Bluetooth settings for Windows 11:

Persistent
#b::
{
    ; Open Quick Actions window
    Send("{LWin Down}a{LWin Up}")
    ; The quick action window takes a while to initialize and allow keyboard navigation
    ; Without the sleep timer you may end up on the wrong screen (or disabling WiFi)
    ; If your computer is slower, increase this value a bit more
    Sleep(600)

    ; WiFi -> Bluetooth
    Send("{Right}")

    ; Bluetooth chevron
    Send("{Tab}")

    ; Enter Bluetooth chevron
    Send("{Enter}")
}

Note that you need at least Build 22563 of Windows 11 in order to use this script.

I got SKT to make me a data-sharing eSIM!

Thu, 28 Dec 2023 00:00:00 GMT

By policy, you can’t get an eSIM from SKT for data-sharing purposes. If you try online, an error message pops up saying that tablets are not supported for the eSIM generation process, and the customer service agents also say it’s impossible. I also couldn’t find anything scouring the various Korean forums, so I assumed I had to use a USIM again to open up a data-sharing line.

But when I went to a SKT branch yesterday, I needed two fields – IMEI1 and IMEI2. Most phones have the two systems for eSIMs and USIMs separate, assigning a separate IMEI to each, which makes eSIM generation possible for those devices. However, for tablets supporting eSIM like the iPad, most of them share a single IMEI value between the eSIM and USIM, switching back and forth as necessary, and many SKT employees just give up at this stage. However, after inputting the same IMEI value for both fields, the registration process proceeded normally.

Of course, this is still against policy, and because data-sharing lines can be frozen or have other issues crop up if you look at it wrong, you need to be aware of the fact that you may potentially waste the eSIM generation fee when you proceed with this process.

Once the registration process was over and the eSIM QR code was scanned on the iPad camera, the eSIM downloaded without any problems. Honestly, this shouldn’t be such a big surprise since eSIMs and USIMs are the same – only Korean telcos treat them differently. (~~Because we’re sooooo special…~~)

If you go for the same thing but the employee won’t do it for you, then I suggest going to a different branch, possibly one run directly by SKT (called 직영점 in Korea). I also got denied a year ago at a different branch. Because this is something that they’re doing against policy, don’t be rude to them if they don’t do it for you and ask them politely or ask another employee.

As a side node, I thought about why they would need both IMEI values, and decided that the carriers were collecting them to freeze SIMs with non-matching identities. (So in Korea, to prevent burner phones, carriers will automatically freeze both lines if they detect that they have different registered identitites but are tied to the same phone.) Which doesn’t make sense, because there are cases where you may need two SIM cards with different registered identities in the same phone (like if you’re troubleshooting why a given USIM card of your relative won’t work in their phone), and if you really needed a burner phone you’d just buy more of them. I suspect the rule’s really in place just to inconvenience consumers.

Update

As of May 24th 2024, this method still works as I used it to activate another device on the network.

Hosting my own short URLs with YOURLS and Docker

Wed, 29 Nov 2023 00:00:00 GMT

I’ve always wanted to self-host a short URL service. Mainly because sometimes you need to hand out links, and links expire. (Unless you manage to cheat entropy and the decay of the universe.) So if I have my own short URL service, I can hand out what is essentially a permalink, because I can update it until the heat death of the universe or when my server shuts down because I forgot to pay the bill on time, whichever is faster.

Anyway, I set it up with YOURLS and Docker (+ Docker Compose). I thought it was going to be difficult, but it’s literally this file:

docker-compose.yml:

version: "3"

services:
  mariadb:
    image: mariadb:11
    container_name: yourls-mariadb
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ROOT_PASSWORD_HERE
      MYSQL_PASSWORD: DATABASE_PASSWORD_HERE
      MYSQL_DATABASE: yourls
      MYSQL_USER: yourls
    volumes:
      - ./mariadb:/var/lib/mysql

  yourls:
    image: yourls:latest
    container_name: yourls-app
    restart: unless-stopped
    depends_on:
      - mariadb
    environment:
      YOURLS_DB_HOST: mariadb
      YOURLS_DB_USER: yourls
      YOURLS_DB_PASS: DATABASE_PASSWORD_HERE
      YOURLS_DB_NAME: yourls
      YOURLS_USER: ADMIN_USERNAME_HERE
      YOURLS_PASS: ADMIN_PASSWORD_HERE
      YOURLS_SITE: "https://yourls.example.com"
      YOURLS_UNIQUE_URLS: "true"
      YOURLS_PRIVATE: "true"
    volumes:
      - ./yourls:/var/www/html/user

  swag:
    image: linuxserver/swag:latest
    container_name: swag
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=yourls.example.com
      - VALIDATION=http
      - EMAIL=letsencrypt-email@example.com
    volumes:
      - ./swag/config:/config
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - yourls

Once you have it up and running with docker-compose up -d, you do need to move the sample configuration file in the swag/ folder and adjust some settings, but that’s not too difficult.

Here’s a short link back to this blog post: https://links.ericswpark.com/blog-yourls (so meta!)

Automatically generate captions for my videos with Whisper

Tue, 08 Aug 2023 00:00:00 GMT

I hate writing captions for my video, because it’s such a time-consuming process. So when I discovered OpenAI’s Whisper program (and model), and the re-write in C++ made by Georgi Gerganov, I knew I had to try it out to save myself hours of transcribing pain.

After generating an MP3 file in FCPX, I used ffmpeg to convert it to a WAV file that Whisper.cpp expects:

ffmpeg -i input.mp3 -acodec pcm_s16le -ac 1 -ar 16000 output.wav

Then I installed Whisper.cpp:

git clone https://github.com/ggerganov/whisper.cpp.git
cd whisper.cpp

# You probably don't need large, but that's what I used
bash ./models/download-ggml-model.sh large
make large

# Adjust threads to your computer's CPU
./main -t 10 --output-srt --language en --model ./models/ggml-large.bin --file ~/Downloads/output.wav

The audio file I gave it was nearly 12 minutes in length, and Whisper.cpp took about 5 minutes in total to process it.

After it spat out an SRT file, I imported it into FCPX and had a look. While there were some typos that I had to correct, it was nearly 90% correct in deciphering my terrible, terrible voice. The only minor gripe I had was that each line started with a space, which I thought was probably a bug in Whisper.cpp converting the VTT generated by Whisper into SRT, but other than that it was perfect. I no longer have to manually type out my own voice.

Smooth scrubbing videos, version 2

Sun, 06 Aug 2023 23:48:32 GMT

This is an update to the original blog post. I decided to write this quick update blog post because I found some new resources and techniques on re-encoding to get a smooth scrubbing video.

ProRes?

Apple’s ProRes stores video frames “uncompressed”, which means computers don’t have to spend a ton of time decoding them, compared to other compressed codecs like H264 and so on.

Here’s an example command that you can use quickly:

ffmpeg -i input.mp4 \   # input file
  -c:v prores_ks    \   # ProRes encoder to use (prores and prores_aw exists, BUT)
  -profile:v 3      \   # ProRes profile to use (see below)
  -qscale:v 11      \   # The "quality" of the output (9-11 is a good range; lower is better)
  -vendor apl0      \   # Tricks Apple programs
  output.mov            # Must be a container that supports ProRes (the other two being mkv and mxf)

Encoder

Do not use prores or prores_aw. I know it’s shown as an option above, but the two implementations are slow and bad. Just use prores_ks.

Profile

ffmpeg ProRes profiles are mapped to the following integer values:

proxy - 0
lt - 1
standard - 2
hq - 3
4444 - 4
4444xq - 5

Use 3, unless you need 4:4:4 over 4:2:2 chroma subsampling. In which case you will also need to pass in the -pix_fmpt yuva444p101e parameter. (If you don’t what this means use 3 or below.)

qscale

This parameter is discussed in the documentation below, but brass tacks for fast reading:

0 is the best, 32 is the worst
Recommended: 9-13
Overkill (space is of no concern): 5 or below
Warning: approaching 0 will cause the video file to be unplayable as it would be too big for machines to handle!

I got this command from the official ffmpeg documentation, so if you need more details go check it out there.

And unfortunately, unlike the H264 method below, I have been unable to use hardware accelerated encoders on ProRes, as it keeps giving me a weird, nonsensical error each time I attempt it. If you know how to fix this please leave a comment and I’ll update this section!

H264

I need to make a slight correction to making smooth-scrubbing H264 videos.

After reading ffmpeg’s official documentation, to get the smoothest scrubbable videos, you need to eliminate the P-frames as well as the B-frames. And here’s the updated command to do so:

ffmpeg -i input.mp4 \   # input file
  -c:v libx264      \   # H264 encoder
  -profile:v main   \   # H264 profile
  -g 1              \   # Eliminate P frames
  -crf 9            \   # The "quality" of the output (7-11 is a good range; lower is better)
  -bf 0             \   # Eliminate B frames
  -vendor apl0      \   # Tricks Apple programs
  output.mp4

And a quick last pro-tip: if you have an Apple Silicon Mac, you can use hardware acceleration to speed up the video encoding! Just replace -c:v libx264 with -c:v h264_videotoolbox, and replace the -crf 9 parameter with -b:v 8000k (as the encoder only supports constant bitrate settings and not crf). Adjust the value as necessary, depending on the source file.

OK I said last tip but this is really the last one: check out ffpb as it gives you a progress bar for ffmpeg jobs!

Tip on faulty SD cards in GL.iNet routers

Wed, 02 Aug 2023 15:33:38 GMT

After spending about an hour wrestling with my travel router to get it to recognize my SD card, I decided to write this blog post to save someone the headache and pain I went through.

I had an SD card that worked fine in all devices but the GL.iNet router. Now, your first thought is probably the formatting of the SD card, right? Well, I tried everything. Both GPT and MBR for the partition table, and ext4, exFAT, NTFS, and FAT32 for the actual formatting of the partition. But none of the combinations worked.

SSH-ing into the router, I found the following entry in the dmesg:

[  280.757666] mmc0: mmc_rescan_try_freq: reset power

This line kept popping up whenever I ejected and inserted the SD card.

On a whim, I tried a different SD card, a known good one from Kingston. And that’s when the router immediately recognized the card. In the dmesg:

[  444.254378] mmc0: new ultra high speed SDR104 SDHC card at address 0007
[  444.264841] mmcblk0: mmc0:0007 SD16G 14.4 GiB
[  444.265892]  mmcblk0: p1

And when the card was ejected:

[  448.910935] mmc0: card 0007 removed

I looked at the other SD card that hadn’t worked. Some no-name brand SD card. I decided it had failed just enough to not meet the router’s tolerances, snapped it in half, and threw it in the bin.

So pro-tip: if your device stops detecting an SD card, try a different one.

PS: the formatting turned out to not matter much after all. The router (that I have, the GL-AXT1800, anyway) supports exFAT, FAT32, NTFS, and even ext4. I’m not sure whether or not it recognizes GPT partition tables, but given that it’s running OpenWRT underneath I would be very surprised if it didn’t.

Exway doesn't care about USB-C conformity

Wed, 26 Jul 2023 00:00:00 GMT

Today was the first time I charged my Exway remote after getting the electric skateboard in May or so. When I went to plug it in with my USB-C charger, I noticed that the remote didn’t light up.

My heart sank a little when I noticed that the other end of the type-C cable was connected to the type-C port on my charger. If what I thought was true, it would be another device that the engineers didn’t put care into. Sure enough, when I plugged the remote in with a USB-A to type-C cable, it immediately lit up and started to charge.

So in this blog post, I’ll go over my support ticket to Exway, Exway’s response, and why you should care and not accept devices that violate the USB-C specifications.

My support ticket with Exway

My initial report:

From: exway@ericswpark.com
Title: Exway remote missing USB-C resistor
To: service@exwayboard.com
Date: Wed, 26 Jul 2023 13:24:11 +0900

Hi,

I noticed that the remote for the Exway Flex has a missing resistor on the USB-C port. This makes it so that it will not charge with a type-C to C cable. Is this problem fixed with newer revisions of the remote?

Thanks,
Eric

Their response:

From: Support service@exwayboard.com
Title: [Exway Board] Re: Exway remote missing USB-C resistor
To: Exway exway@ericswpark.com
Date: Wed, 26 Jul 2023 08:12:09 +0000

Hi Eric,

Thanks for reaching

The new remote is using the USB-C charge port

Best
Exway after-sale support team

Oh no. They’re not even reading my email…

From: exway@ericswpark.com
Title: Re: [Exway Board] Exway remote missing USB-C resistor
To: Support service@exwayboard.com
Date: Wed, 26 Jul 2023 17:42:40 +0900

Hi Exway,

I think you misunderstood my question. My remote does indeed have a USB-C port. However, it is missing the proper resistor that tells the connected type-C cable that it draws power. As a result the remote does not charge with a type-C-to-C cable.

My question was, whether or not this is fixed in newer revisions of the remote.

Thanks,
Eric

And their response:

From: Support service@exwayboard.com
Title: [Exway Board] Re: Exway remote missing USB-C resistor
To: Exway exway@ericswpark.com
Date: Wed, 26 Jul 2023 08:59:22 +0000

Hi Eric,

Thanks for getting back

Then we suggest you change the cable to USB- C port, C-C cable is still not able to be compatible

Best
Exway after-sale support team

That was kind of the caring and thoughtful response I was expecting from a Chinese company, but I tried again anyway:

From: exway@ericswpark.com
Title: Re: [Exway Board] Exway remote missing USB-C resistor
To: Support service@exwayboard.com
Date: Wed, 26 Jul 2023 18:00:54 +0900

Hi Exway,

Thank you for the confirmation. Is a fix planned in future revisions? Because the device violates USB-C specifications by not charging with C-to-C cables.

Thanks,
Eric

Once again, they misinterpreted my message:

From: Support service@exwayboard.com
Title: [Exway Board] Re: Exway remote missing USB-C resistor
To: Exway exway@ericswpark.com
Date: Wed, 26 Jul 2023 09:04:09 +0000

Hi Eric,

Thanks for getting back

The remote just doesn’t have the agreement, not able to change it, thanks for your support

Best
Leo

So I asked about hardware:

From: exway@ericswpark.com
Title: Re: [Exway Board] Exway remote missing USB-C resistor
To: Support service@exwayboard.com
Date: Wed, 26 Jul 2023 18:06:59 +0900

Hi Leo,

Yes, I understand that a firmware update will not resolve this issue, as it is a hardware problem.

However, for future revisions of this remote, this problem should be fixed, as USB-C spec conformity is very important for all devices shipping with a type-C port. I hope that this is forwarded over to the engineers so that they can incorporate it in future remote revisions. In fact, devices that do not meet this spec can be determined as defective in some jurisdictions.

Thanks,
Eric

And their final response:

From: Support service@exwayboard.com
Title: [Exway Board] Re: Exway remote missing USB-C resistor
To: Exway exway@ericswpark.com
Date: Wed, 26 Jul 2023 09:22:05 +0000

Hi Eric,

I have reported your request and I referred this to the tech team, but I got a negative answer, sorry about that

Best
Leo

So, as of right now, it seems Exway’s stance on this issue is that it is a known issue, but not something they’re willing to address, and something they have no future plans to fix.

What is the problem again?

USB-C ports are different from other ports [citation needed]. Specifically, unlike USB-A ports that give out 5 volts of power by default, USB-C requires a negotiation process before it’ll start handing out power. You may have heard about this on branding material of USB-C chargers: USB-PD, or USB Power Delivery, is the spec that devices must adhere to.

But PD negotiation chips are expensive, when compared to the overall price of the device. The electric skateboard remote in question probably costs five dollars or so to make. (In reality, it’s probably much less than that, if you mass-manufacture it.) Having a chip that costs half a dollar takes up a ton of the budget in the BoM (bill-of-materials).

But obviously, the USB-IF board thought of that, and they provide guidance on how devices should behave (or in this case, identify themselves) if they just want 5V of power, no power delivery negotiation required.

This is done by pulling down the CC pins to ground with 5.1K resistors. (Because there are two CC pins – CC1 and CC2 - you need two of them.) Failure to do so means that with a type-C-to-C cable and charger won’t work with said device – the charger will check the CC lines over the type-C cable, find it “floating” (as in, not pulled down with a resistor), and not send over the required 5V. (And if your device shipped with one resistor, or shares a resistor for the two CC pins (ugh Raspberry Pi Foundation!!!), then it can lead to all sorts of wonky behavior, like the device refusing to charge if the cable is plugged in one way and charging normally when the port is flipped.)

In this case, Exway didn’t put in the required two resistors on the CC pins of the remote, and as a result it won’t charge with USB-C-to-C cables.

So what?

I know what you’re thinking. “Just charge it with a USB-A to C cable! What’s the big deal here?”

Sure, you can charge the remote with this workaround. But let’s look at the bigger picture.

These resistors cost ~~pennies~~ a fraction of a penny (thanks @rickcox on GitHub!) to include. And the instructions on how to do that is a simple Google search away. In fact, if you’re a competent electrical engineer designing circuits, you know your first job is to read the specifications before implementing them on your device.

Which means one of the following is true:

Exway hired incompetent engineers that do a poor job, or
The engineers warned that the port did not follow specifications, but Exway decided not to fix it to save money, or
The engineering team at Exway made a geniune mistake and forgot to include the resistors, or didn’t know about this particular specification (I mean, the USB-C spec is really long, and probably very complicated thanks to the USB-IF committee).

But I don’t think the third one is likely. Nobody caught the problem while testing this product during development? Nobody used a type-C-to-C cable to charge the remote while using engineering samples? No, it is borderline impossible for Exway to not be aware of this problem, unless they don’t do any sort of testing, which again I find hard to believe. (And if they don’t test their products, that’s even more horrifying.)

And now we know they’re aware of it, but they don’t care. They don’t plan to fix the problem, even when they’re made aware of it.

If they’re willing to cut corners on stuff like this, do you really want to risk your life and ride a electric skateboard from them, equipped with their battery? Even if we give them the benefit of the doubt and say that they did everything possible in regards to safety, I don’t think they would be very receptive to a fix if the battery spontaneously combusted, especially given the response above.

So what can I do?

If you have an Exway board that is affected by this problem, then contact Exway and let them know that this is unacceptable. The product is defective by design, and they need to fix it.

Also, consider discontinuing the use of their skateboards.

If you were considering purchasing an electric skateboard, consider alternative brands.

But most importantly, it’s important to spread the word and let manufacturers know that not conforming to USB-C spec in 2023 is absolutely unacceptable. Countless forum posts have been made about this exact issue, and there’s even a subreddit called r/USBCHardware that has constant threads on defective products like these. Help people that might not understand why their device won’t charge with certain cables by not letting these companies get away with bad design.

Links

Discussion on r/Exway

Discussion on r/USBCHardware

Discussion on Hacker News

Migrating Homebrew from an Intel to an Apple Silicon Mac

Sat, 17 Jun 2023 00:00:00 GMT

These are the steps I took to migrate Homebrew from an Intel-based Mac to an Apple Silicon-based (abbreviated as ASi from here on out) Mac.

Preparations

Before moving, run the following command on your old Intel Mac:

brew bundle dump

This dumps the currently installed package list to a Brewfile in the current directory. Save it, or either leave it there if you’re doing a Mac-to-Mac transfer.

Wait, I don’t have my Intel Mac anymore!

Running the above command on an ASi Mac will fail, because that command requires git, and the Intel version of git will crash on ASi.

So after you finish with the ASi Homebrew install below, do the following:

# On Intel Homebrew terminal window
brew uninstall git

# On ASi Homebrew terminal window
brew install git

# On Intel Homebrew terminal window
brew bundle dump

Then proceed, starting with the “Uninstall Homebrew for Intel” section.

Install the ASi Homebrew

This step is rather simple. Just run the Homebrew install command again:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

The installer will give you those two commands to run so that Homebrew is on your path:

(echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Users/ericswpark/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"

(Your command will have your username substituted in, obviously.)

Uninstall Homebrew for Intel

Run the following commands:

cd ~/Downloads

# Because wget (Intel version) might not run on ASi
curl https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh --output uninstall.sh

/bin/bash ./uninstall.sh -p /usr/local

The uninstaller didn’t have the necessary permissions to delete things fully, so I had to go into /usr/local and delete all files and folders in there after it had finished running. It should usually be safe to delete everything in that folder since macOS doesn’t even ship with it by default, but if you do have things that depend on stuff inside that folder, I suggest deleting carefully so that you don’t end up breaking something. In my case, I just decided to re-install whatever I broke, so I just deleted everything within that folder.

Note: @porg on GitHub has rightly pointed out that some tools and package managers also install to /usr/local, so do go through this folder just in case before deleting things.

You may also need to delete any additions you made to your dotfiles so that the Intel version of Homebrew is in your path. In my case, I had to delete the lines in .zshrc referencing the previous Homebrew install in /usr/local.

Reinstalling everything

Open a new terminal window so that the ASi-version of Homebrew is active.

Navigate to the directory with the Brewfile from earlier and run:

brew bundle install --file ./Brewfile

Now you should be good to go!

These AI detectors are getting out of hand

Sat, 06 May 2023 00:00:00 GMT

Recently, I noticed a ton of posts on Reddit where students were accused of academic dishonesty and plagiarism through the use of “AI” tools. With the start being this post:

I have been falsely accused of using AI on my essay

And after that, the reports just started to flood in:

The possibilities here are:

All of those students are lying, and they did really use AI
They aren’t lying, and the AI detection software screwed up

Seems obvious enough. Let’s figure out how AI detection software works. To do that, we need a base example. Let’s go with Turnitin’s AI detector.

Why Turnitin?

Let’s get the bias out of the way: I have a deeply-seated hatred toward Turnitin.

Back in high school, Turnitin accused me of plagiarizing an essay that I wrote on my own, and gave one of my classmates a 100% plagiarism score because they submitted the essay on a separate, testing Turnitin environment to make sure they didn’t accidentally plagiarize anything.

But that’s before the AI tools started to flood the market. Turnitin’s pre-AI tool “checked” for “plagiarism” by essentially doing a compare between all the text submitted to their platform. If two copies matched and the match rate was above a certain threshold it would be flagged for review.

Obviously, that wouldn’t work anymore with GPT-based cheating. Depending on the prompt and the model and the platform used, the output could vary drastically, even between runs! Turnitin had to come up with a new solution to avoid becoming irrelevant overnight with their already-flawed, outdated method of comparing text content.

Enter…

Turnitin’s “AI writing detection”

Turnitin capitalized on the scare of “AI-based cheating” by creating an entire page dedicated to showing off their new “AI detection” solution.

If you ever go to that page accidentally, you’ll see a whole lot of marketing speak, corporate mumbo-jumbo (“AI Innovation Lab”), but nothing of substance. How does the damn detection work, Turnitin?!

That nugget of info is buried in their FAQ page, and even the information listed there is vague and unhelpful. I mean, read this:

How does it work? (…blah blah technical details…) The segments are run against our AI detection model and we give each sentence a score between 0 and 1 to determine whether it is written by a human or by AI. (…more technical stuff…) Currently, Turnitin’s AI writing detection model is trained to detect content from the GPT-3 and GPT-3.5 language models, which includes ChatGPT. Because the writing characteristics of GPT-4 are consistent with earlier model versions, our detector is able to detect content from GPT-4 (ChatGPT Plus) most of the time. We are actively working on expanding our model to enable us to better detect content from other AI language models.

Okay, so it appears Turnitin checks if the submission was generated by an AI by… feeding it into another AI model and asking it to predict whether or not it was written by a human or an AI. And look at the last sentence – they need to make a new model for each AI language model that crops up on the market.

So Turnitin went from a objective measure (how much of the text was copy-pasted) to a completely subjective measure made out of a AI black-box. Obviously, this new system is much more trustworthy. (/s)

And they expect instructors to trust them on this and completely ruin students’ lives based on this prediction score!

Well, actually…

Even Turnitin itself acknowledges that this method of detection is flawed. In their blog post titled “Understanding false positives within our AI writing detection capabilities”, Turnitin writes the following:

Know before you go—make sure you consider the possibility of a false positive upfront and have a plan for what your process and approach will be for determining the outcome. Even better, communicate that to students so that you have a shared set of expectations.

Assume positive intent—in this space of so much that is new and unknown, give students the strong benefit of the doubt. If the evidence is unclear, assume students will act with integrity.

Be open and honest—it is important to acknowledge that there may be false positives upfront, so both the instructor and the student should be prepared to have an open and honest dialogue. If you don’t acknowledge that a false positive may occur, it will lead to a far more defensive and confrontational interaction that could ultimately damage relationships with students.

So why are these horror stories occurring across different colleges? Well, this disclaimer is tucked away into a blog post, that’s why. Now, I’m not sure if they put a giant warning banner on top of their AI prediction score, but I’m pretty confident in saying that even if they did it won’t read anything like “This score may be completely inaccurate because we’re basically asking an AI to perform a Turing test on fellow robots”, because if they actually wrote that they’d lose the trust of educators and go out of business.

Therefore, some educators assume the AI detection model of Turnitin is battle-tested and ready for general use, not taking into account that the prediction score itself has a compounded margin of error.

But let’s stop bashing on Turnitin for a moment. Because I want to talk about “AI detection” in general.

AI detection, models, “hallucination” and datasets

All this “AI detection” sucks because the very idea of “detecting AI” sucks.

Look at it this way: we’re warned against trusting output from AI models because they may “hallucinate” and spit out completely incorrect information. AI detectors are built off of AI models. So how come we’re asked to trust AI detectors?

Furthermore, the power of these GPT-based tools come from the giant dataset that they use to give us information. Stuff like writing code, creating a recipe, etc. are easy for AI models to do, since they only have to regurgitate what they learned from the datasets. But with AI detection, the models are asked to operate on a completely new input (generated from the aforementioned GPT models) and determine something that was never included in their dataset – whether or not a given piece of text was AI-generated. The very idea of AI-detection only existed as Turing tests on the Internet, and it never could’ve accounted for all the GPT models flooding the landscape right this moment.

Case in point: one of the “AI detectors” named GPTZero actually marked the Declaration of Independence as AI-generated. ~~I never knew the founding fathers were GPT models!~~

So, what now?

Instructors around the world need to adapt, just like they did when the Internet first came out and allowed dishonest students to copy-paste whatever they found online.

Instead of the AI detection prediction score becoming a measure, it should only be used as a reference. If the student performs badly all the time, then it can be used as part of the evidence set to show that the student is committing academic dishonesty. If the student is a model student and one of their essays is flagged as AI-generated, then educators will know that there was a false positive result.

For this to happen, all these companies should become much more transparent about their detection capabilities, and emphasize that their tool should only be a single part of an arsenal used to determine academic honesty, not a be-all-end-all solution. This may be hard to do, since these tools are sold to educational organizations and distributed in bulk to educators. Without proper documentation and training, educators may have a false understanding of the tool and use it in ways that it wasn’t intended to be used.

And honestly, writing out that last sentence reminded me of the pre-AI Turnitin. And GPT chatbots. And virtually every other piece of software or tool in existence. If you don’t fully understand the limitations and characteristics of what you’re using, then you probably shouldn’t blindly trust the results when everything’s said and done.

I hope this blog post was useful! If you or any other student you know was misidentified as a robot, try sharing this blog post with your instructor and let them know the dangers of relying on AI detectors.

Update (2023-07-27)

OpenAI recently pulled their AI detector because it had poor accuracy.

When the most popular GPT-based chatbot maker shuts down their detector, it really begs the question: how do other companies manage to make detectors that surpass that of OpenAI? (Hint: they can’t, and don’t.)

How to reverse proxy properly with Caddy and Docker

Sat, 18 Mar 2023 09:52:54 GMT

This is a tutorial on how to properly set up Caddy running in a Docker container.

The prerequisites

A server with the Docker service enabled. Let’s (host)name the server timmy.
Some services you want to expose to the web
A custom Docker network that houses these services (let’s say proxynetwork here)
(optional) Some services you don’t want to expose to the web
(optional) A VPN service such as Wireguard to access those services

Why reverse proxy?

Because typing service.timmy.example.com is a whole lot better than 192.168.1.200:4343 or timmy:4343.

Especially once you have more than two or three services to access. Good luck remembering all the port numbers!

Part 1 - The outer layer

First off, install Caddy with the host networking option. (I’ll explain why later.) Then in the configuration, map the domains according to your needs:

# Set up logging
(logs) {
    log {
        output file /data/logs/access.log
    }
}

# Hide the services from search engines
(no_robots_txt) {
    respond /robots.txt 200 {
        body "User-agent: *
Disallow: /
"
        close
    }
}

# Main page
timmy.example.com {
    # You can either reverse proxy to a service...
    reverse_proxy 192.168.1.200:8080
    # Or respond like this (uncomment the following line)
    #respond "Hello World!"

    import no_robots_txt
    import logs
}

# Different services
*.timmy.example.com {
    import logs

    @plex host plex.timmy.example.com
    handle @plex {
        # `172.18.0.1` is the Docker host IP
        reverse_proxy 172.18.0.1:32400
        import no_robots_txt
    }
}

Pretty standard-fare stuff. Once you have the container running, Caddy will take care of things like SSL certificate management with Let’s Encrypt, assuming timmy.example.com is pointing to the public IP of the server, and *.timmy.example.com is a CNAME to timmy.example.com.

If that’s all you wanted to do, you can stop here! But what if you have some internal services you want to access over VPN? Then read on.

Part 2 - Internal services

This is the tricky part, because we want to restrict the people that can access internal services to those that are connected over VPN only.

Let’s set up the internal Caddy server first. Create the following Caddyfile:

# Set up logging
(logs) {
    log {
        output file /data/logs/access.log
    }
}

:80 {
    @main host timmy.private.example.com
    handle @main {
        reverse_proxy foo:8080
    }

    @jenkins host jenkins.timmy.private.example.com
    handle @jenkins {
        reverse_proxy jenkins:8080
    }
}

For this to work, timmy.private.example.com must point to the private IP inside the VPN network, and *.timmy.private.example.com must be a CNAME of timmy.private.example.com. You can publish those to the public DNS – they’re internal addresses anyway so it’s not like people can access them.

Now, you might be wondering why we are using :80 for the server block, instead of something like timmy.private.example.com or *.timmy.private.example.com. And that’s because since this is an internal Caddy server that gets reverse-proxied-to by another Caddy server, we don’t want it automatically generating SSL certificates or what not. In fact, having multi-layered HTTPS in a reverse proxy setup is generally a Bad Idea™, which is why we will only listen on the standard HTTP port 80.

Also, you may have noticed that we are using hostnames to refer to services, like jenkins. This only works if you use the aforementioned custom Docker network, so you need to make sure that both the service (Jenkins, for example) and the internal Caddy server is on the same network! In this case, I would create the internal Caddy server on the proxynetwork, and forward port 80 to 680 on the host machine.

Great, so now all we have to do is join those two together!

Part 3 - Joining the two servers

On the outer Caddy server, add the following to the Caddyfile:

# Reverse proxy to internal Caddy
timmy.private.example.com {
        import logs

        reverse_proxy 172.18.0.1:680
}

*.timmy.private.example.com {
        import logs

        reverse_proxy 172.18.0.1:680
}

Now you should be able to access the services. All set, right?

Not so fast!

Not so secure

You’d think that since timmy.private.example.com points to a private IP address inside the VPN network, people on the Internet cannot access those services.

But see the host keyword? Caddy checks what host the client is visiting and forwards them to the appropriate blocks. So what does Caddy check? It checks the Host header embedded into every HTTP/S request.

Do you see the problem yet? HTTP/S requests are made by clients, and their contents can be arbitrary.

Try a simple test: disconnect from your VPN network, open up the hosts file on your operating system, and add an entry that points timmy.private.example.com to the public IP of your server. Then visit timmy.private.example.com. What do you see?

Because this check can easily be bypassed with something so simple as a hosts file, it is NOT secure, so we have to do something about it.

Part 4 - Hardening the outer shell

Back at the outer Caddy server layer, add the following snippet:

(block_nonvpn) {
    @notVPN not remote_ip 10.10.0.0/24
    handle @notVPN {
        respond "Access denied" 403
    }
}

You will need to replace 10.10.0.0/24 with the actual IP range of your VPN network.

You might be tempted to not respond at all, and terminate the session immediately upon figuring out that a public IP is trying to access a private server block:

(block_nonvpn) {
    @notVPN not remote_ip 10.10.0.0/24
    handle @notVPN {
        abort
    }
}

However, this is not recommended, as you can set up something like fail2ban to find abusers with the 403 entries in the access log, and ban them from the network and reduce load.

Of course, for this to work, the outer Caddy layer must be in the host network mode. In my experiments, any other network mode causes Caddy to recognize all clients as originating from 172.18.0.1, or the internal IP address of the Docker network layer that points to the Docker machine host.

Then, add the snippet to the private services, like so:

# Reverse proxy to internal Caddy
timmy.private.example.com {
        import logs
        import block_nonvpn

        reverse_proxy 172.18.0.1:680
}

*.timmy.private.example.com {
        import logs
        import block_nonvpn

        reverse_proxy 172.18.0.1:680
}

If you try the hosts file trick again, you should see that it no longer works!

Conclusion

I hope this helps with configuring Caddy for reverse-proxying to different Docker services!

Thanks to

@fvbommel on the Caddy forums for the security advice

Handwashing on Apple Watch is useless

Sat, 04 Feb 2023 00:00:00 GMT

By far, the most disappointing and useless feature on the Apple Watch is the Handwashing Timer. Which is ironic, because when it was announced back in 2020 I thought it was a really neat idea.

The problem: the trigger… doesn’t trigger.

Apple says the trigger is audio and motion, so it probably detects the sound of running water, then checks if the user is rubbing their hands together.

But this never works reliably. When it does work it is magical. But more often then not it thinks I’ve only washed for five seconds when I’ve already scrubbed for forty seconds trying to get it to trigger, or won’t trigger at all.

And there are false positives: any rubbing motion while water is running sets it off. So it activates when you’re washing dishes, for example.

My naive solution: when the Apple Watch hears the sound of running water, prompt the user if they’re washing their hands. But since we obviously can’t touch the watch with dirty hands, have the user do some sort of gesture to start the timer. Maybe like a double-chop in mid-air, just like the Motorola phones that wait for the gesture to turn on the flashlight?

This solves the issue of false positives, since users can just not do the gesture to not start the timer if they’re not washing their hands, and it also means it’s easier to trigger, since the only condition to fulfill is to get the Apple Watch to hear the sound of running water.

Update (2023-04-15)

So after a ton of trial and error, I got frustrated enough to research exactly what the trigger for handwashing on the Apple Watch is. And it seems like it isn’t water.

Brian Heater (@bheater) on TechCrunch:

The system uses machine learning models to tackle different methods, but the system gets an additional nudge from the Watch’s microphone. Along with motion, the app listens for the sound of running water. Even that’s not enough, though — after all, eco sinks have become increasingly popular, meaning that there’s often less water sound to be listening for. The sound of squishing soap takes care of that last bit. It’s got a unique enough audio signature so as to confirm that handwashing is taking place.

Alex Guyot on MacStories:

Handwashing detection uses a combination of wrist movement and ambient sound tracking to make its determinations. Apple says that the unique squelching sound of soap is one of the main indicators. (…)

Jacob Krol on CNN Underscored:

(…) And the Apple Watch will now track your hand-washing in two core ways: It will monitor and listen for the soap pump, as well as water and wrist movement, to ensure you’re washing your hands for 20 seconds, and will remind you to wash your hands when you return home. (…)

Which makes a ton of sense, because then the Apple Watch wouldn’t detect any handwashing sessions where the water has been switched off, so as to not waste any. So I tried making the squelching sounds obvious as much as possible during handwashing, and it seems to have improved the detection rate by quite a bit. I haven’t been nerdsniped to such a degree as to actually track the detection rate, but in my subjective thoughts I think the rate has gone from 10% to around 70 or 80%.

Get rid of Naver's fearmongering browser banner

Tue, 24 Jan 2023 00:00:00 GMT

What the hell is this, Naver?

No, I’m not using an outdated browser. Naver is just pushing for their self-developed browser, Naver Whale. The problem is that the banner makes users believe that the browser they’re currently using is vulnerable in terms of security, when it might not be (as I get this banner on the latest versions of Firefox and Safari).

But Naver Whale isn’t some special browser. It’s just a skin and some customizations on top of Google’s Chromium (which is a base of Google Chrome). As Naver has to re-modify and re-distribute Chromium every time Google releases a new version, Naver Whale could actually be slower in distributing security updates.

So how do we get rid of this banner? We can just block it with our browser’s ad-blockers. The HTML element to block is as follows:

<div id="NM_TOP_BANNER" ...>

To convert this into an ad-block rule (on uBlock Origin, for example):

###NM_TOP_BANNER

I wish they’d refrain from false advertising. Actually, wasn’t it illegal in the first place?

TextEdit leaving behind weird folders on SMB

Mon, 23 Jan 2023 00:00:00 GMT

When saving text files to an SMB server with TextEdit on macOS, you may run into this issue where it leaves behind a ton of directories every save, like so:

name-of-text-file.txt
name-of-text-file.txt.sb-xxxxxxxx-xxxxxx

Where xs are replaced by some random string of characters and numbers.

And sometimes, TextEdit will completely fail to save a file.

Well, it might be because you’re disallowing dot files on your SMB server with something like the following configuration:

# Get rid of macOS dot files crap (fuck you macOS)
veto files = /._*/.DS_Store/

While this does disallow macOS dot files it also breaks saving with TextEdit, because these .sb directories house ._name-of-text-file.txt files, which is presumably used to save file attributes.

I dislike TextEdit doing this, and I’m pretty sure there is some solution to turn off the functionality, but since this is a server used by multiple people, many of whom are tech illiterate, I just decided to remove those lines from the configuration. Damn you, macOS.

[Edit: Do NOT use] Setting up Time Machine on any SMB server (feat. automount)

Sun, 08 Jan 2023 13:36:19 GMT

Update at the end of this blog post!

Time Machine on macOS does a lot of things just right. It’s incremental, so you save disk space on the destination. It runs seamlessly in the background, and if you enable Power Nap it will run even when the lid is closed.

What it is absolutely terrible at is backing up to anything other than a directly-attached storage device.

Want to back up to a remote storage? Great, choose from one of the following options:

~~Buy a readymade device from Apple that does this for you~~ Nope! That was the AirPort lineup and Apple discontinued them centuries ago.
~~Back up to a NAS that supports AFP~~ Nope! AFP is also gone. If your NAS advertised Time Machine support based on AFP, you have a terribly outdated NAS and should get rid of it yesterday.
Buy a NAS that has SMB and hope that it supports the “Apple extensions” (we’ll get to that in a second) so that Time Machine will actually work. (And chuck the NAS out the window when you discover that it won’t work reliably because the NAS manufacturer did a terrible job configuring Samba.)
Spend days and days wrestling with the configuration of your DIY NAS in order to get it to work. I tried this. This is not pretty. You will regret this route. (Oh, and it involves the “Apple extensions” I talked about earlier. What are those? Coming up soon!)
Throw it all out and work around it on your Mac.

Okay, we’ll start from the second one and work our way down.

AFP?

AFP stands for Apple Filing Protocol, and I won’t get into it much because it is older than dirt. It’s also gone in the latest versions of macOS, by the way, so you won’t be able to use it for Time Machine, even if you really wanted to force it.

”Apple extensions?”

Apple just had to tack on something to the SMB protocol developed by Microsoft. So they added these “extensions” that make SMB servers work well on Apple products.

The open-source SMB project, Samba, attempts to implement these in the vfs_fruit module, but I’ve had instances where Time Machine would just NOT play nice, even when the module was enabled.

If Time Machine suddenly stopped working on your “Time Machine-compatible” NAS one day, it’s probably because macOS is chucking a fit because it didn’t get the special vfs_fruit data that it likes, in just the right way it wants it.

DIY NAS?

So what if you have a DIY NAS, like something running unRAID and OpenMediaVault instead of Synology and QNAP, and attempt to build a Time Machine server off of it?

Well, a lot of headache. I tried setting up Time Machine with my unRAID NAS. While in theory it was supposed to work OOTB, the backup kept failing sporadically and family members reported the same as well. I spent weeks fiddling around with the configuration but to no avail. Sometimes, it would suddenly work without any issues, then stop working again the next hour, even when I hadn’t changed anything.

It was maddening and I don’t recommend anybody try this route.

The Mac workaround

So here is the method I settled on, and it has worked rather flawlessly for the past couple of days:

Make your Mac back up to an image stored on the SMB server.

So I’m going to show you the steps to achieve just that.

Connect to your server.
Open up Disk Utility and press Command-N to create a new image. Set the options:

Name: “Time Machine”
Size: Whatever you want, but I recommend making it bigger than your Mac’s drive space
Format: “APFS”
Encryption: “128-bit AES encryption (recommended)” (You will be prompted for a password)
Partitions: “Single partition - GUID Partition Map”
Image Format: “sparse bundle disk image”

It is important that you save this locally, like in the “Downloads” folder! Attempting to save this directly to the server will result in the following error:

Operation failed with status 73: RPC version wrong

You can choose whatever you want for the image name (I’ll just call the sparse bundle an image for brevity), but I recommend setting it to the name of your Mac so that you can distinguish the images.

Once it is created, macOS will automatically mount it. Eject it, then move the file over to your server.

Mount the image. Make sure to click on the checkbox that says “Remember password in my keychain”. This is important if you want to auto-mount the image later.
Give the “Full Disk Access” permission to your terminal app of choice.
In your terminal app, run:

sudo tmutil setdestination /Volumes/Time\ Machine

Make sure to replace /Volumes/Time\ Machine with your actual volume name! If you’re unsure, delete it, then drag the volume (NOT the image) to the terminal window.

Once you run it and enter your password, the volume will be set as the Time Machine destination. Your desktop may flash a couple of times. This is normal.

Set up automatic backups in Time Machine.

Note: in some cases, Time Machine may refuse to let you change the schedule to automatic. In this case, quit the “System Settings” app completely, then go back into the Time Machine settings page.

Select “Options”, and change “Back up frequency” to “Automatically every hour”:

You should probably not turn on “Back up on battery power” unless you really need hourly backups, no matter what.

Note: If the setting keeps reverting back to “Manually”, try step 7 first, then come back here.

Run a manual backup.

Go into the Time Machine settings, right click on the destination, and select “Back up to ‘Time Machine’ now”:

If your disk showed up as “0 KB available”, this step should fix that.

(optional, but recommended) Set up auto-mount.

I ended up using a paid app called “AutoMounter” on the App Store, but I am pretty sure that there are other options out there.

Add your SMB share to the app, then add this script to run whenever the share is mounted:

#!/usr/bin/env bash

# Eject previous Time Machine volume if it exists
diskutil eject /Volumes/Time\ Machine

# Sleep 10 seconds because macOS is janky
sleep 10

# Open disk image file
open /Volumes/smb-share/TimeMachine/Erics-MacBook-Pro.sparsebundle

Make sure to replace the paths with your own.

Now, Time Machine will back up whenever it sees the volume mounted, and AutoMounter will mount the volume whenever the SMB share is available!

Conclusion

I can’t believe using Time Machine is this user-unfriendly. Ideally there should be a button in the Time Machine settings that does all of the above for us. But for now, this will have to do.

Update (2023-01-26)

Don’t use this method. When Time Machine backs up to a sparse bundle hosted on a network share, it thrashes the network quite heavily, slowing everything down. I think it has something to do with packages actually being directories containing lots and lots of small files. Because Time Machine can’t get the metadata streamed through with Apple’s SMB extensions, it resorts to fetching the entire file, which slows things down.

At this point, I’ve given up completely with network-based Time Machine backups. Use an external drive: it’s idiot-proof and easy to restore from.

Hello, Mastodon!

Fri, 16 Dec 2022 08:12:55 GMT

After deleting my Twitter account, I’ve been doing some research about Mastodon and how it works. Suffice to say, I now have a Mastodon account over at tilde.zone!

My handle is: @ericswpark@tilde.zone

Quick tip for those joining: I was stuck on the choosing-a-server step for a very long time, until I realized account creation is a bit like creating an email account. You don’t really care whether someone has an email at Gmail, Yahoo, or their own self-hosted server. So just pick a server that has a content moderation policy and ideology you most agree/identify with and sign up there! And thanks to federation, you can always contact users on other servers, so don’t worry if you can’t sign up on a particular server.

ffmpeg: convert HDR to SDR

Wed, 14 Dec 2022 00:00:00 GMT

(Warning to mobile users: this post has a lot of images with huge file sizes, so it may be slow to load. I considered compressing/resizing the images but I wanted the details to be preserved so I left them as-is. If the images don’t load, try viewing this post on a computer. Thanks!)

If you have a large media collection like me, you may have some content, like movies and videos, that are shot or rendered in HDR (High Dynamic Range).

If you also have a large collection of devices, you’ll know that most recent devices play back HDR content just fine. Just for a quick reference, here are some popular device lineups and when they started supporting HDR:

Apple
- iPhone 8/8 Plus and up¹
- iPad 9th-generation and up
- iPad Air 4th-generation and up
- iPad Mini 6th-generation and up
- All iPad Pro models (except the 1st-generation 12.9-inch)
- Macs with Apple Silicon
Samsung
- Galaxy S10/S10+/S10e and up²
- Galaxy Note 10/10+ and up²

In addition, on devices that do not support HDR playback, some platforms and video players (such as VLC) allow you to “tone-map” HDR videos (we’ll get into what that is later) down to SDR, or Standard Dynamic Range. Which means you’ll still be able to enjoy your HDR content for now without upgrading your hardware.

Unfortunately, you start running into issues when you try and play back HDR content on devices that absolutely do not support HDR content in any way or form. Devices like old Android phones or tablets, or old Apple devices, etc. that do not allow you to load an external player that support HDR tone-mapping, will still allow you to play back the content, but you will notice something wrong about the video. The colors will all be washed out, and the brightness levels will be off. So what gives?

Color-clipping

To begin, let’s look at the “color space” that SDR videos use. SDR videos typically use the Rec. 709 color space, which looks a little something like this:

< From https://en.wikipedia.org/wiki/Rec._709 >

In contrast, HDR videos use the Rec. 2020 color space, which looks like this:

< From https://en.wikipedia.org/wiki/Rec._2020 >

Inside the cone shapes, you can see the black triangle that marks what part of the color spectrum the color space can represent. As clearly seen above, Rec. 2020 covers even more colors than Rec. 709.

This becomes a problem, because to properly display Rec. 2020 colors, your hardware (your device and your screen), platform, and video player must support displaying Rec. 2020 (obviously). For combinations of hardware-platform-software where proper tone-mapping is possible, you will see the correctly mapped color output where colors outside the Rec. 709’s color space has been “mapped” back in to the supported regions (that’s basically what tone-mapping is here).

But if your playback combo (hardware-platform-software) does not have proper tone-mapping support, the colors outside of the range of Rec. 709 are forcibly shifted in to the supported range (or “clipped”) during playback, and as a result, you get a grayish, washed-out image that looks terrible.

So how do you solve this problem?

Solutions

Here are some of the solutions, in the most preferable order:

Upgrade your hardware to a HDR-supported device
Use video players that support tone-mapping on-the-fly
Obtain SDR versions of the content if it is available
Re-encode your videos with ffmpeg

In an ideal world, we’ll all have HDR-capable hardware, but this is not a utopia and there are devices that are being released right now that do not have proper support (or any support whatsoever) for HDR. And also, even if you only pick out HDR-compatible devices, it will be expensive, and it’s no reason to immediately replace your old devices when alternatives exist. (To be clear: if you were about to upgrade anyway and HDR was one of the reasons, buy away. But if you are upgrading simply because your device doesn’t support HDR, keep in mind that most devices right now, especially computers, do not support HDR, so it’s probably not worth it to upgrade just for HDR support alone.)

The next best solution would be to use a video player that supports tone-mapping, like VLC. This is applicable to desktop OSes where an alternative video player can be sideloaded at any time. But what if you’re using a device where sideloading in HDR support is hard or even impossible?

You could attempt to get an SDR copy of the content, if one is available. Going this route is probably easier and faster, since downloading will usually beat out encoding in terms of speed. But what if the HDR copy is the only copy?

That’s where re-encoding comes in!

Before we begin

I’d like to mention really quickly that most of the HDR to SDR conversion stuff that I write about in the next couple of sections is referenced from this now deleted blog post (it looks like the entire site is gone). You can check out the archived version on Wayback Machine here. Thanks to the original author, Daniel Stevens, for his blog post on the topic!

Original

For this demonstration, I’ll be using this video from YouTube to show the different conversion methods of HDR to SDR. (As the video is too big to attach here, I’ll stick with single frames from the middle of the video. You can follow along with the comparisons by using the same commands below!)

Let’s extract a single HDR frame and see how it looks in Rec. 709, without any tonemapping:

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vframes 1 original.png

Looks rather washed out, which is what we expect. So what should we run to convert this to SDR properly?

Tonemap algorithms

There are several tonemap algorithms – mobius, hable, and reinhard. Let’s look at each one!

`mobius`

Extract the same frame and apply the mobius tonemap preset:

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=mobius,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 mobius.png

And here’s what we end up with:

Okay, we see more colors! But something still feels off. The colors look too vibrant.

Let’s try the other two.

`hable`

The command:

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=hable,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 hable.png

The result:

Okay, that looks… more like what we’re aiming for. What about…

`reinhard`

The command:

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=reinhard,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 reinhard.png

The result:

It might be difficult to pick out the difference between this and hable, so I’ve made a little comparison thing below:

(hable on left, reinhard on right)

And in case you want to see how badly oversaturated mobius is:

(mobius on left, hable on right)

(mobius on left, reinhard on right)

Now that we’re done with the available presets, it’s time to go over one tweakable value within each preset. And that is…

Desaturation

From ffmpeg’s documentation:

Apply desaturation for highlights that exceed this level of brightness. The higher the parameter, the more color information will be preserved. This setting helps prevent unnaturally blown-out colors for super-highlights, by (smoothly) turning into white instead. This makes images feel more natural, at the cost of reducing information about out-of-range colors.

The default of 2.0 is somewhat conservative and will mostly just apply to skies or directly sunlit surfaces. A setting of 0.0 disables this option.

This tracks with the explanation from the blog article from Daniel Stevens. However, he recommends using the value of 0 to turn it off. But the documentation makes it sound like it’s a good setting to leave on to prevent “unnaturally blown-out colors for super-highlights.”

Let’s try generating a mobius image with desaturation set to 0 and compare it with the regular mobius (again, the defaults are 2.0. If I don’t specify a desaturation value, assume 2.0):

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=mobius:desat=0,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 mobius-desat-0.png

Since it doesn’t make sense to just show the image on its own, I’ll make another comparison slider below:

(mobius on left, mobius with desaturation set to 0 on right)

And the rest:

ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=hable:desat=0,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 hable-desat-0.png
ffmpeg -ss 00:01:10.871 -i hdr-original.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=reinhard:desat=0,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -vframes 1 reinhard-desat-0.png

(hable on left, hable with desaturation set to 0 on right)

(reinhard on left, reinhard with desaturation set to 0 on right)

Let’s try a different value. I’ll just generate a 0.5 for reinhard, though you can substitute whatever you want for different presets. And here’s the comparison:

(reinhard with desaturation set to 0.5 on left, reinhard on right)

I think this might be a matter of personal preference. If someone can tell me exactly why this should be disabled, I will update this section.

So, which one should you use to convert HDR videos into SDR?

(Personal) comparisons and thoughts

These are my personal thoughts based on the experiments I carried out above.

I immediately ruled out mobius because the algorithm distorts the colors and oversaturates them a lot. If you like that kind of punchy color, then it might be a good option, but I feel like it messes up the video’s color too much to be usable.

That leaves hable and reinhard. I found that reinhard produced brighter images, but hable looked more in-line with the original SDR source (when using content where HDR and SDR were both available so I could compare the output from ffmpeg). I think it’s a matter of personal preference, again, but I think I’ll go with reinhard, as I value being able to see things in a dark scene, which is harder to do with hable.

Usage examples

I wondered what algorithms were being used by various software that implemented HDR to SDR tonemapping and found the following:

A lot of implementations and code examples on Stack Overflow preferred using hable with desaturation set to 0.
On Jellyfin, the original issue thread about HDR to SDR tonemapping had a lot of commenters saying that they used hable with desaturation set to 0.
On Jellyfin, the pull request that implemented tonemapping had reinhard as the default value, with a recommended desat range between 0 and 0.5.
Inside the aforementioned pull request, one commenter asked why hable was not being used, and a Jellyfin developer (I assume) stated that hable wasn’t producing enough brightness as reinhard.

Converting actual video

So once you have your preferred algorithm, converting an entire video is as simple as removing the -ss and -vframes arguments and adding parameters for the used encoder, etc. like so:

ffmpeg -i input.mp4 -vf 'zscale=t=linear:npl=100,format=gbrpf32le,zscale=p=bt709,tonemap=tonemap=reinhard,zscale=t=bt709:m=bt709:r=tv,format=yuv420p' -c:v libx264 -preset veryfast -crf 18 -c:a aac -b:a 160k -movflags +faststart output.mp4

Conclusion

While there is no one-size-fits-all solution for HDR-to-SDR tonemapping, the experiments above and the explanations should give you a pretty good understanding of how the process works and what you should test out to figure out your preferred algorithm.

While all iPhones above 8 and 8 Plus support HDR playback, that’s only on a software level. Some iPhones (including the aforementioned 8 and 8 Plus and probably some “budget” tier models like iPhone SE) do not support displaying actual HDR on a hardware level. ↩
Technically, Samsung supported “mobile HDR” playback starting from Galaxy S8/S8+ and Note 8. However, support for HDR10+ was only added starting with the devices listed above. ↩ ↩²

ffmpeg: cut videos to the exact frame

Sat, 03 Dec 2022 00:00:00 GMT

When cutting videos using ffmpeg using the following command:

ffmpeg -i input.mp4 -ss 00:00:24.183 -to 00:03:22.183 -c copy output.mp4

You may notice that ffmpeg may sometimes not cut the video to the correct frame. It may start a bit later than the time specified, 00:00:24.183, by a couple of frames or a couple of seconds. Worse yet, the video may appear frozen until it reaches the arbitrary frame ffmpeg started on, upon which it will start playing normally. What gives?

Well, it all comes down to keyframe types (again, if you’ve seen my previous posts about ffmpeg), but the short gist of it is that certain keyframes (P-frames and B-frames) rely on I-frames in order to render. So if your supplied timecode does not start on a I-frame, ffmpeg skips over until it finds the first I-frame, then repeats that to the start of the video, like this:

Original file:

IPPPBIPPPBIPPPBIPPPB
       ^ Your supplied start timecode

Where ffmpeg will start:

----------IPPPBIPPPB
          ^

What ffmpeg will do for the missing frames:

-------IIIIPPPBIPPPB

Finally cut down to size:

IIIIPPPBIPPPB

So how do we tell ffmpeg to just re-encode based on the previous I-frame, before your start timecode? Well, do you see the -c copy parameter in the original command? That’s what’s causing the issue. The parameter tells ffmpeg to copy the file without re-encoding anything, which is fast, but it won’t let ffmpeg re-encode by rendering the frames on top of each other. The solution is to just replace that parameter with a instruction to re-encode with an encoder:

ffmpeg -i input.mp4 -ss 00:00:24.183 -to 00:03:22.183 -c:v libx264 -crf 18 output.mp4

Goodbye, Twitter

Sat, 26 Nov 2022 00:00:00 GMT

By the time you’re reading this post, my Twitter account with the handle of @ericswpark will be gone. If you’re reading this way in the future, it might have been snatched up by a bot.

I don’t think I’ll have to worry about impersonation because I’m not famous enough. But just in case: I do not and will not have a Twitter account. Ignore any communications claiming to be me on Twitter.

The official methods of contact can be found by clicking on the “About” section in the navigation bar.

Anyway, noticed that I’ve had my handle on Twitter since July 2011. Goodbye, Twitter.

Update (2022-12-16)

Apparently Twitter has started preventing account deletions. If you haven’t gotten off the train yet, now would be a good time to (attempt to) do so.

Smooth scrubbing videos

Mon, 07 Nov 2022 00:00:00 GMT

Update

The new revision of this blog post can be found here.

You may have noticed that some videos you play in video players allow you to “scrub” smoothly. That is, when you “scrub” the video by moving the playhead back and forth, the frame is instantly shown on screen without any stuttering or “jank,” as long as your playback device can keep up, of course.

Not only does the player scrub frame-by-frame, some videos even let you scrub backwards, too. Which is great if you’re analyzing a replay or trying to find a specific moment in a video.

Well, in this blog post, I’ll explain how some videos manage to scrub so well, and how you can re-encode videos so that they scrub perfectly!

A quick overview on video encoding and decoding

Note: this is a simplified version of how video encoders and decoders work. For the purposes of this blog post, we don’t need to completely understand them, but we still need to know what keyframe types are so that the next part makes sense. If any experts are wincing at the parts below I’m sorry!

As we all know, video files are just containers containing one or more video streams and one or more audio streams, as well as other stream types (like subtitles, etc). We’ll ignore audio streams and other stream types for now, because they’re not important. What we’ll focus on is the video stream.

A video stream is just a collection of photos, or frames of photos. But storing photos as just one raw frame is rather large and wasteful. Think about it.

A pixel is made up of red, green, and blue values (RGB), each from 0 to 255 (we’ll assume that the video is encoded in 8-bit color here).
That means there are three color types, each with 8 bits of information. 8 bit is 1 byte, so we have 3 bytes of data per pixel to store.
For a given 1080p video file, there will be 1920 * 1080 pixels to store. 1920 * 1080 = 2,073,600. Each pixel has 3 bytes, so we’re up to 6,220,800 bytes for a single frame. (That’s 6,221 kilobytes, or 6.2 megabytes of data.)
Let’s say the video file has 24 frames per second (typical for movies and what not). 6,220,800 * 24 = 149,299,200 bytes, or 149,299 kilobytes, or 149 megabytes. For a single second of video!
Let’s say it’s a short video file, about 30 seconds long. 149,299,200 * 30 = 4,478,976,000 bytes, or 4,478,976 kilobytes, or 4,479 megabytes, or 4.4 gigabytes.
60 seconds. 149,299,200 * 60 = 8,957,952,000 bytes = 8,957,952 kilobytes = 8,958 megabytes = 9 gigabytes!
How about a two-hour long movie? 149,299,200 * 60 * 60 * 2 = 1,074,954,240,000 bytes = 1,074,952,240 kilobytes = 1,074,952 megabytes = 1,075 gigabytes = 1 terabyte.

Obviously, you don’t want to store that much data. And that’s where video encoders and decoders come in.

Video streams are encoded and decoded by various standards: H264 being one, with H265 and AV1 competing to replace it. (There are more, of course.) A video encoder’s job is to make keyframes out of the frames of video. There are three types of keyframes: I-frames, P-frames, and B-frames.

I-frames are like the frames we talked about before. They contain all of the data for a single frame of video.

P-frames reference I-frames. Most video content have some sort of pattern (for example, a static background with a moving subject in front). In this case, the video encoder can just make an I-frame containing the entire scene, then make a P-frame that says “hey, the subject in the video moved right by two thousand pixels and moved up by four hundred pixels.” Then the decoder uses that data to just re-draw the changed parts on top of the I-frame.

B-frames reference frames forwards and backwards. They save space the most, at the cost of being hard to encode and decode.

So that’s a very brief and dumbed-down overview on video encoding and decoding. So how does that relate to scrubbing, anyway?

Keyframes and scrubbing

When you scrub back and forth in a video, the player must first find the closest I-frame to the playhead. Then it builds up the P-frames and B-frames on top of the I-frames until you get the exact picture you want. (Some players skip this and just forcibly land you on the nearest I-frame. You may have experienced this if your playhead jumps back or forward a bit from where you let go of it.)

This is because P-frames and B-frames are partial frames. You can’t just display them because they describe how the frame has changed relative to the I-frame preceding them. (Like I said before, if I-frames are instructions like “draw a blue background sky with white clouds and a person wearing a green dress in front”, P and B-frames are like “the green dress moved right by two hundred pixels.” You can’t draw P and B-frames without reading the I-frame instruction, and so can’t a computer.)

Now, devices (modern ones, anyway) can decode I-frames and P-frames relatively fast. So if you scrub through a video that is made up of I and P-frames only, it will be smooth. But B-frames take much more time and compute power to process, which means devices may start to lag and jank around when you scrub fast across the timeline.

The solution?

Be gone, B-frames!

You can re-encode videos to remove all B-frames from them! Here’s a quick ffmpeg command:

ffmpeg -i input.mp4 -bf 0 output.mp4

Note that depending on the encoder used, you may need to type something different, like:

ffmpeg -i input.mp4 -c:v libx264 -x264-params bframes=0 output.mp4

Videos that scrub smoothly

If you want to try a video that scrubs smoothly, and if you own a Nintendo Switch, you’re in luck. Gameplay footage saved on a Nintendo Switch are comprised completely of I and P-frames. Just grab one and try scrubbing through it! This is a quick and easy example to check if you can’t be bothered with re-encoding video.

Please stop using the stale bot incorrectly

Fri, 21 Oct 2022 00:00:00 GMT

A lot of projects on GitHub use the “GitHub Stale Bot” to automatically close issues (and pull requests) that have not been updated in a while. The bot automatically goes through the issues and leaves a comment asking if the issue is still relevant, then auto-closes the issue if no comment reply is left within a certain time period configured by the repository owner.

This is absolutely terrible, both for the user and also the developer.

Old issues are buried

Issues are not out of sight, out of mind – even if you close them off with the stale bot that doesn’t mean your project has one less bug.

In fact, it’s even worse for your project, because now all of the relevant information regarding the bug has been buried into the “Closed” section of GitHub issues. People can’t find the existing issue, so what do they do? Create a new issue. Which means you need to:

a) mark the new issue as a duplicate and re-open the old one, or

b) find some way of merging the issue chains, or

c) upset your users by having them copy and paste all the relevant information from the old issue

Which leads to…

More work

Rather than reducing the burden of the developers, the stale bot ironically creates even more administrative work down the line as issues are buried and duplicate ones are newly filed, doing the polar opposite of what the bot originally set out to achieve. So instead of spending your time writing code, you need to babysit the bot and deal with the backlash when it inevitably pisses off the users of your project.

Messy threads

So let’s say users of your project are active and can reply to the bot, indicating that a given issue is still relevant. However, as long as the bot stays active, the back and forth like the following will continue:

GSB (GitHub Stale Bot): Hey, this issue seems inactive. Close it?

GSB added the stale tag.

User: No, it’s still relevant.

GSB removed the stale tag.

(a few moments later)

GSB: Hey, this issue seems inactive. Close it?

GSB added the stale tag.

User: No… it’s still relevant.

GSB removed the stale tag.

Developer: I’m still working on the fix, but we’re blocked on dependency X at the moment.

GSB: Hey, this issue seems inactive. Close it?

GSB added the stale tag.

Developer: kill me

GSB removed the stale tag.

Same conversation, without the annoying bot:

Developer: I’m still working on the fix, but we’re blocked on dependency X at the moment.

(a few moments later)

Developer: Okay, upstream fixed their stuff, now we can finally create a patch!

Developer merged feature-fix branch.

Developer closed as completed.

I know which thread I prefer, both as a developer and as a user.

But…

Okay, I’ll admit there is one use for the Stale Bot. And that is when you’re awaiting user feedback.

If the user doesn’t reply in X amount of time (X here depends on your patience), it’s totally fine for the stale bot to drop the issue, because in my opinion it usually means the issue wasn’t that important to them and therefore they didn’t bother with following up with further information, like debugging logs and such.

So have the bot only monitor issues with a specific tag, like awaiting-user-feedback, and start the countdown once the tag has been added to an issue.

This is honestly the only valid use case I found for the Stale Bot, that actually relieves some of the hassle of dealing with “stale” bug reports.

Conclusion

Just because a given issue doesn’t have a reply for a while doesn’t mean it’s stale! Please stop using the stale bot incorrectly. Your project users (and developers) will thank you. :)

Manually installing packages on UnRAID

Sat, 24 Sep 2022 00:00:00 GMT

Update

UnRAID now has a plugin available named NerdTools. It is pretty much a continuation of the now-discontinued NerdPack plugin. Check it out! The original article is as follows, but is now outdated.

I noticed today that there was a new update for our home server, UnRAID 6.11.0. I didn’t think much of it as I clicked on “Update,” then rebooted the server. Well, it failed to come back on to the access panel after a reboot, and I panicked for about half an hour trying to get it to come back up.

Eventually, I figured out what went wrong. Starting from UnRAID 6.11.x, the NerdPack plugin had been deprecated, which meant it was automatically removed from the system during the update. One of the utilities provided by NerdPack was screen – which, if you don’t know, is a utility that provides persistent terminal sessions (I’m pretty sure screen has multiple other uses but that’s what I use it for) – and it had been removed alongside NerdPack. Unfortunately, the script that I used to update and run Tailscale (a VPN platform that allows you to link your devices together) relied on screen, which meant the next time the server rebooted, it couldn’t connect to Tailscale, which is why I couldn’t access it remotely.

After fixing that problem, I wanted to document how to manually install packages on UnRAID, since the solution is strewn across multiple forum posts and comments and I just want one post I can refer back to when I need to install packages again. I will link all the forum posts and comments I referred to at the bottom of this post.

Figure out UnRAID base

UnRAID is built on top of Slackware, which means we need to figure out which Slackware version UnRAID is based off of. To do this, run the following command:

cat /etc/slackware-version

It should spit back something like:

Slackware 15.0+

Find the package you want to install

This page lists all the packages available on Slackware 15.0. (If you’re reading this in the future, change the URL based on the underlying Slackware version you found above.)

https://slackware.pkgs.org/15.0/slackware-x86_64/

Once you find it, click into the link and find the download URL. For example, the screen package’s URL was https://slackware.pkgs.org/15.0/slackware-x86_64/screen-4.9.0-x86_64-1.txz.html, and once I went inside the download URL was next to the text “Binary Package,” with the following value: https://slackware.uk/slackware/slackware64-15.0/slackware64/ap/screen-4.9.0-x86_64-1.txz . Copy the URL into your clipboard.

Download the package to UnRAID

SSH (or mosh) into your UnRAID server and go into the /boot/extra directory:

ssh tower
cd /boot/extra

The second part is important, because UnRAID automatically installs all packages found within that directory on first boot.

Then download the package using wget:

wget <package download URL here>

For example, to download screen, I ran:

wget https://slackware.uk/slackware/slackware64-15.0/slackware64/ap/screen-4.9.0-x86_64-1.txz

Start using the package without rebooting

At this point the package should be available for use if you reboot your UnRAID server. If you don’t want to reboot and want to start using the package immediately, run:

installpkg <package>

For example, to install screen, I ran:

installpkg screen-4.9.0-x86_64-1.txz

You need to be in the directory where the package was downloaded!

Sources

Thanks to all of the users and developers on the UnRAID forums! I referenced the following posts and comments while writing this blog:

Frequent disconnections on GaN chargers

Fri, 23 Sep 2022 00:00:00 GMT

I was working on my laptop today when my phone started to emit the charging chime, over and over again, every tens of seconds or so. There was no rhyme or reason to it. The C-to-Lightning cable was in good shape, the charger itself was firmly plugged into the wall, and yet the issue persisted even after I reseated all the connections a couple of times and checked the charging port to make sure there was no debris preventing a good connection.

The only likely culprit I could think of was the charger itself. I’d picked up this nice gallium nitride (GaN) charger in April this year, that could output 200 watts and could charge four of my devices at once. (Note: this is not a sponsored post or anything. I just linked what I bought because the product description page has the warning which I will show further down in this post.)

I initially assumed I’d gotten a dud, and was looking through my purchase history to see if I was within the exchange window, when something in the product description caught my eye.

(Translated from the Korean description:)

Warnings during use:
(...)
3. When using two or more ports, or when the charging output values fluctuate significantly, charging may temporarily stop and then resume to route power between devices.
(...)

That’s when it finally clicked: I had my phone and laptop connected to the same GaN charger. Opening up the power meter on my laptop, I could clearly see that the power was fluctuating based on the usage:

The GaN charger was stopping charging for a while based on the fluctuating needs of the laptop, which was causing my iPhone to stop charging and start charging again every couple of seconds. To test if this was truly the culprit, I unplugged my laptop and continued working. The problem didn’t come back.

The temporary solution?

Flip the mute switch, face down on desk. No more interruptions.

Note: this might not be a GaN charger specific issue. There may be chargers made with conventional tech that does the same thing that I may not know about. But I only first saw this disclaimer when purchasing GaN chargers, hence this blog post.

Keep SMART tests from failing from idle timeout

Sat, 17 Sep 2022 00:00:00 GMT

If you have a hard drive with a large capacity, extended SMART tests will take a long time to complete. If the operating system parks the head of the hard drive because of inactivity, then the SMART test will get interrupted.

If the SMART test is interrupted, smartctl will often report that the test is still running, preventing you from running another test. However, smartctl -a will not show that the test is running.

To get out of this borked state, you can issue a smartctl -X, followed by another smartctl -t long (with the drive mapping, of course) to run an extended SMART test.

And this time, to prevent the SMART test from being interrupted by the idle timeout, run a separate terminal instance (through something like screen or tmux) and issue the following command:

watch -n 10 smartctl -a /dev/sda

Remember to replace /dev/sda with your drive mapping!

This should poll the hard drive every ten seconds and keep it from going into an idle state.

Thanks to u/SI100km’s comment for the watch command.

Jonsbo N1: brief text review

Mon, 04 Jul 2022 00:00:00 GMT

This is my brief review of the Jonsbo N1 case after using it for our home NAS build.

The Good

It’s sleek and fits well on my desk.

The Bad

The fan on the case is weak, and drives usually go above ~~48C~~ 54C (!) when under load. Not the end of the world, but I generally aim to keep my drives around the 30-40C mark, and the fan is NOT adequate for that.

Good news is, the fan is replaceable (I think), but the problem is I’m not sure if it will improve the airflow situation since the case is already constrained. I’ll replace the fan when it fails and update this post if it helps any.

The Ugly

The structure and design of the case may interfere with your motherboard SATA ports (it did for me). So I only had two out of my four SATA ports usable.

If it doesn’t, you still have to source one more SATA port, since most M-ITX motherboards only come with four SATA ports and the N1 has five drive bays. If your motherboard has a M.2 slot, you can stick a M.2 to SATA card in there (being mindful of the M.2 accepted “keys” – my motherboard only supports the non-SATA, NVMe “key”). There are plenty of SATA controller M.2 sticks on AliExpress that you can use, although I cannot guarantee data integrity with those sticks.

Alternatively, you can get a LSI RAID card and flash it into IT mode, but that takes up one of the PCIe ports.

Conclusion

Next time, I’ll just build my NAS in a larger case, even if it’s more difficult to lug around and transport. M-ITX cases don’t make sense for building NASes. The Jonsbo N1 is certainly a nice M-ITX NAS case for casual home users, but if you start to expand past several terabytes it might be worthwhile to consider your options.

Update

July 14th, 2022

I sent an email to the Jonsbo customer support team and they sent back this response:

Dear Eric,

In summer time, the HDD temperature is usually a little bit higher, but usually if it is under 60℃ it should be okay.

In any event, if you really want to change to use a more powerful fan, the standard is 14025, which mean 140 x 140 x 25 mm. Noctua may be a good choice.

I hope my information is useful for you.

Have a good day.

Best regards, [name redacted]

Once one of the hard drives die from the heat, I’ll replace the fan then along with the dead hard drive. It’s good to know they used standard dimensions! Good job, Jonsbo.

GiGA Genie turns off my TV problem

Sat, 25 Jun 2022 00:00:00 GMT

We had a weird malfunction today with our home TV, and I’m not sure why the hell the KT (Korea Telecom) engineers designed and deployed this buggy implementation.

(Context: the GiGA Genie is an IPTV set-top box line-up from KT, Korea Telecom, sold here in South Korea for users that have a service contract with KT for Internet and TV. This article talks about the GiGA Genie 3 device. Other legacy devices may have unrelated problems.)

The Problem

When I press the “combined power” button on the GiGA Genie remote to turn on the TV, the TV turns on, then immediately turns off. When that happens, the HDMI-CEC sync kicks in, and the GiGA Genie unit shuts off as well, which means we’re now stuck in a loop where the TV and the GiGA Genie unit never turns on.

(In rare circumstances you can spam the power button to turn on the units before they have a chance to sync their status over HDMI-CEC, but this only worked once every five times during testing.)

During this loop, when the TV and the GiGA Genie unit turns on, you can see two dots on the GiGA Genie unit (resembling a little face, almost), where the LED clock usually is. And then once the GiGA Genie boots, the TV shuts off.

The Solution

Really simple. Inside “Genie Settings”, find the menu named “Use IR to control TV” (IR로 TV 제어) or “Use voice control to control IR household appliances” (음성으로 IR 가전 제어), and turn off the “TV control” (TV 제어) option.

Cause

There are three reasons why a TV connected to a GiGA Genie turns on:

The GiGA Genie remote’s “combined power” button, or the “TV power” button has been pressed
While the GiGA Genie unit and TV are connected over HDMI-CEC, the GiGA Genie unit has been switched on
The GiGA Genie unit receives a request (“Hey Genie, turn on the TV”) to power on the TV using the built-in IR blaster

Before, the last option – IR blaster – only emitted IR signals when you used voice commands, but a recent firmware update seems to have broken the functionality. Now, when the GiGA Genie unit turns on, it detects that the TV is off and tries to turn it on using IR, and that’s where the bug lies.

TL;DR: Turn on the TV and GiGA Genie unit using the “combined power” button -> TV turns on -> GiGA Genie unit turns on and turns on the TV using the IR blaster -> The TV, having received the signal from the GiGA Genie unit, switches off -> Through HDMI-CEC, the GiGA Genie notices the TV has shut off and powers off as well -> Infinite loop

Please fix this, KT :(

Setting write cache on drives on UnRAID

Sat, 25 Jun 2022 00:00:00 GMT

You might have run into this issue where the “Fix Common Problems” plugin gave you this warning:

Write Cache is disabled on parity/disk1/diskX

You may experience slow read/writes to parity/disk1/diskX. Write Cache should be enabled for better results. Read this post ( https://forums.unraid.net/topic/46802-faq-for-unraid-v6/page/2/?tab=comments#comment-755621 for more information. (…)

If you follow the link, you will see a recommendation to run hdparm -W 1 /dev/sdX and see whether it is successful, then add these commands to a script under the “User Scripts” plugin and set the scheduler so that it runs when the array is first mounted.

So you may write a script like this:

#!/bin/bash

hdparm -W 1 /dev/sdb
hdparm -W 1 /dev/sdc
hdparm -W 1 /dev/sdd
# ... and so on ...

This script can be improved in two ways.

Since we are running the same command with different parameters, group them into an array and iterate over it, like so:

#!/bin/bash

declare -a drives=("sdb" "sdc" "sdd") # add more here

for drive in "${drives[@]}"
do
    hdparm -W 1 /dev/"$drive"
done

Do not use /dev/sdX to access disks!

Why? Because these are not permanent, and may change across reboots as Linux sees fit!

A better solution would be to utilize the IDs that the drives come with. Run the following on your UnRAID server:

ls -al /dev/disk/by-id | grep "ata" | grep -v "\-part"

This will list the drives on your system, with their IDs and what /dev/sdX they map into:

# Example IDs, obviously
lrwxrwxrwx 1 root root   9 Jun 25 21:33 ata-WDC_WD1234ABCD-567890_WJAN01234567 -> ../../sdb
lrwxrwxrwx 1 root root   9 Jun 25 21:33 ata-WDC_WD1234ABCD-567890_WJAN01234568 -> ../../sdc
lrwxrwxrwx 1 root root   9 Jun 25 21:33 ata-WDC_WD1234ABCD-567890_WJAN01234569 -> ../../sdd
# ... and so on ...

Once you re-write the script, you should end up with something like this:

#!/bin/bash

declare -a drives=("WDC_WD1234ABCD-567890_WJAN01234567" "WDC_WD1234ABCD-567890_WJAN01234568" "WDC_WD1234ABCD-567890_WJAN01234569") # add more here

for drive in "${drives[@]}"
do
    hdparm -W 1 /dev/disk/by-id/ata-"$drive"
done

Stick it in your “User Scripts” and set the schedule, and you should be good to go!

UnRAID encryption auto-start

Wed, 22 Jun 2022 00:00:00 GMT

You want to start your encrypted UnRAID array automatically after a reboot. Normally you’d follow the procedure outlined in this thread, but what if you didn’t want to run another SMB share? What if you didn’t want a server that constantly serves the password file, unprotected?

Well, here’s another solution you can opt for.

Procedure

On another computer on the same network as the UnRAID server, create and run the following Python script:

main.py:

#!/usr/bin/env python3
from os.path import exists
import http.server

# Define settings here
PORT = 9999
PASSWORD_FILE_NAME = "password.txt" # in current directory
TIMEOUT = 300   # in seconds

# Read or get password
if exists(PASSWORD_FILE_NAME):
    print(f"Password file {PASSWORD_FILE_NAME} exists, reading password from it")
    with open(PASSWORD_FILE_NAME) as password_file:
        PASSWORD_TO_SEND = password_file.readline().strip()
else:
    from getpass import getpass
    print("Password file does not exist. Please enter one now.")
    PASSWORD_TO_SEND = getpass()

# Set up webserver
class RequestHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(s):
        s.send_response(200)
        s.send_header("Content-Type", "text/plain")
        s.end_headers()
        s.wfile.write(str.encode(PASSWORD_TO_SEND))

httpd = http.server.HTTPServer(('', PORT), RequestHandler)
httpd.timeout = TIMEOUT
httpd.handle_request()

Some notes:

Create a password.txt file in the same directory as the script and save the encryption password there.
Set the timeout longer than the time it takes your UnRAID server to reboot.
If you want to manually enter the password and not have it saved as a text file on your other computer, just delete the password.txt and the script will prompt you to enter a password when it runs.

Modify the UnRAID flash so that it fetches the key from your other computer.

(Special thanks to @bonienl on the UnRAID forums for the original script. I’ve tweaked it slightly for it to work with this alternate solution.)

If you have the USB stick mounted on another computer, you can omit the /boot/ part from the file path.

Edit /boot/config/go and add/modify the following lines:

# ...snip...

# Copy scripts to emhttp event directories
install -D /boot/custom/keyscript/fetch_key /usr/local/emhttp/webGui/event/starting/fetch_key
install -D /boot/custom/keyscript/delete_key /usr/local/emhttp/webGui/event/started/delete_key

# Set execute permission
chmod a+x /usr/local/emhttpd/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttpd/webGui/event/started/delete_key

# Start webGUI
/usr/local/sbin/emhttp &

Create /boot/custom/keyscript/fetch_key:

#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  curl other-computer:9999 > /root/keyfile # Make sure to substitute port here if you changed it!
fi

Create /boot/custom/keyscript/delete_key:

#!/bin/bash

rm -f /root/keyfile

Now, when you need to reboot your UnRAID machine, remote into your other computer, execute the Python script, and reboot. Upon reboot, the UnRAID server will get the encryption password from your other computer and unlock and mount the array automatically.

Here’s a script that does the above automatically for you:

#!/bin/bash

# Start encryption password server script
python3 main.py &

# SSH into server and issue reboot command
# Make sure to change hostname to correct value
ssh root@unraid-server-hostname reboot

Troubleshooting

Bonjour issues

If you get an error about either the UnRAID server or the other computer not being able to find the host, your network may not support hostname-based discovery. To mitigate this, give your machines (both your UnRAID server and your other computer) a static IP, and use static IPs in the scripts instead.

Benefits

Here are some of the benefits with this approach compared to other solutions:

The password is only exposed to the local network for a brief period, instead of a server constantly running that exposes the password. Once the timeout is reached, the script that emulates a simple HTTP server terminates.
If someone gains unauthorized access to your UnRAID server and can inspect the contents of the flash drive, they will be able to tell that the server fetches the password from the other computer in order to start up, but they will not be able to know what the password is (unless, of course, the server is already running, then in which case they can simply inspect the memory).
If someone gains unauthorized access to your other computer, they will be able to tell that there is a script that serves the password to the UnRAID server, but they will not be able to know what the password is, unless you’ve opted to save the password as a text file. In that case, you can simply lock the computer remotely and they will not be able to access the password.

Downsides

You may want to review a couple of flaws with this approach:

The communication between your other computer on the network and the UnRAID server is unencrypted. Normally this shouldn’t be an issue on your home network with trusted devices only, but if there is an eavesdropper on your network then they can intercept your encryption password. Consider reviewing your network security before implementing this.
This requires another computer to be on and accessible on the same network as the UnRAID machine. If your UnRAID server has, for example, your DHCP server, then this approach will not work as the UnRAID server won’t be able to reach your other computer until it has the array started. To mitigate this, ensure that your UnRAID server is not responsible for any part of your network stack.
The password file sits on your other computer unprotected. You can mitigate the potential risk by typing in the password every time instead of keeping it saved.

Conclusion

As I was writing down this blog post I realized that if you already have access to another computer on the same network as the UnRAID server, you could simply access the WebUI and type in the password after the UnRAID server starts up. So this approach is stupid, right?

Well, this approach will also work for computers where you don’t have graphical access to (such as a headless machine without VNC/RDP access). You will still be able to reboot the server by running this script before rebooting.

As this approach is a bit risky in terms of security, you should carefully evaluate your network security and your threat model before you deploy it.

[Update: Blocked] Use a different launcher on Vivo phones

Mon, 20 Jun 2022 00:00:00 GMT

The problem

Vivo phones come with this weird restriction where you cannot change the default launcher… without signing into a Vivo account.

You can try and change the default launcher. But even though the menu looks like it will let you, as soon as you hit the home button, the default launcher will be reset to Vivo’s own.

…but I don’t want to create a Vivo account and have no intentions of giving over any data to Vivo, and even if I could make a burner account I find the entire process to be too much hassle. Instead, we’re going to force the phone to accept another default launcher, dammit!

(Note: this was tested on the Vivo Y93, the only Vivo phone I have right now. Fortunate because it’s the only crappy Vivo phone I’ll ever own, unfortunate because this was not my decision and because it’s a leftover phone obtained from a family member. If I don’t find an alternative use for this phone, it’s basically e-waste. This may not work on all Vivo phones and if the process fails the device will be soft-bricked! Be careful and proceed at your own risk!)

The solution

Step 1: Install a different launcher, like Nova Launcher. I downloaded the APK from apkmirror.com and installed it with ADB, since Chinese phones do not have the Google Play Store. (I’m pretty sure I can somehow wrangle it on there, but I don’t think I want to, since that would involve logging in with my Google account, and I don’t want to on this device.)

Step 2: Enable developer options and run:

adb shell pm disable-user --user 0 com.bbk.launcher2

(Note: the package name com.bbk.launcher2 may be different if you are using a different Vivo phone. Also, the command may fail if they patched out this method in newer phones. In that case, you may be out of luck :( )

Step 3: The Vivo default home launcher will now be removed, and hitting the home button should bring up a menu showing you which launcher you’d like to set as default. Select the different launcher you installed in step 1 and make sure the “Make default” checkbox is checked.

Done! Screw you, Vivo.

Update

As of October 21st, 2022, this method is now blocked. Disabling the built-in launcher will result in an infinite loop of selecting the default launcher, which will make the phone unusable. The only way back is to either restore the built-in launcher through adb or through a factory reset.

Properly install Docker on macOS

Mon, 06 Jun 2022 00:00:00 GMT

TL;DR: You want to run

brew install --cask docker

to install Docker Desktop, not anything else. Read on for more information.

First I tried:

brew install docker docker-compose

and the command finished successfully. So I ran docker --version and docker-compose --version and both commands correctly displayed their respective version strings.

So I went inside a directory with a docker-compose.yml file and tried to start up the services with docker-compose up -d, but then Docker complained that it couldn’t find a daemon running. So I wasted twenty minutes checking if Homebrew had a service I could enable, or if there was some other way of starting the Docker daemon.

Turns out, the command brew install docker only installs the Docker client, not the server service required to actually run the Docker Engine and all the stuff underneath. That’s not available on macOS, because it’s not Linux, and doesn’t support all the containerization technology that Linux has, like cgroups and what not. The workaround that the Docker team came up with is to run a minimal version of Linux on a VM that the Docker client can communicate with.

So we need to run the following:

brew install docker-machine
brew install --cask virtualbox

to install the Docker Machine scripts and VirtualBox, which the Docker Machine scripts rely on. This requires a system reboot, because VirtualBox still uses kernel extensions. Um, okay, then. Time to save all my work and reboot.

Now we need to create a machine the Docker daemon can run on. So I ran:

docker-machine create --driver virtualbox default

But the command errored out after a while with a VBoxManage: error: Code E_ACCESSDENIED. So I dug deeper. It turns out that Docker Machine was deprecated sometime in September 2019, so we shouldn’t use it.

Okay, what then? Well, we use Docker Desktop, which is available as a Homebrew Cask and has (apparently) support for the new Apple Silicon-based Macs.

So we remove all the nonsense I did for the past couple of hours:

docker-machine rm default   # press `y` to accept
rm -rf .docker              # Be careful! Make sure there's nothing in .docker/ you wish to keep
brew uninstall docker-machine docker docker-compose virtualbox

And we now install the correct Docker Desktop Cask:

brew install --cask docker

So we got Docker working, right? Well, yes. But I really wanted to use just the Docker engine and not Docker Desktop, because Docker Desktop is proprietary and subject to license agreements with the corporation behind Docker. Only the Docker Engine is open-source and free to use, but it’s not available on macOS.

In the end, you’ll have to either use Docker Desktop on your macOS development machines, or set up another Linux instance that you can run Docker containers on.

Update: since writing this post I’ve come across the colima project, which aims to provide container runtimes on macOS through QEMU. It’s not perfect and still being actively developed ~~and doesn’t have support for Apple Silicon Macs yet~~, which is why I won’t detail them here in this post. But it is definitely a project you should keep an eye on. I might switch to this once it matures.

Update 2 (2025-11-01): A reader reached out to let me know that Colima now has support for Apple Silicon Macs! Thanks to Wolf Eggers for the heads-up.

Netflix hates my HDMI dongle

Thu, 19 May 2022 00:00:00 GMT

Just a warning to anybody trying to mirror Netflix using Apple’s Digital AV to Lightning adapter: it won’t work.

(There used to be a tweet embedded here but it’s gone as I deleted my account.)

Thanks, Netflix DRM!

Update

The Netflix CS team sent me a couple of replies since the initial tweet. In case you’re wondering what the Netflix team did, mostly nothing at this point. They contacted me via Twitter DM and told me they are “investigating,” and that they had forwarded my “report” to the “Research Team.” I haven’t heard back from them as of writing this (May 20th, 2022). I will update this post accordingly if I hear back from them.

Terminal incognito mode

Sat, 13 Nov 2021 00:00:00 GMT

Sometimes you have to run a bunch of commands that you would rather not get saved to your terminal history, such as commands that manage GPG keys, for example. In which case, the following snippet might be useful for you.

Add the following to .zshrc if you use zsh, or .bashrc (or even .bash_profile) if you use bash:

function incognito() {
    unset HISTFILE
    export PROMPT='[INCOGNITO] %n@%m %1~ %# '
}

You may need to edit PROMPT to say PS1 depending on the terminal you are using. I’ve borrowed the PS1 prompt from the default set on macOS. Edit to your liking and OS defaults if desired.

Now, when you run incognito, the current terminal session will not get saved to the history file. Happy coding!

If you would like an explanation as to how this works, it’s quite simple. Terminals use a history file, such as .bash_history or .zsh_history to record your previous commands so that you can bring them up with the history command or the Ctrl-R keystroke (reverse search through your command history). This is set in the HISTFILE variable, and unsetting it prevents the terminal from finding the history file, which means your current session is not saved.

Update

If you have Powerlevel10k (a ZSH theme) installed like I do, the prompt customization with export PROMPT won’t work. Thankfully, the theme is awesome, and it lets you define custom segments to put on your prompt bar.

Edit ~/.p10k.zsh and add the following to the end:

# Custom incognito segment
function prompt_is_incognito_mode() {
    if (( ! ${+HISTFILE} )); then
        p10k segment -f red -i '🥷'
    fi
}

Then find the part that defines POWERLEVEL9K_LEFT_PROMPT_ELEMENTS and add is_incognito_mode to the front (or anywhere you prefer):

  # The list of segments shown on the left. Fill it with the most important segments.
  typeset -g POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(
    # Incognito mode indicator
    is_incognito_mode
    # =========================[ Line #1 ]=========================
    # os_icon               # os identifier
    dir                     # current directory
    vcs                     # git status
    # =========================[ Line #2 ]=========================
    newline                 # \n
    prompt_char             # prompt symbol
  )

Also, you can change the incognito function in ~/.zshrc like this:

# Function for "incognito" mode
function incognito() {
    unset HISTFILE
    echo "Done! This terminal session will not be recorded into history."
}

Now, when you run incognito, you’ll be greeted by this cute little ninja:

> incognito
Done! This terminal session will not be recorded into history.

 🥷  | ~
>

FUSE mounting quirks on Linux (with VeraCrypt)

Wed, 10 Nov 2021 00:00:00 GMT

If you get a

Permission denied: file.hc

VeraCrypt::File::Open:232

error when attempting to mount a VeraCrypt volume on Linux, this is the post for you!

Why does this happen?

This usually occurs because the encrypted VeraCrypt file resides on a FUSE mount that VeraCrypt cannot access.

To explain further, FUSE is used whenever you need to mount a custom filesystem, say a filesystem based on SSH (SSHFS), or a Samba share (such as from your NAS), or from another encryption software (such as a mount from VeraCrypt itself or Cryptomator). FUSE assigns a mount point, does the complex translation between your computer and the save medium, and you can happily write away at the mount without knowing of all the details.

The issue occurs because on Linux, FUSE restricts who can access a given mount based on who mounted the volume in the first place. This applies to the superuser as well, on defaults, anyway. If this sounds complicated, just know that whoever first mounted the filesystem is the only one who can access the mount, and nobody else can.

VeraCrypt requires superuser permissions, since it tries to mount the volume at /mnt, or some other system mount directory that requires superuser permissions. Therefore, it runs as the root user. Remember the restriction from above? Even as the root user, FUSE disallows access to the previous mount that holds the encrypted VeraCrypt file, which means VeraCrypt can’t access the file to open it.

How can you solve it?

One of several ways:

Mount as `root`

You can simply mount the underlying filesystem as the root user, which will allow VeraCrypt to mount the file without any problems. Unfortunately, this has the side effect of not allowing you, the user, to actually modify any files on the underlying mount, which is cumbersome if the mount is, say, a Samba share from a NAS and you want to actually change any other file on your NAS.

Configure FUSE to allow other users (or `root`)

Add the following to your /etc/fuse.conf file:

user_allow_other

If the line exists, make sure it is uncommented so that it is enabled.

Then, when mounting the underlying filesystem, you can pass in an optional parameter that allows other users to access the mount, or the root user.

To allow other users (including root):

-o allow_other

To allow only the root user:

-o allow_root

Charging from untrusted sources

Sat, 11 Sep 2021 00:00:00 GMT

Have you ever thought about the USB ports that are available in public places? I’m talking about USB ports on the side of airport chairs, or the ones built into the table at restaurants and coffee shops.

Well, turns out plugging your devices into untrusted USB ports isn’t such a great idea. Dubbed “juice jacking” by the media, you never know if the plug is just a regular old power supply plug with only power supplying capabilities, or a sinister device with circuitry to connect to your device and siphon data off of it. Because of this, people started to buy things like USB condoms that have the data pins cut so that no data exfiltration can take place.

I thought that was quite a nice idea and was about to purchase one of these for when I’m out and about (that is, if the coronavirus restrictions lift again), then realized that these don’t make much sense. Here are the two major reasons why I think they aren’t worth looking into:

1. The ports can still be malicious, even without data pins

One way the ports can still damage your devices is by injecting a ton of voltage through the power pins of the USB port. It’s similar to a USB killer in how it works.

Your phone is only rated for a certain amount of voltage, such as 5V (most common) or 9V (fast charging), etc. Therefore, a good way to kill your device or at least fry the charging circuitry of it is to inject more voltage than it is capable of receiving. And because the voltage can be injected through the power pins, these USB condoms will have no effect whatsoever, since they only disconnect data pins.

And sure, I think having malicious ports at your local coffee shop is a bit far-fetched, but we’re talking about charging from any untrusted source, which includes actively hostile environments where adversaries have installed malicious chargers like the one described above. In this case, the USB condom won’t save you.

2. Fast charging is disabled

Fast charging on modern devices work by exchanging signals through the data pins. If I remember correctly, Apple devices use resistors across the data pins to signal the maximum amount of current the devices can draw, while Android handsets use twenty different protocols (Qualcomm Quick Charge, for example) just to figure out how to quick charge, something I won’t get into here because this blog post will become horrendously long.

But because the USB condom breaks the data pins, fast charging cannot be negotiated through these lines and therefore your devices will charge more slowly.

What’s the solution?

Use your own USB charger, or use a small powerbank as a regulator.

AC plugs obviously can’t exfiltrate data, and any voltage tampering will result in the death of your USB charger, not your phone, if your USB charger is made by a reputable company with all the safety features like fuses. And it’s obviously far more cheaper to replace a broken USB charger than your phone.

If you do not want to purchase a USB charger, or if you are in a environment where the only option is to use a USB port, then I would use a powerbank as an intermediary. Charge your powerbank from the untrusted USB port, and then charge your phone using the powerbank. Since the powerbank only works as a regulator between the device and the power source, you don’t even need to get a bulky powerbank with high capacity.

Django: Switch to custom User model mid-project

Tue, 13 Jul 2021 00:00:00 GMT

This is an overview of how you can switch to a custom User model in your Django codebase if you’re already using it in production and don’t want to lose any data.

I had to go through this process myself because I didn’t know that using a custom User model was a must, even if you didn’t need any extra fields. In fact, the Django documentation recommends it for new projects, even though the warning is not prominent in any of the quick start tutorials and guides. Maybe they can emphasize this a bit more?

Anyway, if you’re stuck in the same situation as me, here’s how to dig yourself out of the mess.

Warning

Always make sure you have a backup of your database so you can downgrade back to a stable state!

1. Locate a Django app with an initial migration

If you already have a Django app you can place your custom User model in, congratulations! Skip to step 6.

Important: this existing Django app MUST have an initial migration (something like 0001_initial.py in the migrations/ directory). It doesn’t matter if the Django app no longer has any models associated with it.

If not, let’s continue with creating a Django app.

2. Create a new Django app

Create a new Django app in your codebase with the following command:

python3 manage.py startapp accounts

You can name it whatever you want, like users. I already had an accounts app in my project, so that’s what I’ll use for this tutorial.

3. Create a fake model to create an initial migration

Go into your new app and open up models.py. Create a new fake model:

from django.db import models


class FakeModel(models.Model):
    pass

We’ll remove this model later after everything is done.

4. Create an initial migration

Run:

python3 manage.py makemigrations

You should now have an initial migration in your app. For example, my migration was in accounts/migrations/0001_initial.py with the following content:

# Generated by Django 3.2.5 on 2021-07-12 16:28

from django.db import migrations, models


class Migration(migrations.Migration):

    initial = True

    dependencies = [
    ]

    operations = [
        migrations.CreateModel(
            name='FakeModel',
            fields=[
                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
            ],
        ),
    ]

5. Release this go-between release to admins

Now, make a new release and make sure all server admins update to this version first. All instances must perform a migration on this release at least once.

The reason is because Django keeps track of what migrations it has applied. If we created a new migration that created a new table for the User model, Django would try to apply that migration, but fail because the table already exists.

To solve this problem, if we migrate all previous instances using a go-between release, and then patch the migration with the User model migration information, then existing instances will not apply the migration twice, and new instances will be able to create the User model since it’s an initial release.

6. Create a custom user model

If you came here straight from step 1, then use the app that you chose that already has an initial migration. For context, my app is accounts.

We need to now create a custom user model. Edit models.py and add the following:

from django.contrib.auth.models import AbstractUser


class User(AbstractUser):
    class Meta:
        db_table = 'auth_user'

The db_table field is important because we’re trying to seamlessly transition from the existing User model table. I recommend naming the custom user model as User as well to preserve relations in the database. Don’t worry, you should be able to rename it after this is done.

If you followed steps 1-5, your models.py should look something like this:

from django.contrib.auth.models import AbstractUser
from django.db import models


class User(AbstractUser):
    class Meta:
        db_table = 'auth_user'


class FakeModel(models.Model):
    pass

Don’t worry if you came straight from step 1 and don’t have the FakeModel model.

7. Manually patch the initial migration

Now, edit your app’s initial migration. You should see a lot of migrations for the other models in your app.

WARNING: this patch is valid as of July 13th, 2021, and with Django version 3.2.5. Newer Django versions may have different fields and migrations. To make sure, create an empty project, make a custom user model, and create an initial migration and compare it to this section. If it has been updated, then use the values from the empty project!

First, import the necessary dependencies:

import django.contrib.auth.models
import django.contrib.auth.validators
import django.utils.timezone

Under dependencies, add:

        ('auth', '0012_alter_user_first_name_max_length'),

Your dependencies section should now look like this:

    dependencies = [
        ('auth', '0012_alter_user_first_name_max_length'),
    ]

Inside operations, add:

        migrations.CreateModel(
            name='User',
            fields=[
                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('password', models.CharField(max_length=128, verbose_name='password')),
                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
                ('is_superuser', models.BooleanField(default=False,
                                                     help_text='Designates that this user has all permissions without explicitly assigning them.',
                                                     verbose_name='superuser status')),
                ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'},
                                              help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.',
                                              max_length=150, unique=True,
                                              validators=[django.contrib.auth.validators.UnicodeUsernameValidator()],
                                              verbose_name='username')),
                ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')),
                ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
                ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')),
                ('is_staff', models.BooleanField(default=False,
                                                 help_text='Designates whether the user can log into this admin site.',
                                                 verbose_name='staff status')),
                ('is_active', models.BooleanField(default=True,
                                                  help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.',
                                                  verbose_name='active')),
                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
                ('groups', models.ManyToManyField(blank=True,
                                                  help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.',
                                                  related_name='user_set', related_query_name='user', to='auth.Group',
                                                  verbose_name='groups')),
                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.',
                                                            related_name='user_set', related_query_name='user',
                                                            to='auth.Permission', verbose_name='user permissions')),
            ],
            options={
                'db_table': 'auth_user',
            },
            managers=[
                ('objects', django.contrib.auth.models.UserManager()),
            ],
        ),

If you followed steps 1-5, your migrations file should now look something like this:

# Generated by Django 3.2.5 on 2021-07-12 16:28

import django.contrib.auth.models
import django.contrib.auth.validators
import django.utils.timezone

from django.db import migrations, models


class Migration(migrations.Migration):

    initial = True

    dependencies = [
        ('auth', '0012_alter_user_first_name_max_length'),
    ]

    operations = [
        migrations.CreateModel(
            name='FakeModel',
            fields=[
                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
            ],
        ),
        migrations.CreateModel(
            name='User',
            fields=[
                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('password', models.CharField(max_length=128, verbose_name='password')),
                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
                ('is_superuser', models.BooleanField(default=False,
                                                     help_text='Designates that this user has all permissions without explicitly assigning them.',
                                                     verbose_name='superuser status')),
                ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'},
                                              help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.',
                                              max_length=150, unique=True,
                                              validators=[django.contrib.auth.validators.UnicodeUsernameValidator()],
                                              verbose_name='username')),
                ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')),
                ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
                ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')),
                ('is_staff', models.BooleanField(default=False,
                                                 help_text='Designates whether the user can log into this admin site.',
                                                 verbose_name='staff status')),
                ('is_active', models.BooleanField(default=True,
                                                  help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.',
                                                  verbose_name='active')),
                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
                ('groups', models.ManyToManyField(blank=True,
                                                  help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.',
                                                  related_name='user_set', related_query_name='user', to='auth.Group',
                                                  verbose_name='groups')),
                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.',
                                                            related_name='user_set', related_query_name='user',
                                                            to='auth.Permission', verbose_name='user permissions')),
            ],
            options={
                'db_table': 'auth_user',
            },
            managers=[
                ('objects', django.contrib.auth.models.UserManager()),
            ],
        ),
    ]

8. Enable the custom user model in settings

In your settings.py file, add:

AUTH_USER_MODEL = "accounts.User"

Remember to change accounts to your app name!

9. Create an empty migration

Now, we need to make one last migration in order to finalize the move to the new custom User model. Execute:

python3 manage.py makemigrations --empty accounts --name change_user_type

while substituting accounts with your app name. Django should create a new empty migration for you. For context, my migration was in accounts/migrations/0002_change_user_type.py.

10. Edit the empty migration

Add the following function to the top of your migrations file (below the imports):

def change_user_type(apps, schema_editor):
    ContentType = apps.get_model('contenttypes', 'ContentType')
    ct = ContentType.objects.filter(
        app_label='auth',
        model='user'
    ).first()
    if ct:
        ct.app_label = 'user'
        ct.save()

Then, under operations, add:

      migrations.RunPython(change_user_type),

When you’re done, your migrations file should look something like this (with the dependencies section being the only difference if you used your own app with many more migrations):

# Generated by Django 3.2.5 on 2021-07-12 16:38

from django.db import migrations


def change_user_type(apps, schema_editor):
    ContentType = apps.get_model('contenttypes', 'ContentType')
    ct = ContentType.objects.filter(
        app_label='auth',
        model='user'
    ).first()
    if ct:
        ct.app_label = 'user'
        ct.save()


class Migration(migrations.Migration):

    dependencies = [
        ('accounts', '0001_initial'),
    ]

    operations = [
        migrations.RunPython(change_user_type),
    ]

11. Migrate to new `db_table` field

You may now want to generate a migration to migrate to the default table. Edit models.py and remove the Meta class. If your User model is empty, make sure to add pass as well. Your User model should then look something like this:

class User(AbstractUser):
    pass

Generate a new migration.

If you skipped to step 6 from step 1, you’re done at this point. Just push a new release and let admins upgrade. Future migrations can be generated and applied just like before.

12. Remove the temporary fake models

If you followed steps 1-5, we need to remove the fake model we created to generate an initial migration. Edit models.py and remove the FakeModel model.

Generate a new migration, and deploy. Remember to make an announcement so that server admins do not forget to upgrade to the go-between release first and perform a database migration.

Conclusion

I tested the steps above with my own Django project, which uses PostgreSQL for the backend and Docker for deploy orchestration. The migration went without a hitch and I was able to keep my existing database tables without any dirty modifications.

Let me know how the steps above worked out for you in the comments below!

Credits

This blog post is based largely on this blog post from Caktus Group and the bug report on Django’s bugtracker, specifically comment 24.

Minecraft LAN advertising

Fri, 25 Jun 2021 00:00:00 GMT

While looking for a way to “announce” a Minecraft server to local players, I found this article written 7 years ago. The included Python script works with a couple of tweaks to make it compatible with Python 3:

import socket
import time

servers = [
        ["motd1", 25565],
        ["motd2", 25566]
]

BROADCAST_IP = "255.255.255.255"
BROADCAST_PORT = 4445

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)

print("Broadcasting Minecraft servers to LAN")

while True:
        for server in servers:
                msg = "[MOTD]%s[/MOTD][AD]%d[/AD]" % (server[0], server[1])
                sock.sendto(msg.encode('UTF-8'), (BROADCAST_IP, BROADCAST_PORT))
        time.sleep(1.5)

You only need to change the server array, defined at the top of the file. Save to a file like broadcast_to_lan.py, and run with python3 broadcast_to_lan.py.

Thanks to kebian for the original script!

Why I returned the iPad Smart Keyboard

Thu, 24 Jun 2021 00:00:00 GMT

After spending about five minutes with the iPad Smart Keyboard, I decided to ship it back to Apple for a refund. Here’s why.

(The Smart Keyboard I got was for my iPad Air 3.)

Quality

When I first opened the package, I thought I had received a fake keyboard.

The “case” part of the Smart Keyboard was fine - it matched my original iPad Smart Cover’s feel and look. The material of the inner and outer parts of the “case” was identical to the original Smart Cover.

However, the “keyboard” part of the Smart Keyboard had terrible quality. I actually thought it was some sort of cheap imitation of the actual product - and then realized it was the real deal from Apple after looking at review images online. The keys are draped with this cloth-like material, which supposedly keeps out dust, but it looks and feels cheap.

Seriously. I regret not taking photos, but look up images for the Smart Keyboard online and look at the keyboard portion. The cloth-like material has a very weird texture to it, which makes it look cheap and flimsy.

Stability

Okay, the keyboard quality sucks. But maybe the keyboard works better than regular Bluetooth keyboards. After all, it connects using the connector on the iPad. It should be better, right? Right?

Nope. For the first couple of moments after attaching the keyboard, everything was fine. I could type normally and the keyboard responded properly. Then I noticed my iPad was too slanted, which caused reflections on the screen. No problem, just readjust the stand so that the iPad leans forward a bit more, and… the keyboard connection dropped.

For some strange reason, the keyboard refuses to work unless the bottom part of the iPad touches the rubber bar right above the keyboard. I thought the entire point of the Smart Connector was that it could be used at any prop point on the actual cover. So why does the keyboard stop working if I move the iPad two centimeters across to get a better viewing angle?

This is such a weird issue that I actually think my keyboard was faulty or something. The keyboard would stop working when it was tilted across. Really strange!

Key feel

Obviously, good keyboards have good “key feel,” where the keys don’t feel too spongy or tacky. While the Smart Keyboard had okay levels of key tactility, the cloth over the keys again hampered the key feel a bit.

While typing on the Smart Keyboard, I noticed a lot of missed keystrokes or duplicate keys as my fingers struggled to adjust to the weird key feel of the Smart Keyboard. Granted, I only spent five minutes with the keyboard, so it’s possible that I may have adjusted over time. Still, other keyboards provided much better key feel and comfort.

I realize that packing a good quality keyboard into such limited space like the Smart Keyboard is hard, and therefore the dimensions of the keyboard limit how good the key feel could be. However, the primary purpose of the keyboard is to type on, and if it fails at that one thing, then it’s not a good product in my opinion.

Missing keys

Speaking of keys, a lot of essential keys were missing from the keyboard.

The most important omission, in my opinion, is the Escape key, because it severely hampered development work. I use Blink to SSH into servers, and the lack of an Escape key is a real dealbreaker in many Linux programs because most expect the Escape key to be present on the keyboard, like they should. Any sane keyboard should have an escape key.

Also, the keyboard lacked any function keys, like volume and brightness control, or the button to go back to the home screen, or to control media playback. Many Bluetooth keyboards have these function keys, which makes using the iPad easier, since you don’t have to reach up to touch the iPad’s screen when adjusting settings or using the volume rocker to the side of the iPad, which is also cumbersome.

Mobility and weight

The Smart Keyboard is arguably great because it latches onto your iPad and stays available with it. However, the cost of being constantly attached to your iPad is that your iPad will get bulky to handle and carry around.

Because the Smart Keyboard attaches magnetically, it becomes harder to use the iPad in standalone mode, where you don’t need a keyboard (say, for watching Netflix). With Bluetooth keyboards, you can just pick up your iPad, whereas with the Smart Keyboard, you need to first wrestle the iPad out of the magnetic grip. Otherwise, you’re left holding a heavy iPad with the keyboard folded across the back.

I was hoping that the Smart Keyboard would be at least lighter compared to my Logitech K380, but after comparing the two in my hand I didn’t feel a significant difference. And because the Logitech keyboard is not magnetically attached to the iPad, I found it easier to use.

Price

The Smart Keyboard costs ₩199,000 here in South Korea. In comparison, the K380 costs ₩34,500, and cheaper Bluetooth keyboards retail for about ₩21,670. That’s a crazy difference. You can buy multiple Bluetooth keyboards, use them for a very long time, and still have money left over for coffee to fuel your writing sessions.

Conclusion

Judging with all of the points listed above, it’s a no-brainer: the Smart Keyboard doesn’t make sense at all. If the Smart Keyboard excelled at even just one point listed above, then an argument could be made that it’s worth it because it’s a first-party product. However, the Smart Keyboard has too many cons for it to be usable, and thus is not a good buy compared to other keyboards on the market, even if they are third-party solutions.

Speeding up invisible video players

Tue, 22 Jun 2021 00:00:00 GMT

When watching videos online, I always make sure to change the video speed to 2x if the player exposes such a control. It’s become a habit, since I can still (usually) understand everything within a video at 2x the speed, saving time.

Some players don’t expose video speed control, for whatever reason. That’s okay, because most websites nowadays use HTML5 for video playback, and the playback rate can be adjusted manually using DevTools.

However, while watching a news segment on Naver today, I went into DevTools to adjust the video playback rate and noticed that DevTools couldn’t find the video tag. Time to investigate!

How do you adjust playback speed in DevTools?

With either:

document.querySelector('video').defaultPlaybackRate = 2.0;

or:

document.getElementsByTagName('video')[0].playbackRate = 2;

(Notice the second way of speeding up the video has an extra [0] as a parameter. This is because getElementsByTagName() returns an array of elements (even if there is one element in the array) so we need to access the element in the array using [0] (get the first item in the array).)

This works 95% of the time, in my experience. But on Naver’s website, the two commands only return errors about undefined elements. So what’s going on with Naver’s site?

Testing, testing

Here’s a sample news segment that you can use to follow along. I’ll use this article in this post to show you what happened. You can try the two commands above right now if you want - they’ll spit out errors about undefined elements and won’t work.

You can see that the video playback starts when we hit the play button. So let’s jump into DevTools and look for the video tag.

Well, that’s odd! Using the picker tool to find the video doesn’t work either, because it focuses on the <div> that covers the video player. Grr!

Time to find it manually, then. I combed through the HTML file until I found the tag, buried within a thousand <div> tags:

Hmm, the video tag exists, but the find tool can’t find it. Why?

Let’s save the entire page as an HTML file, and then use a text editor and see if we can find the tag:

(Ignore the broken Korean text - this is probably because the file opened up the UTF-8 encoding instead of the proper EUC-KR encoding. As is shown above, the HTML tags survived.)

Still no! So we know now that this video player is loaded dynamically using JavaScript. My leading theory is that the browser can’t find the video element because it’s added to the DOM after the page completely loads.

But wait! Shouldn’t you be able to access the item within the console since the console executes after the page has fully loaded?

Safari time

I use Firefox as my default browser. What if this is a bug with Firefox?

Let’s test with Safari. Loading up the page and using Ctrl-F within DevTools:

Wow, Safari actually found the element! Let’s see now if the command will work:

The first command executed without any undefined errors, but didn’t have any effect on the video player (it still played at normal speed). The second command worked, however, and the video began to play back at 2x speed!

So did we uncover a bug with Firefox?

Context, people, context

Let’s go back to the Firefox console. What did we miss? Well, we missed the context in which the JavaScript debugging console ran in.

Because the website had multiple frames, Firefox decided to choose the first frame to execute JavaScript commands within. However, our video element was within another context/frame, so it wasn’t being picked up by the JavaScript console.

After choosing the correct context, the command listed above correctly picked up the video element and let me speed it up. Yay!

What did we learn today?

We learned that JavaScript in DevTools can run under different contexts, and that sometimes elements are cordoned off to specific contexts.

One area where Firefox can improve is to check other contexts if the getElement*() function fails to find elements within the current context, and ask the developer if they want to switch to a different context. Also, the button should be changed to a dropdown that clearly shows what context we are currently in.

Also, Firefox seems to have a bug where it can’t find HTML elements added to the page by scripts after the page finishes loading. Seeing as the element is correctly detected on Safari DevTools, this seems like a Firefox bug.

(P.S. Naver should really, really add speed controls to their video players.)

C pointer double-free fix on macOS

Tue, 13 Apr 2021 00:00:00 GMT

While debugging a C program I wrote today, I kept getting this error:

main(44466,0x10ae7ce00) malloc: *** error for object 0x7000000000000000: pointer being freed was not allocated
main(44466,0x10ae7ce00) malloc: *** set a breakpoint in malloc_error_break to debug
zsh: abort      ./main test_cases/test_1.html output.txt

For some strange reason, using lldb I was unable to reproduce the issue. Or that’s what I thought - after running the program on lldb multiple times, it actually stopped at the malloc_error_break breakpoint I set.

Unfortunately, the stack trace that lldb gave me didn’t really say exactly what line caused the double-free. I tried running the program on gdb, but the program refused to crash on the Linux instance. When I forced a crash by repeatedly running the program over and over, the stack trace there was also unhelpful, and valgrind didn’t report anything particularly interesting.

Well, on macOS, clang (LLVM compiler) comes with AddressSanitizer, which can be used to figure out exactly where the program is crashing. So I re-compiled my program using clang with the AddressSanitizer flag enabled:

clang -g -fsanitize=address -o main_debug main.c (... rest of the source files ...)

And then ran the program. The AddressSanitizer immediately showed me the stack trace I was looking for:

ericswpark@Erics-MacBook-Pro Project % ./main_debug test_cases/test_1.html debug_output.txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==44732==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000102e04b98 bp 0x7ffeece1ba20 sp 0x7ffeece1b9f0 T0)
==44732==The signal is caused by a READ memory access.
==44732==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x102e04b98 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)+0x48 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6b98)
    #1 0x102e4732a in wrap_free+0x10a (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4932a)
    #2 0x102de8131 in html_tag_free main.c:278
    #3 0x102de7f7c in stack_pop main.c:298
    #4 0x102de79e5 in main main.c:219
    #5 0x7fff203b9620 in start+0x0 (libdyld.dylib:x86_64+0x15620)

==44732==Register values:
rax = 0x0000000000000002  rbx = 0xbebebebebebebebe  rcx = 0x0000000000000003  rdx = 0x0000000000000000
rdi = 0xbebebebebebebebe  rsi = 0xbebebebebebebebe  rbp = 0x00007ffeece1ba20  rsp = 0x00007ffeece1b9f0
 r8 = 0x00007ffeece1ba30   r9 = 0x0000000000000001  r10 = 0xffffffffffffffff  r11 = 0x00000fffffffffff
r12 = 0x0000000000000001  r13 = 0x0000000000000000  r14 = 0x00007ffeece1ba30  r15 = 0x0000000102ea2d40
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6b98) in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)+0x48
==44732==ABORTING
zsh: abort      ./main_debug test_cases/test_1.html debug_output.txt

This showed me the error was on line 278 of my main.c file. Sure enough, the problem was because I wasn’t setting one of the character arrays in a struct variable to NULL when I was creating it. The following code block:

if (var->chararr)
{
    free(var->chararr);     // error here
    var->chararr = NULL;
}

checked to see if var->chararr was NULL, but since I didn’t set it to NULL on initialization, went ahead and freed whatever poor address space that ended up in that pointer.

So the next time you run into a weird memory bug with your program, use AddressSanitizer included with clang to figure out exactly what part of your program is the problem!

Google Photos and iCloud Photos

Sun, 07 Mar 2021 00:00:00 GMT

Here are some of the things I learned while using Google/iCloud Photos:

Moving from iCloud Photos to Google Photos

This is really easy if you still have your iDevice around.

Turn off iCloud Photos. When asked, select to download all photos/videos back to your device in original quality. If you don’t do this, photos/videos that you upload to Google Photos will be the “optimized” version, which means it will look like crap.
Download Google Photos.
Turn on Google Photos backup and wait until all the photos/videos are backed up to the cloud.
Once done, uninstall Google Photos and delete your photos/videos from iCloud Photos if you wish.

The other way

Unfortunately, going the other way around is a difficult process, which is really, really ironic.

Don’t use Google Takeout

My first attempt at moving photos/videos from Google Photos to iCloud Photos involved Google Takeout to first export the photos. Unfortunately, Google Takeout is a steaming pile of garbage, in that it actually discards all of the media metadata when exporting your archive.

Well, not quite discard. Rather, they’ll “split” the metadata into a separate .json file that sits next to your original file with the same file name. And frustratingly, some photos and videos do in fact preserve metadata - while still having a separate .json file outlining the duplicate metadata. For other photos and videos, the metadata is mangled, and the date of the metadata is set to the archival date.

~~Sure, I could probably make a script to “merge” the metadata back into the media files.~~ Don’t need to, see below. But why does Google do this metadata-stripping in the first place? What about people that can’t write up scripts when they export their files? This is horrible!

Another catch with this method is that it won’t preserve some “live photos” - although this is probably more of an Apple bug than a Google bug. In short, if your photos are in JPG/PNG format and your “live photos” video is in MP4, then it will merge cleanly back into a “live photo” once you import the two files back into the Photos app on your Mac. However, if your photo is in a HEIC/HEIF format, then Photos will create two separate entries and not merge the photos and videos back into a “live photo.”

So if you’re the poor soul who didn’t know any of these gotchas and used Google Takeout to import your photos and videos into iCloud, you’re in for a very nasty surprise. When I tried this method, my photo library got completely messed up - some of the photos surfaced to the top because of the incorrect date set in the metadata, and a lot of duplicate entries were created because of the HEIC/HEIF bug.

Update: Apparently, there already is a Python script that merges the metadata for you. Unfortunately, it doesn’t support HEIC/HEIF, so my point still stands - don’t use Google Takeout.

Moving from Google Photos to iCloud Photos

With that, here is the actual process of moving from Google Photos to iCloud Photos:

Grab an iDevice and turn on iCloud Photos.
Download Google Photos.
When asked, do not enable automatic backup.
Hold your finger on an entry for 2 seconds and then drag down to select multiple items. Do NOT select more than a couple files! Or else, the download will hang and never complete. Also, do not mix file types, as that will also cause the download to hang. Yes, the Google Photos app sucks.
Once you have selected the media to export, click on the “Share” button and then select “save to device.” Weirdly, unlike the web version, there is no “Download” option under the 3-dot menu.
Google Photos will start saving your photos/videos to your device.
Once the downloads are all done, uninstall Google Photos. Do NOT delete the photos on the Google Photos app, as doing so will wipe the photos from your device and subsequently iCloud Photos as well! Instead, if you want to do a full migration and delete photos from Google Photos, then delete the app first, and then log into the web interface and delete the photos that way.

This method, unlike Google Takeout, will preserve the correct metadata and will also merge together all live photos properly.

Unfortunately, the Google Photos app also has a couple of bugs here. First, I noticed the download and export process is horribly buggy and painfully slow. Every couple downloads, I would get a “Trouble Saving. Try again later” message. (This usually happens if I mix file types - as in, regular photos, live photos, videos, panoramas, burst shots, etc.) Now, that would be okay if Google Photos really couldn’t save my photos - I could just try again. Unfortunately, that error is a lie as well, as Google Photos does save a couple of photos from the selection before quitting. So downloading the same selection results in duplicates.

The download progress bar doesn’t help at all during the download, as it swings back and forth wildly as it moves between the different files. Sometimes, it gets stuck and never moves, only to abruptly finish or give me an error message. Why not make a progress bar with the total set to the size of the selected photos and not each photo? I don’t care if the progress bar is not linear, but it shouldn’t go backwards, at least!

And like I said above, the download process is slow. Sometimes, it hangs. When that happens, I need to cancel, and check which photos Google Photos felt like downloading during each attempt, and then deselect those before restarting the process.

The second bug I came across: any burst photos you may have in your library will not be saved. To save burst photos, you have to open the photo, and then select a frame, and then hit download, and then select another frame, and then hit download… and do this for all of the frames of the burst shot. The burst shot will show correctly in the Photos app, but this is seriously annoying!

The last bug I encountered is probably the nastiest one: Google Photos will silently corrupt some HEIC/HEIF photos. This is why the checklist above mentions turning off backup and sync. If backup and sync was on and a corrupted version was saved locally, then you would have been absolutely screwed if Google re-uploaded the corrupted file. I noticed that this bug mostly occurs if the photo was edited before. If a file becomes corrupt, it will show up as an “empty” photo on the Photos app, and there will be an exclamation mark at the bottom right corner of the photo. Tapping it will produce the following message: “An error occurred while loading a higher-quality version of this photo.” Unfortunately, re-downloading from Google Photos will not fix this problem.

Fortunately, I did find a workaround - launch the Photos app on macOS, right-click on the photo, and then select “Revert to original.” This removes any modifications you may have made, but at least the photo becomes normal again. Wait for it to sync back over to your other iDevices.

Why, Google Photos, why?!

Which one is better?

I had the opportunity to use both services, since I frequently go back and forth between iOS and Android for app development. I thought Google Photos would just beat iCloud Photos, given that it’s available on both Android and iOS, but after that horrible experience exporting photos, now I’m not so sure.

Most of my family members use Apple devices, so really it’s just a matter of not wanting to pay extra for two services. I think I’ll probably go back to iCloud Photos and keep Google Photos around as a sync solution to transfer photos/videos taken on Android devices back to iCloud Photos. The Google One membership isn’t very expensive, but in Korea the membership doesn’t even bundle other Google services, so it makes more sense to cancel it and use the 15 GB of storage as a temporary offloading space.

In my opinion, you will most likely be stuck with whatever option you choose now, as these services will probably get more and more restrictive about users leaving as time goes on. And if your entire family uses one service, then the gargantuan process of getting everybody to move across to another platform will be extremely daunting.

I heard Google Photos has more features regarding photo/video management, and that kind of matched my experience. But all the while I was using Google Photos, I didn’t really like the idea of letting Google take care of my photos library. I know I’m probably just being paranoid, but Google is an advertising company first after all, and letting them train their AI models on my photos/videos just doesn’t feel right.

I know moving to iCloud Photos is just shifting the problem to Apple, and hoping they won’t go manic one day and do a 180 on their privacy stance, but I just feel more comfortable on iCloud than on Google Photos. I’m not really sure why. And obviously, some people will not care about this at all - after all, if it backs up photos and videos in case you break your phone who would say no?

Personally, I would still recommend iCloud Photos, because it’s just really easy to back up iCloud Photos. Yes, you should back up your photo library, even if it is being synced to an online service. If you don’t have multiple copies of something, you don’t have it backed up. Worst case scenario, every datacenter owned by Apple and Google go poof and you should still have access to your photos. With iCloud Photos, Time Machine automatically backs up your entire photo library as long as you check “Keep originals” in the Photos app. With Google, there is no backup option. There is no desktop app, and you’ve seen how messy Google Takeout is at exporting all of your original photos. I think this is the one aspect where iCloud beats the pants off of Google Photos, and the one aspect that really, really matters to people that want to keep the photos in their original condition.

All in all, it’s a toss up. Choose wisely because switching later will be hard.

Can I use both?

Yes, but do a bit of setup first:

Only install Google Photos on one of your iDevices. Or, only activate the backup feature on one of your iDevices.
On that same iDevice that you activated the backup feature on, make sure to go into iCloud settings and select “Keep Original.” If you use the “optimized” option, then the photos and videos uploaded to Google Photos will look like crap.

The caveat here is that photos you take on Android or upload to Google Photos won’t automatically transfer over to iCloud Photos. So you’ll have to manually download new media on Google Photos every once in a while.

If you disable the backup feature on Google Photos, then the reverse won’t work as well, but the media that were previously uploaded will stay on Google Photos. Obviously, you won’t be able to view your photos/videos on iCloud on Android. On desktops at least, you can use the web browser to access iCloud, but the interface is still a bit clunky in my opinion compared to a regular native app.

Things to do before sharing videos

Sun, 28 Feb 2021 00:00:00 GMT

Compress the video

A popular chat app in Korea, KakaoTalk, limits video size to 300 MB or less. A video I was trying to send was about 418 MB with a resolution of 4K. Unfortunately, KakaoTalk won’t automatically convert your video to fit the size limitation, which is a shame, but thankfully ffmpeg can help you compress your video.

Run the following:

ffmpeg -i video.mp4 -crf 24 output.mp4

Experiment with the number after the -crf flag. 24 reduced my 418 MB video down to about 122 MB. Higher values will create smaller video files but reduce quality, and vice versa.

Scale down the video

If that’s not enough, you can scale down your video to decrease the file size. Use:

ffmpeg -i video -vf scale=xxx:xxx output.mp4

Where xxx denotes the video size. Make sure the original video dimension is divisible by this value. For example, my video is a 3840 by 2160 video. To scale it down to a 1080p video, I would use the dimensions 1920 by 1080 (divide by half). My ffmpeg parameter would therefore be scale=1920:1080.

After the resize, the video size dropped down to 36 MB, which is more than acceptable for my needs!

Strip location metadata

If you shot your video on your phone or a GPS-enabled camera, then your video may have location metadata embedded. You don’t want to leak your home address or anything like that if you’re sharing your video on the Internet.

ffmpeg also has a flag to strip out the location metadata (seriously, ffmpeg developers are awesome!) Run the following:

ffmpeg -i video.mp4 -metadata location="" -metadata location-eng="" output.mp4

This strips out the location metadata from your video.

Persistent access with SSH keys

Mon, 01 Feb 2021 00:00:00 GMT

Picture this: you got your new machine set up with your development tools. You fire up a Terminal, SSH into your work’s server, and… it asks for your password. Panic sets in as you realize that you decommissioned away the old machine, along with the old SSH keys. You must now remember that password to that server - a password you seldom typed in thanks to your SSH keys - or if the SSH daemon installed on that particular server disallows password-based authentication, be forced to do the call-of-shame to your colleague or the administrator of the server to let you back in.

Humiliating! Embarrassing. And most importantly, annoying.

So what if there was a way to enable persistent access to a given server or machine? What if you didn’t have to go around updating every single machine with your new SSH key?

In this blog post we’ll go over how we can do just that!

1. GitHub

The first thing you have to do is make sure that your GitHub security is top-notch. Because anybody who gets access to your GitHub account will have access to all of your servers.

So make sure your GitHub account has a strong password, preferably set with a password manager, and make absolutely sure to enable 2FA.

Once you’ve done that, go over to Settings > SSH and GPG keys, and add your SSH keys here. This is where you will add all of your SSH keys and the new SSH keys you generate whenever you get a new machine or environment to work in. You only need to update GitHub, and the other machines will follow.

Done? Now let’s move over to the server or machine you want persistent access to.

2. Script

Remote into the target server, and start!

Make a script, update-ssh.sh, wherever you like in your home directory. Paste in the following:

Make sure you replace “ericswpark” with your GitHub username.

So what does this script do? Well, it fetches your public keys from your GitHub profile, and saves them to the authorized_keys file in your .ssh directory. Then it sets the relevant permissions to make sure that the SSH daemon will not reject the file, since the daemon will ignore authorized_keys files that have too open permissions.

Set the script as executable and try running the script. Afterwards, you will be able to log into the server without actually manually adding your new SSH key.

But we want to automate this, so that whenever you add a new key on GitHub, it syncs to all of your servers.

3. Automate

To make this script run periodically, we’ll use crontab.

Don’t know how to use crontab? Me too! Let’s just go over the basics.

The basic syntax of crontab is as follows:

20 * * * * ls

The first column is minutes, which has a range of 0 to 59, and the second column is hours, which has a range from 0 to 23. The third column is the day of month (1 - 31), the fourth column is the month (1 - 12), and the final column is the day of week (Sunday 0 to Saturday 6). A wildcard value matches to all possible values in that range.

Therefore, the crontab entry above will run every hour at 20 minutes (so, 2:20 PM, 3:20 PM, and so on).

There’s also patterns to make crontab entries repeat (/2 means every 2 units, and so on), but it’s not supported by all Linux distros, so be careful when using them!

Some enthusiasts will preach about systemd tasks, but I think cron is more prevalent (not so sure, don’t quote me). I haven’t seen a system yet that doesn’t have cron. But of course this is an option if you prefer systemd.

So still in that same target server, run crontab -e. A editor should pop up. In the last line, create the following entry:

42 * * * * ~/update-ssh.sh >> ~/update-ssh.sh.log

Change 42 to a random number between 0 and 59, to help lessen load on the server.

Wait, why don’t we just refresh every minute?

The reason I set the crontab here to refresh every hour is because I don’t want to put unnecessary strain on the server or GitHub’s servers. We don’t usually update SSH keys all that often, but we want to strike a balance, because if the interval is too long then we might as well just remote in with our password and change the keys ourselves. An hour is a reasonable interval that won’t put too much strain on the servers involved. You can set it to a shorter interval, say 5 minutes, if you change SSH keys frequently, but do keep in mind that you may be rate-limited.

The log pipe is not strictly necessary, but it’s good to have in case things go wrong.

The crontab entry means that your SSH keys will be updated each hour at the random minute you specified.

Conclusion

The next time you update your SSH keys, update them on GitHub, wait until an hour has elapsed, then remote in to your usual server!

Thanks for reading! I hope this blog post helped you out.

MSI laptop USB-C charger design problem

Mon, 11 Jan 2021 00:00:00 GMT

If you have a recent MSI laptop with a type-C port, this might be relevant to you.

I discovered that my Creator 15M laptop wouldn’t connect to some USB-C devices. Specifically, my USB-C hub and my phone would never get recognized by the port, but my external SSD (Samsung’s T5) would mount properly.

Weirdly, the devices that would not get recognized did receive power. The USB-C hub showed the indicator light for power, and my Note 20 Ultra showed a “Check your charger connection” warning, but no “Would you like to allow this computer to access your data” prompt.

I first thought this was some driver issue, and spent a couple of hours diagnosing with Device Manager, deleting USB controller drivers, re-installing the Nvidia driver (because the Device Manager mentioned something about Nvidia’s type-C policy controller), and so on and so forth. But then I realized it couldn’t be a driver issue because my phone connected fine with a type-C to USB-A cable. So it was a USB-C problem.

I tried calling into MSI’s support line, but the agent on the other end was extremely unenthusiastic. His response was (paraphrasing): “if the type-C port is outputting power, then it’s out of our hands.” Even though I tried explaining the symptoms, he just said it’s probably a compatibility issue and hung up.

Out of options, I sent a ticket via the MSI’s support website. The response finally solved the problem.

Turns out, it’s a design failure. MSI’s laptops’ USB-C ports do not support Thunderbolt (that I knew), but they also do not support power delivery or display output.

So because my type-C hub had a USB-C port for charging the device it was connected to, and a HDMI port for display out, it would not work with the type-C port on the laptop. Similarly, my Note 20 Ultra would not connect with the laptop because it supported USB-PD and the laptop didn’t.

I’m not sure how much of it is true, but it does explain the weird issue I’m having. It would also explain why the external SSD gets recognized, since it doesn’t need to support USB-PD. It’s weird that connecting a device that supports USB-PD to a port that doesn’t support power delivery would disable the data lines, but that’s what the reply from MSI’s support team implies.

This really sucks, because the Creator 15M has two type-C ports and two USB-A ports, but the type-C ports are so gimped and unusable they may as well not exist. It’s going to get annoying real fast as more and more devices and accessories support USB-PD. If this is something that they can fix via a software/firmware update that would be great, but as they clearly said it’s a design choice I doubt it’ll ever get fixed.

Porting Samsung's Galaxy Note 3 Neo

Sun, 11 Oct 2020 00:00:00 GMT

For the past couple of weeks, I’ve been trying to port the Samsung Galaxy Note 3 Neo over to support modern TWRP versions and ROMs. Right now, the device only has a couple of ROM zips and TWRP builds that are all dirty-ported - as in, the images were unpacked and patched by hand. Which means they all run like absolute crap. The TWRP build is old - made back in the KitKat era with a version tag of 2.8.7.0 - and poorly ported, resulting in broken graphics and buttons.

Tip #0 - compiling is always better than patchwork porting, because you can get reproducible results every time you build, rather than a hodge-podge of things that may break at any time.

Porting Finding the kernel

First off, I spent way too much time thinking I would have to use the GPL kernel dump from Samsung, and tried to figure out exactly what kernel revision Samsung based their kernels off of. Because Samsung only provides you with a tarball and not the git repository, you need to run a script to brute-force-find the revision. But that takes too long!

Luckily, @Jackeagle from Team Bliss pointed out LineageOS already has a kernel for Samsung MSM8974 devices. Oh, so that’s compatible? Let’s use it!

Tip #1 - most SoC kernels (think samsung_msmxxxx or oneplus_msmxxxx) are compatible with your device. Someone might have done the hard work of finding the revision for you!

I forked the repository over to my GitHub and copied the lineage_hltekor_defconfig file so that I could start with lineage_frescoltekor_defconfig.

So far so good. What’s next?

Tweaking the defconfig

Next, I enabled the frescoltekor defconfigs.

CONFIG_SEC_FRESCO_PROJECT=y
CONFIG_SEC_LOCALE_KOR_FRESCO=y
CONFIG_MACH_FRESCOLTEKTT=y

When you do this, remember to turn off the hltekor defconfigs (or whatever device you’re basing your defconfig off of).

# CONFIG_SEC_H_PROJECT is not set
# CONFIG_SEC_LOCALE_KOR_H is not set
# CONFIG_MACH_HLTEKTT is not set

Tip #2 - On Samsung devices at least, there are accompanying X_PROJECT flags that must be enabled/disabled along with your device flags.

Then I tried a build. The build failed. That’s OK. What did I fail on? I2C issues. @pivcer from Team Bliss told me I was missing the proper NFC I2C flags. So I enabled them (while disabling the hltekor flags):

# CONFIG_BCM2079X_NFC_I2C is not set
CONFIG_SEC_NFC_I2C=y
# CONFIG_SEC_NFC is not set
CONFIG_NFC_PN547=y

Tip #3 - read the error messages! Often, it will tell you what variable is missing or what is double-defined. Then you have to grep -r "variable_name" . in the source and find what module the code is in, then figure out what flags you need to enable/disable in the defconfig to get it to properly build.

Then I tried rebuilding. The build failed. OK, what’s next?

Weirdly, I ran into a situation where the build system wouldn’t find a defined variable:

CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 6 of arch/arm/crypto/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 28 of arch/arm/mach-msm/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 55 of mm/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 40 of fs/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 15 of crypto/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 36 of block/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 22 of lib/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 24 of drivers/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 6 of sound/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 6 of arch/arm/oprofile/built-in.o is not in EXIDX output section
/home/users/ericswpark/arm-linux-androideabi-4.8/bin/arm-linux-androideabi-ld: warning: unwinding may not work because EXIDX input section 37 of net/built-in.o is not in EXIDX output section
drivers/built-in.o:leds-max77803.c:function max77803_led_get_en_value.part.0: error: undefined reference to 'led_flash_en'
drivers/built-in.o:leds-max77803.c:function max77803_led_get_en_value.part.0: error: undefined reference to 'led_torch_en'
drivers/built-in.o:leds-max77803.c:function max77803_led_probe: error: undefined reference to 'led_torch_en'
drivers/built-in.o:leds-max77803.c:function max77803_led_probe: error: undefined reference to 'led_flash_en'
drivers/built-in.o:leds-max77803.c:function max77803_led_probe: error: undefined reference to 'camera_class'
drivers/built-in.o:temphumidity_shtc1.c:function max77803_led_en: error: undefined reference to 'led_flash_en'
drivers/built-in.o:temphumidity_shtc1.c:function max77803_led_en: error: undefined reference to 'led_torch_en'
drivers/built-in.o:leds-max77803.c:function max77803_led_remove: error: undefined reference to 'camera_class'
Makefile:889: recipe for target '.tmp_vmlinux1' failed
make: *** [.tmp_vmlinux1] Error 1
ericswpark@buildbox:~/android_kernel_samsung_msm8974$

I spent a long time debugging this, but ultimately whittled it down to one module that wasn’t being built. This module was the Qualcomm MSM camera module, and it wasn’t being built because the configuration file left out my device flag. Adding the device flag solved the issue.

Tip #4 - Sometimes, your kernel tree may ship broken. Then it is up to you to make patches like the above. Don’t assume the kernel will work because it’s a GPL dump direct from the manufacturer or because it’s heavily used by a ROM team!

So with those patches, the build succeeded and I got a zImage file. Yay! What’s next?

Porting TWRP

I followed much of the same procedure for TWRP. I forked the hltekor device tree and based my modifications off of that. I copied the prebuilt kernel that I built earlier and tried a build.

If you try this yourself, you will probably get errors. That’s OK. Read what the errors are on about and make tweaks to your makefiles.

Yes, this is a very boring process. It took me weeks because I was getting so disappointed at the constant build failures. I really thought I would never finish.

When I finally got TWRP to compile fully it was really exciting, although not as exciting as when I fixed that stupid camera module bug detailed above in the kernel.

So what’s next?

Fin (for now)

Unfortunately, this is where my attempt draws to an end. Once I tried flashing the images, the phone wouldn’t boot with the new custom kernel I built.

My wild guess is some of the hltekor touchscreen drivers are conflicting with the Note 3 Neo hardware (the Note 3 Neo has a 720p panel while the Note 3 has the 1080p panel, so maybe they have different touchscreen chips and panel configurations).

To help debug, I tried pulling /proc/last_kmesg, but it didn’t provide any useful information. I’m guessing the kernel isn’t even getting loaded properly, which is pretty weird because even if it’s a driver issue it should still get me something. I’ve looked around for a debug cable I can use to possibly get serial access, but because I don’t have access to my soldering kit right now I guess it will have to wait.

So this is as far as I will get for now. If you want to try this process yourself, all of the device and kernel trees are available on my GitHub. Please do let me know via email if you find a fix!

Thanks to the MSM8974 kernel maintainers and the hltekor maintainers over at LineageOS for the base tree, and thanks to the members over at the Linux Kernel chat over at Telegram and the team members at Team Bliss for helping me with the kernel compilation.

Android kernel: use the proper toolchain

Mon, 05 Oct 2020 00:00:00 GMT

While trying to build an Android kernel from source, I ran into the following error:

  LD      drivers/net/built-in.o
  LD      drivers/usb/gadget/g_android.o
  LD      drivers/usb/gadget/built-in.o
  LD      drivers/usb/built-in.o
  LD      drivers/built-in.o
  LD      vmlinux.o
  MODPOST vmlinux.o
ERROR: modpost: Found 13 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
To build the kernel despite the mismatches, build with:
'make CONFIG_NO_ERROR_ON_MISMATCH=y'
(NOTE: This is not recommended)
/home/users/ideaman924/android_kernel_samsung_msm8974/scripts/Makefile.modpost:98: recipe for target 'vmlinux.o' failed
make[1]: *** [vmlinux.o] Error 1
Makefile:947: recipe for target 'vmlinux.o' failed
make: *** [vmlinux.o] Error 2
ideaman924@build:~/android_kernel_samsung_msm8974$

Strangely, using different defconfigs or other kernel sources all led me to this weird modpost section mismatch error. I researched the issue and found some Stack Overflow posts, none of which were very helpful. Here are some of the posts I read:

But this was a well-established kernel source straight from LineageOS. I thought code being broken straight from LineageOS’s repositories was unlikely, so I looked around some more for another solution.

Turns out, it wasn’t a code problem, but rather a toolchain problem. @mochi_wwww from the Linux kernel chat on Telegram figured out that I was using the incorrect toolchain - I had been using a completely outdated toolchain from several years ago. So embarrassing.

Now, to my defense, the reference Android kernel building guide links to that toolchain. I just didn’t know that it was outdated. Using the proper toolchain magically solved the problem.

So now you know - if you ever run into these weird errors above, try using the correct toolchain for your kernel. It is usually shown in AndroidKernel.mk if you are using kernel sources from LineageOS. Don’t be an idiot like me and spend hours debugging a code problem that isn’t really a code problem!

Securely wiping Android devices

Mon, 28 Sep 2020 00:00:00 GMT

This post was last updated on January 26th, 2021. (Added information about the awipe project.)

When you sell your old Android devices, you want to make sure that your personal information is unrecoverable. On devices with proper flash firmware, the data cells are wiped with a delete command when you wipe the device from recovery. But how do you know that the firmware is doing what it’s supposed to be doing?

I searched for ways to securely wipe Android devices, but all the answers conflicted with each other. Some people said a factory reset through recovery was enough, while others said an encryption process was required before factory resetting, as the encryption process encrypts free space, leaving no data to be recovered. And some answers were more bleak, suggesting readers to just physically destroy the device if the data in question was extremely sensitive.

So, ordered in increasing levels of paranoia, here are all the ways of securely wiping your Android device.

Method 1 - Just wipe

If you have a recent Android device that is encrypted straight from the factory, just wipe!

If your device shipped with Android 10, then it must support FBE (file-based encryption).

To see if your device is encrypted with FBE, check for the following props: ro.crypto.state and ro.crypto.type set to file.

Method 2 - Encrypt and wipe

If you have a semi-recent Android device that supports FDE (full-disk encryption) then encrypt and wipe.

To see if your device is encrypted with FDE, check for the following props: ro.crypt.state.

Method 3a - dd

Original from this Reddit comment

Reading this comment I remembered most Android devices ship with a rudimentary version of Busybox, which includes the dd utility.

Thus, to quickly fill the device with pseudorandom data, one would simply run:

adb shell
cat /dev/urandom > random_file

Or, if you’re just as paranoid as the above Redditor, you can run multiple passes:

for i in 0 1 2 3 4 5 6 7 8 9; do cat /dev/urandom > $i; rm $i; done

Personally, I don’t really see the benefits of running this multiple times, given that flash memory can wear out, and I haven’t seen any articles about data being recovered from wear-leveling cells.

Method 3b - app

I had some free time and decided to turn method 3 into an app that users can run to overwrite free storage space.

There are a lot of apps on the Play Store that claim to do the same thing - but I can’t really trust them because they are proprietary. So I wrote an app myself that does mostly the same thing.

It’s called awipe, and it works by randomly generating data and writing it to a file on the internal storage. So functionally, it is the same as the dd command above.

The app is better than the other solutions for the following reasons:

You don’t need to enable USB debugging
You don’t need a computer around
The app can be sideloaded via a OTG adapter and a USB drive. Unlike Play Store apps, awipe does not require you to sign in with a Google account, as you can sideload it. Once it’s done overwriting free space, just wipe the entire device and no PII will remain.
The app shows you the progress, unlike dd
The app is open source
You don’t need to memorize that dd command
Everything happens on-device

Method 4 - Physical

If you are really, really paranoid and you want to remove any possibility of data recovery, then physically destroying the device would be an option.

If you know how to open up the device and would like to recycle the other components of your device, then grab a drill and make a hole in the flash chip. Refer to iFixit or teardown videos to see where those chips are located. Alternatively, remove the battery and burn the device.

Repasting my MacBook Pro

Mon, 18 May 2020 00:00:00 GMT

This is going to be a short article, because I forgot to record anything or take photos. I was going to initially disassemble the entire thing, then reassemble it, then start recording again as I went through the process. In reality, I only disassembled it once and vowed myself to never do it again because it is that complicated.

There are at least 4 different screw types, not to mention the countless ribbon cables scattered here and there that make disassembly a complete nightmare. Also, Apple had the smartest idea of putting the retaining screws of the heatsink on the other side of the logic board, which means re-pasting your laptop requires you to disassemble the entire thing.

So, this is the only photo I managed to take (enjoy!):

Gotta love that overboard Apple engineering 😀

But I think the trouble was worth it in the end. The stock thermal paste was all dried up and nasty, resulting in the laptop idling at around 49 degrees Celsius. Now, it idles at around 40-44 degrees Celsius, which means I scored about 5 degrees Celsius out of the entire ordeal. If you want that improvement, then yeah, sure. (Just remember, I don’t assume any responsibility for your actions.)

And by the way, here is a screw organizer:

You’ll need it if you’re attempting this crazy thing. Pay attention to all the different screw types. P5 is Pentalobe, and the various types with the T- suffix are the Torx types.

Remember to stick the screws exactly where it indicates on the paper, as you’ll find different length-ed screws literally everywhere, particularly in step 1, step 6, step 7, and step 10. I used Blu-tack so that the screws wouldn’t fall off and disappear into the fourth dimension, as all screws tend to do that when I ever do a disassembly project.

Be extremely careful with the ribbon cables. They are very fragile and I almost tore some of them. Go extremely slowly, and don’t use any force whatsoever.

Good luck!

Backup your WordPress site (manually)

Sat, 04 Apr 2020 00:00:00 GMT

TL;DR – don’t use automated solutions. Do it properly and do it manually!

Create a temporary directory to work in:

mkdir backup-20200105
cd backup-20200105

Time to dump the MySQL database! It’s not that hard.

Quick note before you run this – this is assuming your MySQL installation authenticates via UNIX sockets. If you have password authentication I suggest moving away from it if your MySQL database is on the same server as your WordPress site. Less chance of things getting messed up and you don’t have to remember yet another root password that could be leaked.

sudo mysqldump --add-drop-table -u root wordpress > database.sql

If it prompts you for your sudo password, supply it. If it prompts you for your MySQL password, then you’ve done something wrong.

Now you need to copy the static files and what not. Run:

cp -a /var/www/example.com ./

The -a flag tells the cp program to copy over all attributes. It doesn’t always work, however. In my case it rewrote the www-data user to ericswpark. Nothing a simple chown can fix, though!

Time to tarball the entire thing. Back out and then run:

tar -czvf backup-20200105.tar.gz backup-20200105/

You’ll get a neat tarball you can throw on Google Drive or something like that! Wasn’t that easy?

Restoration

Get the tarball and unpack it:

tar -xzvf backup-20200105.tar.gz

Go inside, and then run:

sudo mysql -u root wordpress < database.sql
cp -a example.com /var/www/

Restore permissions if required. Done!

GPG - The Complete Crash Course

Tue, 25 Feb 2020 00:00:00 GMT

Let’s jump right in with:

Creating a key

To create a key, run:

gpg --gen-key

If that command does not guide you through the interactive process: selecting key size, key type, and what not — then run:

gpg --full-generate-key

You should see the following:

gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/Users/ericswpark/.gnupg' created
gpg: keybox '/Users/ericswpark/.gnupg/pubring.kbx' created
Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection?

Press Enter. RSA and RSA is fine.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

For keysize, I recommend 4096 bits. Type 4096 and press Enter.

Please specify how long the key should be valid.
        0 = key does not expire
    <n>  = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
Key is valid for? (0)

Now, the best practice is to set a expiration date for your key. But GnuPG also has another feature else in case you don’t want to repeat this key generation process every couple of years: creating subkeys, where you just create more and more keys with your “master” key. We’ll go more into subkeys below, but for now you can just leave it to never expire. Press Enter.

Key does not expire at all
Is this correct? (y/N)

GnuPG warns us that the key won’t expire. Type y, and then Enter.

GnuPG needs to construct a user ID to identify your key.

Real name:

This part should be easy. Just fill out your information, like so:

Real name: Eric Park
Email address: me@ericswpark.com
Comment: https://ericswpark.com/
You selected this USER-ID:
    "Eric Park (https://ericswpark.com/) <me@ericswpark.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Press o, and then Enter. (If you want to change anything, just type the letter in parentheses for the field you want to change, and then press Enter!)

GPG should now prompt you for the passphrase. Type it in, then press Enter. You will need to do this twice. This will be the safeguard against anyone breaching your computer and taking the key. They won’t be able to use the key without the passphrase. (This does NOT mean, however, that you should not revoke your key. If you notice your key has been compromised, revoke the key immediately.)

Then GPG should start the process of generating your public/private key pair. This warning should come up:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

If your computer is fairly modern and fast, this process should only take 30 seconds or so. Just shake your mouse pointer around until the terminal prompt changes to this:

gpg: /Users/ericswpark/.gnupg/trustdb.gpg: trustdb created
gpg: key 56F399E7A57D6E5D marked as ultimately trusted
gpg: directory '/Users/ericswpark/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/ericswpark/.gnupg/openpgp-revocs.d/475C562EBC0520048AE79ADD56F399E7A57D6E5D.rev'
public and secret key created and signed.

pub   rsa4096 2019-12-20 [SC]
    475C562EBC0520048AE79ADD56F399E7A57D6E5D
uid                      Eric Park (https://ericswpark.com/) <me@ericswpark.com>
sub   rsa4096 2019-12-20 [E]

Congratulations! You created your first GPG key.

Listing available keys

To see your available keys, run:

gpg --list-keys

This should print something like:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/Users/ericswpark/.gnupg/pubring.kbx
------------------------------------
pub   rsa4096/56F399E7A57D6E5D 2019-12-20 [SC]
    475C562EBC0520048AE79ADD56F399E7A57D6E5D
uid                 [ultimate] Eric Park (https://ericswpark.com/) <me@ericswpark.com>
sub   rsa4096/2698CAAB8C3C9C8C 2019-12-20 [E]

Note that some distributions and operating systems may not show the key ID in full. To see the correct output, run this:

gpg --list-keys --keyid-format long

You can also use short, if you have a small number of keys and don’t want to type out the entire UUID!

Publishing your key

To give your key to others, you must first publish your key.

First, you need to find your public key ID. To do this, run the command from “Listing available keys.” In the output, find this line:

pub   rsa4096/56F399E7A57D6E5D 2019-12-20 [SC]

Anything after rsa4096/ should be different for you. That, 56F399E7A57D6E5D, is your public key ID.

Then send it off to the keyserver!

gpg --send-keys YOUR_PUBLIC_KEY_ID_HERE

Following the syntax above, I would run:

gpg --send-keys 56F399E7A57D6E5D

Receiving published keys

If you followed the steps above to publish your public keys, then it should be simple for others to retrieve your keys and start using them to encrypt data for your eyes or verify something is actually made by you.

Publish your key ID somewhere, maybe in a blog (hint, hint). Then others can just download your key using this command:

gpg --recv-keys PUBLIC_KEY_ID_HERE

So for people to get my key ID (note that this is NOT my actual key, it’s just for this tutorial, look at my GPG page for the actual public key), they can just run:

gpg --recv-keys 56F399E7A57D6E5D

If GPG throws an error, it could be that the key is not available. Search for the key:

gpg --search-keys PUBLIC_KEY_ID_HERE

Like this:

gpg --search-keys 56F399E7A57D6E5D

Using custom keyservers

If you just run gpg --send-keys or gpg --recv-keys without any other parameters, GnuPG usually uses the default keyserver, which is at hkps://hkps.pool.sks-keyservers.net. You can see that this URL is a bit unique: rather than https, it now reads hkps. hkp and hkps is what GnuPG uses for the keyserver locations.

For example, when I had to verify my Manjaro .iso, I had to download the keyfiles of Philip Müller, the project leader, from a different keyserver. Their wiki gives the address of: hkp://pool.sks-keyservers.net

So to use a custom keyserver, just specify it as a parameter:

gpg --keyserver hkps://keyserver.url.here <parameters you want to run>

So, to fetch Philip Müller’s key, I had to run:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 11C7F07E

Note that the --keyserver parameter must be typed before the other parameters.

As of 2019, the default SKS keyserver that GPG uses seems to be dead. Read this article from First Look Media to learn more.

They recommend using the keys.openpgp.org keyserver to upload keys, which uses the Hagrid backend for serving keys. Apparently this is better since the SKS backend has a number of vulnerabilities being abused right now.

Creating a revocation certificate

This step is needed for when you accidentally expose your private key. Maybe you accidentally sent the wrong key file when sending your public key to your friend (this is why we use keyservers, like shown above)

Execute the following command:

gpg --gen-revoke PUBLIC_KEY_ID_HERE > PUBLIC_KEY_ID_HERE_revoke.asc

So for me, it would be:

gpg --gen-revoke 56F399E7A57D6E5D > 56F399E7A57D6E5D_revoke.asc

That command will produce something like the following output:

sec  rsa4096/56F399E7A57D6E5D 2019-12-20 Eric Park (https://ericswpark.com/) <me@ericswpark.com>

Create a revocation certificate for this key? (y/N)

Press y and then Enter to confirm.

Please select the reason for the revocation:
    0 = No reason specified
    1 = Key has been compromised
    2 = Key is superseded
    3 = Key is no longer used
    Q = Cancel
(Probably you want to select 1 here)
Your decision?

Press Enter to accept defaults, unless you have a specific reason behind the revocation.

Enter an optional description; end it with an empty line:
>

This part is optional. Continue by pressing Enter.

Reason for revocation: Key has been compromised
Is this okay? (y/N)

Press y and then Enter to confirm.

GPG will then ask you for your passcode to sign this revocation certificate with your private key. Type in your passcode, and then press Enter.

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Fun fact: Mallory is an alias the GPG community gave for “bad actors”. The more you know! Also, if you are confused about the term “ASCII armored output”, check out this section explaining the differences between regular GPG files and ASCII-armored GPG files.

Finally, save the revocation certificate somewhere safe. This can be used to completely wipe out your key pair and render it useless, as the message warns above. Some paranoid people even print the ASCII-armored output and when it’s time to use them, they utilize OCR software to read the printout! But that’s probably overkill.

Revoking the key

Get the certificate you generated in the section above. Let’s locally revoke your key first:

gpg --import PUBLIC_KEY_ID_HERE_revoke.asc

So I would run:

gpg --import 56F399E7A57D6E5D_revoke.asc

Then follow the steps in “Publishing your key” again to update the public key in the keyserver and let others know your key has been compromised. Note that once the changes have been published, you will not be able to stop the revocation locally.

Un-revoke the key

You can un-revoke your key only if you haven’t pushed the revoked public key to a keyserver.

Let’s make GPG forget that you requested the revocation:

gpg --expert --delete-key PUBLIC_KEY_ID_HERE

For me it would be:

gpg --expert --delete-key 56F399E7A57D6E5D

The --expert parameter allows you to delete the public key only.

gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/56F399E7A57D6E5D 2019-12-20 Eric Park (https://ericswpark.com/) <me@ericswpark.com>

Delete this key from the keyring? (y/N)

Type y, and then Enter to confirm.

Now we need to download the clean public key from the keyserver, that hasn’t been marked as revoked. Follow the steps from “Receiving published keys” for this process.

Alternatively, you could also import a local copy of the public key, if you had a backup available with the key not being marked as revoked.

Importing keys

Importing keys is also crucial. You will use it all the time to get keys from other sources (in case you don’t trust keyservers).

Fortunately, this process is fairly simple. You just need a GPG file, or an ASCII-armored GPG file. They usually have the following extensions: .gpg, .asc, or .key.

Run the following command:

gpg --import KEY_FILE_NAME.asc

What is ASCII-armored?

ASCII-armored basically means it’s in text form and not in a binary format. This makes it useful, for example, when you’re sending the file over email.

Usually, you can force ASCII-armored by appending the parameter --armor to your command - this will ensure your file is editable via text editor (not that you would ever want to edit something outputted by GPG).

Signing keys

This is also part of the key management process. Don’t worry, we’re getting to the fun part of encrypting, decrypting, and certifying data, but this part may actually be more fun to you.

I first have to explain the “web of trust.” Quite honestly, I like this model better than the “Certificate Authority” model that SSL uses.

Do you know how you get the padlock on your browser, next to that URL? That green padlock is letting you know that the site you’re visiting is actually the site you want, and that the contents are encrypted in transit.

To do this, the site owner must get an SSL certificate from a root authority, such as Let’s Encrypt, Comodo, DigiCert, and so on. Out of these providers, Let’s Encrypt is the only one that does this for free, but the reason they can provide it for free is that they are a) sponsored by a lot of charitable organizations, and b) because the signing window is small (i.e. you can only have it signed for like 3 months or so.) Also, Let’s Encrypt relies on an automated way of verifying websites, saving costs.

So why are the rest of those providers asking for money for SSL certificates? Well, every time they give out the SSL certificates, the providers need to make sure that they’re giving the certificates to the actual owner of the website. Bad stuff can happen if they accidentally hand out SSL certificates for the wrong owners/servers, something that has definitely happened in the past. When this happens frequently, browser developers typically de-list the specific root authority that is causing problems, so the providers have a lot of incentive to verify owners properly.

Of course, there’s that entire issue of governments spying on their citizens by installing rogue root authorities, but that’s not in the scope of this article. What I’m trying to point out here is that this model is horrible. It’s horrible because you’re relying on that one central authority to be the “good guys” and not create certificates for people that don’t deserve them.

To counter this, a different model that GPG uses is the “web of trust”. You’ll see why it’s called a web in a moment. Let’s say I have a friend, A. I know who A is as I’ve met him in person, so I sign A’s key. Later, A meets B, a close friend of A but a complete stranger to me. B asks A if A can sign his key. Because A trusts B, A does the same, and signs B’s key. Now, A suggests to me that I should host a party with B. Since I don’t know B, I need to share contact information with B. I go to B’s website and find B’s public key. Now I know I can trust B, because B is trusted by A, and I trust A.

This model works wonders because the more keys you sign, the more keys they sign, the higher this level of confidence that the keys belong to the right person. This is why it’s called a web of trust. When put together, the entire system looks like a web:

< From https://en.wikipedia.org/wiki/Web_of_trust >

People even host real-life parties to sign keys! Of course, that doesn’t mean you should just sign any random stranger’s key… You should always verify their identity!

< From https://xkcd.com/364/ >

The process is simple - you note down your public key ID on paper (you usually do not bring your computer containing your key pair since that can increase the chances of your private key being leaked) and attend a key signing party. During the event, you write down as many public key IDs as you can, provided that you have verified each individual’s identity first. Afterwards, you come home, you receive the keys, and then you sign them:

gpg --sign-key PUBLIC_KEY_ID_OF_STRANGER

And then you publish them again to reflect that you trust the key. (Note that you should publish their public key, NOT your public key.) Warning: if their key was not published in the first place, publishing them may be rude, so you should always ask for the key-owner’s permission.

For example, if I wanted to sign that Manjaro developer’s key, I would type:

gpg --sign-key 11C7F07E

This would result in the following output:

pub  rsa2048/CAA6A59611C7F07E
    created: 2012-05-05  expires: never       usage: SC
    trust: unknown       validity: unknown
sub  rsa2048/320011450576724A
    created: 2012-05-05  expires: never       usage: E
[ unknown] (1). Philip Müller (Called Little) <philm@manjaro.org>


pub  rsa2048/CAA6A59611C7F07E
    created: 2012-05-05  expires: never       usage: SC
    trust: unknown       validity: unknown
Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A  8C70 CAA6 A596 11C7 F07E

    Philip Müller (Called Little) <philm@manjaro.org>

Are you sure that you want to sign this key with your
key "Eric Park (https://ericswpark.com/) <me@ericswpark.com>" (56F399E7A57D6E5D)

Really sign? (y/N)

Type y, and then Enter. GPG will ask you for your password. Type it, then press Enter to sign the key.

Remember that you may also need to update their “trust level”. (Down below)

Key signing party guide

Do not bring your computer. This increases the chances of your computer getting infected with key-stealing malware, or you accidentally misplacing your private key. Just publish your public key, jot down your public key ID somewhere, and then bring that to the event.
For friends, just sign their keys. For strangers (like if you are at an international event or something), verify their identity with something like their passport, and make sure their identification papers are not forged.
You can always batch-sign keys after the key signing event. Weird, right? Yeah, the actual key signing happens after the event.

What is trust?

Trust, in GnuPG, is this mental note you put down in your own keyring, noting down how “trustworthy” an individual is.

Let’s say I have this great nerd friend that will only sign responsibly by verifying all identities before signing. I’ll give this friend a higher trust value because I believe that this friend will make good decisions.

Compare that to a key signing event, where I’m signing the keys of complete strangers. I don’t even know if they’re responsible or not - I’ve only just met them! Therefore, when I sign their key, I assign them a trust value of unknown, or 1.

Note that if you sign someone’s key, their default trust value will be 1 - or unknown. This is usually what you want, unless you really trust the individual to make good decisions.

To edit someone’s trust value, use this command:

gpg --edit-key SOMEONES_PUBLIC_KEY_ID

Then type trust, and Enter to edit their trust value. Press Enter to save the trust value, and then type quit to exit the application.

Backing up your keys

If you lose your key pair, horrible things can happen. And these events are all too common. Dead hard drive, lost USB, computer blows up, et cetera. Let’s prevent a catastrophe!

If you want to be lazy, just back up the entire .gnupg directory. There you go, keep that safe. But if you want a more thorough approach, run:

gpg --export-secret-keys --armor KEY_ID > KEY_ID_secret.asc

This should save your secret key to the file KEY_ID_secret.asc. Back it up somewhere safe.

For added convenience, also back up your public key. This is not strictly required, but deriving the public key from the private key is annoying:

gpg --export --armor KEY_ID > KEY_ID_public.asc

Note that if you ever re-import your keys, you may have to set their trust level to 5 again to let GPG know that the keys are yours.

Subkeys!

Subkeys are basically smaller keys made from your master key file. You can play a bit loose with them, because even if they get exposed you can easily revoke them with your master key.

Run the following command to edit your master key:

gpg --edit-key YOUR_KEY_ID

This will result in the following output:

gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/56F399E7A57D6E5D
    created: 2019-12-20  expires: never       usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/2698CAAB8C3C9C8C
    created: 2019-12-20  expires: never       usage: E
[ultimate] (1). Eric Park (https://ericswpark.com/) <me@ericswpark.com>

gpg>

Let’s add a key using addkey:

Please select what kind of key you want:
    (3) DSA (sign only)
    (4) RSA (sign only)
    (5) Elgamal (encrypt only)
    (6) RSA (encrypt only)
Your selection?

You probably need two subkeys: one for signing, and one for encrypting. There’s already a subkey for encrypting, so for now, I’ll show how to create a signing subkey. Type 4 and then press Enter:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Again, we will use 4096 here.

Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
    <n>  = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
Key is valid for? (0)

Enter again, key does not expire (again, you can just revoke them if you lose them). If you need a temporary key that needs to expire, use the syntax above to set a time limit for them. For example, if you want them to expire after 3 months, then type 3m. But for now, I’ll accept the defaults:

Key does not expire at all
Is this correct? (y/N)

Press y, and then Enter.

Really create? (y/N)

y again, and then Enter. It should ask you for your passphrase, and then warn you about entropy, and then create that beautiful subkey:

sec  rsa4096/56F399E7A57D6E5D
    created: 2019-12-20  expires: never       usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/2698CAAB8C3C9C8C
    created: 2019-12-20  expires: never       usage: E
ssb  rsa4096/CFE50DE6144F5CA0
    created: 2019-12-20  expires: never       usage: S
[ultimate] (1). Eric Park (https://ericswpark.com/) <me@ericswpark.com>

gpg>

You can see the subkey right there, with the ID CFE50DE6144F5CA0! Now we need to save the changes. Type save, and then Enter.

To export the key and use it somewhere else, type:

gpg --export-secret-subkeys --armor CFE50DE6144F5CA0! > CFE50DE6144F5CA0_subkey.asc

The exclamation mark is extremely important. Without it, you will be exporting ALL of the subkeys, which might not be what you want (for example, you wouldn’t want to export your decryption subkey to a sensitive computer!)

Then on the target computer, type:

gpg --import CFE50DE6144F5CA0_subkey.asc

To import the subkey! If you want to revoke it at any time, just edit your master key again, and then type revkey. Finally, publish your changes to the keyserver.

To delete your main keyring, run:

gpg --delete-secret-key KEY_ID

Note that this also removes your keyring (be careful!)

Keeping keys updated

Keys constantly change. People may sign keys, revoke them, or even generate new ones! So to keep your keyring up-to-date, it’s a good idea to run this periodically:

gpg --refresh-keys

This also updates your public key, if you’ve published them on a keyserver.

Now pat yourself on the back if you’ve come this far, as we will now get into how to actually utilize those keys!

Encrypting files

You need the other person’s public key for this. Type the following command:

gpg --encrypt file.tar.gz

GPG will prompt you to enter the user ID. Enter their name if their name is unique in your keyring, or their public key ID.

You can also specify it with the parameters:

gpg --encrypt file.tar.gz -r "Eric Park"

Remember, you can ASCII-armor your GPG file here!

Decrypting files

This one is easy, since your private key file is already there. Run the following command:

gpg --decrypt file.tar.gz.gpg

Or .asc, if the file is ASCII-armored.

Signing files

Depending on how you want to sign a file, there are a couple of options. If you want to make a compressed, signed file, run the following command:

gpg --sign file.tar.gz

This command will create either file.tar.gz.gpg or file.tar.gz.asc, depending on whether or not you supplied the --armor flag.

When you send your recipient the file, you just need to send them the file.tar.gz.asc file. They can verify it using the command below, and decrypt (unpack) it using the command above, without the need for your private key. (This is because the file is merely compressed and signed - it’s not encrypted with your public key.)

However, this method has problems. What if you are sending an email, and want your recipient to be able to read it immediately, without decrypting the file?

Well, you can send your recipient a cleartext file signed with your key:

gpg --clearsign file.txt

This is used when you’re sending plaintext documents, like emails. The plaintext message is first shown, and the signature follows shortly after.

That’s great and all, but what about big files? You don’t want to necessarily create another file for the signature that will take up just as much as the original file! This is where “detached” signature files come in. Most Linux distributions and other big library/framework projects use this method for distribution. You create a detached signature using this command:

gpg --detach-sig file.iso

“Wait,” you say. “What’s the difference between this and the first command?”

The first command compresses the entire file, signs it, and then spits out a GPG file based off of that. This means that transport becomes easier, because the signature and the file becomes one file. However, the method requires you to pack the file and spend resources making a new file, and the method requires the recipient to use as much resources to unpack the signature file to get the original file.

However, this “detach” command creates a signature file that is only a couple of kilobytes in size. This in turn is used to verify the original file. This is what you see when you see files on Linux distribution websites - “Ubuntu.iso” and “Ubuntu.iso.sig” or “Ubuntu.iso.asc”. The latter two verifies the first file, and they are only a couple of kilobytes in size.

In comparison, if you used the first command to generate the signature, GPG will actually warn you that the signature is NOT a detached signature, and therefore GPG has no way of verifying the original file. You will have to unpack the signed file and then compare checksums between the two file to make sure they are not tampered with. But at that point you don’t need to download the original file. This is why the first command should be reserved for files of small size.

TL;DR - Clearsign for emails and plaintext files, detach for big files (like .isos), and finally compress and sign for regular files (couple of megabytes).

Verifying files

gpg --verify file.tar.gz.gpg

Conclusion

Thanks for following along on this long article! I hope you learned a thing or two about GPG and keys and signing and encryption.

Setting up Duplicacy on UnRAID with Backblaze B2

Sun, 10 Nov 2019 00:00:00 GMT

In this post we’re going to look at Duplicacy, a tool that allows you to backup large amounts of data to any storage provider.

So what is Duplicacy?

Duplicacy is a backup/restore tool for servers. They have a free CLI version and a paid GUI version, but you probably only need the CLI tool unless you’re extremely scared of the terminal.

Big warning before we begin

Duplicacy expects sole access to the backup destination. That means, if a backup is running and you issue a prune command on another server, it may result in a loss of ALL of your data! Always make sure that only one instance of Duplicacy is operating at a given moment.
RAID is not a backup. If someone tells you they have a bulletproof backup solution with RAID only, you have the right to laugh in their face.
If you can’t restore it, you don’t have it. If you have everything stored on Amazon Glacier and your house burns down, you’ll probably spend all your money on a new house, not for downloading your music stash from Glacier. Always make sure the backup is in an easily-accessible medium and make sure to test your backup so that you don’t have trouble restoring it later.

Onto the guide!

Steps to install

Now, UnRAID boots off of USB drives, which means that if you just blindly copy your Duplicacy executable to a system folder, the changes will be lost on next boot. So we need to install Duplicacy on a persistent partition, and then copy it across.

Navigate to your USB drive on your UnRAID server:

cd /boot/config/plugins

Download the Duplicacy executable:

wget -O duplicacy https://github.com/gilbertchen/duplicacy/releases/download/v2.2.3/duplicacy_linux_x64_2.2.3

Now it’s very certain that there is a new version by the time you are reading this article. Simply go to the releases tab on GitHub, right click on duplicacy_linux_x64_xxx where xxx is the version number, and select “Copy link location” (may vary depending on browser). Then paste it after wget -O duplicacy.

Then, make the necessary changes in your go file to copy over the executable on every boot. Type the following two lines at the end of /boot/config/go:

# Copy duplicacy
ln -s /boot/config/plugins/duplicacy /usr/local/bin/

This should symlink the executable to an executable location every time UnRAID starts up.

You’re done! Reboot the machine (or run ln -s /boot/config/plugins/duplicacy /usr/local/bin/) and make sure you can run duplicacy -h in your terminal.

Setting up a Duplicacy “repository”

You need to get Duplicacy to init a new “repository”. This means you’re marking what you want to back up. Duplicacy will create a new hidden folder called .duplicacy in your current directory.

duplicacy init repositoryname b2://servername-duplicacy -e

So what does this mean? Let’s go over this:

Let’s say we’re currently in /mnt/user, so we’re backing up everything underneath it. For example, Duplicacy will back up /mnt/user/Movies, /mnt/user/Music, and so on.
init tells Duplicacy we want to set up a repository here.
repositoryname is just a name you will give to the repository. Set it to whatever.
b2:// is the protocol (Backblaze B2). You can use other protocls if you use different providers, such as sftp:// and so on.
servername-duplicacy is the bucket name you have in B2. You should already have this created before running the command!
-e tells Duplicacy to encrypt the backups.

You can actually set up duplicacy in the root folder of your shares, /mnt/user/*. This way, duplicacy stores all the configuration and other details in /mnt/user/.duplicacy/*.

Stop Duplicacy asking for keys

The next step to automation is to get Duplicacy to stop asking for your application ID and password all the time. Otherwise, you will need to manage them yourself every time you back up, which will not work in an automated environment.

Caution: If you go through with these commands, then your application keys and encryption password will be stored as plain-text inside your .duplicacy folder. Anyone with access to this folder will be able to see your keys. Only issue the following commands if you are certain that only you will have access to the server.

Run the following commands:

duplicacy set -storage b2://servername-duplicacy -key b2_id -value b2_id_here
duplicacy set -storage b2://servername-duplicacy -key b2_key -value b2_key_here
duplicacy set -storage b2://servername-duplicacy -key password -value encryption_key_here

Excluding folders and files

You may want to customize the filters file in .duplicacy/ before running the backup. Personally, I have mine set to exclude Docker volume folders, VM folders, and the Docker image (since they can always be recreated with no loss).

For the full documentation, refer to the official documentation since I don’t know regular expressions yet.

Here is my UnRAID filters file if you are interested:

-appdata/
-backup/
-VM/
-Downloads/
-ISO/
-docker.img
-libvrt.img

Automating backups

You’re almost there! We need to automate backups with User Scripts, since we all know you won’t manually remote every day to issue the command.

Download User Scripts (plenty of guides online) on your UnRAID server. You can use Community Applications for it. Once you’re there, create a script with the following:

#!/bin/bash

# https://stackoverflow.com/a/185473/1388019
lockfile="/tmp/duplicacy.lock"

if [ -e ${lockfile} ] && kill -0 `cat ${lockfile}`; then
    echo "duplicacy already running"
    exit
fi

# make sure the lockfile is removed when we exit and then claim it
trap "rm -f ${lockfile}; exit" INT TERM EXIT
echo $$ > ${lockfile}

# run the backup with default settings
cd /mnt/user
/usr/local/bin/duplicacy -log backup -threads 2 -stats

# clean up lockfile
rm -f ${lockfile}

Let’s go over this line by line. On the first couple of lines, from the line that starts with lockfile to echo $$, we set up a lockfile. In case User Scripts mess up and run the script twice (again, two instances of Duplicacy running can seriously corrupt the backup), the lockfile prevents the script from running.

Then the two lines after that start the backup, with 2 threads. Adjust to match your CPU. -stats just shows you what it’s backing up at a given moment.

Save it with an appropriate name and description, set a schedule, and let it run in the background! The backup is now completely automated!

Deleting old backups

By the way, Duplicacy will not automatically delete old backups. To do that, you must prune your backup set.

Add the following two lines in the original script, before the “clean up lockfile” section:

# Delete any backups older than 120 days. Adjust if required
duplicacy prune -exhaustive -exclusive -keep 0:120

This deletes any previous data backups older than 120 days. Adjust the date if necessary.

How do I restore?

I’m not sure because my server hasn’t crashed yet. (knock on wood)

If it ever does I will update this section. But it should just be a matter of running something like duplicacy restore in the root directory after restoring your configuration files.

To uninstall

Delete the executable over at /boot/config/plugins/duplicacy.
Edit the go file over at /boot/config/go. Remove the two lines that we added above.
Delete configuration files if required. Go to your source directory (for me it’s /mnt/user) and then delete the .duplicacy directory.
Remove the User Scripts.

Once that’s done, reboot your UnRAID server.

Find your CPU model on macOS

Mon, 29 Jul 2019 00:00:00 GMT

When you go to Apple’s website to buy a new Mac, most promotional materials say something along the lines of “featuring Intel’s 10th-generation processors with eight-cores that turbo-boost up to 3.2 GHz”. OK, but what is the CPU’s model name?! Even if you dig into Apple’s detailed spec sheets, the model number is strangely missing. Almost like they don’t want you to find what it is.

However, you can find the Intel CPU model in your Mac by running this command:

sysctl -n machdep.cpu.brand_string

This usually prints something like:

Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz

Why can’t Apple tell me this on the spec sheet?!

Update (2020): Obviously this post is no longer relevant as Apple now lists the Apple Silicon revision on their website. I guess it’d still help if you have an old Intel Mac.

Bypassing NAT with reverse SSH tunneling

Mon, 20 Aug 2018 00:00:00 GMT

Problem

I had recently moved to China, where I discovered that the carriers used CGNAT to combat the growing problem of shrinking IPv4 assignments. No surprises there, since China is literally booming with people. However, this posed a big problem for my home server and network, since in Korea I had my very own public IP address handed out to me.

But there is always a solution - and this time, the solution came in the form of SSH. Using SSH, I could forward literally any ports I wanted, from my local network, to a remote server that did have a public facing IP address.

In this tutorial, I’ll go over how to get your own remote server set up, and tunnel your very own home server to a remote server so that you could access it from anywhere.

1. DigitalOcean

You need a remote server to get started. I chose a VPS, because it is simple and easy to just spin up an instance. Hop onto DigitalOcean, make an account, link a credit card, and spin up an instance. Size doesn’t really matter - I chose the smallest instance on there, which is $5 a month.

Note down the IP address of your instance. From now on, I will be expressing this IP as XXX.XXX.XXX.XXX.

2. Server setup

Connect to your server using ssh. Do any server-maintenance stuff you need to do. I recommend this quick start article from DigitalOcean to add a sudo user to your server. After you’ve set up your server and secured it enough, proceed to the next step. I won’t be going into detail on server hardening, because that’s a topic for another day.

Then, you want to modify /etc/ssh/sshd_config, assuming you chose Ubuntu when you set up your VPS instance. Inside there, find the line named #GatewayPorts no and change it to GatewayPorts yes(remove the hash in the front and change no to yes.)

Save, exit, and type sudo service sshd restart. In theory you shouldn’t get kicked off from the server, but if you do, just reconnect. Finally, restart the server.

3. Client setup

Let’s say you have a port you want to forward on localhost, port 9000. You want to make it so that when you connect to the remote server, you could access it on port 80.

Client —> Remote server XXX.XXX.XXX.XXX (port 80) —> Home Server —> Web instance (port 9000)

To do that, on the home server type this SSH command:

ssh -nNT -R 80:localhost:9000 username@XXX.XXX.XXX.XXX

Let’s dissect this command. ssh is the program name itself, -nNT instructs SSH to not create a TTY instance (so you will NOT get a Terminal prompt), -R tells SSH we want to make a remote port forward, 80 is the port the remote server will be listening on, localhost is the IP the home server will forward requests to (in this case, it’ll be itself), 9000 would be the port that the home server would listen on, and the rest (username@XXX.XXX.XXX.XXX) is just the typical SSH details to connect to a server.

Boiling all this down to a practical example, I have a instance with an IP address of 192.168.0.102 on my local network, such as a Raspberry Pi. It is listening on port 12984 and is hosting a web server. I want to see my website pop up when I connect to the remote server, so we would have to use port 80 or even port 443. To access this through a reverse tunnel, I would have to use this command on my home server:

ssh -nNT -R 80:192.168.0.102:12984 username@XXX.XXX.XXX.XXX # HTTP
ssh -nNT -R 443:192.168.0.102:12984 username@XXX.XXX.XXX.XXX # HTTPS
ssh -nNT -R 80:192.168.0.102:12984 -R 443:192.168.0.102:12984 username@XXX.XXX.XXX.XXX # or all in one

And this would be the diagram for how it would work:

4. AutoSSH

Sure, you could type these commands out every time you want a bridge! But personally, I’m lazy, and I want a script that does it for me every boot.

That’s where AutoSSH comes in.

sudo apt install autossh

Change to fit your distribution. In this case, I’m using Ubuntu Server. Then, we need to make a systemd configuration file.

nano /etc/systemd/system/autossh-tunnel.service

Paste the following in, adapting it for your use:

[Unit]
Description=AutoSSH tunnel service
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -N -R 80:192.168.0.1:80 -R 443:192.168.0.1:443 root@server.example.com -p 22 -i /home/example/.ssh/private-key

[Install]
WantedBy=multi-user.target

Then tell systemd to look for new configuration, and then enable the configuration:

sudo systemctl daemon-reload
sudo systemctl start autossh-tunnel.service
sudo systemctl enable autossh-tunnel.service

If you want to configure how SSH connects to the server, you could utilize ~/.ssh/config:

Host example-tunnel
    HostName server.example.com
    User example
    Port 22
    IdentityFile ~/.ssh/private-key
    RemoteForward 80 192.168.0.1:80
    RemoteForward 443 192.168.0.1:443
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ExitOnForwardFailure yes

You don’t really need to specify RemoteForward here since AutoSSH will take care of that for you anyway, but I just put it there for peace of mind.

For more information, you could check out this great guide over here. I learnt a lot from that post, so thanks to the authors of that guide!

Force git to sign your commits

Sun, 13 May 2018 00:00:00 GMT

Since GitHub puts a nice shiny “Verified” next to your commits if you sign them with GPG, you might be wondering how to get on this bandwagon. Not to worry! With this one simple trick, you’ll never have to remember to type git -S, ever again!

Run the following (substitute your key in the second command):

git config --global commit.gpgsign true
git config --global user.signingkey <KEYHERE>

Did you forget your GPG keys?

gpg --list-keys --keyid-format short

Alternatively, check out my comprehensive GPG guide.

Troubleshooting

If git fails to sign your commit with the following error:

error: gpg failed to sign the data
fatal: failed to write commit object

This is usually due to gpg not being able to find the current shell to launch the password prompt on. To fix this problem, append the following line in your ~/.bashrc or ~/.zshrc, depending on what shell you use:

export GPG_TTY=$(tty)

I’ve also seen this error occur on Visual Studio Code if the terminal window’s height is too small for the prompt. Resize the terminal to be longer and it should fix the problem.

Windows

If you are using GPG4Win to manage your GPG keys, you may need to run the following line in the terminal as well:

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

This makes git use GPG4Win’s gpg.exe executable instead of the one bundled with Git for Windows.

Set up a network wide VPN using Ubuntu Server

Tue, 01 May 2018 00:00:00 GMT

As a foreigner living in China, you crave Netflix and YouTube, but hate toggling over to your VPN app over and over just to watch censored content. So waht’s the solution?

Enter the network-wide VPN gateway - your very own server that you will set up to tunnel your entire home’s network!

Prerequisites

You will need:

A VPN provider that gives out OpenVPN configurations. Other protocols will probably also work, but they are not covered in this tutorial.
A server or a VM running Ubuntu Server. Using the latest version is recommended. I used 16.04 LTS at the time of writing this blog post.
Some Linux and networking knowledge
(optional, but recommended) A router that supports setting the default gateway in the DHCP server

Without proper Linux and networking knowledge, you will have a broken LAN someday with no way to troubleshoot or debug! Make sure you know what you are doing before following this tutorial.

A router that supports setting the default gateway on the DHCP server is important. Without it, you will have to manually go around each device and set up the proper configuration so it’ll route the traffic through your new Linux router! At that point, you might as well set up the VPN on each device, but the benefit of setting this up at all without a supported router is still great that you should consider setting it up anyway. Some devices that do not support native VPN (such as the Chromecast, Roku Fire sticks, your smart robot cleaner) will now connect through the VPN through a simple configuration change.

So whether you’re serious about this, or it’s just a fun experiment, it’s definitely worth it to set it up. Just understand the risks before you move on. If any problems arise, you should be able to debug them.

VPN setup

Grab the OpenVPN file from your VPN provider. The page should also list your unique username and password for OpenVPN. Grab that too.

(NOTE: If it does not show your unique username and password, then it might be your VPN provider’s account username and password. Experiment and see if it works.)

Now, depending on your VPN provider, they will give you one, in-line OpenVPN file, or separated files consisting of the client keys and server certificates. The former is better, since you won’t have to monkey around with key configurations.

Jumping onto your VM, execute this command:

ifconfig

This will show your current network configuration. Note down the interface name on the left side. For example, my network was:

enp2s0    Link encap:Ethernet  HWaddr <obfuscated>  
            inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
            <truncated>
            
lo        Link encap:Local Loopback  
            inet addr:127.0.0.1  Mask:255.0.0.0
            <truncated>

Some things to note here. First, your Ethernet interface is enp2s0, and your IP address is 192.168.0.100. These will be important later on.

Now, let’s install OpenVPN:

sudo apt install openvpn

Once it’s installed, let’s configure it. Copy the sample configuration file:

sudo cp <VPN name here>.ovpn /etc/openvpn/<VPN name here>.conf

At this point, if you have keys included with the .ovpn file, look at the keys. They will be named like ca.rsa.2048.crt or similar, depending on what key size your VPN provider uses. Simply find the key files and copy them with this command:

sudo cp ca.rsa.2048.crt crl.rsa.2048.pem /etc/openvpn

If your provider is smart enough to provide inline certificate files (OpenVPN configuration files that have the certificates attached inside), you can skip the above command. Continue down below.

Now you might be wondering why we renamed that .ovpn file to .conf. It’s because this is the only way we can use systemd to control OpenVPN. With this change, the configuration file gets registered to systemctl, and you can enable them with OpenVPN@VPN-name-here.

Next, note down your VPN username and password in /etc/openvpn/login:

username-here
password-here

An example credential file would be something like this:

ericswpark
examplepassword12345

Save and exit. Now edit /etc/openvpn/<VPN name here>.conf and look for the following line:

auth-user-pass

Change it to:

auth-user-pass /etc/openvpn/login

Now, if you have separate key files copied from above, you will need to do one more step. Find these lines:

ca ca.rsa.2048.crt
crl-verif crl.rsa.2048.pem

And change them into:

ca /etc/openvpn/ca.rsa.2048.crt
crl-verif crl.rsa.2048.pem

And you’re done!

Before you save, there’s some additional options you might want to configure. For example, you might want to disable persist-tun if you live in an environment where Internet connection is flaky. The VPN will destroy the tunnel interface when it restarts, forcing it to use your regular censored Internet for the VPN server lookup. This is handy because the VPN server lookup will fail over a dead tunnel interface.

Find this line:

persist-tun

And put a # in front of it to disable it:

# persist-tun

If you want the server to keep the connection alive, find or add these following two lines:

keepalive 10 30
resolv-retry infinite

The last line isn’t strictly needed, because the default is infinite. The first line tells the OpenVPN client to ping the server (--ping) every 10 seconds, and restart (--ping-restart) if there is no response for 30 seconds. This has been handy because the Great Firewall of China likes to send TCP RST packets everyonce in a while. Experiment with those values if you need a more reliable connection, but I’ve found 30 seconds is pretty adequate for a smooth network drop fix without unnecessarily straining the VPN server.

Save and now, we’ll have to test the VPN server. Since I’m in China, that’s super easy! Just ping Google. If you’re in a different country where that test is inconclusive, you could check ifconfig again.

Start the client:

sudo openvpn --config /etc/openvpn/<VPN name here>.conf

If you see Initialization Sequence Completed anywhere in the logs, congratulations! Your VPN is set up correctly! Press Ctrl-C to destroy the VPN tunnel and follow along with next steps.

Setting up a static IP (optional, but recommended)

At this point, you might want to set up a static IP for your VM. This is because you don’t want IPs shifting if you decide to add the IP to your default gateway settings in your router.

Log into your router administration page. The details should be underneath the router, printed out on a sticker. If you can’t find it, then just Google your router’s manufacturer and look for the IP. If that doesn’t work, check your computer’s default gateway, because usually routers push their IP through there. If all else fails then just type in addresses like 192.168.0.1 or 192.168.1.1.

If you find the IP, remember to write it down because it’ll be important later, and click on DHCP address reservations, or something named similar. Remember your MAC address from step 0? No? Then just do ifconfig again and jot down the MAC address for your Ethernet interface.

Assign it an address, then press OK. Remember that address, Now some more configurations on your VM! Edit this file, /etc/network/interfaces and find the lines:

auto enp2s0
iface enp2s0 inet dhcp

The interface name might be different. Just change it so that it looks like this (remember to keep the interface name that was in your file, NOT the ones shown here!):

auto enp2s0
iface enp2s0 inet static
    address 192.168.0.100
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 1.1.1.1 1.0.0.1

You’re free to use any DNS nameservers you like. Personally, I like the new CloudFlare 1.1.1.1s. Remember to input the correct IP address and netmask! The IP address is the one you manually assigned on the router administration page, the netmask can be found by checking your network settings, and the gateway should be whatever it was before (check network settings on your computer) or your router’s administration IP, which is usually the default gateway on most routers.

The default gateway bit is important, because if you decide to forward the VM’s IP as the default gateway later in the DHCP push settings, your VM box will have a default gateway value set to itself. So make sure the default gateway is the current default gateway shown in your network settings.

Cool! Reboot the VM and the router and make sure both are accessible, and your Internet is working. Next!

Setting up the tunnel

First, let’s enable the OpenVPN service so it starts at boot.

sudo systemctl enable OpenVPN@<VPN name here>

Don’t write the .conf extension when you’re running this command! Then, let’s enable IPv4 forwarding. Edit this file - /etc/sysctl.conf - and find this line:

# net.ipv4.ip_forward = 1

Change it to:

net.ipv4.ip_forward = 1

Just remove that #, save and move on.

Next, reload sysctl!

sudo sysctl -p

Congratulations! Now we need to configure the firewall and routing.

`iptables`

This part is extremely hard, probably the hardest in this tutorial. I don’t even understand most of it, but will try to explain it as best as I could.

First off, we want to allow the loopback traffic through the loopback device. Execute these two commands:

sudo iptables -A INPUT -i lo -m comment --comment "loopback-input" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback-output" -j ACCEPT

Then, we want to allow traffic coming in from the network, and traffic going out to the tunnel network. (If you don’t know these or forgot from earlier, run the VPN using the command way above, and run ifconfig to figure out the interfaces.) Execute these commands, making sure to substitute the interface names from earlier:

sudo iptables -I INPUT -i enp2s0 -m comment --comment "Local network" -j ACCEPT
sudo iptables -I OUTPUT -o tun0 -m comment --comment "VPN network" -j ACCEPT

Then we need to allow the OpenVPN traffic to pass through the box. Find the port number by looking at the .conf file we talked about earlier. It should be on the line that starts with remote. Then execute this command, making sure to replace that port number and interface name:

sudo iptables -A OUTPUT -o enp2s0 -p udp --dport 1194 -m comment --comment "OpenVPN traffic" -j ACCEPT

Next up, we need to allow certain services to operate. Execute these commands:

sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "NTP service" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "DHCP service" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "DNS service" -j ACCEPT

Almost there! You need to forward the traffic from the tunnel to the Ethernet interface. This bit is really important! Run these commands (and make sure to substitute the interface names):

sudo iptables -A FORWARD -i tun0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o tun0 -m comment --comment "Local network to VPN" -j ACCEPT

Cool, one last thing. You need to set up MASQUERADE on the POSTROUTING table on your NAT, so that the Network Address Translation works across the VPN. Execute the final command (switch these interface names, remember):

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

If you managed to follow this far, congratulations! But before you go and celebrate, you want to save these configurations so these don’t get lost over a reboot.

Run this:

sudo apt install iptables-persistent

And the installation will begin. If it asks you if it should save the current configuration, choose yes, and carry on. Let’s enable the service to run at boot:

sudo systemctl enable netfilter-persistent

If, in the far future, you add any more iptables rules, you can save them by running:

sudo netfilter-persistent save

And they will be saved.

One last, really important thing. If you want to back up these configurations, you can type:

sudo iptables-save > backup.txt

To save the rules inside a text file. This is also a handy way to edit these configurations should you decide to change them. Once you want to restore, use this command:

sudo iptables-restore < backup.txt

Nice! Your configuration is nearly finished!

Test the connection

Reboot the box. On the client device you want to test, change the default gateway’s IP address to the VM’s IP. It should start forwarding traffic through the VPN! Congratulations!

But this is tedious. I’m lazy. What should I do?

Set up router forwarding

If your router supports default gateway switching, you can do this. (Most routers support this)

Go to the router administration page (remember it?) and click on DHCP settings. Under the Default Gateway IP address, input the VM’s IP.

Now reboot the router. If it works, great!

In odd cases, the default gateway change might actually just change the administration page’s IP address. If that happens, there will be an address collision, and your VM box will either lose the IP address or lose access to the local network. In severe cases your router administration page might not come up. In that case, just disconnect the VM box, reboot the router and connect to the administration page to change the default gateway back. If this is the case, then your router does not support default gateway switching.

Connection-helping script

Now, since China is great for these TCP RST packets that drop your VPN connection sporadically (so you have to remote into your VM and fix it), I wrote a Python script that helps me out with the entire process.

Any improvements in the form of pull requests would be welcome!

Use NSSavePanel in Swift

Wed, 28 Feb 2018 00:00:00 GMT

TL;DR:

@IBAction func browseDirectory(_ sender: Any) {
    
    let dialog = NSSavePanel()
    
    dialog.title = "Save file"
    dialog.showsResizeIndicator = true
    dialog.canCreateDirectories = true
    dialog.showsHiddenFiles = true
    dialog.allowedFileTypes = ["txt"]
    
    if (dialog.runModal() == NSApplication.ModalResponse.OK) {
        let result = dialog.url
        
        if (result != nil) {
            let path = result!.path // Do stuff with 'path' variable
        }
    } else {
        return // User clicked cancel
    }
}

Don’t forget to allow the app to access the filesystem.

Okay, we need to make a dialog, so let’s make a variable named dialog and assign it the NSSavePanel.

let dialog = NSSavePanel()

Then we have to set some parameters. Let’s give the dialog a title-bar name.

dialog.title = "Save file"

The parameter names are pretty self-explanatory, but these options are for showing the “resize” button in the title bar, allowing users to create new folders, and showing hidden files.

dialog.showsResizeIndicator = true
dialog.canCreateDirectories = true
dialog.showsHiddenFiles = true

If you want to restrict users so that they can only select certain files:

dialog.allowedFileTypes = ["php"]

We then expose the dialog to the users:

if (dialog.runModal() == NSApplication.ModalResponse.OK) {
    let result = dialog.url
    
    if (result != nil) {
        let path = result!.path // Do stuff with 'path' variable
    }
} else {
    return // User clicked cancel
}

Great, so we’re done now, right? Not so fast! If you run your app now, it will crash. What gives? Well, you forgot to allow the app access to your filesystem! Simply click on your project on the left sidebar, press on your app under the smaller sidebar with the title-name “Targets”, choose “Capabilities” on the top bar, and then choose Read/Write under “User Selected File”.

You should now have a functional save panel!

Eric Park's Blog

Internet censorship in Korea, and the eventual end

How they (used to) censor the Internet in Korea

How they (currently) censor the Internet in Korea

So how can I get past it?

Great, can I use ECH now?

SSH key updating with systemd

Create the systemd unit files

Enable and start the timer

Enable lingering

Boingo Hotspot Captive Portal shenanigans

Issue #1 — DNS-over-TLS/HTTPS doesn’t work

Issue #2 — DNS hijacking doesn’t work with HTTPS

When your controller doesn't work, blame your keyboard

Why I'm moving away from NixOS

Disclaimer

Pros

Fast recovery time from scratch

Fast recovery time from bad configurations

Cons

The friction of installing things

NixOS requires you to know or learn Nix

The friction of upgrading things

The speed of compiling things

Configuring “everything” through NixOS

Conclusion

Footnotes

Bits and pieces from my Bluu internship

The report tool

The automatic time-card script

A rant about cheap proprietary IP cameras (featuring Hej Home)

Specifications

Setting up the camera on the official app

Port-scanning the IP camera

Disassembling the camera

Dumping the SPI flash chip

Looking at the firmware dump

Looking for open-source options

Cutting my losses and moving on

Fix up audio delay in Meta Quest recordings

Step 1: Figure out the delay values

Step 2: ffmpeg

I have a positive delay value

Conclusion

Buying my (Korean) name on the Internet

I nearly lost my entire home server

An ideal world where everything goes right

The new drives are… faulty?

Going down the chain

History repeats?

”Supply chain issues”

The Server of Theseus

Jumping over the first hurdle

Rebuilding

Failure Analysis

Lessons learned

Profiling with cargo flamegraph

Windows Preparations

Linux Preparations

Buffering by block in Rust

KT's outdated Wi-Fi, on Linux

Reverting DD-WRTed WRT32X back to stock

I migrated my site to Astro!

Announcements

Motivation

First try: NextJS!

A rough start to the migration

The best of all worlds

Comparisons

That’s it!

Now on Bluesky

The Esc key bug in games with the CJK IMEs

iPhone battery swap review: Apple sent me someone else's SIM?

Shipping packages from Korea to the US with EMS Premium

Django: Disallow Postgres-specific fields

I need a new browser

Features I need

WebUSB / other latest web APIs

Sync

Mobile apps

Create the `systemd` unit files

Step 2: `ffmpeg`