
I’m fresh off of two medical classes in August, first the NOLS Wilderness First Responder course, then a two day “Direct Action Response Training” by Dark Angel Medical. The DART course went over how to use a personal trauma kit (a/k/a individual first aid kit, or IFAK) and responding to immediate life-threatening events, such as a gunshot wound, stabbing, blast, or some other serious accident. I’m a believer in the saying “if you learn how to put holes in people, then you should learn how to patch holes.”

DART was hosted by the San Mateo County Sheriff’s Office, so about 3/4 of the class of 26-something people was either personnel from various sheriffs agencies, SWAT, police, or correctional officers, which was sort of intimidating. The rest were civilians, concealed carry holders, and/or private security. The instructor was named Ross, a former Navy corpsman, now a paramedic in San Bernardino.

There was a lot of overlap between the WFR and DART courses, such as patient assessment, wound treatment, splinting, and environmental issues, but it was far more compressed than the 10 days of WFR training. There were also a lot of differences, namely in treating life threatening hemorrhages and getting an open airway over everything else in an urban, tactical environment. This followed the military’s tactical combat casualty care (TCCC) guidelines, e.g. stop the threat to you and your patient, get them to cover, stop the bleeding, maintain an airway.

 

The assumption was that you would be in an urban environment and higher level care would be available relatively quickly, compared to the WFR training where we were taught help may be hours or days away. As such we practiced a lot with tourniquets. Each one of us had a CAT tourniquet and during class Ross would randomly call out a limb and we had to apply the tourniquet as fast as possible and check our pulse to ensure it worked.

I was surprised how quickly we were supposed to resort to TQs. If you can’t stop heavy bleeding with direct pressure to the wound and it’s on an arm/leg, immediately put a TQ on the limb. In WFR we were taught a TQ was a last resort after direct pressure, compression bandage, and wound packing, which makes sense because a TQ needs to be off in a few hours.

Here, if a TQ (or two) didn’t stop the bleed on a limb, or it was an area such as the hip or shoulder where a TQ couldn’t be applied, then start packing the wound with hemostatic gauze, and put a compression bandage (e.g. Israeli bandage) over it to hold pressure on the gauze, thus keeping pressure on the arteries/veins against a bone. After practicing packing a wound on a mock limb, I realized that properly packing gauze into a big wound takes quite a bit of time to do (and I’m told will be considerably painful to the patient, who might fight it), whereas stopping the flow of blood with a TQ was very fast.

I learned several interesting things about tourniquets. While ideally they shouldn’t be on more than two hours before the next level of care, in some extreme cases they have been left on 16 hours without loss of limb. If you can see the wound, it’s okay to put a TQ on a few inches above the wound (arteries have elasticity and may retract into the body), otherwise it’s equally okay to just put the TQ as high up on the limb as possible too. This was something I was confused about as I had read conflicting ways to apply them. Once a TQ is on (more than a couple of minutes), never take it off or relieve the pressure, as you’ll be releasing blood clots and alkaline blood into the system which could cause an embolism in the heart/lungs/brain, or worse. Lastly, when using a CAT tourniquet which uses velcro, be sure the end is secure. When it goes around a leg it’s very easy to snag the tab and undo the entire tourniquet. For this it may be better to use CATs on arms and SOFTT-W (which uses a strap) around legs.

I practiced some with a SWAT-T tourniquet, which is basically just a long strip of 4″ wide rubber. I’m told the idea originally came from a Detroit SWAT officer who cut the innertube of a bicycle to improvise a TQ when he was hit. The thing needs a lot of practice to use, as it’s very hard to put on one handed, keep it really tight, and keep wide enough. It works, but I’d want something better.

 

The initial patient assessment was also slightly different than wilderness, instead of ABCDE, here it was HABCDE (H for hemorrhage) with an emphasis on immediately performing a much more aggressive blood sweep on the body to look for bleeding or holes. Granted, in both courses we were told the sequence isn’t set in stone, do what needs to be done in whatever order is most important, just make sure all parts of the assessment are done. Spinal control wasn’t as much of an immediate concern in the D part of the assessment as wilderness, compared to stopping bleeding and opening an airway. It was explained with a brutal bit of logic, “they may be paralyzed after, but they’ll be alive”, as opposed to spending time to stabilize the spine while they asphyxiate.

Decompression needles for a tension pneumothorax seem to be a negative thing to have on you if you don’t have higher levels of training/certification. Even if an off-duty paramedic shows up, using the needle while they’re off duty opens even them up to liability. However nasopharyngeal airways are not considered intrusive and can be inserted by a Good Samaritan rescuer to keep an airway open.

Further on the train of thought that emergency care was quickly available, we were taught to splint broken bones as found even if they were compound fractures. I did learn a nifty figure-8 splint made out of triangle bandages to support a broken clavicle.

One thing that was good about the class was the “graphic” images and videos during the lecture. I guess I got over any squeamishness I had. It’s one thing to have a chest wound, flail chest, or femoral bleeding described in a textbook, it’s another thing to actually see one to really understand it. A couple of short video examples showed how quickly (less than a minute) somebody could be hit with gunfire or inhale toxic chemicals, degrade and be well into deep shock or unconsciousness without any sort of help available before dying.

 

Beyond first aid, the DART course also spent time on how the body reacts during a life threatening event, which I found interesting. Individuals may fight, flight/run, posture, or completely submit to a threat. As heart rate increases due to a fear/stress response, critical thinking and logic is severely impaired. Thus, a person with a better cardio conditioning can stay level headed longer because their pulse isn’t skyrocketing as fast. Not only does the body dump adrenaline during a flight/fight response, it also dumps the body’s entire supply of glucose, and ramps up production of cortisol which helps blood clotting. Also it’s common for people to lose bowel control and soil themselves in a high stress situation, something that’s not talked about much. So, if you’re going on patrol, go to the bathroom first.

In the last couple of hours of the second day we went through several quick scenarios. This was pretty familiar from the WFR training. Some of us were sent outside, the rest were inside with a mock injury (no moulage here), go in and help them. Here several of the examples involved applying tourniquets. We also practiced a Hawes carry, which was a pretty quick and easy way to pick somebody up onto your back like a backpack and carry them, while still having an arm free to work or shoot back.

 

Overall I really liked the class. If you’re into shooting sports, definitely take the DART class and learn how to use a medical kit/IFAK. Even if you’re not a shooter, it’ll help prepare you for other serious injuries around the home or on the road. Several of the “saves” mentioned on Dark Angel’s website are from vehicle accident injuries where somebody with the right mindset was able to use a med kit to stop bleeding on some poor soul on the road. WFR was one of the “what to do next” recommendations beyond a first aid class. If you have the time, certainly do both, they were very interesting. While there was some overlap, each class has a focus on very different things.

Yosemite with more cowbell

[flickr: Hetch Hetchy trip]

Ever since that One Time in 2005 in Colorado where a bear tried to nose their way into my friends’ tent at night while they were still inside, I’ve been leery about camping in the forest. Usually I don’t have a problem with wild critters, I’ve spent many nights in Death Valley surrounded by howling coyotes, and I didn’t even think about bears when I camped in Modoc Forest recently.

Yosemite on the other hand has a reputation for bears, there are warning signs everywhere, from the cabins in Half Dome Park to the wilderness trailheads. “Use bear canisters. Keep food out of vehicles and tents. Lock things up.” So I was a bit apprehensive when I decided to set up my tent in a meadow in Stanislaus Forest along forestry road 1S20 right outside the entrance to Hetch Hetchy last Thursday.

I knew there were cattle in the area, at least on the other side of the road down a ways but there was a fence and I didn’t think much of it. I carefully scouted my camp site and seeing no problems set up my tent. There were some critter noises at night, mostly bats chirping and birds.

Around 2:30 AM I heard in the distance some snorting, stomping, and tree limbs snapping. Something big was there. This spooked me, so I grabbed my flashlight and shone it at the ridge beside me. After a minute of more noises I saw two eyes staring back at me, probably 100 feet away or so. I made a bunch of noise, clapping, hitting my camera tripod with a stick, but whatever it was it didn’t move.

More snorting, stomping, and tree limbs breaking. This time when I looked I saw three pairs of eyes staring back at me in the dark. I made more noise, nothing. It was around this time I started to wonder if these were cattle, because I don’t think bears travel in packs, and cattle just don’t give a fuck about anything. Then I heard a faint cowbell from the ridge. I finally realized these indeed were cattle, they were coming over the ridge into the meadow where I was staying. Several of them had cowbells on, clang clanging in the night. About 10-15 head walked by my tent to a clearing, where they apparently settled in for the night.

I figured a herd of cattle with bells on around my campsite would scare anything else off (or at least be a tasty prey), so I was finally able to fall asleep relieved. In the morning they were up grazing around my tent so I got to watch them as I was laying there. A few were curious but ran off as soon as they saw me move. [Cowbell video]

Hetch Hetchy

The point of camping out in the forest was that I wanted to go explore Hetch Hetchy lake. I had only recently heard the back story about it, how it was a large granite valley like Yosemite Valley, but it was dammed up to create a reservoir for San Francisco’s water supply.

There wasn’t any camping within the reservoir area unless you were a wilderness backpacker, thus camping in the forest. It was about a 9 mile drive from the entrance gate, down into the valley, before reaching the dam. It is a pretty place, just like Yosemite Valley with huge granite walls, just full of water.

There are several hikes around the lake, some are day hikes, others are multi-day backpacking trips to some of the other lakes and meadows in the area. I opted to hike out to Wapama Falls, which was a few miles up on the north side. It was pretty hazy out due to the two larger wildfires in southern Yosemite. By afternoon the wind was picking up and it started to cool off. Overall it was a nice hike.

Originally I had planned to stay out until Saturday, but after getting tired from hiking and not sleeping much I just opted to come home Friday night.

NOLS_WM_BADGE_CREDENTIAL-WILDERNESS FIRST RESPONDER

The always self-sufficient side in me has always been fascinated by wilderness medicine, how do you care for somebody who’s hurt/sick when you’re hours or days away from care? How do you improvise what you need to treat that person and make it possible to move them? When I was growing up in a rural area, we didn’t have 911, and a sheriff or ER could easily be 30+ minutes away; that was even after you got back to somewhere you could call/send somebody for help. This is part of what taught me it’s important to be able to take care of yourself.

Today I frequently go out on my own on roadtrips or hikes that put me hours into the middle of nowhere, could be west Texas, the Nevada desert, or the side of some mountain in Washington. Very often there’s no cell service, and while I have an amateur radio license and access to a transceiver that could reach dozens of miles out, it’s only useful if I know the area repeaters and if there are people listening that could help.

I learned about the NOLS Wilderness First Responder course years ago and it seemed very interesting because it went way beyond patching boo-boos and doing CPR, things taught in a basic first aid class. It covered all sorts of illnesses and problems that could happen in the backcountry, broken bones, wound management, head+spinal injuries and more. Further, it wasn’t just textbook work, it was a hands-on course to practice doing these things. Unfortunately it was 10 days long and I never had (or put aside) the time to travel and take the course.

After my recent work sabbatical I dusted off the NOLS website and signed up for the WFR course here in California. One thing that bothered me from the course outline was having to pretend being a patient and using moulage/fake makeup. I totally understand and get how it’s necessary for the experience (more so now after actually doing it), but I was pretty meh about it up front. Even as a kid I never was a fan of make believe, costumes, or Halloween.

The class in San Francisco booked quickly and I signed up for the one in Sausalito. This was a long haul to make every day across the bay from Fremont, so I got a cheap motel in Mill Valley. The classroom was actually at Point Bonita YMCA, right on the coast near Golden Gate in the Marin headlands. Being August (Fogust) I expected it to be cold and foggy, and turns out it was the whole time. The weather upped the realism because we were frequently wearing multiple layers, snug jackets, and big coats, things we’d normally wear in cool environments, all which had to be dealt with during scenarios. Outside of the fog and drizzle, we had the Golden Gate Bridge and the Pacific Ocean as our backdrop to our outdoor classes. You couldn’t ask for a better setting around here.

Our instructors were Ryland and Sheri, and there were around 23 (?) people in the class. They all had varied backgrounds, such as youth group leaders, park personnel, guides, and a few of us engineers who like the outdoors; all were mainly doing it for personal enrichment, some as a job requirement.

After some initial classroom time on the first day, we headed outside for our first scenario. If memory serves correctly it was how to size up the scene, approach the patient, and go through the ABCs. Another scenario worked up to head-to-toe assessments, getting vitals, and SAMPLE history. I had read a good hunk of the textbook in the months leading up to the class, but actually doing my first assessment on a real person I went into full on dummy mode and forgot everything I had read.

 

Each day was a combination of going over a topic in the classroom or outside in a group huddle, and going through 2-3 scenarios. For scenarios a group of students would be selected to be patients, go outside and be briefed on a story of their injuries and symptoms, then go lie/sit down somewhere and wait to be rescued. A few dabs of moulage makeup was usually used in each scenario to simulate bruising of a limb from a sprain/fracture, landing on the back, cyanotic lips, infection, rashes, and/or abrasions on faces or hands; then concealed under clothing for the rescuer to discover. Nothing outrageously gory at all, just something to help visualize the signs.

Rescuers would remain in the classroom until they were told it was time to go, given a very short summary on what happened (e.g. friend was slack lining and fell, somebody wrecked their bike, or sometimes “you just found this person”), and sent out to find the patients. At first we usually paired up two rescuers to a patient, but over time we also did a lot of solo rescues, and then got into full teams of rescuers. (Many of our mock scenarios happened at Yosemite, so watch out for that place. We also had a few oddly freak skydiving accidents for variety’s sake resulting only in broken fingers, what a weird sport.)

Each time we would size up the scene, approach the patient and ask if we could help, go through our ABCDEs to check airway, breathing, circulation/bleeding, decide if we needed to stabilize their neck/spine, expose the injuries. Next we did a full, thorough head-to-toe exam looking for any injuries/pain/tender areas, got a set of vital signs, a SAMPLE history, more vitals to find trends, and dug into any interesting points. Depending on the injury we’d try to treat or immobilize the patient, decide if they needed to be evacuated, and come up with a verbal SOAP note to present. The SOAP was a special format of report we’d call into a search and rescue group, other rescuers, or otherwise higher level of care. (S = Subjective, information from the patient, “what could be lied about”, OPQRST details; O = Objective, facts from vital signs and observations, “the truths and facts”; A = assessment, what we thought was going on, what we did; P = plan for the patient, including long-term [e.g. overnight care]).

After each scenario we’d get together both as patient+rescuer(s) and the class as a group, go over what went well, what we missed, go over questions, and practice presenting a SOAP note to the group based on what we just went through.

We learned how to safely move people even if we were by ourselves. Once I saw where to grab and how to pull, it was no problem to move even my bigger classmates. If we suspected there was a possibility for a head/neck/spinal injury we’d control their head until we could check them out further. We frequently practiced rolling patients onto their sides for examinations, putting them on pads, putting them into recovery position in case they were to vomit or we had to leave them for help. Later we got into learning how to pack them in various litters for carrying them out as a team.

We learned how to do focused spinal exams to look for any injury/tenderness to the spine, check for things like tingling/numbness, sensation/motion in limbs, and if nothing negative was found, cleared to discontinue holding the head and letting the patient move around. I found out this is something specific to wilderness medicine protocols, an urban EMT wouldn’t do this.

 

Even when I was acting as a patient I found the scenarios very useful. For instance if in a scenario I was afflicted with a high altitude cerebral edema (HACE), I became much more familiar with the signs and symptoms associated with HACE because I would pretend to be irritated, say I had a pounding headache, didn’t sleep well last night, pretended to be nauseous, and had ataxia which made it hard to walk.

As time went on I got more comfortable acting as a patient. Some classmates would really get into it and ad lib some awesome reaction, pains, fake vomiting, or combativeness. It was a tremendous help in the learning process because we had to react to what was happening, such as rolling them on their side immediately if they thought they were going to vomit or choke, then get back into our assessments. Based upon how we found them we may have had to change up our priorities. There were often a number of symptoms and things to remember, sometimes I’d forget a key thing to present while they did their assessment so it made me feel bad that I didn’t give my rescuers a full shake down.

In the classroom we covered a lot of topics over the ten days. For each topic we dived in a few hours, went over what was happening in the body, what signs and symptoms a given injury or illness would present, how to tell if they were minor or severe, treatment options, whether to evacuate or immediately evacuate the patient to get to higher level care. I found it most useful to write down everything onto my workbook during class, even if it was exactly what was already on the same page, because it made it sink into my head better. Ryland and Sheri would take turns talking about a topic, and they did a great job of teaching about it. They added in personal experiences, answered a ton of questions, and threw in copious amounts of humor to make it very engaging. Doing scenarios after class time really tied it all together and made it real.

 

Later into the week we got into larger scale rescues where 4-6+ people worked as a team, either on a solo patient or a group of patients. It was a bit chaotic at first as people settled into who would do what, keeping the leader out of the direct action so they could lead, and deciding on treatments.

Rodeo Beach

One memorable mass casualty scenario was a “beach rescue” where we had multiple patients on the beach (on the actual Pacific Ocean at Rodeo Beach), and multiple rescuers. The moulage was kicked up considerably with all sorts of brutal injuries, patients were screaming and running around, which made it all very real. (Bystanders on the beach had to be told this was a training exercise.)

A few students were designated as incident commander, assistant, and gear keeper, and to organize the rest of the rescuers. As an added twist a few of our classmates selected as patients also spoke Spanish, so they decided to throw us a curve ball by only speaking Spanish during the rescue. This was a considerable difficulty with my very limited Spanish, fortunately my partner could speak Spanish and she took on communicating with our patient. There were a few other students who could also speak Spanish, so our incident commander also took care of organizing them and sending them where their language skills were needed. Between getting our patients out of the surf, watching the tide, keeping them and ourselves dry and warm, assessments and treatments, frequently communicating our patients’ status to the incident commander, requesting gear, re-prioritizing who gets evacuated, and translating the Spanish there was a lot going on!

Another large scale rescue happened at night. We were divided into groups and sent out to different points of the park. We didn’t know when/who/where our patient would be or what we’d find, but it became quickly apparent as things unfolded. We took our day packs with us and had to treat our patient with whatever gear we carried, so there was a good amount of dumping packs and improvisation going on. A few concerned bystanders wandered by on the trail during all of this as our patient was screaming in mock pain so I had to give them a thumbs up that we had it under control. As part of the story we were lost and had to wait until 9:30 PM or so for somebody to find us. It was cold, windy, and dark, this was to teach us what it’s like to be with a patient for an extended amount of time and tend to them long term. While we debriefed afterwards in the nighttime I learned during a tib/fib break I did a poor job by only deciding to splint the lower part of the leg below the knee of our patient instead of the entire leg. The disappointment of our instructor upon inspection was palpable because it wouldn’t have worked. The next morning we got together again, dumped all of our gear and tried to make a better leg splint out of empty packs. By using three empty backpacks and some rope, it worked out a lot better than the night before. By far it was all certainly a learning experience!

Leg splint made of backpacks

 

As a class we did a pretty good job of bonding with each other. We learned how to help each other, divide up the workload of patient care, and give feedback to each other on what we could do better. By the end we had taken so many vital signs and did head-to-toe exams on each other, I think we knew each other better than our own doctors did. I think we wound up going through at least 20 scenarios including the two big team exercises.

For the end of the course we took both a written test and did a practical exam. The practical exam was a relatively simple dual-rescuer, single patient scenario where there were a couple of things going on with the patient to treat and manage. After all of the scenarios I had been through I was pretty confident about it, but there were a set of exam criteria that we had to get right or we’d have to re-test which made me nervous. My partner and I passed, hooray!

 

I would wholeheartedly recommend this course to anyone who ventures outside. I had a great time and feel like I learned quite a lot. Reading the textbook was one thing, but it was a whole ‘nother experience to constantly practice scenarios, examinations, and making mistakes. The NOLS website also has a good set of case studies, test question banks, and videos to review. I’ve learned to love how versatile triangle bandages and Ace elastic bandages are, I will always carry those in my packs!

It was stressed that our skills would deteriorate over time, and we were urged to frequently practice doing patient assessments, consider volunteering our time to an organization, search and rescue team, fire department, or even just taking vitals at a health fair to help keep our skills up to date.

I don’t know when or where these skills will come in handy. I feel much more confident in walking up on something unknown, and even if I can’t do much of anything, at least assess the situation and get information to other rescuers.

BEC 8920NE gateway

Let’s say you’re a customer of an Oklahoma ISP with ADSL2 service and you use a Ubiquiti EdgeRouter for your router instead of the one they supplied. One day they decide to upgrade their customers to VDSL2, send out BEC Technologies BEC 8920NE gateways to the customer, and now use PPPoE. Your old ADSL2 modem no longer works because of the wider frequency bands on the wire used by VDSL2. Further, their DSLAM no longer uses ATM, but instead packet transfer mode (PTM), so your DSL gear at home needs to support that.

Let’s also say you want to usurp your ISP’s declaration of your new home router (the BEC 8920NE) because they lock the configuration and you have needs dammit (port forwardings, a Hurricane Electric 6in4 tunnel because the ISP doesn’t support IPv6, and site-to-site management VPN) that they’re never going to help you with. And frankly putting your router behind their router and doing double-NAT is stupid and breaks 6in4. So you want to continue using your awesome EdgeRouter as the main router for your home.

Because finding xDSL gear that supports PTM is annoying, I want to use my BEC gateway to move my bits from the phone line to Ethernet, and then use my EdgeRouter to handle the IP portion of things to my home network.

To make all of this work you’re going to need to find/get/figure out things (*mystery hand wavy gesture*):

  • Your PPPoE username/password for your connection
  • Is your traffic to the ISP VLAN tagged? If so, which VLAN ID is it using?
  • Set up the BEC 8920NE into bridged mode
  • Set up the EdgeRouter for PPPoE

BEC 8920 configuration

When you first look at your BEC 8920NE configuration, it’s more than likely set up in router mode, runs a DHCP server for your home LAN, and probably a wireless network too. If you have login access to it, you’ll want to look at the Configuration -> WAN -> WAN Service -> [Edit] screen for details about your xDSL service.

WAN service

BEC routed WAN configuration

Of particular note, the “type” here is “PPP over Ethernet (PPPoE)”, the 802.1Q VLAN ID is 35, your PPPoE username is foo, the BEC is going to learn DNS servers from the ISP, and the MTU is set to 1492. The BEC is also going to act as a DHCP client to get its WAN IP address from the ISP.

The VLAN ID can vary from ISP to ISP, although a de facto standard seems to be using VLAN ID 35. This is something they set on their side, your gear has to match it. In this case the BEC will take care of taking tagged VLAN 35 traffic from your ISP, untagging it, and passing plain Ethernet frames out of the LAN interface.

To change the BEC from routed mode to plain bridging mode, change the “type” of the WAN service to “DSL” and keep the “Layer2 interface” as “PTM”. This will pass all PPPoE and IP termination on to your EdgeRouter.

Bridged mode

Of special note here, don’t fiddle with the LAN settings on the BEC. It’s okay to leave the device/management IP address the same (usually 192.168.1.254). This will let you log back into the BEC configuration page later in case you want to change things or go back to router mode. In other words, switching to bridged mode isn’t going to lock you out of the BEC configuration. You’ll just need to configure a laptop or something with a 192.168.1.x IP address, and plug it into one of the BEC’s LAN ports, then you can go back to 192.168.1.254.

EdgeRouter configuration

Let’s say eth0 of your EdgeRouter is what faces your ISP. Before, the configuration looked pretty basic, something like this (ignoring any sort of firewall bindings):

interfaces {
  ethernet eth0 {
    address dhcp
    description ISP-name
    duplex auto
    speed auto
  }
}

What we need to do next is configure a PPPoE sub-interface. We’ll also need to configure TCP MSS clamping to account for the PPPoE overhead. I’ve seen some terrible configurations on the Ubnt forums that go like “here, dump this random configuration with a ton of firewall stuff that I’ve copy pasted from everywhere”. There’s a much simpler way to do this and you’re not bringing in somebody else’s fucked up configuration.

What about the VLAN ID from earlier? Remember, the BEC is taking care of tagging/untagging traffic to your ISP, so the Ethernet connection between your BEC and EdgeRouter will have plain, untagged Ethernet frames there. No need to configure a vif sub-interface on the EdgeRouter too.

Change the eth0 configuration on the EdgeRouter to look something like this:

interfaces {
  ethernet eth0 {
    address dhcp
    description ISP-name
    duplex auto
    speed auto
    pppoe 0 {
      default-route auto
      mtu 1492
      name-server auto
      user-id <your PPPoE username>
      password <your PPPoE password>
    }
  }
}

Then configure the firewall subsystem to enable MSS clamping on pppoe interfaces. Doing it this way avoids the whole complicated business of building some firewall rule to match SYN packets and fiddle with them. I’m lazy and used 1452 (not 1492!) from another example somewhere for the MSS clamp, someday I need to do the arithmetic of packet size to see if that’s correct and optimal. If you set this wrong/too-high, you’ll see weird behavior with your Internet traffic, maybe TCP won’t establish at all and web pages hang, or maybe HTTPS/SSL connections hang.

firewall {
  options {
    mss-clamp {
      interface-type pppoe
      mss 1452
    }
  }
}

This will now give us a new “pppoe0” interface when we do “show interfaces”:

[bwann@home-gw1 ~]$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address                     S/L Description
--------- ----------                     --- -----------
eth0      -                              u/u ISP-name
eth1      192.168.10.1/24                u/u homenet
...
pppoe0    x.x.x.x                        u/u
...

[bwann@home-gw1 ~]$ show interfaces pppoe pppoe0
pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 100
 link/ppp
 inet x.x.x.x peer y.y.y.y/32 scope global pppoe0
 valid_lft forever preferred_lft forever
 RX: bytes packets errors dropped overrun mcast
 219190063 1298261 0 0 0 0
 TX: bytes packets errors dropped carrier collsns
 55727821 886979 0 0 0 0
 ...

If pppoe0 status is “UP, LOWER_UP”, and we’ve got an “inet x.x.x.x peer y.y.y.y/32” address, this means our EdgeRouter has gotten an IP address from the ISP and has established the PPPoE connection.

The interface status of eth0 is going to change because we’ve moved the IP configuration to the PPPoE interface:

[bwann@home-gw1 ~]$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
 link/ether 04:11:d6:f1:07:ff brd ff:ff:ff:ff:ff:ff
 inet6 fe80::611:d6ff:fef1:07ff/64 scope link
 valid_lft forever preferred_lft forever
 Description: ISP-name

This also means we need to go adjust any NAT, port forwarding, firewall, or masquerade rules on the EdgeRouter to account for the fact that we’re now using pppoe instead of eth0.

For instance, an outbound NAT rule for our home->internet traffic looks like this; we need to change outbound-interface:

service {
  nat {
    rule 5003 {
      description homenet-nat
      outbound-interface pppoe0    <<< was eth0
      protocol all
      source {
        ...
      }
      type masquerade
    }
  }
}

At this point your home network should be able to use the Internet. The EdgeRouter is once again handling your routing, firewall, VPNs, tunnels, etc. The BEC gateway is simply bridging traffic from the phone line to the EdgeRouter.

 

Utah revisited

Virgin River in Zion

flickr: Nevada-Utah

flickr: Bryce Canyon NP

flickr: Zion NP

I recently quit my job because I got too burned out doing tech all the time and decided to take a year off to travel, camp, and explore. After my trip to eastern Utah a couple of months ago, I wanted to come back and check out Zion and Bryce Canyon national parks. I finally made that happen last week.

Instead of driving through Las Vegas, I took a northerly route through Reno and across Nevada on Highway 50. I got off to a super late start around 1 PM and hit slow bumper to bumper traffic outside Vallejo alllll the way to Sacramento. I don’t know if that was normal for a Thursday afternoon but it ate a considerable amount of time. The whole time I was pacing this brand new red Lamborghini who was also stuck in traffic with me, poor car.

I discovered that iOS location services on my phone was completely busted, which made using Waze or Google Maps incredibly frustrating. It would find my initial location but would fail to update as I traveled. No amount of resetting airplane mode, LTE, location services, nor apps mattered. I wound up falling back to my old Garmin Streetpilot which was loaded with maps from 2006.  With the phone I could find out how to get somewhere from where I was previously; with the nav unit I could find out exactly where I was but maybe not necessarily how to get somewhere. Ugh.  It soon didn’t matter anyways because as soon as I was off the interstate in Nevada I would lose cellular service frequently and needed the nav unit.

Fernley, NV was still there, looking like how I last saw it for Burning Man 2009. Driving along highway 50 in central Nevada I couldn’t help but notice how utterly lonely it was, there was nothing there but jackrabbits.  There were a few naval air stations off the road and a couple of small run down towns and that was it. I later found out the road really is nicknamed “The Loneliest Road in America”.

After a crazy diversion in the middle of the night (a whole ‘nother story), I got to Great Basin National Park around 3 AM. I hadn’t planned on going to the park, but given how late I left it seemed like a good spot on the map to stay overnight. At 4 AM I could already start to see faint sunrise on the horizon. I slept for a few hours in the parking lot and did a bit of sightseeing in the park after.

Of interesting note, this is where a 130+ year old Winchester rifle was found by park staff leaning up against a tree in the middle of the woods. I had heard the story about it but had no idea this is where they found it. It was on display in the visitor center along with some information on how they found and preserved it.

After leaving Great Basin I cut down highway 21 to intersect I-15 in Utah, not a whole lot to see along the way. Originally I had planned to go to Zion first but because it was already noon I didn’t figure I would be able to get a campsite. Besides, Bryce Canyon was closer so it made more sense to go there first.

July 7, Bryce Canyon National Park

It turns out Bryce Canyon is a much larger tourist attraction than I thought, it looks like a deceptively small national park on the map. It was brimming with activity and the campsites were going fast, although I managed to call dibs on a spot in the northern campground. As soon as I pitched my tent a thunderstorm rolled in and it rained for 30-40 minutes. This was fortunate as it really cooled things down from 100+ F down to 80 F or so. It was getting late in the afternoon, I was dead tired so I didn’t do much exploring on Friday. There was also a full moon out so there was no star photography to be had.

Saturday I did more exploring of the park. The main amphitheatre was quite impressive to see in person. I drove down to Rainbow Point; the park is at a high altitude so it has a nice view of everything around. I did a loop around the Queens Garden and Navajo Loop trails. Along one of the rock walls there was a massive collection of rock cairns that people apparently made over time. Because of the altitude and my relatively out-of-shapeness the steep switchbacks leading out of the Navajo Loop back up to the parking lot were quite a doozy to hike up. There were so many chipmunks running around and I think I only heard one person actually call them chipmunks, everyone else was calling them squirrels.

Ideally I should’ve gotten up Sunday morning at sunrise to go photograph the main amphitheatre but I was tired and lazy. I struck down my tent and headed down to Zion next.

July 9, Zion National Park

It was noontime and Zion was PACKED. I figured there would be a lull after Independence Day weekend, but I was wrong. All of the campsites were long taken, I hear I would’ve needed to get in line at 6 AM to snag a spot. This was quite a contrast to the empty park I experienced at night from the last time I passed through here. Being in a tent would’ve probably been a miserable experience anyways, it was easily above 100 F degrees there. It was even hotter in the main canyon but this did not deter people at all.

I spent all of Sunday exploring the canyon, riding the shuttle out to Temple of Sinawava and working my way back. The canyon walls were impressively tall, with huge peaks here and there. The Virgin River came through here out of the narrows and many people were swimming and playing in the blue-green water. Here, the dominant rodent was squirrels. They were well accustomed to humans and simply did not give a damn. I saw people almost trip over them on the trail if they weren’t paying attention.

Weeping Rock was pretty interesting. There is a permeable layer of sandstone from which water seeps out of far above and rains down over the trail. There’s all sorts of vegetation growing in the rock and there’s an overhang you can stand under to be shielded from the water and enjoy the view.

It was super hot and I didn’t feel like taking any long hikes. I did hike from the Grotto down to Zion Lodge to take a break, which was about a half mile. At Zion Lodge there was a large lawn with shade trees, many people were laying out on blankets. Around 5 PM the sun went behind the canyon wall, putting the whole area in the shade which was pretty nice.

After the canyon, I had dinner at one of the places across the river from the visitors center. Then I started driving through the park taking photographs. One nice place to take photos was the bridge over the Virgin River just beside the junction to the canyon. At sunset the bridge was crowded with people, cameras, and tripods, everyone taking photos of the valley. On the east side of the park the rock formations are quite interesting. There are many fine layers of sandstone and it looks like the rocks were poured out or they were a cloth draped over the ground.

At dusk I saw a bighorn sheep (apparently these are not mountain goats) on the side of the highway. I pulled over to photograph her and discovered a whole herd of about 20 busily eating brush off the side of the road. A few were on top of the rock cliff watching me and the other people that had stopped. There was a buck with impressive horns with them, I never could catch him alone to get a good photo. Eventually the herd had enough and decided to cross the highway, where they were almost run over several times by cars.

It started to rain after it got dark, so there wasn’t much left to do outside. There were occasional lightning strikes behind Watchman but I wasn’t able to get any photos of them. Instead of truck camping at a trailhead like I did last time, I decided to leave and head down to St George to find a cheap motel. It was so nice to have a shower and a soft bed!

Note to self: next time bring the inflatable Thermarest instead of the foam pad, and buy a full sized camping chair.

Monday morning I left St George, heading home. I had debated crossing Nevada on hwy 93/375/95 and back through Yosemite so I could fill in my places traveled map but I decided it was too far out of the way and just came back through Las Vegas on the way home.

Mileage

7/6
1:52 PM  312,084  Fremont, CA
4:00 PM  312,180  Sacramento, CA
7:30 PM  312,355  Fernley, NV   16.3 gal/271 mi
9:44 PM  312,493  Austin, NV
7/7
1:56 AM  312,656  Ely, NV  17 gal/300 mi
8:00 AM  ?        Great Basin State Park
8:27 AM  ?        Utah state line (Baker, NV)
?        ?        Bryce
?        ?        Zion
7/10
7:15 AM  313,230  St George, UT
8:34 AM  313,328  Garnet, UT
2:13 PM  313,682  I-5 and hwy 46, CA  20.3 gal/353 mi, 8,254.9 hr
5:40 PM  ?        Fremont, CA

Moab success!

flickr: Arches

flickr: Dead Horse, Canyonlands

flickr: scenic drive, GS-E, Dixie

After taking my truck to the mechanic, he decided there wasn’t much to work with and that the misfire indicators were not a big problem for now. Said it could just be a touchy airflow sensor. I took off again for Utah on Thursday, heading south along I-5, then up I-15.  I left a lot later than I intended to, around 11 AM. Stopped in Barstow around 5 PM for food, it was hot, windy, and dusty af.

As a last minute idea I stopped in the Mojave National Preserve, hoping to find the spot where the infamous Mojave Phone Booth was. Following Google I wound up I think down Cima road, which led me to some gravel road, which led me to a “4×4 recommended” road. The sun was just setting and I didn’t feel like looking at maps to find a better way, so I gave up and headed back to the interstate.

I love approaching the border of Nevada, no matter what interstate or highway I take through the middle of nowhere I can always find the state line because there will be some sort of casino, liquor store, and/or hotel right on the Nevada side. By 10:00 PM I hit the Arizona state line. I had sort of forgotten I-15 crossed Arizona so it was briefly worth a double look. Just 25 minutes later I was at the Utah state line. By now it was well dark and I couldn’t see any of Utah on my way through it.

Around 12:20am I finally reached I-70 to head east across Utah. Just as I turned onto I-70 I started seeing snow flurries in the headlights. Passing over the Fishlake NP the flurries were mild but it was still 24 F. When I passed through Capitol Reef NP, the snow got much worse. The road was completely white for at least an hour, I couldn’t see the lines, and barely the tire tracks in front of me. After getting down to a lower elevation the snow cleared out and everything was dry again.

Finally at 4 AM I rolled into Moab. Trip distance so far was 1,037 miles, 16 hours, essentially nonstop. It was really cold when I reached Moab, I didn’t feel like trying to find a campsite so I just checked into Motel 6 to sleep for a few hours. Pro tip: do not stay in room 111. You’ll be right next to the elevator and it noisily goes up and down nonstop by 9 AM.

April 28, morning, Moab

I finally got to see Moab in the morning for the first time, and I was surprised by the number of 4×4, ATV, OHV, and Jeeps running around. The Internets suggested Eklecticafe for breakfast, which was this quaint little place and had amazing toast. They also had cricket protein bars. GROUND CRICKETS. wat? I headed up to Arches NP and there was barely any line as it was free entry this week. Hooray!

I soon discovered my new Canon 24-70/L lens completely stopped working. No matter what I did the body still threw error 99. Crap. At least I had a couple of other lenses with me to use. Walking around the arches was cool, then saw Delicate Arch was the stereotypical arch photo so I had to go hike up to it. Interestingly there’s a perfect rock ledge at the top that takes you right around. It’s pretty huge up there, with the summit and the big arch resting on sides of a crescent. Tons of people up there when I was, some doing back handstands under the arch, others doing group photos.

Delicate Arch

Beyond this I was getting tired and didn’t want to go walk around more, back into Moab by evening. I found out this weekend was an annual car show, so the highway downtown was full of all sorts of old cars, and the sidewalk was full of people in blankets on foldy chairs. There was more nightlife than I expected and that was pretty awesome. In a way Moab reminds me of Jackson, WY.

April 29, Canyonlands

Mesa Arch, Canyonlands

Saturday morning I headed off to Dead Horse SP and Canyonlands NP. Dead Horse had a few really awesome places where you could overlook the canyons and the Colorado River. The top of Canyonlands at Island in the Sky reminded me of Big Bend, wide open grasslands punctuated by big rocks. If you liked the Grand Canyon, you’ll probably love Canyonlands. It’s just bigger canyons to drive around.

At some point after looking at the map I discovered Shafer Canyon Road leading down to White Rim road at the canyon floor. I knew White Rim was a 4×4 road, so I figured I’d just drive down to it and come back. What I didn’t know was that Shafer was built right on the canyon wall, one lane, with very steep dropoffs, all the way down. It was very much unexpected and I was committed. Funny enough I’d also have to come back up the same way I came because I didn’t want to drive back to Moab on the back roads. It is by far the sketchiest road I’ve ever been down.

TIL Moab was also popular for Uranium mining, and there’s a Department of Energy “UMTRA” cleanup operation still going.

I was hoping to get some sunset photos, but I didn’t make it to places I wanted to in time. Back to Moab for dinner and sleep. This time I was actually staying in a motel in downtown Moab. The car show was going on again, so tons of people around again. Staying in town was worthwhile, it meant I could walk to everything. This time it started freezing drizzle+snowing later at night which sent people packing and cleared out the place.

I kinda wished I had spent the night in Canyonlands instead of a motel, I think it was warmer there and would’ve been more tolerable. Star photography was out, it was still partially cloudy at night.

April 30, Hwy 12

Sunday morning I departed Moab. There was quite the line to get out of town, traffic was solid from one end of town to the other. It took me an hour to finally get out. This was a completely unplanned day, I wanted to go swing through Grand Staircase-Escalante NM to check it out but I’d get there way too late to do much. At Alex’s suggestion I headed down hwy 24 to hwy 12 to take the scenic route.

I was happy when I passed through Dixie National Forest, at the top I found hillsides still full of snow several inches deep. I fulfilled my excitement of not seeing snow in years by running around in the snow and building a snowman to leave behind.

Through Capitol Reef NP I saw a spot right on the road to see petroglyphs so I stopped. I didn’t know what I was looking for at first and then finally found the little carvings in the rock face. There were several sets here and they were awesome to see.

Petroglyphs

I mostly bypassed most of GS-E as it was already 5 PM and I was feeling pretty tired and meh. After driving through nowhere I wondered where some of these little towns got gas, then I’d drive another 15 miles and find another little town with a gas station.  I saw Kodachrome State Park and thought it might be curious to visit, but wasn’t very impressed with what I saw. By now I was tired of photographing rocks, but not yet tired enough to camp, and just headed back to the highway on toward Zion and I-15. I passed up Bryce Canyon which I later learned my parents had visited once upon a time.

It was around 9 PM and had just gotten dark when I rolled into Zion. I figured I could find a nice quiet road there to go spend a while. I saw just enough of the canyon around there to perk up and get excited about these new rocks. They have some sweet tunnels running through there somewhere. I took a break at the visitors center and was consumed by the smell of campfires, mmm.

I finally wound up spending the night at a trailhead parking lot just outside of Zion. I want to come back and camp at Zion at least once, it seems like a nice place.

May 1, Zion -> Home

At sunrise at 6, I couldn’t sleep anymore and hit the road back home. It was a pretty uneventful drive back through St George, Arizona, Vegas, Bakersfield, and back home. I hit Pleasanton 5PM rush hour traffic and following the Waze detour, I found out that Pleasanton actually does have a little downtown and main street. I always assumed it was sprawled out SF Bay suburbia.

Mileage

4/27 - 4/28
11:21am  308,150  Fremont, CA
 5:57pm  308,545  somewhere
 6:50pm  308,610  Baker, CA
 7:50pm  308,687  Nevada state line
 8:30pm  308,720  Las Vegas
10:20pm  308,813  Nevada/Arizona state line  8,129 hr
10:30pm  308,847  St George
 1:20am  309,031  Salina
zomg snow
 3:45am  309,187  Moab

4/30
10:45am  309,445  Moab
12:56pm  309,589  Mountain Gas Station
 9:10pm  309,871  Zion

4/31
 6:00am  309,871  Zion
10:00am  310,120  Baker    8,156 hr
 3:55pm  310,498  Nella    8,162 hr
 6:00pm  ??? Home!

										
				

Moab or bust, busted

So yeah, I’m still around! I have a month off from work so I’ve been bumming around from one thing to another.  My truck just rolled 300,000 miles recently and I finally got around to having * replaced as part of regular maintenance.  I’ve been wanting to head off on some roadtrips but not really sure where.

For whatever reason, yesterday I set off for Moab, UT just because it’s one of those places I’ve heard about but know nothing about. It’s about ~1000 miles from here, so one of my first ambitious non-stop trips in quite a while. Packed up, headed out Tuesday morning at 11am. I decided to take a route down south and through Las Vegas which would put me at Moab around 1 AM, wheeee. Wound up having one, then three engine misfire indicators before I got to Barstow. P0300 random/multiple misfire code. Well, crap. I didn’t know if they’d get worse and screw me out in the middle of Nevada at night somehow; I’ve already experienced a misfiring leading to melting a catalytic converter and limping home.

Of course after I headed home I never had a single misfire, regardless of acceleration, hills, or anything. Blah. Maybe I’ll try again in a few days after things get checked out.

Hacking a Peeple

A knock on your door

A common tactic for a burglary or casing a home is to send somebody unconcealed to the front door posing as a survey taker, lost pet owner, or some such and seeing if anyone is at home. If nobody answers, it’s probably a sign that there’s nobody around, and they proceed.

Outdoor video cameras on the front porch can help, but they’re often mounted so high or at such a weird angle that it’s hard to get a good image to identify the person by their face. If you live in an apartment you might not even be able to put up an outdoor camera. Ever watch the evening news and hear “Police need help identifying this person, do you recognize their clothes or car”? I think the best solution to improve this is to aim a camera right in their face.

There are some solutions such as a “video doorbell” which has an exterior camera mounted lower, but the problem is that they are usually shiny and hi-tech looking, drawing attention to themselves, and they can easily be smashed. Ideally the camera would be inconspicuous from the outside and tamper proof. This is where an indoor door peephole camera comes in. It’s naturally face height and about as direct as you can get.

Ideally there would be a camera unit to mount on the door, have an LCD for local viewing (or at least easily removable if you actually want to look out), use wi-fi connectivity, and stream video to an existing security camera NVR. Surprisingly nothing like this exists. There are some video peephole viewers but they either don’t stream video, no wi-fi, use proprietary wireless, or they’re outside and easily bashed in. Or, you can buy just a peephole camera from Alibaba, but you have to build everything else. Axis makes some excellent pinhole IP cameras that could do the job, but they’re easily $300-$400. I tried building my own thing with a Raspberry Pi+camera module+3” LCD, but at least with the Pi2 the video lagged badly.

I’ve threatened to just find a cheap Android phone and stick it to my door. This gets me LCD, camera, wi-fi, streaming, at the price of a power cable taped to my door.

Enter the Peeple

I ran across the Peeple on Kickstarter a couple of years ago and it seemed promising so I chipped in for it. It claimed to be a door mounted, wi-fi capable, battery operated camera. Whenever somebody knocked on the door, it would record video and send it to your phone. The downside was that it required “the cloud” to operate, there was no way to send video to my NVR (which already does iOS notifications). It didn’t have an LCD either, but it turned out to be easily removable so I’m not complaining too much.

After two years it finally arrived at my desk. And of course the first thing I did was tear it apart and sniff network traffic to see what it did.

Sample video through a dusty peephole

Network traffic

I found several surprising things when I fired up tcpdump and started looking at its network traffic. (I know, I shouldn’t be surprised at an IoT thing). For one it speaks plaintext HTTP, which is terrible for an IoT thing that speaks to the cloud, but great for me because it means I can see what it’s doing.

1) When motion is detected the radio and networking fire up, and it immediately sends a DHCP request.

2) It then sends a DNS request to 8.8.8.8 for api.peeple.io, so it clearly disregards my DNS servers offered up in the DHCP reply and has Google’s resolver hard-coded. ugh.

 192.168.130.37.55551 > 8.8.8.8.53: 41216+ A? api.peeple.io. (31)
IP (tos 0x20, ttl 57, id 5688, offset 0, flags [none], proto UDP (17), length 91)
 8.8.8.8.53 > 192.168.130.37.55551: 41216 2/0/0 api.peeple.io. A 52.27.66.175, api.peeple.io. A 52.41.133.189 (63)

3) Next, it fires off an HTTP GET request in plain text to /device/v1/knock/begin.
It sends some sort of hashed or encoded string as an X-Peeple: header, which is presumably based on my unit’s serial number or some other unique identifier. It’s not base64, so I suspect a hash. The server returns a UNIX timestamp and my phone gets an iOS notification.

IP 192.168.130.37.23220 > 52.27.66.175.80: Flags [P.], seq 1:130, ack 1, win 5840, length 129: HTTP: GET /device/v1/knock/begin HTTP/1.1
E..............%4.B.Z..P...p,.7.P.......GET /device/v1/knock/begin HTTP/1.1
Host: api.peeple.io
User-Agent: Peeple
Accept: */*
X-Peeple: ycQfCce47hAwk...

IP 52.27.66.175.80 > 192.168.130.37.23220: Flags [.], ack 130, win 18760, length 0
E .(..@.+..54.B....%.PZ.,.7.....P.IH.b..
IP 52.27.66.175.80 > 192.168.130.37.23220: Flags [P.], seq 1:204, ack 130, win 18760, length 203: HTTP: HTTP/1.1 200 OK
E ....@.+..i4.B....%.PZ.,.7.....P.IH_...HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Tue, 31 Jan 2017 08:52:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 10
Connection: keep-alive
Access-Control-Allow-Origin: *

1485852760

Amusingly I can craft a request by hand and send a barrage of notifications to my phone without any extra authentication:

[bwann@raptor ~]$ GET -H "X-Peeple: ycQfCce47hAwk..." -H "User-Agent: Peeple" http://api.peeple.io/device/v1/knock/begin
1485892854

The server returns a UNIX timestamp of the current time.

4) After recording a few seconds of video, it does an HTTP POST request to upload the video file to /device/v1/knock/movie/<unix timestamp>. Ah hah! The payload is about 500k (466,259 bytes here)

IP 192.168.130.37.23221 > 52.27.66.175.80: Flags [P.], seq 1:166, ack 1, win 5840, length 165: HTTP: POST /device/v1/knock/movie/1485852760 HTTP/1.1
E..............%4.B.Z..P...r.=.\P...v...POST /device/v1/knock/movie/1485852760 HTTP/1.1
Host: api.peeple.io
User-Agent: Peeple
Accept: */*
Content-Length: 466259
X-Peeple: ycQfCce47hAwk...

IP 192.168.130.37.23221 > 52.27.66.175.80: Flags [P.], seq 166:1626, ack 1, win 5840, length 1460: HTTP
0x0000: 4500 05dc 000e 0000 8006 7b76 c0a8 8225 E.........{v...%
0x0010: 341b 42af 5ab5 0050 0000 1a17 fc3d d65c 4.B.Z..P.....=.\
0x0020: 5018 16d0 5f78 0000 e145 0000 b126 0000 P..._x...E...&..
0x0030: ffd8 ffe0 0010 4a46 4946 0001 0101 0000 ......JFIF......
0x0040: 0000 0000 ffdb 0043 0008 0606 0706 0508 .......C........

5) After uploading the video, it also sends a log file via HTTP POST to /device/v1/knock/log/<unix timestamp>. This revealed more interesting information about the unit.

IP 192.168.130.37.23222 > 52.27.66.175.80: Flags [P.], seq 1:163, ack 1, win 5840, length 162: HTTP: POST /device/v1/knock/log/1485852760 HTTP/1.1
E....j.....,...%4.B.Z..P......P.P....g..POST /device/v1/knock/log/1485852760 HTTP/1.1
Host: api.peeple.io
User-Agent: Peeple
Accept: */*
Content-Length: 11929
X-Peeple: ycQfCce47hAwk...

[....]

sys 390 log_start:
inf 390 user_init: Peeple Firmware Started
.inf 390 user_init: -----------------------
.inf 390 user_init: version 1611152040
.inf 391 user_init: free heap 28652
.inf 394 user_init: rboot.mode 0
.inf 396 user_init: rboot.current_rom 1
.inf 399 user_init: rboot.previous_rom 0
.inf 402 user_init: rboot.fw_updated 0
.inf 405 user_init: rboot.is_first_boot 0
.inf 408 user_init: rboot.boot_attempts 0
.inf 411 user_init: rboot.rom[0] 0x11000
.inf 414 user_init: rboot.rom[1] 0x89000
.inf 417 user_init: rboot.rom[2] 0x0
.inf 420 user_init: rboot.rom[3] 0x0
.inf 423 configLoad: 652 bytes @ 0x1800
.inf 426 configLoad: index:0 ssid:XXXXXXXXXXX
.inf 429 configLoad: index:1 ssid:
.inf 432 configLoad: index:2 ssid:
.inf 435 configLoad: index:3 ssid:
.inf 438 configLoad: activeStation:0
.inf 441 configLoad: waitingForHandOff:0
.inf 444 heapReport: 28652
.inf 458 logResetInfo: cause: 6 (sys reset)
.inf 460 internetInit:
.inf 462 webServerInit: starting
.inf 465 webServerAddRequestHandler: url:[/peeple.log] -> 0x402b2420
.inf 474 webServerAddRequestHandler: url:[/crash] -> 0x402cc784
.inf 475 webClientInit: device:ycQfCce47hAwk....
.inf 479 otaUpdateInit: start
.inf 481 webServerAddRequestHandler: url:[/ota/status] -> 0x402b35e8
.inf 487 webServerAddRequestHandler: url:[/ota/update] -> 0x402b3640
.inf 493 webServerAddRequestHandler: url:[/reboot] -> 0x402b36b8
.inf 498 webServerAddRequestHandler: url:[/sleep] -> 0x402b35c0
.inf 503 wifiInit: starting
.inf 511 wifiSetup: ssid:Peeple XXXXXXX password:XXXXXXXXX
.inf 1401 webServerAddRequestHandler: url:[/wifi/status] -> 0x402b5a14
.inf 1401 webServerAddRequestHandler: url:[/wifi/scan] -> 0x402b5968
.inf 1402 webServerAddRequestHandler: url:[/wifi/connect] -> 0x402b5ebc
.inf 1408 webServerAddRequestHandler: url:[/wifi/forget] -> 0x402b5934
.inf 1414 webServerAddRequestHandler: url:[/wifi/reset] -> 0x402b58e4
.inf 1420 wifiTaskImpl: connect to ssid:XXXXXXXXXXX
.inf 1426 wifiTaskImpl: pending ssid:XXXXXXXXXXXXX
.inf 1428 cameraInit:
.inf 1429 webServerAddRequestHandler: url:[/camera/settings] -> 0x402b393c
.inf 1444 cameraTaskImpl: starting:CAMERA_MODE_KNOCK
.inf 1444 webServerAddRequestHandler: url:[/config/createHandOffKey] -> 0x402b6560
.err 1584 cameraReadBytes: timeout in RD_CHIP_ID (100)
.inf 1584 cameraTaskImpl: failed to get chipID, assuming baudrate is already set
.inf 1585 cameraTaskImpl: chipID:0x10006431
.inf 2328 doCameraModeKnock: we have a knock!
.inf 4435 onWifiStateChange: 0x0:EVENT_STAMODE_CONNECTED / STATION_CONNECTING
.inf 5406 heapReport: 15780
.inf 7422 onWifiStateChange: 0x0:EVENT_STAMODE_GOT_IP / STATION_GOT_IP
.inf 20252 doCameraModeKnock: numPictures:33 movieSize:466259 duration:17889
.inf 20252 doCameraModeKnock: (attempt 1) start new knock
.inf 20393 heapReport: 15316
.inf 21388 doCameraModeKnock: (attempt 1) upload 466259 bytes for knock 1485852760
.inf 21504 frameDataGenerator: 2920/466259
...

One bad thing I noticed is that it sends my wireless SSID to Peeple in PLAIN TEXT. While not an outright security hole, it’s an information leak that’s certainly none of their business.

Interestingly, lines 465-1414 told me the unit actually had an embedded webserver running. While the unit was active I was able to go to http://192.168.130.37/peeple.log and fetch the same file that was being uploaded.

6) Finally it does an HTTP GET of /device/v1/firmware/version/live, presumably to check if there’s any new firmware to download. The server returns an integer, which in this case matches the version in line 390 of the log. Because I haven’t seen a firmware update yet, I don’t know what it does after this, but I assume it would do another GET to fetch it.
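The log upload from step 5 can be audited mechanically for what it discloses: network names, credential fields, and the URLs the embedded web server registers. The Python below is an added example, not part of the original post or the device's code; the sample log is constructed in the format shown above, and the "risky" keyword list is an assumption based on handler names only.

```python
import re

# One log record: optional leading ".", level, tick counter, function name, message.
LINE = re.compile(r"^\.?(?P<level>sys|inf|err)\s+(?P<tick>\d+)\s+(?P<func>\w+):\s*(?P<msg>.*)$")
ROUTE = re.compile(r"url:\[(?P<url>[^\]]+)\]")
SSID = re.compile(r"ssid:(?P<ssid>.*?)(?:\s+password:(?P<password>\S+))?$")

# Assumption: these substrings in a handler URL suggest a state-changing action.
# This is a naming heuristic only; it says nothing about how a handler behaves.
RISKY_WORDS = ("ota", "reboot", "reset", "connect", "forget", "sleep", "handoff")

# Constructed sample in the format of the log above. SSIDs and the password are
# placeholders; the version string and handler lines are the ones shown on this page.
SAMPLE_LOG = """\
sys 390 log_start:
inf 390 user_init: Peeple Firmware Started
.inf 390 user_init: version 1611152040
.inf 426 configLoad: index:0 ssid:ExampleHomeNet
.inf 429 configLoad: index:1 ssid:
.inf 465 webServerAddRequestHandler: url:[/peeple.log] -> 0x402b2420
.inf 487 webServerAddRequestHandler: url:[/ota/update] -> 0x402b3640
.inf 493 webServerAddRequestHandler: url:[/reboot] -> 0x402b36b8
.inf 511 wifiSetup: ssid:Peeple EXAMPLE password:example-pass
.inf 1402 webServerAddRequestHandler: url:[/wifi/connect] -> 0x402b5ebc
.inf 1420 wifiTaskImpl: connect to ssid:ExampleHomeNet
.err 1584 cameraReadBytes: timeout in RD_CHIP_ID (100)
.inf 2328 doCameraModeKnock: we have a knock!
"""


def parse_lines(text):
    """Yield (level, tick, func, msg) for every line that looks like a log record."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("level"), int(m.group("tick")), m.group("func"), m.group("msg")


def audit(text):
    """Summarise what a device log reveals to whoever receives or sniffs it."""
    report = {"firmware": None, "ssids": [], "password_fields": 0,
              "routes": [], "risky_routes": [], "errors": []}
    for level, tick, func, msg in parse_lines(text):
        if level == "err":
            report["errors"].append((tick, func, msg))
        if func == "user_init" and msg.startswith("version "):
            report["firmware"] = msg.split()[1]
        route = ROUTE.search(msg)
        if func == "webServerAddRequestHandler" and route:
            url = route.group("url")
            report["routes"].append(url)
            if any(word in url.lower() for word in RISKY_WORDS):
                report["risky_routes"].append(url)
        cred = SSID.search(msg)
        if cred and cred.group("ssid"):          # empty slots ("ssid:") are skipped
            if cred.group("ssid") not in report["ssids"]:
                report["ssids"].append(cred.group("ssid"))
            if cred.group("password"):
                report["password_fields"] += 1   # count only, never store the value
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
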

Video format

It took me a while to figure out what video format this was; Wireshark wasn’t able to detect it. The JFIF plaintext and FF E0 00 10 4A was a tip-off that it was some sort of JPEG video. After carefully extracting the video payload from Wireshark and removing the HTTP header, I fed it to VLC and it was clueless too.

Somebody later pointed out to me that FF D8 FF E0 was Motion JPEG. Sure enough after tweaking my process to include a few extra bytes I was able to extract the full video from the tcpdump! It’s about 15 seconds (15 frames) of 640×480 video. This means it’s not some obscure video format, and as long as I can intercept the traffic I can work with it.
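Because each frame in the upload is an ordinary JPEG beginning with FF D8, the frames can be carved out of the reassembled POST body without knowing the container layout. The Python below is an added example, not the author's extraction process: it walks JPEG marker segments instead of searching for the first FF D9, which can also occur inside a segment payload, and it skips whatever bytes sit between frames. The test frames are constructed and are not decodable images.

```python
import sys
from pathlib import Path

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}    # markers that carry no length field


def jpeg_end(buf, start):
    """Return the index one past the EOI of the JPEG at `start`, or None if
    the data is truncated or does not follow JPEG marker structure."""
    n = len(buf)
    if buf[start:start + 2] != b"\xff\xd8":
        return None
    i = start + 2
    while i + 2 <= n:
        if buf[i] != 0xFF:
            return None
        marker = buf[i + 1]
        if marker == 0xFF:                 # fill byte before a marker
            i += 1
            continue
        if marker == EOI:
            return i + 2
        if marker in STANDALONE:
            i += 2
            continue
        if i + 4 > n:
            return None
        seg_len = int.from_bytes(buf[i + 2:i + 4], "big")
        if seg_len < 2:
            return None
        i += 2 + seg_len                   # skip the segment, payload included
        if marker != SOS:
            continue
        # Entropy-coded scan data: FF 00 is a stuffed byte and FF D0..D7 are
        # restart markers; any other FF xx is a real marker.
        while True:
            j = buf.find(b"\xff", i)
            if j < 0 or j + 1 >= n:
                return None
            nxt = buf[j + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                i = j + 2
            elif nxt == 0xFF:
                i = j + 1
            else:
                i = j                      # let the outer loop handle this marker
                break
    return None


def carve_frames(payload):
    """Return every complete JPEG found in `payload`, in order."""
    frames, pos = [], 0
    while True:
        start = payload.find(b"\xff\xd8\xff", pos)
        if start < 0:
            return frames
        end = jpeg_end(payload, start)
        if end is None:                    # truncated or false hit: keep looking
            pos = start + 2
            continue
        frames.append(payload[start:end])
        pos = end


def make_fake_frame(tag):
    """Constructed test frame: valid marker layout, not a decodable image."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00"
    com = b"\xff\xfe\x00\x08trap\xff\xd9"  # comment segment hiding an FF D9
    scan = b"\xff\xda\x00\x02" + tag + b"\xff\x00\x12\xff\xd0\x34"
    return b"\xff\xd8" + app0 + com + scan + b"\xff\xd9"


SAMPLE_PAYLOAD = (
    bytes.fromhex("e1450000b1260000")      # the 8 bytes before the first FF D8 in the dump above
    + make_fake_frame(b"A")
    + bytes(8)                             # constructed filler between frames
    + make_fake_frame(b"B")
    + make_fake_frame(b"C")[:20]           # truncated last frame, as in a cut-off capture
)

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to a reassembled POST body
        for k, frame in enumerate(carve_frames(Path(sys.argv[1]).read_bytes())):
            Path(f"frame_{k:03d}.jpg").write_bytes(frame)
    else:
        print(len(carve_frames(SAMPLE_PAYLOAD)), "frames in the constructed sample")
```
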

Video interception

Getting the video directly instead of going to the cloud should just be a matter of pretending to be api.peeple.io and implementing my own endpoint to handle the HTTP POST and save the movie. But because it has a hardcoded DNS server, this isn’t so trivial.

So far I’ve done this:

  • Bound 8.8.8.8 to a home Linux box
  • Configured BIND to listen on 8.8.8.8 and be authoritative for peeple.io, returning my own IP address for api.peeple.io.
  • Configured a static route on my home router to send traffic destined for 8.8.8.8 to my Linux box.
  • Whipped up some Apache ScriptAlias directives to point to a Python CGI handler

I haven’t finished writing scripts to spoof the HTTP GET/POST requests, but so far the unit happily goes along with my traffic interception. I see the requests landing in my Apache logs. Once I do this I can save it to my NVR or whatever and be cloud free! Alternatively I could send it to both myself and Peeple, preserving original app functionality.

I may just leave the 8.8.8.8 interception in place permanently, just to see what hits it. I already run local caching DNS servers that will always be lower latency than going to the Internet. A few friends have already reported their random Google/Android devices also ignore their local DNS and go out to 8.8.8.8 too, so I’m not alone.
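A local stand-in for the four requests observed in the capture (knock/begin, knock/movie, knock/log, firmware/version/live) could look like the following. This is an added example, not the author's script: it uses Python's http.server instead of the Apache CGI setup described above, and the save directory, the size cap and the empty 200 reply to uploads are assumptions, since the page does not show the real server's upload responses.

```python
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

SAVE_DIR = Path("knocks")               # assumption: where uploads are stored
FIRMWARE_VERSION = "1611152040"         # version string from the device log above
MAX_UPLOAD = 5 * 1024 * 1024            # assumption: cap; observed movie was 466,259 bytes
LISTEN = ("0.0.0.0", 80)                # the device speaks plain HTTP on port 80

# The knock id is limited to digits, so the request path can never choose a
# file name outside SAVE_DIR.
UPLOAD_RE = re.compile(r"^/device/v1/knock/(movie|log)/(\d{1,12})$")
EXT = {"movie": "mjpeg", "log": "log"}


def handle_request(method, path, body=b"", save_dir=SAVE_DIR, now=None):
    """Return (status, response_body) for one device request."""
    if method == "GET" and path == "/device/v1/knock/begin":
        stamp = int(now if now is not None else time.time())
        return 200, str(stamp).encode()          # server replies with a UNIX timestamp
    if method == "GET" and path == "/device/v1/firmware/version/live":
        return 200, FIRMWARE_VERSION.encode()    # same version: nothing new to fetch
    match = UPLOAD_RE.match(path) if method == "POST" else None
    if match is None:
        return 404, b""
    if len(body) > MAX_UPLOAD:
        return 413, b""
    kind, knock_id = match.groups()
    target_dir = Path(save_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    (target_dir / f"{knock_id}.{EXT[kind]}").write_bytes(body)
    return 200, b""                              # assumption: empty body is accepted


class DeviceHandler(BaseHTTPRequestHandler):
    def _serve(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = -1
        if length < 0:
            status, out = 400, b""
        elif length > MAX_UPLOAD:
            status, out = 413, b""               # refuse before reading the body
        else:
            body = self.rfile.read(length) if length else b""
            status, out = handle_request(self.command, self.path, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    do_GET = do_POST = _serve


if __name__ == "__main__":
    HTTPServer(LISTEN, DeviceHandler).serve_forever()
```
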

Hardware

There’s not a whole lot to this. Interestingly, all the pins and solder pads are well labeled, quite likely to aid with troubleshooting because it’s fresh out of a Kickstarter. The unit is about 3.5” in diameter and an inch thick. Right in the middle is a big lithium-ion battery.
For wi-fi connectivity, it appears to use an off-the-shelf ESP-12f module. This is over on the left side under the serial number sticker. I’m not sure how it receives the video data; it supports SPI, I2C, and GPIO. It has an embedded TCP/IP stack so that likely explains why it can’t do HTTPS (and certainly no IPv6) :(

There’s not much on the door-facing side: the camera, a mini-USB port for charging, and the on/off and reset switches.

Underneath the battery is an ARM Cortex-M4 SoC, an STM32F411RE chip. AFAIK this is just a microcontroller, no embedded OS running. It looks like there may be a UART exposed on the board; I need to play with it to see what I can discover.

ARM Cortex-M4


Out of the box I already had one problem where after unplugging the charging cable the unit would not turn on. After I took it apart I figured out the battery connector was barely making contact with the battery while in the vertical position. I bent them inwards a bit and now it works fine. I emailed the inventor about it, he said he’s seen it before and in the latest email update to kickstarters he said they’d replace them if anyone else encountered this problem.

Overall it’s a neat little device, but not the perfect thing I wanted. The fact it uses a magnet to mount to the door plate is nice, so it’s easy to remove and look outside. Long battery life is nice for what it is, although personally I’d be fine settling for running a wire along the hinge side of the door for power if it got me live video all the time. I have to subvert networking to get it to send video to me, and there’s no way to integrate a doorbell with it.

At least it’s not completely security stupid like other IoT devices which do things like leave your home network exposed to an alternative SSID, send wi-fi passwords in the clear, have default logins (you can’t log in to this afaik), or turn into a spam bot.

My colleague Matthew gave a presentation about bare metal provisioning servers at Facebook on IPv6-only networks at SREcon last month. He discusses the entire process from why we went v6-only, selection of DHCP server and network boot loaders, through installing CentOS on hosts, and all of the gotchas along the way. By audience survey it doesn’t seem like many people are doing v6 provisioning yet; I suspect many people are still hamstrung by v4-only infrastructure like older PXE ROMs. He also covers the work I’ve done on Anaconda to improve IPv6 reliability, which I’ve written about a few times here before.

Link: https://www.usenix.org/conference/srecon16/program/presentation/almond

Supermicro Storage and network option ROM settings

It turns out my Supermicro A1SAI boards made a fucking liar out of me. I bitched and moaned it was 2016 and they didn’t support UEFI PXE booting despite supporting UEFI, but they do. I just didn’t know where to look. Under “PCIe/PCI/PNP Configuration” in boot setup, the “Launch Storage OpROM Policy” and “Launch Network OpROM Policy” options are by default set to “Legacy”. These “Option ROM policies” are what enable legacy BIOS vs UEFI OS booting and PXE booting options. Here PXE booting with IPv6 and IPv4 can be enabled with the on-board Ethernet interfaces.

Set them to “UEFI”, reboot, go back into boot configuration again and now under the “Boot” menu there will be a whole new set of boot options including UEFI network booting. Now you can install a UEFI native OS over the network with v6 or v4 without relying on a NIC’s own option ROM to provide PXE support. (My boards have quad on-board interfaces so I wind up with 10 boot options)

oh look! UEFI IP6 boot options

Once the OS is installed in a UEFI native way, we can poke at things with efibootmgr and life is grand.

[root@basic10 ~]# efibootmgr
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0006,0007,0000
Boot0000* CentOS
Boot0003* UEFI: Built-in EFI Shell
Boot0004* Hard Drive
Boot0006* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot0007* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot0008* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot0009* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot000A* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot000B* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot000C* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot000D* UEFI: IP6 Intel(R) Ethernet Connection I354

[root@basic10 ~]# ls -l /boot/efi/EFI/centos/
total 5784
-rwx------ 1 root root     128 Dec  7 05:19 BOOT.CSV
drwx------ 2 root root    4096 May  2 22:33 fonts
-rwx------ 1 root root 1009536 Jan  5 09:51 gcdx64.efi
-rwx------ 1 root root    4349 May  2 22:38 grub.cfg
-rwx------ 1 root root    1024 May  2 22:38 grubenv
-rwx------ 1 root root 1009536 Jan  5 09:51 grubx64.efi
-rwx------ 1 root root 1283952 Dec  7 05:19 MokManager.efi
-rwx------ 1 root root 1291512 Dec  7 05:19 shim-centos.efi
-rwx------ 1 root root 1296176 Dec  7 05:19 shim.efi
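
A boot-order check over the efibootmgr listing above, as an added example (not from the original post): it reports which network entries the firmware tries before the first local entry, and which network entries exist but are not in BootOrder. The function names are made up for this example, and matching on the "UEFI: IP4" / "UEFI: IP6" label assumes this board's naming.

```python
import re

# efibootmgr output as shown in the post above
SAMPLE = """\
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0006,0007,0000
Boot0000* CentOS
Boot0003* UEFI: Built-in EFI Shell
Boot0004* Hard Drive
Boot0006* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot0007* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot0008* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot0009* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot000A* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot000B* UEFI: IP6 Intel(R) Ethernet Connection I354
Boot000C* UEFI: IP4 Intel(R) Ethernet Connection I354
Boot000D* UEFI: IP6 Intel(R) Ethernet Connection I354
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")
NETWORK = re.compile(r"^UEFI: IP[46]\b")     # label style assumed from this board

def parse(text):
    """Return (boot order, {number: (active, label)}) from efibootmgr output."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line[10:].split(",") if n.strip()]
        elif (m := ENTRY.match(line.strip())):
            entries[m.group(1).upper()] = (m.group(2) == "*", m.group(3).strip())
    return order, entries

def audit(text):
    """Network entries tried before any local one, and those outside BootOrder."""
    order, entries = parse(text)
    net = {n for n, (active, label) in entries.items() if active and NETWORK.match(label)}
    first = []
    for num in order:
        if num not in entries or not entries[num][0]:
            continue                     # stale or inactive entry, not bootable
        if num not in net:
            break                        # first local entry ends the network run
        first.append(num)
    return {"network_first": first, "network_unordered": sorted(net - set(order))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On this host the result shows IPv4 then IPv6 network boot ahead of the installed CentOS entry, which is what a provisioning setup wants and is worth confirming as deliberate on machines that have already been installed.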
