Computers in/as art, Seeing as a Singularity - Links, May and June 2023

We made it up to three non-working lamps in the house, and re-wiring them can’t be that hard, right? I have had a lot of trouble finding the supplies online, though - Amazon must have them but the search terms eluded me. Anyway I found Grand Brass Lamp Parts which was perfect, and the search terms are set wire with molded polarized plug and lamp holders. They have a knowledge base/faq section that tells you the names of the parts you need and other good details. Despite the items being reliable, UL-listed stuff, their prices are lower than amazon. Overall great, except that they don’t own a world-eating order fulfillment empire, so their fast shipping is expensive.

Here is A Tapestry of Time and Terrain - a really beautiful geological map of the USA (a North America version is also available with different colors). The colors in this map were chosen in a rainbow order of time, which is unusual as far as I know. Except for the Pennsylvanian brown in the USA version, maybe to mark the period of coal deposition? You can see the “vast depression in the earth’s crust, centered under the state of Michigan” (which remains a sick burn).

Speaking of pretty things, I ran across a couple of lovely articles on the history of computers in art and design. The first one, by Amy Goodchild, is a review of early techniques of computer-assisted art, starting with cool patterns people made on oscilloscope screens, and touching on computer-randomized dance, computer automation of physical sculpture, and many more concepts. It’s great to see how early some ideas were tried. Looking forward to the followups that will go into the 70s and beyond.

The second article, by Docubyte, shows dozens of early computers in really glorious detail, an ecstasy of industrial design with knobs and panels and blinkenlights.

Semi-relatedly, apparently you can absolutely pimp out your old iPod with better battery, storage, connectivity, case, operating system, all kinds of stuff - found via a helpful MeFi thread on how to consume music in a way that doesn’t suck

We had computer-assisted art, so continuing on that theme of greater possibilities of humans + tools or humans + humans, here’s a nice statement of a hunch that I had as a teenager:

The joke version goes thus: I believe in a supreme being, in that I think beinghood is closed under union, thus the set of all beings has a superema (a maximal element).

Larger Selves by D. R. MacIver

As a teenager I thought about this kind of thing a lot for a while, for instance I rephrased renowned deity Jesus’s “where two or three are gathered in my name, I am there among them” as “God is what happens when two or three are gathered together.” That seemed a little glib, but I went with it for a while. I was reading Hofstadter and relishing the word “emergent.” I remember explaining it to some adult, and they rephrased it as “oh, it’s like all of creation singing together” and at that point, the glibness level overwhelmed me and I abandoned the thought. But I’m glad to know that someone is having interesting, related ideas, and developing them farther than I ever did!

When you’ve got structures of information flow that are much larger than small friend groups, for instance churches or corporations or governments, they are hard to comprehend or hold to account. So much so that some people date the putative Singularity not to some moment in a decade or two when Artificial Intelligence closes a loop, but back to the start of the Industrial Revolution. Here is a great article by Henry Farrell that argues this point and also touches on Large Language Models and oppression. (When you look at the header image, RLHF is Reinforcement Learning with Human Feedback, a fine-tuning step they do to large language models).

The article also mentions Seeing Like a State, so Farrell joins MacIver in the club of people who have read that book and then written articles that I really appreciate. The book is rumored to be a slog, but maybe I have to read it sometime.

OK, I’m done with segues, here’s what else has been on my mind:

Take a look at your smoke detectors. Do they look yellowed? They are too old. They stop working as well after ten years, even if you keep replacing the battery. Also, you can now get detectors that detect smoldering fires WAY better than traditional ones. I realized that the previous occupants of my house didn’t replace the detectors at their 10 year mark, so most of mine are 20 years old! I’ve started replacing them with dual-detector (photo & ion) models.

Let’s Learn Everything is a podcast I just discovered that’s been a delight. I consume a lot of nonfiction-as-entertainment, and this is fresh and nice! (via)

I don’t know enough on Physics to know if this is actually a big new idea or not, but it does seem very correct to me - Assembly Theory, about path-dependency in the history of phenomena

I read Robin Hobb’s Farseer trilogy and found it to be a little on the intense side of what I normally like, but still worthwhile.

I also read Light from Uncommon Stars by Ryka Aoki and found it really moving. Would recommend it, although look up its trigger warnings.

It’s hurricane season, so Tropical Tidbits has started releasing videos again - if you’re vaguely curious about meteorology, they’re very watchable and you can glean things.

My computer’s wifi broke out of the blue, didn’t work after rebooting and powering off. Taking my laptop apart, removing and reinstalling the wifi card did the trick though! There’s no trick like an old trick.

Dwarf Metal music exists and is worth experiencing once!

Links, April 2023

During the powerful winter storm in the Midwest late last December, apparently it was too cold to operate a lot of natural gas power plants! We avoided more blackouts because wind energy really came through (it was awfully windy). There’s a system in place to reward resilient generation capacity, and penalize if you say your capacity is resilient but it isn’t. The link is an interesting Union of Concerned Scientists blog post about the whole thing, and the natural gas power plants’ attempts to evade the consequences.

Another interesting thing from the Union of Concerned Scientists’ blog was a few years ago - Dave Lochbaum wrote a series of articles about harrowing near-miss problems at nuclear power plants.

For instance, here is a post about arcing in electrical equipment in power plants, which includes this video of a controlled test:

A lot of the failures Lochbaum highlighted over the series felt like pretty normal industrial facility problems that could be controlled by good management, but weren’t. IIRC the UCS’s position is that nuclear plants can be run safely, but that some are clearly run more safely than others, and that the regulators are way too lax with the low performing operators.

On a tangent, strange guy / chemistry youtuber CodysLab refined Uranium metal from a rock a few years ago.

This is a nice one-hour summary of the geology of Indiana. And here’s a delightful and earnest geologist getting excited about the Great Unconformity, which yeah, I find spooky.

Jonathan Frakes asks you things: guaranteed to make you feel a feeling in 48 seconds

A powerful takedown of the panic about trans athletes, via a MetaFilter post with a few more links

I’m not a MeFite myself, but they have RSS feeds of best and popular posts that are consistently interesting to me.

Speaking of RSS, I am still leading that Google Reader lifestyle, with Feedbin and the Reeder app. Updates from sources I choose, in beautiful reverse chronological order. It’s very nice and I recommend it!

Cory Doctorow wrote a scathing article about how “gig work” companies twiddle the amount they pay workers on each job: they lure workers in with high payouts and then taper their pay down to the lowest amount each worker will tolerate. Algorithmic wage discrimination - really sickening.

Kottke had a special day of being blown away by an incredible drummer, Larnell Lewis: Drummer Plays Metallica’s Enter Sandman After Hearing It Only Once, followed by An Epic Improvisation - I’ve watched that video about 15 times and it was stuck in my head for a week.

Cool Tools featured a usable telescope for $48 which sounds amazing

Had to explain about light switch raves

A gardening song more fun and honest than Inch by Inch, Row by Row (but less depressed than Slug by Slug, Weed by Weed)

Two nice interviews about Aardman’s stop motion productions (e.g. Wallace and Gromit) - Adam Savage and Wired

A sign in the style of an official warning sign, saying "Caution: This device attracts all other objects in the universe with a force proportional to the product of their masses and inversely proportional to the square of their distance"

A sign in the style of an official warning sign, saying "Notice: Who cares? Not me! Ha ha ha"

Safety sign generator. I don’t understand why people aren’t more excited about this. My wife and I used it to make safety signs of like a dozen in-jokes, an hour well spent.

Personal Preference is getting an update - the original was a favorite

I tried ChatGPT and didn’t find it very fun, although maybe I just didn’t find a good interaction pattern?

a screenshot of ChatGPT doing a bad job drawing the state of Indiana as ASCII art

MicroPython, a stripped-down version of Python for microcontrollers, celebrated ten years of existence! I’ve gotten a lot of use out of the Adafruit fork, CircuitPython, for instance using it to control the e-ink display of the MagTag.

I re-read five of the six main Queen’s Thief novels - it turns out that blasting through the audiobooks almost one a day is a little too fast, and the sixth one was a bridge too far. But the series is still great, I’ll get back to the last one soon. Audiobooks are nice when gardening.

A photo of some rock lilies

A photo of a bottle of korean alcohol, translated with google translate as soft as the first, sweet like an apple (apologize)

Links, March 2023

I got on a little kick for old-time telephone switching systems. I started with the Connections Museum playlist about how telephone calls used to work, where Sarah’s excitement about the whole thing was totally infectious. In one of her videos, she linked to Evan Doorbell, who talks about phone phreaking with the most delicious radio voice.

The story of the invention of automatic telephone switching is truly wild, starting with a business dispute between an undertaker and his local telephone company. And it happened in 1891 - just one year after Hollerith first used automatic tabulation and punch cards in the US Census. I’m blown away by the complexity of these information systems, starting roughly 60 years before the first modern, stored-program computer.

Tim Hunkin, of Secret Life of Machines fame, has been making a lovely series of videos about different components DIYers can use, based on his decades of experience making one-off satirical arcade machines and other magnificent gadgets.

Inside a megawatt radio transmitter, and part two

This is the month I became aware of Mr. Blobby - wow

I’ve been watching through Ben Eater’s series on building a 6502 CPU into a minimal computer. 6502 assembly language is gloriously easy to understand, and he does a great job of going from simple to complex one step at a time. His series on USB and on the “world’s worst video card” are also nice.

Cookie Monster makes John Oliver totally crack up

Music from the Demoscene - click Listen in the upper right. There are so many bad tracks in the world, it’s nice to have a streaming station of 90% good ones.

Why Clip Art Was Everywhere… Until it Wasn’t

Different types of panning demo - Increase stereo image - Dave Rat, a sound guy from huge acts like RHCP, has a youtube channel. I’ve been watching his videos about making live sound work better - maybe someday I’ll run sound for contra dances again, and it would be fun to try his tips like these, or double mic’ing, etc.

Quick documentary about how the FDIC takes over a failed bank - or the audio version from This American Life. Kind of fascinating, and relevant again. Calculated Risk has links to further info about how banks are evaluated.

Wildly compelling hambone performance

Making a production run of resin-cast figures - we used his cut-mold process to copy some chess pieces and make soap in their shape, and it worked really well!

This might be my year of 3D modelling, and if so, I plan to use Michal Zalewski’s Guerilla guide to CNC and resin casting

Spending the night in a Titan II Missile Silo

See, him face?

Tax Heaven 3000, a dating sim that does your taxes (my taxes are done in a much more sedate way but this is pretty funny)

Cheating and going back to earlier this year -

A Marxist View of Tolkein’s Middle Earth (via metafilter) - “J. R. R. Tolkien’s fantasy world is a medieval utopia with poverty and oppression airbrushed out of the picture. But Tolkien’s work also contains a romantic critique of industrial capitalism that is an important part of its vast popular appeal.” Wouldn’t call myself a Marxist but this was very interesting

TikTok’s enshittification - this seems to have a lot of explanatory power for how online spaces grow and die

A low-tech way to see the TOTP secret exported from Google Authenticator

Google Authenticator’s Export functionality produces a QR code. You can scan the QR code with another copy of Google Authenticator, to transfer the Time-based One-Time Password secret to a new phone for example. But if you want to use it in another context, it’s annoying and tricky. For example, if you need to authenticate in order to run automated tests, you can’t be getting your phone out each time your CI job runs.

These instructions are for a Debian-based Linux machine.

  1. sudo apt-get install zbarcam-gtk oathtool protobuf-compiler
  2. Click the three dots menu in Authenticator, choose Export, and select the accounts you want to export
  3. Run zbarcam-gtk and point your computer’s camera at the QR code displayed on your phone
  4. Copy the URL at the bottom of the window
  5. Paste it somewhere and delete the prefix, QR-Code:otpauth-migration://offline?data=
  6. Open Python3 and run:
    from urllib.parse import unquote
    import base64
    with open("secret.proto") as out:
     out.write(unquote("the rest of the decoded QR"))
    
  7. Back in the terminal, run protoc --decode_raw < secret.proto
  8. rm secret.proto
  9. Copy the thing that looks like \123WE\012 etc – the binary representation of the TOTP secret – not including its quotation marks.
  10. Back in Python, type
    base64.b32encode(b"PASTE HERE")
    

    You should get back a bytes object that’s all letters and numbers. That’s the TOTP secret, encoded in base32.

  11. Now, any time you need a one-time password, you can run
    oathtool -b --totp the_base32_secret
    

This is less secure than your phone, e.g. your secret will be visible in your shell history file. But it can be worthwhile in certain cases.

I did it this way because I didn’t know what TOTP desktop apps were trustworthy or would send your passwords to Nocturnal Aviation Associates. I figured these tools were low-level enough that they wouldn’t be scams?

Barometz (The Vegetable Lamb)

When cotton was first introduced to Europeans in medieval times, they were mystified. What was the source of this marvelous material? Theories abounded. For a time, the source was thought to be ‘the Vegetable Lamb of Tartary’—a plant with tiny sheep on stems bowing down and grazing the undergrowth. One can only imagine how they thought all those tiny sheep were shorn.

From The Practical Spinner’s Guide: Cotton, Flax, Hemp, Stephenie Gaustad, 2014

My wife Jessica showed me this passage, and we obviously had to know more. The creature’s wikipedia page quoted some extraordinary verse by Dr. Erasmus Darwin (one of those Darwins):

E’en round the Pole the flames of love aspire,
And icy bosoms feel the secret fire,
Cradled in snow, and fanned by Arctic air,
Shines, gentle borametz,1 thy golden hair
Rooted in earth, each cloven foot descends,
And round and round her flexile neck she bends,
Crops the grey coral moss, and hoary thyme,
Or laps with rosy tongue the melting rime;
Eyes with mute tenderness her distant dam,
And seems to bleat – a vegetable lamb

(Listen, because I am telling you that there is a two-volume book of rapturous poetry about botany, by Darwin’s grandpa, available for free on Project Gutenberg: The Economy of Vegetation and The Loves of the Plants.)

I decided that this lovely misconception needed to be set to music. It’s in iambic pentameter, so I looked through Hymnary by meter and found Magda by Ralph Vaughan Williams to be suitably tender.

So! Here is the sheet music (revision 5) if you would like to sing about this earthy plant-beast. Maybe you can use it in a concert about… misconceptions? Exoticism? Evolution? Fabric? Sheep?

The sheet music is licensed CC-BY 4.0; I would love to know if you use the music, my email address is in the footer. Error reports also welcome.

Mandeville_cotton.jpg

Engraving by Sir John Mandeville, 14th century

  1. Borametz, Barometz, and Borometz all seem to be valid names. Also Scythian Lamb. 

Dissecting an asthma inhaler with a dose counter

Back in the 90s, before Le Chiffre made asthma inhalers cool, my mother taught me how to tell if my Proventil canister was empty. If there was any of that sweet sweet albuterol left, it would float vertically in water, but if it went horizontal it was empty.

Apparently, in the years since I was a wheezyboy, inhaler technology has advanced a bit. Modern ones have clockwork contrivances to tell you how much is left, which I have to admit is convenient.

Photo of part of a Symbicort inhaler, showing the dose counter

I got curious about its inner workings, so I pried the whole thing apart and took pictures. Click through to see!

Continue reading...

System76 Darter Pro 6: power supply, case screws

I like this laptop a lot! It comes with a Chicony power supply, 19V 3.42A 65W. Those are easy to find, but you have to get the right barrel connector. The nominal outer diameter of the barrel is 5.5mm, the nominal inside is 2.5mm. The tip is positive. I ordered this power adapter from amazon, and the brick part is exactly what I got from System76. The barrel fits correctly except it’s a couple mm too long, which I don’t mind. If that link is dead, try searching for “chicony toshiba satellite 19v 65w.” I like supporting System76, but not quite enough to buy replacement AC adaptors from them.

My case screws keep slowly working out somehow, which is annoying. The screws are M2 by 5 mm long if you need to order them. This screw assortment included them.

Delights of a Minnesotan Gigabit Switch (part 3, good hax!)

Welcome back! I’m rehabilitating and taking control of a Waters Network Systems GSM-2112-POE 12-port managed Ethernet switch. You can check out part 1 or part 2 if you feel like it.

In case you don’t feel like it, I’ll sum up where we are in the story: my current Ethernet switch has no character and isn’t rack-mounted so much as rack-zip-tied:

My old switch held onto a rack shelf by ignominious zip ties

I expect to need more than its four power-over-ethernet ports. I’ve bought a high-quality but decade-old switch from eBay for pretty cheap. The people who sold me the switch did not do a factory reset, and I don’t have the admin password. My attempts to hack the thing over the network have failed up to this point. They could possibly be successful eventually, but they seem like an annoying amount of work. I have bought the cable to go from my USB port to this Serial console on the back of the box:

Photo of the serial port on the back of the ethernet switch

Okay, I hook the new cable up between the Serial port and my laptop. How do I actually talk to it?

In my youth, my daddy taught me to use a program called Kermit to dial into some computer at his work so that I could read rec.pets. Fond memories, and Kermit is furthermore a great name for a program, but alas: I now find it 100% incomprehensible. GNU Screen seems to be the actual thing to use.1

The baud2 rate 57600 comes from the manual. Here’s the command line to connect and start interacting:

sudo screen /dev/ttyUSB0 57600

And rebooting the switch gives:

Read system parameters from IIC EEPROM...Done!

BIOS v1.07 

BIOS(0)> ................................................
.........................................................
............Now booting image...

Followed by the normal login prompt - the login isn’t any different from what I see on telnet. But hey, the BIOS(0)>. The > looks like a command prompt? Yes actually! Apparently you have to be quite speedy, there’s only a few seconds grace period, but after a few tries:

BIOS(0)> help
 ===========================================================
        BIOS Command line interface HELP     
 ===========================================================
 help       :  Help for bios command. 
 ls         :  Display the bios command list. 
 sysconf    :  System parameter configuration. 
 flash      :  Flash Device Utility. 
 load(r)    :  Excutable image download[load] & run[loadr] at free memory area. 
 boot       :  vLinux Boot Loader can be selected. 
 dump       :  Memory Dump Command. 
 sys        :  Usage : sys {model|mac{0|1}|prod|ser|hard|mech|ram|flash|show} value . 
 look       :  look ext 0 , 1 ,2 . 
 fill       :  fill memory (4 byte) . 
 sdram      :  SDRAM test . 
 p1         :  p1 {0|1} GBIO Port 1. 
 rd         :  rd block sublock reg 
 ===========================================================

BIOS(1)> 

Huh, sysconf looks vaguely interesting, let’s look:

BIOS(1)> sysconf view

Read system parameters from IIC EEPROM...Done!

+==================================================+
|           System Configuration Table             |
+==================================================+
|  Configuration Parameter valid !!!               |
|               Boot Configuration                 |
+--------------------------------------------------+
|  BOOT Method : manual                            |
|  Boot File Name :                                |
|  TFTP Server IP Address : 192.168.1.176          |
+--------------------------------------------------+
|             Ethernet Configuration               |
+--------------------------------------------------+
|  Host Name : RubyTech                            |
|  Ethernet IP Address : 192.168.1.1               |
|  Ethernet Default Gateway : 192.168.1.254        |
|  Ethernet Default Subnet Mask : 255.255.255.0    |
|  Ethernet H/W Address : 00:40:c7:d0:00:00        |
+==================================================+

Cool! You love to see the text-based tables, for one thing. But more pertinently, it looks like if I created a bootable firmware image, the BIOS would let me load it onto the switch using TFTP and boot into it! So how do I do that?! Actually, it’s not super easy.3 So I put this possibility in my back pocket for now. Another interesting thing we can see here is the name RubyTech. I asked Jeeves, and RubyTech is apparently a Taiwanese supplier of private label network equipment. Presumably it’s where Waters bought the hardware?

I poked around the menu a while longer, which I’ll spare you. The most useful thing turned out to be the memory dump command:

BIOS(4)> dump 0x0
00000000:0000000f   18 f0 9f e5 18 f0 9f e5  -  18 f0 9f e5 18 f0 9f e5 
00000010:0000001f   18 f0 9f e5 18 f0 9f e5  -  18 f0 9f e5 18 f0 9f e5 
00000020:0000002f   01 18 a0 e3 01 24 a0 e3  -  04 30 90 e4 04 30 82 e4 
00000030:0000003f   04 10 51 e2 fb ff ff 1a  -  58 23 5e 00 ff 10 a0 e3 
00000040:0000004f   00 10 80 e5 14 01 9f e5  -  20 10 a0 e3 00 10 80 e5 
00000050:0000005f   f8 00 9f e5 f8 10 9f e5  -  00 10 80 e5 5c 00 8f e2 
00000060:0000006f   fe 1f 90 e8 ec 00 9f e5  -  fe 1f 80 e8 f0 00 9f e5 
00000070:0000007f   01 18 a0 e3 5e 28 a0 e3  -  04 30 90 e4 04 30 82 e4 
00000080:0000008f   04 10 51 e2 fb ff ff 1a  -  5e f8 a0 e3 00 00 00 00 
00000090:0000009f   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25 
000000a0:000000af   00 00 00 00 00 00 00 00  -  00 00 00 00 80 03 04 20 
000000b0:000000bf   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c 
000000c0:000000cf   f8 3f 50 05 60 00 04 14  -  50 00 08 24 4c 00 09 25 
000000d0:000000df   00 00 00 00 00 00 00 00  -  00 00 00 00 80 03 00 10 
000000e0:000000ef   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c 
000000f0:000000ff   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25 

===========================================
=   1. Next Memory Address View![Any Key] =
=   2. New Address Input![N]              =
=   3. Exit [Q]                           =
===========================================

Well, cool - we can see the memory in hexadecimal format. That page doesn’t actually mean anything to me yet, but there’s got to be good stuff in there if we look through everything! At last, a clear direction - time to start hackin’, baby! That’s what real hackers say, right?

Here’s a script using pexpect to start the serial communication and interact with the BIOS menu to record everything to a file, memory_dump.txt.

Assuming you’ve got a Python 3 virtualenv env with pexpect installed, and the script is dump_memory.py, you’d invoke it as sudo env/bin/python dump_memory.py. Once the script is started, you would Reset the switch.

import pexpect
import time


# Start communicating with the switch
child = pexpect.spawn('screen /dev/ttyUSB0 57600')
# Tell pexpect to record one side of the conversation -
# everything the switch sends to the laptop - to a file
child.logfile_read = open('memory_dump.txt', 'wb')

# This means to ignore everything the switch sends to us,
# UNTIL we get the '> ' - the BIOS command prompt.
child.expect('> ')
time.sleep(0.1)
# Start the memory dump at address 0
child.send('dump 0\r\n')

# Keep sending Space every time it's done printing
# a block of memory
while True:
    child.expect('Next Memory Address View')
    time.sleep(0.1)
    child.send(' ')

I run it for a while - maybe an hourish? At some point, I notice that it only seems to be reading f8 3f 50 05 over and over and over again. This pattern seems to start at the 20 megabyte boundary (0140 0000 hex). There are a few other bytes thrown in, but this seems boring, so I stop the process.

I don’t want to deal with this as hex, I want to make it a binary file so that I can unzip it if it’s zipped, search for strings, and so on. So I write another small python3 script, to separate the lines with hex data from the lines with BIOS(0), the instructions, and so on, and then convert the hex to the binary characters it represents:

out = open('memory_dump.bin', 'wb')

# Example lines this will deal with:
"""
000000e0:000000ef   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c
000000f0:000000ff   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25

===========================================
=   1. Next Memory Address View![Any Key] =
=   2. New Address Input![N]              =
=   3. Exit [Q]                           =
===========================================
00000100:0000010f   00 00 00 00 00 00 00 00  -  00 00 00 00 13 02 04 a0
00000110:0000011f   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c
"""
for line in open('memory_dump.txt', 'r'):
    # Exclude lines with only instructions & stuff.
    # There's also all kinds of control codes and junk
    # in there, but I ignored it and it didn't
    # seem to matter?
    if line and line[0] in '01234567890abcdef':
        line = line.strip()
        # The sections of the line are separated by double spaces.
        # We don't care about the address or the dash, just the
        # first and second sections of data.
        addr, first, dash, second = line.split('  ')
        out.write(bytes.fromhex(first))
        out.write(bytes.fromhex(second))

out.flush()
out.close()

So I’ve got a 20+ megabyte binary file - what is in there? I have seen people do pretty wild stuff to firmware images with a program called binwalk, so I install that and set it loose. Unfortunately, it misidentifies basically everything. Nope, that’s not a stuffit file, and that other thing isn’t 7zip. I don’t know. It doesn’t do it for me.

Presumably there must be a kernel in there, and possibly file data, but I don’t get as far as figuring that out, because strings turns out to be the only analysis tool I need. strings is a basic Unix tool that looks inside a binary file for parts that look like text. I spend a bit of time paging through the results, but eventually I get bored, and search for admin, the administrator username from the documentation. Boom!

admin
adminpass
guest
guest
0.0.0.0
0.0.0.0
public
private

There it is! Very likely the password!4

I had been expecting a normal Linux /etc/passwd or shadow file entry like admin:$1$YjOzcqrf$Zqx4sx5CQRuEIFCdOLAJV0:0:0:admin:... but no, it seems to be sitting there in plain text, no password cracking required! Sure enough:

L2 Managed Switch - GEPoEL2-SW12

Login: admin
Password: 

waters2# 

If you’re doing this on your system and the memory layout is identical, then you should just have to dump one block, starting at 0x011b0400. This switch has the concept of two independent configurations, one that’s used when rebooting and another that can be made active by a command. So that you can really screw up the temporary config, and when everything goes to hell, reboot the switch and everything should be peachy again. Anyway, I did see another copy of the user/pass data at 0x013b0400, two megabytes after the first copy, so maybe that’s how this double config thing works.

Anyhow! Yay! The switch is mine now! My naming scheme for computers is names of fictional musicians (e.g. Jake and Elwood Blues), plus fanciful stage names of real musicians (e.g. Tank Slagknuckle and Stellar Tellar).5 So, I’m pleased to introduce Mr. Fabulous:

Beauty shot of the switch installed in a network rack Wider shot of the network rack

Mr. Fabulous been doing strong work for a month or two now, and I’m very pleased. I set up a VLAN for some of my Internet of Shit devices, and the switch’s port mirroring capability made that very easy to debug. The switch’s extremely beefy-looking internal power supply has had zero trouble taking care of the four powered devices on my network - I’ve never noticed the switch get perceptibly warmer than ambient temperature.

relaxen und watschen der blinkenlichten

Given the one to two decade old network security of the switch’s web interface, I’ve placed that off in an inaccessible subnet, and I do all my admin through the serial console. Just because I’m too lazy and simpleminded to hack this thing over the network, that doesn’t mean everyone is.

Thanks for reading!

  1. Why is Screen a serial communication console as well as a window manager and a bad process supervisor? IDK, I slightly resent Screen. Give me Tilix any day! Except the day I need to talk to a crusty ol’ serial console. Humph. 

  2. Re: data transmission, check these videos out if you want to be fascinated, or this paper if you want to be both fascinated and bored! 

  3. According to an article from hackaday,

    There is no uniform way that ARM processors are booted and there’s no uniform or even standardized boot software for ARM-based chips.

  4. It’s not the real one, since I told you too much about the institution the box came from. The real password had an air of sadness though. 

  5. I made an exception for this switch’s predecessor. I thought that since it was a Power over Ethernet (PoE) switch, it should be called Edgar Allan. But I bet everyone with a PoE switch thinks the same thing :-/ 

Delights of a Minnesotan Gigabit Switch (part 2, good fans and bad hax)

My charming blue piece of history arrived with two problems:

  1. Its fans were noisy
  2. Its management interface was locked and I didn’t know the password

Good Fans

For problem 1, the solution was obvious: new fans. It needs two of these:

IMG_0617 fan-3f7b15.JPG

The OEM parts only seems to exist in odd places now, but the concept is universal and cheap: 5 Volt 40x40x10mm fans. PCs use 12 Volt versions, you have to be careful to get 5V. And match or go under the watts of the existing item. I bought Noctua NF-A4x10 5V fans, with 3-pin connections. This worked fine, except that the original fans’ power connectors appeared to be wired backwards from the new ones. WTF wat. I checked with a voltmeter and yeah.

fans-wired-backwards.jpg

The helpful Austrians at Noctua anticipated this kind of problem, and sent some solderless, insulation displacement connectors and plenty of adaptors and extension cables. This let me fix the wiring without destroying anything actually connected to the fan. The connectors, the transparent orange thingies flopping around below, work great, but only if you squash them COMPLETELY. My fingies, my hands, and even I’m ashamed to say my teeth, were not sufficient to close them and make a good connection - pliers are a must.

fan wiring screengrab.jpg

The fans are quiet! One reason they’re quiet is that they’re lower power than the old ones, but with only three Powered Devices attached, I’ve never noticed the switch get hotter than ambient.

A weird thing is that I’m 80% sure the fans blow in opposite directions. The one you can see well in the video is an exhaust fan, but I think the other one blows on the “lee side” of the PoE power supply, so that it isn’t becalmed.

Bad Hax

Anyway, that accomplished, it was time to attempt to gain control. The switch’s model number is Waters Network Systems GSM-2112-POE. Here is its manual. As it arrived, I did not even know its IP address - I tried pinging its factory default, but no dice.

To find what it thought of as its address, I connected to it with an ethernet cable and ran sudo tcpdump -i enp38s0f1 (the latter being the name of my wired ethernet device apparently). This worked, it considered itself 10.216.0.210. I set my laptop up as its neighbor, .209, added a route, and sure enough I could ping it now. Time to telnet!

Screenshot_2020-10-22 Microsoft Word - GSM2112_poe_manual doc - GSM2112_poe_manual pdf.png

That’s from their manual - it looks so easy! But the default admin/admin login was not in place. I dejectedly tried passwords like admin, nimda, root, toor, wizard, 12345, qwerty, asdf, zxcv, xyzzy, hunter2, and so on, but alas: nuthin.

I poked around for a telnet password brute-force program, and found Hydra plus a list of the 10k most common passwords. I set it going, but it turned out that the telnet service on the box was not actually reliable enough to brute force very well. Apart from actual failed logins, it would also just disconnect pretty often.

I had noticed that if you fail to login, it will eventually provide you help:

Please keep the serial number and contact the sales representative !

213-034101000022-1


L2 Managed Switch - GEPoEL2-SW12

Login: 

This implies that there’s some way to reset the password over the network, maybe over telnet or maybe with a magic packet of some kind, computed from the serial number? Without anything more specific to go on, I didn’t feel like investigating further. I did try actually contacting sales, but Waters Network Systems’ sales staff did not get back to me despite my polite and complimentary e-mail. All the phone numbers I tried from the web site were disconnected. I tried hard in google and found a current office for the company in a town called Hayfield: it does seem to exist still, but I was making progress on other fronts so I never did manage to get in touch.

Inside the case are two jumper switches, and on the outside is a Reset button. I thought maybe it would do a factory reset if you cross your eyes, remove one jumper, hold Reset for 22 seconds, and pray to Saint Dunstan (patron saint of locksmiths)? I tried every combination of the jumpers and the button I could think of, but no joy.

The switch runs its management web site on thttpd 2.0.4, which was released in 1998.

HTTP/1.1 200 OK
Server: thttpd/2.04 10aug98

And sure enough, it has a 1998-style security hole: a buffer overflow when parsing the If-Modified-Since header, discovered by DJB (who has the coolest domain name, cr.yp.to). Unfortunately, I was not able to find a pre-made exploit for this two decade old vulnerability. And in terms of actual development of exploits, I know just nothing at all. Smashing the Stack for Fun and Profit passed me right by…

But there could still be web app vulnerabilities! Command injection! Arbitrary file reads! That would also be right in style for 1-2 decade old software! Even before I logged in, some of the pages would load skeleton versions with no data. But I was having a heck of a time guessing more than a couple page names, and the manual frustratingly did not show the URL bar on the screen caps. One feeble exception:

pdfext-001.jpg

At this point, I ordered a USB -> db9 serial cable. I hoped that the console port on the back would give me more privileged access.

Screenshot_2020-10-23 Waters Network Systems GSM-2112-POE 12-port ProSwitch PoE Gigabit Switch eBay.jpg

Spoilers, YES it did! I recommend that you get excited for PART THREE in which I… PWN! THAT! SWITCH!

Delights of a Minnesotan Gigabit Switch (part 1, background)

My old Asus wireless router was done. Dropped connections, Drawfee constantly interrupted, the black box physically hot all the time. Hardware fault? Crypto miner? Unauthorized host of copyrighted videos and malware? Who could say? I felt the pain, but an excitement was also brewing: A chance to Do It Right, read, obsess, crawl on my belly like a reptile (under the house with Ethernet cable). Yes. r/HomeNetworking shot up the ranking on my new tab screen. (I poked my head briefly into r/homelab before deciding that honestly I do have limits). After a discernment process, I bought a lightly used UniFi ensemble, and the calm blue glow cheered my heart.

9CA461AC-F847-4378-B3FE-5E52CDE93AD2.jpeg

I made what I felt were elegant loopies going up to my patch panel.

network on wall.jpeg

But what is someone who buys the fanciest system and then… stops? The boring kind of nerd. They have no ambition, only purchasing power from a good job in IT related fields. I thirsted for something more. Something rack-mounted, yeah, and old. Something inscrutable. But something supplying power over Ethernet, because a separate PoE injector is inelegant. And not 100 megabit, hey, even our Comcast is faster than that.

Many fresh faces stared at me from eBay. But too fresh.

Screenshot_2020-10-21 BV-Tech 5 Port Gigabit PoE  Switch (4 PoE  1 Ethernet Uplink) – 65W – 802 3at 813076025507 eBay.png BVTech, gadish!

Screenshot_2020-10-21 Netgear Prosafe FS728TP 24 Port 10 100 POE Smart Switch w Rack Ears 801096835138 eBay.png Netgear, at least it’s metal

Screenshot_2020-10-21 TRENDnet 10-Port Gigabit PoE  Switch Web Smart 710931161106 eBay.png TRENDnet, entertaining that the status LEDs’ arrangement has no relationship at all to the row of ports

The Cisco Catalyst and HP ProCurve stirred me a little more. Screenshot_2020-10-21 Cisco Catalyst 3560 WS-C3560-48PS-S 48 Port 100Mb s Fast PoE Ethernet Switch eBay.png Screenshot_2020-10-21 HP ProCurve 2520-8 8 Port PoE 10 100 Rack Mountable Network Switch J9137A eBay.png

Gigabit is cheap, actually, in the used market, and so is PoE. But the combination is both expensive and bulky. I realized that almost all of the charming ones were a few inches too deep for the tiny network rack I’d bought from a German roboticist in a police station parking lot outside Indianapolis.

Frustrated and increasingly frantic, I returned to the very, very end of my eBay watch list, to a box that had caught my eye a week earlier. Waters Network Systems, you say? Who the heck is that?

Screenshot_2020-10-21 Switches from Waters Network Systems.png

A website ©2011, featuring case studies of jelly bean iMacs!

Screenshot_2020-10-21 Google Maps.png

A sheet metal office in a Minnesota town literally called Hayfield!

Screenshot_2020-10-21 Waters Network Systems GSM-2112-POE 12-port ProSwitch PoE Gigabit Switch eBay.png

A blue metal case with noisy fans, for $50 OBO. Pulled from a school in Boca Ratón but currently living in Brooklyn. Yes. This is the level of mystery I want in my life. Gigabit, PoE, AND it fit the rack with whole inches to spare. I bought it for $45 plus shipping, and it arrived strong and blue, four days later.

The fans had the shottest bearings I ever did hear.

And the management interface was still password protected. The Reset button wasn’t that kind of reset button. Por favor, get excited to hear how I beat down these obstacles! You can now read part two, in which I fix the fans and don’t quite own the switch, and part three in which I break in!