Useful Resources

Reference material or other items like datasheets, articles, or whitepapers. Useful for consideration in projects or general technical reference.

If you have an Amazon device, like Alexa, Ring, etc., you soon will be sharing your internet connection publicly (at least a small portion of it). Amazon is quietly opting device owners in to a new public network called Sidewalk. This new feature will be turned on by default. You can turn it off fairly easily by performing the following steps:

Should you choose to opt-out of Amazon Sidewalk, here’s how:

Open the Alexa app on your iPhone or Android
Tap More
Tap Settings
Tap Account Settings
Tap Amazon Sidewalk
Toggle the switch to Off to disable your participation

You can always change your mind later and join back in.

Abstract

You may be one of those people (like me) who prefers web content rendered in dark mode.  Often the preference for the choice is due to less eye strain and glare.  Light text on dark background is much easier on the eyes.  There’s also another thing to consider: for those who use AMOLED screens, darker pixels means using less energy for displays.  My preference is for the first reason – it’s a lot easier on my eyes when I spend hours in front of a computer as both a staple in my profession and for my hobby – that’s a LOT of screen time! (and assault on my eyes).

Solution

Fortunately, the solution is a simple one (if you’re a Chrome user).  You can enter this string in the URL field: chrome://flags/#enable-force-dark and choose Enable.  The result is pretty darned sweet!

ABSTRACT

We have an electronic Z-Wave lock on our back door. This lock works great with our Domoticz home automation system over the Z-Wave interface. The lock allows each user to have their own code, but an epic fail is that you have to take the lock apart to create/change/delete codes. I hate the way codes are managed on this lock and the task is quite onerous. There HAS to be a better way! My needs require:

  • family members need to be able to unlock the door
  • access must be allowed for hired house help (babysitters, contractors)
  • some kind of physical token (other than a key) must be easy to create and distribute, and easy to revoke/change if lost
  • the solution has to operate reliably with our existing home automation infrastructure

Of course, ESP8266 and MFRC522 to the rescue!

SOLUTION

First, the shopping list (bring your own 5 volt power source):

You can build just about ANYTHING with the ESP8266 so long as you have a problem to solve, and if you couple imagination to the problem, you can do magic! That’s just what I did here. I had an RFID chip reader antenna module (MFRC522) and proceeded to see how others had implemented an RFID badge reader. I found one project that implemented a basic reader with a relay switch to activate a solenoid. Since I don’t have a solenoid on my lock, I had to make modifications to the code from Luis’ project:

  • use MQTT to signal to Domoticz to unlock the door over my own MQTT broker like the rest of my sensors
  • log when invalid tags are scanned
  • enter a unique client and topic name to uniquely identify the reader on the system

Here’s my fork of Luis’ code, which adds improvements that include server-side MQTT support and an example for Domoticz home automation. To connect the reader to the door lock, I had to get the Domoticz IDX address of the lock and build a statement into the code that would be sent when the database returned a match. The statement looks like this, where the idx value (123 here) is the IDX of the locking device:

echo shell_exec("mosquitto_pub -h $pubHost -u $pubUser -P $pubPass -t $topic -m '{\"command\":\"switchlight\",\"idx\":123,\"switchcmd\":\"Off\"}'");  // 123 = Domoticz IDX of the lock

The project workflow is as follows:

  • User scans their tag
  • The ESP8266 calls out over WiFi to a local server to check a database of RFID tags using an HTTP POST
  • fobcheck.php script receives the POST value containing the tag ID and checks the database
  • If the database returns a match, fobcheck.php runs a shell command to the server-side MQTT client to instruct the door to unlock

The completed reader is simply powered from a 5V power source outside and placed in a convenient location near the door. Here’s what I used to build the reader in a weatherproof case:

The fobs can be attached to any keychain for easy use and are relatively cheap, so if they are lost or stolen they can be easily deactivated.

To manage users, I use a database back end where each tag has a record which contains the assigned user, tag ID, and enablement value (1 for active, 0 for inactive):

To allow the ESP8266 to read the database, I wrote a PHP connector script. It connects to the database when the ESP8266 sends an HTTP POST request:
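A worked version of the connector script, added here as an example; it is not the author's fobcheck.php, which is not reproduced on this page. It assumes a MySQL table tags(user, tag_id, enabled) matching the record layout described above, a POST field named tag, and placeholder database and MQTT credentials. It covers the whole workflow listed above (POST in, database lookup, invalid-tag logging, MQTT unlock), and unlike the one-line statement it builds the mosquitto_pub call with escapeshellarg() and queries the database with a prepared statement.

```php
<?php
// fobcheck.php (added example, not the author's script). The ESP8266 POSTs the tag
// UID; a record with enabled=1 publishes the Domoticz switch command over MQTT.
// Assumed table: tags(user, tag_id, enabled). All credentials below are placeholders.
$dsn     = 'mysql:host=127.0.0.1;dbname=access;charset=utf8mb4';
$dbUser  = 'fobcheck';
$dbPass  = 'db-password-placeholder';
$pubHost = '10.0.1.20';          // MQTT broker (placeholder address)
$pubUser = 'mqtt-user';
$pubPass = 'mqtt-password-placeholder';
$topic   = 'domoticz/in';
$lockIdx = 123;                  // Domoticz IDX of the lock; "Off" unlocks this device

function publishUnlock(string $host, string $user, string $pass, string $topic, int $idx): void
{
    $payload = json_encode(['command' => 'switchlight', 'idx' => $idx, 'switchcmd' => 'Off']);
    // escapeshellarg() makes each value a single shell word, so nothing coming from
    // the request or the config can add extra commands to the mosquitto_pub call.
    $cmd = sprintf('mosquitto_pub -h %s -u %s -P %s -t %s -m %s',
        escapeshellarg($host), escapeshellarg($user), escapeshellarg($pass),
        escapeshellarg($topic), escapeshellarg($payload));
    shell_exec($cmd);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['tag'])) {
    http_response_code(400);
    exit("bad request\n");
}

// MFRC522 UIDs are hex bytes; reject anything else before it reaches the DB or a log line.
$tag = strtoupper(trim($_POST['tag']));
if (!preg_match('/^[0-9A-F]{8,20}$/', $tag)) {
    http_response_code(400);
    exit("bad tag\n");
}

$db   = new PDO($dsn, $dbUser, $dbPass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare('SELECT user FROM tags WHERE tag_id = ? AND enabled = 1');
$stmt->execute([$tag]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // Unknown or disabled fob: log it (the "log invalid tags" requirement) and deny.
    error_log(sprintf('fobcheck: DENY tag=%s from=%s', $tag, $_SERVER['REMOTE_ADDR']));
    http_response_code(403);
    exit("DENY\n");
}

error_log(sprintf('fobcheck: UNLOCK user=%s tag=%s', $row['user'], $tag));
publishUnlock($pubHost, $pubUser, $pubPass, $topic, $lockIdx);
echo "OK\n";
```

The broker password still shows up in the process list for the duration of the mosquitto_pub call, so run this on a host where only the web server user can see that, and keep the script reachable only from the automation VLAN.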

BACKGROUND

There are a number of products out there which use different methods for filtering content. Because my home network is very customized, many of the consumer products out there don’t offer the flexibility I need as a parent without “dumbifying” my network. I have invested a great deal of time and some money in setting up and using second-hand enterprise network gear from Cisco and Ubiquiti, and I did not want to sacrifice all that. My requirements for a solution were:

  • had to be impossible to circumvent
  • had to be effective at blocking undesirable traffic, yet be flexible enough for “adult” needs
  • had to fit my network topology and environment
  • had to be secure
  • had to be easy to manage

THE SOLUTION

Because my network is built using mostly Cisco enterprise gear (router and switches), I had a lot of flexibility. I created something I like to call “Jailed DNS”. Jailed DNS is where you prevent local network devices from using any DNS resolver outside the network. For those who don’t know what DNS is, I will refer you to this resource, which gives a basic understanding of what DNS is and how it is used as part of the fundamental internet machinery. In my implementation here, the intent was to provide a local DNS server on my network that would be responsible for all internet lookups. Here is a basic diagram of my home network. You will see that the network is broken up into several zones (known as vlans). These vlans operate as discrete internal networks that have their own subnets and host groupings. There are many advantages to partitioning a network in this way:

  • Limit broadcast traffic within a physical switch
  • Apply different network policies to different groups of devices
  • Isolate sensitive devices from the rest of the network (control & automation)

In this example, you can see restricted and unrestricted areas of the network. When devices on the unrestricted network talk to the local DNS server (the DNS Jail), their query is forwarded to a public DNS server like 1.1.1.1. That server does not discriminate between queries and will refer devices to whatever resources they request. Devices in the restricted areas of the network also query the local DNS Jail, but the DNS Jail knows to forward their lookups to OpenDNS instead. OpenDNS is configured to block a few things:

  • Undesired content categories (i.e. porn, BitTorrent, etc.)
  • Security scam related sites (phishing, scam, hacking, etc.)
  • Blacklisted domains (i.e. YouTube, Roblox, etc.)
  • Anything else I would rather my kids or guests not visit

For a DNS Jail to work, you must be able to prevent local devices from using external DNS servers. I achieved this in my Cisco router’s IOS configuration by adding the following to my internet ACL (Access Control List):

This setting does two things: 1) it prevents DNS requests from leaving the network for the internet, and 2) it allows only the DNS Jail server (10.0.1.10 in this case) to send queries outside the network (DNS recursion and forwarding). This is one of the most important steps. Many routers have settings to do this; consult your router’s docs.
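An IOS ACL that does both of those things, added here as an illustration; the author's actual ACL is a screenshot that is not reproduced on this page. It assumes the DNS Jail at 10.0.1.10 from the post, VLAN 20 (10.0.20.0/24) as one restricted subnet, and 802.1Q subinterfaces on the router's LAN port.

```cisco
! Added example (not the author's config). DNS Jail = 10.0.1.10
ip access-list extended LAN-DNS-JAIL
 remark 1) every host may query the DNS Jail itself
 permit udp any host 10.0.1.10 eq domain
 permit tcp any host 10.0.1.10 eq domain
 remark 2) only the DNS Jail may talk DNS (or DNS over TLS) to anything else
 permit udp host 10.0.1.10 any eq domain
 permit tcp host 10.0.1.10 any eq domain
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 deny   tcp any any eq 853 log
 remark everything else is unchanged
 permit ip any any
!
! Apply it inbound on every LAN subinterface, where the private source address is
! still visible. An outbound ACL on the WAN interface is evaluated after NAT, so a
! "host 10.0.1.10" line placed there would never match and the jail would be locked
! out along with everyone else.
interface GigabitEthernet0/1.20
 description Kids network (restricted VLAN 20)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group LAN-DNS-JAIL in
!
! Once live, the "log" lines show which devices are still trying to go around the jail:
! show access-lists LAN-DNS-JAIL
```

This only covers classic port-53 DNS and DNS over TLS (853); DNS over HTTPS shares port 443 with ordinary web traffic and has to be disabled through browser or OS policy on the managed devices instead.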

Once this was completed, I had to create two “views” on the DNS Jail server. The views define how the server responds based on the source subnet of the requesting device. This is how the DNS Jail is able to decide whether to forward requests to 1.1.1.1 or to OpenDNS for content restriction. Here you can see how I configured my DNS Jail, which is a copy of BIND9 (DNS server) running on my network. You can see all the subnets of the “Area51” view, which are for unrestricted devices, and the “Majic12” view, which contains the restricted subnets. Oh! And look at that magic statement in there: forwarders {}, where I declare the IP addresses of the OpenDNS servers that will receive forwarded requests and do the content filtering magic.
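The two views written out in named.conf form, added as an example; this is not the author's configuration (which is only shown as an image) and the subnet lists are assumed. The forwarder addresses are the public OpenDNS and Cloudflare resolvers.

```conf
// /etc/bind/named.conf.local on the DNS Jail (10.0.1.10). Added example, not the
// author's file. Assumed subnets: 10.0.1.0/24 management and 10.0.10.0/24 home
// office are unrestricted; 10.0.20.0/24 kids and 10.0.40.0/24 guest are restricted.
acl "area51-nets"  { localhost; 10.0.1.0/24; 10.0.10.0/24; };
acl "majic12-nets" { 10.0.20.0/24; 10.0.40.0/24; };

// Views are tried in order and the first match-clients hit wins, so the restricted
// view goes first: a subnet that ends up in both lists is then filtered, not open.
view "Majic12" {
    match-clients { majic12-nets; };
    recursion yes;
    // "forward only" fails closed: if OpenDNS is unreachable, names do not resolve.
    // "forward first" would quietly fall back to unfiltered recursion from the root.
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };   // OpenDNS
    include "/etc/bind/named.conf.default-zones";
};

view "Area51" {
    match-clients { area51-nets; };
    recursion yes;
    forward only;
    forwarders { 1.1.1.1; 1.0.0.1; };                 // Cloudflare, unfiltered
    include "/etc/bind/named.conf.default-zones";
};

// Anything that is in neither list (a stray query from the internet side) is refused.
view "nobody" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

Once any view exists, BIND refuses to start with zones defined outside views, so the top-level include of named.conf.default-zones in /etc/bind/named.conf has to be commented out; run named-checkconf before restarting the service.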

Once this is all done, I start up BIND on my network and it starts processing DNS requests for my networks immediately. If we try to go to a “bad” destination from a restricted endpoint, we will see the page denying the request! If we are on the unrestricted part of the network, we are allowed through! YAY! Of course no filtering solution is perfect, but if there is a false positive, the denial page gives the user the opportunity to have the page unblocked with the network owner’s approval.

If we head on over to OpenDNS, you’ll see a nice dashboard which also lets you set up many content filtering categories and websites. The dashboard also has tools for you to review settings and the most visited and blocked traffic. It’s FREE and it’s pure magic! This parental control solution is quite effective and can be set up with a small investment of time. Over the long run of usage, it will pay you back by making it easy to manage internet content for your family or small business.

BACKGROUND

Most people don’t have this problem on a home or small office network. Being a Cisco fan (Cisco networking), I eat my own dog food when it comes to networking at my house. We live in a two story Victorian home, circa 1886, and with all its charm it has 21st century smarts. When we moved into our home, one of my first projects was to put in an “enterprise” type of network, using all Cisco network equipment. This meant, amongst other things, installing wired ethernet drops in every room. Each room has a CAT5 drop for phones, security cameras, and access points. Each room has a Cisco 7960 VoIP phone/intercom, and we enjoy having room to room intercom, whole house paging, and a land line (for free) using Google Voice for PSTN termination. Sure, WiFi is great, but it is best used for laptops and mobile devices. Non-mobile devices like phones, cameras, DVR, and multimedia (TVs, set top boxes, etc.) are all ethernet connected for maximum reliability and performance. As you can imagine, fishing wired network drops through old horsehair plaster and lath walls is NOT a fun undertaking! The older construction of our home and the options for installing jacks in older 20th century construction require a great deal of patience and finesse to ensure a good outcome. That all being said, I was determined to complete this project.

When I ran all the cables to a central point in a closet upstairs, which became the server/controls closet, I set up my core switch (a Catalyst 3750 stacked with a 12 port Cisco SFP gigabit switch) and router (a Cisco 3825). I provisioned different vlans for differing uses:

  • Kids network
  • Multimedia
  • Home Lab
  • Automation & Control
  • Home Office
  • Guest Network
  • Network Management
  • Voice

Each vlan was established with its own 10.x.x.x/24 subnet; building the network in this way allowed me to ensure separation of traffic and to use ACLs to provide additional security by application. With great flexibility in how I could build this came a level of complexity not seen in most home networking, but it also allowed for some really cool features. I had to be sure to build a backup and recovery scheme that could back up all the route, ACL, DHCP pool, NAT, VLAN, and interface configuration! What if I lost a switch, or made a mistake and needed to recover? Given the cost of Cisco equipment, I wasn’t buying my gear new, but rather used from eBay for pennies on the dollar. I had to be prepared in case a switch let go.

THE SOLUTION

I had a few Raspberry Pi boards lying around and decided to cook up a quick and cheap solution, killing two birds with one stone. I had planned to use the Pi to build a GPS time source (for accurate stratum 0 NTP time on my network). I set up a folder on the Pi and a TFTP server, as well as a cron job that runs a bash/expect script to log in to each Cisco device and TFTP its configuration to the folder on the Pi every week. The script creates time-stamped backup configs for each switch should I ever need to restore. In addition, each network switch is set to be an NTP peer with the GPS clock on the Pi – BONUS!

An example of the expect script: 
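An expect script of the kind described, added here as an example; it is not the author's script, which is only shown as a screenshot. It assumes SSH (not telnet) is enabled on the devices, that their host keys are already in known_hosts, that the Pi's TFTP server (placeholder address 10.0.9.5) serves /srv/tftp, and that the login, password and enable secret come from the cron job's environment rather than from the script file.

```expect
#!/usr/bin/expect -f
# Added example of the weekly config backup (not the author's script).
# Usage: CISCO_USER=backup CISCO_PASS=... [CISCO_ENABLE=...] backup-cisco.exp <host>
if {[llength $argv] != 1} { puts stderr "usage: backup-cisco.exp host"; exit 1 }
set host   [lindex $argv 0]
set user   $env(CISCO_USER)
set pass   $env(CISCO_PASS)
set enable [expr {[info exists env(CISCO_ENABLE)] ? $env(CISCO_ENABLE) : $pass}]
set tftp   10.0.9.5                                   ;# the Pi (placeholder)
set stamp  [clock format [clock seconds] -format %Y%m%d-%H%M]
set file   "$host-$stamp.cfg"                         ;# time-stamped per device
set timeout 30
log_user 0                                            ;# keep the session out of cron mail

# tftpd-hpa only overwrites existing files unless started with --create, so the
# target is pre-created. Saved configs hold type 7 passwords and SNMP communities,
# so permissions are tightened again as soon as the copy has finished.
exec touch /srv/tftp/$file
exec chmod 666 /srv/tftp/$file

spawn ssh -o StrictHostKeyChecking=yes $user@$host
expect {
    -re "(?i)password:" { send "$pass\r" }
    timeout { puts stderr "$host: no password prompt"; exit 1 }
}
# Land in privileged mode, escalating from user mode (">" prompt) when needed.
expect {
    -re "#\$" {}
    -re ">\$" {
        send "enable\r"
        expect -re "(?i)password:" { send "$enable\r" }
        expect -re "#\$"
    }
    timeout { puts stderr "$host: no prompt after login"; exit 1 }
}
send "terminal length 0\r"
expect -re "#\$"
send "copy running-config tftp://$tftp/$file\r"
# IOS confirms the remote host and the destination file name; accept both defaults.
expect -re "Address or name of remote host.*\\?" { send "\r" }
expect -re "Destination filename.*\\?" { send "\r" }
expect {
    -re "bytes copied" { puts "$host: saved /srv/tftp/$file" }
    -re "(?i)error|timed out" { puts stderr "$host: copy failed"; exit 1 }
    timeout { puts stderr "$host: copy timed out"; exit 1 }
}
expect -re "#\$"
send "exit\r"
expect eof
exec chmod 640 /srv/tftp/$file
```

The cron job simply loops this over the device list once a week; with log_user 0 the only output is one line per device, which is what you want from cron.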

Showing the TFTP folder with all the Cisco backups: 

This quick and dirty “get out of jail free” card has already saved my bacon at least once.  Restoring the config to a switch via TFTP is a well documented procedure that is in Cisco’s documentation.

BACKGROUND

Raspberry Pi computers… they are used for many DIY projects and are even used in production environments in various roles, from IoT (Internet of Things) to network servers of all kinds. They’re great for small industrial uses as well as IoT applications because they have a small power footprint and no moving parts, making them extremely robust. The Achilles heel, however, is the SD card used in them! There are many accounts of card corruption bringing down an RPi-based application.

Being a seasoned Linux user, I noticed one thing that may be to blame: growing logs and swap file usage in /var/swap and /var/log. SD cards have a limited number of write cycles, and when they’re used up the card will likely need to be binned and a new one written and swapped in. Most of the read/write activity happens in the /var directory, so I figure a better solution to this problem is to set up a USB drive (SSD or thumbdrive), format it as EXT4, and mount it permanently as /var in /etc/fstab. This article will explain how to do just that, and by doing so you will significantly prolong the life of your SD card! Read on:

SOLUTION

The first thing you will notice when you plug a USB drive into your Pi is that it will most likely be formatted as FAT (we want to change this).  You can see the details of your USB drive by running fdisk -l and viewing the output below:

As you can see, in my example the USB drive is 8GB and is already formatted as a “linux” filesystem, but in many cases you would see FAT or NTFS here. Our goal is to delete any partitions on the USB drive and create a new one that looks like this example. You can use any size drive you want; I recommend 8GB or larger – and larger is always better!

After you have created a single Linux partition on your USB device, you then want to write the changes to the USB and format it. In this example the drive is /dev/sda. We want to format the first partition, so that partition will be /dev/sda1, and we will issue the following command once we write the partition table and close fdisk:

mkfs.ext4 -L var /dev/sda1

NOTE: be SURE you know which device you are about to format!!! We assume your device will be /dev/sda, but it could be different, so check when you run fdisk -l. The format can take anywhere from a few minutes to a while depending on the size of your USB device, so be patient and wait until you are returned to a prompt. Once back at the prompt, you will have a formatted EXT4 partition on your USB device and you will be ready for the next step: copying your /var directory to the USB.

To copy the contents of /var to your USB, become root or use sudo and then mount the USB to a mountpoint. I suggest creating /mnt/usb and mounting to that to keep things simple. Execute:

sudo mount /dev/sda1 /mnt/usb

You will then be ready to move your /var contents to the USB.

To move your /var contents to the USB, execute:

mv /var/* /mnt/usb/.

NOTE: you may get an error on moving the swapfile; this is OK, do not worry about it. We then need to check /mnt/usb and verify that all our /var stuff is in there by running ls /mnt/usb; you should see the same directories and files in there as you did in /var. You are now ready to set up your USB device as the permanent home for the /var location. To do this, you need to modify /etc/fstab and add an entry to the file showing the USB device mounted as /var as follows (use your favorite text editor – carefully!):

Once you have the fstab file looking similar to this example, you can save the file and reboot your Raspberry Pi. When the Pi reboots, it will mount /var from the USB drive and no longer use the SD card for swap or for logs and log rotation. This will save a huge number of write cycles on your SD card! After you make this change you can also ensure swapping is turned off by running these commands:

sudo dphys-swapfile swapoff
sudo dphys-swapfile uninstall
sudo update-rc.d dphys-swapfile remove
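The same migration as a script with a few guard rails, added here as an example rather than the author's commands. It assumes the partition was created in fdisk and formatted with mkfs.ext4 -L var, as above, and it mounts by that LABEL instead of by /dev/sda1, because USB devices can enumerate in a different order after a reboot. It also refuses the disk that holds the root filesystem and copies with rsync instead of mv, so a failed run leaves the SD card untouched.

```shell
#!/bin/sh
# Added example (not the author's commands): move /var onto a USB partition.
# Run as root:  RUN_MIGRATION=1 ./var-to-usb.sh /dev/sda1
set -eu

MNT=/mnt/usb

# Strip the partition number: /dev/sda1 -> /dev/sda, /dev/mmcblk0p2 -> /dev/mmcblk
disk_of() {
    printf '%s\n' "${1%%[0-9]*}"
}

# Mount by LABEL rather than /dev/sdX; noatime drops the metadata write that every
# file read would otherwise cause, which is the whole point of the exercise.
fstab_entry() {
    printf 'LABEL=%s /var ext4 defaults,noatime 0 2\n' "$1"
}

# Accept only a /dev/sdXN partition, never the disk that holds /, never a mounted one.
check_device() {
    dev="$1"
    case "$dev" in
        /dev/sd[a-z][0-9]|/dev/sd[a-z][0-9][0-9]) ;;
        *) echo "refusing: $dev is not a /dev/sdXN partition" >&2; return 1 ;;
    esac
    root_src=$(findmnt -no SOURCE / 2>/dev/null || true)
    if [ -n "$root_src" ] && [ "$(disk_of "$root_src")" = "$(disk_of "$dev")" ]; then
        echo "refusing: $dev is on the same disk as the root filesystem" >&2
        return 1
    fi
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "refusing: $dev is already mounted" >&2
        return 1
    fi
    return 0
}

migrate_var() {
    dev="$1"
    check_device "$dev"
    [ "$(blkid -s LABEL -o value "$dev")" = "var" ] || {
        echo "refusing: $dev is not labelled 'var' (format it with mkfs.ext4 -L var)" >&2
        return 1
    }
    mkdir -p "$MNT"
    mount "$dev" "$MNT"
    # Copy instead of mv: the running system keeps a consistent /var until the reboot.
    # The swap file is skipped since dphys-swapfile is turned off afterwards anyway.
    rsync -aHAX --exclude=/swap /var/ "$MNT/"
    cp /etc/fstab /etc/fstab.bak
    fstab_entry var >> /etc/fstab
    umount "$MNT"
    echo "done: /var moves to $dev on the next reboot; then disable dphys-swapfile"
}

if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    migrate_var "${1:?usage: RUN_MIGRATION=1 $0 /dev/sdXN}"
fi
```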

I hope you find this info useful!

Because I am an active Ham Radio enthusiast, it is hard to pass up the chance to try new things that come out, especially new radios! My first experience with digital Ham Radio was D-Star, and while D-Star is great and a lot of fun, I *had* to try DMR eventually. Unlike D-Star, dual band DMR radios were hard to come by in the beginning, but a lot has changed since the DMR mode matured in the Ham Radio community. DMR has its roots in commercial land mobile communications, typically business, municipal, and public safety services. The system was initially developed by Motorola and released as TRBO (MOTOTRBO). TRBO allowed the interlinking (via IP networks) of various repeaters and radio systems in the commercial world. Each system was often referred to as a zone, and a zone consisted of one or more channels and/or talk groups.

Enter 2017, and DMR (compatible with TRBO) is now available by many 3rd party OEMs and even in dual band flavors!  My first DMR radio was the TYT MD-390 (A great radio!) but when I first purchased mine, I paid $179 for a UHF only version without GPS!  Definitely cheaper than your average D-Star radio (most D-Star radios average $350).  It is no wonder a lot of Hams flocked to DMR, you could get TWO DMR radios for the price of ONE D-Star radio!  That simple economic fact allowed DMR to explode and now DMR radios are everywhere, and significantly less expensive.

Recently, I purchased a pair of Radioddity GD-77 Dual Band DMR radios from a trusted vendor on Ebay for $169/pair shipped.  The radios are a bit thinner than the ubiquitous MD-390, and upon unboxing them, I soon realized they were decently made and came with the following items in each box (though I ordered a pair, each radio ships individually):

  • Radio
  • 2200 mAh battery
  • Programming Software (Windows)
  • Programming Cable (USB)
  • Belt Clip
  • Antenna
  • Manual
  • Drop-in charger
  • Power cord

Everything you need to operate is in the box!  You just need to install the software and figure out how to program the radio, which is not difficult if you are used to doing this sort of thing.  You basically create channels, then zones, add contacts, add channels to zones, and put your DMR ID in the proper field.  For advanced users, you can enable “expert mode” in the programming software by holding down CTRL ALT SHIFT + F11, and then entering this password: DMR961510.

STERN WARNING: It should be noted that the radio does ship with apparently random frequencies programmed by the factory, and these frequencies (if used) would put you in serious trouble!!! If you are a Ham, you are advised to program your radio with the proper frequencies before use. If you are not a licensed Ham, I recommend you use the radio on the MURS frequencies, or (dare I say it) on the FRS frequencies (the ones often used by the popular bubble pack radios frequently available in stores). DO NOT TRANSMIT ON THE RADIO UNTIL YOU PROGRAM IT TO PROPER FREQUENCIES, OR YOU COULD BE IN SERIOUS TROUBLE!!!!

The radio has a simple display (I actually like it more than the MD-390 display, as you can read it without the backlight, unlike the display on the MD-3X0). I had my radios programmed in 5 minutes and was on the air in no time, without reading the manual. Who needs a manual anyway? I have two uses for my GD-77 (I am buying 3 more handsets): 1) Ham Radio, 2) FRS/MURS for family communications (keeping tabs on my kids as they play in the neighborhood). In the latter use (kiddie comms), the great features of these radios are that:

  • They can use traditional FM mode – makes them compatible with other non-digital (analog) radios commonly available in stores.
  • TWO WAY TEXT MESSAGING! (across a talk group or 1-on-1) – digital mode only.
  • In digital mode, range is slightly increased and there is NO noise or static.
  • In digital mode, eavesdropping is largely eliminated since most MURS/FRS radios use analog FM – BONUS!
  • In digital mode, these radios can make use of optional encryption just by turning it on – eliminating any eavesdropping opportunity – just as private as a cellphone!
  • In digital mode, you can have one or several “Talk Groups” or privately message 1-to-1 – not possible with traditional FM radios.
  • These radios can enable “remote monitor” which lets you command another radio to start transmitting for a preset time interval so that you can listen to nearby sounds, or conversation that is happening near the far unit.  This is FANTASTIC for keeping tabs on your kids!  There’s no visible indication when you “open their mic” and listen in on what’s going on around them!  This allows parents to proactively check-in on their kids!
  • Programmable buttons for quick sending of alerts or activating functions.

Amazon has the GD-77 with prime shipping for $89/radio.  This is perfect if you are an experienced radio user and quite convenient.

PARENTS & SCHOOLS:  I am willing to offer parents a value added service:  you can buy the radios through me, and I can pre-program them to proper frequencies & with some “secure” channels if you wish to buy several as part of a group.  With this option, you can simply unbox and use them.  If interested in this offer, please call 617-651-1492 and ask for John & I’ll be happy to help.  This offer is available to non-commercial & family end users only.   For commercial users, please look up your nearest radio shop/dealer.

Sonoff: A Versatile WiFi Switch

I have been playing a lot with home automation technologies and the ESP82XX/Arduino platform as hardware interfaces to my ever expanding control system. Most of the stuff I’ve implemented has been Z-Wave, but though Z-Wave is an excellent technology, it is rather pricey to acquire. Since the ESP8266 and ESP8285 chips have started showing up in some finished electronics, it is now possible, more than ever, to reprogram these devices with your own custom firmware!

One such device is made by iTead Studio and is called Sonoff. Sonoff allows you to switch an AC load using your mobile device or PC from anywhere via their own cloud. In my home automation implementation, I want as little cloud involvement as possible – to minimize attack risk, and to keep other firms from data mining my habits at home. The only way to do that is to use technologies that allow local control and without cloud reliance. Unmodified, the Sonoff is an excellent device and generally available for $7 per unit. If you don’t mind sharing your usage data with iTead Studio or relying on their cloud infrastructure to operate your device, then there’s no need to modify it – just use it as prescribed.

For those who want total control and privacy, you can easily use 3rd party firmware or write your own! In my case, I wrote my own firmware which enables a simple HTTP interface which can be called by my Domoticz controller or manually. Since I have a VPN connection to my home on a DDNS hostname, I can easily and securely operate any devices from anywhere in the world with no need for an outside 3rd party, right from my mobile. To flash a custom firmware, you will need a few things:

  • Sparkfun FTDI Basic 3.3v USB to Serial interface
  • 5 pin header (to solder into the Sonoff unit)
  • Arduino IDE software – to program the ESP8285 chip in the Sonoff
  • Screwdriver
  • Soldering Iron
  • Custom Firmware of your choosing or your own
  • Male to Female Dupont wires to wire the FTDI breakout to the header you’ll install (see diagrams)

*** WARNING *** WARNING *** WARNING ***

This project/information deals with MAINS CONNECTED equipment! You should NOT attempt to undertake anything described herein unless you are familiar with and confident in working with electricity and electrical safety! Risk of DEATH, FIRE, ELECTRIC SHOCK, and PROPERTY DAMAGE can result if you attempt anything described here without being familiar with the concepts and safety herein. I will not be liable for your use of any of this information should you or someone else be killed or injured. I implore you to seek qualified and experienced help if you are unfamiliar with or unsure of anything described here. PLEASE BE SAFE!

Let’s Get Started!

First, you will CAREFULLY disassemble your Sonoff unit and remove the circuit board inside. You will notice an unpopulated header where you will solder your 5 pin header. This is the programming interface.

Once you have soldered on the 5 pin header, you will connect your FTDI serial breakout to your Sonoff:

Once connected, you will load your firmware into the IDE and choose the “Generic ESP8285” board and 1M flash size as shown:

To flash: (NOTE: there is NO WAY to go back to stock firmware!  this is a final operation!!!)

  1. Remove 3.3v lead
  2. Hold down button & reconnect 3.3v lead (at the same time)
  3. Release the button
  4. Flash your firmware

That’s it!  Reassemble your Sonoff switch and your Sonoff should be ready to use!

Here’s my firmware.  You are free to use/modify it.   In my application I wanted the IP hardcoded, but you can easily change this to be DHCP.  I’m currently (at the time of this writing) trying to figure out how to serve the HTTP interface from SPIFFS but not quite there yet so for now, it is hardcoded and functional.

Here’s how mine looks:

Very simple! You’ll notice that in my code, the switch responds to the URLs /on and /off, which makes it stupid simple to integrate with controllers like Domoticz, Wink, SmartThings, etc.:
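A sketch of the same shape, added here as an example; it is not the author's firmware (which is linked, not shown, above). It is C++ for the Arduino ESP8266 core, targets the “Generic ESP8285 Module” board, hardcodes a placeholder static IP as the author did, and answers the same /on and /off URLs, but adds one thing the original does not: a shared token in the query string, so that a request from any other host on the LAN cannot toggle the relay.

```arduino
// Added example sketch for a Sonoff basic (ESP8285); not the author's firmware.
// Placeholders: WiFi credentials, the static IP, and the shared token.
#include <ESP8266WiFi.h>
#include <ESP8266WebServer.h>

const char* WIFI_SSID = "your-ssid";        // placeholder
const char* WIFI_PASS = "your-password";    // placeholder
const char* API_TOKEN = "change-me";        // placeholder; controller calls /on?token=...

const int RELAY_PIN  = 12;  // Sonoff basic: GPIO12 drives the relay
const int LED_PIN    = 13;  // on-board LED, active low
const int BUTTON_PIN = 0;   // GPIO0 front button (the same one held down to flash)

IPAddress ip(10, 0, 30, 50), gw(10, 0, 30, 1), mask(255, 255, 255, 0);  // placeholder
ESP8266WebServer server(80);

// Only requests carrying the shared token may switch the load.
bool authorized() {
  return server.hasArg("token") && server.arg("token") == API_TOKEN;
}

void setRelay(bool on) {
  digitalWrite(RELAY_PIN, on ? HIGH : LOW);
  digitalWrite(LED_PIN, on ? LOW : HIGH);
}

void handleSwitch(bool on) {
  if (!authorized()) {
    server.send(403, "text/plain", "forbidden");
    return;
  }
  setRelay(on);
  server.send(200, "text/plain", on ? "ON" : "OFF");
}

void handleStatus() {
  server.send(200, "text/plain", digitalRead(RELAY_PIN) == HIGH ? "ON" : "OFF");
}

void setup() {
  pinMode(RELAY_PIN, OUTPUT);
  pinMode(LED_PIN, OUTPUT);
  pinMode(BUTTON_PIN, INPUT_PULLUP);
  setRelay(false);                 // power up with the load off

  WiFi.mode(WIFI_STA);
  WiFi.config(ip, gw, mask);       // hardcoded IP, as in the original; drop for DHCP
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(250);

  server.on("/on",     []() { handleSwitch(true); });
  server.on("/off",    []() { handleSwitch(false); });
  server.on("/status", handleStatus);
  server.onNotFound([]() { server.send(404, "text/plain", "not found"); });
  server.begin();
}

void loop() {
  server.handleClient();
  // Local override: the front button toggles the relay even when WiFi is down.
  static int lastButton = HIGH;
  int button = digitalRead(BUTTON_PIN);
  if (lastButton == HIGH && button == LOW) {
    setRelay(digitalRead(RELAY_PIN) == LOW);
    delay(200);                    // crude debounce
  }
  lastButton = button;
}
```

The token travels in clear HTTP, so this only helps on a segregated automation VLAN of the kind described in the DNS post above; from Domoticz the switch action URL is simply http://10.0.30.50/on?token=change-me.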

Once you configure this in your controller, you can then operate it as any other part of your system, and even with Amazon Echo (Alexa)!

Simple Download Manager for Linux/Mac

If you’re like me and you travel often, you know all too well how badly hotel WiFi sucks. Any attempt to download a large file is often met with frustration when the signal drops and you have to restart your download all over again. Fortunately, there is a simple and blissful answer to this. Enter the persistent wget download script:

As you can see here, only a minimum of code is needed to ensure you get that large file, no matter how many times your hotel connection craps out. Simply create a password file (if downloading from an SSL site) and supply any needed user/password credentials. This allows you to simply paste in a link and then walk away while the script does its magic.

Dependencies:

You need to install wget on your Linux or Mac machine. Once you have that package installed, this script will work just fine.
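A persistent wget wrapper of the kind the post describes, added here as an example; it is not the author's download-mgr script, which is only shown as a screenshot. Instead of a password file passed on the command line it reads credentials from ~/.netrc (mode 600), so they never appear in the shell history or in ps output, and it stops retrying when the server itself rejects the file rather than looping forever on a 404.

```shell
#!/bin/sh
# Added example of a resume-forever wget loop (not the author's script).
# Usage: ./dl.sh URL [directory]
# Credentials, if needed, go in ~/.netrc (chmod 600):
#   machine nas.example.net login me password secret
set -u

# The options that do the work:
#   -c                   resume a partially downloaded file instead of starting over
#   --tries=0            retry forever (the default gives up after 20 tries)
#   --retry-connrefused  a refused connection is a retry, not a fatal error
#   --waitretry=10       back off up to 10 s between retries
#   --timeout=30         do not hang forever on a half-dead hotel link
#   --netrc              read credentials from ~/.netrc
wget_opts() {
    printf '%s' "-c --tries=0 --retry-connrefused --waitretry=10 --timeout=30 --netrc --progress=dot:giga"
}

# Accept only http(s)/ftp so a stray argument is never handed to wget.
valid_url() {
    case "$1" in
        http://*|https://*|ftp://*) return 0 ;;
        *) return 1 ;;
    esac
}

# wget still exits on some failures even with --tries=0 (DNS hiccup, TLS reset),
# so wrap it in a loop that resumes the same file until it completes. Exit code 8
# means the server answered with an error (404, 403): retrying will not help.
download() {
    url="$1"; dir="${2:-.}"
    valid_url "$url" || { echo "not an http/https/ftp URL: $url" >&2; return 2; }
    attempt=0
    until wget $(wget_opts) -P "$dir" "$url"; do
        rc=$?
        [ "$rc" -eq 8 ] && { echo "server rejected the request, giving up" >&2; return "$rc"; }
        attempt=$((attempt + 1))
        echo "attempt $attempt failed (rc=$rc), resuming in 15 s" >&2
        sleep 15
    done
}

if [ $# -ge 1 ]; then
    download "$@"
fi
```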

In this example, I’m downloading a large movie file from my NAS at home while I’m overseas.  You can see how this works here:
