Hardware: multiple avm fritz!box routers, isdn telephones attached to these routers

  • normal internet connection: router can register sip numbers
    – the router gets a public ip on the wan side
  • mobile data connection: router fails to register most voip providers
    – mobile data modems/routers get a private ip (at least in my setup)
    – private ip means listening for incoming traffic is not possible
    – smartphone clients (e.g. bria) seem to be able to use push notifications to enable incoming calls (with optional codec g729 good voice quality and rather low data rates)
  • openvpn connection through mobile data to a server with public ip:
    – router can register sip numbers and outgoing calls work
    (until the firewall of the mobile provider gets active if voip by mobile data is forbidden)
    – incoming calls are still a problem; maybe the vpn tunnel responds too slowly.
  • reliable incoming calls by usb gsm modem with voice sim card attached to the router
    – fritzbox 7270v2 and higher offer voice connections by voice capable usb gsm data sticks

Openvpn tunnel server side (official howto):

  • apt-get install openvpn
  • enable ipv4 forwarding
  • set iptable rules (reference1, reference2)
    – nat routing from tunnel interface to wan interface
    – disable direct forwarding from wan to tunnel
    iptables -A FORWARD -s -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
    iptables -A FORWARD -j REJECT
  • create keys following this tutorial (and its openvpn sample config file) using easy-rsa
    (which is part of the debian openvpn package); no passwords except for ca signing key
    – inside easy-rsa directory, edit vars file and run
    source vars; ./clean-all; ./build-ca; ./build-key-server your_server_name;
    ./build-key-pass client_name1;
    (openssl rsa -in client_name1.key -des3 -out client_name11.3des.key for mobile clients)
    openvpn --genkey --secret keys/ta.key

Openvpn tunnel client side:

  • use freetz to modify the router firmware and add openvpn (plus dropbear server)
    (might be tricky with older routers with only 4MB flash; needs squashfs 128kb block size
    and many of the removal patches; be prepared to recover your router with rukerneltool)
  • detailed howto here; (64 bit linux needs sudo apt-get -y install libc6-dev-i386 lib32ncurses5-dev gcc-multilib lib32stdc++6);
  • to fetch the current stable version:
    svn co http://svn.freetz.org/branches/freetz-stable-2.0 freetz-2.0
  • make menuconfig; make
  • the freetz web interface allows to configure openvpn udp tunnel client
    – use certificates and tls auth (ta.key goes into “static key” field)
    – redirect client traffic
  • additional note: echo "clear_id 87" > /proc/tffs allows to remove the message
    unsupported changes (reference); freetz has an option to do this from web interface.

Receiving calls with usb data modem in voice mode (e.g. with huawei e1552; at command configuration): ippf forum thread

  • voice capability might have to be unlocked with dc_unlocker
    (tool shows status of usb modem (free) and is able to unlock voice (paid))
  • testing voice capability with huawei mobile partner software on windows might require editing of config\PluginsConfig.xml to enable (voice) call menu entry (reference)
  • huawei sticks with newer firmware (“hilink”) act as router and not as modem; this seems to block voice modem usage (reference)
  • alternative: raspberry pi with asterisk (RasPBX) with chan_dongle (openvpn tunnel described here)
  • to make the option gsm voice telephony appear on a fritzbox router, attach the usb data stick, open menu Internet / Mobile Connection, enter SIM PIN number (if set) and press apply; press refresh until the data stick is booked into a mobile network; then press again apply; if the data stick has (enabled) voice capability and is supported by the fritzbox router, then the menu entry gsm voice calls should appear
  • fritzbox routers with vendor branded firmware might disable gsm voice (which requires installation of generic avm firmware with rukerneltool)
  • if the firmware of the fritzbox router is modified by freetz the program minicom can be installed to display sms messages (reference)
    – ls -l /var/gsm/ displays which ttyUSBN (N=0,1,2…) is the data port (huawei e1552: USB0)
    – stty -F /dev/ttyUSB0 displays the baudrate setting of this port (which is accessed by umtsd; in my setup baudrate 9600 is used)
    – minicom -o -b 9600 -D /dev/ttyUSB0 allows to send at-commands (ctrl+a e enables local echo)
    – at+cmgl="all" displays all SMS stored on the SIM card
    – at+cmgr=4 displays SMS with index 4 (described in detail here)
    – the commands might fail and have to be repeated if umtsd gets active at the same time

Using firmware evb1_06x from fatcatlab.com; hardware is a beaglebone black (revision c) with evb cape.
(To access the firmware image from linux, unzip it and run fdisk -l evb1_06x.img, multiply the start position of partition 2 by 512 and run mount -o ro,offset=53477376 evb1_06x.img /your_mountpoint)
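The offset calculation described above, as an added example that is not part of the original post: it reads the fdisk -l listing and multiplies the start sector by the sector size. The function names part_offset and mount_partition and the sample partition table are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): derive the byte offset for
# mount -o offset=... from `fdisk -l` output instead of multiplying by hand.

# Constructed sample of `fdisk -l evb1_06x.img` output. Only the start sector
# of partition 2 (104448 = 53477376 / 512) follows from the post; all other
# numbers are made up for the example.
SAMPLE_FDISK='Disk evb1_06x.img: 1887 MB, 1887436800 bytes
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

        Device Boot      Start         End      Blocks   Id  System
evb1_06x.img1   *        2048      104447       51200    c  W95 FAT32 (LBA)
evb1_06x.img2          104448     3686399     1790976   83  Linux'

# part_offset N: read `fdisk -l` output on stdin and print the byte offset of
# partition N. Returns non-zero if partition N is not listed.
part_offset() {
    awk -v part="$1" '
        # "Units = sectors of 1 * 512 = 512 bytes": the sector size is the
        # second-to-last field (same position in the newer "Units:" format)
        /^Units/ { ssz = $(NF - 1) }
        # partition rows: the device name ends in the partition number
        $1 ~ ("[^0-9]" part "$") {
            start = ($2 == "*") ? $3 : $2   # skip the boot flag column
            if (ssz == 0) ssz = 512         # fall back to 512 byte sectors
            printf "%.0f\n", start * ssz
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# mount_partition IMAGE N MOUNTPOINT: read-only loop mount of partition N.
# Needs root; it is defined here but not called by the sample run below.
mount_partition() {
    off=$(fdisk -l "$1" | part_offset "$2") || return 1
    mount -o ro,loop,offset="$off" "$1" "$3"
}

# Sample run on the constructed listing: prints the offset of partition 2
printf '%s\n' "$SAMPLE_FDISK" | part_offset 2
```

On a real image the call would be mount_partition evb1_06x.img 2 /your_mountpoint, run as root.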

Console access: the ethernet port fetches an ip address by dhcp; telnet allows access as root without password
(Address fetched by dhcp is also shown on serial console of beaglebone; only accessible when evb cape is removed.)

To upload files to the beaglebone black with evb cape
python -m SimpleHTTPServer 8080 (cd to directory which has content to be downloaded)
wget http://your_server_ip:8080/filename
(builtin busybox unzip does not keep symlinks and executable attributes)

Toolchain used to build evb1_06x firmware:
uname -r displays 3.12.10-ti2013.12.01 and kernel_config is available in /proc/config.gz
which is TI SDK 7.0 (forked github repository of linux kernel here). The ti download page for sdk 7.0 is somehow hidden because the current sdk version is sdk 8.0 and later; the toolkit uses 32 bit binaries and here is listed which libraries (might) have to be installed on 64 bit ubuntu 14.04.

  • apt-get install libc6:i386 libx11-6:i386 libasound2:i386 libatk1.0-0:i386 libcairo2:i386 libcups2:i386 libdbus-glib-2.0-0:i386 libgconf-2-4:i386 libgdk-pixbuf2.0-0:i386 libgtk-3-0:i386 libice6:i386 libncurses5:i386 libsm6:i386 liborbit2:i386 libudev1:i386 libusb-0.1-4:i386 libstdc++6:i386 libxt6:i386 libxtst6:i386 libgnomeui-0:i386 libusb-1.0-0-dev:i386 libcanberra-gtk-module:i386 gtk2-engines-murrine:i386
  • uses linaro toolchain (gcc 4.7, 2013.03): download
    (copy contents into /usr/ except /usr/share/aclocal|gdb|locale)
  • create directories /opt/bbb/lib and /opt/bbb/usr/include and create symlinks
    inside /opt/bbb/lib for all files in /usr/arm-linux-gnueabihf/libc/lib/arm-linux-gnueabihf/:
    cd $d; for f in *; do cd /opt/bbb/lib; echo ln -s $d/$f; cd $d; done
    and inside /opt/bbb/usr/include for all files in /usr/arm-linux-gnueabihf/[libc/usr/include|]:
    cd $d; for f in *; do cd /opt/bbb/usr/include; echo ln -s $d/$f; cd $d; done
    cd $d; for f in *; do cd /opt/bbb/usr/include; ln -s $d/$f; cd $d; done
  • sdk source code: download
    (copy linux-3-12-10-ti2013.12.01 to /usr/src)
  • precompiled sdk binaries: download
    (contains tisdk-rootfs-image-am335x-evm.tar.gz with all binaries of the sdk root file system)
  • getting started guide: pdf document
  • handling PRU: overview

To test the kernel build environment, backup .config and copy kernel_config to .config, then run:
cd /usr/src/linux-3.12.10-ti2013.12.01
export ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-
make oldconfig
And to prepare external and/or internal module compilation run
make clean
make prepare
make zImage (this is required to create that part file Module.symvers which belongs to modules built into the kernel; else modules compile but fail to load with exec error)

For access point mode with rtl8192cu chipsets like edimax ew-7811un wireless usb adapter (ap.tar.zip) the driver from realtek has to be used (module 8192cu_ko; version patched for newer kernels on github). The Makefile has to be edited:
… (and after ifeq ($(CONFIG_PLATFORM_I386_PC), y) … endif):
KSRC := /usr/src/linux-3.12.10-ti2013.12.01
ARCH := arm
KVER:= 3.12.10
Then run
arm-linux-gnueabihf-strip --strip-debug 8192cu.ko
Copy the module to /lib/modules/3.12.10-ti2013.12.01/extra/ and run depmod -a

UNUSED and kept for reference: The module coming with the linux kernel source does not allow access point mode (error: ioctl[SIOCSIWMODE]: Operation not supported):
make menuconfig to select the ew-7811un kernel module (micro wifi usb dongle)
Device Drivers > Network device support > Wireless LAN > Realtek rtlwifi family of devices
<M>   Realtek RTL8192CU/RTL8188CU USB Wireless Network Adapter
and run make modules (rtl8192cu_ko):
Copy modules to /lib/modules/3.12.10-ti2013.12.01/extra/ and copy rtl8192cufw.bin to /lib/firmware/rtlwifi/
modprobe rtl8192cu; ifconfig -a
should show interface wlan0

Modified hostapd binary which works as access point with ew-7811un:
Go to realtek downloads (which is referenced here), select RTL8188CUS and download the linux driver.
This archive contains wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz (in wpa_supplicant_hostapd/ directory)
export CC=arm-linux-gnueabihf-gcc
export LDFLAGS="-L/opt/bbb/lib -L/opt/bbb/usr/lib"
export CFLAGS="-I/opt/bbb/usr/include -I/opt/bbb/usr/include/arm-linux-gnueabihf"
export PKG_CONFIG_PATH=/opt/bbb/usr/lib/pkgconfig
(the exported variables shown above are used for all compilations below!)
cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812/hostapd
make; make install DESTDIR=/opt/bbb

Compile dnsmasq-2.73 (dnsmasq):
export CC  as shown for hostapd and edit the Makefile to set prefix = /usr
edit src/config.h: uncomment HAVE_BROKEN_RTC and comment out HAVE_TFTP
make; make install DESTDIR=/opt/bbb

To install the access point on the beaglebone, download and extract ap.tar.zip (reference):
wget https://blog.spblinux.de/wp-content/uploads/2015/07/ap.tar.zip
unzip ap.tar.zip
tar -C / -xf ap.tar
and edit the wlan0 entry of /etc/network/interfaces:
iface wlan0 inet static
(or copy interfaces.ap to interfaces if file interfaces has not yet been edited)
Change of settings might require a reboot. The wlan driver kernel module 8192cu.ko is automatically loaded at boot time.

Editor nano (nano.tar.zip):
First compile libncurses-5.9 with
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --with-shared --enable-widec --enable-pc-files --with-ticlib
make; make install DESTDIR=/opt/bbb
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --with-shared --disable-widec --enable-pc-files --with-ticlib
make; make install DESTDIR=/opt/bbb
Then compile nano-2.4.2 with
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --enable-utf8
make; make install DESTDIR=/opt/bbb
Install on beaglebone by:
wget https://blog.spblinux.de/wp-content/uploads/2015/07/nano.tar.zip
unzip nano.tar.zip
tar -C / -xf nano.tar

Compile midnight commander (mc.tar.zip) approximately following this reference
(use mc -a in case of missing line drawing characters; might disappear by switching from telnet login to ssh login)
libz (zlib-1.2.8)
CHOST=arm-linux-gnueabihf ./configure --prefix=/usr
make; make install DESTDIR=/opt/bbb
libiconv (libiconv-1.14)
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc
make; make install DESTDIR=/opt/bbb
libgettext (gettext-0.19.4)
#bug: make fails if libiconv.la and libiconv.so* from /opt/bbb/usr/lib
# are not symlinked to /usr/lib (at least on a system without installed libiconv)
cd /usr/lib
ln -s /opt/bbb/usr/lib/libiconv.la
ln -s /opt/bbb/usr/lib/libiconv.so
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --enable-shared --disable-csharp --disable-java --disable-openmp --disable-c++ --disable-native-java --with-libiconv-prefix=/opt/
make; make install DESTDIR=/opt/bbb
[ -L /usr/lib/libiconv.la ] && rm /usr/lib/libiconv.la
[ -L /usr/lib/libiconv.so ] && rm /usr/lib/libiconv.so
libffi (libffi-3.2)
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc
make; make install DESTDIR=/opt/bbb
glib (glib-2.45.3)
echo "glib_cv_stack_grows=no" >config.cache
echo "glib_cv_uscore=no" >>config.cache
echo "ac_cv_func_posix_getpwuid_r=yes" >>config.cache
echo "ac_cv_func_posix_getgrgid_r=yes" >>config.cache
LIBFFI_CFLAGS="-I/opt/bbb/usr/lib/libffi-3.2.1/include" LIBFFI_LIBS="-L/opt/bbb/usr/lib -lffi" ./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc -C --with-libiconv=gnu
make; make install DESTDIR=/opt/bbb
slang (slang-2.1.4)
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc
make; make install DESTDIR=/opt/bbb
midnight commander (mc-4.8.14)
GLIB_CFLAGS="-I/opt/bbb/usr/lib/glib-2.0/include -I/opt/bbb/usr/include/glib-2.0" GLIB_LIBS="-L/opt/bbb/usr/lib -lglib-2.0" ./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --with-slang-includes=/opt/bbb/usr/include --with-slang-libs=/opt/bbb/usr/lib --with-libiconv-prefix=/opt/bbb/usr --with-libintl-prefix=/opt/bbb/usr
make; make install DESTDIR=/opt/bbb
[ -L /usr/lib/libiconv.la ] && rm /usr/lib/libiconv.la
[ -L /usr/lib/libiconv.so ] && rm /usr/lib/libiconv.so
On the beaglebone fetch mc.tar.zip with wget and extract it:
wget https://blog.spblinux.de/wp-content/uploads/2015/07/mc.tar.zip
unzip mc.tar.zip
tar -C / -xf mc.tar

ssh server dropbear (dropbear-2015.67)
./configure --host=arm-linux-gnueabihf --prefix=/usr --sysconfdir=/etc --with-zlib=/opt/bbb/usr/lib
make; make install DESTDIR=/opt/bbb
make scp; cp scp /opt/bbb/usr/bin
On the beaglebone (dropbear.tar.zip), first set a password for root user,
then fetch dropbear.tar.zip with wget and extract it:
wget https://blog.spblinux.de/wp-content/uploads/2015/07/dropbear.tar.zip
unzip dropbear.tar.zip
tar -C / -xf dropbear.tar
Now scp can be used to transfer files.
(The first login by ssh will take about a minute because dropbear creates a key in /etc/dropbear)

Hardware settings (pinmux), defined by device tree file am335x-boneblack.dtb in folder /boot:
Use dtc in /usr/src/linux-3.12.10-ti2013.12.01/scripts/dtc to convert the binary dtc file to am335x-boneblack.dts
dtc -I dtb -O dts am335x-boneblack.dtb  -o am335x-boneblack.dts
Here is an online Device-Tree Overlay Generator which helps to understand pinmux settings.
(The beaglebone black reference manual documents the expansion header pin names:
Expansion Header P8 Pinout, Expansion Header P9 Pinout, tables 12, 13 on pages 84, 86)

The current pinmux setting can be fetched from debugfs with
cat /sys/kernel/debug/pinctrl/44e10800.pinmux/pins |sed "s,(44e108, ," |sed "s,(44e109,1," |sed "s,.0) 000000,: ,"
Firmware evb1_06x runs with these settings: pins.txt (more info; compact list of bbb expansion header pinout)
(The sed commands replace the memory offset 44e10pqr by relative offset used by dts file entries
pinctrl-single,pins = <0xpqr 0x10>;)

  • motors A, B, C, D use ehrpwm2B, ehrpwm2A, ehrpwm1B, ehrpwm1A
  • sensors A, B, C, D use uart4, uart2, uart1, uart5
  • lcd uses spi1

Receive your own ads-b signals and display them on a map like flightradar24.com does.

Required hardware: tv-usb-receiver with rtl2832u chipset (like this offer with rafael r820t2 tuner); router tplink tl-mr3020; small portable charging device. – In this blog entry you find a photography of a similar setup.

Software: openwrt (14.07 barrier breaker) with librtlsdr and dump1090 (both available as openwrt packages).


  • Install openwrt on tl-mr3020 as described by openwrt wiki here.
  • Connect with telnet to and set a root password with passwd.
  • Change network settings to enable (preferably wired) internet access; (login as root with ssh and/or use the web interface); you might want to disable the dhcp server on interface “LAN”. – Configuration files are in /etc/config/.
    (In case you get locked out: power off; power on again; while led blinks quickly move the switch on the router; blinking gets faster and you are in safe mode with telnet login and default ip; run mount_root and repair settings with command uci)
  • Install packages (as described here and here): opkg update; opkg install librtlsdr; opkg install dump1090
    The router has only 4MB onboard flash storage; 640k is configured as writable overlay; librtlsdr (+dependencies) and dump1090 increased used overlay space from 216k to 364k.
  • run dump1090 without arguments to check if the tv-stick gets recognized

Configuration as wireless access point serving data only from (no internet access using this accesspoint):

  • Enable wifi in web interface (open accesspoint without password in my case)
  • define a new interface “WIFI” inside the web interface. Use the physical settings tab of interface “WIFI” and of interface “LAN” to ensure that only eth0 is bound to “LAN” and only wireless is bound to “WIFI”
  • use setting network / firewall, create a new zone wifi with input: accept, output: accept, forward: reject (no masquerading, no clamping); add interface “WIFI” to this zone; do not allow interzone forwarding:
    Clients of the access point are not allowed to get  internet access and they cannot access the lan zone.
  • Enable the dhcp server on interface “WIFI”, use advanced dhcp server settings to send empty dhcp options 3 and 6 by writing 3 instead of 3, into the first dhcp-options field and 6 into the second option-field. This tells the client that this access point does not offer a default gateway or a dns server: that is, no internet access through this access point (reference).
  • Connect your mobile phone to the access point using dhcp and enable internet access by mobile data.
    The mobile browser should have access to (openwrt config page) and to any internet page.

Display ads-b messages of airplanes in reach of your antenna:

  • simple terminal view: connect by ssh to the router and run
    dump1090 --interactive
  • browser view:
    first connect with ssh and run
    dump1090 --net --quiet &
    then open with your browser
    and use ssh to stop dump1090 with command killall dump1090
  • the cpu load on the router seen by command top is about 60%. So cpu power seems to be sufficient.

Refinement: move openwrt web interface to port 8088 and run dump1090 on port 80:

  • ssh into the router and run
    sed "s,:80',:8088',g" /etc/config/uhttpd
    if the output is correct run sed with option -i (=edit in place)
    sed -i "s,:80',:8088',g" /etc/config/uhttpd
  • to create a shell script called dump which starts dump1090 with options run (inside /root directory)
    echo '#!/bin/sh' >dump
    echo "#" >>dump
    echo "dump1090 --net --quiet --net-http-port 80 &" >>dump
    chmod +x dump
  • now dump1090 can be started after ssh login as root by running
    and the webpage produced by tcpdump1090 is available at

Some screenshots of output of dump1090 can be found on this page (written in german).

Using the buttons of the router:

The current states of all buttons can be shown with
cat /sys/kernel/debug/gpio
3 way switch positions:

  • cat /sys/kernel/debug/gpio |grep gpio-18 |sed 's,^.*in *,,'
    lo = middle, hi = left or right
  • cat /sys/kernel/debug/gpio |grep gpio-20 |sed 's,^.*in *,,'
    lo = left, hi = right or middle

and to monitor the button change events the directory /etc/hotplug.d/button has to be created. Then any script inside this directory gets sourced by the script /sbin/hotplug-call. The environment variables $BUTTON, $ACTION and $SEEN are set

  • $ACTION: pressed, released
  • $BUTTON:
    wps: push button with led,
    BTN_0: switch: released = middle position, pressed = left or right
    BTN_1: switch: released =left, pushed = middle or right
    fast switching from left to right: no event for BTN_0 (remains pressed)
  • $SEEN: seconds since last action for this button

Example script to monitor button events:

  • mkdir /etc/hotplug.d/button
  • echo 'echo button $BUTTON with action $ACTION and seen $SEEN>>/tmp/buttons.log' >/etc/hotplug.d/button/buttonlog.sh
  • tail -f /tmp/buttons.log

Scripts to toggle wifi with wps button and to start and stop programs (reference)

  • /etc/hotplug.d/button/00-button.sh
  • /usr/sbin/BTN_0_pressed and /usr/sbin/BTN_1_pressed
  • /usr/sbin/handler_wifi_toggle.sh
  • /usr/sbin/handler_dump1090.sh
  • /usr/sbin/handler_rtl_tcp.sh
  • /usr/sbin/handler_stop.sh
  • all scripts have to be made executable with chmod +x
    and the suffix .txt should be removed
  • to attach the handler scripts to hardware buttons wps/left/middle/right
    (left: triggered by quickly moving the mode switch from right to left
    right: triggered by quickly moving the mode switch from left to right
    middle: triggered by moving the mode switch to the middle)
    uci add system button
    uci set system.@button[-1].button=wps
    uci set system.@button[-1].action=released
    uci set system.@button[-1].handler=handler_wifi_toggle.sh
    uci set system.@button[-1].min=1
    uci set system.@button[-1].max=3
    uci commit system
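How the min and max values set above select a handler, as an added example that is not the 00-button.sh linked in the post: it assumes, like the dispatcher on the OpenWrt wiki, that a handler runs only when $SEEN lies between min and max inclusive. The BTN_0 row and the function name select_handler are hypothetical.

```shell
#!/bin/sh
# Added example, not the 00-button.sh from the post.
# Rule table: button action min max handler ("-" means no time limit).
# Row 1 mirrors the uci settings above; row 2 is a hypothetical mapping.
RULES='wps released 1 3 handler_wifi_toggle.sh
BTN_0 released - - handler_stop.sh'

# select_handler BUTTON ACTION SEEN: print the handler of the first rule that
# matches button and action and whose min..max window contains SEEN.
# Returns non-zero if no rule matches.
select_handler() {
    match=$(printf '%s\n' "$RULES" |
        while read -r button action min max handler; do
            [ "$button" = "$1" ] && [ "$action" = "$2" ] || continue
            if [ "$min" = "-" ] || [ "$max" = "-" ]; then
                echo "$handler"; break      # rule without time window
            fi
            if [ "$3" -ge "$min" ] && [ "$3" -le "$max" ]; then
                echo "$handler"; break      # SEEN inside min..max seconds
            fi
        done)
    [ -n "$match" ] || return 1
    echo "$match"
}

# When sourced by /sbin/hotplug-call the variables BUTTON, ACTION and SEEN are
# set; log the decision and run the handler from /usr/sbin.
if [ -n "$BUTTON" ] && [ -n "$ACTION" ]; then
    if h=$(select_handler "$BUTTON" "$ACTION" "${SEEN:-0}"); then
        logger "button $BUTTON $ACTION after ${SEEN:-0}s: running $h"
        "/usr/sbin/$h"
    fi
fi
```

With the settings above, releasing the wps button after holding it for 1 to 3 seconds toggles wifi; a shorter or longer press matches no rule.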


  • Install rtl-sdr package from this source: download to your computer, then copy it per scp to the router. Install it with opkg install rtl-……_ar71xx.ipk
    • look at the bottom of this page to stream the signal of the tv-receiver with rtl_tcp
    • rtl_tcp -a -n 8 -b 8
  • as receiver osmocom fft analyzer can be used (osx install requires macports: port install gr-osmosdr +full; port install gr-fosphor; port install Gqrx)
    osmocom_fft -W -s 2000000 -f 144000000 -a 'rtl_tcp='
    optionally with -W or -S or -F
    (sample rate 2 MHz gives 30% cpu load on the router)
    Tested with wired connection.
  • fm radio receiver gqrx runs with
    Device settings:
    device: rtl_sdr spectrum server
    device string (as displayed by rtl_test): rtl_tcp=
    sample rate: 1500000 (automatically set by gqrx)
    bandwidth: 0 MHz
    LNB LO: 0 MHz
    (Reboot router if transmission does not work properly)
    Receiver options: WFM (stereo)
    Input controls LNA gain: sensitivity of tuner
    Audio: Gain 0 dB
    Wired connection
  • fm radio receiver sdr# on windows 8.1:
    wireless connection
    sample rate 1.024 MSPS
    start rtl_tcp to listen on wireless interface
    rtl_tcp -a -n 8 -b 8

Features of Mediawiki extended with free version of BlueSpice:

code sourcery is now part of mentor.com:

– command line binary arm toolchain is somehow hidden in favour of the (non free) codebench product of mentor.com

– os x binary toolchain based on code sourcery sources offered by http://www.carlson-minot.com/

– on their download page they offer a build script which references the code sourcery source archives

– using google reveals download links for these source archives at http://sourcery.mentor.com/public/gnu_toolchain/


Rooting: there are some fine guides like this. The first step, unlock bootloader, resets the phone to factory: backup data first. (To see developer options on the phone: settings / about / tap 7 times on the last line / build number). In developer options: activate oem-unlock to unlock the boot loader and later usb debug mode to allow adb shell access.

  • fastboot and adb shell (reference): windows installer (=minimal fastboot and adb; tested: flashing with fastboot needs cmd window with admin rights); linux: apt-get install fastboot; osx: google mfastboot-v2 download.
  • twrp for moto e 2nd 4g: reference; download (version 2015-03-08)
  • supersu 2.46 (2015-03-29) from chainfire.eu: download
  • search for moto e 2nd logo.bin to hide the unlocked bootloader warning (fastboot flash logo logo.bin)

USB OTG: moto e 2nd 4G (xt1524) does support usb on the go (check settings / storage with attached usb storage device)

Tools (from google playstore):

  • Android Terminal Emulator (even tapping works with mc, if enabled in settings, using terminal type xterm). On first start run
    su -c "supolicy --live 'allow untrusted_app untrusted_app_devpts chr_file setattr'"
  • sshelper ssh daemon (comes with busybox)
  • Midnight Commander Installer (installation requires busybox in /system/xbin/)
    Use terminal emulator to copy busybox to system app directory /system/xbin/:
    su; mount -o remount,rw /system
    cd /data/data/com.arachnoid.sshelper/bin; cp -a * /system/xbin/
    Then edit shell script /system/xbin/mc (e.g. with mc editor)
    export TERM=xterm
    /system/xbin/mc.real "$@"
  • juicessh ssh client
    currently needs a policy modification
    su -c "supolicy --live 'allow untrusted_app untrusted_app_devpts chr_file setattr'"
    (or permissive selinux mode) to access /dev/pts. Run in terminal emulator:
    su; setenforce 0 (and reenable with setenforce 1; getenforce shows status)
    or  with ssh:
    su -c sh -i; setenforce 1
    then logout and login again
  • Root Explorer: file manager


  • YouMap: duplicates screen to rplay software on raspberry pi
  • with raspberry pi configured as wlan access point and connected to the internet by ethernet both screencast and internet access use the same wlan connection
  • transmission is very stable and efficient in terms of battery life. But the first connection might have to be tried multiple times: turn on server, connect to rplay device (stop server, disconnect device, repeat from beginning). – Much better than google chromecast app and stick (phone not in list of supported devices, 2015-03).


  • C4droid with gcc and sdl plugin
  • recommended to use bluetooth keyboard
  • working directory is:
    and uses temp.c and temp as compiled binary
  • storage directory is
  • in depth tutorial for qt app
  • selinux support:
    copy libselinux.so from /system/lib/ to
  • download selinux header files from android.googlesource.com: platform/external/libselinux: include (e.g. android-5.1.0_r3)
  • create directory selinux inside
  • copy the header files into this directory
  • In C4droid settings / G++ arguments add after -lz: -lselinux; stored in
  • test selinux with (idea from serverfault.com)
    #include <stdio.h>
    #include <stdlib.h>
    #include <selinux/selinux.h>
    int main() {
        security_context_t con;
        /* getcon() returns the selinux context of the current process */
        if (getcon(&con) < 0) {
            perror("Cannot getcon");
            return 1;
        }
        printf("%s\n", con);
        freecon(con);
        return 0;
    }
  • this program should compile and run with output:
  • if and only if enforcing mode of selinux is active
    su -cn u:r:system_app:s0 test
    allows to run the program test in a different security context (su is part of supersu)

Android build environment:



Mallory is a comfortable python based man in the middle tool. Using a patched version (mallory.diff) with PyOpenSSL sockets adds SNI support.

Importing the ca certificate (mallory/src/ca/ca.cer) into a mobile device, allows to see all ssl encrypted traffic of the mobile device. (Import: either upload ca.cer to a webserver or send it as an email attachment; clicking on ca.cer installs the ca certificate.)

Installation on a raspberry pi with raspbian and configured access point:

apt-get install mercurial
apt-get install python2.7-dev python-setuptools
apt-get install python-pyasn1 python-netfilter libnetfilter-conntrack-dev
easy_install pynetfilter_conntrack
# ??? apt-get install libnetfilter-conntrack3-dbg

hg clone http://bitbucket.org/IntrepidusGroup/mallory
ln -s /usr/lib/arm-linux-gnueabihf/libnetfilter_conntrack.so /usr/lib/libnetfilter_conntrack.so.1

apt-get install python-pip python-m2crypto python-qt4 pyro-gui
apt-get install libffi-dev
pip install pyopenssl
apt-get install python-twisted-web python-qt4-sql libqt4-sql-sqlite sqlite3
pip install netlib
apt-get install python-imaging
apt-get install python-paramiko

Apply patch (which uses some code of this fork, especially the global config class commit, restoring of iptables when closing mallory gui. additionally it transfers code of mitmproxy into mallory to get SNI support)

Instructions to get started with mallory can be found here and here. – Acquiring of dhcp leases on client side currently only works when mallory gui is closed.

The rules and the streams tab in mallory gui might be unreliable. But mallory writes all packets into a sqlite3 database, which can be browsed on the advanced tab (db view, create sql, then execute).  – You could use sqlitebrowser as gui to view the data (apt-get install sqlitebrowser).

Files: ipt.sh, mallory2.diff, mallory2cap.py.diff

On the bottom of this article you find a script which converts the mallory sqlite db into a pcap file which can be read by wireshark. (here with some error handling added: patch)

This patch adds a plugin to mallory to download the ca certificate at http://ip_of_mallory_host:8080. (Furthermore this patch fixes some issues in http.py)

The script ipt.sh allows to start and stop port redirection for mallory. This script and mallory (cd mallory/src; python mallory.py) have to be run as root. The mallory gui (cd mallory/src; python launch_gui.py) runs as normal user, if port redirection is done by ipt.sh.

  • BerryBoot allows to put multiple operating systems on one sd card.
  • the low power micro wifi adapter edimax ew-7811un is used in accesspoint mode
  • PirateBox 1.01 exists as arch linux based raspberry pi image

Install BerryBoot (reference)

  • download latest berryboot zip archive from sourceforge
  • reformat an sd card with one fat32 partition
  • copy the contents of the zip archive into this partition
  • attach screen, mouse and wired ethernet to raspberry pi and boot from sd card
  • follow the instructions and install one “standard os”, e.g. “webserver”

Install PirateBox raspberry pi image

  • download latest piratebox raspberry pi image (ArchLinuxARM) from downloads.piratebox.de (using a bit torrent client like deluge)
  • this image has to be modified on a linux machine (e.g. ubuntu 14.04 lts):
    /lib and /sbin which are symbolic links in the image have to be changed to real directories (reference)
    the resulting root partition has to be copied into a squash filesystem (reference)
  • unzip the image and use kpartx as helper to mount the second partition
    kpartx -av filename_of_unpacked_image
    mount /dev/mapper/loopNp2 your_mountpoint (with N=0, 1, 2 … as displayed by kpartx)
  • use mc, navigate to the root directory of the mounted image.
    i) Remove the symlinks lib, bin  and sbin.
    ii) Move usr/lib to the root directory of the image; also move usr/bin to the root directory of the image.
    iii) Inside the root directory of the image rename bin to sbin and make a symlink from sbin to bin (ln -s sbin bin).
    iv) inside usr/ create symlinks for lib, bin and sbin to the root directory (ln -s bin ../bin; ln -s sbin ../sbin; ln -s lib ../lib)
  • create the squash filesystem image (excluding the kernel modules because the kernel of BerryBoot is used)
    mksquashfs your_mountpoint archlinux.img -comp lzo -e lib/modules
  • copy archlinux.img to an usb stick, plug this usb stick into the usb port of the raspberry pi running berryboot “edit boot”
    and copy archlinux.img to the sd card (using a long mouse click on “Add OS”)
  • set archlinux as default boot entry and exit the boot menu configuration
  • the raspberry pi should boot to the arch linux boot prompt (alarmpi: user: root; password: root)

Configure PirateBox with edimax ew-7811un wifi as access point (reference)

  • replace /usr/bin/hostapd by this version (reference)
  • use editor nano and change the line driver=… in /opt/piratebox/conf/hostapd.conf
  • edit /opt/piratebox/www/board/config.pl and uncomment and set
    ADMIN_PASS (=forum administrator password) and SECRET (seed for cryptography)
  • workaround: piratebox.service (version 2014-10-10) needs to be started with a delay (else it fails to start hostapd):
    use nano and create /etc/systemd/system/piratebox.timer:
    Description=piratebox delayed start
  • activate this timer with
    systemctl enable piratebox.timer
  • test if piratebox runs with
    systemctl status piratebox
    and try to rerun it with
    systemctl stop piratebox
    systemctl start piratebox
    systemctl status piratebox
  • connect to piratebox access point; reboot; wait about 2 minutes; try again to connect
  • use passwd to set your own root password
  • reboot without wired lan connection and without keyboard, mouse and monitor

For a clean shutdown without keyboard ssh could be used (use hostname piratebox.lan)

To upload files from ios other than photos and videos from photo roll and camera:

  • install icab-mobile (has an affordable price)
  • on the settings page of icab-mobile set Network/Upload to icab mobile mode (defaults to ios mode)
  • even with this setting the iframed upload page uses ios upload mode, but
    opened as a separate page (and not as iframe) allows to upload files (which have been previously downloaded by icab-mobile)
  • documents displayed in safari can be transferred to icab-mobile download folder using “open with …” / icab mobile;
    then icab mobile asks if the document should be downloaded.

Raspberry Pi works as airplay receiver using xbmc (only for non copyrighted content)

More or less working (tested on iOS 7.1):

– builtin youtube video app for some content
– fileapp 4 (by fileapp.com) media player (mp4 videos have to be stored with extension m4v; uses builtin iOS player)
– app has to be closed to make freshly uploaded folder content visible (iTunes upload for this app)
– viewing of photos
(videos have a significant time lag between image and sound – but xbmc-kodi is still in alpha status: 2014-10-14)

Not working:
– videos taken by camera of iPhone 5s.
– copyright protected videos (e.g. any iTunes purchase)


– handbrake: apple tv1 (format mp4, saved with extension m4v)
– adobe premiere elements 11: iPad high quality
plug player (if content gets played it can be transmitted to airplay)


Only sound:

oplayer (outputs only sound to airplay; maybe always sets bit for copyrighted videos)
builtin video app playing videos synchronized by iTunes

xbmc: raspbmc with kodi built from  here

To tweak audio settings use this reference

To setup raspbmc as wifi accesspoint refer to this post

Install the iPhone app xbmc (official app made by the makers of xbmc)
(sometimes it is useful to connect an iOS ssh client; currently (build20141012) this is required to make a clean shutdown:
log in as user pi (default password raspberry) and run sudo poweroff)

Alternative: rPlay by vmlite.com
(feature rich; needs free beta license; 12 months no change)


Adding a web frontend (LAMP server) to a local windows application with mssql database (Windows 2008R2 server with mssql 2008). ms access 2003 installed on windows 2008 server is used to synchronize data from mssql to mysql.

  1. mssql database -> ms access 2003 (passthrough query using odbc)
  2. ms access -> mysql (passthrough query using odbc with mysql tunneled by ssh)
  3. windows task scheduler runs ms access (vba code to run queries)

Other software which has to be installed:

  • MySQL Connector/ODBC 5.1 (32 bit)
  • plink.exe, putty.exe (PuTTY)

Configure odbc:

ms access 2003 (usually) is a 32 bit application, stored in program files (x86), so 32 bit odbc connectors have to be used (reference).
To setup 32 bit odbc dsn files open %windir%\SysWOW64\odbcad32.exe (on 64 bit windows searching for odbc opens 64 bit odbc).

  • Create a file dsn for mssql
  • Run PuTTY, connect to the mysql server host with port forwarding: local 3306 to on mysql server.
    Then create a file dsn for mysql: tcp/ip, port 3306
  • Run ms access and create linked tables with create table wizard: linked table / file type odbc / open file dsn.
    Select source table(s) in mssql and destination tables in mysql (activate save password option).
  • Tools / database tools / linked tables manager has to be run if the layout of a linked table has been changed on the server.

Passthrough queries in ms access:

  • Create a new query, do not add tables into the query, switch to SQL mode and set the type of the query to SQL / Pass-Through
  • Open the properties window and set ODBC-Connection to
    and additionally for mysql
    (The field values, except PWD (password), can be found, if the odbc file dsn is opened with a text editor)
  • To run passthrough queries automatically the odbc password has to be stored in clear text(!);
    so both database servers, mssql and mysql, should have a user and password only used for odbc.
  • To test the SQL code for passthrough queries the statements should be run on the server:
    mssql with SQL Server Management Studio and mysql with PHPMyAdmin

Transfer of data from mssql to mysql: tblSrc to tblDest

  • on mysql server create tblDest_tmp with same layout as tblDest and create a linked table tblDest_tmp in ms access
  • in ms access setup a mysql passthrough query with name step1 and SQL code
    TRUNCATE TABLE tblDest_tmp
    (set property return records to false)
  • setup a mssql passthrough query with name qrySrc_mssql and SQL code which converts the data of tblSrc to the layout of tblDest, e.g.
    SELECT tblSrc.phonenumber AS phone FROM yourdb.dbo.tblSrc
  • setup a ms access append query with name step2 which uses source “table” qrySrc_mssql and destination table tblDest_tmp, e.g.
    INSERT INTO tblDest_tmp (phone) SELECT phone FROM qrySrc_mssql;
    (it is possible to choose fields in ms access design view mode)
  • setup a mysql passthrough query with name step3 which uses tblDest_tmp to update tblDest, e.g.
    INSERT INTO tblDest (phone) SELECT t.phone FROM tblDest_tmp AS t
    ON DUPLICATE KEY UPDATE phone=t.phone
    (set property return records to false)
  • to transfer data start ssh port forwarding and run the queries
    step1 (which removes all data from tblDest_tmp)
    step2 (which copies data from qrySrc_mssql (fetching data from tblSrc) to tblDest_tmp)
    step3 (which updates tblDest with data from tblDest_tmp)
    stop ssh port forwarding
    (bug: if port forwarding has been stopped, ms access has to be closed and reopened;
    else the queries fail with an odbc error (mysql); some reinitialization of odbc seems to be needed.)
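
The clear-text ODBC password mentioned above does less harm if each odbc-only account can do exactly what step1, step2 and step3 need. This is an added example, not part of the original setup; the account names odbc_sync and odbc_reader, the mysql schema name webdb and the passwords are placeholders, and it assumes the ssh tunnel ends on the loopback interface of the mysql server.

```sql
-- ===== run on the mysql server as an administrative user =====
-- The ssh tunnel delivers the connection from the server's own loopback
-- interface, so the account does not have to be reachable from the network.
-- (If the server runs with skip_name_resolve use '127.0.0.1' instead.)
CREATE USER 'odbc_sync'@'localhost' IDENTIFIED BY 'CHANGE_ME_long_random_1';

-- step1: TRUNCATE TABLE needs the DROP privilege on the staging table
-- step2: ms access appends rows through the linked table (SELECT, INSERT)
GRANT SELECT, INSERT, DROP ON webdb.tblDest_tmp TO 'odbc_sync'@'localhost';

-- step3: updating tblDest from the staging table needs INSERT and UPDATE;
-- SELECT is for the linked table tblDest in ms access
GRANT SELECT, INSERT, UPDATE ON webdb.tblDest TO 'odbc_sync'@'localhost';

-- check: only USAGE and the two table-level grants should be listed
SHOW GRANTS FOR 'odbc_sync'@'localhost';

-- ===== run on the mssql server (SQL Server Management Studio) =====
CREATE LOGIN odbc_reader WITH PASSWORD = 'CHANGE_ME_long_random_2';
GO
USE yourdb;
GO
CREATE USER odbc_reader FOR LOGIN odbc_reader;
-- qrySrc_mssql only reads tblSrc, so nothing beyond SELECT is granted
GRANT SELECT ON dbo.tblSrc TO odbc_reader;
GO
```

With these grants a leaked mdb file exposes only tblSrc (read-only), tblDest and tblDest_tmp.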

Preparations to run the queries automatically by VBA:

  • Simple preliminary setup: create a form and use the create button wizard to put 3 buttons on the form
    which run the queries step1, step2, step3.
  • Two other buttons can be created which start and stop ssh port forwarding:
    with the create button wizard choose run application and choose as command line
    "your_path\plink.exe" -L 3306: -i "your_path2\keyfile.ppk" -ssh -2 -l your_user -N your_server.com
    and (assuming a non administrative user is logged in and only one instance of plink.exe runs in the account of this user)
    taskkill /f /im plink.exe
    With PuTTYgen an openssh public key can be converted into ppk format used by plink.exe.
    To be able to run these commands by windows task scheduler all network drive mappings have to be replaced by unc names
    (e.g. \\yourbox\tools\plink.exe, not N:\tools\plink.exe)

Using VBA code to run queries:

  • to make it easier to maintain the SQL code of the queries, VBA makes temporary copies of existing queries
    (vba code based on inspiring work of mdlueck)
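    Sub deleteQDF(name)
    ' delete a (temporary) query; ignore the error if it does not exist
    On Error Resume Next
    CurrentDb.QueryDefs.Delete name
    End Sub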
  • passthrough query: (step1 and step3)
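    Dim daoDB As DAO.Database
    Dim daoQDFbe As DAO.QueryDef
    Dim strQryNameBe As String
    strQryNameBe = "" ' empty name: temporary query which is not saved in the database
    Set daoDB = CurrentDb()
    Set daoQDFbe = daoDB.CreateQueryDef(strQryNameBe)
    With daoQDFbe
    ' copy connection string and SQL code of the saved passthrough query
    .Connect = daoDB.QueryDefs("yourExistingQuery(replace by step1 or step3)").Connect
    .SQL = daoDB.QueryDefs("yourExistingQuery(replace by step1 or step3)").SQL
    .ReturnsRecords = False ' step1 and step3 return no records
    .Execute dbFailOnError
    End With
    Set daoDB = Nothing
    Set daoQDFbe = Nothing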
  • append query (step2; with passthrough query qrySrc_mssql as source):
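    Dim daoDB As DAO.Database
    Dim daoQDFbe As DAO.QueryDef
    Dim strQryNameBe As String
    Dim daoQDFfe As DAO.QueryDef
    Dim strQryNameFe As String
    strQryNameBe = "tmpSrcBe" ' placeholder name of the temporary source query
    strQryNameFe = "" ' empty name: temporary query which is not saved in the database
    Call deleteQDF(strQryNameBe) ' remove a leftover copy of an earlier run
    Set daoDB = CurrentDb()
    Set daoQDFbe = daoDB.CreateQueryDef(strQryNameBe)
    With daoQDFbe
    ' temporary copy of the passthrough query qrySrc_mssql
    .Connect = daoDB.QueryDefs("qrySrc_mssql").Connect
    .SQL = daoDB.QueryDefs("qrySrc_mssql").SQL
    End With
    Set daoQDFfe = daoDB.CreateQueryDef(strQryNameFe)
    With daoQDFfe
    ' copy of step2 which reads from the temporary source query
    .SQL = Replace(daoDB.QueryDefs("step2").SQL, "qrySrc_mssql", strQryNameBe)
    .Execute dbFailOnError
    End With
    daoDB.QueryDefs.Delete strQryNameBe ' remove the temporary source query
    Set daoDB = Nothing
    Set daoQDFbe = Nothing
    Set daoQDFfe = Nothing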
  • run application (start plink.exe for ssh port forwarding; run taskkill to terminate plink.exe; use Chr(34) to insert double quotes into commandline):
    Dim strAppName As String
    Dim qq As String
    qq = Chr(34) ' double quote character
    strAppName = qq & "path1\plink.exe" & qq & " -L 3306: -i " & qq & "path2\key.ppk" & qq & "  -ssh -2 -l dbUser -N dbserver.com"
    Call Shell(strAppName, 1)

    strAppName = "taskkill.exe /f /im plink.exe"
    Call Shell(strAppName, 1)

Autostart version of ms access database mdb file:

  • Evaluate command line argument:
    open mdb database with:
    "yourPathToMsOffice\msaccess.exe" "yourPathToMdbFile\yourDb.mdb" /cmd autostart
  • Create a macro with name AutoExec by new macro wizard of ms access, choose macro type run code and write to field function name:
    and create a VBA function with VBA-Editor (inside a standard module of VBA editor; not inside a form_module)
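    Function AutoExec(ByVal strCmd As String) As Boolean
    ' Command returns the text which follows /cmd on the command line
    If strCmd = Command Then
    ' autostart VBA code

    DoCmd.Quit ' close ms access after the autostart code has run
    End If
    End Function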
  • The code inside the if condition of the VBA function AutoExec(strCmd) is only executed
    if the command line of msaccess.exe ends with /cmd autostart. (DoCmd.Quit closes the ms access application.)
    Otherwise the macro AutoExec calls the VBA function AutoExec(strCmd), which returns immediately.

Use Windows Task Scheduler to run the queries:

  • For security reasons a normal non administrative user account should be used to autorun the queries.
    This user needs the privilege to login as batch user (reference):
    Start / Administrative tools / Local Security Policy
    Security Settings / Local Policies / User Rights Assignment / Log on as a batch job
    click right mouse button and choose Properties
    Click Add user or Group to give the privilege to the user.
  • Batch user login does not map network drives. Use UNC names instead:
    replace N:\yourSharedFolder by \\yourServer\yourShare\yourSharedFolder
    (e.g. ssh port forwarding: path of plink.exe and path of ppk file in VBA code)
  • Batch tasks do not display any window, so code run by the task scheduler has to be checked on the desktop.
    Single stepping through VBA code inside VBA editor is recommended.
    Batch tasks are only shown in task manager if show all users is active.
  • Open Windows task scheduler with administrative privileges, else new tasks cannot be created.
    Use right mouse click run now to immediately try out a scheduled task.
  • Create a new task (not simple task):
    – define user to run the task
    – run independently of user login (=run with batch login) and store password
    – run with high priority
    – trigger by timer, e.g. daily
    – action: run program:
    "C:\Program Files (x86)\Microsoft Office\OFFICE11\MSACCESS.EXE"
    use arguments
    "yourPath\yourDatabase.mdb" /cmd autostart
    working directory can be left blank
    – properties: stop after 1 hour and force exit

Watch how local windows application data automagically displays in web frontend.