Sunday, October 28, 2018

Shortening a Fly Fishing Rod

My wife is an avid fly fisherwoman.  I wanted to join her, so I ordered a fly rod and reel off of amazon.com, and when it arrived, I had a distinct worry.  I do love the outdoors, and backpacking, so I had ordered a 9' rod that came in 4 sections.  When I assembled the rod, it seemed way too long for some of the places I have hiked to (tight corners in the streams, lots of overgrowth and trees covering the waterway).  I wanted to be able to hike with a 9' for lake-side fishing, but shorten the rod in a pinch for other places.

Maybe I simply thought that this was a good excuse to head out to the shop.

Either way, that's what I did.  I had a chunk of 1/2' aluminum rod from Home Depot from a previous task, so I chucked it up in the lathe and turned it down to an outside diameter 1/8" larger than the ferrule side of the butt-end of the rod.  Then I turned down one side of it to the outside diameter of the next section (which has a taper, BTW), and then drilled it out to fit over the butt-end, ferrule-side.  Essentially, it's a lightweight part that eliminates the section of rod that connects to the butt-end, and it fits in the cap of the case.





Granted, it DOES change the speed of the rod.  The rod becomes much more stiff down low (which means the rod becomes "fast").  The purpose was not to have two moderate rods of different lengths, it was to have a single rod that could work in a pinch for a different situation.  You simply have to change your casting method.  It fits, it is extremely light, and now I can pop into odd situations and still spend a day doing nothing (like that's going to happen).

Sunday, September 30, 2018

Tailstock Die Holder

For all of those wonderful times when you want to thread, but you are too lazy to switch change gears for the right thread pitch, I give you my version of a tailstock die holder.  Essentially, it is a thread-cutting tool to sit in the tailstock.


Mine was made using 5/8 tool steel rod that was drilled for a 3/8-24 thread in one end, and screwed onto an MT2 arbor that was 3/8-24 on it.  Then, a cylindrical piece of aluminum was cut, turned, faced, and bored out, and then some set screw holes put in it.


Mine had a 1.5" hole bored, as well as a 1" hole.  Then, I can use two different types of dies.  Also, it was turned to a 2" diameter so I can use a 2" inner diameter tube and hold a 2" die, too.  It means I can hold the vast majority of dies for easy threading on the lathe!

Sunday, September 23, 2018

Starting RMAV (Remotely Manned Aerial Vehicle)

I'd wanted to build a quad-copter.  Out of curiosity, I found a carbon fiber frame on a Chinese website for $30, and I ordered it.  I took it into the office (we have a guy that loves anything RC), and he talked about it being just like the one he paid $100 for.  After realizing I had a Chinese knock-off, I decided to keep building.  I'd like to buy one of those $100 frames just so the guy gets credit, but that will come when my wife thinks FPV is cool and takes over mine.  Anyway, here we go.

I think green is cool.  So, I ordered green tubes (I needed 34mm and 28mm tubes) and green cone washers.  The 34mm tubes didn't come in the size required for the quad frame, so I needed to turn them from 35mm down to 34mm on the lathe.  Being cheap aluminum, the first one bent.  I chucked up the second one closer to the collet, and was successful :





My quad now has KV2600 T-Motors in green.  Since then, I've added the flight stack, and added some heat shrink tubing to secure the motor wires to the arms.  I've also added green antenna tubes in order to get a little more complete.  My propellers are a 3-blade HQ with a pitch of 4.3.  I know they sell 4.8 for quick response, but I'd like something a tad bit more gentle.



The above picture was taken before the green lock nuts arrived.  As of October 28, 2018, I have picked up an orange RunCam Swift 2 camera, and I removed the case and painted it some random color.


I have also picked up a DX6 (made by Spektrum) to control this thing.  My list of stuff to acquire and put on is :
  • FPV transmitter and Antenna
  • FPV goggles (Fat Shark Dominators)
  • Radio Receiver
  • Batteries and Chargers
Kinda excited to get this thing done.

Wednesday, August 22, 2018

When Your Truck is Missing Parts?

Last week, someone was stopped aside the freeway with emergency flashers.  The last thing I wanted to do was to get to work, so I stopped to help.  I quickly found out that the individual could not get their jack underneath the car (hint: don't lower your cars, folks).  I finagled the jack underneath, and lifted the car.

Then we found out they didn't have a lug wrench.

So I headed back to my new-to-me truck to see if I could find mine.  I'd only had the truck for a half month, so this was something I needed to learn.  And that's when the new realization hit me ....

I didn't have a lug wrench or a jack for the truck!

I didn't even have the bracket that holds the jack and wrench down.  It typically sits underneath the front passengers' seat, but where it was was a threaded hole that would allow water to permeate the interior.  Not good.

So, a quick call to a dealership, and they can't even find a part number to order.  A check to eBay, and someone out there is charging $120 for the assembly.  I fired off an offer that was rejected.  Rather than face up to a low-ball and buy it, I grabbed parts from Home Depot, picked up my spare Kydex sheets, and bought a bottle jack from Harbor Freight.  Then it was a matter of assembling a frame.  I heated the Kydex and formed it around the jack (I didn't want a potential hydraulic fluid leak), and then riveted the thing together.




I did have to trim a panel to get it to fit, but unless you know what you are looking for, you'll never see it.



The other thing was that I didn't have a 6mmx1.0 hold-down bolt, so I turned some 1/4" threaded rod to the outside diameter and used a metric die to cut it, coated it with Loctite, and created my own hold down bolt.



Not bad!

Wednesday, July 4, 2018

Bullet Ear Buds

At one point, I had made a pair of these (not my video) :


But, since I use them most when traveling on aircraft, I wanted some that worked a little better with not-so-short wires, but that could make it through TSA without being confiscated due to the gun powder residue.

This resulted in a little different approach.  Here's what went into these :


  • Unused and unloaded .40 caliber brass cartridges, nickel plated
  • TDK EB760 Ear Buds for the drivers
  • A cheap pair of braided-wire ear buds from China (the color I wanted), primarily because the TDK wires are too short for me, even before cutting them out
  • A small chunk of round aluminum about a half inch in diameter
Tools used :
  • A cheap Harbor Freight heat gun
  • A small tool vise
  • Soldering iron
  • Small, round file
  • Drill bit just larger than the to-be-used speaker wire
  • My metal lathe with some collets (you can use a drill as shown in the video, but my experience was better with the lathe as explained later)

Once I had everything, I started by using the lathe to cut a brass plug that would press into the primer spot in the cartridge casing.  It was about 0.172 in diameter and pressed into it perfectly (make sure it's the right side when cutting the fake primer).

Place the casings into the small tool vise, take them over to the drill press, and (using the drill bit just larger than the wires) punch a hole in the side of the casing as shown in the video.  Use a counter sink to remove the raised edges and clean it up.  Do this for the other casing as well.

Next, I measured about 12mm in length from the back of the casing.  I need the line as I will put the casing into a collet with the primer side in the collet to both protect it during the cut, and also allow me to clean it up after the cut.  Make that cut, then bevel the outside edge.  Using a small, round file with a handle bevel the inside edge of the casing as well.  Because we are using un-spent brass, there is no expansion, which results in the casings being a little too snug in comparison to what is in the video, so we absolutely need a centering bevel on the inside.

Using the heat gun, heat all around the TDK ear buds until they come apart.  Don't get them too hot or you could destroy the drivers, and that is what we need out of them.  Once they come apart, cut the wire to release the speaker driver and the casing that holds it (and the rubber/silicone things that hold them in your ears).  The driver and the casing the driver sit in are what you want.

You now need the wire from the other ear buds.  Cut them free from the cheap ones, and then push the wire through the small hole from the outside of the casings to the inside.  Tie a knot to prevent them from coming out.

Use a soldering iron, release the old speaker wire still attached to the drivers, and attach the new wire that was fed through the casing side.  You may need to clear insulation on the new wire until you get to the colored speaker wire on the inside.  Solder them up like the old wires were (colored wire to colored pad, copper wire to the other pad).

Finally, I crushed the driver housing when I tried to press the housing into the un-spent brass.  I ended up using the small aluminum round after drilling a hole through it about 0.25" in diameter, and then putting a concave surface.  I then took that with the driver housing and casing back to the small tool vise.  The round went over the top of the driver housing so I could press on the sides of the driver housing rather than the front, then centered everything up, and pressed them together.





I put the silicone parts back on, and tested them out.  They are pretty slick and pretty nice!  Great sound, cool look, and I HOPE it should get through TSA without confiscation.  Note, I have not yet tried to get these through TSA, so I don't know if they'll make it through.  I certainly hope they will.

Sunday, June 24, 2018

Milling Stand and Ball Turning Attachment

I had a brief moment to work on some "projects", so I took that and ran with it.  First up was a ball turning attachment for the lathe.  I picked up some 5" x 12" x 5/8" steel plate, and drew up the fork on it.  Then I drilled a few holes to make turning corners in the bandsaw a little easier :


Once that was complete, I drilled along the swing arm on the inside (the blade wouldn't be able to make that turn, even with a drilled hole), and then cut along the lines.  I simply used a hammer to break out the inside chunk since I drilled along the base line of it.  Before freeing the entire pieces, I drilled sideways (which will become vertical when complete) to ensure that the pivot points are lined up.  You will see that in the second picture :



Then, the final cut along the hilt where it will sit in the tool post holder to free it all up.  Here is an exploded view of where everything ended up in the plate steel :


The "forks" were still a little rough :



At that point, I used a flap disc on the angle grinder and the milling machine to clean things up.  My biggest worry was making sure the drilled holes when expanded remained on the same axis.  If the top axis was even slightly not lined up with the bottom axis, it won't pivot very easily.  This meant that I MUST drill the final holes in line with the other end.  A drill press won't cut it because it wouldn't guarantee that the axes would be parallel.  So, I used the live center to keep the points lined up, and a drill bit in a collet.  This allowed me to swap sides, and drill them out.  I did both the frame and the c-channel that pivots.  The large channel was drilled with 3/8" (0.375"), and the c-channel was drilled with a 1/4" (0.250").  On the c-channel, because it was smaller than the swing, I had to use a board between the ways to keep it solid.


Once done, I verified that I could put a 3/8" rod through the holes (meaning they were parallel).  Perfect!


I then had to cut some bushings.  They were first turned down (with a flange) to a minor outside diameter of 0.375" to match the holes.  I drilled them to 0.250" to match the sizes of holes in the c-channel holes.


I pressed the bushings into the frame.


Then, to make sure the whole thing would work properly, I grabbed a 0.250" (1/4") rod and placed it through all of the holes, and ensured that everything turned properly.


The next steps are to broach the tool holder in the c-channel/swing arm (you can see it in the picture above) into a square hole, cut some flats on the 0.250" rod and install some set screws for the rods and tools.  After that, a simple handle and we're good to go!


Notice the square broach.  I built a broach out of 7mm HSS.  Being a stupid idiot, I first tried turning it on a lathe.  That is a bad idea - it will break your carbide tooling, and does nothing to the square.  Next, I used a grinder to make it "round" and cut "reliefs" in it.  This did nothing more than get it jammed into the round hole.  So, I used files to make the hole a little more square, then fed a 6mm HSS blank through it (squared up the hole to 6mm, still less than the 1/4" I wanted for tooling).  So, I then fed the 7mm "rounded" broach.  I was puckered up a little, but I ended up with a square hole.  I then locked it onto my mill, cut a flat, and then drilled a hole for a set screw.  Another note, I didn't see many options for a #12 set screw, so I had to go up to a 1/4" set screw.



After tapping that, I took all thread, and put a bend in it using heat and a press, then put it all together.  All I need now is an XL tool holder for the AXA, and I can tell everyone I have balls of steel!




Speaking of the milling machine, I also built a stand, since it is heavy and I don't like moving it around.  I also have limited space on tool storage, so I had to make it "mobile".  Turned out okay :



Wednesday, May 16, 2018

Mechanical Science Curriculum

It has been a while, but that doesn't mean things have slowed down.  In fact, they are getting busier.  I wanted to find out why I am so busy, but I just can't find the time to do it.

To add to the problem, a neighbor has a son who wants to get some mechanical studies in this summer (kind of a mentorship).  The lad is in high school, and has had some issues with mathematics.  I accepted for two reasons.  First, he's a brilliant kid, and if I can help channel that into actionable understanding, he will go a long way.  Second, when someone wants to learn about things, who am I to stop it?  So, I am now starting a new [temporary] mentorship.

The topic he requested is mechanics.  Not mechanical engineering (he is a bit tentative of any engineering right now because of the math, though I think he's got it down pat) or physics.  Mechanics.  That means I have to bridge both physics and mechanical engineering in a way that will get him to the water hose in ways he can understand.  Everyone who has worked with mechanics will be aware that there is definitely engineering involved, and definitely physics.  In fact, mechanics are the common ground of the two in a Venn diagram.  So, I have to get him to that point, then branch him out.

My thoughts are as follows.  First, we need to teach basic principles of physics without a book or "homework" of doing math.  It has to be an applied method.  I have a few resources at my disposal.  I can always tap into the MIT OpenCourse for mechanical engineering.  I started trying to map out how to teach the principles by searching for pre-made kits that one could buy, but the wide range I needed to cover was not available in one place, so an additional resource smacked me in the head like a 2x4 - I have a 3D printer.  I can design and print small "gadgets" that demonstrate application of physics.  Here's what I'd like to cover :

Basic concepts
  • Work
  • Horsepower
  • Torque
  • Pressure
  • Location of energy (e.g. Internal/External (thrust vs. pushing), pulling, etc.)
Types of energy or motion
  • Cyclic/Oscillational
  • Rotary
  • Linear
Converting, transfer, and scaling of energy or motion
I have my work cut out for me - I have less than a month to start crafting a curriculum and getting prints created.

Saturday, February 24, 2018

No-Kit CNC for X2 Mini Mill

Finally found a good set of instructions.  It's a series, so not a single video, and this guy runs through the whole process of making his own kit.  Check it out :


Now I have to build a stand to get it into an operable position, then I can use the machine to build accessories for the machine.

Saturday, February 3, 2018

Remote Control Cheapness Turns Into New Part

Today was my first Saturday that I could do anything.  I had some stuff to do (like cleaning bathrooms, vacuuming, and mopping the floor).  I also had a request from someone that I needed to do.  They had a radio-controlled car that had a piece of plastic in the controller.  That little piece had snapped - it wasn't built well enough (many people had that same problem).  He wanted me to make a replacement (probably thinking 3D printing, but I ultimately chose brass).

I initially tried to glue it together to get it solid enough to get an outline.  Epoxy didn't do very well.


Again, if I'm going to make a part that has stresses applied on it, I'm going to make it solid, so I chose brass.  There was one issue, though - the part was 0.1" deep.  Nobody makes anything exactly 0.1" thick.  I grabbed a chunk of brass cutoff from a local shop (I love my local supply store).  It came at 0.1875" thick (3/16"). I needed to break out the mill, but I had to clean it first to have it ready to run.  I took it apart.


Once it was dismantled, I started cleaning things off (lots of cosmoline coating everything on it).  I grabbed a few photos of the cleaning process, just to show how much cosmoline was on that thing.  Appearances of the differences are pretty stark.






Next up was the actual intent for breaking it out - I needed to machine the brass from 0.1875" down to 0.1".  I don't have a hold-down clamping set for this thing, so instead I found some 3/8" threaded rod, grabbed some scrap and punched holes in it, and bolted it down.  I found the top, then milled it out :



Now that I had the brass "plate", I could cut the part out.  This was when I tried to epoxy the two pieces together.

It didn't work, but I was able to clamp both parts down in place enough to get a trace of the part.  Once I had that, I used a cutoff wheel on the Dremel to slot down to the outline.  Once I was "close enough", I used some small needle files to finish it to size.  I also filed some of the edges down to get it to the right part.



Next up is giving it back over to that guy to see if he can make it work.

Wednesday, January 24, 2018

IPC Camera Hacking

After my run-in with HikVision and HoSafe cameras (no provided firmwares that they would send to me), I decided to try another cheap camera.  What I settled on had someone claiming that the cameras wouldn't dial home to China.  They were Camius BoltV cameras.

When I checked, they were all based on the same Chinese maker, and branded with their own firmwares.  For example, the first ones were HoSafe, and returned the model "JVS-HI3516CS" (see the More on Chinese Camera Hacking post).  The second, HikVision cameras returned something similar (but I do not have that as the camera was phased out quickly due to a hardware failure), and the latest Camius BoltV returns :
    root@kali:~# strings CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw |head -n5
    RSUp
    IPC3516D
    IPC3516D
    V170913
    V170911
    
Hm. Looks like a new company in the same old market, base model of HI3516, so let me ask you a quick question.  It doesn't "dial home" because someone on the Internet said it doesn't. Is that right?  Let's see.  Let's boot one up inside of my no-access network and see what we get.
    Jan 24 17:59:12 hostname dhcpd: DHCPDISCOVER from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:12 hostname dhcpd: DHCPOFFER on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPREQUEST for 192.168.1.30 (192.168.1.1) from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPACK on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    
Looks good so far.  I wait for a few minutes, and no DNS lookups.  Looks great!  I load up the browser, and....
    09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
    09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
    09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.256390 IP 192.168.1.30.38702 > router.example.com.domain: 11534+ A? p2p.anlian.co. (31)
    09:26:39.256489 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
    09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.273923 IP 192.168.1.30.50096 > router.example.com.domain: 11536+ A? p2p.anlian.co. (31)
    09:26:41.274022 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.274857 IP 192.168.1.30.36165 > router.example.com.domain: 11537+ A? p2p.anlian.co. (31)
    09:26:41.274956 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.292613 IP 192.168.1.30.58809 > router.example.com.domain: 11538+ A? p2p.anlian.co. (31)
    09:26:43.292800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.293694 IP 192.168.1.30.33953 > router.example.com.domain: 11539+ A? p2p.anlian.co. (31)
    09:26:43.293800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.294944 IP 192.168.1.30.37312 > router.example.com.domain: 11540+ A? p2p.anlian.co. (31)
    09:26:43.295039 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.312929 IP 192.168.1.30.34936 > router.example.com.domain: 11541+ A? p2p.anlian.co. (31)
    09:26:45.313133 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.315165 IP 192.168.1.30.32893 > router.example.com.domain: 11542+ A? p2p.anlian.co. (31)
    09:26:45.315265 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.316177 IP 192.168.1.30.60287 > router.example.com.domain: 11543+ A? p2p.anlian.co. (31)
    09:26:45.316273 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
    09:26:46.288148 ARP, Reply 192.168.1.30 is-at 58:e8:76:01:05:fe (oui Unknown), length 46
    09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
    09:26:47.333058 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.334285 IP 192.168.1.30.35320 > router.example.com.domain: 11545+ A? p2p.anlian.co. (31)
    09:26:47.334409 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.335774 IP 192.168.1.30.51734 > router.example.com.domain: 11546+ A? p2p.anlian.co. (31)
After connecting with the browser, it appears to dial home to China, to a peer-to-peer network.   People seem to answer questions they know nothing about.
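
The same check can be automated over a saved capture. This is an added example, not code from the original post: it parses tcpdump's default text output, groups DNS queries by device and name, and counts the router's "admin prohibited" rejections so you can confirm the egress block held. The function name `summarize_dns`, the `expected_suffixes` allowlist, and the second device in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's default text format, modelled on the lines above.
SAMPLE = """\
09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:40.100000 IP 192.168.1.40.40001 > router.example.com.domain: 2201+ A? time.example.net. (34)
09:26:40.100900 IP router.example.com.domain > 192.168.1.40.40001: 2201 1/0/0 A 192.0.2.10 (50)
09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? P2P.anlian.co. (31)
09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
"""

# A DNS query: "<ts> IP <src>.<sport> > <resolver>.domain: <id>+ <QTYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > \S+\.(?:domain|53): "
    r"\d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)
# The firewall's refusal sent back to the device.
REJECT_RE = re.compile(r"^\S+ IP \S+ > (?P<dst>\S+): ICMP .*admin prohibited")


def summarize_dns(lines, expected_suffixes=()):
    """Group DNS queries by (source, name) and flag names outside the allowlist."""
    queries = defaultdict(lambda: {"count": 0, "first": None, "last": None, "qtypes": set()})
    rejects = defaultdict(int)
    for line in lines:
        line = line.strip()
        m = QUERY_RE.match(line)
        if m:
            # DNS names are case-insensitive; drop the trailing root dot.
            qname = m["qname"].rstrip(".").lower()
            rec = queries[(m["src"], qname)]
            rec["count"] += 1
            rec["first"] = rec["first"] or m["ts"]
            rec["last"] = m["ts"]
            rec["qtypes"].add(m["qtype"])
            continue
        m = REJECT_RE.match(line)
        if m:
            rejects[m["dst"]] += 1

    findings = []
    for (src, qname), rec in sorted(queries.items()):
        expected = any(qname == s or qname.endswith("." + s) for s in expected_suffixes)
        findings.append({
            "src": src,
            "qname": qname,
            "count": rec["count"],
            "first": rec["first"],
            "last": rec["last"],
            "qtypes": sorted(rec["qtypes"]),
            "unexpected": not expected,
            # Rejections seen for this device: evidence the block is in effect.
            "icmp_rejects": rejects.get(src, 0),
        })
    return findings


if __name__ == "__main__":
    for f in summarize_dns(SAMPLE.splitlines(), expected_suffixes=("example.net",)):
        flag = "UNEXPECTED" if f["unexpected"] else "ok"
        print(f'{flag:10} {f["src"]:15} {f["qname"]:20} x{f["count"]} '
              f'({f["first"]} .. {f["last"]}) rejects={f["icmp_rejects"]}')
```
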

With that out of the way, let's see what we have.  I first ran NMAP against the camera :
    root@kali:~# nmap -sT -O 192.168.1.30
    Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-20 08:33 MST
    Nmap scan report for 192.168.128.31
    Host is up (0.0031s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    23/tcp   open  telnet
    80/tcp   open  http
    554/tcp  open  rtsp
    7000/tcp open  afs3-fileserver
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.60%E=4%D=1/20%OT=23%CT=1%CU=39315%PV=Y%DS=2%DC=I%G=Y%TM=5A63616
    OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=11%GCD=FA00%ISR=9C%TI=I%CI=I%TS=U)OPS(O1=
    OS:M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFFF%W2=FFFF%W3=FFFF
    OS:%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=41%W=FFFF%O=M5B4%CC=N%Q=)T1(R=Y%
    OS:DF=N%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=100%W=0%S=Z%A=S%F=AR%O=%RD
    OS:=0%Q=)T3(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=100%W
    OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
    OS:)T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=100%W=0%S=Z%
    OS:A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=37%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
    OS:UCK=G%RUD=G)IE(R=N)
    
    Network Distance: 2 hops
    
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
    
    root@kali:~# 
    
That looks like the last one, except the ports are different.  Aside from that, pretty near perfect.  This seems to be better in security, though, as every request from Hydra gave us false positives (a basic redirection to another location).
    workstation:~ username$ curl http://192.168.1.30/cgi-bin/something.pl
    <root>
    <port>9988</port>
    <devtype>5932089570895921152</devtype>
    <langstrs>ENU FRA DEU ITA PTG RUS ESN</langstrs>
    <curlang>ENU</curlang>
    <custom>CAMIUS</custom>
    <logo>CAMIUS</logo>
    <uiversion>0</uiversion>
    <sdcardpageshow>0</sdcardpageshow>
    <title></title>
    <firstloginflag>0</firstloginflag>
    <pluginfile>0</pluginfile>
    <devicetime>2015-01-14_12-39-53</devicetime>
    </root>
    workstation:~ username$
    
So, I can't explore this one like I did HikVision or Hosafe.  Next try is to see if I could find the firmware.  Lo and behold!  A company that allowed the firmware to be downloaded!  Here's why this is beneficial.  We can dismantle the firmware to see what we have in there.  I'd never done this before, so it was an exercise in learning.  Maybe this will help.

Everything I read online explained to use binwalk, then firmware-mod-tools.  I ran binwalk (like I was supposed to), and then firmware-mod-tools to explode what binwalk found :
    root@kali:~# binwalk CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# /opt/firmware-mod-kit/trunk/extract-firmware.sh CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    [... a whole lot of compilation errors ...]
    root@kali:~#
    
Apparently, the distribution for Kali doesn't compile the firmware-mod-tools.  Then I found a nifty little flag in binwalk that gave me what I needed, which was a nifty little -e option to explode what was found :
    root@kali:~# binwalk -e CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# ls -ltr
    total 86448
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Videos
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Templates
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Public
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Pictures
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Music
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Downloads
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Documents
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Desktop
Sweet!  I started immediately exploring the system after finding every file now available to me :
    root@kali:~# ls -ltr
    total 86448
    [... snip ...]
    drwxr-xr-x 5 root root     4096 Jan 21 08:00 _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted
    root@kali:~#
    root@kali:~# cd _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls
    2DBC40.squashfs  577C40.squashfs  squashfs-root    squashfs-root-1
    406E4            A51238.squashfs  squashfs-root-0
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls squashfs-root
    bin   etc   lib         mkimg.rootfs   moudle   plugs  root   sys  var
    boot  home  linuxrc     mknod_console  nfsroot  ppp    sbin   tmp
    dev   init  lost+found  mnt            opt      proc   share  usr
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# cd squashfs-root
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root# cd etc/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# ls
    boa    fs-version  group   inittab     mtab    passwd-  profile    resolv.conf  udev
    fstab  goahead     init.d  mime.types  passwd  ppp      protocols  services
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# cp passwd ~/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc#
    
And now I only needed to run John the Ripper on the password file and locate the proper RTSP stream for motion detection.  However, after a few days of running John, I still didn't have a matching password.  So, I started looking for other ways to gain that access.  But, let's keep digging, just because I am curious.  In the extracted web squashfs, we see just a bit more information :

Hm. A lot of binary files, but some configs.  So, what service is running HTTP?  I believe it is BOA, and in the root filesystem's /etc/boa/boa.conf, there is this interesting little setting for the user and group the server runs as:
    User 0
    Group 0
    
Huh?  Wow.  If you can run anything on the service, you have ROOT ACCESS! So, let's see what else is in there :
    DocumentRoot /plugs
    [... snip ...]
    CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
    
[SARCASM] Beautifully secure [/SARCASM]! It looks like if you can get control of any of the jobs in the cgi-bin directory of the second squashfs, you have a successful breach, because it will run any command as root that is in the /bin or /usr/bin or /usr/local/bin directories.  Unfortunately, there is only one thing in /cgi-bin, and that is mediaport.cgi, which is an ELF tool:
    root@kali:~# file mediaport.cgi
    mediaport.cgi: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
    root@kali:~#
    
This might not be as easy as I was hoping.
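
The two boa.conf findings above (the server running as UID/GID 0, and system binary directories listed in CGIPath) can be checked mechanically across extracted firmware images. The script below is an added example, not part of the original post: the function names and both sample configs are constructed, and the `nobody`/`nogroup` account in the hardened variant is an assumption about what the device could provide.

```python
# Constructed sample built from the directives quoted in the post.
WEAK_CONF = """\
User 0
Group 0
CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
"""

# Constructed hardened variant; the nobody/nogroup account is an assumption.
HARDENED_CONF = """\
User nobody
Group nogroup
CGIPath /plugs/cgi-bin
"""

ROOT_IDS = {"0", "root"}
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}


def parse_boa_conf(text):
    """Return {directive: [values]}, skipping blank lines and '#' comments."""
    directives = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0], []).append(value)
    return directives


def audit_boa_conf(text):
    """Return (directive, value, reason) findings for one config."""
    conf = parse_boa_conf(text)
    findings = []
    for key in ("User", "Group"):
        for value in conf.get(key, []):
            if value in ROOT_IDS:
                findings.append((key, value, "server and CGI children run as root"))
    # Boa hands CGIPath to CGI programs as their PATH environment variable.
    for value in conf.get("CGIPath", []):
        for entry in value.split(":"):
            if (entry.rstrip("/") or "/") in SYSTEM_BIN_DIRS:
                findings.append(("CGIPath", entry, "system binaries on the CGI PATH"))
    return findings


if __name__ == "__main__":
    for directive, value, reason in audit_boa_conf(WEAK_CONF):
        print(f"{directive} {value}: {reason}")
```

To audit a real image, pass the contents of `squashfs-root/etc/boa/boa.conf` to `audit_boa_conf` instead of the constructed sample.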

Monday, January 15, 2018

One Small Step for Machine Kind

After having a metal lathe for a while, and really wanting to be able to mill some stuff (for no reason), and (after receiving a 25% off coupon at Horror Fright) I finally knuckled under.  I bought their mini mill.  I ordered it two weeks ago, and received it within 4 days of the order (uh, for freight, that's pretty good).  It shipped via FedEx, and it was boxed up pretty well :



I didn't have immediate time to do anything with it, so the crate sat in the garage for a week and a half.  Today, in order to celebrate diversity, I cracked white wood open to reveal a tool of many colors.  I have to say, it was packed to be protected, too.  Full of styrofoam, my sweet wife said I looked like I cussed a few times trying to get it out.  Ultimately, I dismantled the crate to get to the styrofoam, and then the styrofoam easily popped out.



After taking a quick inventory, I was wondering why I had another handle for the milling head wheel.  The paper said it was a "drawbar".  Someone in China probably didn't realize that a drawbar is a bit different, but hey, it looks like it will work fine for what it was intended for.


The chuck came mounted in the spindle (R8), and it definitely looks like it is not square (tipped sideways).  That is something easily remedied after tramming a drill press table.  Once I get the space for the mill, I'll clean it all the way up and tram it in.  Hearing that the thread pitch for the tables was not on the half inch, the second thing I did was check the wheel dials, and sure enough, the table is on 0.625" per full turn, while the headstock is 0.60 or 0.060" per rotation :




Well, that is definitely not a deal breaker.  For as cheap as this was, I think it will get my foot in the door on milling, and it will fit my current needs well.  Here is my list of to-do's :


  1. Belt Drive Upgrade (big difference in noise and reducing chattering of endmills from the plastic gears)
  2. Changing headstock spring and moving to a constant force piston
  3. Add a DRO
  4. Square vice or vice jaws
  5. Collets instead of the chuck (already done)
  6. Light on the work area
  7. Traverse endmills (better end mills than the cheap Chinese stuff)
  8. Plastic covers for the tables/ways (so you have less to clean up)
  9. Depth gauge to work in tight areas (e.g. under the headstock)
  10. Leather wrapping the motor to reduce noise.
  11. Change lead screws from 0.625 pitch to 0.50 pitch
  12. CNC changes