Wednesday, July 4, 2018

Bullet Ear Buds

At one point, I had made a pair of these (not my video) :


But, since I use them most when traveling on aircraft, I wanted some that worked a little better with not-so-short wires, but that could make it through TSA without being confiscated due to the gun powder residue.

This resulted in a little different approach.  Here's what went into these :


  • Unused and unloaded .40 caliber brass cartridges, nickel plated
  • TDK EB760 Ear Buds for the drivers
  • A cheap pair of braided-wire ear buds from china (the color I wanted), primarily because the TDK wires are too short for me, even before cutting them out
  • A small chunk of round aluminum about a half inch in diameter
Tools used :
  • A cheap harbor freight heat gun
  • A small tool vise
  • Soldering iron
  • Small, round file
  • Drill bit just larger than the to0be-used speaker wire
  • My metal lathe with some collets (you can use a drill as shown in the video, but my experience was better with the lathe as explained later)

Once I had everything, I started by using the lathe to cut a brass plug that would press into the primer spot in the cartridge casing.  It was about 0.172 in diameter and pressed into it perfectly (make sure it's the right side when cutting the fake primer).

Place the casings into the small tool vise, take them over to the drill press, and (using the drill bit just larger than the wires) punch a hole in the side of the casing as shown in the video.  Use a counter sink to remove the raised edges and clean it up.  Do this for the other casing as well.

Next, I measured about 12mm in length from the back of the casing.  I need the line as I will put the casing into a collet with the primer side in the collet to both protect it during the cut, and also allow me to clean it up after the cut.  Make that cut, then bevel the outside edge.  Using a small, round file with a handle bevel the inside edge of the casing as well.  Because we are using un-spent brass, there is no expansion, which results in the casings being a little too snug in comparison to what is in the video, so we absolutely need a centering bevel on the inside.

Using the heat gun, heat all around the TDK ear buds until they come apart.  Don't get them too hot or you could destroy the drivers, and that is what we need out of them.  Once they come apart, cut the wire to release the speaker driver and the casing that holds it (and the rubber/silicone things that hold them in your ears).  The driver and the casing the driver sit in are what you want.

You now need the wire from the other ear buds.  Cut them free from the cheap ones, and then push the wire through the small hole from the outside of the casings to the inside.  Tie a knot to prevent them from coming out.

Use a soldering iron, release the old speaker wire still attached to the drivers, and attach the new wire that was fed through the casing side.  You may need to clear insulation on the new wire until you get to the colored speaker wire on the inside.  Solder them up like the old wires were (colored wire to colored pad, copper wire to the other pad).

Finally, I crushed the driver housing when I tried to press the housing into the un-spent brass.  I ended up using the small aluminum round after drilling a hole through it about a 0.25" in diameter, and them putting a concave surface.  I then took that with the driver housing and casing back to the small tool vice.  The round went over the top of the driver housing so I could press on the sides of the driver housing rather than the front, then centered everything up, and pressed them together.





I put the silicone parts back on, and tested them out.  They are pretty slick and pretty nice!  Great sound, cool look, and I HOPE it should get through TSA without confiscation.  Note, I have not yet tried to get these through TSA, so I don't know if they'll make it through.  I certainly hope they will.

Sunday, June 24, 2018

Milling Stand and Ball Turning Attachment

I had a brief moment to work on some "projects", so I took that and ran with it.  First up was a ball turning attachment for the lathe.  I picked up some 5" x 12" x 5/8" steel plate, and drew up the fork on it.  Then I drilled a few holes to make turning corners in the bandsaw a little easier :


Once that was complete, I drilled along the swing arm on the inside (the blade wouldn't be able to make that turn, even with a drilled hole), and then cut along the lines.  I simply used a hammer to break out the inside chunk since I drilled along the base line of it.  Before freeing the entire pieces, I drilled sideways (which will become vertical when complete) to ensure that the pivot points are lined up.  You will see that in the second picture :



Then, the final cut along the hilt where it will sit in the tool post holder to free it all up.  Here is an exploded view of where everything ended up in the plate steel :


The "forks" were still a little rough :



At that point, I used a flap disc on the angle grinder and the milling machine to clean things up.  My biggest worry was making sure the drilled holes when expanded remained on the same axis.  If the top axis was even slightly not lined up with the bottom axis, it won't pivot very easily.  This meant that I MUST drill the final holes in line with the other end.  A drill press won't cut it because it wouldn't guarantee that the axis' would be parallel.  So, I used the live center to keep the points lined up, and a drill bit in a collet.  This allowed me to swap sides, and drill them out.  I did both the frame and the c-channel that pivots.  The large channel was drilled with 3/8" (0.375"), and the c-channel was drilled with a 1/4" (0.250").  On the c-channel, because it was smaller than the swing, I had to use a board between the ways to keep it solid.


Once done, I verified that I could put a 3/8" rod through the holes (meaning they were parallel).  Perfect!


I then had to cut some bushings.  They were first turned down (with a flange) to a minor outside diameter of 0.375" to match the holes.  I drilled them to 0.250" to match the sizes of holes in the c-channel holes.


I pressed the bushings into the frame.


Then, to make sure the whole thing would work properly, I grabbed a 0.250" (1/4") rod and placed it through all of the holes, and ensured that everything turned properly.


The next steps are to broach the tool holder in the c-channel/swing arm (you can see it in the picture above) into a square hole, cut some flats on the 0.250" rod and install some set screws for the rods and tools.  After that, a simple handle and we're good to go!

Speaking of the milling machine, I also built a stand, since it is heavy and I don't like moving it around.  I also have limited space on tool storage, so I had to make it "mobile".  Turned out okay :



Wednesday, May 16, 2018

Mechanical Science Curriculum

It has been a while, but that doesn't mean things have slowed down.  In fact, they are getting busier.  I wanted to find out why I am so busy, but I just can't find the time to do it.

To add to the problem, a neighbor has a son who wants to get some mechanical studies in this summer (kind of a mentorship).  The lad is in high school, and has had some issues with mathematics.  I accepted for two reasons.  First, he's a brilliant kid, and if I can help channel that into actionable understanding, he will go a long way.  Second, when someone wants to learn about things, who am I to stop it?  So, I am now starting a new [temporary] mentorship.

The topic he requested is mechanics.  Not mechanical engineering (he is a bit tentative of any engineering right now because of the math, though I think he's got it down pat) or physics.  Mechanics.  That means I have to bridge both physics and mechanical engineering in a way that will get him to the water hose in ways he can understand.  Everyone who has worked with mechanics will be aware that there is definitely engineering involved, and definitely physics.  In fact, mechanics are the common ground of the two in a Venn diagram.  So, I have to get him to that point, then branch him out.

My thoughts are as follows.  First, we need to teach basic principles of physics without a book or "homework" of doing math.  It has to be an applied method.  I have a few resources at my disposal.  I can always tap into the MIT OpenCourse for mechanical engineering.  I started trying to map out how to teach the principles by searching for pre-made kits that one could buy, but the wide range I needed to cover was not available in one place, so an additional resource smacked me in the head like a 2x4 - I have a 3D printer.  I can design and print small "gadgets" that demonstrate application of physics.  Here's what I'd like to cover :

Basic concepts
  • Work
  • Horsepower
  • Torque
  • Pressure
  • Location of energy (e.g. Internal/External (thrust vs. pushing), pulling, etc
Types of energy or motion
  • Cyclic/Oscillational
  • Rotary
  • Linear
Converting, transfer, and scaling of energy or motion
I have my work cut out for me - I have less than a month to start crafting a curriculum and getting prints created.

Saturday, February 24, 2018

No-Kit CNC for X2 Mini Mill

Finally found a good set of instructions.  It's a series, so not a single video, and this guy runs through the whole process of making his own kit.  Check it out :


Now I have to build a stand to get it into an operable position, then I can use the machine to build accessories for the machine.

Saturday, February 3, 2018

Remote Control Cheapness Turns Into New Part

Today was my first Saturday that I could do anything.  I had some stuff to do (like cleaning bathrooms, vacuuming, and mopping the floor).  I also had a request from someone that I needed to do.  They had a radio-controlled car that had a piece of plastic in the controller.  That little piece had snapped - it wasn't built well enough (many people had that same problem).  He wanted me to make a replacement (probably thinking 3D printing, but I ultimately chose brass).

I initially tried to glue it together to get it solid enough to get an outline.  Epoxy didn't do very well.


Again, if I'm going to make a part that has stresses applied on it, I'm going to make it solid, so I chose brass.  There was one issue, though - the part was 0.1" deep.  Nobody makes anything exactly 0.1" thick.  I grabbed a chunk of brass cutoff from a local shop (I love my local supply store).  It came at 0.1875" thick (3/16"). I needed to break out the mill, but I had to clean it first to have it ready to run.  I took it apart.


Once it was dismantled, I started cleaning things off (lots of cosmoline coating everything on it).  I grabbed a few photos of the cleaning process, just to show how much cosmoline was on that thing.  Appearances of the differences are pretty stark.






Next up was the actual intent for breaking it out - I needed to machine the brass from 0.1875" down to 0.1".  I don't have a hold-down clamping set for this thing, so instead I found some 3/8" threaded rod, grabbed some scrap and punched holes in it, and bolted it down.  I found the top, then milled it out :



Now that I had the brass "plate", I could cut the part out.  This was when I tried to epoxy the two pieces together.

It didn't work, but I was able to clamp both parts down in place enough to get a trace of the part.  Once I had that, I used a cutoff wheel on the Dremel to slot down to the outline.  Once I was "close enough", I used some small needle files to finish it to size.  I also filed some of the edges down to get it to the right part.



Next up is giving it back over to that guy to see if he can make it work.

Wednesday, January 24, 2018

IPC Camera Hacking

After my run-in with HikVision and HoSafe cameras (no provided firmwares that they would send to me), I decided to try another cheap camera.  What I settled on had someone claiming that the cameras wouldn't dial home to China.  They were Camius BoltV cameras.

When I checked, they were all based on the same chinese maker, and branded with their own firmwares.  For example, the first ones were HoSafe, and returned the model "JVS-HI3516CS" (see the More on Chinese Camera Hacking post).  The second, HikVision cameras returned something similar (but I do not have that as the camera was phased out quickly due to a hardware failure), and the latest Camius BoltV returns :
    root@kali:~# strings CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw |head -n5
    RSUp
    IPC3516D
    IPC3516D
    V170913
    V170911
    
Hm. Looks like a new company in the same old market, base model of HI3516, so let me ask you a quick question.  It doesn't "dial home" because someone on the Internet said it doesn't. Is that , right?  Let's see.  Let's boot one up inside of my no-access network and see what we get.
    Jan 24 17:59:12 hostname dhcpd: DHCPDISCOVER from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:12 hostname dhcpd: DHCPOFFER on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPREQUEST for 192.168.1.30 (192.168.1.1) from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPACK on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    
Looks good so far.  I wait for a few minutes, and no DNS lookups.  Looks great!  I load up the browser, and....
    09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
    09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
    09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.256390 IP 192.168.1.30.38702 > router.example.com.domain: 11534+ A? p2p.anlian.co. (31)
    09:26:39.256489 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
    09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.273923 IP 192.168.1.30.50096 > router.example.com.domain: 11536+ A? p2p.anlian.co. (31)
    09:26:41.274022 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.274857 IP 192.168.1.30.36165 > router.example.com.domain: 11537+ A? p2p.anlian.co. (31)
    09:26:41.274956 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.292613 IP 192.168.1.30.58809 > router.example.com.domain: 11538+ A? p2p.anlian.co. (31)
    09:26:43.292800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.293694 IP 192.168.1.30.33953 > router.example.com.domain: 11539+ A? p2p.anlian.co. (31)
    09:26:43.293800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.294944 IP 192.168.1.30.37312 > router.example.com.domain: 11540+ A? p2p.anlian.co. (31)
    09:26:43.295039 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.312929 IP 192.168.1.30.34936 > router.example.com.domain: 11541+ A? p2p.anlian.co. (31)
    09:26:45.313133 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.315165 IP 192.168.1.30.32893 > router.example.com.domain: 11542+ A? p2p.anlian.co. (31)
    09:26:45.315265 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.316177 IP 192.168.1.30.60287 > router.example.com.domain: 11543+ A? p2p.anlian.co. (31)
    09:26:45.316273 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
    09:26:46.288148 ARP, Reply 192.168.1.30 is-at 58:e8:76:01:05:fe (oui Unknown), length 46
    09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
    09:26:47.333058 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.334285 IP 192.168.1.30.35320 > router.example.com.domain: 11545+ A? p2p.anlian.co. (31)
    09:26:47.334409 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.335774 IP 192.168.1.30.51734 > router.example.com.domain: 11546+ A? p2p.anlian.co. (31)
After connecting with the browser, it appears to dial home to China, to a peer-to-peer network.   People seem to answer questions they know nothing about.

With that out of the way, let's see what we have.  I first ran NMAP against the camera :
    root@kali:~# map -sT -O 192.168.1.30
    Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-20 08:33 MST
    Nmap scan report for 192.168.128.31
    Host is up (0.0031s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    23/tcp   open  telnet
    80/tcp   open  http
    554/tcp  open  rtsp
    7000/tcp open  afs3-fileserver
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.60%E=4%D=1/20%OT=23%CT=1%CU=39315%PV=Y%DS=2%DC=I%G=Y%TM=5A63616
    OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=11%GCD=FA00%ISR=9C%TI=I%CI=I%TS=U)OPS(O1=
    OS:M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFFF%W2=FFFF%W3=FFFF
    OS:%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=41%W=FFFF%O=M5B4%CC=N%Q=)T1(R=Y%
    OS:DF=N%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=100%W=0%S=Z%A=S%F=AR%O=%RD
    OS:=0%Q=)T3(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=100%W
    OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
    OS:)T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=100%W=0%S=Z%
    OS:A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=37%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
    OS:UCK=G%RUD=G)IE(R=N)
    
    Network Distance: 2 hops
    
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
    
    root@kali:~# 
    
That looks like the last one, except the ports are different.  Aside from that, pretty near perfect.  This seems to be better in security, though, as every request from Hydra gave us false positives (a basic redirection to another location).
    workstation:~ username$ curl http://192.168.1.30/cgi-bin/something.pl
    <root>
    <port>9988</port>
    <devtype>5932089570895921152</devtype>
    <langstrs>ENU FRA DEU ITA PTG RUS ESN</langstrs>
    <curlang>ENU</curlang>
    <custom>CAMIUS</custom>
    <logo>CAMIUS</logo>
    <uiversion>0</uiversion>
    <sdcardpageshow>0</sdcardpageshow>
    <title></title>
    <firstloginflag>0</firstloginflag>
    <pluginfile>0</pluginfile>
    <devicetime>2015-01-14_12-39-53</devicetime>
    </root>
    workstation:~ username$
    
So, I can't explore this one like I did HikVision or Hosafe.  Next try is to see if I could find the firmware.  Lo and behold!  A company that allowed the firmware to be downloaded!  Here's why this is beneficial.  We can dismantle the firmware to see what we have in there.  I'd never done this before, so it was an exercise in learning.  Maybe this will help.

Everything I read online explained to use binwalk, then firmware-mod-tools.  I ran binwalk (like I was supposed to), and then firmware-mod-tools to explode what binwalk found :
    root@kali:~# binwalk CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# /opt/firmware-mod-kit/trunk/extract-firmware.sh CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    [... a whole lot of compilation errors ...]
    @kali:~#
    
Apparently, the distribution for Kali doesn't compile the firmware-mod-tools.  Then I found a nifty little flag in binwalk that gave me what I needed, which was a nifty little -e option to explode what was found :
    root@kali:~# binwalk -e CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# ls -ltr
    total 86448
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Videos
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Templates
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Public
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Pictures
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Music
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Downloads
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Documents
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Desktop
Sweet!  I started immediately exploring the system after finding every file now available to me :
    root@kali:~# ls -ltr
    total 86448
    [... snip ...]
    drwxr-xr-x 5 root root     4096 Jan 21 08:00 _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted
    root@kali:~#
    root@kali:~# cd _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls
    2DBC40.squashfs  577C40.squashfs  squashfs-root    squashfs-root-1
    406E4            A51238.squashfs  squashfs-root-0
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls squashfs-root
    bin   etc   lib         mkimg.rootfs   moudle   plugs  root   sys  var
    boot  home  linuxrc     mknod_console  nfsroot  ppp    sbin   tmp
    dev   init  lost+found  mnt            opt      proc   share  usr
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# cd squashfs-root
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root# cd etc/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# ls
    boa    fs-version  group   inittab     mtab    passwd-  profile    resolv.conf  udev
    fstab  goahead     init.d  mime.types  passwd  ppp      protocols  services
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# cp passwd ~/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc#
    
And now I only needed to run john-the-ripper on the password file and locate the proper RTSP stream for motion detection.  However, after a few days of running John, I still didn't have a matching password.  So, I started looking for other ways to gain that access.  But, let's keep digging, just because I am curious.  In the exploded web squashfs, we see just a bit more information :

Hm. A lot of binary files, but some configs.  So, what service is running HTTP?  I believe it is BOA, and in the root FS filesystem's /etc/boa/boa.conf, there is this interesting little setting for the server to run as :
    User 0
    Group 0
    
Huh?  Wow.  If you can run anything on the service, you have ROOT ACCESS! So, let's see what else is in there :
    DocumentRoot /plugs
    [... snip ...]
    CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
    
[SARCASM] Beautifully secure [/SARCASM]! It looks like if you can get any of the jobs in the cgi-bin directory of the second squashfs, you have a successful breach, because it will run any command as root that is in the /bin or /usr/bin or /usr/local/bin directories.  Unfortunately, there is only one thing in /cgi-bin, and that is media port.cgi, which is an ELF tool :
    root@kali:~# file mediaport.cgi
    mediaport.cgi: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
    root@kali:~#
    
This might not be as easy as I was hoping.

Monday, January 15, 2018

One Small Step for Machine Kind

After having a metal lathe for a while, and really wanting to be able to mill some stuff (for no reason), and (after receiving a 25% off coupon at Horror Fright) I finally knuckled under.  I bought their mini mill.  I ordered it two weeks ago, and received it within 4 days of the order (uh, for freight, that's pretty good).  It shipped via FedEx, and it was boxed up pretty well :



I didn't have immediate time to do anything with it, so the crate sat in the garage for a week and a half.  Today, in order to celebrate diversity, I cracked white wood open to reveal a tool of many colors.  I have to say, it was packed to be protected, too.  Full of styrofoam, my sweet wife said I looked like I cussed a few times trying to get it out.  Ultimately, I dismantled the crate to get to the styrofoam, and then the styrofoam easily popped out.



After taking a quick inventory, I was wondering why I had another handle for the milling head wheel.  The paper said it was a "drawbar".  Someone in China probably didn't realize that a drawbar is a bit different, but hey, it appears like what it was intended for will work fine..


The chuck came mounted in the spindle (R8), and it definitely looks like it is not square (tipped sideways).  That is something easily remedied after tramming a drill press table.  Once I get the space for the mill, I'll clean it all the way up and tram it in.  Hearing that the thread pitch for the tables was not on the half inch, the second thing I did was check the wheel dials, and sure enough, the table is on 0.625" per full turn, while the headstock is 0.60 or 0.060" per rotation :




Well, that is definitely not a deal breaker.  For as cheap as this was, I think it will get my foot in the door on milling, and it will fit my current needs well.  Here is my list of to-do's :


  1. Belt Drive Upgrade (big difference in noise and reducing chattering of endmills from the plastic gears)
  2. Changing headstock spring and moving to a constant force piston
  3. Add a DRO
  4. Square vice or vice jaws
  5. Collets instead of the chuck (already done)
  6. Light on the work area
  7. Traverse endmills (better end mills than the cheap Chinese stuff)
  8. Plastic covers  for the tables/ways (so you have less to clean up)
  9. Depth gauge to work in tight areas (e.g. under the headstock)
  10. Leather wrapping the motor to reduce noise.
  11. Change lead screws from 0.625 pitch to 0.50 pitch)
  12. CnC changes

Sunday, January 14, 2018

No Supervision is a Bad Idea

An engineer should never be left alone in a room full of tools and materials with time on his hand.  As an example, here's the latest conversation.

Right Brain: Hey, I could use a laptop stand for my desk.

Left Brain (this is where the argument of NOT having a laptop stand should be) : You have brass.  Brass would look cool as a laptop stand.  Why not use brass to do it?

Right Brain : Great idea!  I have rubber sheets I used to make the brake bleeder jars, and I have some brass flats.  That means I have exactly what I need!  Shall we get started?

Left Brain : I'm not so sure about this... I mean, how could we bend those flats into a laptop stand?

Right Brain : Not a problem.  We have a press, too.  I'll figure that out, you just worry about making it look good enough that Honey Woman will let it stay inside on the desk.

Left Brain : Cool!

So, here's what happened next.  First, the idea went to an "official standards document", and marked into the material :


Then, starting to get things lined up for the bending of the flats.  First, I tried using machinist clamps to bend the bars at the same time.  But that failed to keep the bars lined up (parallel, yes, but they kept pivoting on me).  My next solution worked, and that was using some steel bar as a "clamp".  The brass was drilled and tapped, then the steel was match drilled to the screws and things were screwed tightly together :



Once that was complete and tested to ensure that there was the lack of movement if I twisted the steel, I headed out to the press and started to bend.  I don't have a fancy compact bender, so I had to use the shop press.  That was difficult to work around the tool without having dies, but it still worked out well :


The hardest part of those bends was actually the lip right on the end, with as short as it is.  I ended up starting it with the press to get it marked properly, and then finished the bend using a MAP torch and a hammer on a steel square tubing chunk.  I did some sanding (all of it by hand, actually, because I didn't want concave surfaces), and then coated it with lacquer to keep it from tarnishing :


Once those were complete, I parted off four hex rod pieces.  The length was the width of the flat bars I'd already painted (they'd sit on the bent flats).  I drilled and tapped them through the side and end-to-end.  I stood things up for a quick "fit" check :


Knowing it looked good, I threw the rods into the lathe and cut threads the length of both of them and rounded the ends.  This allowed me to simply thread the rods through the hex "nuts" that were attached to the brass flats, and bind it all together.  Next was a quick run to the basement to try it all out :



Worked out well, and only took me about a day!

Tuesday, January 2, 2018

New Years Boredom

What happens on New Years' day when you have 3D printer filament, a messy cupboard containing your shaving supplies, and you are full of boredom?  You make something to hold your razors on the cupboard door, that's what.  It's a nice test of the rapid prototyping techniques and tools.  Here's the details.

First, over the last little while, I kept thinking about trying to mount the razors against the inside of the cupboard door.  It keeps them easily accessible, and leaves the rest of the shelf open for other things like shaving gels and other "keep me in a state my wife is willing to be close to me" stuff.  Yeah, this is serious stuff.  I thought about using some robe-hangers found at the local orange-box-type of store, but didn't think it would work.  (Translation: I was too lazy to go buy one of those and try it.)  New Years' morning, I woke up early (it happens a lot, even if I was up late).  It only took me an hour before I needed to do something constructive (there is only so much screen time I guy can take before his engineering kicks in, you know?).  Then it hit me - why not build my razor hangers?  I have everything I need.

I headed out to the shop and grabbed the calipers (uh, just because I might need 0.005" of accuracy), and took a few measurements of the razors in the position I'd be hanging them.  This would simply give me the basic design of the holders.


Next, I opened OpenSCAD (seriously? Yup, I grew up with POV-Ray, so I am used to using code to set up the object.  It took me an hour to get everything the way I wanted it to look.


After the design and a quick STL export, I loaded it into the printer and hit "run".


My wife and I ran and played some racquetball, then came back to a failed print.  The filament got tangled up, and prevented it from being extruded.  [sigh].  I untangled it, got it set up again (with something to keep it spooling), and hit "run" again.


We ran to see "Star Wars".  Finally saw it.  If I actually cared about my "nerd credentials", I'd have been to see it sooner, but I'm willing to wait.  Visited an "adopted" couple of boys (cute, but bouncing-off-of-the-walls kinds of energy).  Then headed and grabbed dinner, came home, and found a successful print.  I did another one (I have two razors), just for that one.  We watched another movie while we ate dinner (Disney's The Sword in the Stone), and I had two prints ready to be cleaned up and installed in less than 24 hours.


This morning, I cleaned them up (breaking support structures out of the parts), and did some sanding on them with a Dremel to remove some of the hard edges.  They turned out nice, so I grabbed some machine screws and installed them.  I know I could have used some body filler to really smooth them out and painted them, but it just wasn't worth it to me.  My wife somewhat enjoys aesthetics.  To me, it has to have a good function. We are great together, because when our heads work together, we can do some amazing work.  So, they got installed as-is, and are fully functional.


Not a bad little bit of work!