Apr 222010
 

For the longest time I’ve been on Fido with a unlocked (direct from Sony) Xperia X1a. I’ve never had any problems with it at all. Everything worked flawless. It was a great setup. Exchange, connecting to my VPN, etc…

Recently I setup a corporate plan with Rogers. Ended up getting a bunch of Xperia X1s at a discounted rate since I signed a 3 year on a bunch of lines… Turns out Rogers charges you for an “external IP” that you can use to connect to your business VPN. If you don’t add this option you will not be able to connect to a VPN.

After setting up the VPN.com apn on the new rogers (rogers firmware) Xperia X1s, I noticed that everything worked except simple web page browsing (in both browsers). No errors, just loaded completely blank pages. When changing apn back to internet.com everything worked fine. I automaticly assumed this was related to a “hidden proxy” configured somewhere on the phone.

From this behavior I went ahead and checked the config on the device, no proxies were configured anywhere. Rogers denied the proxy existed, I’m not sure if they do this because they don’t want anyone knowing their internet is being filtered/monitored, or if tech’s simply do not know.

While waiting for a call back from Tier 2 support, I went ahead and started fishing through the registry. I found a bunch of very odd registry entries pertaining to proxies. There was a SOCKS proxy configured, along with what appeared to be a HTTP Proxy, a few other entries also existed which were configured.

After removing these “odd” proxy registry keys, all of a sudden everything started working. Please note that if you modify these settings, you may break your configuration. Any of your providers “online” services (such as ring tone marketplace, application marketplace, etc…) also may cease to function properly (as these services are probably being hosted on their internal network).

To Remove:

1. Open your phone’s registry using any Windows Mobile Registry editor. I use “CeRegEditor” available at: http://ceregeditor.mdsoft.pl/

2. Open “HKEY_LOCAL_MACHINE”, then open “Comm”, then open “ConnMgr”. Under this value, you should be able to see all the devices configured GPRS/HSPA/HSDPA data connections. Browse through the folders and look for a “Proxy” entry. The “Proxy” entry is the configured hidden proxy. I simply deleted this key. If you find anything that has a value of “inet-new” or “inet-corp” you can safely ignore these as I have found they are part of the standard Windows Mobile firmware.

3. Take a look at the other folders under “ConnMgr”, you may notice a few items called “SOCKS”, and “HTTP”. Go into these folders, and remove the proxy values. As I mentioned before if you see any keys with the values “inet-new” or “inet-corp” you can safely ignore these.

Please note that this worked in my specific case. Your results may vary. Also insure that you have made a backup of the keys you have modified in case you need to revert back. Depending on the way your provider has configured your device you may also be tampering with other services (ie. MMS, WAP).

Apr 222010
 

Recently with the new vulnerabilities with Java, I needed to push the latest Java update remotely to all of my clients currently using my companies “Managed Services”.

The upgrade was being scheduled for certain dates per location, however as of Tuesday morning I noticed that some computers were being hit with some of the newer vulnerabilities recently discovered.

This all of a sudden changed the priority from “high priority” to “emergency”. I needed a  quick and efficient means of pushing this update to computers at client sites.

Active Directory allows system administrators to push, allow, or make available software installations to users. This is all controlled inside of Active Directory Group Policy Management.

To push the latest Java update to all computers on a network, I had to perform the steps below:

1. Download the “Offline Installation” of Java from the Java website. Open the file, do not proceed to continue the installation. (You will simply hit cancel after you extract the MSI and other files needed).

2. Open a explorer and browse to C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\jre1.6.0_20. After navigating to this location copy “Data1.cab”, “jre1.6.0_20.msi”, and “sp1033.MST” to a new folder (I chose a folder on my desktop).

3. Log into the remote server, create a file share (for example NetInstall), and configure users read access only.

4. Copy the folder you created on your desktop to the new file share on the server. Remember to use a naming scheme for the applications you wish to push so that they all make sense and can be organized.

5. On the server, go to Start -> Administrative Tools -> Group Policy Management

6. Either create a new GPO, or use an existing on that you have configured. If you are unfamiliar with this, it may be worth while doing some online research on GPOs. In my case I right clicked, and chose edit on the “Windows SBS Client Policy” GPO on SBS 2008.

7. Expand Computer Configuration, policies, Software Settings, Software installation. Right click on “Software Installation” and select new package. Follow the instructions.

8. When choosing the location of the .msi file, PLEASE make sure that you browse to it using your UNC network path. This location has to be somewhere where all the computers have access to. (I.E. don’t use C:\Folder\file.msi, you would rather use \\servername\sharename\programname\file.msi).

At this point you have now configured the server to force install Java on all the computers that apply to that GPO. This is perfect to make sure that all your clients are running the latest versions of free software available. It will also help with managing vulnerabilities with aging software, etc…

Please note: If this doesn’t work right away it is because the client workstations need to refresh their GPO. After the GPO is refreshed on the client workstation side, the system should install the package on next reboot.

There are some other neat things you can do with GPOs, and pushing applications on your network, however I’m not covering it in this document. For example instead of using “Computer Configuration”, you could use “User Configuration”, and instead of forcing applications you could actually make applications available for install through “Add/Remove Programs” for users to install.

Please always make sure that any applications you use are properly paid for and/or licensed.

Apr 112010
 

Some time ago, I needed to configure an SIP trunk between a Trixbox/FreePBX (Asterisk on Linux) PBX and a Cisco Call Manager PBX. It was pretty hard to find any relevant information on the internet, however eventually I figured out how to do it. Originally this article was written for Trixbox, however the same configuration applies to FreePBX (with minor differences in steps due to the UI differences).

Please note that the following configuration reflects a Trixbox/FreePBX PBX configured with phones with extensions of 1XX and the Cisco Unified Call Manager configured with extensions of 3XX.

If you are simply using CUCM for Cisco IP Phone handset connectivity, you don’t even need CUCM anymore, you can simply use the commercial “EndPoint Manager” on FreePBX to handle Cisco IP Phone connectivity to FreePBX (includes the Cisco 7961 phone’s I use).

Trixbox/FreePBX Configuration

Create an SIP Trunk (Leave settings default unless otherwise specified below)

Outgoing Settings

Trunk Name: CallManager

Peer Details:

type=friend

qualify=yes

nat=no

insecure=very

host=ip.address.of.CUCM

fromdomain=ip.address.of.CUCM

dtmf=rfc2833

disallow=all

context=from-internal

canreinvite=no

allow=ulaw

Incoming Settings

USER Context: ip.address.of.CUCM

USER Details:

type=friend

qualify=yes

nat=no

insecure=very

host= ip.address.of.CUCM

fromdomain= ip.address.of.CUCM

dtmf=rfc2833

disallow=all

context=from-internal

canreinvite=no

allow=ulaw

Create an Outbound Route to route calls made to 3XX to the Cisco Call Manager

Create outbound route “Cisco”. Check the “Intra Company Route”, and inside of the Dial Patterns type in 3XX. Under Trunk Sequence select “CallManager”.

This pretty much sums up the amount of configuration required on the Trixbox/FreePBX side of things. Now onto the Cisco stuff.

Cisco Unified Call Manager Configuration

Create an SIP Trunk

Device -> Trunk -> Add New

Trunk Type: SIP Trunk

Device Protocol: SIP

Device Name: TrixboxPBX

Call Classification: OnNet

Check the “Media Termination Point Required” checkbox (this is to handle transfers, hold music, etc…)

Check “Remote-Party-Id”

Check “Asserted-Identity”

SIP Information

Destination Address: IP.address.of.trixboxfreepbx

Uncheck “Destination Address is an SRV”

Destination Port: 5060

MTP Preferred Originating Code: 711ulaw

SIP Trunk Security Profile: Non-Secure SIP Trunk Profile

Change the “Non-Secure SIP Trunk Profile” security profile from TCP to UDP

System -> Security Profile -> SIP Trunk Security Profile

Hit the “Find” button

Select “Non Secure SIP Trunk Profile”

Incoming Transport Type: TCP+UDP

Outgoing Transport Type: UDP

Uncheck “Enable Digest Authentication”

Incoming Port: 5060

Out of the last 6 checkboxes, all should be checked except the First and Last.

Create a Route Pattern to route calls from the Cisco Call Manager to Trixbox

Call Routing -> Route/Hunt -> Route Pattern

Create New

Route Pattern: 1XX

Gateway/Route List: TrixboxPBX

Route Option: Route this pattern

Call Classification: OnNet

Enable Required Services on CUCM

I’m not too sure which ones are actually required, however the below configuration works great. To get to the CUCM services go to the “Cisco Unified Serviceability” section (Top right of web interface).

Enable Services

Tools -> Serviceability

Enable the following:

CM Services

Cisco CallManager

Cisco Tftp

Cisco Messaging Interface

Cisco Unified Mobile Voice Access Service

Cisco IP Voice Media Streaming App

CTI Services

Cisco CallManager Attendant Console Server

Cisco IP Manager Assistant

Cisco WebDialer Web Service

Select “Save”, afterwards select “Set to Default”. Please note that it may take some time to bring the services up.

It’s always a good idea to restart both the Trixbox/FreePBX PBX and the CUCM PBX.

After you have configured the above, configure phones in the 1XX range for the trixbox, configure phones on the CUCM for the 3XX range and they should be able to call each other. Please remember that if you have a PSTN line on your Trixbox or FreePBX you will need to create another route pattern for how to transfer 9XXXXXXXXXX from your CUCM -> Trixbox, then configure the applicable route in Trixbox -> PSTN.

Feedback is welcome, leave a comment!

Apr 112010
 

As with most geeks, I’m a HUGE fan of custom firmware on embedded routers.

Recently I heard about Linksys releasing their new WRT610n. This sucker had 2 radios (First operating 2.4Ghz, the second running 5Ghz). In the past I have done alot of work with WDS mesh nets, etc… so I HAD to get my hands on a few of these. I went to the local tech retailer and picked up two of the V2.0s.

Since these are new devices, most of the 3rd party firmware development is fairly fresh. I don’t know too much about the specifics but from what I understand these units use the 2.6 kernel, whereas most of the past custom development has been done on the 2.4 kernels.

Anyways, I had quite a bit of fun messing around with these, testing some firmware, until finally at one point I accidently flashed the incorrect firmware and bricked the device.

Typically with these new routers, they actually have a built in “Recovery Mode” if you’d want to call it that. Typically if you have a good firmware installed and just accidently messed something up, you can:

1) Unplug power to device, disconnect all network cables.

2) Plug in Power to device

3) Wait a few seconds (2 seconds), and then press the reset button with a paperclip, I’d hold it for about 3 seconds and release.

4) Plug in computer to device, computer will receive an IP from a DHCP Server. Point browser to http://192.168.1.1

5) Use the “Management Firmware update” site that pops up to install the normal linksys firmware.

The above method helped me out a few times, however as stated earlier in this blog entry eventually I overwrote everything and flashed an incorrect image on to the device. (I was freaking out since the method above would NOT work)

Typically in the past you could TFTP a firmware image on boot and it would accept it, however this is no longer the case with the WRT610n. It will accept the firmware file, however it will NOT flash it to the flash on the device.

Here is how I recovered it:

Please note: If you do not know what you are doing, or do something wrong you could fry your device. The serial voltages on the device DO NOT match the voltages on your computer.

You’ll notice there are serial port pins inside of the internet port on the router. This port can provide serial terminal communications to the device and it’s CFE boot loader. Unfortunately I didn’t have the electronics to chip up a voltage regulator to hook it up to my PC, so instead I came up with a different solution. I used a WRT54GS to establish a serial console on the WRT610n.

As some of you know, most of the linksys device serial ports run on 3.3v. I have a bunch of WRT54GS’s lying around so I pulled one out, installed DD-WRT. After installing DD-WRT, I went ahead and used ipkg to install picocom, which is a serial terminal communications application. I essentially could SSH in to the router, then use picocom to initate serial communications (using 3.3v ofcourse).

Unfortunately there is no special connector for the serial port inside of the internet port on the WRT610n. This is where I had to get creative…

Linksys WRT610n Serial Port

You’ll notice above that I simply just used a stripped telephone cable, and simply “touched” the RX and TX pins to the contacts on the board. Maybe you can figure out a better solution, I couldn’t!

Here is the other end:

Linksys WRT54GLinksys WRT54GS

The serial connection requires RX, TX, and ground. To establish the ground, I simply plugged a USB cable into the USB port on the WRT610n, and had the WRT54G ethernet housing touch it on the other end (ghetto, I know!).

After troubleshooting the contact points (kept having trouble with the wires staying on the board contacts, I finally got it to work. I SSH’ed into the WRT54G, opened up a picocom session on the serial port, and plugged in the power to the WRT610N, instantly I saw the CFE boot loader initializing and trying to run the firmware. I FINALLY had access to the bootloader on the WRT610n.

Now was the annoying part, it has been a while since I have done this so it may be flawed:

After confirming your serial connect is working, restart the device and tap “ctrl+c” numerous times to gain access to the CFE prompt. Issue the “flash -ctheader : flash1.trx” (without quotations) command, and then initiate a TFTP upload to the router using your desktop computer. The device should accept it, and boot the image. In my experiences I noticed that after doing this, and restarting the router it would go back to being bricked after first reboot. After performing the above flash, goto the web interface and use the “Firmware Upgrade” to re-flash the image. After completing this, all should be good!

Again, please note that I’m not sure if I used that command in the CFE. Other users have reported that it works. If not, google is your friend and you should be able to figure it out. The hard portion is getting serial access! Please feel free to post the commands you used in the comments so I can update this article.

Apr 112010
 

First off, I’d like to say this is my first post on my new personal blog. Please be sure to check out my other blog I maintain for my company at https://www.digitallyaccurate.com/blog!

I thought I’d make the first post in relation to one of my most favorite things to play with; ESXi.

All over the internet there are many tutorials on putting ESXi on to a USB key using the installer image, and dd command on a working linux install. Here at my office, we have a HP Proliant ML350 G5 running ESXi. We didn’t use the method on these tutorials as there is an easier method.

First download the applicable VMware ESXi 4.X installer image (I’ve included links to the standard installer along with the special HP installer to take advantage of the HP monitoring hardware):

ESXi 4.X Standard Install

http://www.vmware.com/go/get-free-esxi

HP ESXi 4.X Installer (Includes HP CIM Provider)

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPVM06

Please note: I’ve seen a few tech documents stating different sizes required for the USB key. However in all my cases a simple 1GB usb key has worked great!

After downloading the ISO installer for VMware, burn it to a disk.

Insert the empty USB key into the server. If you using a HP server with the hidden USB ports on the main board, insert the usb key now aswell.

Boot off the CD and proceed with the typical VMware ESXi installation, however when it asks you what disk you would like to install ESXi to, choose the USB flash drive.

Follow through with the installation, and you now have a USB key with ESXi installed on it.

In my oppinion, I find this way easier and less time consuming then manually dd’ing the image from the compressed archives onto the USB key using a Linux system. It works, but like I said this method is easier, and takes up less time. (And I always feel safer using the manufacturers installer rather than manually moving/writing hidden images inside of installers).