Posted on 2 Comments

PiHole Status Display – Official Raspberry Pi LCD

PiHole Status Display

On my home network I have a system running PiHole – a DNS server that blocks all unwanted traffic, such as ads. Since I have an official Pi LCD with a broken touch panel, I decided to use the bare LCD as a status display for PiHole.

This requires some extra packages installing onto the base system after PiHole is installed & configured, and the interface automatically starts on bootup. I used the latest Raspbian Jessie Minimal image for this system, and ran everything over a SSH connection.

First thing, get the required packages installed onto the Pi:

sudo apt-get update 
sudo apt-get install -y midori matchbox unclutter x11-xserver-utils xinit xserver-xorg

Once these are installed, it’s time to configure the startup script for Midori to display the status page. Create StartMidori.sh in /home/pi and fill with the following:

#!/bin/sh export DISPLAY=:0 
xset -dpms 
xset s off 
xset s noblank 
unclutter & 
matchbox-window-manager & 
midori -e Fullscreen -a http://127.0.0.1/admin/

This script disables all power management on the system to keep the LCD on, starts unclutter to hide the mouse pointer and finally starts the Matchbox Window Manager to run Midori, which itself is set to fullscreen mode, and the URL of the admin panel is provided.
The next step is to test, give the script executable permissions, and run the script:

chmod +x /home/pi/StartMidori.sh
sudo xinit /home/pi/StartMidori.sh

Once this is run, the LCD should come to life after a short delay with the PiHole stats screen. Close the test & return to the terminal by hitting CTRL+C.

Now the Pi can be configured to autorun this script on boot, the first thing to do here is to enable autologin on the console. This can be done with raspi-config, select Option 3 (Boot Options), then Option B1 (Desktop/CLI), then Option B2 (Console Autologin). When prompted to reboot, select No, as we’ll be finishing off the config before we reboot the system.

The next file to edit is /etc/rc.local, add the command to start the status browser up:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
sudo xinit /home/pi/StartMidori.sh &
exit 0

Here I’ve added in the command just above “exit 0”. This will start the browser as the last thing on bootup. The Pi can now be rebooted, and the status display should start on boot!

PiHole Status Display
PiHole Status Display
Posted on Leave a comment

Securing The New Server & Security In General

This was originally going to be part of another post, but it ended up getting more complex than I originally intended so it’s been given it’s own. I go into into many of my personal security practices, on both my public facing servers & personal machines. Since the intertubes are so central to life these days, good security is a must, especially since most people use the ‘net to do very sensitive operations, such as banking, it’s becoming even more essential to have strong security.

Since bringing the new server online & exposing it to the world, it’s been discovered in record time by the scum of the internet, SSH was under constant attack within 24 hours, and within that time there were over 20,000 failed login attempts in the logs.
This isn’t much of an issue, as I’ve got a strong Fail2Ban configuration running which at the moment is keeping track of some 30 IP addresses that are constantly trying to hammer their way in. No doubt these will be replaced with another string of attacks once they realise that those IPs are being dropped. I also prevent SSH login with passwords – RSA keys only here.
MySQL is the other main target to be concerned about – this is taken care of by disabling root login remotely, and dropping all MySQL traffic at the firewall that hasn’t come from 127.0.0.1.

Keeping the SSH keys on an external device & still keeping things simple just requires some tweaking to the .bashrc file in Linux:

alias ssh='ssh -i <Path To Keys>'

This little snippet makes the ssh client look somewhere else for the keys themselves, while keeping typing to a minimum in the Terminal. This assumes the external storage with the keys always mounts to the same location.

Everything else that can’t be totally blocked from outside access (IMAP, SMTP, FTP, etc), along with Fail2Ban protection, gets very strong passwords, unique to each account, (password reuse in any situation is a big no-no) and where possible TOTP-based two factor authentication is used for front end stuff, all the SSH keys, master passwords & backup codes are themselves kept offline, on encrypted storage, except for when they’re needed. General password management is taken care of by LastPass, and while they’ve been subject to a couple of rather serious vulnerabilities recently, these have been patched & it’s still probably one of the best options out there for a password vault.
There’s more information about those vulnerabilities on the LastPass blog here & here.


This level of security paranoia ensures that unauthorized access is made extremely difficult – an attacker would have to gain physical access to one of my mobile devices with the TOTP application, and have physical access to the storage where all the master keys are kept (along with it’s encryption key, which is safely stored in Meatware), to gain access to anything.
No security can ever be 100% perfect, there’s always going to be an attack surface somewhere, but I’ll certainly go as far as is reasonable, while not making my access a total pain, to keep that attack surface as small as possible,and therefore keeping the internet scum out of my systems.
The last layer of security is a personal VPN server, which keeps all traffic totally encrypted while it’s in transit across my ISP’s network, until it hits the end point server somewhere else in the world. Again, this isn’t perfect, as the data has to be decrypted *somewhere* along the chain.

Posted on Leave a comment

IC Decapping: The Process

As I’ve been posting some photos of decapped ICs lately, I thought I’d share the process I use personally for those that might want to give it a go 😉

The usual method for removing the epoxy package from the silicon is to use hot, concentrated Nitric Acid. Besides the obvious risks of having hot acids around, the decomposition products of the acid, namely NO² (Nitrogen Dioxide) & NO (Nitrogen Oxide), are toxic and corrosive. So until I can get the required fume hood together to make sure I’m not going to corrode the place away, I’ll leave this process to proper labs ;).

The method I use is heat based, using a Propane torch to destroy the epoxy package, without damaging the Silicon die too much.

TMS57002 Audio DSP
TMS57002 Audio DSP

I start off, obviously, with a desoldered IC, the one above an old audio DSP from TI. I usually desolder en-masse for this with a heat gun, stripping the entire board in one go.

FLAMES!
FLAMES!

Next is to apply the torch to the IC. A bit of practice is required here to get the heat level & time exactly right, overheating will cause the die to oxidize & blacken or residual epoxy to stick to the surface.
I usually apply the torch until the package just about stops emitting it’s own yellow flames, meaning the epoxy is almost completely burned away. I also keep the torch flame away from the centre of the IC, where the die is located.
Breathing the fumes from this process isn’t recommended, no doubt besides the obvious soot, the burning plastic will be emitting many compounds not brilliant for Human health!
Once the IC is roasted to taste, it’s quenched in cold water for a few seconds. Sometimes this causes such a high thermal shock that the leadframe cracks off the epoxy around the die perfectly.

All Your Die Belong To Us
All Your Die Belong To Us

Now that the epoxy has been destroyed, it breaks apart easily, and is picked away until I uncover the die itself. (It’s the silver bit in the middle of the left half). The heat from the torch usually destroys the Silver epoxy holding the die to the leadframe, and can be removed easily from the remaining package.

Decapped
Decapped

BGA packages are usually the easiest to decap, flip-chip packages are a total pain due to the solder balls being on the front side of the die, I haven’t managed to get a good result here yet, I’ll probably need to chemically remove the first layer of the die to get at the interesting bits 😉

Slide
Slide

Once the die has been rinsed in clean water & inspected, it’s mounted on a glass microscope slide with a small spot of Cyanoacrylate glue to make handling easier.

Some dies require some cleaning after decapping, for this I use 99% Isopropanol & 99% Acetone, on the end of a cotton bud. Any residual epoxy flakes or oxide stuck to the die can be relatively easily removed with a fingernail – turns out fingernails are hard enough to remove the contamination, but not hard enough to damage the die features.

Once cleaning is complete, the slide is marked with the die identification, and the photographing can begin.

Microscope Mods

I had bought a cheap eBay USB microscope to get started, as I can’t currently afford a proper metallurgical microscope, but I found the resolution of 640×480 very poor. Some modification was required!

Modified Microscope
Modified Microscope

I’ve removed the original sensor board from the back of the optics assembly & attached a Raspberry Pi camera board. The ring that held the original sensor board has been cut down to a minimum, as the Pi camera PCB is slightly too big to fit inside.
The stock ring of LEDs is run direct from the 3.3v power rail on the camera, through a 4.7Ω resistor, for ~80mA. I also added a 1000µF capacitor across the 3.3v supply to compensate a bit for the long cable – when a frame is captured the power draw of the camera increases & causes a bit of voltage drop.

The stock lens was removed from the Pi camera module by careful use of a razor blade – being too rough here *WILL* damage the sensor die or the gold bond wires, which are very close to the edge of the lens housing, so be gentle!

Mounting Base
Mounting Base

The existing mount for the microscope is pretty poor, so I’ve used a couple of surplus ceramic ring magnets as a better base, this also gives me the option of raising or lowering the base by adding or removing magnets.
To get more length between the Pi & the camera, I bought a 1-meter cable extension kit from Pi-Cables over at eBay, cables this long *definitely* require shielding in my space, which is a pretty aggressive RF environment, or interference appears on the display. Not surprising considering the high data rates the cable carries.
The FFC interface is hot-glued to the back of the microscope mount for stability, for handheld use the FFC is pretty flexible & doesn’t apply any force to the scope.

Die Photography

Since I modified the scope with a Raspberry Pi camera module, everything is done through the Pi itself, and the raspistill command.

Pi LCD
Pi LCD

The command I’m currently using to capture the images is:
raspistill -ex auto -awb auto -mm matrix -br 62 -q 100 -vf -hf -f -t 0 -k -v -o CHIPNAME_%03d.jpg

This command waits between each frame for the ENTER key to be pressed, allowing me to position the scope between shots. Pi control & file transfer is done via SSH, while I use the 7″ touch LCD as a viewfinder.

The direct overhead illumination provided by the stock ring of LEDs isn’t ideal for some die shots, so I’m planning on fitting some off-centre LEDs to improve the resulting images.

Image Processing

Obviously I can’t get an ultra-high resolution image with a single shot, due to the focal length, so I have to take many shots (30-180 per die), and stitch them together into a single image.
For this I use Hugin, an open-source panorama photo stitching package.

Hugin
Hugin

Here’s Hugin with the photos loaded in from the Raspberry Pi. To start with I use Hugin’s built in CPFind to process the images for control points. The trick with getting good control points is making sure the images have a high level of overlap, between 50-80%, this way the software doesn’t get confused & stick the images together incorrectly.

Optimiser
Optimiser

After the control points are generated, which for a large number of high resolution images can take some time, I run the optimiser with only Yaw & Pitch selected for all images.

Optimising
Optimising

If all goes well, the resulting optimisation will get the distance between control points to less than 0.3 pixels.

Panorama Preview
Panorama Preview

After the control points & optimisation is done, the resulting image can be previewed before generation.

Texas Instruments TMS67002
Texas Instruments TMS67002

After all the image processing, the resulting die image should look something like the above, with no noticeable gaps.

Posted on Leave a comment

RasPi Terminal Customisations


As seen in the previous post, the SSH terminal of my Pi gives some useful stats. This is done using GNU Screen, with a custom config file.

This file is .screenrc in your user’s home folder. My personal code is posted below:



~/.screenrc
startup_message off
backtick 1 30 30 $HOME/bin/disk.sh
backtick 2 30 30 $HOME/bin/mem.sh
hardstatus alwayslastline
hardstatus string '%{gk}[ %{G}%H %{g}][Disk: %1` RAM: %2`M][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
nonblock 1
defnonblock 1

I have uploaded the pair of scripts for the backticks, and they can be found here:

mem.sh
disk.sh

More to come once my new 16GB Class 10 SD Card arrives!