Well-Rounded

[avconv] Convert WMV to MP4

swinful — Mon, 28 Jan 2013 03:57:31 +0000

I just came across a great tool for converting .wmv files to .mp4 and various other formats. I needed to perform this this conversion because either my Panasonic DLNA equipped TV could not playback .wmv files or it is the fault of my QNAP DLNA server. However, .mp4 encoded files play without issue. In the past the tool of choice was ffmpeg, but it is now deprecated and it is suggested to use avconv in the near future:

`--> ffmpeg
ffmpeg version 0.8.4-6:0.8.4-0ubuntu0.12.10.1, Copyright (c) 2000-2012 the Libav developers
  built on Nov  6 2012 16:51:11 with gcc 4.7.2
*** THIS PROGRAM IS DEPRECATED ***
This program is only provided for compatibility and will be removed in a future release. Please use avconv instead.

To check the available codes on your system, the ‘-codecs’ option to avconv displays all supported codecs and whether it is possible to encode, decode and perform various other tasks as the legend shows. To the left of codec are the supported functions. For example:

`--> avconv -codecs | head -10 && avconv -loglevel quiet -codecs | egrep "(wmv)"
avconv version 0.8.4-6:0.8.4-0ubuntu0.12.10.1, Copyright (c) 2000-2012 the Libav developers
  built on Nov  6 2012 16:51:11 with gcc 4.7.2
Codecs:
 D..... = Decoding supported
 .E.... = Encoding supported
 ..V... = Video codec
 ..A... = Audio codec
 ..S... = Subtitle codec
 ...S.. = Supports draw_horiz_band
 ....D. = Supports direct rendering method 1
 .....T = Supports weird frame truncation
 ------
 DEVSD  wmv1            Windows Media Video 7
 DEVSD  wmv2            Windows Media Video 8
 D V D  wmv3            Windows Media Video 9
 D V D  wmv3_vdpau      Windows Media Video 9 VDPAU
 D V D  wmv3image       Windows Media Video 9 Image

To convert our sample file: 1-25_681_webinar_2.wmv, 44MB in size, with the following characteristics:

`--> du -sh 1-25_681_webinar_2.wmv
44M     1-25_681_webinar_2.wmv

`--> avconv -i 1-25_681_webinar_2.wmv
avconv version 0.8.4-6:0.8.4-0ubuntu0.12.10.1, Copyright (c) 2000-2012 the Libav developers
  built on Nov  6 2012 16:51:11 with gcc 4.7.2
[wmv3 @ 0xa50be0] Extra data: 8 bits left, value: 0
Input #0, asf, from '1-25_681_webinar_2.wmv':
  Metadata:
    title           : 1-25 681 webinar 2
    WMFSDKVersion   : 11.0.5721.5251
    WMFSDKNeeded    : 0.0.0.0000
    IsVBR           : 1
    VBR Peak        : 295
    Buffer Average  : 772
  Duration: 01:02:38.47, start: 0.000000, bitrate: 96 kb/s
    Stream #0.0(eng): Audio: wmav2, 44100 Hz, 1 channels, s16, 48 kb/s
    Stream #0.1(eng): Video: wmv3 (Main), yuv420p, 640x416, 37 kb/s, 15 tbr, 1k tbn, 1k tbc
At least one output file must be specified

to .mp4 we perform:

`--> sudo avconv -i 1-25_681_webinar_2.wmv -strict experimental 1-25_681_webinar_2.mp4

where the .wmv input file (-i) is encoded into .mp4 using the experimental ‘aac’ encoder (-stric experimental):

avconv version 0.8.4-6:0.8.4-0ubuntu0.12.10.1, Copyright (c) 2000-2012 the Libav developers
  built on Nov  6 2012 16:51:11 with gcc 4.7.2
[wmv3 @ 0x1bd6be0] Extra data: 8 bits left, value: 0
Input #0, asf, from '1-25_681_webinar_2.wmv':
  Metadata:
    title           : 1-25 681 webinar 2
    WMFSDKVersion   : 11.0.5721.5251
    WMFSDKNeeded    : 0.0.0.0000
    IsVBR           : 1
    VBR Peak        : 295
    Buffer Average  : 772
  Duration: 01:02:38.47, start: 0.000000, bitrate: 96 kb/s
    Stream #0.0(eng): Audio: wmav2, 44100 Hz, 1 channels, s16, 48 kb/s
    Stream #0.1(eng): Video: wmv3 (Main), yuv420p, 640x416, 37 kb/s, 15 tbr, 1k tbn, 1k tbc
File '1-25_681_webinar_2.mp4' already exists. Overwrite ? [y/N] y
[buffer @ 0x1bd8860] w:640 h:416 pixfmt:yuv420p
[wmv3 @ 0x1bd6be0] Extra data: 8 bits left, value: 0
Output #0, mp4, to '1-25_681_webinar_2.mp4':
  Metadata:
    title           : 1-25 681 webinar 2
    WMFSDKVersion   : 11.0.5721.5251
    WMFSDKNeeded    : 0.0.0.0000
    IsVBR           : 1
    VBR Peak        : 295
    Buffer Average  : 772
    encoder         : Lavf53.21.0
    Stream #0.0(eng): Video: mpeg4, yuv420p, 640x416, q=2-31, 200 kb/s, 15 tbn, 15 tbc
    Stream #0.1(eng): Audio: aac, 44100 Hz, 1 channels, s16, 200 kb/s
Stream mapping:
  Stream #0:1 -> #0:0 (wmv3 -> mpeg4)
  Stream #0:0 -> #0:1 (wmav2 -> aac)
Press ctrl-c to stop encoding
frame=56377 fps=131 q=27.9 Lsize=  163756kB time=3758.47 bitrate= 356.9kbits/s
video:92153kB audio:69879kB global headers:0kB muxing overhead 1.064378%
178.31s user 8.23s system 43% cpu 7:12.13s total

I was surprised to see the resulting .mp4 was more than twice (160M) as large of the original!

`--> du -sh 1-25_681_webinar_2.*
160M    1-25_681_webinar_2.mp4
44M     1-25_681_webinar_2.wmv

[QNAP] New NAS — TS-569L-US: Just Ordered!

swinful — Tue, 01 Jan 2013 02:25:25 +0000

My QNAP will be delivered this week, in time to start the new year (2013) off right! During my waiting period I started searching for the right memory module to upgrade from 1GB to a total (max) of 3GB. The exact type of memory to use for this QNAP NAS is not disclosed, but on the QNAP website they are selling 2GB for over $150.00 USD!! And, I am not buying that!

After searching the forums one member recommended Kingston KVR1333D3S8S9/2G, which could be found really cheap, for about $10-$30 dollars online. Another member suggested that the memory module inside their TS-269L is that made by ADATA. Based on the specs provided by QNAP on their website:2GB DDR3-1333 204Pin SO-DIMM RAM Module, I decided to purchase the following memory module from Amazon.com: ADATA Premier Series DDR3 1333Mhz 2 GB. The reviews are pretty fair and I will try my luck!

For the harddrives I am starting off with three (3) x 2TB Western Digital Red Drives, ordered right from Amazon! They will be used in a Raid-5 configuration for a total of 4TB, which should be enough for my need for now. I have been very luck for the past five (5) years without having to ever change a single drive in my Hammer N1200 and is still running fine now! **Knock on wood** .

[2012 in review] Site Stats

swinful — Mon, 31 Dec 2012 06:05:34 +0000

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

19,000 people fit into the new Barclays Center to see Jay-Z perform. This blog was viewed about 86,000 times in 2012. If it were a concert at the Barclays Center, it would take about 5 sold-out performances for that many people to see it.

Click here to see the complete report.

[Puppet] Adding The Schema for Storing Node Definitions In LDAP

swinful — Sun, 22 Jan 2012 04:19:58 +0000

Puppet allows the storage of node information in LDAP. For this write-up I will detail how to configure an Oracle Directory Server to store node information that can later be used by a puppet server for the retrieval of node classification information. The use of LDAP eliminates the need of having to use the flat file node.pp for node definitions.

On the server acting as the “puppet master”, ruby ldap client libraries are required. In the example below our “puppet master” server has already been configured on a ubuntu linux server.

Ensure ruby client libraries are installed:

After verifying the absence of the ruby client libraries we install them below:

--> aptitude search ruby | grep -i ldap
...edited...
p   libldap-ruby1.8                 - OpenLDAP library binding for Ruby 1.8
...edited...

--> aptitude install libldap-ruby1.8
...edited...
Fetched 66.8 kB in 0s (109 kB/s)
Selecting previously deselected package libldap-ruby1.8.
(Reading database ... 63468 files and directories currently installed.)
Unpacking libldap-ruby1.8 (from .../libldap-ruby1.8_0.9.7-1.1_amd64.deb) ...
Setting up libldap-ruby1.8 (0.9.7-1.1) ...

`--> ruby -rldap -e "puts :installed"
installed

Update /etc/puppet/puppet.conf to use LDAP

Change your “/etc/puppet/puppet.conf” [master] section to use ldap for node lookups on the master server. For example, the following should be placed in the /etc/puppet/puppet.conf file underneath the section [master]:

[master]
node_terminus = ldap
ldapserver = odsee.goldcoast.com
ldapbase = ou=hosts,dc=goldcoast,dc=com

Were ‘node_terminus’ was originally using file, but will now use ldap. ‘ldapserver’ should point to a valid ldap server that can be accessed on port 389. ‘ldapbase’ is where the puppet master server will look for node information. We will populate this organizational unit (ou) later on. Once the changes have been saved restart the “puppet master”. The ‘nope.pp’ file should no longer be referenced by the master server. But before discarding the file entirely we need to configure LDAP to add the custom puppet schema for our node definitions.

Adding the Puppet Schema to LDAP Directory Server

Next we need to populate our LDAP server to contain the puppet.schema definitions. I recommend visiting the following url for the latest puppet schema:

https://github.com/puppetlabs/puppet/blob/master/ext/ldap/puppet.schema

Login into your directory server. Copy the contents of ‘puppet.schema’ to a temporary file, for example to: /tmp/98puppet.ldif.tmp. The file as is, as of this writing, cannot be imported into Oracle Directory Server Enterprise (ODSEE) without modification.

The original ‘puppet.schema’ looks like:

bash-3.00# cat > /tmp/98puppet.ldif.tmp
attributetype ( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass'
DESC 'Puppet Node Class'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode'
DESC 'Puppet Parent Node'
EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment'
DESC 'Puppet Node Environment'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar'
DESC 'A variable setting for puppet'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' SUP top AUXILIARY
DESC 'Puppet Client objectclass'
MAY ( puppetclass $ parentnode $ environment $ puppetvar ))

It can be easily converted with the following script, located at:

http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration.

in order to work with ODSEE. For example:

bash-3.00# cd /tmp/

bash-3.00# perl ldif2dsee.pl 98puppet.ldif.tmp > 98puppet.ldif

After Conversion, the puppet schema will look like:

bash-3.00# cat 98puppet.ldif

dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass' DESC 'Puppet Node Class' EQUALITY cas
eIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET')
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode' DESC 'Puppet Parent Node' EQUALITY case
IgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'PUPPET')
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment' DESC 'Puppet Node Environment' EQUALI
TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET')
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar' DESC 'A variable setting for puppet' EQ
UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET')
objectClasses: ( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' SUP top AUXILIARY DESC 'Puppet Client 
objectclass' MAY ( puppetClass $ parentNode $ environment $ puppetVar ) X-ORIGIN 'PUPPET')

Copy the resulting file, /tmp/98puppet.ldif, under the ODSEE schema/ path. This is usually under instance-path/config/schema/ :

bash-3.00# cp /tmp/98puppet.ldif /odsee/config/schema/

Restart the LDAP Instance

Before restarting the instance, tail the errors log file, instance-path/logs/errors in one window and in another restart the ldap instance ensuring there were no errors. For example, after restarting the instance:

bash-3.00# dsadm restart /odsee
Directory Server instance '/odsee' stopped

Note: Notice after the restart, the message says “… ‘/odsee’ stopped”. It should have said “… ‘/odsee’ restarted

The errors window should have displayed something similiar to:

[21/Jan/2012:22:25:43 -0500] - slapd shutting down - waiting for 0 threads to terminate
[21/Jan/2012:22:25:43 -0500] - libumem_dummy_thread started.
[21/Jan/2012:22:25:43 -0500] - Waiting for 6 database threads to stop
[21/Jan/2012:22:25:44 -0500] - All database threads now stopped
[21/Jan/2012:22:25:44 -0500] - slapd stopped.
[21/Jan/2012:22:25:47 -0500] - Sun-Directory-Server/11.1.1.3.0 B2010.0630.2254 (64-bit) starting up
[21/Jan/2012:22:25:49 -0500] - Listening on all interfaces port 389 for LDAP requests
[21/Jan/2012:22:25:49 -0500] - Listening on all interfaces port 636 for LDAPS requests
[21/Jan/2012:22:25:49 -0500] - slapd started. 
[21/Jan/2012:22:25:49 -0500] - INFO: 97 entries in the directory database.
...edited...

Verify The Puppet Schema is in LDAP

While still logged into the LDAP server, perform a basic search which should return the schema that was just imported.

bash-3.00# ldapsearch -T -b cn=schema "(objectclass=*)" | grep -i puppet

attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment' DESC 'Puppet Node Environment' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET' )
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass' DESC 'Puppet Node Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET' )
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode' DESC 'Puppet Parent Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'PUPPET' )
attributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar' DESC 'A variable setting for puppet' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'PUPPET' )
objectClasses: ( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' DESC 'Puppet Client objectclass' STRUCTURAL MAY ( puppetClass $ parentNode $ environment $ puppetVar ) X-ORIGIN 'PUPPET' )

Now you should be able to add node information within LDAP.

Add a base node to LDAP

I like to use the command line tool ldapvi for manipulating my ldap entries. I will not go into detail on how to configure ldapvi, but additional information may be found online. Let’s add a base node and assign the “base class” to it. We will place “cn=base”, under the “search base” ou=hosts,cn=goldcoast,dc=com:

--> ldapvi --add -o top -o device -o puppetClient -b cn=base,ou=hosts,cn=goldcoast,cn=com

After invocation, your default editor will open up with a screen similar to this:

# -*- coding: utf-8 -*- vim:encoding=utf-8:
# http://www.lichteblau.com/ldapvi/manual#syntax

### NOTE: objectclass is abstract: top
# structural object class: device
### WARNING: extra structural object class: puppetClient
add cn=base,ou=hosts,cn=goldcoast,cn=com
objectClass: top
objectClass: device
objectClass: puppetClient
cn:
#description:
#l:
#o:
#ou:
#owner:
#seeAlso:
#serialNumber:
puppetClass: base
#parentNode:
#environment:
#puppetVar:

My default editor is “vim” and I uncommented “puppetClass:” in order to use the “base” class for the “base node”. Once done, save and quit the file and you should be presented with authentication to commit the change to ldap — something similiar to:

...edited...
~
/tmp/ldapvi-usdGC1/data: 22 lines, 457 characters.
add: 1, rename: 0, modify: 0, delete: 0
Action? [yYqQvVebB*rsf+?] b

--- Login
Type M-h for help on key bindings.

Filter or DN: 
    Password:

Cheers,
-swinful

[Solaris 11 Express] Configuring Samba via ZFS for use in ActiveDirectory

swinful — Wed, 11 Jan 2012 16:44:58 +0000

“Eh, I checked everywhere! I cannot find that smb.conf. Where could it have gone!?” And I thought he was lying when a colleague of mine mentioned this, trying to enable samba. Well, I checked and could not find any trace of the smb.conf file either. Although samba was enabled via ZFS and we could see the windows shares, we could not access them. Sure enabling samba via zfs was fairly simple and I enabled samba as follows. Considering tank is our dataset on a system called army) with the domain goldcoast.com I performed:

# zfs sharesmb=on tank

which should implicitly enable the SMF: svc:/network/smb/server:default

What was actually missing, since we are in an Active Directory environment was joining our Solaris host to the domain and mapping corresponding Windows users to Unix users — provided the Windows and Unix usernames are the same and in this case they were.

Join Solaris to the Active Directory domain:

# smbadm join -u administrator goldcoast.com

At his point the Windows shares were now accessible, but you may have noticed the file mappings were wrong. For example, on the Windows side of things if you created a new file the owner and group would appear differently on the Unix side, similiar to the below listing:

# ls -ltr
   -rwx------+ 1 2147540993 2147483653          0 May 10 16:24 New Text Document.txt

And with permissions like that, in a shared environment there are sure to be a lot of complaints.

To map all AD users that are part of domain goldcoast.com, considering the local unix accounts have the same name we performed:

# idmap add "winuser:*@goldcoast.com" unixuser:*

And samba is enabled. Try it, try to access the share from Windows using

Start -> Run: \\army\tank

If your Windows machine is connected to an ActiveDirectory Controller you should be prompted for a username/password dialog.

References:

Solaris CIFS Permissions

Oracle Solaris SMB and Windows Interoperability Administration Guide

[Perl] It is never too late to learn!

swinful — Wed, 11 Jan 2012 16:35:54 +0000

All these years and I have never had the need to seriously learn perl until now. While searching for a good beginners guide I was particularly interested in a decent Computer Based Training (CBT), but that was hard to come by — at least trying to find a free one worth my while. I wanted something similar to the old DOS Unix CBT I once used when I was learning UNIX or even something to the extent of the Tcl CBT. Well, I did did not quite find what I was looking for, so instead I checked what was already available on my BSD box for learning perl:

`--> apropos perl | grep doc
perlapi(1)               - autogenerated documentation for the perl public API
perldoc(1)               - Look up Perl documentation in Pod format
perlintern(1)            - autogenerated documentation of purely internal Perl functions
perlplan9(1)             - Plan 9-specific documentation for Perl
perlpod(1)               - the Plain Old Documentation format Xref "POD plain old documentation"
perltoc(1)               - perl documentation table of contents
perlvms(1)               - VMS-specific documentation for Perl

What stood out to me was perltoc(1). And, it is what I used for the basis of starting to learn perl. For example perltoc(1) — like its’ name suggest will provide a brief table of contents for the rest of the perl documentation set. I used it to scan for areas that interested me about perl.

`--> man perltoc | col -bx | egrep "perl.+ -+ .*" | sed 's/^ *//' | more
perltoc - perl documentation table of contents
perlintro -- a brief introduction and overview of Perl
perlreftut - Mark's very short tutorial about references
perldsc - Perl Data Structures Cookbook
perllol - Manipulating Arrays of Arrays in Perl
perlrequick - Perl regular expressions quick start
perlretut - Perl regular expressions tutorial
perlboot - Beginner's Object-Oriented Tutorial
perltoot - Tom's object-oriented tutorial for perl
perltooc - Tom's OO Tutorial for Class Data in Perl
perlbot - Bag'o Object Tricks (the BOT)
perlperf - Perl Performance and Optimization Techniques
perlstyle - Perl style guide
perlcheat - Perl 5 Cheat Sheet
perltrap - Perl traps for the unwary
perldebtut - Perl debugging tutorial
perlfaq - frequently asked questions about Perl
perlfaq  - this document, perlfaq1 - General Questions About Perl,
perlfaq2 - Obtaining and Learning about Perl, perlfaq3 -

Once I got feet wet I decided to purchase one of the O’ Reilly Books: Programming Perl 4th Edition.And, I also found the following sites useful: http://learn.perl.org and http://perldoc.perl.org.

[GnuCash] MacPorts Compile

swinful — Wed, 11 Jan 2012 16:31:16 +0000

Finally! Just finished with the compilation and installation of GnuCash using macports on my PowerBook Pro running Mac OS X 10.5.8:

...edited...
--->  Configuring gnucash
--->  Building gnucash
--->  Staging gnucash into destroot
--->  Installing gnucash @2.4.7_1
--->  Activating gnucash @2.4.7_1
--->  Cleaning gnucash
5150.53s user 1790.23s system 109% cpu 1:45:58.98s total

Now, that took long enough — one hour and forty five minutes! Thought I would share. -;)

[AIX] DBX Installation

swinful — Wed, 11 Jan 2012 16:29:06 +0000

‘Free’ online packages of the AIX debugging tool, dbx, are hard to find. In fact, I do not believe it is freely available unless someone copies it from their installation medium and places it online. My searches turned up nothing. Eventually, I just installed it from the local install media using “smitty install“.

dbx on AIX is part of the bos.adt.debug (Base Application Development) software bundle. If you have the installation media inserted (usually the first CD/DVD), typically accessible via the device ‘cd0′ you can install dbx by performing the following:

# smitty install

References:

http://www-01.ibm.com/support/docview.wss?uid=swg21222456

[TR-069] Verizon FiOS Uses It — But So What?

swinful — Wed, 11 Jan 2012 16:20:40 +0000

I became interested in TR-069 after figuring out my Verizon FiOS router had the capability to be remotely managed by it, allowing my mind to wonder about a couple of “what-if” situations. However, I can see the benefits of this feature from the perspective of the provider. For example, with Tr-069 the provider or manufacture of the device can swiftly deal with problematic issues that would have otherwise allowed for a technician to be dispatched to a customers home, which can be costly. With the ability to perform such tasks as remote firmware upgrade/patching or even the initial configuration of the device for the customer, providers can definitely save a lot of money. Imagine millions of customers needing a technician to be dispatched to their homes due to a major security flaw in the device software?

But what if the provider uses the full capabilities of TR-069 for profit and gain? That I would not be the least bit surprised. After all they do technically own the device while the customer has service with them. But what if a mid-night shift engineer used the capabilities of TR-069 to gain entry into a customers home network to snoop around? Would the customer know? Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? First, what exactly is TR-069?

According to Wikipedia:

TR-069 (Technical Report 069) is a DSL Forum (which was later renamed as Broadband Forum) technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.

In other words, TR-069 is a WAN Management Protocal implemented in client devices such as home routers, set-top boxes and similar equipment leased from ISP’s or cable providers. These client devices are also referred to as CPE’s or a Customer Premise Equipment. TR-069 is the technology that allows vendors to remotely interact with their CPE for such purposes as initial device configuration, troubleshooting and basic management of the device such as performing remote backups or firmware upgrades. This allows vendors to cut costs on field technicians that would have otherwise been dispatched to a customer’s home or office. The protocol allows for communication to take place via SOAP/HTTP, between the CPE and the vendors Auto Configuration Servers (ACS). With TR-069, communication can either be initiated from the vendor side or the customer side without the customer’s knowledge. An ACS can be thought of as a single point of management for all customer devices [2].

So, would the customer know if “someone” was snooping around? Possibly, but they would definitely have to be proactive and check the logs from time to time. Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? This is a big NO! At least not with the equipment provided to them by the manufacturer or their ISP. Trying to disable the abilities of Tr-069 once implemented in a device is damn near impossible, especially when attempted using the FiOS router itself. Check out this screenshot:

You will notice under the “Delete” column, what would have been an option to delete this rule from the outside has been removed. Another example to show the “Verizon FiOS Service” cannot be blocked is something you can test yourself. For example, if you have Internet with FiOS and know your public-ip port “4567″ will be open. Attempting to connect to it via a web-browser should present you with a login prompt. However, not just anyone can connect and I would be surprised if you could get that Login/Password pair. But, what if someone figured out the pair? Or what is an employee at the ISP wanted to snoop around?

[Verizon FiOS] Using Juniper’s SSG 5 As The Main Router

swinful — Fri, 30 Dec 2011 03:44:07 +0000

Juniper SSG 5 Wireless

Using a Juniper SSG5 w/ ScreenOS as the main router for the Verizon FiOS service provides a number of features and benefits over using Verizon’s own wireless router. Some of which are:

Built-in antivirus, antispam and web filtering, allowing for the possibility of stopping all viruses and malware before they damage your network.
Deep (packet) Inspection that has the potential to prevent application-level attacks from flooding the network.
Seven fixed 10/100 interfaces that can each operate individually or as a group in layer 2 and or layer 3 mode, while providing high-speed LAN connectivity and redundant WAN connectivity if so desired.
And much, much more. Here is the full list of features and benefits for the Secure Services Gateways by Juniper Networks (PDF).

Also, worth nothing the is the fact that Verizon’s ActionTec routers use TR-069, a WAN management protocol, that allows the device, also known as the Customer Premises Equipment (CPE), to get and send data to authorized parties or servers. By now having the Verizon ActionTec router behind our SSG we can effectively control this type of communication and even possibly capture the traffic it sends back and forth. There has been chatter on slashdot.org namely the article, Verizon Changing Users Router Passwords, in the past indirectly about this and the infamous open port 4567 on public facing ActionTec routers. My personal experience with TR-069 is later in this post.

We have the Verizon wireless ActionTec, model MI424WR at home and it sits behind our SSG5 with an additional coaxial connection at the back of it. This coaxial is use for connecting one or more set-top boxes (STB) to receive video or provide data in the case of a MoCa setup. When using the SSG5 router from Juniper, we do not completely eliminate the use Verizon’s wireless router as it is needed for TV/Cable service via the coax cable, something the SSG5 cannot provide. I have found, though your mileage might vary, when FiOS is first setup. By default, I am told, technicians perform a MoCA setup, unless a non-MoCA is requested by the customer (what I requested).

MoCA stands for Multimedia over Coax Alliance(MoCA) protocol, which allows for both data and video over a single coaxial cable. Hence, with a MoCA setup, there is no need to run an ethernet cable directly from the Optical Network Terminal (OTN) usually on the side of the home to the FiOS router inside the home. Instead a single coaxial cable is ran that allows both data and video and sometimes voice. So, if you are to use an SSG firewall or similar device with Verizon FiOS you will most likely want the non-MoCA setup, which is what I have for my SSG and it works great! Once working, the SSG needs to be configured in order to allow Verizon’s router to sit behind it using its WAN port. The WAN port of the ActionTec router needs access to the Internet for NAT of the of LAN and Wireless devices that sit behind it. This includes the STB as they need access to the Internet for retrieving channel listing. I will explain this setup via this rough diagram:

FiOS SSG Setup

The setup is pretty straight forward. Again, this setup requires that:

A Verizon tech provision a Non-MoCA setup.
An Ethernet cable is ran from the Optical Network Terminal (ONT), a Non-MoCA configuration, directly to a port of the SSG router (eth0/0) instead of the WAN port of the Verizon router.
The WAN port of the Verizon ActionTec router will connect to a physical port of the SSG to obtain an IP address via DHCP.

The initial configuration to setup the SSG 5 will not be discussed in detail, but I assume the reader knows how to access the SSG device via the serial-console and or one of the network ports. In this setup of the SSG we:

Configure eth0/0 as the WAN interface in the Untrust security zone allow it to act as a DHCP client.
Configure eth0/4 — eth0/6 to bind to bgroup0 on network: 192.168.2.0/24, in the Trust security zone (the WAN port of the Verizon ActionTec connects to once of these ports.)
Configure bgroup0 as a DHCP server to distribute IPs in the range: 192.168.2.30 — 192.168.2.60..

Configure eth0/0 as the WAN interface in the Untrust security zone allowing it to act as a DHCP client.

set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssl
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 route-deny

Afterwards verify that ethernet0/0 on the SSG has a public verizon IP address. You may have to wait a bit up to five minutes for the new IP to come in. Worst case, you may have to call Verizon to break the IP lease. There really is no need to restart the SSG. It will actively request an IP until it is satisfied.

Configure eth0/4 — eth0/6 to bind to bgroup0 on network: 192.168.2.0/24, in the Trust security zone.

set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 ip manageable

Configure bgroup0 as a DHCP server to distribute IPs in the range: 192.168.2.30 — 192.168.2.60.

set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server ip 192.168.1.30 to 192.168.1.60

Afterwards, plug-in the Verizon ActionTec router to one of these ports, ethernet0/4, and it should receive an IP in the defined range. At this point, any communication that is to take place originating from the ActionTec must pass through the SSG.

All of the above command-line can be configured via the SSG’s web interface as well. I don’t show that here as it is pretty much self-explanatory.

Once steps 1 — 3 are complete. The WAN port of the Verizon ActionTec router may be plugged into bgroup0 to receive an IP via DHCP. Next, the policy “Trust” to “UnTrust” should be configured to allow traffic for all devices in the Trust network out to the Untrust. It is left up to the reader to allow or deny specific traffic.

Configure DefaultAllow Policy from Trust to Untrust for devices part of bgroup0

set policy name "DefaultAllow" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log

My personal experience with TR-069

Since the switch to have Verizon’s router “piggy back” my SSG I have noticed periodic communication between our Verizon ActionTec router and at least two public IP addresses. Communication is initiated from the Verizon ActionTec router or CPE device about every 10 to 15 minutes to the following two IP addresses: 72.76.255.44 and 72.76.255.36. Active communication takes place on tcp port 80 and UDP port 6794.

From a whois query and reverse lookup both IPs belong to Verizon and not some third party — at least not by first glance:

OrgName: Verizon Online LLC
OrgId: VRIS
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US
RegDate:
Updated: 2010-08-17
Ref: http://whois.arin.net/rest/org/VRIS

A reverse lookup shows one (72.76.255.36) IP as a DNS server and the other (72.76.255.44) as something else, probably used for channel listing update by the looks of the hostname:


$ dig -x 72.76.255.36 | egrep "SOA|PTR"
255.76.72.in-addr.arpa.	834	IN	SOA	ns5.verizon.net. dns.verizon.com. 2010073001 86400 3600 604800 86400

$ dig -x 72.76.255.44 | egrep "SOA|PTR" 
44.255.76.72.in-addr.arpa. 86309 IN	PTR	mercuryipg.frhdnjbbh09.fiostv.verizon.net.

In another post, I plan on snooping the traffic initiated by the Verizon ActionTec router to the named IPs above. Stay tuned!

Cheers,
-swinful