Transferring Windows 7 OEM license to a new hard drive
Friday, May 30. 2014
This is a follow-up post on my previous post about Replacing Compaq 615 hard drive with a SSD.
It is obvious that when you remove the old hard drive from your PC and replace it with a new one, all your stuff won't be on the new drive. "All your stuff" includes the Windows operating system, your user profile information, settings, background picture of your desktop, all your precious photos, ... the list goes on. So to successfully replace the hard drive, some preliminary steps are needed. Even in the best case, where you're prepared to lose all of your files and information, the only thing that you need to transfer is your Windows 7 license. In Microsoft lingo it is called The Activation. This literally means that your Windows will emulate E.T. and "call home" to verify that you are allowed to run the installation.
In this particular case the following circumstances exist:
- The laptop in question is manufactured by HP/Compaq
- HP/Compaq is a Microsoft OEM partner and they get their Windows 7 licenses with special pricing
- The hardware must have a suitable identification for the OEM partner in its BIOS, called SLIC
- Actual Windows 7 license (activation) will be stored on the hard drive, the OEM product key of this installation is not known
- It is impossible to transfer the activation from old hard drive to the new one. It is possible to re-activate on the new drive when the existing OEM product key has been extracted from the old Windows 7 installation.
- There is nothing illegal in this procedure. You bought the hardware, you own the hardware. With hardware you paid for the Windows 7 license. This is NOT software piracy of any kind.
Abandoned options
There are three good possibilities of transferring an existing Windows installation to the new drive. I chose not to use any of those.
It is possible to create a recovery disc from existing installation. This has been covered in articles How do I create recovery discs on a Compaq 615 and Creating Recovery Discs or Saving a Recovery Image to a USB Flash Drive (Windows 7). There was a glitch, though. The HP Backup & Recovery manager was not installed to this Compaq laptop. I found an article Download hp backup & recovery manager which points to softpaq sp45602.exe containing the installer.
Another way would be to use the Windows 7 built-in backup. There is an option to create the system recovery image. Apparently HP/Compaq chooses to go with this on consumer models.
Other possibilities would include Clonezilla, Acronis True Image, or similar to transfer the entire drive with all the partitions.
The reason why I abandoned all of those was that I definitely wanted a fresh start without any old payload. The HP Backup & Recovery would provide the cleanest start, but still there are a number of weird software being installed, which nobody actually needs or wants. Another thing is that Windows 7 fresh install on SSD takes care of setting the TRIM-flag to the partition and aligns the partitions properly on 4096 byte boundaries. Both of those settings differ when installing to a hard drive. These are pretty much the only differences when installing to SSD instead of HD, but I definitely wanted to get all of my performance settings right from the beginning.
Prerequisites for license transfer
When talking about OEM Windows 7 licenses, the following license types exist: OEM Channel SLP, NONSLP and COA License Product Keys. The difference between those is explained in detail in this article. To put it briefly, in every OEM machine there must be a sticker somewhere. The sticker has the Certificate of Authentication (COA) key. This OEM COA key can be used to activate a Windows 7 installation only via phone. It is a possibility, but not my first choice as there are other options available.
Every OEM Windows 7 also has an OEM System Locked Pre-installation key. The key is not available anywhere. It is hidden intentionally, for the reason that nobody would ever try anything I'm about to describe in this post. To dig out the SLP-key, you will need a special piece of software. My choice is The Magical Jelly Bean Keyfinder. There is a free edition available for download and it just magically tells you your Windows installation key. The smart thing to do is to use the export-option to a USB stick. You can copy/paste your license key from a file later when it is needed.
If you are interested in your settings and data, back up your user profile(s) with Windows Easy Transfer (migwiz.exe). I chose to save the profile data onto a USB hard drive to be restored later.
You must have OEM certificates for the license activation to work. Download the certificate bundle from https://docs.google.com/open?id=0Bxj5NEo7I3z9dWx3VndfenZBWVE. Your hardware manufacturer should be in the archive; if it is not, you cannot proceed.
Optional prerequisite is SLIC ToolKit V3.2. You can download one from https://docs.google.com/open?id=0Bxj5NEo7I3z9WE1NS2dVVjc4VEE. Using this tool really helps you in the process, because you can actually see if it would work and you can verify the steps.
Warning!
If you don't know your SLP-key DO NOT remove the old hard drive.
Installing Windows 7 to the new drive
Warning!
If you don't know your SLP-key DO NOT start installing to the new drive. Put the old drive back and use a keyfinder to get your key.
Update 2nd Jan 2016: My recent findings about possibility of recovering the key with USB-dock. With suitable hardware it is possible to read the key from already removed hard drive.
Update 13th Mar 2015: Microsoft took down their Windows 7 downloads from Digital River. They are not available anymore!
All the Windows 7 SP1 installation images are generally available for download. See Official Windows 7 SP1 ISO from Digital River about details. Again: This is not software piracy! You own the license for your Windows 7, you are entitled to own the installation media for it.
Download the exact version of your installation image. Language may be different, but not all OEM licenses are allowed for both 32-bit and 64-bit installations. If you are changing x86 to x64 there will also be issues with Windows Easy Transfer: it is documented that the transfer wizard works only on the same architecture. To see if your OEM license works both on 32-bit and 64-bit you simply have to test it.
If you need the language files see Windows 7 SP1 Language Packs Direct Download Links and the utility needed to install them Vistalizator. The language packs are different for 32-bit and 64-bit installations, so choose carefully. Windows 7 Ultimate can change languages from control panel, no special tweaks are needed for it.
During installation, choose not to enter a license key. You will end up having a non-activated Windows installation. The technical term is that your activation is on a "grace period". This is what we want to do. Activate later.
Re-activating the license on the new drive
Third warning: You will need your SLP-key for the re-activation to work.
In your Computer properties, there is an option to "Change Product Key". None of your OEM-keys will work there, no matter how much you try. Any activation attempts will yield something like this:
Activation Error code: 0XC004E003 (Product key already in use). There is a lengthy discussion of Clean OEM Windows 7 install returns 0xc004e003 @ Microsoft.
What you need to do is follow instructions from activating windows 7 OEM way. Open a Command Prompt (cmd.exe) and run it as Administrator.
First we confirm that the BIOS has required information in it. It definitely should as the machine had a working Windows 7 in it, but still ... run the SLIC tool to confirm:
It should say "Dump OK!". On the Advanced-tab you can confirm, that there are issues with the activation:
The SLIC status is on green and is valid, but private key and certificate have issues and display a red cert. error.
To fix this, my sequence differs a bit from the article. The first thing to do is to set your SLP-key, say something like this into your command prompt (no, that is not really my SLP-key):
slmgr.vbs -ipk J7JHT-BC3HD-73CQT-WMFJ-XXXXX
It should respond after a delay:
Next install your manufacturer certificate, this will take a while:
slmgr.vbs -ilc HP-COMPAQ.xrm-ms
It should respond after a lengthy delay with something like this:
The last thing to do is to rebuild the certificate store, to start using all these changes:
slmgr.vbs -rilc
That should respond with a simple "Ok". Now you can confirm your activation status with a:
slmgr.vbs -dli
The response should be something like:
If you failed in this process, the response will look more like:
Upon success, the SLIC tool will also display the status as:
Slmgr.vbs is a volume activation tool installed into all Windowses. See more details about it from Slmgr.vbs Options for Volume Activation @ Technet.
The successful activation can be confirmed also from Computer properties. At no part of this activation any network traffic to Microsoft or any other party is required.
Both Microsoft and your PC's manufacturer would like for you not to know anything about this. Both of their businesses rely on the fact, that hardware vendors and their partners will do all the maintenance for your PC while making money at it. Since hacking is about learning how computer stuff works, this is a prime example of hacking. With this information you can hack your own laptop.
Any comments are welcome!
Running AT-commands on your B593
Thursday, May 29. 2014
This is something I've wanted to do for a long time. Ever since I got my B593. Jevgenij has been hacking his B593 and dropped me a comment that he found command /bin/lteat from his box. Obviously I had to SSH into mine to confirm this:
# ssh admin@192.168.1.1 /bin/sh
admin@192.168.1.1's password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell
BusyBox vv1.9.1 (2013-07-25 14:10:15 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls -l /bin/lteat
-rwxrwxrwx 1 0 0 34604 /bin/lteat
... and oh yes! Such a command is there. It is an interactive AT-command shell!
Warning!
Running these AT-commands will mess with your box. The modem does not like to be messed with and my box didn't connect to internet after doing this. There is a simple fix to just reboot the router.
Let's explore some possibilities.
Manufacturer information
Running the AT-command shell:
# lteat
AT>
This is something that worked already in the 80s modems. The classic modem information:
AT>ati
Manufacturer: Huawei Technologies Co., Ltd.
Model: EM920
Revision: 11.433.61.00.07
IMEI: 868031008680310
+GCAP: +CGSM,+DS,+ES
OK
The 15-digit IMEI is broken into two pieces. First 8 numbers are the Type Allocation Code (or TAC). The second part is the 7 number unique id of my unit. That's why I'm not revealing it here.
If we punch the TAC into a http://www.nobbi.com/tacquery.php it will yield a result of:
86803100
Manufacturer = Huawei
Model = B593
Hints = LTE/UMTS Router
Which is not very surprising. That is something we already know.
Telco information
Let's see what we can get from my telco. I found a nice reference List of AT commands to be very helpful. Running command:
AT>AT+COPS=3,2
AT+COPS=3,2
OK
AT>AT+COPS?
AT+COPS?
+COPS: 0,2,"24405",2
OK
The 24405 is my PLMN code (note: this can be found from web GUI's diagnostics wireless status also). According to article Mobile country code, it breaks down to two parts:
Mobile Country Code = MCC = 244
Mobile Network Code = MNC = 05
According to the table:
MCC = 244 = Finland
MNC = 05 = Elisa
Again, something that I already know.
Location information
To dig a bit deeper ... Every cell tower has a unique code. I found information about that from a discussion forum with topic Huawei USB LTE Modem, E3276 K5150 E398 (Modems). The forum says that:
AT+CREG?
+CREG: 2,1, YYYY, XXXXX, 2
OK
Y = LAC
X = Cell ID
Added: Note that both are in hex so need to convert it
Let's try that one out:
AT>AT+CREG=2
AT+CREG=2
OK
AT>AT+CREG?
AT+CREG?
+CREG: 2,1, 620C, 123ABC, 2
OK
Now we have:
LAC = 620C (hex) = 25100 (decimal)
Cell ID = 123ABC (hex) = 1194684 (decimal)
Again, I'm not going to reveal my exact location here! The cell-ID published here is something I made up.
I tested all the gathered information of:
MCC = 244
MNC = 05
LAC = 25100
cell-ID = 1194684
in OpenCellID's search engine, but they don't seem to have my coordinates in it. Maybe I should add them. Yours may very well be there.
According to Wikipedia article, there are a number of databases for cell-IDs, but most of them are commercial and I don't have a license to use them. In general they simply have exact GPS-coordinates of cell towers and they can be used to get a rough estimate of your location.
Signal quality
The last one I did was to get exact signal quality. A B593 has 5 bars in it, which is accurate enough for most users. The hardware has the quality info in much more detailed level. The AT-command list says:
Signal quality
Command: AT+CSQ
Response: +CSQ: <rssi>,<ber>
Let's try that out:
Query for the ranges:
AT>AT+CSQ=?
AT+CSQ=?
+CSQ: (0-31,99),(0-7,99)
OK
Query for the signal quality:
AT>AT+CSQ
AT+CSQ
+CREG: 1, 620C, 123AC1, 2
AT+CSQ
+CSQ: 23,99
OK
Whoa! It also returned a LAC and another cell-ID. The cell-ID is pretty close to the original one, but not exactly the same. Anyway, the Received signal strength indication (RSSI) is 23 and Bit Error Rate (BER) is 99.
By Googling I found out the following information about RSSI:
RSSI (dBm) = RSRP + 10*log10(RB) + | RSRQ | + other noise, temperature noise etc.
You may also see the RSSI vs RSRP: A Brief LTE Signal Strength Primer for details about the signal math.
To put all the logarithms and four-letter acronyms into layman's terms, here is a table that was published in the discussion forum in Finnish by a user with the nickname timtomi. Signal levels are from poor to excellent:
0 | <-113 dBm | poor, signal breaks up and all kinds of nasty |
1 | -111 dBm | poor, signal breaks up and all kinds of nasty |
2 | -109 dBm | works, but signal fluctuates, especially upload |
3 | -107 dBm | works, but signal fluctuates, especially upload |
4 | -105 dBm | works, but signal fluctuates, especially upload |
5 | -103 dBm | works, but signal fluctuates, especially upload |
6 | -101 dBm | works, but signal fluctuates, especially upload |
7 | -99 dBm | still better than ADSL |
8 | -97 dBm | still better than ADSL |
9 | -95 dBm | still better than ADSL |
10 | -93 dBm | still better than ADSL |
11 | -91 dBm | still better than ADSL |
12 | -89 dBm | full download, good upload |
13 | -87 dBm | full download, good upload |
14 | -85 dBm | full download, good upload |
15 | -83 dBm | full download, good upload |
16 | -81 dBm | full download, good upload |
17 | -79 dBm | excellent! good signal and ping |
18 | -77 dBm | excellent! good signal and ping |
19 | -75 dBm | excellent! good signal and ping |
20 | -73 dBm | excellent! good signal and ping |
21 | -71 dBm | excellent! good signal and ping |
22 | -69 dBm | excellent! good signal and ping |
23 | -67 dBm | excellent! good signal and ping |
24 | -65 dBm | excellent! good signal and ping |
25 | -63 dBm | excellent! good signal and ping |
26 | -61 dBm | excellent! good signal and ping |
27 | -59 dBm | you're right next to the cell tower! |
28 | -57 dBm | you're right next to the cell tower! |
29 | -55 dBm | you're right next to the cell tower! |
30 | -53 dBm | you're right next to the cell tower! |
31 | > -51 dBm | you're right next to the cell tower! |
99 | | not known or not detectable |
The BER is typically 99 which means that none could be measured. In general there shouldn't be any errors in the transmission, so 99 is likely what you'll get also.
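The conversions done by hand in the telco, location and signal quality sections above can be automated. The following is an added example, not code from the original post: it parses an lteat transcript, splits the PLMN into MCC/MNC, converts the hex LAC and cell-ID, and maps the +CSQ index to dBm with the linear rule the table implies (-113 + 2 * index). The function names are hypothetical and the transcript is constructed from the values shown on this page.

```python
import re

# Constructed transcript in the format of the lteat sessions on this page.
SAMPLE = """\
AT>AT+COPS?
AT+COPS?
+COPS: 0,2,"24405",2
OK
AT>AT+CREG?
AT+CREG?
+CREG: 2,1, 620C, 123ABC, 2
OK
AT>AT+CSQ=?
AT+CSQ=?
+CSQ: (0-31,99),(0-7,99)
OK
AT>AT+CSQ
AT+CSQ
+CREG: 1, 620C, 123AC1, 2
AT+CSQ
+CSQ: 23,99
OK
"""


def _fields(payload):
    """Split a response payload on commas, dropping spaces and quotes."""
    return [f.strip().strip('"') for f in payload.split(",")]


def parse_cops(payload):
    """+COPS: <mode>,<format>,<oper>,<AcT>; needs numeric format (AT+COPS=3,2)."""
    f = _fields(payload)
    if len(f) < 3 or f[1] != "2" or not re.fullmatch(r"\d{5,6}", f[2]):
        raise ValueError("operator is not in numeric format")
    return {"mcc": f[2][:3], "mnc": f[2][3:]}


def parse_creg(payload, solicited):
    """A reply to AT+CREG? carries a leading <n>; an unsolicited report does not."""
    f = _fields(payload)
    if solicited:
        f = f[1:]
    out = {"stat": int(f[0]), "solicited": solicited}
    if len(f) >= 3:  # LAC and cell-ID are hexadecimal strings
        out["lac"] = int(f[1], 16)
        out["cell_id"] = int(f[2], 16)
    return out


def parse_csq(payload):
    """+CSQ: <rssi>,<ber>; 99 means not known or not detectable."""
    rssi, ber = (int(x) for x in _fields(payload)[:2])
    if not (0 <= rssi <= 31 or rssi == 99):
        raise ValueError("rssi index out of range")
    # Index 0 and 31 are open-ended bounds (<= -113 dBm, >= -51 dBm).
    dbm = None if rssi == 99 else -113 + 2 * rssi
    return {"rssi": rssi, "dbm": dbm, "ber": None if ber == 99 else ber}


def parse_transcript(text):
    """Return a list of (name, parsed) tuples for +COPS, +CREG and +CSQ lines."""
    pending = None  # last echoed command still waiting for its final result
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AT>"):  # lteat prompt plus the typed command
            line = line[3:].strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            pending = line.upper()
            continue
        if line in ("OK", "ERROR"):
            pending = None
            continue
        m = re.match(r"\+(\w+):\s*(.*)", line)
        if not m or m.group(2).startswith("("):
            continue  # not a response, or a range reply to a "=?" test command
        name, payload = m.groups()
        if name == "COPS":
            events.append((name, parse_cops(payload)))
        elif name == "CREG":
            # Assumption: a +CREG line is the solicited reply only while
            # AT+CREG? is the pending command; otherwise it is unsolicited.
            events.append((name, parse_creg(payload, pending == "AT+CREG?")))
        elif name == "CSQ":
            events.append((name, parse_csq(payload)))
    return events


if __name__ == "__main__":
    for name, parsed in parse_transcript(SAMPLE):
        print(name, parsed)
```

The unsolicited +CREG line that showed up in the middle of the AT+CSQ output is reported separately from the solicited one, so a second cell-ID does not silently overwrite the first.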
Replacing Compaq 615 hard drive with a SSD
Wednesday, May 28. 2014
This is a HOWTO instruction for replacing a spinning platter hard drive with a modern faster solid-state drive. Since Compaq 615 has Windows 7 Home Premium OEM installed, I'll blog about the Windows Activation in more detail on my next post.
This kind of Compaq laptop is a quite generic PC. The majority of this information applies to almost any laptop I've disassembled. It's about the location of the drive, location and number of screws, but the information in general covers the operation of replacing a drive with another one.
I started this project with checking for Manuals for Compaq 615 Notebook PC @ HP. The good stuff is at PDF-document with title Compaq 615 Notebook PC and Compaq 610 Notebook PC - Maintenance and Service Guide.
It will contain all the information a service technician would need to successfully operate on this kind of hardware. On page 4-8 it has the hard drive replacement procedure documented.
Anyway, this is something I've done a lot. I briefly checked out the location of the drive and the screws that needed un-screwing. Here is a pic from the flipside of the laptop:
Those two screws hold a HDD-cover in place. The screws even have a HDD-symbol next to them. Un-screw both of them with a small Phillips head screwdriver:
Remove the HDD-cover by pulling up from the side you removed the screws from. The drive is visible:
The drive is held in place by a single Phillips head screw. Remove that too. Pull up from the drive screw bracket and the drive will slide left and reveal a standard S-ATA -connector:
Now you have the drive completely detached from the laptop. The actual hard drive is connected to a metal cradle with 4 Phillips head screws. Un-screw them:
As you can see, the screws are really small. The screws are quite tight, see the blue substance in the screws. It is threadlocker and its purpose is to make sure a screw is tightly attached. If you don't have the proper sized screwdriver, you will destroy the notches of these screws making removal really difficult. This is the only part of disassembly, where I needed to apply some force just to make sure that the screwdriver wouldn't slip.
The next step is to attach the new SSD-drive to the cradle:
Think really carefully which way the drive needs to be attached to the cradle. There are four possible options, but only one of them will yield success. You will see quite soon the position the cradle needs to be in the laptop. The hard part is to figure out which way the drive needs to be to successfully connect to the S-ATA -connector of the laptop.
When the hard part is done, all you need to do is slide the cradle back to S-ATA connector and secure the screw holding the cradle at place. Then put the HDD-cover back and secure the two screws for the cover.
All this will take around 10 minutes in experienced hands. If this is your first laptop maintenance work, reserve an hour. Nothing here requires much force to be applied. If you are applying much force, you're doing something wrong.
Good luck on your project!
Telia Sweden SP102 firmware for u-12
Tuesday, May 27. 2014
Jevgenij dropped me a comment about new firmware. It is from Telia Sweden and you can get it from here http://www.telia.se/privat/support/mobiltbredband/uppdaterausbmodemorouter#huaweib593formac=&tabMenu_0=huaweib593formac The direct download link is https://www.telia.se/dms/mgnl-ext-dms/www-telia-se-ui/installation-files/se_telia_r-m-h-s.tar/se_telia_r-m-h-s.tar.bz2 The firmware seems to have nice features, SMS and even to force for 2G-operation. He highly recommends this one. This looks very promising, perhaps I'll try this myself.
I upgraded my B593 with this one and can confirm that it works well. GUI-languages are: Svenska, Suomi, Pусский, Norsk, Dansk, Eesti, Lietuviu and Latviešu. No setup wizard. Has external antenna support. No VoIP. No DDNS. Mode selector has 5 options: auto, auto 3G/4g, 2G only, 3G only and 4G only. SMS in/out. No DLNA. So it is little bit light on features, but is fully exploitable and SP102!
The file will contain a SP102 for u-12. Although The Exploit does not work, it seems to have a nice bug in it. When you're FTPing into it, it will open also SSH-port! Whaat!
Warning:
SSH passwords are reset to something the telco set. However, USB/FTP-hack will work and you can get the /var/sshusers.cfg and look at the plaintext password from there.
Windows 8 desktop icon fail [Fixed]
Thursday, May 22. 2014
Windows 8 (or 8.1) is one of the not-so-popular operating systems. Even Microsoft employees admit Windows 8 is 'the new Vista'. Ok, they failed on that. Perhaps Windows 9 will be better.
Now that we have that out, there are a number of weird things in that OS. The one bugging me most is the fact that the full screen app icons that appear when you move the cursor to the top-left corner of your desktop are failing to display. This happens to me very often. It seems to have something to do with sleep/hibernate on my Win8 laptop. It should look like this:
But it looks like this instead:
Not cool.
There are some shadows from the icons, but nothing usable or nothing that I could use to identify which icon is for which app.
I don't know what's the problem, but I found a fix. The culprit is your classic explorer.exe. The fix is simple. Zap your Windows Explorer with a magic kill process -wand and create a new better one. The new explorer won't know anything about already running full-screen apps, but it will sure learn if you manage to get into one.
Here is the fix. First start the Task Manager. Since the idea is to kill explorer.exe, you'll need a tool to eradicate the old one and make sure you can start a new one. The sequence starts from Task Manager's Details tab-sheet:
After that your explorer will be back and your icons will be back after you visit all of your apps.
Extracting /var/curcfg.xml from NVRAM [Solved!]
Wednesday, May 21. 2014
John do, a reader of this blog, made a serious breakthrough! Via SSH on B593 prompt, he found the flashtest-command. Before this I had no knowledge about such a command, but see what I can do with this new information:
# flashtest
Usage: flashtest {info|read|write|erase|export|load} {addr} {len} [data]
Format:
flashtest help
flashtest info
flashtest read addr len
flashtest write addr len {data}
flashtest erase addr len
flashtest export addr len
Well ... the info sounds interesting. Let's see:
# flashtest info
flash block size : 0x40000 (256k Bytes)
flash block num : 0x40 (64 Blocks)
flash total size : 0x1000000 (16M Bytes)
flash partation info :
---------------------------------------------------------------
Name Address Usage
---------------------------------------------------------------
Boot 0x0---0x40000 Bootloader
Image 0x40000---0xA40000 Main image
Image 0xA40000---0xE00000 Subject image
Curcfg 0xE00000---0xE40000 Curcent config
Faccfg 0xE40000---0xE80000 Factury config
Tmpcfg 0xE80000---0xF00000 Temp config
Fixcfg 0xF00000---0xF40000 Fixed config
Logcfg 0xF40000---0xF80000 Log config
TR069 0xF80000---0xFC0000 TR069 cert
Nvram 0xFC0000---0xFFFFFF Nvram
Current config! Really!? (Mis-typed as Curcent config). The run-time -only /var/curcfg.xml's real storage has eluded me this far. Let's explore that further:
# flashtest export 0xE00000 65536
Read data: addr = 0xe00000, len = 0x10000 ...
Begin write to file
Export done
What did it do? Where did it write to? Some poking around reveals:
# cd /tmp/
# ls -l
---------- 1 0 0 65536 flashinfo.bin
Oh yes! The next thing is to get my hands on to the file. In the B593 firmware's Busybox there is only a limited set of tools.
Let's use the USB/FTP-hack for transferring the file. The idea is to plug a USB-stick into B593. Any FAT32-formatted stick will do, it is totally irrelevant if there are files or not. Early firmwares are known to have a flaw in them. You can mount the entire filesystem into FTP-server and transfer files to/from the box. Setup goes like this:
Make sure you have the FTP-server running, add a user to the new mount and set the directory as ../.. It is really important to do that! That effectively breaks out of /mnt/usb2_1 into /. See this pic:
I added user with name test. Now let's see if the FTP-connection works from an external machine:
# ftp 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 bftpd %v at 192.168.1.1 ready.
Name (192.168.1.1:user): test
331 Password please.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /tmp
250 OK
ftp> dir
227 Entering Passive Mode (192,168,1,1,166,124)
150 BINARY data connection established.
---------- 1 0 0 65536 May 21 19:26 flashinfo.bin
226 Directory list has been submitted.
ftp>
Oh yes! The extracted NVRAM-binary is there. Let's download it:
ftp> get flashinfo.bin
local: flashinfo.bin remote: flashinfo.bin
227 Entering Passive Mode (192,168,1,1,144,190)
150 BINARY data connection established.
226 File transmission successful.
65536 bytes received in 0.06 secs (1092.41 Kbytes/sec)
A brief analysis of the file reveals:
# hexdump -C flashinfo.bin | head -3
00000000 3e 00 64 fe 3c 3f 78 6d 6c 20 76 65 72 73 69 6f |>.d.<?xml versio|
00000010 6e 3d 22 31 2e 30 22 20 3f 3e 0a 3c 49 6e 74 65 |n="1.0" ?>.<Inte|
00000020 72 6e 65 74 47 61 74 65 77 61 79 44 65 76 69 63 |rnetGatewayDevic|
# hexdump -C flashinfo.bin | tail -5
000064f0 65 77 61 79 44 65 76 69 63 65 43 6f 6e 66 69 67 |ewayDeviceConfig|
00006500 3e 0a 00 ff ff ff ff ff ff ff ff ff ff ff ff ff |>...............|
00006510 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00010000
The first 4 bytes of 3e 00 64 fe are a bit of a mystery. I don't know what the 3e 00 is for, but the 64 fe is obvious! It is the length of the XML-file following the header bytes. I can confirm that the entire /var/curcfg.xml is there. Unchanged. Intact!
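The layout just described can be checked mechanically. This is an added example, not code from the original post or from Huawei: it reads partition ranges out of the flashtest info output and pulls the XML out of an exported dump, assuming the post's reading of the header (two unknown bytes followed by a big-endian 16-bit length) and the single 0x00 plus 0xff fill seen in the hexdump. The function names are hypothetical and the dump is constructed, not real configuration data.

```python
import re
import struct

# Excerpt of the `flashtest info` output shown above.
FLASHTEST_INFO = """\
flash block size : 0x40000 (256k Bytes)
Name Address Usage
Boot 0x0---0x40000 Bootloader
Curcfg 0xE00000---0xE40000 Curcent config
Faccfg 0xE40000---0xE80000 Factury config
Nvram 0xFC0000---0xFFFFFF Nvram
"""

HEADER_LEN = 4       # 2 unknown bytes + 2 length bytes, per the post
ERASED = 0xFF        # value of erased flash cells
DUMP_SIZE = 65536    # size exported in the post

# Constructed stand-in for the exported /tmp/flashinfo.bin.
SAMPLE_XML = (b'<?xml version="1.0" ?>\n'
              b"<InternetGatewayDeviceConfig>\n"
              b"</InternetGatewayDeviceConfig>\n")
SAMPLE_DUMP = (b"\x3e\x00" + struct.pack(">H", len(SAMPLE_XML))
               + SAMPLE_XML + b"\x00")
SAMPLE_DUMP += bytes([ERASED]) * (DUMP_SIZE - len(SAMPLE_DUMP))


def parse_partitions(info_text):
    """Return name/start/end/size/usage for each 'Name 0xA---0xB Usage' row."""
    row = re.compile(r"^(\w+)\s+(0x[0-9A-Fa-f]+)---(0x[0-9A-Fa-f]+)\s+(.*)$")
    parts = []
    for line in info_text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue  # banner, separator or block-size line
        start, end = int(m.group(2), 16), int(m.group(3), 16)
        parts.append({"name": m.group(1), "start": start, "end": end,
                      "size": end - start, "usage": m.group(4)})
    return parts


def extract_curcfg(blob):
    """Validate the 4-byte header and return the embedded XML document."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dump is shorter than the header")
    magic, length = struct.unpack(">2sH", blob[:HEADER_LEN])
    end = HEADER_LEN + length
    if end > len(blob):
        raise ValueError("declared length runs past the end of the dump")
    xml = blob[HEADER_LEN:end]
    if not xml.startswith(b"<?xml"):
        raise ValueError("payload does not start with an XML declaration")
    tail = blob[end:]
    if tail[:1] == b"\x00":  # single terminator byte seen in the hexdump
        tail = tail[1:]
    # Anything other than erased flash after the document is unexpected.
    stray = sum(1 for b in tail if b != ERASED)
    return {"magic": magic, "length": length, "xml": xml, "stray_bytes": stray}


if __name__ == "__main__":
    for p in parse_partitions(FLASHTEST_INFO):
        print(f'{p["name"]:<8} 0x{p["start"]:06X} size 0x{p["size"]:X}')
    info = extract_curcfg(SAMPLE_DUMP)
    print(info["magic"].hex(), info["length"], info["stray_bytes"])
```

Note that the Curcfg partition is 0x40000 bytes while the export in the post reads 65536, so a configuration larger than the export length would be reported as running past the end of the dump.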
My next move is to try altering the curcfg.xml and write it back. There is a chance of locking myself out of my own B593, so ... I need to be really careful with this. If everything works as I expect, my next move is to write tools for allowing people to access their devices as they want to.
I'd like to extend my gratitude to Mr. John do. This really is ground-breaking stuff allowing us to new lengths with Huawei B593 hacking. Thank you, sir!
Huawei B593 different models revisited: u-12 vs s-22
Friday, May 16. 2014
This is something that has been bugging me since November. In my post about different models, I stated that I have a u-12 (and still do). Last year I did setup a s-22 to a friend and got to see that it is pretty much the same. However, "pretty much the same" is not exactly the same.
The s-22 is a newer model and it has been well established that it has a TDD 2600 MHz added into it. All the FDD frequencies are exactly the same as in u-12.
In the comments of my post, a user suggested that s-22 differs from u-12 by having only one USB-connector. At the time I was unable to find proof of that, all the pictures I could find of alleged s-22 units had no difference from a u-12 unit.
Now the situation has changed. In my ventures of the wonderful Internet I found an article What's the difference between HUAWEI B593s-22 and B593u-12? and it has a picture of both units side by side in it. Nice! But which one is which?
Just to make sure that s-22 is in the left and u-12 is in the right, I'll post a fresh picture of my own u-12 unit:
To close the case, I also found a vendor page with a nice picture of s-22 in it, see HUAWEI B593s-22 4G LTE CPE [B593s-22]. It has a picture of the unit in the page, and their s-22 looks exactly the same as the left unit in the picture, and exactly NOT the same as my u-12. Apparently s-22 does not have a power switch, it lacks the side USB-connector and SIM-card -slot has been changed into a tray. Lot of differences to spot, actually.
So I'm confident that s-22 is very much re-designed both in hardware and firmware. The hardware side is surely changed because of the new(ish) 4G TDD radio interface. And while Huawei engineers were at it, they changed also the firmware in number of ways, one of them being to resist hacking attempts better than their 1st gen version did. This is also a well established fact, s-22 firmware has a completely different structure than u-12 firmware.
Now me and everybody else should be able to identify the units by a simple visual inspection.
German Telekom SP104/SP105 firmware for u-12
Thursday, May 15. 2014
I got a comment from John, he told me that a telco in Germany called Telekom has SP104 firmware out for B593 u-12. They seem to call it Speedport LTE II. The download link to the firmware is http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_V100R001C748SP104.zip
The UI has English language, so it should be usable for us non-German speaking users too.
As usual, I did download and extract the firmware and all looks ok to me. Also as usual, I didn't test it. If you do, please comment how it went.
Update 21st May 2014:
Today John told me that Telekom released a security update SP105 firmware. There is little information about what the fix is, but you can get the latest from this link http://www.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speeport_LTE_II_B593u-12_V100R001C748SP105.zip
Parallels Plesk Panel updated PHP versions 5.4.28 and 5.5.12
Tuesday, May 13. 2014
The latest PHP versions are available for CentOS Plesk Panel admins. If you are using my YUM-repo as suggested, the update should be a painless one.
I managed to get the FPM running for PHP 5.4, for the PHP 5.5 it is still pending. Example:
# service php-fpm54 status
php-fpm (pid 4318) is running...
Please note, that the FPM is still work-in-progress and it may contain bugs.
The latest PHP FPM has a fix for CVE-2014-0185. It is not a really dangerous one, it just takes care of 0666 permissions for the FastCGI unix-socket. It can be considered a security flaw if any local user can execute code via FastCGI-interface. Most web-servers don't have many local users, but this flaw can be combined with other security issues to get more gain out of it.
B593 firmware version numbers
Monday, May 12. 2014
I got a comment about the firmware version numbers. How can you tell which one is newer and which one is older? Well ... Huawei really does make this one difficult. I'm guessing all this has to do with the fact that any regular user should be insulated from the fact that his/her hardware is manufactured by Huawei. Your beloved telco should be their face and you should be doing business with them and only them. Screw that! This is 2014 and the age of social networking in the Internet. Openness is the only real way to go.
Here is what I gathered for B593 u-12. This is a list of firmwares from oldest to newest:
Firmware name | HW ver | Release | Telco / Custom by | Version / Service Pack |
---|---|---|---|---|
V100R001C00SP052 | V100 | R001 | C00 | SP52 |
V100R001C26SP054 | V100 | R001 | C26 | SP54 |
V100R001C260SP055 | V100 | R001 | C260 | SP55 |
V100R001C07SP061 | V100 | R001 | C07 | SP61 |
V100R001C35SP061 | V100 | R001 | C35 | SP61 |
V100R001C186SP065 | V100 | R001 | C186 | SP65 |
V100R001C00SP070 | V100 | R001 | C00 | SP70 |
V100R001C00SP073 | V100 | R001 | C00 | SP73 |
V100R001C55SP102 | V100 | R001 | C55 | SP102 |
This is for B593 s-22:
Firmware name | HW ver | Release | Build | Debug | Version / Service Pack | Telco / Custom by |
---|---|---|---|---|---|---|
V200R001B180D20SP00C1064 | V200 | R001 | B180 | D20 | SP00 | C1064 |
V200R001B180D15SP00C00 | V200 | R001 | B180 | D15 | SP00 | C00 |
Just to be clear:
I don't know any of this to be factually correct, nor can I back any of this up from an "official" source. Feel free to correct me or suggest any other interpretation.
Update 18th May 2014:
Bilbo dropped me a comment with a link into https://app.box.com/s/0uim7fp7j4dzet2bpmhp. It provides more details about version numbering scheme Huawei uses. I did update the table headers with this new information.
Goodbye trackbacks!
Saturday, May 3. 2014
Ok. The thing with trackbacks is, that they're used only for spam! Hate it.
Seven years ago it was said that 53% of all pings is spam. Today I'd say 100% of all pings is spam or sping. There is no point in allowing pings or trackbacks.
My blog software is Serendipity. It has the following instructions for removing trackback links. Unfortunately the platform is well known and simply removing the links from HTML doesn't do the trick. The "official" word from Serendipity authors is to start using a plugin for managing spam trackbacks. Ok, since all of it is spam why bother!
This is what I put into my .htaccess:
# Deny trackbacks
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} =/comment.php
RewriteCond %{QUERY_STRING} type=trackback
RewriteRule .* - [F,L]
It has three conditions and one rule that together deny a POST request to comment.php having the parameter type=trackback. A trackback looks like this in my Apache log:
POST /comment.php?type=trackback&entry_id=83 HTTP/1.0
Now the spammers should be gone and stay gone!
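Before relying on a deny rule like the one above, it helps to replay request lines from the access log against it and see what would be blocked and what would still pass (ordinary comment POSTs must not be caught). The following is an added example, not part of the original post: a simplified Python model of the three RewriteCond tests, with constructed sample request lines and hypothetical function names.

```python
import re
from urllib.parse import urlsplit

# Constructed request lines in access-log form (not from the author's real log).
SAMPLE_REQUESTS = [
    "POST /comment.php?type=trackback&entry_id=83 HTTP/1.0",
    "GET /comment.php?type=trackback&entry_id=83 HTTP/1.1",
    "POST /comment.php?type=normal&entry_id=83 HTTP/1.1",
    "POST /index.php?type=trackback HTTP/1.1",
    "POST /comment.php?entry_id=83&type=trackback HTTP/1.0",
]

def would_be_denied(request_line):
    """Return True when all three conditions hold, i.e. the [F] rule fires.

    Simplified model: Apache matches %{REQUEST_URI} against the path it has
    already normalised; here the raw path from the log line is used as-is.
    """
    try:
        method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return False  # malformed line, nothing to evaluate
    parts = urlsplit(target)
    return (
        method == "POST"                    # RewriteCond %{REQUEST_METHOD} =POST
        and parts.path == "/comment.php"    # RewriteCond %{REQUEST_URI} =/comment.php
        # RewriteCond %{QUERY_STRING} type=trackback (unanchored regex match)
        and re.search(r"type=trackback", parts.query) is not None
    )

def denied(requests):
    """Filter the request lines the rule would answer with 403 Forbidden."""
    return [r for r in requests if would_be_denied(r)]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("DENY " if would_be_denied(line) else "allow", line)
```
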
New Internet connection - Fiber to the Home
Friday, May 2. 2014
My blog has been on a low maintenance mode, due to the fact that I had other engagements. I was moving to a new house which has an FTTH or Fiber to the Home connection.
The incoming connection is a 1000BASE-BX Ethernet and the connection also carries IPTV streams in it. Of the given 1 Gbit/s I'm currently purchasing 250 Mbit/s downlink and 50 Mbit/s uplink. This costs me ~60 € per month. Not very expensive for such a quality bit, huh? There is a one-time building cost of 1800+ € for the connection, but that is not slowing me down.
In detail the connection is implemented with an Ethernet fiber to copper media converter and a CATV-module doing IPTV to DVB-C (SD-channels) and DVB-C2 (HD channels) media conversion. During the setup, the fiber-guy first built a couple of meters of indoor cabling connected to the thick ground fiber. Indoor fiber connects to a Swedish-made Inteno FG500 box. It looks like this:
In the first picture, there are 4 gigabit Ethernet (copper) connectors and a power connector to the CATV-module. Ethernet ports 1 to 3 are routed with a firewall and NAT, but luckily port 4 is a bridged one and that's the one I'm using. From that I can get a public IP-address directly from the ISP's DHCP-server.
The box splits into two halves, CATV and the "regular" Ethernet part. Parts are connected via power and fiber connectors:
The router has an internal IP-address of 192.168.1.1 and it contains a very typical web-interface for managing the box. Management looks like this:
WAN-parts are configured to copper Ethernet-ports with interface grouping:
It took me a while to figure all this out. It really matters which LAN-port the cable is connected to. The WLAN-part can be deactivated and I did just that. I dislike those integrated crappy boxes very much, they are unreliable, insecure and what else ... Being a Linux-man I want to use my favorite Linksys and DD-WRT for any wireless needs.
This has got to be the best part of having an FTTH. The speed! Oh my god! Here are some sample results:
When analysing the results, two things come to my mind. First, Speedtest.net and the measuring servers it has don't go beyond 100 Mbit/s in any conditions (the software displays a maximum of 100 Mbit/s in it). Second, when measuring really fast speeds like I have here, the measurements are very unreliable and the results vary quite a lot when running a number of tests in a sequence. In all cases, the downlink measurement is never 100 Mbit/s or even near it. 88 Mbit/s is pretty far from 100, or from the 250 Mbit/s that I'm paying for. The uplink measurements are even worse. Those servers don't expect to be hit that hard (perhaps they see a DoS-burst?). Finally, ping 0 ms does not sound very reliable either. I'd assume 2-3 ms to be a best reading in the optimal conditions.
I've been running with this connection for a couple of days only, but the assumption is that the uptimes it can keep are amazing. An ADSL-connection is pretty stable, but a fiber should be the rock-solid way to go, that's what I'm expecting from it.
Update Oct 2014:
Speedtest.net indeed goes beyond 100 Mbit/s: