• 2022 Oct 9

The SwitchBOARd, a general purpose I/O device using the ESP-03.

When I was spinning up a number of ESP-01 devices, and before I found out how much RF noise they put out, I started exploring some of the other devices that were available in the ESP family. Specifically, the ESP-02 (an SMT version of the ESP-01, hard to get) and the ESP-03.

This board was designed to be a general purpose I/O board where you could read or write three individual bits and monitor those bits for control or notification purposes. Specifically, this was designed as a door open/closed device for garages. The ESP-03 was chosen because it was small, had a built-in ceramic antenna, and had the required number of I/O pins. It also looks kind of cool.

The board featured an onboard programming port and switch, a regulated power supply with a temperature monitor for the regulator, and indicators for all of the I/O. If desired, a passthru for the power supply could be placed, so as to provide power for another board of this series without needing a regulator and extra supply.

Ultimately, I never could get the ESP-03 to take a program properly, and had just started to investigate why when I found out how bad these devices were at 320MHz. This board is one of two prototypes I built, the other having been sacrificed to the prototype gods during troubleshooting. Some other WiFi devices have shown up on the market, so this board may live again someday.

The boar outline found its way onto other projects, including this blog - and this is where the main page gets its name: Red Boar Design.

switchboard.jpg

• 2022 Oct 5

Re-opened my github account.

Some time ago, I had a github account with a few projects on it. That was closed due to various reasons, but I’ve decided to open it again and replace some of the material that was there originally.

The repository is here, if you’d like to check it out.

pigpen.jpg

• 2022 Sep 22

Allow access to a webpage only if inside the LAN?

Recently, I found that I’d like to set up some kind of internal dashboard for systems running inside the LAN. I wanted it to have easy access, and not require you to remember a new address or have to use a special port - it should just automatically resolve with the main website address while inside the LAN and deny you access outside the LAN. Sounds easy, and it is - sort of.

I’m using the Apache webserver, and it has the ability to deny service to you based on the calling IP address. It’s as simple as telling the server what directory you’d like to use, and requiring an IP. I came up with this:

<Virtualhost *:443>
	(the external website materials)

	Alias /inside "/var/www/inside"
		<Directory /var/www/inside>
			ErrorDocument 403 /var/www/errordocs/denied.html
			Require ip 192.168.1
		</Directory>

...

</Virtualhost>

Note that you only need to provide the portion of the IP address that you wish to match exactly. In my case, providing 192.168.1 indicates that I’d like to match the entire /24 subnet. (192.168.1.1 - 192.168.1.254)

That worked - sort of. I was able to hit the website from inside the LAN with no issue. Outside the LAN, it denied me access but threw this error:

Forbidden
You don’t have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

That’s not what I wanted. The error document was (in the interests of obfuscating the issue) the same as the 404 page (with a slight modification that hopefully wouldn’t be noticed unless you looked for it) to hide the issue from outside parties that may be hitting the website looking for entry points. I know that’s bad practice, but this is a limited access site whose users know what to look for. The error message I received tells the world what the problem is, and even though I turn identification of the server off, probably tells you what I’m running. That won’t work.

The problem here is that Require ip 192.168.1 acts like a “Deny All” when the condition is not met - it even denies the error document regardless of its location. I wasn’t really sure how to get over this issue, but doing research revealed that .htaccess files are parsed as soon as the directory is hit, regardless of what else is set in the main configuration file. This isn’t necessarily bad practice, but it’s not best practice. You should strive to keep everything in the main config.

So what is an .htaccess file? Simply put, it’s a set of requirements for the local directory. If you have a directory on your webserver that has a particular access requirement that the rest of the server doesn’t need, you put it here. In my case, I was simply going to use it for error documents.

What’s the first thing you do? Find a guide. Someone already answered this question: https://stackoverflo … -use-an-errordocumen. So, following this guide, I did this:

Create .htaccess files in both my webserver root directory and the errordocs directory. In the root directory file goes the error handlers for the webserver:

ErrorDocument 404 /errordocs/nopage.html
ErrorDocument 403 /errordocs/denied.html

Nothing else. In the errordocs file goes a simple directive:

allow from all

This does exactly what it says, and allows from all without restriction. This can be dangerous, so don’t put anything in this directory that you don’t want the world to see!

Some permissions need to be set now:

/var/www/errordocs 		=> 755
/var/www/errordocs/.htaccess 	=> 640
/var/www/errordocs/nopage.html 	=> 644
/var/www/errordocs/denied.html 	=> 644

These permissions are pretty loose, so again: be careful. Put only the things necessary for the error handlers into these directories and files. One last step is to tell the server that you want to use these .htaccess files, otherwise it ignores them. This is part of the rewrite module https://httpd.apache … mod/mod_rewrite.html built into Apache, so enable that and restart the server.

sudo a2enmod rewrite
sudo systemctl restart apache2

With the server restarted, you should be able to hit your webpage in /var/www/inside with a local IP address, and get an error message when you’re outside the LAN. Alternately, you could redirect, but that’s an entirely different game since you’ve already denied access.

I suspect this is probably obvious to those reading this, but I’ll point it out anyway. This only works if you’re serving pages from inside your own personal LAN. It’s not going to work if you’re using a remote hosting service or if the server is somewhere that can’t see your local IP. Of course, you can always set a particular address as a requirement, but in this case it’s best to make sure you’re not going to get locked out of your own services by a dynamic address change…
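As an added example (not the post's own configuration), here is the same LAN-only area expressed entirely in the main config, the way the post says you should aim for: the error pages are aliased by URL path and explicitly granted to every client, so the 403 handler itself is never denied when an outside address is rejected. It assumes Apache 2.4 and the paths and subnet used in the post; the ServerName is a placeholder.

```apache
# Added example, not the post's own config. Assumes Apache 2.4,
# DocumentRoot /var/www/html, error pages in /var/www/errordocs and a
# LAN of 192.168.1.0/24 (paths and subnet as in the post).
<VirtualHost *:443>
    # Placeholder hostname.
    ServerName example.test
    DocumentRoot /var/www/html

    # Error pages are referenced by URL path, not filesystem path, so the
    # internal redirect to the 403 page resolves through the Alias below.
    Alias /errordocs "/var/www/errordocs"
    ErrorDocument 404 /errordocs/nopage.html
    ErrorDocument 403 /errordocs/denied.html

    <Directory "/var/www/errordocs">
        # 2.4 form of the old "allow from all"; keep only the error pages here.
        Require all granted
        Options -Indexes
        # Everything lives in the main config, so no .htaccess is consulted.
        AllowOverride None
    </Directory>

    Alias /inside "/var/www/inside"
    <Directory "/var/www/inside">
        # Same match as "Require ip 192.168.1", written in CIDR form.
        Require ip 192.168.1.0/24
        Options -Indexes
        AllowOverride None
    </Directory>
</VirtualHost>
```

With this layout an outside client still gets a 403, but it is served the same denied.html page as the .htaccess approach, without the "Additionally, a 403 Forbidden error was encountered" line.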

• 2022 Aug 27

email misadventures - security is important!

What happened?

About a year ago, I swapped my domains over to a new registrar. The old one had become stale and was gaining a weird reputation, and they had cut their extremely attractive email plans down to crap Outlook plans. The final straw was when the free-with-reg email they provided was stopped. They charged for things like domain privacy, and it was just becoming more expensive than it was worth.

The new registrar had a better email plan using a non-Outlook service, offered free domain privacy and relatively inexpensive website SSL, so the choice was clear. However, the email plans didn’t auto-config as well as they claimed.

I knew there was something screwy with my email. Gmail, the great Satan of services (but if Google likes you, everyone does) would sometimes tell me that it couldn’t verify my email was sent by pygg.xyz. That TLD is somewhat suspect due to its use by spammers, but that wouldn’t cause a warning to happen, it would just bounce as spam. Something else was wrong. It finally came to a head when I tried to send a mail to a particularly tight system and it bounced as blocked.

I learned three new things: SPF, DMARC, and DKIM.

In the examples below, some personally identifying or secure information has been blurred, so do not use these as your own records.

SPF

SPF is a term that stands for “Sender Policy Framework.” It looks something like this:

spf.png

This record is not one of the main named types used in Internet routing, so it simply gets a type of “TXT,” or as you probably guessed, text. The 1200 is the TTL (Time to live) which I simply left at the default.

What this record means is that for my mail service of privateemail.com, mail coming from my domain of pygg.xyz is allowed to send mail. It’s a simple “match this” mechanism, and it generally works as it’s a yes/no thing. Other mail is quarantined for inspection, which is what the ‘~all’ means. It’s called a softfail. The other option here is “-all” which means that any non-matching sender is rejected. This is called a hardfail. This can be dangerous if you’re not set up correctly, so I’ve left it as soft.

The vendor’s SPF record was originally set up with a number of IPv4 addresses hard-coded in, which can be dangerous if the vendor’s address changes (such as adding new servers.) I found it better to match the mailserver’s name as opposed to its address. In this case, even if an address changes, you still match the name. I’m not sure, but it seems that the vendor may have had more mailservers than the record allowed. This fixed the SPF errors recorded by various testing services online.

DMARC

DMARC is a term that stands for “Domain-based Message Authentication, Reporting, and Conformance.” It looks like this:

dmarc.png

This record is also not one of the named types, so it also gets a record type of TXT.

What this record means is simple. If someone tries to send email as you (i.e. spoofing,) the mailserver will take this action and send any suspicious mails to the addresses specified. It works in conjunction with SPF and DKIM records. This record didn’t exist on my domain, so receiving servers looked at my email with a suspicious eye since they had no idea what my mail service did with spoofed mail. This record is purely one of self-policing trust. If I can’t take care of my affairs, it makes you less likely to deal with me. It was probably the most heavily weighted reason as to why I was being bounced.

To create this record, instead of wandering through what all of the options mean, I used a helper service. In particular, a site called dmarcian, located here: https://dmarcian.com … dmarc-record-wizard/. This leads you through all the things you need to fill out and automagically creates the record. It’s up to you to create the host and type, but you can follow mine or many other examples online.

One thing of note: You can either QUARANTINE or REJECT mail that doesn’t match your sending policy. There’s also another thing you can do, NONE - this means don’t do anything, just collect data. This is usually seen by receiving systems as a failure and is not suggested - it’s essentially the same as having no record at all.

DKIM

DKIM is the last thing that was messed up on my mail server, and part of it was my fault, part of it was the vendor’s fault. My fault was that, unless you’ve done this before, you have to trust that the vendor is giving you the correct information. As I had not done this before, I simply grabbed what was presented to me and pasted it in. That was wrong. The vendor didn’t clearly say that only a portion of what they presented was needed, and didn’t really mention that you had to append extra fields to use the long strings they generated.

DKIM is a term that stands for “DomainKeys Identified Mail”. It’s a public-private key pair that’s used to “sign” your emails and encode them, and if the receiving server can decode the mail with your public key, it’s assumed that you sent it since only you should have your key. It looks like this:

dkim.png

This record is an object that tells the receiving server what it is, what method to use during decoding, and what the actual key is. It’s (again) a TXT record, but this one has a single characteristic that is quite important. If you look at the first field, you’ll see “default._” - this is the object’s actual name, and MUST be used. In my case, the vendor used “default” as the object name when generating the key, although yours may be different. “s1”, “server1”, “bob” - whatever your vendor’s key generator uses MUST be used here as well. I didn’t understand that and used a name I found others mentioning, that of “s1”. This had the effect of the receiving server failing to find my key, as it was looking for “s1” and the server was using “default”. Changing the object’s name to “default” immediately fixed that and the remote server found the key and decrypted it.

My vendor also presented the key wrapped in a description that they created. That’s what really threw me off - when I pasted that in, remote sites still complained about a bad key, so I needed to determine the actual requirements of the key itself. The only parts of the key you need start at “v=DKIM” (the type of key) and end at the end of the actual key itself (the long string of characters.) Some sites suggested ending the record with a semicolon, so I did. I’m not sure if that’s needed, but it didn’t complain.

DKIM is a two-part thing on your end. You must have DKIM, and it must be valid. A receiver gives you a rating based on both. You can have a key, but if it’s invalid, that may still make your mail pass. Having both a key and a good key is imperative.

After that, I used some email test services that I found online. You send an email, and it analyzes the mail for proper construction. There are a number of those online. The only thing I can say about them is they are usually used for people who are sending newsletters, so they often analyze the content of the message and look for unsubscribe links. You can safely ignore those suggestions if you’re just setting up a personal email.
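The online testers mentioned above check these records for you, but the pitfalls described in the SPF, DMARC and DKIM sections can also be checked offline. The following is an added example, not code from the original post or the vendor: it audits a constructed sample zone shaped after the post (pygg.xyz and privateemail.com are the post's names; the “default” selector, the report address and the key body are placeholders), flagging a missing “all” term or too many SPF lookups, a p=none DMARC policy, a DKIM record published under the wrong selector, and a DKIM record that does not start at v=DKIM1.

```python
"""Added example, not code from the original post: an offline sanity checker
for the SPF, DMARC and DKIM TXT records discussed above. The zone below is a
constructed sample (domain and vendor names from the post; selector, report
address and key body are placeholders), so it runs without any DNS queries."""

# Constructed sample zone: record name -> TXT value.
SAMPLE_ZONE = {
    "pygg.xyz": "v=spf1 include:spf.privateemail.com ~all",
    "_dmarc.pygg.xyz": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid",
    # The selector MUST match the one the vendor's key generator used.
    "default._domainkey.pygg.xyz": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY",
}

# SPF terms that each cost one of the 10 DNS lookups a receiver will perform.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Split a 'tag=value; tag=value' list (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of problems with an SPF record (empty list = looks fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    problems = []
    lookups = 0
    for term in terms[1:]:
        base = term.lstrip("+-~?").lower()
        name = base.split(":")[0].split("/")[0].split("=")[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    last = terms[-1].lower()
    if last in ("~all", "-all"):
        pass  # softfail or hardfail: non-matching senders are treated as suspect
    elif last in ("all", "+all"):
        problems.append("SPF: '+all' lets anyone send as this domain")
    elif last == "?all":
        problems.append("SPF: '?all' (neutral) gives receivers nothing to act on")
    else:
        problems.append("SPF: record should end with ~all or -all")
    if lookups > 10:
        problems.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return problems


def check_dmarc(record):
    """Return a list of problems with a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    problems = []
    policy = tags.get("p")
    if policy == "none":
        problems.append("DMARC: p=none only collects reports; receivers treat it much like no policy")
    elif policy not in ("quarantine", "reject"):
        problems.append("DMARC: p= tag must be quarantine or reject")
    if "rua" not in tags:
        problems.append("DMARC: no rua= address, so aggregate reports have nowhere to go")
    return problems


def check_dkim(zone, domain, selector):
    """The key must live at <selector>._domainkey.<domain> and start at v=DKIM1."""
    name = f"{selector}._domainkey.{domain}"
    record = zone.get(name)
    if record is None:
        return [f"DKIM: no record at {name}; does the selector match the vendor's?"]
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("DKIM: record must begin at v=DKIM1 (strip any vendor wrapper text)")
    if not tags.get("p"):
        problems.append("DKIM: empty p= tag revokes the key instead of publishing it")
    return problems


def audit(zone, domain, selector):
    """Check all three records for a domain; returns {record type: [problems]}."""
    return {
        "spf": check_spf(zone.get(domain, "")),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", "")),
        "dkim": check_dkim(zone, domain, selector),
    }


if __name__ == "__main__":
    for kind, problems in audit(SAMPLE_ZONE, "pygg.xyz", "default").items():
        print(kind.upper(), "ok" if not problems else problems)
    # The selector mistake from the post: publishing under "s1" while the
    # vendor signs with "default" leaves receivers unable to find the key.
    print(check_dkim(SAMPLE_ZONE, "pygg.xyz", "s1"))
```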

So what did I learn?

Modern email systems have a lot of security features that must be in place for other email systems to trust you. SPF, DMARC, and DKIM are all required, and even that may not save you.

For example, I’ve found out that my domain, which uses a TLD of .xyz, loses trust points simply for being an .xyz domain. Apparently, that’s used a lot for spammers, but there’s not much I can do about that. I can set my security up, and if you still don’t want to trust me then that’s your business, not mine.

What should you walk away with here?

This wasn’t meant to be a tutorial on how to set this stuff up, every email vendor has different ways of doing it and using my vendor’s system as an example is going to be useless for you. I mostly wanted to tell you about what you should look for when manually setting up your email system. It’s going to be up to you to learn how to implement those practices on your service.

Did the “tight” system accept your email afterwards?

No. It blocks .xyz wholesale, as best I can tell.

Gmail, on the other hand, now loves it and happily accepts it without error.

• 2022 May 22

An EAS-1 Emergency Alert Decoder

My one “big” purchase from Dayton this year, this EAS (Emergency Alert System) decoder was designed for the broadcast industry. It listens to terrestrial radio for the SAME data burst that indicates some agency (such as NOAA) has issued an alert.

This device is capable of spitting out decoded text, audio, or other formats useful for the broadcast industry, but it also has serial outputs. I plan on using this device in conjunction with a Pi that listens on a serial port, and takes the decoded text and emails it to interested parties. It’s a bit overkill, but I like being able to do this myself and not rely on someone else’s connection.

What really makes this device unique is that it was made here in the USA, is still being made, and is made by a company that’s based right here in Ohio. It’s fully supported and all data is downloadable. As soon as I can get it programmed and get a few sources for it to listen to, it goes into service.

eas0.jpeg

eas1.jpeg

eas3.jpeg

• 2022 May 4

A potato of a board.

I was laying out a power distribution board and happened to show the render to someone. They said “That’s a real potato of a board.” Thus, the line of “Power Potato” boards was born. I was even able to find a “Potato Block Letter” font to complete the tuber theme.

potatoboard.JPG

• 2022 Apr 27

Revisiting an old project with new ideas.

A few years ago, I wanted to create a device to measure the current being consumed in my home. This isn’t a particularly new idea, especially with rising energy prices - having some sort of feedback on what you’re doing can help reduce unnecessary usage.

There are a number of devices and systems out there that already do this, including some that can access the information from an electronic meter connected to the mains supply of a house. These are meant for Joe and Jane Average, and often rely on proprietary backends to do their work and don’t expose any kind of data that can be placed into a historian. If they do expose data, then again, you’re relying on someone else’s computer and your internet connection to provide said data, and those systems may change or go away at any time.

The goal, then, was to create something that could provide a universal data output that could be connected to any device capable of reading said output. An analog voltage from an analog circuit was chosen, both due to the instantaneous response and the availability of cheap current transformers, such as the one in this picture. This device simply snaps around an incoming AC line, and provides a physically isolated output of either (in this case) current, or voltage.

004_currentsensor.jpg

This solves the biggest problem of how to get the measured current out of the fusebox without cutting AC lines. I’ve chosen voltage output devices for this particular project, and since the voltage output is small (usually in the mV range for full scale,) the first thing to do is amplify it a bit. This is accomplished with a standard op-amp circuit with a gain of 10-20, depending on the current transformer chosen. This also gives a bit of isolation, but that’s not really necessary at this point.

Next is how to feed this into something that a hobbyist would have access to. Measuring DC is much easier than measuring AC with commonly available microcontrollers, so the problem to solve is converting this signal to DC. This can be done with a simple bridge rectifier circuit, but I prefer to use something I found years ago in one of those “Big Books of Circuits” that TAB Books used to publish. The circuit in question is called a precision rectifier circuit, and the goal is to output a signal similar to the input, while minimizing losses. It works well enough, and a small capacitor and resistor on the output gives a decently filtered DC signal with fast-enough response.

001_circuit.jpg

While I’ve built this circuit on bread- and protoboards many times:

(I’ll put the image here when I can make it a decent size)

I decided to lay this one out on a board.

002_pcb.png

003_board.jpg

The board turned out ok, but now that I have more experience with layout, I’m not really happy with it. But it works, and all of the germanium glass diodes used as rectifiers provide a rather cool look. I’m going to go with Schottky diodes for the next round, simply because germaniums are getting harder to find and the Schottkys are better at handling even the low slew rate of a 60Hz signal.

Two remaining tasks at the time were to test the board and its output, and to choose a microcontroller platform. Testing was easy, as the project had originally found a home at a former employer as a monitor for air compressors - the company wanted to run tests over the weekend requiring compressed air, but needed to know if the compressors were to become locked in an on state (which would subsequently result in overheating and damage.) I did the initial testing in the fusebox for the compressors, and was able to translate the resulting DC output into a correct current draw. The employer then lost interest as it was revealed this was going to cost more than nothing to fully develop. I had to abandon the project as the business slowed and let people go while the sky was falling.

005_testing1.jpg

006_testing2.jpg

For the next round, I’m planning on trying out some of the new microcontroller options on the market, especially the Raspberry Pi Pico. This is a fast, dual-core Arduino-like that’s extremely inexpensive, and has an Ethernet onboard option offered by a third party. My original design choice was to use an ESP8266, but that didn’t go well, so was abandoned. Read this entry for my misadventures with the ESP controllers: https://pygg.xyz/pro … of-cheap-technology/. A new board with multiple channels of input is in the works, and will offer a better onboard ADC as well as some user amenities like a display. Stay tuned for the next update!

• 2022 Apr 14

1959 Blonder-Tongue Audio Baton (B9) Graphic EQ Rebuild

(See my later post for the Sams folder / schematics for the BT B9.)

A long time ago when eBay was still fairly new, a set of heavily modified Blonder-Tongue Audio Batons showed up for a cheap price. These are the first commercially available graphic equalizer, featuring 9 bands. Tube complement for this device is 5 12AX7 used as amplifiers in the EQ stages, and 1 6X4 rectifier to provide power for the unit. 3 lamps to backlight the adjustments ran off the AC filament transformer.

I’m not sure what was going on with these units, but two of the potentiometer holes were punched out on one of the chassis, and two extra tubes had been installed. Multiple modifications had been made to the electronics, which were in somewhat of a state of decay. Old carbon comp resistors had drifted, capacitors had become leaky, and all of the mods just made a mess of the unit. The other unit didn’t have mods, but the electronics were in the same state of decay.

The first thing I did was remove all the components except for sockets, transformer, and terminal strips. New components were purchased, including orange drops and mylar film capacitors, carbon film resistors, and of course, new wire. Holes punched in the chassis were re-filled with washers of the correct size. Potentiometers were saved where possible and cleaned. The chassis were re-wired and all of the new components were placed. I decided to do my own layout and wound up with a more compact layout than the OEM layout.

The original case, of which I had one, used weird bi-pin lamps to backlight plastic tubes with a candy-cane stripe on it. The stripe appeared in a slot cut in the face, and as you turned the pot the stripe “moved” up the slot. This was re-assembled and, unfortunately since the face had been damaged, I used stick-on labels to identify the bands. The odd number sticker was left on the face. I assume this is from a previous auction.

The second chassis was more of a challenge. Since I didn’t have a case, I settled on a rack chassis from SES-COM, a company that used to manufacture such items but has since transitioned to audio products. More space allowed for some added amenities such as VU meters using a precision rectifier circuit and a push-on/off control circuit for both units. I replaced tubes as needed, using NOS RCA and other brands as available in my personal stock. A final check, and they worked - probably just as good or better than new.

I was never able to determine what the mods were, save that I’ve seen others reference strange mods where the chassis was punched out and extra tubes added.

In the end, there was more fun had rebuilding these units as opposed to using them. They’re simply graphic EQs that consume a lot of power and have the added noise of a tube circuit. A modern unit works just as well, and has more bands. I ended up relisting them on eBay around 1998 (I think?) and selling them to a studio. That’s something I kind of regret, but as I said - in the end it’s just an old version of a new circuit.

Unfortunately, since this build pre-dated digital cameras, all I have left are these photographs taken with a friend’s Samsung point-n-shoot. They’re not the best, but here they are.

• 2022 Apr 3

The “gotchas” of cheap technology.

This was originally published on my Blogger page of the same name.

Some time ago, I had the idea that I’d like to develop something with the popular and inexpensive ESP line of microcontrollers. These offered a mature WiFi stack, a relatively large amount of program space, and were available in many easy to use packages that include a very cost-effective pin header version.

One of the things that I didn’t do during the development stage is pull the FCC paperwork for the device. Device is kind of a misnomer here, since there are multiple devices and only the chipset in a particular configuration seems to be certified. Had I done that, this probably would have been avoided.

I had designed and deployed a number of different boards to do temperature and humidity testing around the house. When I started to have issues with other systems, there were probably about 10 units operating in various capacities. However…

a001.jpg

The original production run Wetbird device.

b002.jpg

Version 2.2, cleaned up a little.

c003.jpg

A Hotbird temp device and an OWL expansion board.

d004.jpg

A Hotbird using an unobtanium ESP-002.

My first clue that something was amiss was the fact that my garage door opener had started acting up. It being several years old, I blamed age and potentially some new radio equipment installed at a nearby airport. This device operates at 320MHz… The next clue was that my old RF X10 control system had quit responding to the controller, and refused to operate no matter what module or receiver I tried. Since I had NOS devices available, and they didn’t work, I figured there was something amiss here. The X10 devices operate on 310MHz in the USA…

So what had changed? On investigation, I noticed that the signal indicator on the garage door opener was solid on, indicating it was receiving something. I still wasn’t sure what was going on, but I ran into another issue. The humidity sensor I used on the boards, a cheap device commonly available in the hobby market, had started failing. They would quit responding (sometimes!) and come back with a power cycle. I took them offline to try and troubleshoot the problem, and every other system started working again.

On a hunch, I grabbed my cheap SDR stick and set it up to look at the spectrum from about 305-325MHz. And right there it was, a big spur at 319.98MHz. Close enough to the opener’s frequency to kill it, and wideband enough to interfere with the X10 system’s unfiltered receiver. I took the few remaining devices offline and everything went back to normal.

It turns out that there are a number of spurs emitted by the ESP chipset. One of those, the important one for my testing, was right around 319.98MHz. You can view that particular document here: https://fccid.io/2ANHN-ESP8266 but note the device tested doesn’t look anything like the ones available for consumption.

e005.png

This is a crying shame, because the ESP chipset shows up in many places and is so cheap and easy to use. The next available alternative is the Arduino WiFi devices, but those are fairly expensive at $50ish, and still have certain issues that have been poking around for years.

For now, I’ve shelved that project but have thought about reviving it. The new RP2040 chipset is available with a wired interface for about $10, and while it won’t be as easily deployed as a wireless device, the wired connection ensures it won’t have any spurs knocking my garage door opener off the air.

• 2022 Mar 26

Updating the Linksys WML11B media player for the modern age

It’s interesting to note that consumer grade Ethernet has been with us, in a standard comes-with-every-computer way, for about 25 years. This means there’s a wealth of Ethernet-enabled devices out there that may not be good for the professional or other use they were originally intended for, but are fine for the home lab hobbyist. One of those items is the Baytech RPC-3 Ethernet connected power switch. A fully obsolete device with only a telnet server, it’s perfect for home use.

A device that came out of the early days of Web 1.0 is the Linksys WML11B Wireless-B/Ethernet enabled Internet Music Player - think those streams you played in Winamp back in the day. Officially streamed by the Shoutcast server package, there are now open source replacements (Icecast) that do the same thing. A small machine like a Raspberry Pi and some music means you can stream your own stuff, if you’re so inclined. (Keep this to yourself, the music industry giants are unfriendly towards anyone they think may be depriving them of a dime.)

While it’s common now to lock a device to a single service so the device dies with the service, this wasn’t really the case back then. The WML11B did have a music directory service provided by Linksys, and later by a third party - those are long gone. What makes this device of interest is it will still connect and play Shoutcast/Icecast streams without issue.

There are a couple of caveats, however. You need to update the firmware to the last package available, the one provided by the third party music service. However, even though this service doesn’t exist, the firmware is simply a modification of the last Linksys firmware and makes the device available on a local network. That firmware package and the updater can be downloaded from this dropbox link:

Firmware https://www.dropbox. … mls11b_files.7z?dl=0

The other caveat is that it works on Windows XP, and nothing higher. I tried Windows 7 with no luck. 8, 10, and 11 are right out. So you’ll need to find a friend with an old XP machine, or dig one up for yourself. Inside the file (you’ll need the 7zip archiver to open it) are a number of files. Start with the ones marked FAQ and you should have a good handle on where to start.

The rest of the files are various firmware versions, data and documents on the device, and other things of interest. This all came from the Yahoo! groups forum, now gone sadly. If you’d like to read those messages, you can download them here:

Message archive https://www.dropbox. … s11bmsg.tar.bz2?dl=0

This is a direct raw dump from the Yahoo! group, and is in .tar.bz2 format. 7zip should have no trouble with this.

It’s kind of a pain to get it updated, but once you do you’ll find an interface similar to other Linksys products. If you’ve messed around in a router you shouldn’t have any problem with this.

(I think it goes without saying, don’t open a 802.11b wireless network. Connect this thing with Ethernet.)

wm.jpg