WolfSSL Server on the Galileo

Intel has been kind enough to show us how to use WolfSSL on the Galileo board, but only in client mode. It turns out that there are some issues to be encountered when running a WolfSSL server on the Galileo in EthernetServer mode.

I’ve had to learn this the hard way.


The EthernetServer will fail to load the server certificate because the board's internal clock is stuck in the past, so the certificate appears not yet valid. Therefore, we need to set the system date of the Galileo board to the present. Since there is no NTP client built into the Galileo 2 board, we are forced to use rdate instead.

So, telnet into the Galileo board and run the following command:

$ rdate tick.greyware.com

I suppose that the best way to do this is to incorporate a system() command into the setup() code of the Arduino sketch to automatically synchronise the date.
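As an added example (not code from the original post), this is what such a setup() step would look like in plain C: it checks the clock against the certificate's validity window before wolfSSL loads the certificate, and only then shells out to rdate. The validity window, the rdate host and the function names are assumptions; in practice the window comes from the certificate you load.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed certificate validity window (Unix time):
 * notBefore 2015-01-01 00:00:00 UTC, notAfter 2016-01-01 00:00:00 UTC. */
#define CERT_NOT_BEFORE 1420070400L
#define CERT_NOT_AFTER  1451606400L

/* An unset RTC reads an epoch-era date, far before notBefore, so the
 * certificate is rejected as not yet valid. Returns 1 when now is in window. */
int clock_is_sane(time_t now, time_t not_before, time_t not_after)
{
    return now >= not_before && now <= not_after;
}

/* Build the rdate command for system(). system() runs it through a shell,
 * so only hostname characters are accepted; anything else is refused. */
int build_rdate_cmd(char *buf, size_t len, const char *host)
{
    size_t i;
    if (host == NULL || host[0] == '\0')
        return -1;
    for (i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return -1;
    }
    if (snprintf(buf, len, "rdate %s", host) >= (int)len)
        return -1;
    return 0;
}

/* What setup() would do before wolfSSL loads the server certificate.
 * Returns 1 if the clock is usable afterwards, 0 if TLS will still fail. */
int sync_clock_for_tls(const char *rdate_host)
{
    char cmd[128];
    if (clock_is_sane(time(NULL), CERT_NOT_BEFORE, CERT_NOT_AFTER))
        return 1;
    if (build_rdate_cmd(cmd, sizeof cmd, rdate_host) != 0 || system(cmd) != 0)
        return 0;
    return clock_is_sane(time(NULL), CERT_NOT_BEFORE, CERT_NOT_AFTER);
}
```

Calling sync_clock_for_tls("tick.greyware.com") from setup() and refusing to start the server when it returns 0 avoids the silent certificate-load failure described above.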

ECC Support

WolfSSL has removed static-key-based cipher suites since 3.6.6. Therefore, it needs to be configured to support, say, ECDHE-based cipher suites. Unfortunately, this is not automatically enabled during library configuration unless you're building for x86_64, which the Galileo board isn't.

Therefore, the solution is to configure the library with the --enable-ecc option enabled.

$ ./configure --prefix=$HOME/wolfssl/ --target=i586-poky-linux-uclibc --host=i586-poky-linux-uclibc --enable-ecc

Otherwise, when debugging with OpenSSL, we will be unable to communicate with the Galileo board: it complains that there are no matching cipher suites right after receiving the Client Hello, and then terminates the handshake without sending a Server Hello.

True Random Number Generator for a True Hacker

This is an interesting way to generate a sufficiently random number. We will definitely be adopting this technique for our products that need a non-cryptographic random number generator.


How can you generate random bits? Some people think it’s not easy, others will tell you that it’s pretty damn hard, and then there are those who wonder if it is possible at all. Of course, it is easy to create a very long pseudorandom sequence in software, but even the best PRNG (Pseudorandom Number Generator) needs a good random seed, as we don’t want to get the same sequence each time we switch on the unit, do we? That’s why we need a TRNG (True Random Number Generator), but that requires special hardware.

Some high-end microprocessors are equipped with an internal hardware TRNG, but it is, unfortunately, not true for most low-cost microcontrollers. There are a couple of tricks hackers use to compensate. They usually start the internal free running counter and fetch its contents when some external event occurs (user presses a button, or so). This works, but not without disadvantages…


PHP-MCRYPT and Ubuntu 14.04 LTS

There is a weird problem with a default Ubuntu 14.04 LTS server installation. For some reason, php-mcrypt couldn't run under FCGI mode using spawn-fcgi. It was correctly installed and configured, but it was not detected, even by phpinfo();

However, everything seems to work right after switching over to php-fpm instead of FCGI mode. I don't know why.

iFlix on Ubuntu LTS


If you are interested in using the new iFlix service on Ubuntu, you will need to install pipelight, since iFlix has decided to use Silverlight instead of HTML5 for its video streaming platform.

sudo add-apt-repository ppa:pipelight/stable
sudo apt-get update
sudo apt-get install --install-recommends pipelight-multi
sudo pipelight-plugin --update
sudo pipelight-plugin --enable silverlight
touch $HOME/.config/wine-wininet-installer.accept-license

After that, do an about:config on Firefox and the silverlight plugin should show up. It works fairly well on Firefox. However, there are some issues. For one, the player does not position itself properly when the window is resized. As a result, I cannot watch it in a small window.


  1. I would like to see a popup-window option enabled for iFlix as I like to watch my videos in a small window in the corner while I do my work on the laptop. Hulu had this great feature. As it is, iFlix requires me to either watch a show or work. It does not allow me to multi-task.
  2. They spelt capacity wrong – as “capasity” – on the player settings. This appears when I try to adjust the streaming quality.
  3. Quality wise, it is quite obviously heavily compressed. Both the audio and video quality isn’t great even on the “High” settings.

As this is my first 30 minutes of using the system, I shall reserve judgement until I have tried it out more extensively. However, for RM8/month, I think that I will most likely subscribe, assuming that they can supply me with the latest shows.

How to Build Beautiful Enclosures from FR4 — aka PCBs

This is an excellent idea! I would love to try it out one of these days.


Most hobbyists say that it is easier to build a functional prototype of an electronic device than to make the enclosure for it. You could say that there are a lot of ready-made enclosures on the market, but they are never exactly what you need. You could also use a 3D printer to build a custom enclosure, but high-end 3D printers are too expensive, and the cheaper ones produce housings which are often not robust enough, and also require a lot of additional treatment.

Another way is to build the enclosure out of FR4, a material which is commonly used in PCB production. Such enclosures are low-cost, with thin walls but yet very strong, nice looking, pleasant to the touch and have excellent thermal and moisture stability. FR4 offers some more possibilities – efficient wiring with no wires inside the housing, integrated UHF or SHF antennas or RFID coils, capacitive…


NAT64/DNS64 on OpenWRT

The latest stable release of OpenWRT – Barrier Breaker – makes it a simple matter to add NAT64 and DNS64 capabilities to the router. This is particularly useful if one wishes to run an IPv6-only internal LAN while dealing with the IPv4 + IPv6 world of the Internet.


DNS64 provides a faux AAAA record for any existing A record. The easiest tool to use for this is TOTD, which is no longer in development but is found in the main OpenWRT repositories.

So, install TOTD and configure it.

# opkg update
# opkg install totd
# vi /etc/totd.conf

The totd.conf file should contain the following:

; substitute with your upstream DNS
forwarder port 53
forwarder port 53
; modify your OpenWRT ULA prefix here
prefix fd63:fab9:6ccf:64::
; this port is used later
port 5353

Enable and start TOTD, and check the logs for any errors:

# /etc/init.d/totd enable
# /etc/init.d/totd start
# logread

Finally, configure the built-in DNSMASQ to use TOTD as its upstream server, on the port configured above. Note the use of a hash (#) symbol, which is how dnsmasq separates the server address from its port.

You should be able to verify that it works by querying AAAA records for pure IPv4 names. You should see a fake IPv6 address returned with your TOTD-specified prefix.

# ping6 ipv4.google.com

You won't actually be able to ping it over IPv6 at this point, until your NAT64 is set up correctly.


NAT64 provides an IPv6 to IPv4 NAT mechanism which will actually transfer the IPv6 packets by converting them into IPv4 packets and back. The tool to do this is TAYGA and is also available in the OpenWRT repositories.

First, install TAYGA.

# opkg update
# opkg install tayga

Next, edit /etc/config/network and add a new interface.

config interface nat64
 option proto tayga
 option ifname 'tayga-nat64'
 option ipv4_addr
 option prefix fd63:fab9:6ccf:64::/96
 option dynamic_pool
 option accept_ra 0
 option send_rs 0

Next, edit /etc/config/firewall and add it to the LAN zone.

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 option network 'lan nat64'

Restart networking and the firewall to bring up TAYGA, then check the logs for errors.

# /etc/init.d/network restart
# /etc/init.d/firewall restart
# logread

You should now be able to ping any IPv4 server using IPv6.

# ping6 ipv4.google.com
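To make concrete what the two halves above do, here is an added example (not from the original post or from TOTD/TAYGA) that synthesises a DNS64 answer for an A record inside the post's fd63:fab9:6ccf:64::/96 prefix, and then performs the check you would want after the ping6 test: is the AAAA answer inside the prefix, and which IPv4 address will TAYGA translate it to? The function names and the 192.0.2.1 sample address are assumptions.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* The /96 prefix used in totd.conf and the TAYGA interface in the post. */
#define NAT64_PREFIX "fd63:fab9:6ccf:64::"

/* DNS64 synthesis, as TOTD does for an A-only name: the 4 bytes of the A
 * record become the low 32 bits of the prefix. 0 on success, -1 on error. */
int dns64_synth(const char *ipv4, char *out, socklen_t outlen)
{
    unsigned char v6[16], v4[4];
    if (inet_pton(AF_INET6, NAT64_PREFIX, v6) != 1 ||
        inet_pton(AF_INET, ipv4, v4) != 1)
        return -1;
    memcpy(v6 + 12, v4, 4);
    return inet_ntop(AF_INET6, v6, out, outlen) ? 0 : -1;
}

/* The check behind "ping6 ipv4.google.com": is the AAAA answer inside our
 * prefix (so TAYGA will translate it), and to which IPv4 address? Returns 1
 * and fills ipv4 for a synthesised address, 0 for native IPv6, -1 on error. */
int nat64_extract(const char *ipv6, char *ipv4, socklen_t v4len)
{
    unsigned char v6[16], pfx[16];
    if (inet_pton(AF_INET6, NAT64_PREFIX, pfx) != 1 ||
        inet_pton(AF_INET6, ipv6, v6) != 1)
        return -1;
    if (memcmp(v6, pfx, 12) != 0)   /* first 96 bits must match */
        return 0;
    return inet_ntop(AF_INET, v6 + 12, ipv4, v4len) ? 1 : -1;
}

int main(void)
{
    char v6[INET6_ADDRSTRLEN], v4[INET_ADDRSTRLEN];
    /* 192.0.2.1 is a constructed (documentation-range) A record. */
    if (dns64_synth("192.0.2.1", v6, sizeof v6) == 0 &&
        nat64_extract(v6, v4, sizeof v4) == 1)
        printf("A 192.0.2.1 -> AAAA %s -> TAYGA forwards to %s\n", v6, v4);
    return 0;
}
```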


RAID-1E Performance

As an addendum to a previous blog entry, I built a RAID-1E array with three identical 500GB disks and ran some benchmarks. As expected, the results fell somewhere in between the pure HDD and RAID-0 performance for both reads and writes.


Version  1.97       ------Sequential Output------ --Sequential Input- --Random-
Concurrency   1     -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
XXXX        23944M   888  96 178362  11 90639   5  5192  88 253139   7 557.7  11
Latency              8913us    4412ms    6268ms   17400us   38206us     764ms    

Therefore, the advantage it has over a RAID-0 array is redundancy: a RAID-1E array can withstand a single-disk failure, unlike RAID-0, at a slight cost in performance. It is both faster and safer than a single HDD.

Therefore, a RAID-1E configuration is quite useful.

As for how to build a RAID-1E array, just build a RAID-10 array with an odd number of disks. Useful when I only have three identical disks.