Wednesday, 29 May 2013

T428 official firmware update: flashing tutorial

Flash tool:
RK3188 USB drivers:
Released 5/28

1. First, press and hold the button on the side of the T428.

2. Connect the MicroUSB end to the T428 and the USB end to the PC.

3. When the PC reports a new device, install the RK3188 USB driver provided at the link above.


4. After the driver is installed, open the downloaded flash tool and select the firmware file to flash (update.img).
5. If the RK3188 USB driver has loaded successfully, the "Connected Devices" area at the bottom of the flash tool shows the green status in the figure below.

6. Click "Restore" and the flashing process starts automatically.

7. Wait until the screen in the figure below appears; flashing is then complete.

PS. The first boot after flashing takes noticeably longer.

Saturday, 11 May 2013

What firewall ports need to be open for AirPlay to work?



The ports that need to be opened are:

Port Number   Type        Protocol         RFC    Used by
80            TCP         HTTP             2616   AirPlay
443           TCP         HTTPS            -      AirPlay
554           UDP / TCP   RTSP             2326   AirPlay
3689          TCP         DAAP             -      iTunes Music Sharing / AirPlay
5297          TCP         -                -      Bonjour
5289          TCP / UDP   -                -      Bonjour
5353          UDP         MDNS             -      Bonjour / AirPlay
49159         UDP         MDNS (Windows)   -      Bonjour / AirPlay
49163         UDP         MDNS (Windows)   -      Bonjour / AirPlay

Wednesday, 8 May 2013

How to get root on the RK3188 (Tromsmart T428)


Method:
1. Enable USB Debugging (Settings -> Developer Options).
2. Connect your RK3188 device to your computer over USB.
3. The computer will report that new hardware has been detected; download and install the driver from the URL below:
4. After the driver is installed, download the root tool below:
5. Unzip it, run "TPSparkyRoot.bat", follow the steps it prompts for, and reboot. Your device now has root.

Tuesday, 7 May 2013

How virtual network interfaces (TUN/TAP) work



TUN/TAP is a virtual network interface, supported on both Linux and Windows.
VPN projects such as OpenVPN build their tunneling mechanism on top of this interface.

tun (network TUNnel) emulates a point-to-point device
-simulates a network layer device
-layer 3 packets, such as IP packets
-used with routing

tap (network TAP) emulates an Ethernet device
-simulates an Ethernet device
-layer 2 packets, such as Ethernet frames
-used to create a network bridge

The figure below is the simplified diagram drawn by the original author 麻利輝 (see the page listed under Reference).



Taking an already established VPN connection, we trace the order in which a packet flows through the components:

1. Outgoing

First, an application sends data to the VPN peer through the tun interface;
this application is the "process using the tun/tap driver" in the diagram.
After passing down the TCP/IP protocol stack it reaches tun (Virtual NIC part) and becomes the VPN packet.

Next, the "data-processing process (OpenVPN)"
reads that VPN packet out of tun (Char device part)
and hands it to the TCP/IP protocol stack again, this time as the payload of a socket send; it finally reaches the real NIC and is sent out on the "physical link" (the external network).

The figure below is a slightly modified version of the original that makes the order of the data flow explicit.


2. Incoming

A packet addressed to OpenVPN arrives from the physical link.
It then passes up the protocol stack, where the headers are stripped off layer by layer;
what remains is the data payload of the original packet, which is the VPN "packet".

OpenVPN then writes this VPN "packet" into the Virtual NIC through tun (Char device part).

When the Virtual NIC receives the packet it passes it up the protocol stack,
and it finally arrives at the application that uses the tun interface.

The diagram is the same as for outgoing, only with the numbering reversed.
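As an added illustration (this is not code from the article, nor from OpenVPN or the referenced driver), the following Linux-only Python script shows the pieces above in code. open_tuntap() is the "Char device part": the TUNSETIFF ioctl that OpenVPN uses to attach to /dev/net/tun (it needs CAP_NET_ADMIN and is only exercised if you call it). parse_tun_packet() and parse_tap_frame() show what a read from a tun versus a tap descriptor hands you: a bare IPv4 packet versus an Ethernet frame with the IP packet after its 14-byte header. relay() is a skeleton of the "data-processing process", forwarding tun reads to a UDP peer (outgoing path) and peer datagrams back into tun (incoming path). The ioctl constants are the values from <linux/if_tun.h>; the interface name, addresses, MACs and packet contents are constructed for the demo, and no encryption or authentication is done.

```python
import fcntl
import os
import select
import socket
import struct

# Constants from <linux/if_tun.h> (Linux only).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer-3 device: reads/writes raw IP packets
IFF_TAP = 0x0002    # layer-2 device: reads/writes Ethernet frames
IFF_NO_PI = 0x1000  # no 4-byte "packet information" prefix on each read/write
ETH_P_IP = 0x0800   # EtherType for IPv4


def open_tuntap(name: str, tap: bool = False) -> int:
    """Open the char-device side of a tun/tap interface (needs CAP_NET_ADMIN).

    The returned descriptor is what the data-processing process reads VPN
    packets from and writes them to; the kernel side appears as a normal
    interface that can be addressed, routed or bridged.
    """
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    ifr = struct.pack("16sH", name.encode(), flags)  # struct ifreq: ifr_name, ifr_flags
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; 0 when a checksummed header is intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed layer-3 packet: exactly what a tun fd hands you with IFF_NO_PI."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_tun_packet(buf: bytes) -> dict:
    """A tun read yields a bare IP packet: parse the IPv4 header and verify its checksum."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", buf[2:4])[0]
    return {
        "src": socket.inet_ntoa(buf[12:16]),
        "dst": socket.inet_ntoa(buf[16:20]),
        "proto": buf[9],
        "payload": buf[ihl:total_len],
    }


def parse_tap_frame(buf: bytes) -> dict:
    """A tap read yields an Ethernet frame: 14-byte header, then the layer-3 packet."""
    if len(buf) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", buf[12:14])[0]
    frame = {"dst_mac": buf[:6].hex(":"), "src_mac": buf[6:12].hex(":"), "ethertype": ethertype}
    if ethertype == ETH_P_IP:
        frame["ip"] = parse_tun_packet(buf[14:])
    return frame


def relay(tun_fd: int, sock: socket.socket, peer: tuple) -> None:
    """Skeleton of the data-processing process, minus the crypto OpenVPN applies:
    packets read from tun go out on a UDP socket to the peer (outgoing path);
    datagrams from the peer are written back into tun (incoming path)."""
    while True:
        readable, _, _ = select.select([tun_fd, sock], [], [])
        if tun_fd in readable:
            pkt = os.read(tun_fd, 65535)      # VPN packet from the Virtual NIC part
            sock.sendto(pkt, peer)            # re-enters the stack, leaves via the real NIC
        if sock in readable:
            data, _ = sock.recvfrom(65535)    # outer headers already stripped by the stack
            os.write(tun_fd, data)            # Virtual NIC delivers it to the application


if __name__ == "__main__":
    # Stand-alone demo on constructed packets; no /dev/net/tun or root needed.
    pkt = build_ipv4("10.8.0.2", "10.8.0.1", 17, b"hello")
    print("tun read ->", parse_tun_packet(pkt))
    frame = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00" + pkt
    print("tap read ->", parse_tap_frame(frame))
```

To use relay() for real, call open_tuntap("tun0"), bring the interface up and give it an address with ip(8), bind a UDP socket, and run a second copy on the peer; the parsers are what you would run on the bytes from os.read() to decide whether you are looking at an IP packet (tun) or an Ethernet frame (tap).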


[Reference]
Design principles of the virtual NIC TUN/TAP driver (虛擬網卡 TUN/TAP 驅動程序設計原理), by 麻利輝
http://www.ibm.com/developerworks/cn/linux/l-tuntap/index.html
TUN/TAP - Wikipedia
http://en.wikipedia.org/wiki/TUN/TAP

Wednesday, 1 May 2013

Hairpin NAT


In the network topology below, a web server behind a router sits on private IP address space, and the router performs NAT to forward traffic arriving at its public IP address to the web server behind it.
(Figure: Hairpin nat 1.png)
The NAT configuration would look like below:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2
add chain=srcnat out-interface=WAN action=masquerade
When a client out on the Internet with IP address 2.2.2.2 establishes a connection to the web server, the router performs NAT as configured.
(Figure: Hairpin nat 2 new.png)
  1. the client sends a packet with a source IP address of 2.2.2.2 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 2.2.2.2.
  3. the server replies to the client's request and the reply packet has a source IP address of 192.168.1.2 and a destination IP address of 2.2.2.2.
  4. the router determines that the packet is part of a previous connection and undoes the destination NAT, and puts the original destination IP address into the source IP address field. The destination IP address is 2.2.2.2, and the source IP address is 1.1.1.1.
The client receives the reply packet it expects, and the connection is established.
When a client on the same internal network as the web server requests a connection to the web server's public IP address, the connection breaks.
(Figure: Hairpin nat 3.png)
  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.
The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
To fix the issue, an additional NAT rule is introduced on the router to force all reply traffic back through the router, even though the client and server are on the same subnet. The rule below is deliberately narrow: it matches only the traffic that can trigger the problem (LAN clients reaching the server via the forwarded port, leaving through the LAN interface). If many forwarded servers are affected, the rule can be made broader rather than keeping one such exception per forwarded service.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
(Figure: Hairpin nat 4.png)
With that additional rule, the flow now changes:
  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 192.168.1.2, and the source IP address is 192.168.1.1.
  3. the web server replies to the request and sends the reply with a source IP address of 192.168.1.2 back to the router's LAN interface IP address of 192.168.1.1.
  4. the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 192.168.1.10 into the destination IP address field.
The client receives the reply packet it expects, and the connection is established.
However, the web server only ever sees a source IP address of 192.168.1.1 for all requests from internal clients regardless of the internal client's real IP address. There is no way to avoid this without either using a router that can do application level DNS inspection and can rewrite A records accordingly, or a split DNS server that serves the internal clients the internal server IP address and external clients the external server IP address.
This is called, among other names, hairpin NAT because the traffic enters the router through the same interface it leaves through, which looks like a hairpin when drawn.
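To make the three flows above concrete, here is an added Python model (my own illustration, not MikroTik code and not from the original page) of the router's dst-nat and masquerade rules together with its connection-tracking table, the server's next-hop decision, and the client's check that the reply comes from the address it sent to. connect() reports whether the client accepts the reply, which source address reached the server (the caveat in the last paragraph), and which source address the client saw. The addresses are the ones from the diagrams; the client port 40000, the class and function names, and the dict keys are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the article's diagrams.
PUBLIC_IP = "1.1.1.1"
ROUTER_LAN_IP = "192.168.1.1"
SERVER_IP = "192.168.1.2"
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    """Models the two NAT chains and the connection-tracking table.

    dstnat:  dst 1.1.1.1 tcp/80 -> 192.168.1.2
    srcnat (the hairpin rule, optional): src 192.168.1.0/24, dst 192.168.1.2
             tcp/80, out-interface LAN -> masquerade to the router's LAN address
    """

    def __init__(self, hairpin_rule: bool):
        self.hairpin_rule = hairpin_rule
        # key:   (server ip, server port, translated client ip, client port)
        # value: (original client ip, original dst ip), used to un-NAT replies
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """Request arriving at the router, addressed to the public IP."""
        if not (pkt.dst == PUBLIC_IP and pkt.dport == 80):
            return pkt
        new_src = pkt.src
        if self.hairpin_rule and ipaddress.ip_address(pkt.src) in LAN:
            new_src = ROUTER_LAN_IP          # leaves via the LAN interface: masquerade
        out = Packet(new_src, SERVER_IP, pkt.sport, pkt.dport)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (pkt.src, pkt.dst)
        return out

    def reverse(self, pkt: Packet) -> Packet:
        """Reply that reached the router: undo whatever NAT the request received."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conntrack:
            return pkt
        orig_client, orig_dst = self.conntrack[key]
        return Packet(orig_dst, orig_client, pkt.sport, pkt.dport)


def next_hop(dst: str) -> str:
    """Where the server sends its reply: off-subnet addresses go to the default
    gateway (the router), the router's own LAN address is the router, and any
    other LAN address is reached directly over Ethernet, bypassing the router."""
    if dst == ROUTER_LAN_IP or ipaddress.ip_address(dst) not in LAN:
        return "router"
    return "direct"


def connect(client_ip: str, hairpin_rule: bool) -> dict:
    """Run one request/reply exchange and report the outcome."""
    router = Router(hairpin_rule)
    request = Packet(client_ip, PUBLIC_IP, 40000, 80)     # constructed client port
    at_server = router.forward(request)
    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    if next_hop(reply.dst) == "router":
        reply = router.reverse(reply)
    # The client matches the reply to its connection only if the reply's source
    # is the address it sent to and the destination is its own address.
    accepted = reply.src == request.dst and reply.dst == request.src
    return {"accepted": accepted, "server_sees": at_server.src, "reply_from": reply.src}


if __name__ == "__main__":
    for ip, rule in (("2.2.2.2", False), ("192.168.1.10", False), ("192.168.1.10", True)):
        print(ip, "with hairpin rule" if rule else "without hairpin rule", connect(ip, rule))
```

Running it reproduces the three diagrams: the Internet client succeeds, the LAN client without the extra rule gets a reply from 192.168.1.2 and drops it, and with the rule it gets a reply from 1.1.1.1 while the server logs 192.168.1.1 as the client.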

Introduction to DNSSEC security technology. Author: 游子興 / contract staff, Network Division, Computer and Information Networking Center, National Taiwan University. DNS is a widely deployed Internet service, but inherent technical limitations make it an easy target for attackers. This article introduces the origin and technical background of DNSSEC, and how the cryptographic techniques it uses ensure the integrity of the data...