Posts by infinity85

Quote from raini

Initially this was my first idea and preference. So I increased the start-delay of the Raspberry without any improvement. After investigating it appears that the delay is the time between the on-signal and the first command like setting the input. The configuration-tool did not help either. Between the on-commands of the devices no delay possible. Only before additional commands.

It is hard to find in the harmony software respectively on myharmony.com or whatever you use for programming. I've captured how to find the setting:

I own an old Harmony 900 remote, so I have to use the old software. I assume you are using the myharmony.com website for programming, but the menus are quite similar. Perhaps you can find this setting there as well

Quote from marcavatar

Hello, thanks for the answer, I'll try what you have written me over, do it this way to avoid writing too much on the sd card and then use it to boot read, consider the sd card very delicate and will ruin over time, I consider the usb stick much more solid and secure.

I think you are referring to chewitt, not to me ;). I didn't suggest anything

You can specify a delay in Harmony Configuration for your Raspberry. Just insert 5s there or so and it will send the power on signal delayed by this time.

Hi, try the following command:

cp /etc/lirc/lircd.conf.rpi .config/lircd.conf

The file lircd.conf is not present under default conditions in .config directory. So you'll copy the MCE Remote Mapping with this command and override the default lirc.conf in /etc/lirc (probably default uses original Odroid Remote mapping). Then reboot the system.

If it does not help, then simply delete the created lircd.conf in .config directory (ssh) respectively Configfiles directory (SMB) and you'll be back where you started. And post here for further assistance

Okay, I've been digging a bit in a systemd manual... and I'd be glad if you could give your 2cents about pro's and con's to this :/.

Here's my preliminary solution:

• Create a file (iptables.rules) containing the rules in: /storage/.config/iptables.rules
  
  
  Code

  # perform "systemctl restart iptables.service" after editing rules
  # tun+ will filter all tunnels. Change to tun0, tun1, tunX if wanted otherwise
  iptables -F
  iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i tun+ -j DROP

  
  Remark to iptables -F:
  This line iptables -F is necessary, otherwise the rules will be aggregated upon manual restart of service

• Create the systemd service (iptables.service) in: /storage/.config/system.d/iptables.service
  
  
  Code

  [Unit]
  Description=VPN iptables rules for tun-interfaces on boot
  
  
  [Service]
  Type=oneshot
  ExecStart=/bin/sh /storage/.config/iptables.rules
  
  
  [Install]
  WantedBy=kodi.target

  Display More
• Enable this systemd service with following command systemctl enable iptables.service
  (This command will create a symlink in /storage/.config/system.d/kodi.target.wants/iptables.service)
  
• Now start the service with: systemctl start iptables.service
  
• Check if rules were set sucessfully with: iptables -nvL
  Output should look like this:
  
  
  Code

  LibreELEC:~ # iptables -nvL
  Chain INPUT (policy ACCEPT 2054 packets, 543K bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      5   235 DROP       all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
  
  
  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
  
  
  Chain OUTPUT (policy ACCEPT 1625 packets, 139K bytes)
   pkts bytes target     prot opt in     out     source               destination

  Display More

[hr]

Preceding thoughts:

At first I used the service with Type=forking:

[Unit]
Description=VPN iptables rules for tun-interfaces on boot


[Service]
Type=forking
ExecStart=/bin/sh /storage/.config/iptables.rules
Restart=on-failure


[Install]
WantedBy=kodi.target

I chose "forking" because I could define Restart=on-failure, as I thought it is good for a security related service like this to be restarted upon failure.
I'm not sure if that does make sense. Perhaps I'm wrong here and this parameter does not have any effect practically. That is because I'm not sure whether forking is some kind of daemon, which is running the whole time in background and notices whenever it gets killed, to be restarted with "Restart=on-failure" in that case. If that is the case, then I don't understand why "ExecStop" in combination with "forking" does not activate the rules. May be I'm missing some other paramter? Or is forking just invoking the rules once and then closes automatically, that would mean that Restart=on-failure is just working for the boot, but not if the service has a failure somewhen later during watching content or so.

Then I made this first Type=oneshot approach:

[Unit]
Description=VPN iptables rules for tun-interfaces on boot


[Service]
Type=oneshot
#Requires=network-online.service
ExecStart=/bin/sh /storage/.config/iptables.rules
ExecStop=/usr/sbin/iptables -F
RemainAfterExit=yes


[Install]
WantedBy=kodi.target

• The advantage of this was that you could also stop the service on demand with systemctl stop iptables.service and it would then flush the rules thanks to ExecStop=/usr/sbin/iptables -F
• The downside was that you could not use Restart=on-failure in combination with oneshot and,...(see next point)
• If I understand it correctly, oneshot with RemainAfterExit=yes would keep up the service the entire time consuming ressources, wouldn't it? And if it crashes, the service wouldn't restart automatically because of missing Restart=on-failure. So in worst case the rules would vanish until next reboot and you wouldn't notice that your network is exposed again. Unfortunately Restart=on-failure does not work with oneshot.

Finally I sticked to the short "oneshot" version without the ExecStop and RemainAfterExit=yes options to not having the service running the whole time. If I make systemctl stop iptables.service the service would ignore this I think, but the iptables rules will remain active until you invoke iptables -F

Sorry that this post is so long again -_-. However I'd really appreciate if somebody could say which one of the three services would be the best. Or how oneshot or forking handles the situation if something kills the service.

Quote from lrusak

Buy an emmc module, it's much faster then SD card or usb stick.

It surely is, if reading wrxtasys reports and from some other users, but on the other hand a fast UHS-I MicroSD Card with 32GB like a Samsung EVO+ is round about 10€ and they are pretty fast as well. Apart from boot times most won't notice the difference I guess. Even the 16GB eMMC is about 45€+Shipping usually. That does not suit for everybody

And as far as I understood OP, he is not concerned about speed, it is more like he wants to have the library on a seperate datastorage for perhaps switching the boot-disk without having to backup and restore everytime. But may be I'm wrong about the motivation.

Quote from Grimson

There is no guide I'm aware of, you will need coding experience:

First you'll need to modify the OpenSSH (or whatever ssh daemon you use) source code to log the passwords on failed attempts, then you'll have the log data in "/var/log/auth.log". Some ssh daemons might log the passwords in high debug log levels, but this will likely explode the size of your log file, so editing the source to log the passwords in the normal log level is always advised.

From there it's up to you on how you handle it. I've created a file parser in PHP, that is called by cron and writes the failed attempts into a mysql database. From there I can easily manage the data and display statistics and search for specific entries in a custom PHP based web interface. You don't have to use PHP for this, but I personally prefer it when working with mysql and simple file operations.

Okay, that sounds more like an overkill for me. The effort wouldn't be worth for this. I hoped that there might be just some package or a script ;). Fail2ban etc. will have to do it's job and I'll rely on that

Thanks anyway for your description regarding this, Grimson

Quote from escalade

Probably best done with a check-box in the provider setup dialog and then an ip-up script in the generated OpenVPN config file. I don't use any VPN addons myself so that's just a suggestion, there are a number of ways it could be done.

I don't see why an addon would throw away your autostart.sh, that would make a lot of people angry. It should be fine to use that. You can use tun+ instead of tun0 if you happen to have more than one VPN at a time as well. Yes, systemd is another way of running scripts during start.

Very, very useful tips! especially the tun+ hint is awesome, thanks!

You're right. I thought I would leave the -F rule in case that somebody has already manipulated the rules somewhere in the system, so -F would flush them and set my own rules to override the hidden ones. On the other hand this -F rule could be also deleted by an attacker haha.

I think having this included in the VPN addon itself would be the neatest solution. How would that be done the best? I mean... I do it by introducing an autostart.sh and adding these lines to it. But actually my autostart.sh contains also other lines which could get lost, if some addon starts to mess around with existing autostart.sh.
Do you have a suggestion fo a more safe solution without editing an autostart.sh, is there some other already present routine in LibreELEC for such things? (I'm no programmer unfortunately, but I see directories like: /storage/.config/system.d/ with *.samples which imply that there are more ways to achieve something during boot/after start without autostart.sh. Would that also count for iptables?

I'd like to provide these tips respectively this thread to the VPN Manager Addon developer, so perhaps he will be willing to think about implementing it.

Quote from Grimson

Well, I'm owning/running a dedicated server in a data center and among other things I log failed ssh access credentials. The root/openelec combination shows up quite regularly. The root/libreelec combination has appeared a few times in the last 2 months, so there is at least one tool out there that has it in it's database as a combination to try.

Well this thread here is a perfect example for the concerns I posted in feature request subforum some days ago: VPN: Include default iptables rule for tun0 or at least optional
I'd be somehow more satisfied if there would be some open and serious discussion about this. From my point of view this hijacking of IoT and VPN devices is a pretty up-to-date topic on systems like LibreELEC.

@Grimson
It's quite interesting to read that you logged the user/pass variations. Is it hard to achieve? I'm running a Banana Pi Seafile server and would also like to have this kind of logs after reading your post. Is there a guide/tutorial you could recommend (for linux noobs who can follow guides)?

Quote from Qualityofpicture

Hi guys really new, I mean really new. Just purchased the odroid c2 and they did not have any remotes instock, Can someone please point me to a link on how i can setup an infrared remote? I haven figured out how you guys edit the files or make changes yet. So is there a tutorial or dummys guide i would appreciate it. Setting up the software is no problem. I am just unclear how to make changes?

I havent seemed to find any info if it is even possible but I want to try and setup the Xbox One Media Remote is that even possible? I cant find much at all?

If you follow this guide from wrxtasy: Mini Guide to setting up any IR remote on the C1/C2
you'll be able to use basically any IR Remote that you can find at home to be used for LibreELEC. Just follow the steps, restart and then most of the buttons will be assigned.

If this is not enough then, so lets say you want it customized further, you can use the addon "Keymap editor" from kodi repository.

And if that is not suiting you somehow, then you can do this manually by editing/using the following files in combination:

• /storage/.kodi/userdata/Lircmap.xml
• /storage/.kodi/userdata/keymaps/remote.xml

There are loads of threads about this at forum.kodi.tv and http://openelec.tv/forum. So you'll find everything you need written somewhere. But I remember how irritating it was when I tried it myself for the first time (especially the two *.xml for custom mapping). So if you need further help, just ask here

Quote from shiro

Well, maybe next time in the future, when I will not have too much data on it. So it will not take very long to copy them back
I dont have another HDD for test.

Aah what a shame, too late again

Anyways, the Krypton builds should improve it significantly (big_writes seems included in master)

I agree completely to your post
And thanks for adding the explanation for the mentioned iptables rules.

Further example: Using these rulest the tunnel will only allow transfers to you, if you request them. So if you turn on ITPV, this is a requested URL and the stream will be started without any delay. If you search and download subtitles, this will also work as before through the tunnel.
But if somebody got your tunnels IP, lets say a bad guy at the IPTV provider that is streaming to you, then his attempt to connect to your machine will be blocked, because you did not open personally an additional connection besides the stream itself.

@lrusak or Team LibreELEC
Don't you think it would be reasonable to include an on/off switch for iptables (with at least these 3 rules) to the first boot installation wizard? Currently there is only a switch for SMB and SSH.

I'm a bit persistent here because this entire "issue" is not really prominently placed or mentioned anywhere. Also here in this forum, nobody will pay attention to it or notice that it is extremely dangerous to use a VPN for geo-unblocking, whenever somebody is going to set up OpenVPN on LibreELEC for the first time, because LibreELEC simply does not have any firewall rules set in default config. This is in some kind of contrast to LibreELECs philosophy where you choose LibreELEC because it is so easy to set up and simply running perfectly and lightweight. If you would be an advanced user who knows everything about linux, then you would take a distro like Ubuntu or whatever and you would know, that you need to set iptables, because you would use the machine for many different tasks and those persons would probably know a bit more about security or so.

Quote from milhouse

The underlying file system appears to have no bearing on the allocation roundup size - an RPi2 with 4096 byte ext4 block size still results in Windows 7 reporting 1024 bytes "Size on disk" for a 1 byte file.

Yep, that confirms my impression that there was actually a bug in Windows 7 (ignores parameter allocation roundup size), which is solved since Windows 8

Thanks a lot for solving my issue here!

Quote from lrusak

will need support added in our linux-amlogic kernel and support in the device tree before you can use it.

What exactly are you referring to? I simply think that my config is wrong somehow. Why should something be added to device tree? I doubt the display was ever integrated into device tree on 7.0.2 builds (where it worked just fine). Is the kernel different between Krypton and Jarvis LibreELEC?
Perhaps I misunderstand your reply?

Quote from Qualityofpicture

Trying to find out if Power on feature for odroid c2 was or is active with an Ir remote? I have read alot of posts but it was unclear if this was ever worked out. It sort of sucks to have to plug it in to turn it on? I havent got a remote yet so i can test it out. Thank you for your help!

It depends what Remote you use for it. You will be able to power on/off it with an original Odroid Remote and with Logitech harmony (Odroid C1 profile)
This will work for recent community builds from wrxtasy (LibreELEC 7.1 wrxtasy builds from forum.odroid.com) and with official Krypton Alpha builds, which you can find at libreelec.tv.

Here's all the testing and info regarding your question:
ODROID Forum • View topic - IR Remote: Suspend/Resume
ODROID Forum • View topic - Turning C2 on with IR/CEC Remote
And ODROID Forum • View topic - Please Laugh at Me! LIRC Harmony Remote Shutdown Related

This thread here is the perfect opportunity to confirm whether and how much ntfs big_writes mount parameter improves transfer speeds. As escalade stated, it is because of the ntfs driver and its fuse implementation.

See here the discussion and further links: Network: smb & ntfs config mods #807

I suggested and tested some months ago the big_writes parameter for ntfs mounts, which is said to achieve a big leap in transfer speeds while writing. Unfortunately I could only test it to a SBC (odroid C2) which is naturally limited. But you could test it now with your more powerful x86 based machine with GBLan, like escalades suggested back then.

@Grimson
If I'm not wrong: The current v7.90.008 ALPHA should contain the "big_writes" parameter for ntfs mounting. So if you could repeat your NTFS test from the beginning with this current Alpha build (just for testing), then I'm quite sure you'll achieve at least 60MB/s instead of the 30MB/s that you had before.
Of course it's kind of inconvenient to reformat an HDD. But perhaps you have another laying around for testing. Anyways, it would be great if you could try this to have a confirmation about the acutal effect of big_writes on more powerful systems (compared to SBCs like Raspberries and Odroids).

Cheers

Quote from awiouy

What would the command to enable /dev/i2c-2 be (i have no hw to test, need some hints for debugging)?

A1. Config folder is now in /storage/.kodi/userdata/addon_data/service.lcdd, accessible via ssh and smb

A2. Settings should be in settings folder

good question hmm... I just know that I had to modify in LCDd.conf the line Device=/dev/i2c-1 to Device=/dev/i2c-2

# Device of the serial interface [default: /dev/lcd]
#Device=/dev/i2c-1
Device=/dev/i2c-2

It is visible on my LibreELEC 7.0.x setups on RPi and C2:

And it is not present when using LibreELEC Krypton 008 alpha build. But I am not sure what is responsible that the file appears in the directory /dev/i2c-x :/.

Regarding A2: So no settings in GUI like in old builds? You mean the settings.xml or are you referring to the lcd.xml where you set what infolabels should be displayed?