rymdvarel.se

Upgrading DJI RC-N1 firmware

Thu, 27 Jul 2023 00:00:00 +0200

After been banging my head against the wall trying to pair my DJI remote control (RC-N1) with a Mini Pro 3 I thought it would be nice to share how it could get done.

The problem I got was that the DJI Fly app on iOS complained about inconsistent firmware and tried to upgrade it from V02.00.1200. All attempts failed with “Server error. Wait a moment and try again (0×115000100002)”. The app was up-to-date and it didn’t work to wait or reboot all devices in diffrent order, the attempts failed. Even tried the terrible DJI Assistant 2 app (which forced me to install Rosetta 2 😞) on my Mac which didn’t even list any available updates, only crashed a few times.

In the final moment (before total meltdown) I found this thread on DJIs forum with a solution! The magic trick was to upgrade the remote with an Android phone. The only problem with that was that I then was located long out in Stockholm archipelago and my family and relatives rocks iOS. I walked over to the closest neighbour on the island and had the luck that he had an Android phone and was willing to help me with the upgrade. Did take a few attempts to install the DJI Fly app becase it wasn’t available in Google Play, it was only available as an APK downloaded from DJI directly (what’s up with that Android and DJI?! 🤢).

After one or two failed attempts to upgrade on the Android phone it did get through and the firmware was up-to-date, we at least thought. Once again connected to my iPhone the DJI app found another version to upgrade to which it this time was able to complete and a take off with the drone was done. Happy fly times!

My best guess (without any evidence) is that the firmware version I needed to go through was located on a bad backend/CDN which the iOS version shipped though the AppStore couldn’t access for any reason (bad TLS that the Android APK didn’t care about or something like that) and that the newer firmware files were located on a “better” backend. 🤷‍♂️

IPv6 on MikroTik hEX

Sat, 18 Feb 2023 00:00:00 +0100

So the series continues… fourth router since 2015 (no worries each of every one of past hardware has reached new home(s)!).

This time a MikroTik hEX (RB750Gr3) found it’s way to me and needed to be configured for IPv6 with Bahnhof in Sundbybergs stadsnät. Unlike previous hardware this was pretty straight forward.

First of all make sure that the default firewall is enabled for IPv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Then setup the dhcpv6 client

/ipv6 dhcp-client
add interface=ether1 pool-name=0 rapid-commit=no request=address,prefix use-peer-dns=no

Assign the bridge (LAN) interface an address from the (future) incoming prefix

/ipv6 address
add address=::1 from-pool=0 interface=bridge

Enable IPv6 and start listning to incoming Router Advertisements

/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192

And finally start broadcast Router Advertisements to your network and assign addresses to your clients through SLAAC

/ipv6 nd
set [ find default=yes ] advertise-dns=no hop-limit=64 interface=bridge managed-address-configuration=yes other-configuration=yes

Hope this will help all other (🤣) MikroTik users in Sundbybergs stadsnät. The only issue I experienced was that the route to my prefix was stuck against previous router (another address) so it took some time before upstream router sent the traffic the right way.

Must say that I’m very impressed by MikroTik so far. My first experience with the brand and everything is solid and seems priceworthy.

Build/run Docker for amd64 on Apple silicon

Sun, 16 Oct 2022 00:00:00 +0200

~~…without Rosetta!~~ Update 2023-08-07: Recently found out that since version 0.5.0 of Colima support for Rosetta is added and improves performance! 🎉

Prerequisite

Make sure that Docker Desktop is stop (or uninstalled)
Install Colima and docker
```
brew install colima docker
```
Start Colima (add –edit if you would like to modify the virtual machine)
```
colima start
```

Run

docker run --platform=linux/amd64 -it --rm alpine /bin/uname -a
Linux 6b24a487230e 5.15.68-0-virt #1-Alpine SMP Fri, 16 Sep 2022 06:29:31 +0000 x86_64 Linux

Build

docker build --platform=linux/amd64 -t path/project:latest .

Push

As usual 🙃

Client certificates can be stored in ~/.docker/certs.d/<fqdn>/.

Swedish coffee roasteries

Fri, 08 Jul 2022 00:00:00 +0200

During the pandemic Simon and I have grown in to specialty coffee. In the begining we used a list of swedish roasters hosted at kaffebryggan.com (which are now only accessable through web.archive.org) to find roasteries and coffee to try. The list was very helpful.

In order to help others find and try really good (hopefully locally roasted) coffee I recreated the list on svenska-kafferosterier.rymdvarel.se. Enjoy the reading (and coffee) and help us keep the list up to date with an issue or PR.

🇸🇪☕️

LEGO Seinfeld 21328

Sun, 06 Mar 2022 00:00:00 +0100

Got this set as a birthday gift - finally finished 😃

PostNord delivery dates in Home Assistant

Mon, 31 Jan 2022 00:00:00 +0100

Updated 2022-02-07: The template sensor now zeropads the day for the first 9 days in a month. Updated 2022-02-08: Forgot to add the updated template 🤦‍♂️

Since Maud Olofsson bought the danish postal service with swedish tax money and merged it with the swedish equivalent the service has ever declined. The “new” company PostNord recently started to deliver mail on an every other day basis which makes it almost impossible to predict when to find bills and other fun important shipments in the letter-box.

Found that PostNord “offers” an API which can be used to get the next (and the one after that) delivey date so I integrated this with Home Assistant in order to trigger automations on dates where the mailman should be around. This is configured in 4 parts:

The REST sensor

Fetches the data every hour from the API. Replace the postcode with your postcode of choice (if you aren’t interested in when the king expects a delivery).

 - platform: rest
   name: PostMord
   resource: https://portal.postnord.com/api/sendoutarrival/closest
   scan_interval: 3600
   params:
     postalCode: 10770
   json_attributes:
      - postalCode
      - city
      - delivery
      - upcoming

Mangle the REST result to ISO 8610

This creates two new sensors in the format of ISO 8601. Delivery is the closed date for delivery and Upcoming is the one after the that (nomenclature from their API).

template:
  - sensor:
    - name: "PostMord Delivery"
      state: "{{ state_attr('sensor.postmord', 'delivery') |replace('januari', '01') |replace('februari', '02') |replace('mars', '03') | replace('april', '04') |replace('maj', '05') |replace('juni', '06') |replace('juli', '07') |replace('augusti', '08') |replace('september', '09') |replace('oktober', '10') |replace('november', '11') |replace('december', '12') |regex_replace(find='^(\\d{1,2})\\s(\\d{2}),\\s(\\d{4})', replace='\\g<3>-\\g<2>-\\g<1>', ignorecase=False)}}"
    - name: "PostMord Upcoming"
      state: "{{ state_attr('sensor.postmord', 'upcoming') |replace('januari', '01') |replace('februari', '02') |replace('mars', '03') | replace('april', '04') |replace('maj', '05') |replace('juni', '06') |replace('juli', '07') |replace('augusti', '08') |replace('september', '09') |replace('oktober', '10') |replace('november', '11') |replace('december', '12') |regex_replace(find='^(\\d{1,2})\\s(\\d{2}),\\s(\\d{4})', replace='\\g<3>-\\g<2>-\\g<1>', ignorecase=False)}}"

Sensor based on date

This creates a sensor with the current date (in ISO 8610) for comparison below.

sensor:
 - platform: time_date
   display_options:
     - 'date'

Binary sensor - mailday?

Compare the sensors from above in order to create a binary sensor which can be used as trigger or condition in automations.

template:
  - binary_sensor:
    - name: PostMord Delivery today
      state: "{{ states('sensor.postmord_delivery') == states('sensor.date') }}"

Enjoy!

PEXIT!

IPv6 on UniFi® Security Gateway

Mon, 07 Dec 2020 00:00:00 +0100

Much has happened since 2015 when I wrote EdgeRouter IPv6 done right. One example is that I replaced the EdgeRouter with an UniFi® Security Gateway. If I remember correctly from when I set up the USG it worked out of the box (or possible GUI configuration) with IPv6.

But… Back in May the ISPs Access Switch for my apartment building gave up and was replaced by a new one. Since then the IPv6 stopped working. I was told that the old switch carried a special configuration only made for me as a quick fix to deliver IPv6 before official support in the rest of the ISPs infrastructure. 5 years later proper support for IPv6 was now in place but did not play well with my setup. In the beginning of this jurney I didn’t even see any IPv6 reaching my WAN port. Then summer paused everything. Slowly this autum I and the ISP started to work on the issue again and by the end of November tcpdump once again showed IPv6 packets reaching the WAN port. Unfortunately the router didn’t care. So I had to dig deeper in the USG.

I think some of the headache I got from this issue was casued by a bug in the USG. I’m not sure but it felt like all commands didn’t have the same effect depending on which order they where commited.

In the end after some tweaks and trial and error I ended up with a config.gateway.json which works for IPv6 with Bahnhof and Sundbybergs stadsnät as carrier:

{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "dhcpv6-pd": {
          "no-dns": "''",
          "pd": {
            "0": {
              "interface": {
                "eth1": {
                  "host-address": "::1",
                  "no-dns": "''",
                  "prefix-id": "0"
                }
              },
              "prefix-length": "/64"
            }
          },
          "rapid-commit": "disable"
        }
      }
    }
  }
}

I think that the main issue was that the old infrastructure routed my prefix through the fe80 address and the new setup tried to route the prefix through the address provided in the DHCPv6 packet (which the USG ignored). Hope that this information can be useful for someone else.

Shibboleth and Wireguard UI

Mon, 13 Jul 2020 00:00:00 +0200

Cross-post from wg-ui#38.

This is a write-up how Stockholm University protected our Wireguard UI with a Shibboleth SP and Apache httpd. I will not cover how to configure shibd or the IdP part of this integration.

The Univerity is heavly in to Single sign-on and SAML so shibd is one of the more common tools we have and use. Together with apache it’s easy to create SSO for application that can’t speak native SAML. The combination shibd and apache handles all the authentication and in this case even a rough authorization (more on that later) and proxies the request to the service.

Most SAML attributes in the .edu world are based on LDAP attributes. eduPersonPrincipalName (or eppn as Shibboleth calls it) is our primary key to identify users so that is released from the IdP to the SP as a SAML attribute and then forward/proxied as request header to the application. The only thing that needs to be configured in the Wireguard UI end is that the application needs to be started with the --auth-user-header flag set to eppn.

The `apache` configuration

<VirtualHost *:443>
    <LocationMatch "/">
        AuthType Shibboleth
        Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:vpn:user$
        ShibRequireSessionWith idp.example.com
        ShibUseHeaders On
    </LocationMatch>

    SSLCertificateFile    /path/to/vpn.example.com.pem
    SSLCertificateKeyFile /path/to/vpn.example.com.key
    SSLCertificateChainFile /path/to/DigiCertCA-2024-11-18.crt

    ProxyPass "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

Configuration in depth

Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:su-vpn:user$

We have alot of users at the University and not all of them are eligible to use Wireguard UI. By default apache and shibd lets everyone through and since Wireguard UI has no knowlege about the user in beforehand we release another (eduPersonEntitlement) from the IdP to the SP and require a specific value on the user in order to be allowed to use the service.

ShibUseHeaders On

This enables shibd to publish SAML attributes to the application (in our case proxy) through request headers.

Thats is! I hope it could be useful someone else. The setup works flawless and big thanks to EmbarkStudios for a great application.

Migrate Home Assistant between Raspberry Pis

Thu, 09 Jul 2020 00:00:00 +0200

Received a new fancy Raspberry Pi 4 from a friend. This made my Home Assistant instance very jealous and requested to be upgraded/migrated to the new Pi (from an older Pi 3).

Internet made me clear that I could not just move the SD card between the devices since it is diffrent images between diffrent hardware.

I didn’t find any good migration guide that I thought was easy enough so I decided to write my own guide from this experience.

Create and download a Full snapshot from the old device’s webgui (Supervisor > Snapshots)
Power of the old device
Download the Home Assistant image for your device
Write the image to your SD card (dd if=/hassos.img of=/dev/SDCARD)
Mount the SD card (require a system which can read and write EXT4)
Copy the snapshot from your Downloads folder to the folder /supervisor/backup located in the partition called hassos-data
Boot up the new device and follow the setup wizard (you can give it foobar since it will be overwritten in the next step)
Use your snapshot to Wipe and restore Home Assisant through the webgui (Supervisor > Snapshots)
Enjoy your old Home Assistant on your new hardware!

For a more seamless experience you might consider updating your DHCP records between step 2 and 7 so that the new device receives the same IP adress as the old device.

ssh-askpass

Mon, 27 Apr 2020 00:00:00 +0200

Me and simmel’s ssh-askpass for macOS has reached 100 ⭐️ on GitHub! 🎉

Feels like decages ago since we started the project. Step by step we increased the usability and installation process with the help of our contributers.

Thanks!

Let’s hope that Apple keep the support in future macOS so we can reach 200 ⭐️.