just another web log

16 Apr 2015:
Jogging for a Google calendar OAuth winning failure
So after my Joogler fun now what to show on it?

Well I have a number of ideas but I did come across this Google calendar reader in node

Step one: Get nodejs
sudo apt-get install node npm
but its an old OLD version and not compatible with the modules in the tutorial :(

Numerous sources state that you can compile NodeJS on the Raspberry Pi
so I tried
curl http://nodejs.org/dist/v0.12.2/node-v0.12.2.tar.gz -O node-v0.12.2.tar.gz

hours later ... bleurk!
known issue with ARM/Raspberry Pis and v8 code.

I need a pre-compiled version of a reasonable age(NodeJS had been producing a few Raspberry Pi specific ARM6 builds but nothing current).
wget http://node-arm.herokuapp.com/node_latest_armhf.deb
sudo dpkg -i node_latest_armhf.deb

node -v
YMMV(That was the latest release at the time I wrote all this)
make package.json
npm install

no errors!!

Then I followed the instructions at
making sure to use "http" instead of "https" in the "Authorised Javascript Origins"
Got all the data and setup "app.js"

node app.js
Listening at

now what?

Connected from my Gentoo machine via the host name :2002 but got blocked, went back to Google app settings Credentials section and add into the
Redirect URIs

then visiting http://{PIsLOCALPIADDRESS}:2002
got me in ... and then it failed to redirect back to http://localhost:2002
that address is in the "app.js", change that and ... nope
"invalid_request device_id and device_name are required for private IP:"
then the try the host name instead of the IP address... nope
"device_id and device_name are required for private IP"

sudo apt-get install w3m
another ssh shell
w3m http://www.google.com
Try and log in. Although Google gives me an error on completion of the two authentication, a direct URL (SHIFT+U) shows I am now logged in.
quickly set the app.js back to using
and hit it
w3m http://localhost:2002
for @^%** sake, "error javascript is not enabled"

and this is a B+ so no RCA port, grrr

Find dodgy VGA monitor with adaptor ...
Start an LXTerminal and run "node app.js"
Open Epiphany browser and navigate to http://www.google.com to log in. Two auth, comes up with the allow calendar app screen and ... the Accept button is greyed out!!

Nothing on the screen appears to enable it, but is just the Pi being slow, eventually it is active and I click it and...

I get a blob of JSON

Which is actually a good thing and shows the events for the current day.

So I killed X and ran "node app.js" again then tried hitting
w3m http://localhost:2002
which gave a me the "JavaScript not enabled error" and
curl -L http://localhost:2002
just a web page with Google's optimised unreadable code.

I think killing of the node app in X has invalidated my OAuth session...

Yep, the bottom of the tutorial states

This implementation persists the OAuth refresh token in memory which is not ideal. You only get a refresh token when you initially authorize an application. If you do not have a proper refresh token, requests to Google will fail after an hour. The workaround for this is to revoke your application's access from your Google account whenever you start it or to persist the token information in a data store.

This is one of those sort of "fail wins"! POC(Proof Of Concept) works I just need to make it a bit ... better...
04 Apr 2015:
Jogging the Joggler with a larger stick finds multiple wins
I posted my Joggler failure on the Joggler Wiki and got back an interesting response, try a larger memory stick.

Well there was no reason not to, so I dug out a 16GB micro SD card with USB adaptor I had been given for Christmas and wrote the same image. Booted up and same as last time, running
sudo apt-get install openssh-server
Gave 404 errors for "python-requests" and
sudo apt-get upgrade
sudo apt-get install openssh-server
to work, but this time instead of rebooting
sudo shutdown -r now
I opted to completely shut the system down and actually pull the power out.
sudo shutdown -h now

At any rate it worked, Joggler and screen came up and I could ssh into it.

Then (via ssh)
export DISPLAY=:0
chromium-browser --app http://google.com

ran chrome with on the Joggler!

Now back to the naughty 4GB stick. I downloaded the ubuntu base server which has no desktop (and is a lot smaller) and burnt that.

This booted quickly to a console and I logged in (joggler:joggler) and ran the suggested
sudo apt-get install --no-install-recommends lubuntu-desktop
But that quickly got me into dependency hell!
So I tried
sudo apt-get install lxde
and after a few hours downloading and installing ...
"startx" needs "xinit"
"xinit" needs "Xserver", uh oh DEPENDENCY HELL!!

but wait maybe I can just display an image in the frame-buffer...
after much googling I installed "fbi"(stupid name when trying to Google anything about it!)
sudo fbi -T 1 --noverbose /usr/share/icons/hicolor/256x256/apps/gcr-gnupg.png
Where -T is not in the man page but is in the --help output and is needed for ssh sessions and --noverbose is an undocumented feature that gets rid of the info bar at the bottom. The frame-buffer runs in full 800x480, the Joggler's native resolution.
I can set this up as a sideshow of stats or other information from another machine via ssh, but there is a small problem(for me).

I am sure some people would like this issue but not me. In frame-buffer mode the screen never slept and the Joggler uses up a fair amount of power with its back-lit screen. The suggested
echo 1 > /sys/class/graphics/fb0/blank
I just could not get to work even running various commands with "sudo" and changing permissions.

Sooo I rewrote the 4GB stick with Xubuntu again and expected either for it to fail again(I still had my 16GB stick as backup) or that by following my new powering down regime that it would work correctly. What I did not expect was that it would work flawlessly. No 404 errors, no need to even run "update".

Then I also found I could run Chromium in kiosk mode via ssh to a server I control.
export DISPLAY=:0
chromium-browser --kiosk http://example.com

and because X is hosting all this the screen happily sleeps until someone touches the screen.

03 Apr 2015:
New Kindle not hackable
Got a free Kindle(long boring story)
First thing it wants to do is talk to the mother-ship, but I really do not want the device buying books for me.

I found a Kindleberry using the Kindle as a screen for the Raspberry Pi
and a weather station
which led to the jail-breaking instructions

First job was to work out what Kindle I have.
its a 90C6     Kindle Basic (2014) KT2, BASIC     [Support added in KindleTool 1.6.3]

Downloaded the required kindle-jailbreak-0.13.N.zip
Which contained

text reading Epic Fail
Turns out that my Kindle (KT2) is not supported, the only option is to solder a special cable directly to the motherboard!

So I gave up and just registered my kindle, which shows on Amazon that it is a generation 7 device.

Plugged it into Linux and was surprised to find it just shows up as a drive. Maybe there is hope for this black&white device after all.

03 Apr 2015:
Trying to jog an old age Joggler
I have a Joggler that has sat on my self for like, forever waiting to be used for something so...

Lets try Xubuntu as its light weight and the Joggler is not a power-house, but it does have wi-fi and touch screen.

Burn the image to a USB stick and wait an age for the machine to boot up, but there its is a full Xubuntu desktop!

No.1 job get ssh running, cos' it's not on by default.

Although I have the ethernet cable plugged in, the Joggler does not try and use it by default. Enable "Auto Ethernet" from the network manager icon sitting next to the Volume icon in the top right. Then run a Terminal from the menu icon top left.

sudo apt-get install openssh-server
should install the ssh server for me, but instead all I get is 404 errors about the "python-requests" packages, odd maybe I just need to update.
sudo apt-get update

That goes well and now it will install the ssh server, reboot and screen is dead, no X
text reading Epic Fail

Bu I can ssh-ing in, that works and it appears everything X related has segfaulted.

so I try sudo apt-get upgrade ... takes forever

Then when I issue the sudo shutdown -r now I can see the Xubuntu logo and some weird screen corrupts.

The Xubuntu loader comes up but I am pretty sure it did that last time.

No response from the screen, after ssh-ing in and it is libfontconfig.so.1.8.0 that is segfaulting everything else and ... nobody else on the entire internet seems to be having any problem with it.

Maybe I upgraded something that I should not have, lets rebuild the USB stick and start again, that means painful on-screen keyboard work :p
hmm, scratch that I am plugging in a hub with a keyboard.

time gzip -dc /home/rednuht/temp/xubuntu_14.04-v1.1-ext4.img.gz | sudo dd of=/dev/sdd
took 38:41

But after booting with a keyboard life is sooo much easier.
(after enabling ethernet from the network icon top right next to volume and then running terminal from menu top left)
sudo apt-get install openssh-server
which results in same 404 errors for "python-requests"

Which in turn leads to the fact Ubuntu 14.04 is EOL(end of life) and the repositories no longer support it.

Setting up old-releases.ubuntu.com just showed more broken-ness :(
text reading Epic Fail
01 Apr 2015:
XSS saves the April Fools day
At work we have two large flat screen TVs that use Raspberry Pis to display various things via a web based system called Geckoboard. One TV shows the company stats, share price etc and the one near me, is for the Developers.

The Developers have set the board up show the status of the latest builds, release codes/dates and some other dev-y type stats. The Geckoboard api makes this a breeze. Get the key from the app server and post JSON to it, job done.

I was looking at the simple Text widget and found that I could send HTML in the JSON and get larger and differently coloured fonts without too much hassle. But today is April 1st and I wanted to have some fun!

What about executing JavaScript when sending the updated JSON data package to the board?
Well, they strip anything that looks to dangerous so I started looking at known XSS attack vectors.

Like this one.
<img src/ onerror="document.body.style.backgroundColor=#F00">
Which creates an image that will always fail, causing its "onerror" function to fire which in turn sets the background RED. But that is not very exciting, what about turning the screen upside down?
<img src/ onerror="jQuery('body').css('-webkit-transform','rotate(180deg)')">
He he! the display is now upside down.

By the way to encode that attack for delivery was fun

htmlBlob="{\"text\":\"Active<img style=\\\"display:none\\\" src=/ onerror=\\\"jQuery('body').css('-webkit-transform','rotate(180deg)')\\\">\",\"type\":0}"

and then it was suggested that I make the screen spin, seemed simple enough, just pass the right angle to the jQuery call.

<img style="display:none" src=/ onerror="window.r=0;setInterval(function(){ if (r<360) r+=15; else r=0; jQuery('body').css('-webkit-transform','rotate('+r+'deg)')},30000)">

So, that's 15 degrees every 30 seconds. It worked, but with one teeny tiny problem. The Geckoboard was updating its content every 30 minutes or so without refreshing the page. Each time it did so the browser created a new setInterval. So now every 30 seconds x2 the angle increased and x3 and x4...

By now it was jumping all round the place, but luckily it was lunch time and the end of April Fools.

I quickly ssh'd to the Pi killed Chrome and restarted with the standard messages sans the XSS injection.
loading results, please wait loading animateloading animateloading animate
[More tags]
rss feed



flog archives

Disclaimer: This page is by me for me, if you are not me then please be aware of the following
I am not responsible for anything that works or does not work including files and pages made available at www.jumpstation.co.uk I am also not responsible for any information(or what you or others do with it) available at www.jumpstation.co.uk In fact I'm not responsible for anything ever, so there!

[Pay4Foss banner long]