Bitlocker: How to require Startup PIN

A lot of people use Bitlocker for full-disk encryption of their hard drives. For extra security you might want to be prompted for a PIN when you unlock your hard drive, because allowing attackers to boot your system without authentication might open up extra attack vectors. Setting a PIN can be easily accomplised if you know how… :-)

The below instructions are exact for Windows 10, but they are very similar in Windows 7, too.

Launch the Local Group Policy Editor by typing gpedit.msc into your Windows search, then when it has been found right-click on it and select Run as administrator from the pop-up menu. Then maneuver to the following path in the left “folder” pane:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives.

This is what it looks like if you did it correctly:

Bitlocker_Group_PolicyThen double-click on the setting Require additional authentication at startup, and you see the following dialog:

Bitlocker_PINNow change option Configure TPM startup PIN to read:

Require startup PIN with TPM

Then reboot. Now you can right-click on your system drive and select Set Bitlocker PIN or Change Bitlocker PIN (I forgot to take a screenshot of this last step, so I’m not 100% how exactly this looked like, but it should be obvious) from the pop-up menu.

You’re done. Wasn’t that easy?

Please leave a message if this was helpful.

Attention changing BIOS Settings with Bitlocker

The Problem

If your laptop has been set up to use Bitlocker, by your company or yourself, you should be very cautious when playing with your BIOS settings.

Bitlocker considers BIOS settings changes a potential security breach, as somebody could e. g. change boot order to boot from an external media to try to fiddle with the boot mechanism set up on your hard drive or SSD. This is why when you change something in the BIOS or just boot from an external drive, such as a thumb stick, Bitlocker will prompt you for your recovery code.

The Solution

To prevent this you just have to disable the so-called “protector” for your boot drive. Only then should you change BIOS settings or boot from a drive other than your normal boot drive.

You do so using the manage-bde tool which is part of Windows:

manage-bde –protectors –disable <Drive>

Don’t forget to re-enable the protector after you’re done:

manage-bde –protectors –enable <Drive>

If this helped, I’d appreciate a comment from you here on my blog.

My VerizonWireless prepay experience

We just returned from a one month vacation trip to Florida. In order to be able to use the internet when on the go, and also to be able to make and receive phone calls we decided to use a prepay card from VerizonWireless (VZW), as they seem to have the best 4G (LTE) coverage. The SIM is normally $45 for a month, including unlimited texts and calls and 1 GB of data, but we got it from Walmart for about $37, plus we received a free one-time bonus of 1 GB data when we activated the SIM via phone.

Our customer experience was pretty bad, and I want to share with you what kind of problems we had so that you can avoid those if possible.

The phone I intended to use was an iPhone 6 Plus. This cell phone is among the cell phones that have the most LTE bands available in the world, and I explicitly checked to make sure that VZW’s bands are covered. But when I tried to use the phone it couldn’t attach to the network. I got in touch with VZW, and it turned out that they only let phones use their network (with their own VZW prepay SIMs, that is!) that have been sold by or for VZW. But after talking to them for a while and letting them know about my disappointment (because in Europe this doesn’t seem to be common) they agreed to make an exception and have my iPhone authorized to use the network.

Even after four days (they said it should take 48 hours max), more than 3.5 hours talking to or chatting with their support, and even changing the SIM in a nearby VZW store, my iPhone still didn’t work, so I looked into other options. It turned out that you can buy simply 4G cell phones here real dirt cheap, so I bought a Motorola Moto E (2nd Gen) for less than $50. This phone immediately worked with the SIM I had.

I logged onto their MyVerizon prepay Desktop Home page to check and update some settings. This portal was another really bad experience, something which you really cannot ask your customers to use. The issues I encountered were the following:

  • After I had entered my address here in Florida (we lived in the house of relatives), there was trailing characters in the street address which I didn’t enter, and which I could not remove by any means.
  • Furthermore I couldn’t change my device from the original iPhone 6 Plus to the new Motorola Moto E — all changes (including IMEI which was verified to be “valid” and “known” to VZW) seemed to the accepted, and change of device was confirmed, but when I went into the main menu and back to “Device” the iPhone was still listed.
  • In addition I couldn’t change my Voice Mail PIN, probably the reason why voice mail was not available for my SIM during the whole month of our stay.

As an alternative to the bad web portal I installed the “My Verizon Mobile” Android app, but that was disappointing, too. There was absolutely no way to tell the app not to ask for the password again — a bad thing as I normally use “strong” passwords which I cannot easily remember, so how to use the app when on the go?! More issues encountered were

  • “Usage” details permanently give me “An error occurred while processing your request;”
  • in “My Features” I couldn’t activate the “Block Premium Messaging” option (even though changing the switch produced a confirmation that said the change was successful); every time I return to this menu item the setting is back to allow premium messaging;
  • in “Settings” > “Contact Info” I couldn’t make any changes, as the app declared my email address invalid (as it contains a “+” in the so-called “local-part,” which is the part left of the “@”). That was of course nonsense, as RFC-2822 allows such email addresses, I constantly receive mail on such addresses and VZW’s web portal allowed it as “valid;”
  • changing my Voice Mail Password (PIN) was also impossible in the Android app. I always got an error message saying “We are sorry, but we are not able to process your request at this time. Please try again later.”

What I must admit, though, their staff were always very friendly and tried to help — but what can you do if your IT systems let you down?!

The main reason I write this blog post is to let people from Europe know about the limitations they might encounter when trying to use their own phone with a local prepay SIM. But I also want to let VZW know my frustration with their bad self-service tools. This is not how you treat your valuable customers!!!

Hacking the Genexis FiberTwist-P2410

In my previous article I described the key components the Genexis FiberTwist-P2410 is comprised of. One of these components is the serial console connector, and its presence was so tempting that I simply had to play with it…

Layout of Serial Console Connector
Layout of Serial Console Connector

So I connected a UART-to-USB converter and watched the console output while the device boots… Communications parameters were easy to guess: 115,200 bps, 8N1, no handshake (neither HW, nor SW)… Continue reading Hacking the Genexis FiberTwist-P2410

Genexis FiberTwist-P2410 dissected

By chance I got an early hands-on on a fiber network terminator (NT)/broadband gateway (such a device will soon be installed for my FTTH line provided by “Deutsche Glasfaser.”) I don’t know how it happened, but it suddenly fell apart, so I had a brief look under the hood… :-D

IMG_0673
Genexis FiberTwist-P2410 inside view

The SoC is a Lantiq PXB 4369 EL V2.1 (GRX300), which is a Gigabit Ethernet Router/Gateway SoC with int. 2×2 WiFi. There aren’t any antennas, though, and it seems you can’t add any either. The device is from the GRX 300 series, which is a “CPE Network Processor with integrated WiFi.”

A Russian web site states that its actually the GRX369 series, and that the SoC is clocked with 600 MHz. (Update: The CPU is a MIPS 34Kc V5.6 clocked at 600 MHz, 397.82 BogoMIPS.)

The device can be simply twisted on the wall junction box which is the provider’s fiber hand-over point (“fiber management unit,” FMU.)

On the WAN side we have a Mentech FGE20-N9C-35S as the optical transceiver module (2×5 form factor) for single-mode fiber in passive optical networks (PON). Optical wavelength division multiplexing (WDM) is used so a single fiber can be used for both downstream and upstream data. The maximum data rate this transceiver can handle is 1.25 Gbit/s (which suggests we’re talking EPON, 802.3ah-2004 here…). The reach without intermediate amplification is 20 km(!). Wavelengths of 1,310 nm (upstream)/1,490 nm (downstream) are used.

For LAN connectivity the gateway has 4 Gigabit Ethernet ports, driven by two FPE LG48204DH 2-port LAN transformer modules in a DIP-48 package.

The transceiver is a Marvell 88E1512-NNp2 out of the “Alaska” series, 10/100/1000 BASE-T single-port PHY (so it seems that all fiber/Ethernet ports are on the same switch), supporting Energy Efficient Ethernet (EEE) and Advanced Virtual Cable Tester functionality.

Update: The switch seems to be a Lantiq VRX318 (or compatible).

Firmware is stored in a Elite Semiconductor (ESMT) F59L1G81LA-25T single-level serial (SPI) NAND flash chip in a TSOP48 package. It operates with 3.3V at a clock of 25 ns and has a flash density of 1 Gbit and a bus width of 8 bits. The total memory size is 128 MByte.

RAM is provided by a Winbond W971GG6SB-25 chip, which is a DDR2-800 (5-5-5) SDRAM chip with a size of 128 MByte, operating at transfer rates of 800 Mbit/s per pin with a power supply of 1.8 V. (Update: The RAM is actually clocked at 300 MHz.)

It seems that the broadband gateway is equipped with a serial-console connector.

Here’s another photo that shows where the key components are located:

Genexis FiberTwist-P2410 with key components
Genexis FiberTwist-P2410 with key components

Please let me know if this in any way helps you, or you can contribute to this post.

uhttpd with a certificate chain

To secure access to my router I wanted to use SSL encryption to access LuCi, so I obtained a certificate issued by a well-known CA. The server certificate was not issued directly off the CA, but there was a certificate chain in between.

Using a certificate chain with OpenWrt’s uhttpd is really easy, although as of today this is not yet even documented to be possible on the OpenWrt web site.

I’m using uhttpd_2015-11-08 from a trunk build (r48648) of “Designated Driver”, and certificate chains can be used here without problems.

I didn’t even have to convert from PEM to DER, I just concatenated the server cert and intermediate certs into a single file:

cat /root/server.crt /root/1_root_bundle_1.crt /root/1_root_bundle_2.crt >uhttpd.crt

Hope this helps. If it does please leave a message, thank you.

Brother MFC-7840w “Internet Fax” über DUS.net

Seit einigen Tagen habe ich einen “IP-only”-Telefonanschluss, so dass ich nicht mehr wie bisher mit meinem Brother MFC-7840w-Multifunktionsgerät über einen a/b-Terminaladapter an einem ISDN-Anschluss faxen kann.

Beim Suchen nach Alternativen stieß ich auf dieses Wiki im IP-Phone-Forum, welches mir sehr weiter geholfen hat.

Zunächst musste ich ein Firmware-Update für mein Faxgerät flashen, was die benötigte Internet-Fax-Funktionalität  (T.37-Protokoll) implementiert.

Weiterhin musste ein Anbieter gefunden werden, der dieses Protokoll unterstützt. DUS.net, welches auch im obigen Wiki erwähnt wird, war mir ohnehin schon bekannt, weil ich auf der Suche nach einem guten SIP-Provider bin. Also wollte ich gerne DUS.net als Fax-Provider nutzen, jedoch gibt es da ein prinzipielles Problem:

Um das Dus.net mail2fax Gateway anzusprechen, müssen Zugangsdaten > 50 Zeichen im Betreff-Feld übertragen werden. Die Brother-Firmware (4.0) speichert aber nur 41 Zeichen ab.

Meine Lösung sieht nun so aus: Continue reading Brother MFC-7840w “Internet Fax” über DUS.net

Monitor DrayTek Vigor 130 Line Status

I recently got myself a new DSL modem, namely a DrayTek Vigor 130, as I switched from ADSL2 to VDSL2-Vectoring, so that I couldn’t use my Allnet ALL0333CJ Rev. C any longer.

As I monitor about everything (just kidding) with Nagios, I certainly wanted to implement a check of the modem’s line status.

Here’s what I came up with:

# ARG1: community
define command{
        command_name    snmp_modem_status
        command_line    /usr/lib/nagios/plugins/check_snmp -H '$HOSTADDRESS$' -C '$ARG1$' -o SNMPv2-SMI::transmission.94.1.1.3.1.6.4 -P 2c -r "53 48 4F 57 54 49 4D 45"
        }
define host {
        host_name       dslmodem
        address         192.168.0.1
        use             generic-host-internal
        parents         gw
}

Nagios is running on my intranet server. The next hop when seen from Nagios is my Internet gateway (host “gw”, my router), and from there the next hop is the DSL modem (host “dslmodem.”)

Hope this helps someone… If it does please leave a quick message here in this blog, thanks…

Vodafone VDSL-100 mit diskretem Modem und Router

Heute war endlich “der große Tag” gekommen — mein alter Arcor/Vodafone Annex.B-Anschluss (ISDN/ADSL) sollte umgestellt werden auf IP-only in Form von Vodafone VDSL-100, d. h. VDSL2-Vectoring mit einer Geschwindigkeit von 100 MBit/s für den Downlink, 40 MBit/s für den Uplink.

Bei uns kann Vodafone diesen Anschluss noch nicht basierend auf eigener Infrastruktur anbieten, sondern muss ihn als Bitstream-Produkt von der Telekom einkaufen. Das ist mir aber egal, Hauptsache es funktioniert… ;-)

Aus verschiedenen Gründen mag ich keine “All-in-One”-Produkte, insbesondere keine von den Netzbetreibern angebotene:

  • Man muss bei “All-in-One”-Produkten in der Regel immer Kompromisse machen. Wenn ich “diskrete” Komponenten kaufe, d. h. ein separates Modem, einen Router, ein SIP-Gateway, einen Intranet-Server, dann kann ich mir genau die Geräte aussuchen, die meinen Vorstellungen am nächsten kommen.
  • Tritt ein Defekt bei einem “All-in-One”-Produkt auf, dann geht gar nichts mehr. Bei diskreten Geräten bleibt ein Teil der Funktionalität erhalten.
  • Ich bin nicht darauf angewiesen, dass mir der Netzbetreiber (insb. sicherheitsrelevante) Updates (zeitnah) zur Verfügung stellt, da ich mir die jeweiligen Updates jederzeit selbst beschaffen und installieren kann, insbesondere wenn ich auf Open Source-basierende Komponenten setze.
  • Andererseits kann mir der Netzbetreiber auch keine Einstellungen oder Updates “aufzwingen” und damit womöglich meinen Anschluss oder bestimmte Funktionalitäten lahm legen.
  • Netzbetreibergeräte sind oft in den Funktionen beschnitten. Bei Unitymedia z. B. muss man für die Aktivierung des WLANs extra bezahlen!

Daher setze ich folgende diskrete Geräte ein: Continue reading Vodafone VDSL-100 mit diskretem Modem und Router

Just another WordPress weblog