NTP MON_LIST DDOS attacks. How to spot the hole.

Greetings and happy V-day.

This week I had an old forgotten server compromised by several attacks and added to a bot net. Most of them were well knowns, but the one the got my attention was a high usage of the NTP ports to a wide range of IPs.
Now I figure they were just using the NTP port for command and control ports until I saw that traffic even after I rebuilt the server. After confirming the traffic wasn't coming from an application on the server I did some more digging. With the help found out about this exploit.
DRDoS / Amplification Attack using ntpdc monlist command

Here we found some great info on what the attack was about and how to check for it.
 I won't go into too many details here, but it seems that many OSs out there have this issue which makes this even more important to beef up your systems.

Be in the Know!

So there are a few ways you can get your self in the know with this exploit. Lets start with the basics of what it preys on. NTP has a function called MONLIST, this is called by a datagram with an NTP request code of 42(MON_GETLIST_1). If you are being hit by this you will some thing like this in wireshark.

This is after I have shut down the NTP port. But you will see a lot of this one way or the other. This seems to be the thiey method, just spray requests until you get something.

The way they do this is quite simple. On Linux you can use both nmap and the ntpdc program.
ntpdc is the NTP daemon control program, with the "-c monlist" command line switch you can see if it will respond tot he MON_GETLIST_1 function. You can also use the sysinfo, version, and kerninfo switches to scrap just about everything about the service.

Nmap has a scrip, ntp-monlist, which will do about the same for you
----------------------------------------------------------------------------
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.041s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Public Servers (3)
|       199.233.236.226 209.114.111.1   217.7.239.199
|   Public Clients (52)
|       12.91.144.54    72.10.7.90      216.229.166.132 216.229.185.71
|       64.35.139.168   198.36.182.163  216.229.166.187 216.229.185.72
|       64.35.139.169   206.63.184.116  216.229.173.6   216.229.185.73
|       64.35.139.170   208.107.61.154  216.229.176.122 216.229.185.74
|       66.117.72.169   216.229.160.1   216.229.177.38  216.229.185.76
|       66.201.136.10   216.229.160.39  216.229.177.46  216.229.185.78
|       66.201.155.222  216.229.161.137 216.229.177.134 216.229.185.80
|       66.225.8.16     216.229.161.142 216.229.185.34  216.229.185.81
|       66.225.8.21     216.229.162.134 216.229.185.63  216.229.185.84
|       66.225.8.62     216.229.166.21  216.229.185.65  216.229.185.85
|       66.225.29.8     216.229.166.84  216.229.185.67  216.229.185.86
|       69.41.148.253   216.229.166.115 216.229.185.69  216.229.185.87
|       69.41.151.18    216.229.166.131 216.229.185.70  216.229.185.88
|   Other Associations (1)
|_      216.229.187.153 (You?) seen 5 times. last tx was unicast v2 mode 7

---------------------------------------------------------------------------------

Here is what ntpdc would give you:

--------------------------------------------------------------------------------

host:~ # ntpdc -c version xxx.xxx.xxx.xxx

ntpdc 4.2.6p5@1.2349-o Mon Jan 28 10:56:47 UTC 2013 (1)

host:~ # ntpdc -c sysinfo xxx.xxx.xxx.xxx

system peer:          0.0.0.0

system peer mode:     unspec

leap indicator:       11

stratum:              16

precision:            -20

root distance:        0.00000 s

root dispersion:      0.00195 s

reference ID:         [73.78.73.84]

reference time:       00000000.00000000  Wed, Feb  6 2036 22:28:16.000

system flags:         auth monitor ntp kernel stats 

jitter:               0.000000 s

stability:            0.000 ppm

broadcastdelay:       0.003998 s

authdelay:            0.000000 s

host:~ # ntpdc -c monlist xxx.xxx.xxx.xxx

remote address          port local address      count m ver rstr avgint  lstint

===============================================================================

216.229.187.153        38995 216.229.160.10         3 7 2    180      7       0

66.225.29.8              123 216.229.160.10         1 3 4    180      0       1

ppp70-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0       5

spk.go180.net            511 216.229.160.10        12 1 3    180     10       5

209.118.204.201          123 216.229.160.10         3 4 4      1     65       5

206.63.184.116           333 216.229.160.10        27 3 4      1      4       7

lanip-177-46.go180.net   123 216.229.160.10         2 3 4    180    130       7

ntp3.Housing.Berkeley.   123 216.229.160.10         3 4 4      1     63       8

12.91.144.54             123 216.229.160.10         3 1 3      1     64       9

69.41.148.253            123 216.229.160.10         5 3 4      1     32      11

ns2.deakin.edu.au        123 216.229.160.10         3 4 4      1     63      11

64-35-139-171.gohighsp   123 216.229.160.10         1 1 3    180      0      13

ppp71-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      15

198.36.182.163         38026 216.229.160.10         7 3 3      1     20      19

66-117-72-169.gohighsp   123 216.229.160.10         2 3 4    180     65      20

as2-pdt.go180.net        123 216.229.160.10         2 1 3      1     64      25

lanip-177-38.go180.net   123 216.229.160.10         1 3 4    180      0      26

host-154-61-107-208-st    10 216.229.160.10         4 1 3      1     13      26

216.229.173.6            123 216.229.160.10         1 3 4    180      0      26

sc2200-secondary.highs   123 216.229.160.10         2 3 3    180     64      26

srp5-0-br6-levy-spk.go   123 216.229.160.10         2 3 4    180     66      28

srp5-0-levy-spk.go180.   123 216.229.160.10         2 1 4    180     64      30

66.225.8.16              123 216.229.160.10         1 3 4    180      0      30

ppp76-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      31

ppp78-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      32

ppp88-as1-spk.go180.ne   123 216.229.160.10         2 3 4    180     63      40

vlan101.cr2.spk.go180.   123 216.229.160.10         2 1 4    180     65      44

barracuda.ci.walla-wal   110 216.229.160.10         2 3 3      1     64      45

ppp80-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      46

66.201.155.222           123 216.229.160.10         2 1 3      1     64      46

mail.disimaging.com      123 216.229.160.10         1 3 4    180      0      48

ppp74-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      49

69.41.151.18             123 216.229.160.10         2 3 4      1     64      53

ppp63-as1-spk.go180.ne   123 216.229.160.10         2 3 4    180     63      54

as2-levy-spk.go180.net   123 216.229.160.10         1 1 3    180      0      56

66-117-72-218.gohighsp   123 216.229.160.10         1 3 4    180      0      57

f0-0-br2-wal.go180.net   123 216.229.160.10         1 1 4    180      0      72

ppp34-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      79

ppp73-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      85

66.225.8.21              123 216.229.160.10         1 3 4    180      0      85

sc2200-primary.highspe   123 216.229.160.10         1 3 3    180      0      88

ppp67-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      94

ppp81-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0     101

216.229.166.121          123 216.229.160.10         1 1 3    180      0     101

ppp84-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0     101

64-35-142-218.gohighsp   134 216.229.160.10         1 1 3    180      0     105

66.225.8.62              123 216.229.160.10         1 3 4    180      0     116

con1-psc.go180.net       123 216.229.160.10         1 1 3    180      0     135

host:~ # 

------------------------------------------

You can see that ntpdc gives you quite a bit more, but nmap makes much quicker work of it.

What to do about it?

Well now that you know what is going on, you can stop it, right? Well this depends on your setup.

For very good info on locking down NTP take a look at http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

Sadly they don't have much for windows for windows and I was unable to find anything about hardening windows NTP servers. With this I would say, as I do about any windows server, don't expose this to the internet!!!!

Proactive!!!!

If you want to be proactive about this there are a few ways you can go about it. 

The best is the limit your public facing NTP ports, this limits what the bot nets can even get to.

If have to have a NTP port public facing then you should check and follow the link above to learn how to harden it.

Use the command 

-----------------

nmap -sU -pU:123 -Pn -n --script=ntp-monlist "Your test host here"

------------------

Once you are locked down you should be good to go!!

Conclusion

I want to mess around more with the NTP exploit to better understand how they go about implementing the attack. So look out for a post about the results of  my honeypot setup for NTP.

How to Change your Product Key on Windows Server 2008 R2

Greetings blog-sphere inhabitants!

Here is a quick post with some useful info on product keys on the CLI of windows server 2008.

I was tasked at work to take a copy of a Hyper-V terminal server from a active server and make it into a new server to use as a back up to the main server in which this new one was a copy of.
So, piece of cake, Right? So I do an export of the Hyper-V session, move it to the new physical host and fire it up without a network connection. Change the IP, hostname, etc. Golden, except the windows product key. I do some digging around and find no easy way to do this at first, CRAP!

Well its tech net to help here, I found a VBS to help with this little project. In doing so I found it to be very useful in troubleshoot problems with product keys as well!

The script is located on all installs in C:\windows\system32 and is named slmgr.vbs. Blow are some screenshots of the options for the script.

As you can see thing little script does a hell of a lot!
To replace the current key use the following commands.
slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
(replace the xxxxx with your product key)
The /ipk option, as you can see above, Replaces the current key with the new entered key.
I then,
slmgr.vbs /dlv
slmgr.vbs /dli
These two commands will give you the key info as well as tell you if the key is active or not. You can then activate the key.
Now, the script says it can do this with the /ato options, it lies. You need to use the command slui.exe which will bring the activations wizard up. Make sure you have a connection the net before you do this.

Once you get that all done you are ready to go.
This worked out great because when I change the product key on the server, the DC saw it as an all new server. But there was no installtion to do, everything I needed was already there and ready to go.

I hope this was a helpful post, it was useful info to me.

Until next time, keep on hacking!!!

Project #1:Determining Android Charging power requirements

Greetings!
Well its been a while, and life got crazy, but I'm back with our next post. This one with ADC good. :)


The Process:
The next step in my project is to determine the power requirements for an android phone while charging. The idea is plot the Voltage vs. Current curve, I.E: power, over the length of time in which it takes to charge. This will show how much power, over what duration of time the solar charging source must to provide.
The method to my madness runs something like this, charge several different types of phone, with different power sources and collect the data. This will confirm if there are any different current draws with different power sources on different phones.
With this in mind there are three different parts to this step to this part of the project, the phones, the power sources, and the data collections. Lets start with the data collections.

Analog to Digital Voltage and Current Sampling  Circuit:
To collect the charge curve data I'm using a BS2px24 Basic stamp PIC connected to a MCP-3002 2 channel analog to digital converter reading voltage from a current shunt in series the USB charge circuit for the phone. See below for the circuit:

Circuit Break down:
There are Three parts to this circuit, the current shunt in the charging circuit, the MCP 3002 and the Basic stamp. Each part is mostly KISS and should be easy to follow, but for those less familiar with Electronics I'll break it down.
First the current shut, this is composed of 4, 10 Ohm, 1/2 Watt resistors in parallel with each other. this will make for about .4 Ohms of resistance in  series with the charging circuit. Now ideally you would want to use precision resistors for this as you will need to be spot on with your measurement here. But I'm building this mostly out of scrap so I just used 10% components and then measured the resistance.
The idea of the current shut is that it will drop a small portion of the voltage from the charge circuity that is directly proportional to the current being used in the circuit  You can use : E/R=I where E=voltage, R=the resistance pack(.4 Ohms) and I=the current. So if you measure .53V DC across the resistor pack that means you have 1.32A DC flowing through the charge circuit.

This voltage that is dropped across the resistor pack, as well as the voltage applied to the charge port of the phone is picked up by the MCP3002.

The voltage from the current shunt is sent to the channel 1 input and the voltage at the phone charge port is sent to channel 0. For those who are not familiar with Analog to Digital converters let me give you a quick run down.
The whole function of a ADC(Analog to Digital Converter) is to take a very fluid analog signal and convert it into a 10 bit binary word which a computer or microprocessor can understand. A microprocessor can only understand predefined states, which in this case is >+5V DC(which is a binary 1) or <2 V DC(which is a binary 0). Well is this is not going to work for my project because I need to measure voltages like .53V DC. If I hooked this up right to the I/O(input output) pin it would read 0 all the time. This is where the ADC comes in. It has a sampler which will sample the voltage at a high rate(in this case 10,000/s), convert it into a binary word and send it to the PIC.
The next step of fun comes in getting this binary word to the PIC. This is done via synchronous serial on the Dout pin of the ADC. But before I get to far lets start with the first step of setting the ADC up.
The MCP-3002, according to the data sheet, has two different input modes, and two different read out modes. To set these, mode command bits need to be sent to the ADC in a predefined order. This also needs to be coupled with pluses on the clock pin for each command as well as toggling of the enable pin.
Below is a timing chart so the states of all the input and out pins over the duration of time it takes to send the input commands and get the 10 bit reading back.

I've labeled the different events on the chart so you can follow along with the flow of things.
Something to clarify for those who are new to this, the clock pluses on the CLK pin control when the ADC will receives or send a bit. This synchronizes the PIC and the ADC so no bits are lost in the course of data transfer.
The other thing to point out is the CS pin, this pin pulls the ADC out of standby mode. With out this pin high, the chip will do nothing!
It is important to see that the information above is critical to the functionality of the project as a whole. With out this reliable data transfer we would never be able to get the data we need for this part of the project.

This leads me into the next part of the project, the Basic Stamp, or as I have been calling it the PIC(Programmable IC)

The BS2px24:
This is where it all comes together, in the PIC. The PIC gathers the data words from the ADC, converts them to decimal numbers, formats them and then sends them out to the RS232 port. To aid us in walking in how the PIC does this lets walk through the code. Below is the code in its entirety  I'll show chunks as we walk through it.

' {$STAMP BS2px}

' {$PBASIC 2.5}

SetupPins:

'Setup the pin Functions.

'P0=RS232 in.

INPUT 0

'P1=RS232 out

OUTPUT 1

'P2=SPI in

INPUT 2

'P3=SPI out

OUTPUT 3

'P4=CS(Chip enable)

OUTPUT 4

'P5=Clk(Clock for syncing the SPI communications)

OUTPUT 5

SetupCons:

'Set freindly names for all the I/O pins.

RS232IN CON 0

RS232OUT CON 1

DIN CON 2

DOUT CON 3

CS CON 4

CLK CON 5

SetVars:

'Setup our Variables.

'VIN will be the 10 bit Value repersenting the Voltage read by the MCP3002

VIN VAR Word

'ACDIN will be the bit flag telling the MCP3002 which port to use.

'port 0 is used for Voltage readings and port 1 is use for Current.

AdcIN VAR Bit

'Setup our timing output

TickVal VAR Word

'And a temp tick Var

TickTemp VAR Word

Main:

'Make Sure our Vars are rest

TickVal=0

TickTemp=0

VIN=0

DO

  'Set our port for Voltage

  AdcIN = 0

  'First we get our Voltage

  GOSUB InitMCP3002

  GOSUB ReciveDataBits

  GOSUB Tick

  GOSUB SerialOut

  'Then our Current

  'Set the port for Current

  AdcIN=1

  GOSUB InitMCP3002

  GOSUB ReciveDataBits

  GOSUB Tick

  GOSUB SerialOut

LOOP

Tick:

'Sets up a processes timer which will time stamp all values sent out.

PAUSE 1

TickTemp=TickVal+1

TickVal=TickTemp

RETURN

InitMCP3002:

'Initaite the MCP3002 by sending config bits and a Start bit

'Set clk and cs pins high to indicate idle

HIGH CS

PULSOUT CLK, 5

'Send the start bits by brings CS low and sending a 1 to CLK and DIN

LOW CS

SHIFTOUT DIN, CLK, 0, [1\1]

'Set Mode to Single Ended Mode by sending a 1 on the DIN

SHIFTOUT DIN, CLK, 0, [1\1]

'Set the input to Port with ADCIN Var.

'0 for port 0 and 1 for port 1.

SHIFTOUT DIN, CLK, 0, [ADCIN\1]

'Setting the Format

SHIFTOUT DIN, CLK, 0, [0\1]

'One more clock cycle for the Null bit

PULSOUT CLK, 5

RETURN

ReciveDataBits:

'Read the 10 bit Digital value from the MCP3002.

'The max input(anything over Vdd) will be 1023.

'Read 10 bits from the DOUT pin

VIN = 0

SHIFTIN DOUT, CLK, 0, [VIN\10]

RETURN

SerialOut:

'This sends the raw values to the RS232 Caputer device for further processing.

'Send the voltage out the RS232 port

IF AdcIN =0 THEN

SEROUT RS232OUT, 3313, [DEC5 TickVal," ,",DEC VIN," ,"]

ELSE

SEROUT RS232OUT, 3313, [DEC5 TickVal," ,",DEC VIN," ,",CR,LF]

ENDIF

RETURN

Before we dig into the code I would like to make a few notes on this PIC. For info on the BS2px24 you can go to The Parallax Web Site see all that they have. The langues is call PBASIC, its a low level langue in the form of a high level langue in that it is formatted much like BASIC, but does more low level functions. You can got the link above and find more info on PBASIC as well. Also Note 'this is a comment.  Anything with a ' in front of it is a comment in this langue. 
Now on to the code!

Setup:

' {$STAMP BS2px}

' {$PBASIC 2.5}

SetupPins:

'Setup the pin Functions.

'P0=RS232 in.

INPUT 0

'P1=RS232 out

OUTPUT 1

'P2=SPI in

INPUT 2

'P3=SPI out

OUTPUT 3

'P4=CS(Chip enable)

OUTPUT 4

'P5=Clk(Clock for syncing the SPI communications)

OUTPUT 5

First we must tell PBASIC how to compile on load to the PIC. The first two lines do this, it tells the compiler that this is a BS2px and that its using PBASIC version 2.5.
BS2px24 PICs have 16 I/O pins labeled P0-P15, before we do anything with these pins we have to tell them what their function is going to be. This is what the "SetupPins:" Subsection is all about. You can see above each pin constant I have put a comment as to its function.

SetupCons:

'Set freindly names for all the I/O pins.

RS232IN CON 0

RS232OUT CON 1

DIN CON 2

DOUT CON 3

CS CON 4

CLK CON 5

Next we set our constants up, these are all names we give to the Pin. I've set the names up to be the function of the pins so it easier to follow the code.

SetVars:

'Setup our Variables.

'VIN will be the 10 bit Value repersenting the Voltage read by the MCP3002

VIN VAR Word

'ACDIN will be the bit flag telling the MCP3002 which port to use.

'port 0 is used for Voltage readings and port 1 is use for Current.

AdcIN VAR Bit

'Setup our timing output

TickVal VAR Word

'And a temp tick Var

TickTemp VAR Word

Here we set the variables used in the in the program, they are self explanatory for the most part. You get some more clarification when you see them used.

Sub-routines:

Tick:

'Sets up a processes timer which will time stamp all values sent out.

PAUSE 1

TickTemp=TickVal+1

TickVal=TickTemp

RETURN

Here we have a simple timing setup. Sadly PBASIC is a little limited in its arithmetic functions, so I had to do the mess with TickTemp=Tickval+1.

InitMCP3002:

'Initaite the MCP3002 by sending config bits and a Start bit

'Set clk and cs pins high to indicate idle

HIGH CS

PULSOUT CLK, 5

'Send the start bits by brings CS low and sending a 1 to CLK and DIN

LOW CS

SHIFTOUT DIN, CLK, 0, [1\1]

'Set Mode to Single Ended Mode by sending a 1 on the DIN

SHIFTOUT DIN, CLK, 0, [1\1]

'Set the input to Port with ADCIN Var.

'0 for port 0 and 1 for port 1.

SHIFTOUT DIN, CLK, 0, [ADCIN\1]

'Setting the Format

SHIFTOUT DIN, CLK, 0, [0\1]

'One more clock cycle for the Null bit

PULSOUT CLK, 5

RETURN

Here is the programming behind the first part of our timing diagram. You can see where we set out CS high and send out a pulse on the CLK pin. Here we doing it for 5 clock cycles, this makes it long enough for the ADC to see it as a clock pluse.
 Next we pull the CS low to turn the chip on and then send a 1 bit out the Din pin and send a clock pulse out. This starts off the set up process on the ADC that we spoke of above. You can see the rest of this in the comments and compare it to the timing diagram.

ReciveDataBits:

'Read the 10 bit Digital value from the MCP3002.

'The max input(anything over Vdd) will be 1023.

'Read 10 bits from the DOUT pin

VIN = 0

SHIFTIN DOUT, CLK, 0, [VIN\10]

RETURN

Here we are shifting in to our 10 bit ADC output value into the VIN variable. If you noticed in the variable set section we set this variable up as a word, which is 16 bits long. This is a limitation of PBASIC in how it sets up it variables. You can have a single bit, a nibble(4 bits), a byte(8 bits), or a word( 16 bytes). This secontion is not quite as clear, the line "SHIFTIN DOUT, CLK, 0, [VIN\10]" is doing the shifting in. The SHIFTIN DOUT is telling the PIC to recive bits on the DOUT pin. Then use the CLK pin to send sync pulse out to the ADC. The 0, [VIN/10] tells the PIC to not change the order the bits come in and to put the bits into VIN and that there are 10 bits to receive.

SerialOut:

'This sends the raw values to the RS232 Caputer device for further processing.

'Send the voltage out the RS232 port

IF AdcIN =0 THEN

SEROUT RS232OUT, 3313, [DEC5 TickVal," ,",DEC VIN," ,"]

ELSE

SEROUT RS232OUT, 3313, [DEC5 TickVal," ,",DEC VIN," ,",CR,LF]

ENDIF

RETURN

This is our last sub-routine,  Here we take our values and send them out to computer's RS232 port. We have to first figure out what port we are reading. If AdcIN is set to 0 then we are reading the port voltage and will send that info out. If we are reading port 1 then we are reading the shunt voltage and we will send that value out. Along with each value we will send out the TickVal so we know how many milliseoncds into the test we are.

Main Code Section:
Here is where it all comes together, we stitch all the sub-routines together and make it work!

Main:

'Make Sure our Vars are rest

TickVal=0

TickTemp=0

VIN=0

DO

  'Set our port for Voltage

  AdcIN = 0

  'First we get our Voltage

  GOSUB InitMCP3002

  GOSUB ReciveDataBits

  GOSUB Tick

  GOSUB SerialOut

  'Then our Current

  'Set the port for Current

  AdcIN=1

  GOSUB InitMCP3002

  GOSUB ReciveDataBits

  GOSUB Tick

  GOSUB SerialOut

LOOP

So first we make sure all variables are set to zero, then we dive into a loop. This keeps the process going none stop so we can just keep making measurements until the PIC is turned off. So in the loop we first read port 0 for our charge port voltage, we set up the ADC, read the bits, count the time, then send it to out the RS232 port. Next we do the same thing on port 1 for the shunt voltage reading. Then we loop till the cows come home!

Next up, Conclusions!!!!
Stay tuned for the test results and what the next testing step will be. :)

Holiday Hacking distraction!!!

So as a break from all the holiday madness I thought I might share a good hacking distraction for you all! *No worries I'm still working on the next installment of the Android Solar charger project.*

My brother recently acquired a Lenovo Android tablet and so had no need for his Archos 101 IT. He ditched the Archos 101 because it is not an official Android OS device, so you are not able to access things like Google play or normal Google account functions. There were some work around but they were flaky at best. So he gave me the tablet with the hopes I could do something useful with it and if nothing else have a fun toy to keep me occupied during the time of year I hate. So here is the breakdown of how I made it a bit for functional, enjoy!


The Device:

The Archos 101 IT is a gen8 device put out by Archos. From what I have read on line it is a mid level device with a comprises of cost and capability. It has a 1GHz ARMv7 processor which in the stock ROM is turned down to 800MHz. There is 6GB of on board flash, the alt OS is loaded as a loop device which is only 170MB.  This can cause a bit of a problem Cyanogenmod OS because you run out of space to install apps which are installed in the OS partition by default. The Stock OS is 500MB so there is a little more room but not much. The 101 IT also has the ability to read micro SD and microHCSD which is handy for loading files to it.
The Device screen is 21.5cm(8.5 inches) wide and 12.7cm(5 inches) tall. According to info I was able to glean out of /proc/bus/input/devices it uses a Unitech USB Touch screen interface. From the same file I found it uses a MMA7660FC Accelerometer to detect orientation of the device. I am able to get a location off of google maps but I couldn't find a GPS on any of the bus in the system so I'm not sure how that is working. I'll post more on that as I dig it up.
The 101 IT has 256MB of onboard RAM which is supplemented by a swap file on the on board flash. I was unable to find any more info on the speed or what kind of RAM it is.
It also has a Camera on the front of the device but I was unable to find much about it, and I really didn't care at this point as its not pivotal to the operation of the OS.

The Rooting:
The rooting of the device is very easy as ARCHOS gives you all the tools to do so. I must give ARCHOS cred here for having a developer flash you can load on the tablet. This is very much in the spirit of GNU/Open source on which Android is built. ArchOS calls this their SDE * Special developer edition* firmware. This is basically another image and mod to the boot rom which will give you the tools to load new kernels and zimages to the device. You can get the SDE from Here: http://www.archos.com/support/support_tech/updates_dev.html?country=us&lang=en
This will be an *.aos file which you down load from the tablet in the stock OS. Once the stock OS finds the *.aos file it will ask you to upgrade, just tell it yes.
Next we go to the people who build openaos, this is a unofficial build of Cyanogenmod for the ARCHOS tablets. You can find them here: http://www.openaos.org/
Now their site is hard to navigate so I'll save you the trouble and send you where you need to go. http://dev.openaos.org/wiki/SettingUpMultiRootGen8
At the link above they have some rough instructions on loading their kernel and zimage to the device. They say nothing about needing the SDE first so its a little confusing without that bit of info.
Hold the volume down button while powering the device up. This will bring up a recovery screen with a few options. The first two are to boot into the stock OS, labeled "Android", and the second is to boot into the SDE, labeled "Developer Edition". You want the third option, "Recovery System". Use the volume up down to move up and down and a momentary press on the power button for select.
Once in the recovery menu you will see the option for "Developer Edition Menu", thats where our goodies will be to uploaded. In that set of menus select "Flash Kernel and Initramfs" and it will ask up to hook up the USB cable and load the files.
Hook up the USB and mount the device like any other USB mass storage device. *I'm assuming you know how to do that in your OS*
http://www.openaos.org/wp-upload/gen8/2012-04-09/
 Then from the link above download the tar ball kernel_gen8_20120409_002900.tar.gz  and extract its contents. You will want the initramfs.cpio.gz and the zimage files from the tar ball. There is a modules file that is not needed in the tar ball, so just leave that be.
Copy the files over to the the USB mass storage on the device and select ok on the device. It will reboot back into the stock OS.
To test your Root, reboot the device again and as its coming up hold the volume down button and wait for the recovery menu to come up. Select the "Developer Edition" item and let it boot. You will see after the ARCHOS splash an openaos splash and then a simple GRUB boot menu. If this is indeed what you want to see, you have rooted the tablet!!! Now lets load Cynogenmod!



The Loading of the OS:
Now on the GRUB menu you will see three items, Archos, Angstrom, and Advanced Menu. The first two are the stock OS and the SDE OS. We now need to load the new OS onto the system to get the real fun going.
To do this boot into the Archos selection on the menu and hook the device back up to your computer via USB. After you have it talking as a mass storage device we will need to go back to the openaos site from above and get the OS image file.http://www.openaos.org/wp-upload/gen8/2012-04-09/
Decompress the gzip file and copy it to the root of the USB mass storage. Then take a raw text editor like notepad++ in windows or just vi in *nix and edit the menu.lst file. In menu.lst you will see the following lines already there:
Archos|ARCHOS|ARCHOS|/init|0
Angstrom||/rootfs.img|/sbin/init|1

You will need to append this line to the file:
Gingerbread||/openaos-gingerbread-bull-gen8-121502.img|/init|0

You will want to make sure that the second parameter matches the filename that you just loaded on the devices. The fourth parameter sets the frame buffer to high res, where a one in the fourth parameter 1 sets it to low res. Now save the file and reboot again. Remember to hold down the volume down button while it powers up to go into the recovery mood so you can select the developer edition. Once you do and GRUB comes up you should see an option for Gingerbread now, select that option and Gingerbread should boot. You'll see nothing at first and then the word android come up on the screen. The first boot takes some time but its faster after that. Once its up you are ready to rock and roll!! You have loaded Cyanogenmod on your tablet!!

Google Apps:
Because Cyanogenmod is not an official google OS it can not come loaded with the google apps, you have to add them yourself. The good thing is that the folks at google don't want to exclude you because of this and so make these available to the folks at Cyanogenmod. To install these apps go to the following link while in the Gingerbread OS:
http://wiki.cyanogenmod.org/wiki/Latest_Version#Google_Apps
Go down and click the mirror1 link under Cyanogenmod7 and this will take you to a mediafire page where you can download the zip file. After you download it just reboot back into Gingerbread, its that easy! The openaos guys set up a script to look for that file in the download location and it runs it on boot. Once Gingerbread comes up it will take you through the normal google setup. One tip to help you along, it will not select the right default language, so make sure to manually pick the right one to make things move smoother. Once you have gone through that google play will be installed and you can start installing stuff from google to your hearts content!


Conclusion:
So there you have it, hope you enjoy your Holidays and your hacking distractions! Thanks again to the guys at openAOS, ARCHOS, and Cyanogenmod for all the info on their pages and making all this available so you we can have fun doing it!

Thanks to the people at ArchOS they have made it a breeze to install an alternative OS on the 101 IT.  With the help of the openaos folks and their hard work there is an OS out there which you can load and have fun with.
You will have to do some tweaking with Gingerbread to make work really well for you. The CPU governer is set quite low at first and it runs very slow. But if you go into settings-->Cyanogenmod Settings--> Performance-->CPU settings you can change the governor to Performance and the max CPU speed to 1000MHz. This will speed things up greatly and make it useable.
The only other problem I have run into thus far is the space limitation with the OS image only being 150MB in size. I have had mixed luck installing apps to the external storage space, which is the on board flash, and having them work as needed. I plan on trying to expand the size of the image to around 1GB and see if that helps.

Welcome to the wild hacker view.

Greetings to all of you out in the the inter-blags!
Welcome to my new project and idea blog!

I'm sure some of you are wondering what this is all about, well let me explain. First I chose the title based on the two ideas. First I tend to spend my time more in the wilds of Northwest US more then in the city, and I'm always trying to make technology work for me out in the wilds. Second I wanted to make a blog about hacking in real life, not just hacking for hacking sake. You know the kind of projects I'm talking about, the Augmented reality Doom backpack computer system with VR helmet and 3 years dumped into it just to play Augmented reality Doom...
This blog is all about projects I(and I hope you) can use daily  and may make your life a little better because of it.

So you know why, now the question is what! The projects will be focused mostly around green tech. Using solar and wind to power devices, automated sustainable farming and gardening systems, reusing scraped electronics and doing it all the cheep! (Because none of us have much in the way of money.)

So are we ready, here we GO!!

Project #1:Portable USB style solar charger for portable devices.

I find the effects of electronic devices on society very fascinating. How things like the person computer, the calculator, and the cell phone has completely changed the way we act, our expectations, and what we consider productive in our world. Specificity the effect of the "smart phone", the current apex of portable computing. Its is the do all device, it has access to many different mediums of communications, it has any kind of function you want limited only by hardware, and it can work just as well as a PC but fits(mostly) in your pocket. Its what we hackers where dreaming of 5 years ago. But, just as with every device it has a few limitations. Its only effective when in range of the cell system, its only as capable as its OS and its operator, and its only good as long as it has battery power. This leads me to our topic, the smart phone owners constant bane,...... a dead battery!!!!
With the addition of internet access on your phone you can now stay connected 24/7, as long as your device is powered on and in range of the cell network or a WiFi AP. Every time your device talks to the network to sync email, check facebook or load a web page its transmitting. For a short period of time(the duration of the packet being transmitted) its using as much power as it would when you where on a phone call(in ratio to time duration). So of course being that the transmit duty cycle is much higher the battery lasts a shorter time. The way most people fix this is by having chargers every where they go so it only runs on battery for a short time. But what about those of us who walk, cycle or are other wise are away from a ready charger or easy power source? Well here are one of my ideas to over come this.

Charging on the go.
Most phones now charge off of a USB 5VDC power sources. So you now are finding every where 120AC to USB or car socket to USB adapters. These are great if your near a wall outlet or a car that is running. But what about on a bike, or hiking or when the car is off? My answer is solar.
Now there are several products out on the market now that are solar powered phone chargers. But my goal in this project is to build a charger that is simple, rugged and will last as long as it can with little maintenance.

Batteries vs. Supper Caps
Most products that will charge your phone from solar power use a photovoltaic panel hooked to a voltage regulator or charging circuit. This then charges a small battery which in turn charges your phone. This works as long as the battery is in good health, but over time it will fail or retain a shorter and shorter charge life and will die at some point.
The other way to do this is use a capacitor in a RC circuit. The challenge with this is to get a large enough capacitance to do this would render this device none portable. Standard capacitors with values grater than 1 farad and voltages higher than 5VDC are 3cm in diameter and at least 5cm higher, if not taller. Even though they are much lighter than a battery you would still have to carry a large pack of these things around with you. But we are in luck with the advent of double sided capacitors, or what they call supper caps. These have a value of 10 farads and a voltage of 2.5VDC and are only 3cm high and .5cm in diameter. Now with several of this our pack is looking much smaller, but how effective would they really be?
Power density
When looking at the effectiveness of a power source for a portable device one must look at power density. This has two factors to, the power(in Watt Hours) per volume and the power per weight. This will help us to determine the best balance between longevity, size, weight.
Now, most people would do research on line to out this info. But, that sounds boring! So I have put together information based on tested done in my shop to fit this required function of charging a smart phone.

What's next?
The next step in our project is to determine the power requirements of the device we will be charging. This will give us parameters to work with in when designing our power source.
Second is to test several different power sources to see which will best meet our requirements and have the highest power density.
Third, we put it all together!

In my next blog installment I'll cover the first step, determining the phones power requirements.

So stay tuned for the next installment of electrical goodness!