CCcam performance tuning

CCcam is used for satellite, cable or terrestrial DVB card sharing.  In this post I will try and give you some information on it's performance tuning to get a stable problem free cardserver.  I myself am using a smargo cardreader under Linux to take the load off my satellite receiver.  The receiver (a DM800) is totally rubbish for running a big CCcam server (I have around 100 peers).

Clean config
First things first, you need to clean up your CCcam.cfg.  I'd recommend installing an application like CCcam webinfo PHP and see what your peers are sharing and if they are resharing.  Contact the peers who aren't sharing to see what's going on there, if they do not respond; kick them.  As a default I recommend F and C lines to look like these;

F: friend password 1 0 0 { 0:0:2 } { } { } friend.dyndns.org
C: friend.dyndns.org 12000 myname mypass no { 0:0:2 }

This ensures you only receive hop1 and hop2 and only send your local and peers cards to your peers which they are allowed to reshare one more time.


The CCcam.prio file
With cardsharing it's possible that zapping channels takes some time, this can be normal as you might be trying to watch a channel for which you don't have a subscription and CCcam needs to find a valid decryption key in it's peer network.

It is annoying if you try to open a channel for which you have a valid subscription and have to wait a couple of seconds.  The trick here is to tell CCcam it should try to use your card first (if possible) as the channel might be shared between several providers and many different cards might provide decryption keys for it.  CCcam uses a seperate config file for that; 'CCcam.prio'.  On top of this file you need to add your card type as a priority card.

# CCcam.prio
# Example; first try CD-NL (100:6a), then TVV (100:6c) and use old 622:0 last.
P: 100:6a
P: 100:6c
P: 622:0
# Example: Ignore the old Sky UK card (961:0) and use new Sky UK as priority.
I: 961:0
P: 963:0

SID auto assign
A very cool feature is to let CCcam figure out which channels open with your specific card and build a list of that.  After a while (might take a few days though) you use this channel-id list and reconfigure CCcam to only request decryption keys for these channels on your card and instantly refuse all others (no need to wait on the timeout for the decryption key any more!). You can initialize this feature by setting the appropriate line in your CCcam.cfg file:

# CCcam.cfg
# for a Linux cardserver, set a maximum of 500 auto assigned SID's
SMARTCARD SID ASSIGN : /dev/ttyUSB0 500 { }
# for a Dreambox receiver, set a maximum of 500 auto assigned SID's
SMARTCARD SID ASSIGN : /dev/sci0 500 { }

Wait a few days, zap all the channels and the list will built up.  You can check this list on the CCcam webinterface under "Entitlements".  Copy the line starting with "assigned sids:", but leave that piece of text out.  Paste this list between the curly brackets of the "SMARTCARD SID ASSIGN" line in your CCcam.cfg.  If you are confident this list is complete and you feel brave enough then you can replace the "500" in this list with "0" (zero).  All channels are now statically configured for your card resulting in faster zap times (for you and your peers!) for the channels not allowed on your local card, but queried though the CCcam network.

Satellite card overclocking
While zapping you'll also have to wait until you receive a valid decryption key, this is also called the ECM (Entitlement Control Message) time of the card.  It is possible to "overclock" the satellite card in CCcam and shave 50-100 milliseconds in this process.  Some cards overclock better than others and it will also depend on your cardreader.  Be careful with builtin cardreaders as the card might run hot due to the generated heat of the receiver and the overclocking itself ;-)

I use overclocking to get better ECM times than my competitors on my peers.  My peers will notice that I take the bulk of the ECM traffic and they will cherish our F/C lines ;-) 

Here are some overclocking values I've found, I have not tested all of these myself.  Replace XXX with the path to your cardreader (TTYUSB0 for linux, sci0 for a dreambox)

# CCcam.cfg
SMARTCARD CLOCK FREQUENCY: /dev/XXX 6860002 (SECA 0.330 to 0.275)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 8200000 (Irdeto 0.195 to 0.1370)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 5250000 (NDS 0.210 to 0.191)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 5300000 (NDS 0.191 to 0.172)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 5600000 (Conax 0.275 to 0.178)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 8300000 (Irdeto2 0.215 to 0.151)
SMARTCARD CLOCK FREQUENCY: /dev/XXX 8420000 (Irdeto2 0.225 to 0.140)

What are your overclocking values? :)

Added Adsense

I have added Google Adsense to this blog.  I do not expect to make any money out of it, but it's fun to find out how this stuff actually works.

I have to use a pristine Chrome install to see the ads, as I'm normally using Firefox with Adblock Plus and do not see any adverts ... at all :)  I'm always surprised to pages littered with ads when I'm using someone else's PC, especially in IE.  It would drive me crazy ;)

So I don't expect you to click on these ads (but you're welcome to) and my apologies if these annoy you.  Consider using Adblock Plus, it is free (!!) and available for Chrome and Firefox.  For you poor people still using IE, please get a proper browser and experience an ad-free internet with this splendid browser extension! You won't regret it.

Thanks for reading!

Ubuntu 11.04 & fixing broken Compiz

So I made the mistake of updating my stable 10.04 to 11.04.

I tried the new unity GUI and didn't like it. It might be a nice GUI for a touchscreen with it's big icons, but not something which I like on my dual head workstation. You can hardly tweak it to your liking, and tweaking is just exactly what I want to do :)  Now I have to say that I never really liked the gnome desktop as it always looked so crude compared to the KDE desktop, but with all that compiz spinning cube and other eye candy I started to get fond of it (especially fun when you see the jaw dropping expressions when people see your desktop and wonder what the hell it is).

Fortunately it's possible to switch to the "classic" gnome desktop, which I did hoping to have the same user experience as with the previous Ubuntu releases. I fiddled around with the compiz settings as it didn't quite seem to behave as I expected. Nothing seemed to work, I suspect it is severely broken :(  Is it some trick to push the community to this Unity desktop?

I found out I wasn't the only one severely annoyed by this, someone wrote an excellent article on how to downgrade compiz and get things back to pimpin' normal. Just copy and paste the following in a terminal as root:

apt-get purge compiz compiz-plugins-extra compiz-plugins-main

apt-get purge compizconfig-settings-manager

add-apt-repository ppa:guido-iodice/compiz-0.8.6-natty
apt-get update
apt-get install compiz compiz-core compiz-fusion-plugins-main compiz-fusion-plugins-extra compiz-fusion-plugins-unsupported compiz-gnome compiz-plugins compizconfig-backend-gconf compizconfig-settings-manager libcompizconfig0 libdecoration0 python-compizconfig  

And logout and back in of course! Many kudos for the person providing this workaround.
I got my spinning cube back and won't be using Unity for quite some time :)

Maybe I'll switch to Kubuntu as I briefly used it's live-cd and it looks awesome.  I think it can integrate with compiz just as Gnome only looks much better.  On the other hand, change ... face it - people don't like change ... I know people who have been running TWM (which was ground breaking in 1987) on their desktop for over two decades ;)

Thanks for reading!

Enabling IPv6 on the dreambox 800 satellite receiver

I'm running OpenPLI Beta-2 on my Dreambox DM800 Linux based satellite receiver.  It was pretty easy adding IPv6 support by just issuing a 'ipkg add kernel-module-ipv6'.  The box was getting an IPv6 address and I could SSH to it via v6.  But none of the other services/daemons were listening on IPv6, something which had to be fixed :-)

I was thinking on using the same library wrapper as I've used on my WL-404, so I had to build a cross-compiler as the DM800 is a mips based linux box.  I just used the instructions on building a PLI image to build my cross compile toolset.  It can be found in 'build-dm800/tmp/sysroots/i686-linux/usr/mipsel/bin/'

Cross compiling libnat64 was easy.  Just replace gcc with mipsel-oe-linux-gcc in
the Makefile.  I decided to test the LD_PRELOAD library with inetd which worked perfectly.  All services, which included the streamer were working via IPv6.  So why not take it to the next level and include the libnat64 to '/etc/ld.so.preload' ?  Unfortunately this wasn't working as I hoped as enigma2 (the dreambox core component) was crashing...

I ended up compiling xinetd specifically for this platform as it features ipv6 support unlike the very old inetd installed by default.  I was able to proxy the enigma2 web interface from v6 into v4 within xinetd as well ;-)

Replacing the broken dropbear package (it used to be IPv6 aware) with OpenSSH enables SSH over IPv6 ;)

The iPad2

It's time to update this blog as I got my wife a new toy; the iPad2.

After unboxing I got a nasty surprise; it won't do anything unless you hook it up to iTunes.  That's a bummer if you only have Linux computers at home, like me ;-)  What's up with that?  It could be ideal for people who do nothing more than browse the web, email and play an occasional game, but in this way they require you to have an additional desktop.

So i just brought up a XP VM and mapped USB to the VM and kicked off iTunes.  It worked like a charm and updated the iOS to the latest version and created a backup.  Finally I have an working iPad!

The screen looks awesome and the touch screen interface works very intuitive, even my 1 year old daughter is able to play around with it ;-)  The iPad is very well built and looks much tougher than most Korean / Taiwanese / Chinese competitors while being lighter at the same time.  Still it's too heavy for your wrist when you hold it for a long time.

To be able to acquire access to the app store you need to create an Apple-ID.  Apart from the ridiculous terms and conditions it seemed impossible to get access to the store without providing credit card details.  You have to google how to get this done as Apple has done their best to hide this as far away as possible.  They sure don't hide the fact that they are a money greedy corporation! ;-)  I'm also surprised that it is impossible to delete your Apple-ID as there must be some data protection and privacy laws requiring this.

As an Android user I have gotten used to running widgets on workspaces to instantly show me RSS feeds, email, calendar, weather and such.  Surprise, surprise - no such thing for the iPad.  It seems Apple has been banning widget apps from it's store.  What a disappointment, once you get used to these widgets you'll love them!  Apple fanboys @ work tell me this must be implemented in a new iOS version.

Another thing you won't find in the app store; applications which are able to control your torrent downloader.  I'm using transdroid on Android to control my transmission torrent server, but for some reason Apple bans all apps related to torrents....  They want you to use iTune$ for downloading entertainment, I get it ;-)  In fact, I have never seen so many $ signs as on this iPad!

What this iPad is also missing is a standard USB port (be it mini/micro) to hook a memory stick or your camera on.  There is also no multimedia card reader builtin.  Apple forces you to buy the iPad camera connection kit to be able to do that. Not very user friendly isn't it?

Next things to test; camera connection kit and linux multimedia file synchronisation. I will update this blog later on this :)

So to summarize;

Why it's good:

• Very good built quality
• Battery life
• Gorgeous screen
• Amount of available apps

Why it sucks:

• No workspace widgets
• iTunes lockin
• There is no Adobe flash available
• No builtin memory cardreader
• No (mini/micro) USB port
• Apple's moralistic app store policies

UPDATE: Steve Jobs mailed me, iOS5 will feature widgets and they will look into my other complaints ;-)

Ubuntu mailserver setup with sendmail + DKIM + ADSP + IPv6 + SPF + STARTTLS

I decided to add DomainKeys Identified Mail with an ADSP policy and Sender Policy Framework on my email server which would help in identifying spoofed spam emails apparently sent from my domain and to add some authenticity to the emails I'm sending.  Might as well add STARTTLS to enable encrypted SMTP while we're at it right?  Here is how I did it:

  sudo bash
  apt-get install sendmail (the MTA)
  apt-get install opendkim (the dkim package)
  apt-get install libmail-dkim-perl (so that spamassassin will verify dkim signatures, which it doesn't do by default in the ubuntu spamassassin package)

edit /etc/mail/sendmail.mc :

DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl

This option will make sendmail bind on both IPv4 and IPv6 sockets.

include(`/etc/mail/tls/starttls.m4')dnl

This line will enable starttls (encryption in SMTP).

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

This input mail filter ensures that sendmail starts communicating with OpenDKIM.

Generate the new configuration: m4 sendmail.mc > sendmail.cf ; /etc/init.d/sendmail restart

Now edit /etc/opendkim.conf :

  Domain: example.com

  KeyFile: /etc/mail/dkim.key

  Selector: mail

  Socket: inet:8891@localhost

  UserID: opendkim

  LogWhy: True

  SubDomains: True

Now it's time to generate a key for signing.  The private part needs to go into /etc/mail/dkim.key and the public part (mail._domainkey TXT record) in your DNS zone.

  opendkim-genkey -d example.com -s mail

  cp mail.private /etc/mail/dkim.key

  /etc/init.d/opendkim restart

By using the DKIM ADSP Wizard you be able to generate a DNS record which defines the default signing policy for your domain.  Add the result (_adsp TXT) to your DNS zone file.

Now point your browser to the SPF wizard to define the policy from which mailservers your domain will send out email.  Add the result as a TXT record in your DNS zone.

Now wait until your DNS zone is propagated and test your setup by sending a test email to either of these addresses: autorespond+dkim@dk.elandsys.com and/or check-auth@verifier.port25.com.  You will receive a report on your setup.

I had an issue where OpenDKIM signed with the server hostname when there's no domain defined in my email client.  My masquerading sendmail options didn't help out here.  So I just added the mail._domainkey.serverhostname TXT record in my zone to ensure that the recipient could find a public key for the signature.

Hacking the Sitecom WL-404 wireless webcam

I got a Sitecom WL-404 webcam from my colleague's as I have became the proud daddy of a baby girl.  Now I can watch her sleep as she lays in her bed, it's an awesome and a bit nerdy gift :)

The Sitecom WL-404 wireless webcam seems to be the same hardware as the Linksys WVC54GCA and the Xanboo or SerComm RC8021.  It is possible to enable the telnet daemon by using the following backdoor:

   http://your-camera/adm/file.cgi?todo=inject_telnetd

Unfortunately the root password is unknown.  The contents of the passwd file "root:9szj4G6pgOGeA" ... I've tried cracking it with john the ripper but the password is not as weak as you would expect from a vendor ;-)  If anyone knows the password or has cracked it, let me know and I'll update this post.

So I decided to just download the firmware source code ... why?  Because I wanted the camera to support IPv6 :)  Very surprisingly the firmware compiles fairly cleanly and it produces a firmware image which actually works.

Just set SUPPORT_IPV6=yes in scripts/features_def.env ... I had to change /bin/sh to /bin/bash on my system (Ubuntu) in order to get it to compile with ./GPLMake

If you want to login with telnet, don't forget to change the root password to root:y7hcwwIsQ7cuQ (crypt is an empty password, just press enter) in src/rootfs/etc/passwd

Hash out (or delete) the following lines in src/sysapps/userland/Makefile , else the compile will break as these sources are missing in the provided source tree.

 ifeq ($(SUPPORT_IPV6), yes)
 SUBDIRS += wide-dhcpv6
 endif

Now compile the tree and flash the generated wl404.bin (in the FW subdirectory) and if you have a working IPv6 environment (radvd set up and such) you will be able to access the web interface on it's auto-configured IPv6 address.

Unfortunately the process responsible for streaming doesn't bind to IPv6,so I explored several options how to achieve RTSP over IPv6.  I ended up with using a nat64 wrapper around hydra (via LD_PRELOAD).  The code is meant for the Nokia N900 but works perfectly fine for our purposes.  You can find the original source code at their LDPreloadNat64 project website.

If you're up and running you'll be able to access the streams on both IPv4 and IPv6. Use either rtsp://camera-IPv4-address/img/media.sav or rtsp://[camera-IPv6-address]/img/media.sav.  I'm using totem on Ubuntu as VLC does not support RTSP over IPv6 (they state it violates the RFC specifications *pfff*).

I'm sharing the firmware I've compiled with Google docs.  It features a Dropbear SSH daemon, dual stack IPv4 and IPv6 (management interface and RTSP streaming).  Login with admin / admin with SSH (IPv4 or IPv6).  I've stripped some libraries and binaries to save some extra space.  There is no additional IPv6 support in the web-interface.

I take absolutely no responsibility whatsoever if you brick your WL-404 by using the contents of this blog.  Modifying the firmware probably breaks your warranty as well :-)  Have fun hacking!