Everyone has different taste in movies; here are some that I enjoyed; they range from silly to serious and some that are just “cultural-literacy”; YMMV. The list is very far from exhaustive (even of movies I like) and I’ll add to it over time.
Is it just me or were the 1980s an unusually good decade for movies and music?
I’ve already ranted about why I still use SVN instead of Git. That said, it isn’t always obvious how to set up an SVN server securely, especially if you want fine-grained access control so certain users only get access to certain repositories or projects within repositories. It’s actually pretty easy with a few clever tricks.
My Requirements
Lightweight server – you shouldn’t need a lot of resources. In general, I run subversion in a proxmox VM with 2GB of RAM allocated and 1 processor core. I use minimal Ubuntu server as the OS.
Server access must only be via ssh. These days, nothing should be accessible over the internet that doesn’t use ssh and public key security.
The server should support multiple repositories.
You should be able to restrict user access to certain repositories and also specific projects (folders) within a given repository.
Disaster recovery should be easy.
How To Do It
1. Setup the server VM
Download the Ubuntu Server iso and store it in the /var/lib/vz/template/iso folder of your Proxmox host machine (if you don’t use proxmox, you probably should).
Create a Proxmox VM with 2GB RAM, 32GB disk space, and 1 CPU core which should be sufficient and select the Ubuntu ISO.
During installation, select the minimal install; it has nearly everything you’ll want and installing more things is easy using apt.
During installation, enable openssh access and create your superuser account.
Once installed update and upgrade as usual.
Install your public key in your home/myUser/.ssh/authorized_keys file. If you’re not familiar with how to do this, see here.
Once you have confirmed that your public key login is working, disable root login and password access in /etc/ssh/sshd_config.
2. Install Subversion and tools
Install subversion from the ubuntu repo sudo apt-get install subversion
Install your favorite editor any other tools you might want (vim, iputils-ping, etc.)
3. Create Subversion User and Repository
Create a user named “svn” sudo adduser svn
Create a folder to hold your SVN repositories: sudo mkdir /srv/svn
Assign ownership of the SVN repository to the svn user sudo chown svn:svn /srv/svn
Create an SVN repository: sudo svnadmin create /srv/svn/myRepo
Make sure the entire new repo is owned by the svn user: sudo chown -R svn:svn /srv/svn/myRepo
4. Setup SSH access
Create folder /home/svn/.ssh (should have 700 privilege)
Create file /home/svn/.ssh/authorized_keys (should have 600 privilege)
Add the SSH public key(s) for your workstation(s) to the authorized_keys file.
In front of each key add (so this and the key are all on one line): command=”svnserve -r /srv/svn/myRepo -t –tunnel-user=myUserName” An example of two lines in the file might be: command=”svnserve -r /srv/svn/ -t –tunnel-user=bob” ecdsa-sha2-nistp521 <Bob’s ECC public key>== BobLaptop1 command=”svnserve -r /srv/svn/myRepo -t –tunnel-user=alice” ssh-rsa <Alice’s public RSA key>== AliceContractorPC
You will probably want other options in addition to the command option to keep things locked down. All options should be comma-separated with no spaces unless within double-quotes; options you might want after the command option might include: ,no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding So a full line for alice might look like:
command="svnserve -r /srv/svn/myRepo -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding <Alice's public RSA key>== AliceContractorPC
This sets up an unrestricted user with complete access to all projects in myRepo and a restricted user who only has access to projectA within my Repo SVN authz supports groups for very flexible permissions: [groups] myGroup = userA, userB [/projectB] @myGroup = rw
Users will always access the server as user svn. The trick is in the authorized_keys file which will choose the right SVN username based on the public key that matched your login. So when Bob logs in, he will use his private key (which will match his public key in the authorized_keys file which will also assign his –tunnel-user name to “bob” (for example). When Alice logs in, she will use her private key (which will match her public key in the authorized_keys file which will also assign her –tunnel-user name to “alice” (for example). SVN will further restrict their access within each repository according to their tunnel-user name in the authz file(s).
Some nifty things to note:
You don’t have to create linux login users for bob and alice. In fact the only users who should have login shell access are you (your super-user account) and svn and they should only have public key access (no password login should be allowed).
When bob and/or alice login as the svn user, they only get access to SVN (the only command they can run is svnserve per the authorized_keys file).
You can restrict bob or alice to a specific repo in the authorized_keys file by setting their svn “root” using the -r parameter. So, for example for alice: command=”svnserve -r /srv/svn/myRepo -t –tunnel-name=alice” Alice is then restricted to the myRepo repository and may be further restricted by the authz file for that repository based on her tunnel-name to limit her to specific projects. She will not even know that there are other repos; all references to projects will be relative to the root, so for example she might checkout: svn+ssh://svn@myhost.mydomain.com/myProject Where myProject is in myRepo and Alice would not know about myRepo2.
You can implement fine-grained restrictions within each repository using the authz mechanism. You can read about that in detail here.
To access the server (e.g. from TortoiseSVN or your favorite SVN client), you access using the svn+ssh protocol with a URL like this: svn+ssh://svn@myhost.mydomain.com Your private key will grant you access as the svn user and determine which user SVN treats you as for security purposes.
Backups
Although you can always backup your repo(s) using the svn dump facility: svnadmin dump /srv/svn/myRepo | bzip2 > myRepo_dump-$(date +%Y%m%d).svn.bz2 That only backs up the repository itself; it doesn’t backup all the work you did above to setup logins and permissions.
IMO, it’s much better for disaster recovery to simply backup your entire SVN server using proxmox. That way, you can stand up a new proxmox machine, restore the backup, and you’re up and running in a few minutes!
I replaced my ancient (but working) DLink NAS with a much newer and faster QNAP NAS (Model TS-464-8G). The QNAP hardware is nice: a compact package supports 4 SATA drives in a variety of RAID configurations, 2x NVMe drives, 2x 2.5GbE ports with option to add a 10GbE card, has a slick web-based user interface, and consumes relatively little power. It runs a custom linux on an a Celeron N5095. I don’t like the custom linux.
UPS Support
Naturally, I want my data storage to be protected by a UPS and to automatically and safely shut down before the UPS battery is exhausted if there is an extended power outage. I use a CyberPower CP1500PFCLCD UPS (which I am very happy with so far) to protect several NUC servers, an L2 switch, and the NAS. The UPS is connected to one of the NUC proxmox servers via USB. I run NUT on that server, including the nut-server that allows other machines (such as the NAS) to access the UPS over the network as nut-clients. The problem is that QNAP makes this more difficult than it has to be. They support nut (which is nice), but they seem to have done so mainly to allow one QNAP NAS to access another QNAP NAS connected to the UPS.
This is what I had to do to get the QNAP NAS to run as a generic nut client:
Control Panel -> External Device -> UPS Tab
Select Network UPS Slave
Enter the IP address of your nut server
Apply changes
Reset the NAS to start the upsutil (nut-client daemon) running
How did the NAS get the NUT UPS name, user name, and password used on the nut-server? It didn’t; the NUT support from QNAP hard-coded them as ‘qnapups’, ‘admin’, ‘123456’. And folks wonder why QNAP has had security issues.
You can change the user name and password by enabling the admin user, logging into the NAS via ssh as the admin user, and editing /etc/config/ups/upsmon.conf (make a .orig copy first). Find the line that reads: MONITOR qnapups@myNutServerIp 1 admin 123456 slave and replace ‘admin’ and ‘123456’ with the user name and password you have assigned for slave devices on your nut server in /etc/nut/upsd.users
Unfortunately, QNAP doesn’t let you change the UPS name; it *must* be qnapups Fortunately, NUT provides a workaround for this that doesn’t require changing all the other nut clients. On your nut server, edit your /etc/nut/ups.conf file and add a new dummy UPS named qnapups that points back to your real UPS. For example, my ups.conf ends with:
[cp1500]
driver = usbhid-ups
port = auto
desc = "CyberPower CP1500PFCLCDa"
vendorid = 0704
productid = 0601
[qnapups]
driver = dummy-ups
port = cp1500@myNutServerIpAddress
desc = "Proxy UPS for QNAP NAS"
Restart the nut-server (sudo service nut-server restart) and voila your QNAP can then see the UPS:
Ubiqiuti is a well known manufacturer of pro-sumer/small-business networking gear. They make two main lines of equipment: UniFi and UISP. The former aims for centralized control only (you can only manage devices through their management software); the latter is more traditional and allows for both direct device management (via command line and web interface) as well as centralized management through their free network management software UNMS. I’m old fashioned so I use the latter.
I use three primary types of gear: an EdgeRouter-X serves as the primary gateway into my network, a variety of EdgeMAX intelligent (layer 2) switches form the wired backbone of the network, and AirCubes provide wireless access.
The EdgeRouter is a particularly remarkable value; at $59, it provides a very full-featured comprehensive router + 4-port GbE switch. With hardware acceleration enabled, it delivers roughly 107MB/s (i.e. it routes at full gigabit speeds) while providing extensive support for features like VLAN, ipsec, dhcp management, NAT routing, etc. It has many more advanced features that I don’t presently use.
The EdgeMax switches work well and although they cost more than some other layer 2 switches, they work well and are fully supported by UNMS. One of the main advantages of this is managing firmware updates which is handled for all of the UI devices from the UNMS management console.
The UNMS network management package can be run locally (that’s how I use it) or, if you have at least 10 Ubiquiti devices, can be run on Ubiquiti’s cloud NMS. Although I have more than 10 Ubiquiti devices, I run UNMS locally (on a proxmox VM) for better security/control.
Baofeng is a Chinese radio manufacturer that produces a line of radio transceivers. Starting with their UV-5 series, they became insanely popular because they are dramatically less expensive than competing products. A good HT from Yaesu, Icom, Kenwood, or Alinco costs over $100 and usually a few hundred dollars, but a Baofeng HT can be purchased for less than $20; a price point that was unheard of previously and simply amazing.
I couldn’t resist so I bought a few several years ago. I played with them briefly, confirmed that I could hit my local repeaters in the 70cm band, and then they sat on the shelf. Recently, I became interested in amateur radio again and decided to take a closer look at the performance of the radio. Does it reach its specified transmit power? What’s the receiver sensitivity? Most importantly, part of the responsibility of being a ham licensee is making sure you transmit in compliance with FCC regulations (FCC CFR 47 part 97) is it compliant? If it causes you to lose your license, it was no bargain.
TLDR: it turns out that most Baofeng radios are not compliant with FCC rules for amateur radio. To be compliant (47CFR Part 97.307e), any signals other than the intended (fundamental) transmit frequency must be at least -40dBc AND below -16dBm. Of the 5 Baofeng radio models I tested, only one was compliant. The rest generated unwanted (spurious) signals on multiples (harmonics) of the fundamental that violate the rules. Nevertheless, the GT-5R appears to be fully FCC compliant and an incredibly value. Details of all the radios I tested are below:
GT-5R (not Pro) – PASS!
After evaluating 4 Baofeng models that were not legal to transmit with on the amateur bands, I was delighted that the 5th time was the charm! The spectrum analyzer tells the tale (see pics below). For $18.39 with free shipping through amazon, the Baofeng GT-5R is indeed a dual-band 4W+ radio with proper harmonic suppression that allows licensed amateur radio operators to legally transmit in the 2m and 70cm bands. It’s absolutely insane that they can hit this price point; kudos to Baofeng!
GT-5R transmitting on 2m through 40dB attenuation…clean as a whistle!GT-5R transmitting on 70cm – clean signal!
Transmit power (on high) was +35.54dBm (3.58W) on 2m and +36.55dBm (4.5W) on 70cm.
The measurements do not include cable or connector loss, but that should be very low at these frequencies with 12″ of RG-316. I confirmed the 10dB and 30dB attenuators were spot on using a calibrated RF signal generator. My total amplitude measurement error should have been (a lot) less than 1dB.
I also stepped through each harmonic with the analyzer zoomed in (50kHz span, 300Hz RBW, noise floor below -50dBm) and saw nothing of interest; the only measurable harmonic when transmitting on 2m was the 2nd which was below -30dBm. I was so pleased that I bought a second GT-5R which was also clean when checked (and had higher output power).
UV-17 Pro GPS – FAIL
Would 4th time be a charm? Nope. I ordered a pair of Baofeng UV-17 Pro GPS based on several internet reviews that suggested *they* would be clean and legal to transmit with. Although it’s a neat tri-band HT, sadly, the story was the same as with the other models I tested previously (below): not legal to transmit with on 2m or 1.25m, OK on 70cm. They’re going back tomorrow. The spectrum analyzer (with 40dB of attenuation in front), shows the 2nd harmonic on 2m is at +19dBm!:
UV17 Pro GPS transmitting on 2mUV17 Pro GPS transmitting on 1.25mUV17 Pro GPS transmitting on 70cm
UV-82 – FAIL
I connected my Baofeng UV-82, a dual-band (2m, 70cm) HT rated for 1W low and 5W high output power to a spectrum analyzer through a 30dB attenuator and transmitted on 2m and 70cm; the results and discussion are below:
UV82 transmitting at high power on 145MHz (2m band)
The transmitted power on 2m at the intended frequency was 3.9W which is pretty good, but the harmonics are awful. FCC regulations (47CFR Part 97.307e) state that spurious transmissions must be at least -40dBc (40dB below the carrier level) AND less than 25uW (-16dBm). The UV82 doesn’t even come close. The second harmonic is only -19.45dBc and even the third harmonic isn’t down 40dB. Both are well above -16dBm.
I switched the radio to 70cm and again transmitted at full power:
UV82 transmitting at high power on 440MHz
These results at 70cm are much better: the fundamental is at 4W and the second harmonic is down more than 40dB and is below -16dBm. The third harmonic isn’t visible. So, while there isn’t much margin, the UV82 appears to be good for amateur use at 70cm, but is not compliant in the 2m band.
It seems likely that the UV82 contains a low-pass filter that attenuates signals above 450MHz; which makes the radio compliant in the 70cm band, but is worthless for use in the 2m band due to the 2nd and 3rd harmonics. To use the radio in the 2m band legally, you probably need to install a 200MHz low-pass filter such as Mini-Circuits VLFX-225+ between the radio and antenna.
UV-B5 – FAIL
I also have a pair of Baofeng UV-B5 transceivers. They are also problematic with respect to spurious emissions, but interestingly in different ways from the UV82.
UV-B5 2m transmit on high powerUV-B5 70cm high power
In both bands, only the second harmonic is present with good suppression of higher harmonics. Unfortunately, the second harmonic violates the FCC regulations in all cases, so the UV-B5 can’t be used to transmit legally in either band. Compliance requires spurious to be BOTH -40dBc or better AND -16dBm or lower. I tested at high and low power and the second harmonic was much too high. Note: low power was measured at 1.5W at 2m and 1.25W at 70cm.
2m High Power: second harmonic is -40dBc (good!), but is -4.82dBm (fails compliance)
2m Low Power: second harmonic is at -5.88dBm (fails compliance)
70cm High Power: second harmonic is -34.25dBc and at -0.12dBm. (fails compliance)
70cm Low Power: second harmonic is at -8.08dBm (fails compliance)
This behavior is different from the UV-82; the third harmonic and above are well suppressed in both bands so these radios likely have separate VHF and UHF PAs (or at least harmonic filters). Unfortunately, they do not seem to be adequate and, as far as I can tell, it is likely illegal to transmit with the UV-B5 in either band, even at low power, unless you add additional filtering between the transceiver and the antenna.
The UV-B5s have another serious design flaw: if you leave the battery connected, it will gradually be drained, even with the radio off; so you must store the UV-B5 with the battery disconnected. Note: this is not the case for the UV-82.
GT-5R PRO – FAIL
I contacted Baofeng and they advised that their UV-5R and GT-5R comply with FCC part 97 & 15B. On their website, the GT-5R PRO is also advertised as FCC compliant and is tri-band, so I ordered a pair of GT-5R PRO and was dismayed to see that they too appear to be non-compliant on 2m. The first unit transmits at 3.37W at high power and has a huge spur at the second harmonic.
GT-5R PRO transmit at full power in 2m band
The second unit also transmitted at 3.3W at high power in the 2m band (35dBm) with a somewhat lower spur at the second harmonic of 0 dBm: better, but still not -40dBc AND below -16dBm. Interestingly, when transmitting at low power, the fundamental drops to 1.5W, but the 2nd harmonic actually goes UP by about 4dB!
The GT-5R PRO appears to be compliant in the 70cm band with the fundamental at 4.35W and no spurs above -20dBm.
GT-5R PRO transmit at full power in 70cm band
It’s possible I’m doing something wrong in my measurements; I would have liked to filter out the fundamental with a notch or high-pass filter before measuring the harmonics, but I don’t have the right filter and with the signal already knocked down 30-40dB, I don’t think I’m over-driving the SA. So I returned the GT-5R PROs.
I ship quite a few domestic packages and am a big fan of USPS Priority Mail service. I occasionally need to send packages overseas and at first glance, USPS Priority International service looks really good: low rates, reasonable delivery times, convenient shipping process. Unfortunately, the reality is different: their international shipping seems to be a disaster.
They estimate delivery to China at 6-10 days. The first package I sent took about 3 weeks. I shipped a second package 4 weeks ago; it reached China and cleared customs in 10 days, but then the tracking stopped. Maybe it will still get to its destination, maybe not, but I couldn’t wait any longer and had to ship a replacement (using a different carrier). USPS seems to lose all control over and visibility once they hand off to China Post.
What seems clear is that USPS International has no quality control. Even though their own tracking system shows the package long overdue, they do not automatically start a search…something any company concerned about quality would do automatically. To try to find the package, I started at the post office where I mailed it. I brought them the printed tracking history and showed them that they advertise 6-10 days and it had been 4 weeks. I was very polite and told them that I love USPS domestic priority shipping but can’t use USPS for international shipping if this is representative of the service. The agent said “I’m sorry you feel that way”….not “I’m sorry we lost your package” and told me to “call this number” (i.e. the human agent wasn’t going to help and as a representative of the organization, accepted zero responsibility for a service failure). This was two quality-control problems: 1) a failure of employees to act as representatives of their company and 2) a disinterest in finding and understanding quality problems in order to improve processes.
A company that doesn’t care about quality creates obstacles to reporting problems. Unsurprisingly, when I called the number, I encountered an automated system designed to maximize customer frustration: it demands you enter a tracking number but won’t accept international tracking numbers and refuses to connect you with a human unless you provide a tracking number it likes. Eventually, by trying different menu paths, I reached a human who took down gobs of information and told me I could call back in 35 days if they didn’t find the package. So after 2 months, I might have the opportunity to spend more time filling out extensive paperwork and finding detailed shipping evidence to recover the shipping cost – of a package that their own tracking system shows that they lost.
That’s not going to happen, of course, I’m simply not going to use USPS for international shipping again and will share the experience with friends to save them from going through the same trouble. That’s what bad quality control does: it causes companies to lose business. I sent a replacement for the lost package via FedEx; it cost significantly more, but like UPS, DHL, and other big-boy shipping companies, they will track the package from start to finish and take responsibility for actually getting it there. USPS domestic shipping is wonderful, but if they want to compete in the international shipping world, they need to get their act together and start paying attention to quality.
I do a lot of work in the sub-GHz ISM band and there are a lot of antenna vendors whose quality varies broadly. Consider the case of two antennae: The first was purchased from AliExpress vendor CS Family. These were sold as 915MHz antennae with 3dBi gain (this).
It’s centered at 910MHz and its best-case SWR is 1.34:1. At the band edges, it offers 1.57:1 at 902MHz and 1.77:1 at 928MHz. This is acceptable; I consider anything better than 2:1 acceptable for a cheap antenna and this meets its spec across the band. The impedance is 75 -j47. It’s not pretty, but it will do the job.
However, compare it to one of my favorite compact antennae from TE/Linx: the ANT-916-CW-HWR-RPS (datasheet) claims 1.2dBi and better than 2:1 VSWR.
This antenna is nicely centered in the band and offers an amazing 1:08 SWR at 915MHz, 1.57:1 at 902MHz and 1.40:1 at 928MHz. Impedance is 46.59 +j0.70. Now that’s pretty!
In fairness, both antennae meet their spec (better than 2:1) and the AliExpress antenna cost only $2.16 whereas the Linx antenna cost $13.50…so I cut the AliExpress guys some slack 🙂
Measurements taken using a NanoVNA SAA-2N with VNA Qt software. I might break out a nicer VNA some time and repeat these tests, but for quick measurements, I’ve found the NanoVNA2 to be remarkably accurate; it’s insane what $110 can buy these days. Note: if you have a NanoVNA2 SAA-2N, the firmware, manual, schematic, and a version of VNA Qt that works with it can be found here. The 1.3.07 firmware (Aug 30, 2022) offers many important features and if you’re running older firmware, you probably want to update (instructions are in the manual). The only thing I couldn’t find a way to do using the LCD UI was port extension, but it’s easy with VNA Qt.
Cybersecurity (or lack thereof) is a disaster. Every website in the world is under constant attack by networks of automated hacking robots (bot nets) checking for weak security.
Everyone should use a password manager such as PasswordSafe or BitWarden . These tools will generate a different random password for each account/website you use and store it securely encrypted. You “open” your safe by entering a master password which then decrypts all the stored information. The tools will also let you securely store things like the URL of the website, and some free form information like account numbers. All you need to memorize is one master password (make it something good – an unusual phrase).
Because so many sites use bad security practices, there are now massive databases of hacked usernames and passwords available. This would have been impossible if companies followed best security practices of even 30 years ago. This means you are particularly vulnerable if you use only one or a few passwords for many sites. Even if your password is good, you re depending on the developers of the website you entered that password into for its security.
Using different randomly generated passwords for each website means that even if one site uses bad security practices and is hacked, ONLY your account at that site is compromised, not all of your accounts.
Developers: NIST has issued guidance on password practices that are quite good and everyone who writes software that requires password authentication should read this:
Some of the simple things you can (and must) do that have been common practice since at least the 1990s:
Don’t store passwords. Anywhere. Not plaintext or encrypted. You should only store a one-way hash of the salted password. Even ancient hashes like MD5 are much better than storing plaintext or encrypted passwords, but there’s really no excuse for using anything weaker than SHA256 or better these days.
Use password spinning: after every N failed attempts, add a small (1-3 second) delay. This effectively prevents brute-force/rainbow hacking.
Test new passwords against a database of known hacked passwords. (no “OpenSesame”)
Require reasonable minimum password lengths. (no “123”)
Not from the 90s, but probably a good idea these days:
If you have a fast and easy way to do 2FA (e.g. biometric), use it.
Some things you should NOT do (and that drive me crazy when I see it):
Require users change their passwords frequently – this is just nuts; it drives users crazy and incentivizes them to use simpler and easier to remember passwords.
Have special characters users must/can’t use in their passwords. This discourages the use of good random password generation and is even worse without it.
Disallow users from seeing the password as they type it (that should be an option)
Time-consuming 2FA methods (like text messages or validator apps) for things that don’t need that level of security. It introduces a super-annoying delay in accessing your data/app. Biometric 2FA is OK.
The price of oscilloscopes goes up quickly above 100MHz bandwidth, often placing them out of the budget of hobbyists and small businesses. The analog bandwidth of a scope is defined as the frequency at which amplitude is reduced by 3dB (roughly 30%)
Most oscilloscope lines offer a variety of bandwidth options (at increasing prices) such as 50, 100, 200MHz or 100, 350, 500MHz. In many cases, those are really the exact same scope hardware (the highest bandwidth) but are limited in software to a lower bandwidth. This allows manufacturers to address a broader range of potential customers (they can sell the 100MHz scope to individuals or small companies without undercutting the big margins of their 500MHz scope sales to large companies).
Some manufacturers have made it possible for hobbyists to unlock the higher bandwidths. Doing this voids any warranty or calibration of course, and so most labs or large companies simply won’t do this and if you choose to do it, it’s at your own risk. However, I have done this successfully with scopes from Siglent (SDS1104X) and Tektronix (TDS3xxx) and the results have been pretty good.
TDS3K scopes are older Tektronix models that used to cost a fortune (Tek was long the king of the oscilloscope hill and my favorite). The TDS3K line came in 100, 350, and 500MHz models. Fortunately, you can hack any TDS3K scope to 500MHz. For info on how to do this, look to the always excellent eevblog (here). Note that you will need to downgrade the firmware to 3.39 in order to perform the hack. In a nutshell:
Install a communications module in the back slot
Configure for 9600,8,N,1 (local echo on is helpful)
Check current version: *IDN?
PASSWORD PITBULL
MCONFIG TDS3052 (or whatever model you’re upgrading to)
Reboot the scope
Note too that there are downsides to the TDS3K line like calibration is stored in battery backed RAM (and the battery will eventually die). In general, to continue to use a scope of this age, you should plan to re-cap it (replace all electrolytics) and replace the battery-backed RAM module with a new one.
Siglent and Owon are Chinese companies that make a lot of test gear that isn’t quite up to Tek or Keysight standards, but still offer a great deal of bang for the buck and the Siglent products are often hackable. For info on how to hack the Siglent SDS110x scopes you can also refer to eevblog.
An important question is: how do these scopes perform after the hack, so I tested a Tektronix TDS3012 (100MHz) before and after hacking it to a TDS3052. I also tested a TDS3032 I had previously hacked to TDS3052, a Siglent SDS1104X hacked from 100 to 200MHz, and compared them with an unhacked TDS5054B (500MHz) and an Owon SDS8202 (200MHz). In each case I supplied a 0dBm tone from an IFR 2025 RF signal generator through an admittedly less-than-ideal but short coax cable with BNC connectors. For the scopes without internal 50-ohm termination, I used a BNC through terminator and a 6dB attenuator.
A 0dBm signal terminated in a 50R load should be 632mV peak-to-peak. At the bandwidth limit of the scope, that signal should be reduced by 3dB or roughly 30% (-3dBm = 448mV p-p):
MHz:
Term
10
50
100
200
300
350
400
500
TDS3012 (before hack)
Int
562
320
—
—
—
—
TDS3012 (hacked)
Int
666
648
644
640
606
580
554
510
TDS3032 #1 (hacked)
Int
680
665
660
644
630
604
578
530
TDS3032 #2 (before hack)
Int
641
627
626
598
563
546
511
457
TDS3032 #2 (hacked)
Int
658
640
637
631
619
604
576
555
TDS5054B
Int
662
642
630
627
593
575
560
566
SDS1104X (hacked)
BNC
650
638
600
514
360
264
169
57
SDS8202
BNC
680
672
664
608
512
424
300
—
Peak-to-Peak voltage measured with 0 dBm sine wave
It’s clear that the hacks really do increase the available bandwidth. In the case of the TDS3K scopes, to greater than 500MHz, making them truly the equivalent of TDS305x. I measured a 700MHz signal on a hacked TDS3032 at 466mVp-p so the 3dB bandwidth was even higher than that! The hacked scopes also show the sample rate at 5Gs/s whereas before the hack they top out at 1.25 or 2.5GS/s.
The Siglent SDS1104X (nominally 100MHz) hack also extends its bandwidth to 200MHz; mine was down -1.78dBm at 200MHz and still slightly better than 3dB at 235MHz (-2.88dBm). The trigger was able to lock cleanly out well past 400MHz and measurements remained accurate. Note: the SDS1104X does not offer internal 50R termination so measurements were made through a 6dB pad (reduces signal by half, probe set to 2x) and 50R through terminator.
The old Owon SDS8202 (nominally 200MHz) did remarkably well out past 300MHz, easily outperforming the hacked SDS1104X. Owon makes nice analog front ends! Note that frequency measurement stopped at 200MHz even though the scope was clearly able to trigger on and lock to signals out to 400MHz.
I designed the Simcom SIM7000x into a product some time ago; although it is a little dated, it still offers an extensive set of features for a remarkably low price. In particular, it combines a (2G, 3G, 4G/LTE) cellular modem with a GPS receiver and supports very low power modes of operation. The problem is the documentation and I’m publishing this post in the hope that it will save others some pain.
First: the grousing:
Like most communication modules, the SIM7000x is controlled via an asynch serial interface using the venerable AT command set dating back to POTS modems. That so many manufacturers still use this 1981 control interface is remarkable (and so awful that I will post about just this issue in the future). There are three particularly bad things about it:
It tries to combine human and M2M communication and, as a result, is terrible at both. For M2M, there is no framing, error checking, data typing, MIB, easy way to separate tokens, or standard error handling.
The data and control streams share the same serial interface so you can’t (easily) interact with the module while it is transferring data (yeah, I know about CMUX).
Because the interface is so old, has been used by many manufacturers, and several standards bodies have attempted to tame it (each differently), there are now gobs of similar commands that leave a confusing and inconsistent interface which is difficult to code to.
Some day, a smart manufacturer is going to fix this. The SIM7000x has a rich set of peripherals, gobs of I/O, memory, and processor power; it could easily deprecate the AT interface and add something sane. A modern interface would support I2C and/or SPI, layered communication protocol, and standard MIB interface. Nevertheless, the SIM7K modules offer a great deal of functionality, are FCC and PTCRB modular certified (so they’re ready to use on carrier networks), and can be purchased for a reasonable price.
My Applications
Nearly all of my design work involves embedded systems (there are often extensive backend server systems too). For the embedded systems, I typically want to establish a connection to a remote server and exchange data; usually using a RESTful or MQTT API in a format like JSON or msgpack. Because the devices are typically remote from the server, I need:
secure communication (TLS)
server authentication (public key certificates)
remote device authentication that can be revoked
The SIM7000x supports all of this, but the specifics are not always obvious or convenient despite the 281 page AT Command Manual and numerous application notes including TCP/IP, SSL, and HTTP(S) Simcom provides. The manuals should probably be much longer and take more time to explain the API architecture and how the commands. I’ll provide an overview below of how to do secure data communications and include discussion of some of the potential areas of misunderstanding. Note: the discussion below assumes you have the latest firmware installed on the module.
LTE Connectivity
In America, GPRS (2G) and EDGE (3G) data networks have been completely discontinued as of the end of 2022. Most low-cost data connectivity now relies on 4G/LTE which the SIM7000x supports. All the major cellular carriers (AT&T, Verizon, T-Mobile, etc.) support LTE and you can buy SIM cards for any carrier to use with the SIM7K modem module. I use the MVNO Velocity/Flolive; which offers multi-carrier SIMs so the device will connect to whatever carrier is available, anywhere in the world it is deployed (i.e. you’re not tied to one carrier’s network).
Let’s look at the AT commands involved in bringing up an LTE data connection:
Initial Startup of the Modem
If you are using the DTR wake/sleep functionality, set the DTR pin to wake the modem
Send the modem an AT command and wait for OK response to see if it is already awake
If the modem does not respond, try a hard reset wait for the RDY prompt
If the modem still does not respond, toggle PWRKEY and wait for the RDY prompt
Repeat the above a few times until you get a RDY or OK prompt
Reset the modem configuration so you’re starting from a known state using the command: ATZ (and wait for OK response)
Enable sleep mode if you want low power operation (which I usually do) with the command: AT+CSCLK=1 (and wait for OK response) (note: this is a persistent setting, you only need to do it once – noted as “AUTO_SAVE”)
Configure the modem for LTE operation only. There are many 2G, 3G, and 4G bands to be scanned; by limiting the scan to LTE bands, you can dramatically speed up the time it takes to initially find a carrier (the modem will remember after that). Send the command: AT+CNMP=38 (and wait for OK response) (AUTO_SAVE) (note: this is a persistent setting, you really only need to do it once)
Note: if you know which carrier(s) you will be using, you can further speed up the initial carrier discovery by restricting which LTE bands are scanned to only those supported by the carrier.
Configure for LTE-M1 only for the same reason (unless you need NBIoT) using the command AT+CMNB=1 (and wait for OK response) (AUTO_SAVE)
Disable the Network activity LED if you wish to save power using the command: AT+CNETLIGHT=0 (and wait for OK response) (AUTO_SAVE)
Gather and cache any data you want about the modem and SIM card using commands like: AT+GMM, AT+GMR, AT+GSN, AT+CIMI, AT+CCID
Register with the Carrier Network
Check if the modem has already registered on the carrier network using the command AT+COPS? (look for a response like +COPS: 0 which indicates that the modem is searching for a supported carrier or a response like +COPS: 0,0,”AT&T FloLive”,7 which indicates that the modem is connected via LTE.
If the modem is not connecting, you can forcibly cycle the modem through de-registering and re-registering with the carrier using the sequence: AT+COPS=2 and wait for OK then AT+COPS=0 and wait for OK.
When the modem connects to the carrier, it can send (depending on some other configuration settings) an asynchronous notice like: *PSUTTZ: 24/06/13,22:40:35″,”-16″,1
Once AT+COPS? indicates that you’re connected to the carrier, you can check things like the signal strength with the command AT+CSQ (and wait for the response like +CSQ:25,99 followed by OK)
Connect to the Packet Data Network
Your data provider may be the carrier like AT&T or a third party MVNO like FloLive that uses many carriers. You will need to know the APN for your data provider to get IP connectivity.
You can either hardcode an APN (like flolive.net) or, when using LTE, request the APN from the carrier using the command: AT+CGNAPN (and wait for a response like +CGNAPN: 1,”flolive.net”). Note that not all carriers will provide the (correct) APN so you may be better off hard coding it.
Set the APN using the command: AT+CSTT=”flolive.net” (and wait for OK) (not persistent)
Check to see if the modem has connected to the packet data network using the command: AT+CEREG? (the response that indicates you are connected +CEREG: 0,1 or +CEREG: 0,5 or are not yet connected +CEREG: 0,2 (searching/trying to attach).
Handle critical errors such as +CEREG: 0,0 (modem gave up searching for a carrier) or +CEREG: 0,3 (registration denied). Generally your options in these cases are limited to periodically de-registering from the carrier network and re-registering (as described above with AT+COPS=2 then AT+COPS=0).
Once you are connected to the APN, you can connect to the IP network.
Connect to the IP network
Check your IP connection status and IP address using the command AT+CNACT? (your response will indicate +CNACT: 0,”0.0.0.0″ if not connected or something like +CNACT: 1,”100.64.132.137″ if you are connected)
If you don’t have an IP connection yet, use the command: AT+CNACT=1 or AT+CNACT=1,”flolive.net” (and wait for the OK response). When the connection is made, the modem sends an asynchronous status message: +APP PDP: ACTIVE
Wait until you are connected and have been assigned an IP address.
You can optionally test the connection by pinging your server or a remote host using: AT+SNPING4=”yahoo.com”,5,16,1000 (ping 5 times with a 16-byte packet and 1s timeout). If you’re connected, you’ll see 5 responses like: +SNPING4: 1, 74.6.231.20,194 (indicating a 194ms ping time)
SSL/TLS connection
The SSL stack supports several (6) different configurations (contexts). Each context is numbered (ctxindex 0..5). Use the following command to set context 0 to use TLS1.2: AT+CSSLCFG=”sslversion”,0,3
If your application doesn’t set the date/time on the modem, you can tell the modem to ignore date/time when evaluating the validity of security certificates using the command: AT+CSSLCFG=”ignorertctime”,0,1
If your server serves multiple domains from the same machine (e.g. apache virtual servers), you can indicate the server name to tell the stack which certificate should be used: AT+SSLCFG=”sni”,0,”myserver.mydomain.com”
Configure Connection parameters
Configure keep-alive messages depending on your server configuration needs to prevent the connection from automatically closing: AT+CACFG=”KEEPALIVE”,1,30,30,1
Establish a secure TCP connection to the server
You can configure several simultaneous connections; each is identified via connection ID (cid). Note: the connection cid is different from the context (each cid should reference a context).
Close any prior connection and clear connection settings AT+CACLOSE=0 (and wait for OK or ERROR response)
Configure connection 0 to use SSL: AT+CASSLCFG=0,”ssl”,1 (and wait for OK response)
If you have installed a server or CA certificate in the modem (see details below), you can configure the SSL connection to authenticate the server using that certificate so it will only connect to the real server: AT+CASSLCFG=0,”cacert”,”myCA.crt” (and wait for OK response)
If your server certificate is self-signed (typically with a very long expiration date), you may need to tell the stack to ignore the certificate expiration: AT+CASSLCFG=0,”ignorertctime”,0,1 (and wait for OK response)
Configure the connection timeout: AT+CASSLCFG=0,”timeout”,30000 (and wait for OK response)
For debugging, you can check the configuration: AT+CASSLCFG?
Open a TCP connection to the server AT+CAOPEN=0,”TCP”,”myserver.com”,443 (and wait for response: +CAOPEN: 0,0) (<cid>,<result> where rslt 0=success, >0=fail; note: 24..26 indicate certificate mismatch)
Send data to the server
Send your request data to the server (note specification of the number of bytes you will send) AT+CASEND=0,186 (wait for a ‘>’ prompt indicating the modem is ready to receive the data)
Send the data and wait for the asynchronous completion indication: +CADATAIND:0
Request response information from the server. E.g. to request 1000 bytes of response data: AT+CARECV=0,1000
You can check the connection status if desired: AT+CASTATE? (returns +CASTATE: 0,0 (disconnected) or +CASTATE: 0,1 (connected)
Close the connection AT+CACLOSE=0 (and wait for OK response)
Note: to connect again you must again send the AT+CASSLCFG configuration commands; you don’t need to re-configure the AT+CSSLCFG commands; and re-connect via AT+CAOPEN.
Installing a server certificate
For security, it’s important that the communications be sent over a secure channel so they can’t be stolen or corrupted in transit. The TLS connection does this for you using public key cryptography and a Diffie-Helman key exchange whereby the server and your modem agree on an encryption key to be used during the session.
However, it’s also critical that you authenticate the server (i.e. confirm that the server you are communicating privately with is the actual server you intend to be communicating with). This is also done using public key cryptography and certificates. To do this, you must store a public key for your server or for a master authority on the modem and tell the modem to use that public key to check that a signed certificate supplied by the server when you connect to it is valid for the public key you’ve stored in the modem. Only a server that holds the matching private key can provide a proper certificate signature. A cool feature of certificates is that they can be chained: an higher-level authority can sign a certificate for your server and if you trust that authority, you can trust the server certificate. This means that you can store the public key for that higher Certificate Authority (CA) and then trust any server certificate that has been signed by the CA. The CA is often called the “root of trust”.
Websites typically pay a certificate authority like DigiCert or Google Trust Services to sign their server certificates. Web browsers come with the public keys for most popular certificate authorities so when you connect to a website, the site can automatically be authenticated. Unfortunately, those CA certificates usually have a short lifetime to protect against the possibility that they may be compromised. This is not a big deal since browsers are regularly updated and those updates include new certificates. However, it’s a problem for embedded devices that may not receive frequent updates.
For your own servers and devices, it may be preferable to generate your own certificates (aka self-signed certificates). You can even generate a public/private key pair for your own certificate authority which you can then use to sign and update many server certificates. Then if the public key for your own CA is stored on the modem, it can authenticate any servers you issue certificates to. Your CA can also have a very long lifetime (e.g. 50 years) so that the public key stored in your modem will be valid for the life of the product. The easiest way to create CA and server certificates is using openssl (I’ll make another post about that if there’s interest). To install a server or CA certificate in the modem (both are referred to as a “cacert” in the modem), it must be loaded into the modem’s file system and then converted to a format used by the modem:
Initialize a file system buffer: AT+CFSINIT
Prepare to write the file to the “customer” portion of the modem’s file system (3), 0 indicates overwrite if file existed, 765 is the certificate file size in bytes (change this to the size of your certificate), 2000 is the timeout in ms for the entire download. AT+CFSWFILE=3,”myCA.crt”,0,765,2000 (wait for DOWNLOAD response)
Send the certificate file in PEM format (starts with —–BEGIN CERTIFICATE—–\n and end with —–END CERTIFICATE—–\n). Note that in most cases, you can get the certificate for your server by visiting the server from a web browser like Firefox. Click on the lock icon, then Connection Secure, then More Information, then View Certificate. There will be links to download the server certificate or the chain of certificates (starts with rootCA) in PEM format.
Free the file system buffer: AT+CFSTERM (and wait for OK response)
Convert the CA certificate format: AT+CSSLCFG=”convert”,2,”myCA.crt” (and wait for OK response)
You can check the file size or read it to confirm it has been successfully received using: AT+CFSGFIS=3,”myCA.crt” (returns +CFSGFIS: 765\r\n\r\nOK\r\n\r\n) OR AT+CFSINIT (wait for OK response) AT+CFSRFILE=3,”myCA.crt”,0,765,0 (returns +CFSRFILE: 765\r\n … file contents … \r\n\r\nOK\r\n\r\n) AT+CFSTERM
Note that if you are using the HTTP(S) APIs for the modem (not covered in this post), you can configure them persistently to use this certificate using: AT+SHSSL=0,”myCA.crt” (and wait for OK response) (AUTO_SAVE)
