Icecast PHP Stats

A recent project of mine called Coop Cam uses several live video streams served by an Icecast server at different mount points which works great, but I found there was no real solution to simply display how many viewers were actually watching the live streams.

I put together a basic PHP code that reads the Icecast XML stats file and retrieves the current overall viewers (or listeners as its officially known) of all available mount points.

Code

// get the stats xml file //
$output = file_get_contents('http://admin:[email protected]:8000/admin/stats');

// explode to make the magic happen //   
$listeners = explode('',$output);
$listeners = explode('',$listeners[1]);

// output to the world //
echo "Currently <b>$listeners[0]</b> people are watching the live stream!";

Once you have amended the admin password, server name and port the code above will then connect to your server and read the /admin/stats XML file. From here it will literally pick out the content shown between the <listeners></listeners> tags and that then becomes the $listeners[0] variable, simply place this wherever you want to display the amount of current viewers.

Notes

  • This code may or may not work depending on if your hosting provider allows the file_get_contents function – In my case I use my own dedicated servers and it works without issue, if you have any problems I’m sure I can sort something for you!
  • You can show the amount of sources, file connections and so on by amending the code to reflect the correct tags – A full list of tags can be seen by visiting the youricecastservername.com:8000/admin/stats page
  • You can find a live working example of this script here or actually see it in place here
  • Finally, you can download the script by clicking here

Disable Virtualmin Two-factor Authentication

Virtualmin is constantly being developed and gaining ever useful features, and for a while now has featured two-factor authentication which is great, although what happens if you get locked out of your system? As long as you have SSH or console access then you can follow the steps below to easily get back in.

Disabling two-factor authentication for a single user

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.users, comment out the current line for the user then create a fresh copy above it
  • Remove any mention of “totp” and the long string of characters near the end and save, for example your file should now look like the following:
...
root:x::::::::0:0:::
#root:x::::::::0:0:totp:ZZZZZZZZZZZZZZZZ:
...
  • Restart Webmin and log back in normally

Disabling two-factor authentication entirely

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.conf and find the line “twofactor_provider=totp” and replace with “twofactor_provider=” and save
  • Edit the /etc/webmin/miniserv.users as mentioned above
  • Restart Webmin and log back in normally

Notes

  • I’ve had success with this on Webmin 1.760 running on CentOS 7.0

Encrypted AES VPN tunnel between pfSense 2.3 and Ubiquiti EdgeRouter Lite

I recently retired my Draytek 2830 following a serious security flaw I discovered (that’s another post, stay tuned!) and took the plunge with a rather impressive looking Ubiquiti EdgeRouter Lite.

The other option was a rack mountable TP-Link TL-ER6020 although the maximum NAT throughput was only 180Mbps and it only had 128MB  DDR2 memory and no clear CPU specs, also the web interface looked tired and very restricted. Pound for pound the EdgeRouter was cheaper and has a better spec of anywhere up to and over 600Mbps, 512MB DDR2 memory and Dual‑Core 500 MHz, although it wasn’t rack mountable it was a no brainer with its modern web interface, also did I mention it can process 1 million packets per second?

The EdgeRouter also appeals to my inner nerd  (you can no doubt tell) as you can program it via web interface, command line or console connection and you can remove features you don’t need to boost performance. For example, it may only have 3 gigabit ports, but you can do whatever you like with them! In my case I have it configured as 1 WAN port and the other 2 ports are linked to two seperate LAN’s. I will write a full review when I get chance, but for now just take my word that it is the best router I have ever owned.

Anyway, to business!

Home Network

As before with the Draytek guide my home network is still double NAT’d but there isn’t a speed issue anymore. I do plan to eventually run everything via the EdgeRouter but first I need to install a few additional access points (I’m thinking a couple of airGateway-LR’s hidden in roof spaces will do, powered by PoE obviously!).

In the example below the home network subnet will be 192.168.100.x
and WAN address will be 1.2.3.4

Remote Network

The remote network is the same as before too – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x and WAN address will be 5.6.7.8

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely and under no circumstances use the example key!
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is. Anything to do with double NATing is in red, ignore this if your router is WAN facing.

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the EdgeRouter (or the Superhub in my case) 1.2.3.4
  • Enter a brieft description in the Description box – VPN to pfSense LAN
  • Select Peer identifer as KeyID tag then enter the WAN address of EdgeRouter (192.168.100.1) else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box – testing123
  • Set the DH Group to 14
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box – Home
  • Set PSF Key Group to 14
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box – Allow VPN Traffic
  • Press Save any hit Apply Changes

Configuring the EdgeRouter

First of all make sure you are running the latest firmware otherwise options may be missing and this may not go smoothly! Currently (March 2017) I’m running EdgeRouter Lite v1.9.1.

Configuring the EdgeRouter is pretty straight forward, you don’t need to do anything via command line or console (unless you really want to, knock yourself out!) – Go to VPN > IPSec Site-to-Site

  • First tick the box Show advanced options to show the encryption options
  • Under Global Options leave Automatically open firewall and exclude from NAT unless you want greater control over who can connect in
  • Under Site-to-site peers enter the Peer as the home WAN address – 5.6.7.8
  • Put a brief description in the Description box – Remote
  • In local IP enter any
  • For Encryption set AES-256
  • In Pre-shared secret enter the key set previously – testing123
  • Enter the Local subnet as 192.168.100.0/24
  • Enter the Remote subnet as 192.168.150.0/24

All being well you should end up with something like below:

Once everything is saved, head over to the pfSense IPSec Status page and hit connect if it hasn’t already established and  there you have it!

At this point you may be asking why did you uncheck the option to Automatically open firewall…, this is because I like to have greater control over what IP addresses are allowed access to my network.

To substitute this option I created a rule in the NAT section translating UDP port 4500 to the routers local IP address (192.168.100.1). In turn I set the Src Address Group of this rule to a list of predefined IP addresses, thus only allowing access to my networks and blocking the rest of the world.

 

 

 

How to List the Contents of a Web Directory

Any good web host will secure the contents of website directories which don’t have an index page by not allowing the  files or folders to be listed, instead you’ll get a 403 error page saying access is forbidden. Whilst this is good in practice, sometimes you might actually need to list the contents – and its simple to enable on an Apache web server – add one line to your .htaccess file and you’re done!

How it’s done

Options +Indexes

Notes

  • If you have access you can edit your web server configuration and make it global

Add a NAS drive to your Livedrive account for free

I used to be a customer of popular cloud backup service Livedrive. The upload and download speeds were nothing to shout about and one annoyance was having to pay extra to add a NAS drive to your account, but there is a workaround!

How so?

All you need to do is add a symbolic link to your NAS drive from your computer. Think of a symbolic link as a fancy shortcut, the only difference being it masks the destination instead of taking you straight there – you’ll see what I mean when you read on.

Imagine you have a Windows computer with your NAS drive with the root of the drive already mapped to Z:, you have a folder on your NAS called MyFiles and would be able to browse to Z:\MyFiles to see whatever is stored there. Next imagine we have a folder called C:\Backup which is already uploading to your Livedrive account, using  the following command we will make C:\Backup\MyFiles lead to your NAS and in turn be included with your Livedrive backup.

mklink /d "C:\Backup\MyFiles" "Z:\MyFiles"

For me, this worked absolutely fine and I had a couple of TB uploaded without ever being caught out. I’ve since jumped ship to Amazon Drive, whilst it is more expensive per year I’ve got it running from multiple computers and the upload and download speed always tops out my connection, so I can’t complain!

Notes

  • Use the above guide at your own risk – I won’t be held liable if anything happens to your Livedrive account, files or anything else because of this!
  • This doesn’t work with Dropbox or Google Drive  – sorry
  • You only need to run the command once, after that the link will be remembered
  • To remove the link just delete it as you would any other  file or folder

Connect Directly to SunLuxy Camera Streams

For a while now I’ve used a cheap SunLuxy H.264 DVR as the heart of the CoopCam project and initially couldn’t get a direct link to the camera stream so had to screen captured the bog standard web interface using VLC and break the feed down into separate streams but recently after a fair bit of trial and error I discovered a much easier solution!

I had researched on and off for months, went through masses of trial and error with various software and ultimately found no solution but after being inspired again I headed to the DVR’s web interface to start from scratch. I stumbled across source code in a file called /js/view2.js that constructs an RTMP:// address to show live camera feeds through the web interfaces flash player – See snippet of code below:

dvr_viewer.ConnectRTMP(index, "rtmp://" + location.host, "ch" + index + "_" + (dvr_type=="main"?"0":"1") + ".264");

After removing the jargon the link came out as rtmp://dvraddress:port/ch#_#.264 with the first number being the channel you want to connect to (starting at 0) and the second being the stream (substream being 1 and main being 0)

I headed to VLC player, selected Open Network Stream and entered the following:

rtmp://192.168.0.100:81/ch0_0.264

Broken down you can see my DVR is on the local network as 192.168.0.100 at port 81  and that I wanted to view channel 1’s main stream, low and behold after a few seconds the camera started to play!

Notes

  • To convert the stream to something more useful you could use rtmpdump and ffmpeg on Linux systems – I’ll write another guide about that shortly
  • If you do something wrong and overload the DVR then you’ll hear a beep as the box reboots
  • If this works for you please comment your DVR make and model

Search terms:

  • log into sunluxy dvr
  • petu3v

Encrypted AES VPN tunnel between pfSense 2.3 and Draytek 2830

For a long time now I’ve managed several VMware ESXi servers and for easy management I’ve created a local area network on each making backups, monitoring and the usual sysad tasks a breeze.

The icing on the cake is that I recently swapped from m0n0walll to pfSense and went about setting up a lan to lan VPN tunnel to my home network, so now I can access everything locally as if I was on the same network.

Home Network

My home network uses a Draytek 2830 connected to a Virgin Media Superhub. Unfortunatley the Draytek is getting on a little bit now and doesn’t have the processing power to deal with my 100mbit connection speed, so I’ve had to double NAT the network using the Superhub in router mode and then DMZ everything towards the Draytek.

This isn’t a bad thing though as all the “dumb” wireless devices (mobile phones, Roku’s, Nest thermostat, etc) connect direct to the Superhub whilst my home server and everything crucial connect via the Draytek. All in all I get 70mbit through the Draytek on average and there’s plenty of bandwidth left for the devices connected to the Superhub.

In the example below the home network subnet will be 192.168.100.x

Remote Network

The remote network is pretty simple, they are all setup the same apart from x is a different number based on the virtual host name – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the Draytek (or the Superhub in my case)
  • Enter a brieft description in the Description box
  • If you are double NAT’d like me select Peer identifer as KeyID tag then enter the WAN2 address of Draytek else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box
  • Set PSF Key Group to 2
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box
  • Press Save any hit Apply Changes

Configuring the Draytek

Now it is time to configure the Draytek – Go to VPN and Remote Access > LAN to LAN

For Common Settings:

  • Enter a Profile Name
  • Tick Enable this profile
  • Make sure Call Direction is set to Both

For Dial-Out Settings:

  • Set type of server to IPSec Tunnel
  • Enter the Remote WAN IP in the Server IP/Hostname for VPN box
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method set it to High (ESP)AES with Authentication
  • Under Advanced set IKE phase 1 propsal to AES256_SHa1-G14 and IKE phase 2 proposal to AES256_SHA1 then press OK

For Dial-In Settings:

  • Set the Allowed Dial-In Type to IPSec Tunnel
  • Tick the box to Specify Remote VPN Gateway and enter the remote network WAN IP
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method untick all apart from High (ESP) – AES

Under TCP/IP Netowrk Settings:

  • Set Remote Network IP as the remote network subnet – 192.168.150.0

Hit OK at the very bottom to save the profile, leave it a few seconds and it should connect. If it doesn’t connect automatically, head to the IPSec Status page in pfSense and hit Connect manually

Search terms:

  • draytek openvpn
  • pfsense vpn to draytej

TRENDnet TV-IP310pi Night Vision Fix

Let’s face it, it’s not fun when things don’t work properly which is why I was a little annoyed recently – very big understatment! – when I discovered my TRENDnet TV-IP310pi cameras had a slight flaw, a flaw which is scarcely documented but fairly fundemental to the overall use of the camera… oh and did I forget to mention I own 5 of these cameras, all installed around my house, all which had the same problem? Yup!

So what is the actual problem?

Well the cameras work perfectly in the day delivering 25 frames per second of crisp 1080p footage which is great BUT when the night time comes – as it does – performance takes a dramatic hit and you are lucky to get a maximum of 4 frames per second… which is pretty rubbish! For months I’ve been thinking it  was a problem with my home server – an Intel I7 920 quad core 2.4GHz  running VMware – and I came to the conclusion that I needed a new rig as it just couldn’t cope with the amount of data passing thrdropough but oh was I wrong!

Anyway, long story short after pestering my friend Chris at work – who also runs his own CCTV system, only with the identical Hikvision DS-2CD2032F-I cameras – some extensive testing was done – I’ll spare you the details – but we came to the conclusion that the hardware was good, the network was good and were stumped until we found an Amazon review which also mentioned the same problem!

This unfortunatley opened up a can of worms and what followed was a very stressful 3 days which involved not sleeping much, scouring forums, downloading all sorts of firmware and almost losing ALL hope and contacting support! However, I’m very pleased to report that all of my cameras are now running the latest TRENDnet firmware – v5.3.4 – and are delivering 25 FPS 1080p footage at night time – Wow!

So how easy is it to fix?

The fix is easier than you might think, but you do need to be brave as we are essentially going to ‘brick’ the camera and make it an expensive paper weight by installing the Hikvision firmware, then we will reload the TRENDnet firmware fresh and enjoy ALL the frames per second! You might think this is a mad idea, but the TRENDnet TV-IP310pi is actually a rebranded version of the Hikvision DS-2CD2032F-I, so deep down the hardware is the same it just has a different sticker on the side.

I used the following files found below, combined with an XP laptop that was connected by cable directly to the PoE switch, this was connected to the camera directly and ideally  you’ll want to unplug all other devices so you only have the camera and the laptop plugged in but I might have got a bit lazy towards the end… Also, my Windows 7 laptop struggled to transfer the firmware as the TFTP file transfer kept looping and wouldn’t complete, hence using an old XP machine.

I’m up for the challenge!

Great! Before you continue please be aware that I won’t be liable if this goes wrong and it will reset your camera back to the factory default settings! I’ve done this process 5 times flawlessly so far but still – proceed at your own risk!

Whenever the camera boots it scans a predefined IP for a TFTP server, if it finds this server it looks for a specific file and because of this we can do the recovery without having to open the camera up or get ‘hands on’! I reflashed all my cameras with them still fixed in position on the house, minimal effort required!

Update 24/03/2017 –

I can confirm the same process below works on Windows 10 Pro, the firewall had to be switched off but that was all – 79 seconds from start to finish!

  1. Download the files found here, extract them somewhere safe and keep reading
  2. Change your computers network settings so the IP address is 192.0.0.128, see picture below:
    trendnet_tv-ip310pi_recovery-network-config
  3. Connect your computer to the switch along with the camera, disable any other connections network – FLASH VIA ETHERNET CABLE ONLY!
  4. Copy the Hikvision_5-1-6–digicap.dav file into the TFTP Server folder and rename it digicap.dav
  5. Run tftpserv.exe and then restart your camera, after a few seconds you should see the following:
    trendnet_tv-ip310pi_recovery-tftp1
  6. Now you won’t get any confirmation here, so leave it 2 or 3 minutes then unplug your camera, close the tftpserv.exe and repeat step 3 but this time use the Trendnet_5-3-4–digicap.dav file
  7. Now start tftpserv.exe again and connect your IP camera, this time after a few minutes you’ll see a system update complete message like below:
    trendnet_tv-ip310pi_recovery-tftp2
  8. Close of tftpserv.exe and reboot the camera, after a few minutes check your router and you’ll have a fresh IP camera sat on DHCP waiting be configured! If you can’t find your camera straight away, don’t panic! Install the auto discovery program (SADPTool_V3.0.0.100.exe) and find the camera that way

Conclusion

I did try updating to the latest TRENDnet firmware via the web interface before going down the TFTP route but it still gave me low frames per second at night using the identical 5.3.4 file… I’m guessing installing the Hikvision firmware first completely screwed things up, after that the camera is left fresh, ready for the TRENDnet firmware? Either way it worked and I’m a happy nerd!

Notes

  • Again, I can’t be liable if this goes wrong for you!
  • The files in the link above were all found on the Internet, I take no credit, all  credit belongs to the respective authors (presuming that is Hikvision? Thanks!)
  • If you get really stuck I can reflash your cameras, after all not everyone has an old XP relic lying around! Drop me an email, pay for postage and send your camera in a box along with a little gift!
  • I found an easy way to tell the camera state during the reflashing process which is to do a constant ping to the IP addresses below – Note that in order to use this method you’ll need to assign your network card two IP addresses (192.0.0.128 and 192.168.1.128):
    • 192.0.0.64 – Camera is in rescue mode
    • 192.168.1.64 – Camera firmware has updated but not yet rebooted
    • No response from either – Somethings not right!
  • You can find the latest TRENDnet firmware direct from their website here
  • From various forum posts I read some people were saying you can flash using any TFTP server software, however this isn’t the case as you must use the Hikvision TFTP server as there is a special initiation process which waits for certain key to be sent back and forward before the firmware updating process begins
  • Make sure you clear your browser cache before logging in again otherwise things might not work properly
  • The default user/password combination is admin/admin

Search terms:

  • trendnet hikvison
  • tv-ip314pi upgrading failed
  • trendnet ip310 problem
  • trendnet reset ip310pi
  • trendnet tv-ip310pi cannot upgrade
  • TV-IP310PI find firmware version
  • •TV-IP310PI find firmware version

Remove Adverts from All 4 Roku App

Disclaimer

This post is for educational purposes only, it briefly describes a technique for removing the adverts from Channel 4’s on demand service. I won’t be providing any working examples and won’t be held liable whatever the outcome if you try this, this was just setup as a test one afternoon and then destroyed shortly after. Do so at your own risk.

Why even bother?

Now I love TV but I always end up forgetting and then having to catch up later using on demand services via my NowTV box, some services are great – like the BBC iPlayer – where as others – 4OD or All 4 – lack basic features like being able to resume where you left off without having to sit through the ads again.

This got me thinking, is it possible to get around the ads? Picture this… you are watching an hour long programme on your Roku (or NowTV) box, you have 10 minutes to go and you have to nip out. You come back hoping to pick up where you left off.. but oh no, something happened and now you have to watch from the begining OR fast forward until you get to an ad break, watch the ads, then fast forward again… its not good right? This has happened to me many a time!

A quick Google suggested this is not possible, but that wasn’t good enough for me.

How did you get it to work?

It took a bit of nerdy know how, a decent router and a publicly accessible Linux box.

Decent router – I was using a NowTV (watered down Roku) box, these don’t have the option to manually specify the DNS server addresses so you have to set the DNS servers in my router

Linux box – I used a CentOS 7 box running BIND and Apache, BIND responded to the DNS requests aiming everything at the Apache server

The basic idea is to redirect any requests to ‘known advertiser servers’ to your own server which is returning a single pixel instead of the advertisers video, and it did work really well:

As you can see above the same programme has ads and one does not. This method also removes the ad cue points so you are literally just served with the entire video – cool, huh?

Notes

  • This was just a test, please don’t lecture me about the importance of advertising and the revenue it generates
  • I only tested it with the Roku app, although I think it would have worked for the Xbox app too
  • I guess the same tecnique could be used to create a ‘super’ ad blocker that works with more than just on demand services

Search terms:

  • adblock roku
  • bypass adverts on roku
  • how to get rid of ads on roku
  • remove ads all 4

Enable SSH on LinkStation Stock Firmware

Enabling SSH on the LinkStation is simpler than you might think and opens up a world of functionality (and nerdyness) that you never had before – All this with no firmware flashing which ultimately means no data loss and no risk of bricking your box.

My motivation to enable SSH came about when my older LinkStation (a 500GB HS-DHGL) was doing a Disk Backup to my newer one (a 2TB LS-WXL) and it just seemed to be taking forever. It turned out the backup had hung part way through and the only official way to fix this problem as listed on Buffalo’s support website was to reset the box back to factory settings – That’s a bit ridiculous in my opinion but there is a work around, see this post here for more information on how to unstick a backup.

The activation process is done by a program called ACP Commander which is a command line tool that can be a little confusing to work at times with its lack of user friendly interface (if you search for this online you’ll see what I mean) however by chance I came across a reworked version that has a decent interface and is fairly easy to use.

Enabling SSH

The following guide will assume that you are on the same network as your LinkStation and are able to access it freely as you normally would day-to-day,  also if you want to keep your warranty with Buffalo do not continue!

  • Download ACP Commander GUI for Windows (.EXE file)
  • Run your newly downloaded file and you should see a screen similar to the one below:
    lsunlock-1
  • Select your LinkStation IP address from where it says Select LinkStation, then enter your password where it says Admin password and press Enable SSH
  • After a couple of seconds you will be shown a SSH enabled OK! message as seen below:
    lsunlock-2
  • The next step is to set your root password for SSH, click Set root PW, type in a password and then press OK and you will see another message like the one below:
    lsunlock-4
  • Now head to your favourite SSH software and connect to your box! If all is well you will see something similar to this:
    lsunlock-5
  • That’s all you need to do to enable SSH!

Notes

  • This method is proven to work on both Windows and Mac for the following models/firmware: LS-WXL/v1.68, HS-DHGL/v2.11, LS-QVL/v1.64
  • Common out of the box commands include: top – process viewer, vi – text editor, cp – copy files, mv – move files
  • Mine and my friends newer LinkStations had HTOP installed – Epic!
  • Enabling SSH will no doubt void your warranty with Buffalo but who needs that anyway?!
  • I didn’t create the program recommended and take no credit for it
  • Finally, if you could let me know if you encounter any problems or can confirm if this works for other models I’d be grateful
  • Thanks to Callum for confirming this works on the LS-QVL and Michael for confirming this works on the TS-X/R5 with version 1.66 firmware

Search terms:

  • enable ssh on buffalo linkstation ls10d654
  • linkstation SSH kill USB Disk
  • ssh buffalo Linkstation LS-CHL
  • buffalo linkstation ssh
  • Buffalo LinkStation LS220D root access
  • buffalo linkstation ls220 ssh access
  • linkstation 1 74 mod
  • terastation ssh
  • linkstation root password
  • Buffalo LS520 ssh