Re: Fix SSL on Chumby One

By the way, in order to test a different SSL fix for another Chumby developer, I reloaded the upgrade to the Chumby One (to make sure this SSL fix was removed) - and I ran your fix tester and got this log:

---------------------

Tue Mar 13 20:50:18 PDT 2018
falconwing

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 20:37 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 20:38 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

End of test


......  which indicates it does detect when the fix isn't on a Chumby One as well.

Re: Fix SSL on Chumby One

One more test,
I restored the Insignia 3.5 to the most recent Chumby One software and ran the latest test-sslfix program and received this log file.

---------------------

Tue Mar 13 23:29:23 PDT 2018
falconwing

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 23:14 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 23:15 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

End of test

After this, I installed the latest ssl-fix_wi-150 onto the Insignial 3.5
it displayed Test SSL Fix is running, I saw a mountaing, then I saw that it had installed successfully.

and noted the install.log was empty, but I did see the mountain on the USB stick...

I tried it again,
Saw that it was running, saw the mountain again, saw that it was successful - saw the widgets appear, waited awhile - but my test widgets were not showing behavior as if the fix was functioning.  Specifically wGraph was no longer working and neither were Image URL or Image - Scalable, using the following URL... https://radar.weather.gov/ridge/lite/N0R/HNX_0.png
The image is viewable on the C8 (with your fix), Infocast 8 (with your fix), Chumby original (with Duane's fix) and Chumby One (with the text SSL fix provided to me by Michael Masterson).
Also the install log now contained this:

---------------------

Tue Mar 13 23:44:58 PDT 2018
falconwing
/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 23:14 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 23:15 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0
/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl
/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt
Showing intro
Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

Showing result
End of test



So, then to be safe, I reinstalled the latest firmware for the Chumby One to be sure things were cleared out again.
Then installed the V3 Fix specifically for the Chumby One and received this install log:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

After this, the https images appeared and wGraph returned to functional.

One thing I am noticing between your fix and Michael's is that the eBay widget persists on your fix.  On his fix, the widget loses the auth token and stops working.

OK - that's enough for tonight.  Going to go get some sleep...

Re: Fix SSL on Chumby One

Thank you very much for your very extensive testing. It has been very useful.

The SSlfix-test is only meant to check whether a device is compatible with the  SSL-fix. It does not install it.

Based on your testing it turns that the fix is compatible with:

  • Chumby One (as expected)

  • Insignia 3.5"

  • Chumby 8

  • Insignia 8"

It's not compatible with the Dash as it runs on a different processor architecture (MIPS), as I seem to have forgotten in my previous post. The test correctly identifies this issue:
Original installation
Test failed: unable to load secured content
Unfortunately update will not work and should not be installed

To install the fix you still have to use the "old" installer SSL-fix-V3:

https://sourceforge.net/projects/chumby … p/download for the Chumby One

https://sourceforge.net/projects/chumby … p/download for the other Chumbies

The difference between the two is minimal. Uni-versal is built to be compatible with a "more generic" ARM processor.

These installers do work fine, but they may not be able to write a report to the usb key. To address this issue I may add a few screens to the universal installer, so at least the user gets an idea of what is going on.

In the meantime I hesitantly assume that SSl-Fix does indeed "fix" the Chumby 8.

29 (edited by chankla 2018-03-14 07:30:26)

Re: Fix SSL on Chumby One

Hello Francesco,
I agree, it seems your universal fix works on the C8 and Insignia 8 which has had the latest Chumby 8 firmware loaded upon it.
The universal did not seem to work on the Chumby One or Insignia 3.5, however the one you optimized for those devices (V3) DID work.  So we appear to have SSL fixes for everything except the Sony Dash. 

So... I leave it to you to alert Duane - so that an appropriate sticky post can be made to announce the news to the Chumby community.

Furthermore, it appears another user, is working on an SSL fix for the Chumby One as well - but I'm not sure it is as "stable" as yours appears to be - however it does work.

So - the question everyone will ask is how do we attack the Sony Dash/Chumby-ized?

Congratulations on making a successful SSL fix!

Re: Fix SSL on Chumby One

chankla wrote:

So - the question everyone will ask is how do we attack the Sony Dash/Chumby-ized?

As I mentioned in a previous email, the Sony dash already supports SSL, however, with a bug in redirection from http to https.

Note also that the dash does not have an file system that can be remounted as read/write, unlike the C1/I3/C8/I8 devices. Like the chumby Classic, it uses a compressed read-only filesystem.  You'd basically have to modify a firmware update image directly, however, the dash would likely reject the modified filesystem for security reasons. You'd have to host the libraries in a different mount point (not sure there's enough available internal r/w storage) and modify the lib paths to use them.

Re: Fix SSL on Chumby One

Francesco,
Just to follow-up on the Insignia 8.
To prove the fix works there...
I re-installed the latest (update.zip) Chumby 8 firmware to be at a clean, original known version, then applied the V3 Universal fix.

Here is the Install log I obtained:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

-------------------------------------
and after the installation the https images returned as did functionality to wGraph and wGraphXL.

So - Insignia 8 is good to go for sure, so long as it has the latest Chumby 8 software installed.

smile

Re: Fix SSL on Chumby One

Francesco,
Just to follow-up on the Insignia 8.
To prove the fix works there...
I re-installed the latest (update.zip) Chumby 8 firmware to be at a clean, original known version, then applied the V3 Universal fix.

Here is the Install log I obtained:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

-------------------------------------
and after the installation the https images returned as did functionality to wGraph and wGraphXL.

So - Insignia 8 is good to go for sure, so long as it has the latest Chumby 8 software installed.

smile

Re: Fix SSL on Chumby One

I have updated the sourceforge site (https://sourceforge.net/projects/chumby-ssl-fix) with the new info.

Regarding the Dash. It's really a two steps process.
First I need to find and install a MIPS toolchain, which can be very quick or take a long time looking for the various parts.
Then I would use the test-sslfix script to test the new libraries on a Dash device.

Once I get something working the next step would be to actually and permanently put it on a Dash device. I went through the Chumbyize update and it seems to use mostly the psp directory to do his job.
I could follow the same route but I would have to force the flash player to use the customized libcurl.so in /psp/whatever/ instead of the system /lib/libcurl.so. I'm not sure this is possible.

BTW on the space issue: are the sample_photos really needed? wink