Re: Fix SSL on Chumby One

By the way, in order to test a different SSL fix for another Chumby developer, I reloaded the upgrade to the Chumby One (to make sure this SSL fix was removed) - and I ran your fix tester and got this log:

---------------------

Tue Mar 13 20:50:18 PDT 2018
falconwing

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 20:37 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 20:38 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

End of test


......  which indicates it does detect when the fix isn't on a Chumby One as well.

Re: Fix SSL on Chumby One

One more test,
I restored the Insignia 3.5 to the most recent Chumby One software and ran the latest test-sslfix program and received this log file.

---------------------

Tue Mar 13 23:29:23 PDT 2018
falconwing

/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 23:14 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 23:15 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0

/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl

/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt

Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

End of test

After this, I installed the latest ssl-fix_wi-150 onto the Insignial 3.5
it displayed Test SSL Fix is running, I saw a mountaing, then I saw that it had installed successfully.

and noted the install.log was empty, but I did see the mountain on the USB stick...

I tried it again,
Saw that it was running, saw the mountain again, saw that it was successful - saw the widgets appear, waited awhile - but my test widgets were not showing behavior as if the fix was functioning.  Specifically wGraph was no longer working and neither were Image URL or Image - Scalable, using the following URL... https://radar.weather.gov/ridge/lite/N0R/HNX_0.png
The image is viewable on the C8 (with your fix), Infocast 8 (with your fix), Chumby original (with Duane's fix) and Chumby One (with the text SSL fix provided to me by Michael Masterson).
Also the install log now contained this:

---------------------

Tue Mar 13 23:44:58 PDT 2018
falconwing
/lib/libcurl
lrwxrwxrwx    1 root     root            16 Mar 13 23:14 /lib/libcurl.so -> libcurl.so.4.0.0
lrwxrwxrwx    1 root     root            16 Mar 13 23:15 /lib/libcurl.so.4 -> libcurl.so.4.0.0
-rwxr-xr-x    1 root     root       1184988 Nov  5  2010 /lib/libcurl.so.4.0.0
/usr/bin/curl
-rwxr-xr-x    1 root     root         59784 Nov  5  2010 /usr/bin/curl
/usr/share/certs/
total 225
-rw-r--r--    1 root     root        229223 Nov  5  2010 curl-ca-bundle.crt
Showing intro
Checking installation
Not recoverable installation
Original installation
curl 7.30.0 (arm-none-linux-gnueabi) libcurl/7.30.0 OpenSSL/1.0.2l zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile NTLM SSL libz
Test of update successfull
Update can be successfully installed

Showing result
End of test



So, then to be safe, I reinstalled the latest firmware for the Chumby One to be sure things were cleared out again.
Then installed the V3 Fix specifically for the Chumby One and received this install log:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

After this, the https images appeared and wGraph returned to functional.

One thing I am noticing between your fix and Michael's is that the eBay widget persists on your fix.  On his fix, the widget loses the auth token and stops working.

OK - that's enough for tonight.  Going to go get some sleep...

Re: Fix SSL on Chumby One

Thank you very much for your very extensive testing. It has been very useful.

The SSlfix-test is only meant to check whether a device is compatible with the  SSL-fix. It does not install it.

Based on your testing it turns that the fix is compatible with:

  • Chumby One (as expected)

  • Insignia 3.5"

  • Chumby 8

  • Insignia 8"

It's not compatible with the Dash as it runs on a different processor architecture (MIPS), as I seem to have forgotten in my previous post. The test correctly identifies this issue:
Original installation
Test failed: unable to load secured content
Unfortunately update will not work and should not be installed

To install the fix you still have to use the "old" installer SSL-fix-V3:

https://sourceforge.net/projects/chumby … p/download for the Chumby One

https://sourceforge.net/projects/chumby … p/download for the other Chumbies

The difference between the two is minimal. Uni-versal is built to be compatible with a "more generic" ARM processor.

These installers do work fine, but they may not be able to write a report to the usb key. To address this issue I may add a few screens to the universal installer, so at least the user gets an idea of what is going on.

In the meantime I hesitantly assume that SSl-Fix does indeed "fix" the Chumby 8.

29 (edited by chankla 2018-03-14 07:30:26)

Re: Fix SSL on Chumby One

Hello Francesco,
I agree, it seems your universal fix works on the C8 and Insignia 8 which has had the latest Chumby 8 firmware loaded upon it.
The universal did not seem to work on the Chumby One or Insignia 3.5, however the one you optimized for those devices (V3) DID work.  So we appear to have SSL fixes for everything except the Sony Dash. 

So... I leave it to you to alert Duane - so that an appropriate sticky post can be made to announce the news to the Chumby community.

Furthermore, it appears another user, is working on an SSL fix for the Chumby One as well - but I'm not sure it is as "stable" as yours appears to be - however it does work.

So - the question everyone will ask is how do we attack the Sony Dash/Chumby-ized?

Congratulations on making a successful SSL fix!

Re: Fix SSL on Chumby One

chankla wrote:

So - the question everyone will ask is how do we attack the Sony Dash/Chumby-ized?

As I mentioned in a previous email, the Sony dash already supports SSL, however, with a bug in redirection from http to https.

Note also that the dash does not have an file system that can be remounted as read/write, unlike the C1/I3/C8/I8 devices. Like the chumby Classic, it uses a compressed read-only filesystem.  You'd basically have to modify a firmware update image directly, however, the dash would likely reject the modified filesystem for security reasons. You'd have to host the libraries in a different mount point (not sure there's enough available internal r/w storage) and modify the lib paths to use them.

Re: Fix SSL on Chumby One

Francesco,
Just to follow-up on the Insignia 8.
To prove the fix works there...
I re-installed the latest (update.zip) Chumby 8 firmware to be at a clean, original known version, then applied the V3 Universal fix.

Here is the Install log I obtained:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

-------------------------------------
and after the installation the https images returned as did functionality to wGraph and wGraphXL.

So - Insignia 8 is good to go for sure, so long as it has the latest Chumby 8 software installed.

smile

Re: Fix SSL on Chumby One

Francesco,
Just to follow-up on the Insignia 8.
To prove the fix works there...
I re-installed the latest (update.zip) Chumby 8 firmware to be at a clean, original known version, then applied the V3 Universal fix.

Here is the Install log I obtained:

---------------------

Starting install
Checking installation
Not recoverable installation
Original installation
V1 not installed
V2 not installed
V3 not installed
Installing V3
Installation successfull.
Installation of V3 successfull
Test of V3 successfull
curl 7.46.0 (arm-none-linux-gnueabi) libcurl/7.46.0 mbedTLS/2.1.9 zlib/1.2.3
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS Largefile SSL libz
Installer finished

-------------------------------------
and after the installation the https images returned as did functionality to wGraph and wGraphXL.

So - Insignia 8 is good to go for sure, so long as it has the latest Chumby 8 software installed.

smile

Re: Fix SSL on Chumby One

I have updated the sourceforge site (https://sourceforge.net/projects/chumby-ssl-fix) with the new info.

Regarding the Dash. It's really a two steps process.
First I need to find and install a MIPS toolchain, which can be very quick or take a long time looking for the various parts.
Then I would use the test-sslfix script to test the new libraries on a Dash device.

Once I get something working the next step would be to actually and permanently put it on a Dash device. I went through the Chumbyize update and it seems to use mostly the psp directory to do his job.
I could follow the same route but I would have to force the flash player to use the customized libcurl.so in /psp/whatever/ instead of the system /lib/libcurl.so. I'm not sure this is possible.

BTW on the space issue: are the sample_photos really needed? wink

Re: Fix SSL on Chumby One

There are some advances on the Dash side of the SSL-fix.
Since I don't own one myself I would need volunteers to test out some binaries made for the Dash. Please send me a PM through the forum.

Still I'm not sure there's going to be a solution.

Re: Fix SSL on Chumby One

Check your email...   smile

Re: Fix SSL on Chumby One

Has the SSL issue been fixed on chumby 8?  It's been a while...

Re: Fix SSL on Chumby One

An update would be nice -
as I understood it, a fix would work with c1 and c8 (?), but not the Dash.

I hesitated to try the fix on my c8, waiting to see if the "home team" blessed it, or offered another.

Re: Fix SSL on Chumby One

Duane -
Could you weight in on this?

Re: Fix SSL on Chumby One

I applied this fix to my chumby 8 today and many widgets came back to life!  I don't know why I waited so long.  Thank you Francesco!

Re: Fix SSL on Chumby One

I did the ssl fix v3 to several Infocast 3.5s, and they all worked.
But one, shows signs of not having worked.  Specifically the threatpost widget does not load. It loads find on the others.

I reran it and the install log only says
--------------------------------------Installer Finished
message in the log, but I don't think it worked, probably when I originally did that SSL fix.

Any ideas?

Re: Fix SSL on Chumby One

Yes, go to settings and tap on that symbol for "pi" in the top right corner.
clear the cache
then reboot and reload the channel.

That worked on mine.

Re: Fix SSL on Chumby One

I tried that, no difference.

Re: Fix SSL on Chumby One

Here is the feed for ThreatPost that I placed in the RSS Reader. https://threatpost.com/feed

I'm not sure why it isn't working for you. I have the "app" installed locally on my C1 and it works with the SSL fix.

Owner of three C1's, Infocast 3.5, Sony Dash C10, and Infocast 8. A tinkerer at heart and IT director by trade.

Re: Fix SSL on Chumby One

drexful wrote:

Here is the feed for ThreatPost that I placed in the RSS Reader. https://threatpost.com/feed

I'm not sure why it isn't working for you. I have the "app" installed locally on my C1 and it works with the SSL fix.

It works on several Infocast 3.5s and a Infocast 8. Just one does not work. I dunno. Bad ssl installation on that one.
Not sure how to force it to do it again.

Re: Fix SSL on Chumby One

I ran the SSLfix V3 that Francisco released, and it worked ok on all but one I3.
On that particular I3 the threatpost widget does not work but the google calendar now does! 
I have no explanation as to what went wrong but I have been unable to resolve this on that one I3.
I tried to rerun the SSLfix, but there is never anything in the log so I assume it does not run if it has already been installed.

But something is not right on that one I3.

Can anyone direct me to a way to check the SSLfix v3 installation on that one I3? As i said since the google calendar started working the SSL is likely working but something is making threatpost not work on that one I3.