Archive for March, 2007

Boost C++ static libraries

Friday, March 30th, 2007

I was compiling a project with Visual Studio 2005 that requires the Boost libraries. Unfortunately I did not have the compiled libraries on my system, even though I had Boost itself installed in c:\boost_1_33_1. The VS2005 linker complains with the following error:

LINK : fatal error LNK1104: cannot open file 'libboost_thread-vc80-mt-gd-1_33_1.lib'

There are two ways to resolve this.

The first is to compile the libraries yourself. Follow the instructions at this link: The instructions are for VS2003, but VS2005 can be used with a minor modification: change -sTOOLS=vc-7_1 to -sTOOLS=vc-8_0 when you get to that step.

You can also download precompiled Boost libraries from
These are not considered "official" Boost releases, but they are the closest thing to it.

Hacking 3ware’s management utility for setuid programs

Tuesday, March 27th, 2007


If you do any of these hacks, be sure that you do NOT install the tw_cli program itself setuid root; use sudo, or another wrapper that filters user access to running tw_cli as root. If you do not take appropriate precautions, any user will be able to run tw_cli, bugs and all, and have all the powers of root while doing so!

Problem and solutions

3Ware’s management utility for their RAID cards under Linux is called tw_cli. I have found that it may be desirable to script certain activities in the tw_cli. One such instance required writing a setuid wrapper program so that a non-root user could invoke tw_cli as root (a sudo setup would be similar). But the tw_cli program unfortunately does a getuid() check against root (the precise system call according to strace(1) is getuid32()). Since in a setuid environment the effective user ID is root but the real user ID is non-root, this check fails and tw_cli refuses to run. Aside from getting 3ware to change this call to geteuid(), the user would be out of luck.

Actually, we are not totally out of luck. tw_cli is stripped, which makes binary analysis difficult, but it is statically linked. This aids analysis because all of the code is included in the binary. On IA-32, Linux system calls are invoked by moving the system call number into eax and executing int $80. The actual system call is performed by a macro in the C library which does exactly this; when statically linked, this code will reside in the binary image.

What I did was to search for a 32-bit immediate move placing getuid32()’s system call number into the eax register immediately followed by an int $80. getuid32()’s system call number can be found by checking the Linux kernel source code; all the system call numbers are defined as __NR_syscall. __NR_getuid32 is 199, which is $C7. The opcode for a 32-bit immediate move to eax is $B8. So, since IA-32 is little endian, this instruction is B8 C7 00 00 00. The INT instruction has an opcode of $CD and an 8-bit argument ($80 in this case). So the hex string to search for is B8 C7 00 00 00 CD 80. Well wouldn’t you know, there it is. And only one instance! It must be our culprit.

Now, what to change it to? We want to change this call to geteuid32(). Luckily, getuid32() and geteuid32() have the same arguments (none at all) and the same return type, so this hack is trivial. __NR_geteuid32 is 201 ($C9), so just change the move to B8 C9 00 00 00 and save the file. Now your tw_cli works as a setuid program.

A better way to do this might be to skip this call altogether. tw_cli operates on the 3ware device node, which has its own UNIX permissions, so… the tw_cli program does not really even need this check. Since the return value of the system call (the UID number) is placed in eax, we could make this hack just pass every time by changing the move to B8 00 00 00 00, and changing the CD 80 to 90 90 (nop nop). Then the program’s behavior will be controlled by device and file permissions as expected, instead of being controlled by a crude root check.
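The byte search the post describes by hand can be scripted, and scripting it also makes the "only one instance" sanity check explicit. The following is an added example, not code from the post or from 3ware: it scans an IA-32 image for every `mov eax, imm32; int 0x80` stub, decodes the system call number from the little-endian immediate, and rewrites the getuid32 stub to geteuid32 only when exactly one such stub exists. The sample image, the function names and the `main` wrapper are constructed for the example; the syscall numbers 199 and 201 are the ones from the post.

```python
import struct
import sys
from typing import List, Tuple

# Linux IA-32 system call numbers as defined in the kernel's unistd.h
# (only the two this post talks about).
NR_GETUID32 = 199   # 0xC7
NR_GETEUID32 = 201  # 0xC9

MOV_EAX_IMM32 = 0xB8        # opcode of 'mov eax, imm32'
INT_0x80 = b"\xCD\x80"      # 'int 0x80', the IA-32 Linux syscall trap


def find_syscall_stubs(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, syscall_number) for every 'mov eax, imm32; int 0x80'
    sequence in data.  This is a plain byte scan, not a disassembly: a 0xB8
    that is really the tail of a longer instruction would be mis-read, which
    is why the post's 'exactly one hit' check matters before patching."""
    hits = []
    pos = 0
    while True:
        pos = data.find(INT_0x80, pos)
        if pos < 0:
            break
        if pos >= 5 and data[pos - 5] == MOV_EAX_IMM32:
            (nr,) = struct.unpack_from("<I", data, pos - 4)  # little-endian imm32
            hits.append((pos - 5, nr))
        pos += len(INT_0x80)
    return hits


def patch_syscall(data: bytes, old_nr: int, new_nr: int) -> bytes:
    """Rewrite the single stub that invokes old_nr so it invokes new_nr.
    Refuses to patch unless exactly one such stub exists: zero means the
    pattern was not found, more than one means the change is ambiguous."""
    matches = [off for off, nr in find_syscall_stubs(data) if nr == old_nr]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one stub for syscall {old_nr}, found {len(matches)}")
    patched = bytearray(data)
    struct.pack_into("<I", patched, matches[0] + 1, new_nr)  # only the imm32 changes
    return bytes(patched)


# Constructed stand-in for a tiny statically linked image (not tw_cli):
# a getpid stub, the getuid32 stub the post hunts for, and some filler code.
SAMPLE_IMAGE = (
    b"\x55\x89\xE5"                      # push ebp; mov ebp, esp
    + b"\xB8\x14\x00\x00\x00\xCD\x80"    # mov eax, 20 (getpid); int 0x80
    + b"\xB8\xC7\x00\x00\x00\xCD\x80"    # mov eax, 199 (getuid32); int 0x80
    + b"\x85\xC0\x75\x05"                # test eax, eax; jnz +5
    + b"\x5D\xC3"                        # pop ebp; ret
)


def main(argv: List[str]) -> int:
    # With a path, list the stubs in that file; without one, demo on the sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_IMAGE
    for off, nr in find_syscall_stubs(data):
        print(f"offset 0x{off:08x}: syscall {nr}")
    if len(argv) == 1:
        patched = patch_syscall(data, NR_GETUID32, NR_GETEUID32)
        print("after patch:", find_syscall_stubs(patched))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a file path to list every syscall stub the scan can see; the listing is also a quick way to see what else a stripped static binary does with the kernel before you decide whether a check like this one is the only gate on the program. The patch only ever changes the four immediate bytes, so the file size and every other offset stay the same.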

Corrupted NTFS filesystem recovery

Monday, March 19th, 2007

The quick guide to recovering a corrupt Windows NTFS filesystem from a dead or dying hard drive:
1) If the drive does not power up or respond at all to host I/O, replace the drive controller board with a compatible one (e.g. from an identical drive purchased on eBay), unless it is a drive known to not work with a controller board swap. Don’t bother doing this if the drive responds but clicks when accessing certain files. If a controller swap doesn’t get the drive to at least respond to ID, the drive has serious problems and will require professional service (or a do-it-yourself head stack/preamp replacement, and possibly a reserved region rewrite... not for the faint of heart).
2) Put the hard drive in a Linux system with excess hard disk capacity.
3) Attempt to mount the partition. Recover any utterly irreplaceable files immediately, in order of necessity. You may not be able to get anything, and it may take several reboots if you “poke” the drive in the wrong place, but if you do get something, at least you know you have _that_.
4) Use dd_rescue, and dd_rhelp if necessary, to make a “clone” image of the drive. The clone image can be a file or it can be another blank hard disk. This may take several weeks and the drive may die while it is being cloned. Not much you can do if that happens but send it in to the recovery house like you would have had to do anyway.
5) Attempt to loop-mount the NTFS filesystem (mount -o loop /tmp/image.img /mnt). If it succeeds, try to copy the data you need out of /mnt that way. It is very likely that the filesystem will not mount, and even more likely that it will mount but that attempting to read certain files crashes the kernel.
6) If you couldn’t get the files you need, copy the image to a sufficiently sized blank hard disk if you hadn’t already (dd if=/tmp/image.img of=/dev/hdd bs=10M), and then attach the cloned drive to a Windows XP machine. Do NOT allow Windows to “Chkdsk” the drive when it boots.
7) If Windows blue screens when it looks at the drive while booting up, wipe out the partition table in Linux (dd if=/dev/zero of=/dev/hdd bs=512 count=1). This will cause Windows to effectively ignore the drive.
8) Use EasyRecovery from Ontrack in “Advanced” mode to scan the disk for directory structure, and recover as necessary. The result can be copied to another disk or uploaded to a FTP server.

Hints for EasyRecovery:

  • Don’t bother with the Undelete tool because it does not deal with massive filesystem corruption.
  • The Format recovery tool will only work on an existing NTFS volume, which it won’t see because yours is corrupted.
  • The Raw scan should only be used a last resort because it omits all file and directory names, resulting in a disorganized mess. However, it may find files that the Advanced scan does not, because they have been severed from the directory structure by corruption. If you know the contents of the file you are looking for, you can do a Raw recovery, and then “grep” through the files for a pattern that you know is in the interesting file.

If EasyRecovery cannot find your file, use a hex editor to search through the raw disk image for a piece of the file contents. You may get lucky and find it in the hex dump, and use the hex editor to save it to a file, or copy and paste from the hex editor to another program. If you don’t, well, time to decide if that file is worth $500+ for an attempted professional recovery…
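The hex-editor search in the last paragraph is the part that breaks down on a multi-hundred-gigabyte clone, since the editor wants the whole image in memory. The following is an added example, not from the post or from any recovery product: it scans a raw image for a known piece of file content in fixed-size chunks, carries the last `len(pattern)-1` bytes over between chunks so a hit straddling a chunk boundary is still found exactly once, and then carves a window of bytes around the hit for saving out. The `demo()` function builds a constructed image in a temporary file; the marker string and function names are assumptions of the example.

```python
import os
import tempfile
from typing import List


def find_pattern_offsets(path: str, pattern: bytes, chunk_size: int = 1 << 20) -> List[int]:
    """Return the absolute byte offsets of every occurrence of pattern in the
    file at path.  The file is read in chunks so an image larger than RAM can
    be scanned; the last len(pattern)-1 bytes of each chunk are carried over
    so a hit straddling a chunk boundary is still reported, and only once."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    overlap = len(pattern) - 1
    offsets: List[int] = []
    tail = b""
    chunk_start = 0  # file offset of the chunk just read
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            buf_start = chunk_start - len(tail)  # absolute offset of buf[0]
            i = buf.find(pattern)
            while i >= 0:
                offsets.append(buf_start + i)
                i = buf.find(pattern, i + 1)
            # A complete match can never fit inside the carried-over tail alone,
            # so nothing found here was already counted in the previous chunk.
            tail = buf[-overlap:] if overlap else b""
            chunk_start += len(chunk)
    return offsets


def carve_window(path: str, offset: int, before: int, after: int) -> bytes:
    """Read the bytes surrounding a hit (clamped to the start of the file) so
    they can be written to a new file or inspected further."""
    start = max(0, offset - before)
    with open(path, "rb") as f:
        f.seek(start)
        return f.read(offset - start + after)


def demo() -> dict:
    """Constructed image: two copies of a known string, each placed so that it
    straddles a 512-byte chunk boundary, scanned with deliberately small chunks."""
    marker = b"INVOICE-2007"                    # constructed 'known file content'
    image = b"A" * 1018 + marker + b"B" * 1010 + marker + b"C" * 60
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        hits = find_pattern_offsets(path, marker, chunk_size=512)
        window = carve_window(path, hits[0], before=4, after=len(marker) + 4)
    finally:
        os.unlink(path)
    return {"hits": hits, "window": window}


if __name__ == "__main__":
    result = demo()
    print("hits at offsets:", result["hits"])
    print("window around first hit:", result["window"])
```

On a real clone you would call `find_pattern_offsets("/tmp/image.img", b"some unique text")` and then `carve_window` with a `before`/`after` large enough to cover the file; with fragmentation the rest of the file may not be contiguous, which is exactly the case where the offsets list, rather than a single hit, tells you where to look next.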

TSA is useless

Thursday, March 1st, 2007

The TSA (United States Transportation Security Administration) agent at the airport made me throw away an unopened bottle of juice that I had just bought. Amazing.

Seems to me that TSA is a real regression from private security. It has been accused of being “security theater” by notable security experts. There is good reason for this.

  • TSA baggage and body checks do not extend much beyond what was already being done at airports by private security.
  • TSA, by virtue of being a government agency, is almost assuredly more expensive and ineffective than the airlines’ private security.
  • TSA no-fly lists can be easily circumvented with a fake boarding pass and fake ID, because TSA does not refer to the airline’s passenger database, and the airlines do not check ID as the plane is boarded, at which point the real boarding pass would be substituted. In fact, a real ID is never required throughout the screening and boarding process. And an individual on the no-fly list can even fly under their real name, because the no-fly list is considered a state secret, and as such the airlines don’t have access to the list when the suspected individual books his ticket or uses his boarding pass. Airline private security, on the other hand, would be able to verify that the boarding pass is valid and matches the ID at the security checkpoint.
  • TSA has absurd regulations on what can be brought on board, including many items such as containers of liquid that cannot possibly be used to gain control of or to bring down a plane. These regulations are not subject to market forces, meaning that I cannot choose to fly at an airline where I am not assumed to be a criminal until I prove otherwise. Thus, the terrorists have won by removing my freedom of choice.

The lone benefit to the TSA system is that security constraints at airports are now uniform, meaning that another airport can now trust that passengers who are arriving by plane at that location have been subject to the same security screening that is performed on passengers who are entering the terminal by foot.

But is that benefit worth the inefficiency and hassle that will in the end just leave the airlines with more empty seats?

In what way does the TSA dog and pony show make more sense than requiring passenger screening by private security, armed pilots, a cockpit barrier that cannot be penetrated while in the air, and/or a flight crew trained in riot control?

Speaking of useless security measures, you may notice that the instructions that come with the form for obtaining a passport (DS-11) mention the new electronic passports. They make some funny statements:

“Use of the electronic format will provide the traveler the additional security protections inherent in chip technology“.

“The electronic chip must be read using specially formatted readers, and is not susceptible to unauthorized reading.”

What wishful thinking. You have to wonder if some of these people know anything about the technology basket they are putting all their eggs into.

Oil consumption, rich mixtures, etc

Thursday, March 1st, 2007

You may know that a lean mixture causes reduced power, preignition, and detonation (the latter two especially in the presence of excessive heat). It also causes increased combustion temperature which consumes oil.

You may also know that coolant in the exhaust from an internal engine leak will destroy your O2 sensor and catalytic converter.

It is common belief that the only problem a rich mixture causes is reduced gas mileage and increased pollution. So when a car starts to get bad mileage and a rich smelling exhaust, it is usually ignored.

What you may not know is that a rich mixture causes several problems as well.

  • A rich mixture will send more unburned HC into the catalytic converter to be burned, which overheats and destroys the converter over time.
  • A rich mixture will foul spark plugs, reducing mileage even more and exaggerating the effect on the converter as more unburned fuel enters it.
  • A rich mixture causes carbon build-up in the cylinder, reducing the life of the piston rings and possibly causing them to stick.
  • While a rich mixture does lower combustion temperature, a rich mixture will wash oil from the cylinder walls, reducing lubrication and causing the oil that is washed off to be consumed.

Some things that can cause a rich mixture:

  • Bad fuel injectors (spraying a stream instead of a fog)
  • Bad O2 sensor (reading lean all the time, so ECM richens mixture unnecessarily)
  • Bad ECM, or running in open loop due to failure of some sensor needed for correct closed loop operation
  • Insufficient coolant (ECM does not go into closed loop)

Advanced timing also causes higher ignition temperatures and therefore greater oil consumption (in addition to detonation and a ruined engine if a knock sensor is not present).

This is also a good reason NOT to “warm up” a modern fuel-injected engine with a modern motor oil in it by idling it. Doing so simply prolongs the period when the engine is cold and running rich, and as such leads to oil consumption and contamination.

So if your engine is using oil and it’s not leaking externally, check the PCV valve, ignition timing, and rule out a rich mixture caused by bad fuel injectors, sensors or a clogged air filter, before tearing into the motor.

One way to check the mixture if no ECM code is present is to install a new O2 sensor and monitor its voltage after it is warmed up. The voltage should be around 0.7 volts. If you remove a vacuum hose, the voltage should dip to 0.3 volts or so. The injectors can be removed and serviced for $100-150 by mail order.

Oil Consumption and Bearings

It’s a well known fact that worn bearings lead to low oil pressure, wearing the rings which then allow oil consumption and allow more contamination into the crankcase, destroying the engine in a vicious cycle. Excessive bearing clearance is also partially responsible for that oil consumption. Worn bearings throw more oil up into the cylinder than the oil ring can dispense with, and the rest of the oil is burned. Then you have not only low oil pressure, but also dirty oil AND a low oil level to deal with.

So if you have a rod knock you’ve been ignoring, time to drop the oil pan and fix it right — before the bearing spins and repair of the engine becomes more difficult (requiring removal and cleaning of the engine, machining of the crank, and replacement of all bearings), the rod is thrown and repair of the engine becomes impossible, or the oil consumption and low oil pressure ruins the rings – replacing rings is an inexact science and best avoided when possible. Buy the correct size bearings (according to the stamps on the old bearings) and new rod bolts, then install the new bearings by cleaning the crankshaft, “clipping” the bearing into the interference fit grooves on the rod, applying oil, loctite, assembly lube, or nothing at all to the bolt threads as called for in the factory repair manual, and tightening the rod bolts to the correct final torque.

Sticking Rings

When people talk about “sticking rings” or “stuck rings”, be careful not to let the terminology confuse you. Stuck rings can actually refer to two events. The first is when an engine has been stored for a long time, and rust has set into the cylinders. The rings are “sticking” to the cylinder walls in this case, and the engine is seized. The best way to get this kind of engine loose is to soak with WD-40 or a penetrating oil, and attempt to turn the crankshaft by hand. When the rings come loose, they may or may not sustain damage; the only way to tell is to do a compression check. To prevent this kind of sticking rings, remove the spark plugs and spray WD-40 into the cylinders before storing.

The more common kind of stuck rings that happens in a motor that has been used even recently is that the rings themselves become stuck in the piston groove. The rings no longer seal against the cylinder wall because their “spring” is not allowed to expand against the cylinder wall. This happens when hard carbon and varnish build up on the rings. Once it has happened, there are several ways to address it. First, rule out all other sources of oil leaks, or oil burning in the head such as valve stem seals, worn valve guides, spark plug tube seals/o-rings, etc.

If the rate of oil consumption is relatively slow, try an ester motor cleaner like Auto RX. This is put into your oil and left in it for 1500 miles, then the oil is changed. It is a slow cleaner and may take two applications to demonstrate a difference.

If Auto RX did not help, or the rate of oil consumption is so fast that using Auto RX at $20 a bottle is uneconomical, then it is time for more drastic measures to get the rings unstuck. The motor cleaner used can be Marvel Mystery Oil, Seafoam, or even Automatic transmission fluid. Don’t use motor flush solvent (Kerosene) or fuel injector cleaner in the following procedures.

  • Remove spark plugs and add a small amount (teaspoons) of MMO, Seafoam, ATF, or Berryman B-12 to the cylinders. It is important that the engine is warm when you do this. Allow to sit for 30 minutes to two days. Crank the motor to spit cleaner out of cylinders, soaking it up with rags, then install spark plugs, allow the smoking to stop, and change the oil and filter. Repeat as necessary.
  • Alternately, the cleaner can be introduced through the brake booster vacuum hose with the engine warmed up, adding just enough through the hose for the engine to die. Wait 30 minutes, then start the engine, run it until the carbon burns off, and change the oil.
  • Change your oil every 1000 miles with 15W-40 diesel oil until the problem is solved. Before each oil change, add 1 qt MMO or ATF to oil, being careful not to overfill crankcase. Drive no more than 100 miles, allowing the motor to warm up completely for as long as possible. Change the oil and filter immediately. You can use a higher cleaner to oil ratio, but go easy on the engine if you do this. The oil in MMO is 3W and ATF is 7W, which does not provide much protection to the engine bearings, and if the filter is clogged, any suddenly loosened particles could clog the oil pickup.
  • Before each oil change, add several quarts of MMO, ATF, or Seafoam to a tank of fuel. Change oil when it becomes dark.

You can combine any of the above strategies, i.e. if you want to add MMO to the crankcase and Seafoam to the intake before changing oil, that is a good idea.

In order of solvent concentration (and reverse order of oil protection): Motor flush, Seafoam, MMO, ATF. When using a 75% oil/25% cleaner concentration in the crankcase, you want to be very careful not to load the engine when using flush, be “nice” to the engine when using Seafoam, and you can drive the engine as normal when using MMO or ATF. Some people fill and run the entire engine with MMO/ATF immediately before an oil change; do not under any circumstances rev or load the engine if you do this.
If you choose to use a kerosene motor flush product, it is important that you not allow the engine RPM to increase above idle or place a load on the engine, due to the risk of running the bearings dry. Solvents such as those contained in MMO, top end cleaners, and motor flush will cut through the oil film on bearings, so any oil starvation will then lead to a bearing failure.

To prevent rings from sticking in the future, use a good detergent motor oil such as Mobil 1, or even 15W-40 diesel oil — since it has more detergents to prevent coking in diesel engines — obey the oil and filter change intervals, fix any other sources of oil burning (such as worn valve stem seals and excessive rod bearing clearance) as soon as possible, and don’t allow your motor to run rich. Many motor oils claim that their detergent packages will gradually unstick rings, but if this is true at all, it is a much slower process than the above techniques.