Category Archives: Tips

Root on Verizon Galaxy S5 on NK2 Firmware

4 minutes, 19 seconds

After my S3 took a quick, but not quick enough, drink in the kitchen sink, I upgraded to an S5. It’s a really great phone. However, I had been running CyanogenMod 11 on my S3 and I missed all the perks of root access. I’ve rooted my S5, and it’s awesome. Here’s a write-up for those who want to know how to do it. In my guide below, I take a bit more time than some of the threads in XDA to describe each step, which will hopefully make it a bit more beginner friendly.

Rooting is always a bit of a risk and ***YOU SHOULD NOT DO IT UNLESS YOU ACCEPT THE RISK OF TURNING YOUR PHONE INTO A PAPERWEIGHT***. Also, though you already have a good backup system (right!?), ***BE SURE YOU HAVE A BACKUP OF YOUR DATA ON YOUR PHONE***. With those warnings out of the way, root was a snap following bdorr1105’s excellent write-up on xda developers. On top of it all, I had zero data loss as the root process doesn’t require you to reset Android, which was super handy.

Preparation:

  • Have a Windows machine and install Odin on it.
  • Double check you’re on NK2 baseband: Settings -> About Phone -> Baseband version -> last 3 characters are “NK2”.
  • Install the latest Samsung USB drivers on your Windows machine.
  • Download both G900V_NCG_Stock_Kernel.tar.md5 and NK2_Firmware_Only.zip to your Windows machine. Extract the NK2 zip file so it’s an md5 file (extracts to NK2_Firmware.tar.md5).
  • Have a micro USB cable
  • Allow unknown sources on your phone: Settings -> Security -> Unknown sources – checked
  • Read through all these steps and prep items. Ask questions *BEFORE* you start if you’re confused.
  • If you’ve never used Odin, maybe check out this YouTube video to see how it works. There’s a 1080p option, and you can really see exactly which buttons to click and what Odin looks like in action. Note: the steps in this video differ from mine and you shouldn’t follow the video’s steps; follow mine instead. The video is for NI2, not NK2.
  • Be patient. Don’t get frustrated!

At a high level, we’re going to be doing 4 things which I’ll label below broken into 12 steps:

  1. Prep root kit: Installing the towelroot root kit. Steps 1 and 2 below.
  2. Revert: Reverting back to the old NCG kernel/baseband which is vulnerable to a root kit. Steps 3 through 7 below.
  3. Root: Rooting the phone. Step 8 – just one easy step!
  4. Update: Updating back to the current NK2 kernel/baseband. Steps 9 through 12 below.

[Screenshot: Odin v3.09 configured and ready to install NI2 firmware.]

Now, the steps, again from the great guide that bdorr1105 wrote:

  1. Prep root kit A: Install Towel root to your phone. To download the APK, open Chrome and go to towelroot.com. Hold down on the big red lambda icon and choose “Save Link.” When you click the link in Chrome it creates an infinite redirect. If you click it in Firefox, it loads the text of the APK in the browser instead of saving the file :(.
  2. Prep root kit B: After the download, click the APK and install it. Also, add a shortcut of the towelroot APK to your phone’s home screen so that it’s easy to launch (more on this later).
  3. Revert A: Put your phone in Odin mode: hold down the power button and then choose “Restart.” When the phone turns off, hold down the power button, home button (button on front) and down volume at the same time. When prompted, choose to continue by pressing up volume.
  4. Revert B: Connect your phone to your laptop with the micro USB cable and launch Odin. If this is the first time you’ve connected your phone in Odin mode it might take a few minutes to find all the drivers. Possibly even longer. Be patient!
  5. Revert C: Once your phone shows up in Odin in the upper left in the ID:COM section (see screenshot), click the “AP” button and navigate to where you downloaded the “G900V_NCG_Stock_Kernel.tar.md5” file. Click “Start.” Your phone will show a progress bar on the screen, and then it will reboot. Once the Odin app says “PASS” in green, unplug your phone.
  6. Revert D: Your phone will reboot and update the apps. This will take a few minutes.
  7. Revert E: Once it’s done updating, your phone will be slow. A ton of apps will force close. This is expected. Click “OK” or “Close” to any dialogues that pop up.
  8. Root: Click on the towelroot icon we made on the desktop. Click “make it ra1n” and wait. Towelroot will confirm you have root.
  9. Update A: Restart your phone and hold down the down + power + home buttons. Press up to get into Odin mode again.
  10. Update B: Plug your phone in to the USB cable again. In the Odin app on your computer, press the “AP” button and select “NK2_Firmware.tar.md5”. Click “Start.” Your phone will show a progress bar on the screen, and then it will reboot. Once the Odin app says “PASS” in green, unplug your phone.
  11. Update C: Your phone will reboot and update the apps for a second time. This will take a few minutes, same as before.
  12. Update D: Go to the Play Store on your phone and install “SuperSU.” Open and choose to install SU. When prompted, choose “Normal” mode instead of “TWRP.” When prompted, disable Knox and reboot.

You’re done, congrats! You can install “Root Checker Basic” if you want to have warm fuzzies of seeing you have root. To clean up, go back into settings and uncheck “allow unknown sources” as well as uninstall towelroot. Google will flag this as an unsafe app and ask you to uninstall it anyway.

Trick to easily reload that Chrome App you’re developing

0 minutes, 30 seconds

I’m working on a Chrome app. Maybe you are too! Maybe you want to do the old view-the-app-command-tab-back-to-editor-make-quick-tweak-save-command-tab-back-to-the-app-and-want-to-quickly-reload thang? Maybe you can’t reload your app quickly, like a good ol’ web page with “command + R” (or “ctrl + R” on Windows)? Maybe you even saw that there’s a bug on file to fix this?

May I introduce the triple escape hack! If you add this snippet at the top of your app, all you need to do is hit the “esc” key 3 times and your app will reload:

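// Requires jQuery to be loaded in the app page.
var escCounter = 0;  // Esc presses seen since the app (re)loaded
$(document).keyup(function (e) {
    if (e.keyCode === 27) {  // 27 = Esc
        escCounter++;
        if (escCounter > 2) {
            // third press: restart the Chrome app
            chrome.runtime.reload();
        }
    }
});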

Feel free to salt to taste with other key combos!

Addendum to “Ashley’s Law”, problematic iMac VESA mounts and new desks

2 minutes, 29 seconds

I’ve been thinking recently about items you use a lot in life. For example, the internet thinks we sleep for 20+ years in our lifetimes[1][2]. As well, the internet suggests a person with a desk job will spend 80k hours sitting [3]. What does this mean? It means that you shouldn’t skimp on your mattress and your chair! In fact, you should buy the best mattress you can afford. Well…no, you should buy the best mattress on which you sleep well and should try to not be price conscious. Same for your chair and your desk. So if you recall Ashley’s Law said:

If you don’t have it, you can’t use it.
– Ashley Jones, 2011

So the addendum would be:

If you’re going to use an item for more than a 1/4 of your life, it should be a quality item you didn’t skimp on.
– Ashley Jones, 2013

The list of applicable items should be quantifiable! Despite having recently purchased not one, but two cars, I would say for most folks they don’t spend 1/4 of their lives in their cars. So, unless you’re a trucker, my advice is to not spend a lot of money on your car.

Speaking of this new addendum, I wanted to set up my iMac to be mounted on an articulated arm on my desk so it could be the perfect ergonomic height when I work on it for hours a day (8+). This would also give my desk those really clean lines with the monitors floating over the surface. Here’s my advice to those who want to also endeavour to have this setup:

  • The $115 Ergotron MX will indeed support a 2012 30lb, 27″ iMac[4]
  • Be sure to get the iMac VESA mount[5] and not the Cinema Display mount which is cheaper[6]
  • Read the instructions for your iMac VESA mount carefully.
  • Especially the warning after step 4. [Image: iMac VESA mount warning]
  • If you don’t follow this step and after you take off your iMac stand you see the VESA mount suck back into the dark depths of Mordor[7] otherwise known as the inside of your iMac, chill out. Go downstairs and grab a cold beer. Crack off that top, take a nice long sip.
  • Back with your beer? Great. Skip the top search result[7] which you find where they say you’ll have to disassemble your entire iMac and void your warranty to get your VESA mount back out:

    Hopefully you can fish the inner bracket back up and out the slot, because if not the iMac may have to be completely disassembled to recover it.

  • Take another sip of beer.
  • Check out the post waaaay down yonder in the search results. That’s right, the one with pipe cleaners[8]. See? You’ve got those supplies in your house to fetch that nasty guy back out. Here’s another variation that I came up with: [Two photos: VESA mount retrieval]

    Yes, that’s right, using some needle nose pliers, some picture hanging wire or whatever else you have around the house, you retrieve your precious and get back to setting up your desk.

After heeding my own addendum, following the wire cutter’s advice on standing desks[8] and recreating the “you can’t stump me, I’m the internet” solution to get my VESA mount back, I have a great desk set up that’s really quite nice. I highly recommend treating yourself right with the items you use the most:

[Photo: new desk setup]

Swappa.com is an awesome site to sell or buy Android phones

1 minute, 24 seconds

I recently discovered Swappa. This is a great site to sell or buy an Android phone. Why? First off they only sell good condition phones with clear ESNs. You won’t find any “only good for parts” deals here. As well, every phone posted for sale is verified by an actual employee at Swappa, so there are no scammers. Further, they have lower fees than eBay.

However, I take to the blawg-o-sphere today because of their amazing customer service. The other day my one year old and I were hanging out by our pool. When he thought I wasn’t looking, he jumped in (ok, fell in) the pool, face down. Only thinking of ensuring my son didn’t drown, I jumped in and pulled him out. Only afterwards did I remember my Galaxy SIII in my pocket. After a week of letting it bake in the sun and still no speaker or mic working, I deemed it dead.

I went to Swappa, found my replacement phone, and purchased it. It was easy to find the exact phone I wanted, which even came rooted and with CyanogenMod 10.1. The seller told me it would ship out the next morning.

On a whim I powered up my old, left for dead phone. Oh my gosh! It totally worked! I even stuck my SIM card in there and I could make calls with the speaker and mic working no problem.

I embarrassingly asked the seller and Swappa if I could back out of the sale. Both agreed to help me out. The seller refunded my money, keeping $20 at my request. Swappa even refunded my buyer’s fee, which I had said they could keep. This all took hours and was tended to by the same Swappa employee who had verified the phone for the initial sale. What service!

I could not give them a higher recommendation and plan on purchasing all my phones from them. You should too!

How much should you trust the cloud?

0 minutes, 57 seconds

Recently there was quite a bit of hubbub about Dropbox allowing everyone’s account to be accessed by anyone for 4 hours. This is bad, obviously. The guys over at Securosis got it right in their response. However, y’all should have known already to encrypt anything in the cloud if you were reading this here fine blog back in aught nine.

I clearly do not trust the cloud, or really, any services online (I also take issue with “the cloud” being synonymous with “online”). For the few online services I do use, I follow extremely good password practices. For example, my Gmail password is over 20 characters, which I don’t even know. Really, we should all be using two-factor authentication to really lock things down.

I’m still quite concerned with a scenario where Gmail is hacked site-wide (not per user phished or even “whaled”). There’s nothing you can do in this scenario to protect yourself. How expensive in time, and potentially, literal money, is it worth to have a free service like Gmail at the point it gets hacked? I’ve asked the same question myself and have even priced out other hosted, dedicated email services, free or no.

So, the point of this post is A) Nya nya, I told ya so and B) be safe!

Why should I cut up my credit card?

1 minute, 2 seconds

Recently, someone got a hold of my card and was making fraudulent charges on it. My card company was Johnny on the spot and called me to verify the charges (side note: I had no way of verifying they were who they said they were, so they did the right thing and told me to call the number on the back of my card. You can’t be too vigilant!). When I finally got a rep. on the line, they canceled my card and sent me out a new one. Done deal.

But then they tell you, “cut up your card”. Why? If the number was stolen and we’re de-activating it so it can’t be used again, why cut up the card? In fact, why would you ever cut up the card? I guess if you think that cutting up an active card will stop you from using it, then you should do a good job and cut it real good. But otherwise, I can’t think of a reason. My 5 minutes of googling didn’t find an answer either.

Do any of my faithful readers have an answer?

Update: There’s some good discussion below, but more notable is my comeuppance! After writing this post, I got not one, not two, but three copies of my new card. Now I have the need to trash three credit cards that are all not canceled. Oh the horror!

How to spam this blog

1 minute, 40 seconds

As a follow up to last week’s post (How to comment on this blog), this week I bring you the results of the no-captcha test.

After much spam slipping through reCAPTCHA, I decided to nix a captcha altogether. Originally I thought that just requiring a field via JavaScript and doing no server side checking would work. This was silly of me, of course. The spammers, having the source code of WordPress, would just blindly submit a comment to any post, bypassing any client side JS checks I had in place.

The fix was to create a field that was not known to spammers like the reCAPTCHA is. Further, if it is appended via JavaScript, then it is even harder to automate. I wrote the simple-math plugin (have a copy!) and implemented it as follows:

  • Turn off reCAPTCHA
  • Add a field via javascript
  • Ask a simple math question, validated in client side JS
  • Only validate that the field exists, not that the math is right, on the server side

The jury is in, and I’m fully vindicated. Here are the stats:

| | Hits | Comment Attempts | Comment Successes | Attempts per Visit | Defense Success Rate |
|---|---|---|---|---|---|
| Feb 6th-12th | 1191 | 57 | 17 | 4.79% | 70.18% |
| Feb 12 11pm – Feb 13 10am | 58 | 20 | 13 | 34.48% | 35.00% |
| Feb 13th-Feb18th | 1204 | 132 | 0 | 10.96% | 100.00% |


The important thing to note is twofold. The first is that the average number of raw hits (excluding me, yahoo and google) was the same week to week. Further, the number of attempts went up 200% of which 100% were thwarted (Defense Success Rate). Again, I suspect this is all possible because it’s not easy, nor worthwhile (it’s OK, plip isn’t a big blog, I know…sniff) to automate spamming against one-off solutions like mine.

I should note that I used the free version of Splunk to garner the ad hoc stats for this post. As I was hemming and hawing on whether to count cookies or IPs or hits, it wasn’t worthwhile to use the old school command line style stats. Splunk scoffs at this level of stats and reporting. Really, it’s above it, but will happily crank out what you ask for it with ease. Here’s a purty graph:

Caveat Emptor: I work at Splunk.

How to comment on this blog

1 minute, 20 seconds

It seems that reCAPTCHA is a victim of its own success. Y’all know I’m a huge, huge fan. However, recently the spammers have started to submit comments, successfully getting past the reCAPTCHA. I suspect this is a mechanical turk or some such tomfoolery. Of course the comments don’t get approved, but they’re still a bother to have to delete.

Our friend over at hanskellner.com (guess which friend?) also has the same problem with submitted spam. This makes it clear that reCAPTCHA is being targeted (well, not clear, but it’s better than n=1!). However, he found a solution to stop the spammers. He added a static math question to his comment form. That is, it’s always “what is 5 + 6”, never any other question. Funny enough, his spam stopped altogether. He still has his reCAPTCHA going, but now it’s a two-factor anti-spam.

I posit that the reCAPTCHA code is easy enough to programmatically detect, but some random math question isn’t, so it breaks the spam scripts. Let’s test this theory, shall we? I’ve just written a WordPress plug-in called simple-math. Using simple-to-hack, all-client-side JavaScript, there’s now an easy-to-solve math problem on the comment form. It is random, choosing two numbers between 0 and 9. I haven’t tested it too broadly, but you’re welcome to a copy.

I’ll let it run for a week and see how it goes and report back.

Feb 13th Update: I fought the law, and the law won! Spammers got past round one of simple math. I’ve updated it to now check for the existence of the field on post, but still, no checking for a right answer on the server. As well, the field is created via JavaScript. Spammers, back to you for round 2.
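The server-side rule described in this post and in “How to spam this blog” (check only that the JavaScript-added field exists), shown beside a variant that also verifies the answer on the server. This is an added example, not the simple-math plugin's code; the field names, the HMAC token scheme and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example (not the simple-math plugin's code): the presence-only server
// check from the post beside a variant that verifies the answer server-side.
const crypto = require('crypto');

const ANSWER = 'simple_math_answer';  // hypothetical field names
const TOKEN = 'simple_math_token';

// Rule from the post: accept the comment if the JS-added field exists at all.
function presenceOnlyCheck(form) {
  return Object.prototype.hasOwnProperty.call(form, ANSWER);
}

function sign(secret, a, b, expires) {
  return crypto.createHmac('sha256', secret)
    .update(`${a}|${b}|${expires}`).digest('hex');
}

// Server picks two numbers between 0 and 9 and signs them with an expiry, so
// it can check the answer later without storing per-visitor state.
function issueChallenge(secret, nowMs, ttlMs = 600000) {
  const a = crypto.randomInt(0, 10);
  const b = crypto.randomInt(0, 10);
  const expires = nowMs + ttlMs;
  return { a, b, token: [a, b, expires, sign(secret, a, b, expires)].join('.') };
}

// Hardened rule: token authentic, not expired, and the sum is right.
function verifiedCheck(secret, form, nowMs) {
  const parts = String(form[TOKEN] || '').split('.');
  if (parts.length !== 4) return false;
  const [a, b, expires] = parts.slice(0, 3).map(Number);
  if (![a, b, expires].every(Number.isInteger)) return false;
  const want = Buffer.from(sign(secret, a, b, expires), 'hex');
  const got = Buffer.from(parts[3], 'hex');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return false;
  }
  if (nowMs > expires) return false;
  const answer = String(form[ANSWER]);
  return /^\d{1,2}$/.test(answer) && Number(answer) === a + b;
}

// Constructed sample submissions run through both rules.
function demo() {
  const secret = 'constructed-demo-secret';
  const c = issueChallenge(secret, 0);
  const samples = {
    blindPost: { comment: 'constructed spam' },                // field never added
    fieldOnly: { comment: 'constructed spam', [ANSWER]: '' },  // field sent, no answer
    wrongSum: { comment: 'hi', [ANSWER]: String(c.a + c.b + 1), [TOKEN]: c.token },
    solved: { comment: 'hi', [ANSWER]: String(c.a + c.b), [TOKEN]: c.token },
  };
  const results = {};
  for (const [name, form] of Object.entries(samples)) {
    results[name] = {
      presenceOnly: presenceOnlyCheck(form),
      verified: verifiedCheck(secret, form, 1000),
    };
  }
  return results;
}
```

A signed token can be replayed until it expires, so keep the lifetime short or remember tokens that have already been used.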

Meego Redux: 1.1 Released

1 minute, 33 seconds

If you recall, I fell in love with Meego a bit ago. Then, we broke up, and I left Meego for Ubuntu Netbook Remix (UNR). Guess what? Yup, just like the title of this post suggests, I’m back to Meego. Yesterday was their 1.1 release and the netbook flavor with Chrome is ready for the Live USB Key, easy install testing. I skipped over the live USB thing and cut right to the chase to install it over UNR.

I went to go install some of the key apps that I use and bumped into a few problems. I’ll sketch ’em out here in case any one else is an early adopter like me:

  • No more yum: Well, yum is still available to install, but it’s not there by default. Instead the fine folks at Meego are shipping Zypper. Works just the same, but for the not so distro savvy nerds like me, I had to search around in the forums to figure out what was what. Thanks physalis!
  • KeepassX: The next problem I found was that KeepassX’s download page had 404 links for the Fedora packages. When I found that the Fedora 12 page DIDN’T 404, I downloaded THAT version of KeepassX. Welp, that version didn’t like the current version of QT that ships with Meego. Finally, I searched around and found a slightly out of date version at hany.sk.
  • Dropbox: Nothing really tricky here. Their download page has a “Fedora (x86 .rpm)” package. For both KeepassX and Dropbox, it looks like this to install it:
    sudo zypper install nautilus-dropbox-0.6.4-1.fedora.i386.rpm

For those keeping tabs, I did do a write up on configuring Meego mail and calendar which appears to all be the same in 1.1 as it was in 1.0. At first blush, it seems a little tricky to set up with Google Apps, where plip.com’s mail is, but we’ll hack away.

Next up: Installing Skype. Happy Meego-ing!

Update: Skype installed no problem, and QT warning seems to be around fonts. A forum tip around font hinting worked wonders to make Skype and KeepassX look sharp (actually, look anti-aliased).

Wayback machine, privacy and old plip.com

1 minute, 16 seconds

This post is a short parable told in three lessons:

Lesson 1: The web is not as temporal as you might think!

Recently a co-worker was travelling and was unable to access her work based email. Instead, she directed folks to email her at her personal email. Being a curious fellow, I clicked over to her personal site to see what she had to say. All I found was “Site in progress, check back later” and a link to a very outdated resume. Well, that’s just no fun! Enter the wayback machine! Using this fine site, I was able to see all the text, photos and links she had long since redacted. The wayback machine never forgets, so don’t you forget that.

Lesson 2: Robots.txt can pull Jedi mind tricks.

A natural response to seeing the archive of other sites is to see what dirt folks might find out about me via the same method. Sure enough, there’s some good stuff! However, the more interesting fact I learned is that my robots.txt of today redacted the archive.org copy of yesterday! This is cool! A while ago I took down my resume and some older, more personal content and as well took a sec to make some broad strokes of what search engines shouldn’t index. It was these actions that archive.org took note of. With a wave of my robots.txt hand, indeed these are not the pages you’re looking for.

Lesson 3: The wayback machine is way cool.

Ok, this parable kinda peters out right about here, but still, the wayback machine is way cool. Check out the rad looks plip.com has had over the years! Hrm, maybe that should be “rad”. You decide.