apt-get install pcscd opensc libengine-pkcs11-openssl

The following NEW packages will be installed:
  libengine-pkcs11-openssl libp11-0

If your smartcard reader is not supported by pcscd, you should install the openct package in addition to the packages above. You can then run pcscd on top of openct.
After installing these programs, we need to configure pcscd to correctly use our reader. Configure /etc/opensc/opensc.conf to use the pcscd method, search for reader_drivers inside the app default stanza of the config file and modify this to:

reader_drivers = pcsc;

For CCID compatible readers without openct installed, the reader should be visible after plugging in the reader into the USB port:

Readers known about:
Nr.    Driver     Name
0      pcsc       Gemplus GemPC Key 00 00

If the card reader is not directly supported by pcscd (but is supported by openct) we need to configure /etc/reader.conf.d/openct, a config file of pcscd, to use OpenCT as the input method, for this the file should contain:

FRIENDLYNAME     "OpenCT"
DEVICENAME       /dev/null
LIBPATH          /usr/lib/openct-ifd.so
CHANNELID        0

after modifying this file on Debian (on non-Debian systems you’ll probably have to modify /etc/reader.conf directly) we have to run:

update-reader.conf

which creates a new /etc/reader.conf. Now stop and restart openct and pcscd in the following order:

/etc/init.d/pcscd stop
/etc/init.d/openct restart
/etc/init.d/pcscd start

When everything went OK, you should see a pcscd based reader using opensc-tool:

opensc-tool -l

Readers known about:
Nr.    Driver     Name
0      pcsc       OpenCT 00 00

Add user to “scard” group in /etc/group and log in again to have the permissions to access the card. This is necessary if you want to use a reader provided by openct without going through pcscd.
If all else fails, you can still use openct without pcscd and set reader_drivers in /etc/opensc/opensc.conf to:

reader_drivers = openct;

Then a reader should be visible like this:

opensc-tool -l

Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO 64k
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)

Now we should be able to read the card, if there is only one token in the USB port and no other smartcard readers are installed, we can leave out the -r option (for specifying the reader to use):

cardos-info

3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75
Info : CardOS V4.2B (C) Siemens AG 1994-2005
Chip type: 123
Serial number: 27 37 c0 09 2b 18
Full prom dump:
33 66 00 45 CB CB CB CB 7B FF 27 37 C0 09 2B 18 3f.E....{.'7..+.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.9 (that's CardOS M4.2b)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 1024
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 27686
System keys: PackageLoadKey (version 0xfe, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:

1.   Using Java-based Smartcards
Java-based smartcards need some preparation to work with OpenSC. First you should make sure that you have a card that permits you to upload your own applet (cardlet) to the card. This usually means you need a so-called developer version. Avoid cards that have a proprietary manufacturer applet in read-only memory! You also usually need some development keys to upload a cardlet to the card.
For the following instructions I’ve used the Gemalto TOP IM FIPS CY2 (Cyberflex Access 64k v2) which is an old card that has a Java virtual machine version 1.1 from 2001 (!) but the card is well established and will probably be available for some time.
For the card reader I’ve used the Gemalto USB Shell V2 (GemPC Key), a CCID compatible reader. When buying a new reader, you should use one that follows the CCID specification from the PC/SC Workgroup, this ensures that OpenCT will support it. The card reader I’m using can read ID-000 format cards, also called SIM cards. These are small form-factor cards that are nice for authentication purposes. The Cyberflex card I’m using is available in ID-000. If a card isn’t available in ID-000, chances are you can make it fit using a service similar to this SIM cutting service.
Preparing the card for use with OpenSC is a two-step process. The first step is to obtain the necessary applet for the card. The second is to upload the applet to the card and initialize the card with a default PIN. Note that 2048 bit keys may not work with MCardApplet with the current software versions, see Some notes on key sizes.

1.1.   Obtaining the MCardApplet for your card
I recommend building your own version of the applet from source. Get the source code from svn://svn.debian.org/muscleplugins/trunk/MCardApplet using the source code control tool subversion:

svn co svn://svn.debian.org/muscleplugins/trunk/MCardApplet

I had to make several changes to use Java 1.6 for cross-building for the ancient Java VM that runs on the card. My Cflex.properties looks like this:

CARD_NAME=Cflex
JAVA_BUILD_HOME=/usr
JC_HOME=${basedir}/depends/jc212
API_JAR=${JC_HOME}/lib/api21.jar
API_EXPORT_FILES=${JC_HOME}/api21_export_files
CAPTRANS=${basedir}/depends/jc212/bin/captransf.jar
VM_SOURCE_VERSION=1.2
VM_TARGET_VERSION=1.1
BOOTCLASSPATH=${basedir}/depends/jdk1.2.2/depends/jdk1.2.2/lib

In particular, I’m using the native java environment installed on debian lenny. This lives in /usr. Otherwise you should follow the excellent building instructions in the file INSTALL. Then I’ve modified the javac in the target named compile in the common.xml ant build file as follows:

<target depends="precompile" name="compile">
    <mkdir dir="${OUTPUT_DIR}"/>
    <javac debug="on"
        verbose="on"
        fork="true"
        executable="${JAVA_BUILD_HOME}/bin/javac"
        srcdir="${APPLET_SRC}"
        destdir="${OUTPUT_DIR}"
        target="${VM_TARGET_VERSION}"
        source="${VM_SOURCE_VERSION}">
        <bootclasspath>
            <pathelement location="${BOOTCLASSPATH}"/>
        </bootclasspath>
        <classpath>
            <pathelement location="${API_JAR}"/>
            <pathelement location="."/>
            <pathelement path="${java.class.path}"/>
        </classpath>
    </javac>
</target>

I’ve added the target and source options. These refer to the specific java virtual machine version we’re cross-building for. I’ve also added the bootclasspath to get the classes that are VM specific from the old java development package.
This allows me to cross-build the applet for an old version of the java virtual machine without running the old java development environment which does no longer run on recent versions of Linux due to library incompatibilities.
I also had to change all the backslashes in common.xml to forward slashes. It looks like the java compiler can handle the backslashes in path names, but the other tools cannot.
Before building you should also look through CflexCapabilities.properties for any capabilities you want to enable which are not enabled in the default configuration. I had to enable -DWITH_RSA_2048 and -DWITH_SIGN for example.
For the impatiant I’m offering a pre-compiled version of the applet. I’ll update this text with the build instructions soon.

1.2.   Uploading the applet to the card
As a preparation for this step, you should install the pcsc daemon and the pcsclite development packages on debian:

apt-get install pcscd libpcsclite-dev

For uploading the applet to the card, I recommend using gpshell, a tool from the globalplatform project which depends on the globalplatform library. Unfortunately these are not yet packaged as Debian packages, so obtain the sourcecode to both, gpshell and the globalplatform library . Unpack these packages and build using the normal process:

./configure
make
make install

For the globalplatform library you need the development libraries for libpcsclite, available as the Debian package libpcsclite-dev which should be installed before the ./configure step above.
If you installed the globalplatform library without root privileges, you have to run ldconfig as root to make the new library available in the shared library cache.
Check that your smartcard services are running (see above for how to do that) and verify that you see your card reader (or token) using:

opensc-tool -l

The gpshell tool interfaces to the card via pcscd, so you should see something similar to the following:

Readers known about:
Nr.    Driver     Name
0      pcsc       Gemplus GemPC Key 00 00

Now we can proceed to upload the applet using gpshell. We need the following applet upload gpshell script, put this into the file applet_install.gpshell, note that lines terminated with “\” need to be concatenated, gpshell currently doesn’t understand continuation lines:

enable_trace
establish_context
card_connect
select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 \
   -mac_key 404142434445464748494a4b4c4d4e4f \
   -enc_key 404142434445464748494a4b4c4d4e4f
delete -AID a00000000101
delete -AID a000000001
delete -AID a0000003230101
delete -AID a00000032301
install_for_load -pkgAID a000000001 -nvCodeLimit 16000 \
   -sdAID a000000003000000
load -file CardEdgeCflex.ijc
install_for_install -instParam 00 -priv 02 -AID a00000000101 \
   -pkgAID a000000001 -instAID a00000000101 -nvDataLimit 32000
card_disconnect
release_context

and run the script with gpshell:

gpshell applet_install.gpshell

Finally we will have to set a default PIN for the card using opensc-tool:

opensc-tool -s 00:A4:04:00:06:A0:00:00:00:01:01 -s \
B0:2A:00:00:38:08:4D:75:73:63:6C:65:30:30:04:01:08:\
30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:\
05:02:08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:\
30:30:30:00:00:17:70:00:02:01

This sets the PIN to eight zeros, “00000000″. After this procedure the card can be used like a normal PKCS#15 based card with OpenSC.

1.2.1.   Some notes on using the gpshell script with other cards
Many of the magic numbers in the gpshell script depend on the card in use and on the applet that is uploaded. An AID is an applet-ID. The open_sc command has nothing to do with OpenSC, but opens a secure channel to the card. The parameters are the developer keys of the card. In our example, the key is used twice and the hex-bytes denote the string:

@ABCDEFGHIJKLMNO

The AID used for the secure channel is different for other brands of cards. I was able to find out this AID using the following AID gpshell script:

enable_trace
establish_context
card_connect
open_sc -security 1 -keyind 0 -keyver 0 \
   -mac_key 404142434445464748494a4b4c4d4e4f \
   -enc_key 404142434445464748494a4b4c4d4e4f
get_status -element 80
card_disconnect
release_context

This displays for the Gemalto TOP IM FIPS CY2:

List of applets (AID state privileges)
a000000003000000        7       0

The delete commands remove older versions of the applet — there also was a version that had another applet ID — from the card before uploading the new version. Think of the applet living in a package named a000000001 and the applet named a00000000101. The install_for_load command establishes the package inside the a000000003000000 package. Then the install_for_install command installs the applet into non volatile memory after upload.
Note that these numbers are hard-coded into the applet that is being uploaded. This is defined during compile-time and for the MCardApplet this can be configured in the common.xml ant-file. When packaging the compiled java classes, the build process generates .cap files which contain the applet ID in binary format, notably the Applet.cap file contains the AID of the applet.
So if these numbers are changed when building a custom applet, be sure to adapt the upload commands, too. A warning here: All tools that depend on the MCardApplet expect the given AID, so changing the AID would incur a change of all tools or at least their configuration.

2.   OpenVPN Preparation: Step by step process with high-level tool
This section describes how to initialize a token, create a user key and certificate using tools that come with OpenVPN. This was only tested on Linux since the certificate handling scripts for OpenVPN are more advanced on Linux.
I had to patch the pkitool of OpenVPN to use the pkcs15-init command instead of the pkcs11-tool command for initializing the token and creating keys. The reason is that Aladdin limits their tokens to use one key for only one purpose (encryption or signing). The pkcs15-init command allows the specification of the key purpose while the pkcs11-tool command does not.
In the following we assume you are in the easy-rsa directory of OpenVPN, and you have initialized the configuration by reading the configuration in vars. It’s also always a good idea to have a backup of all the OpenVPN keys before starting.
Initializing the token for first use (or re-using an already formatted token) THIS DESTROYS ALL DATA ON THE TOKEN:

./pkitool --pkcs15-init 0 "Thomas Mustermann"

New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

If the token was already initialized, the procedure would also ask for the old password.
Now we can check that everything worked, by looking at the PINs:

pkcs15-tool --list-pins

Now we can proceed to generate a key pair and a certificate, this takes a long time:

./pkitool --pkcs15 /usr/lib/opensc-pkcs11.so 0 45 "user cert" client27

When everything went OK, we should be able to display keys, public keys, and certificates on the token:

pkcs15-tool --list-keys
pkcs15-tool --list-public-keys
pkcs15-tool --list-certificates

3.   What is needed for Windows
I’ve first installed the latest OpenVPN installer, only this package has the necessary TAP network driver for Linux. Only the TAP driver needs to be installed.
I’ve used a compiled version of OpenVPN that comes bundled with OpenSC from the binary windows repository, I’ve used the latest

opensc-i686-w32-mingw32-007-*.*

files (from Oct 2009). For 64bit Windows (AMD64) the

opensc-x86_64-pc-mingw32-003*.*

files should be used. Everything unpacked from these files should be installed to

C:\Programs\OpenVPN

I’ve also created a configuration directory under that directory called config. In config there are the necessary certificates (root ca) and hash keys and the client.ovpn configuration file.
When using my OpenVPN admin script, Python for windows from python.org and the Python WIN32 package are needed. In addition my rsclib library needs to be installed. For installing rsclib, unpack the .zip file and run:

setup.py install

from a command prompt. The admin script in pyovpn.zip has the same installation procedure.
After installing everything, basic working of the smart card can be verified with the OpenSC tools:

opensc-tool -l
cardos-info
pkcs15-tool --list-certificates

3.1.   Aladdin Token
For using the Aladdin eToken with Windows, the smart card tools of the manufacturer have to be installed — these include the driver for accessing the tokens. I’ve used:

PKIClient-x32-5.00.msi

from

eToken PKI Client 5.0 SP1 Windowsx32.zip

3.2.   Gemalto USB Shell Token V2
The driver for the Gemalto USB Shell Token reader can be downloaded free of charge from the Gemalto website.

4.   Using OpenVPN with SmartCard
OpenVPN uses a PKCS#11 provider library, on Debian this is /usr/lib/opensc-pkcs11.so, to access the smart card. We can show which certificates are on the card by issuing:

openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
      DN:             /C=AT/ST=AT/L=Weidling/ ...
      Serial:         03
      Serialized id:  OpenSC\x20Project/PKCS\x20 ...

Now OpenVPN can be started with the smartcard. I’m using the following additional config entries for OpenVPN — pkcs11-providers is set to the path of the PKCS#11 provider library:

pkcs11-providers "/usr/lib/opensc-pkcs11.so"
pkcs11-id-management
management 127.0.0.1 4711
management-query-passwords
management-hold

For Windows the provider library becomes (assuming the OpenSC tools where installed to C:ProgramsOpenVPNbin):

pkcs11-providers "C:\\Programs\\OpenVPN\\bin\\opensc-pkcs11.dll"

The other parameters are the same as for other operating systems.
Note also that the askpass option of OpenVPN does not work for querying the token password. In my experiment I had to give the token password to OpenVPN via the management interface using the config option management-query-passwords.
This configuration tells OpenVPN to open the management interface on Port 4711 of localhost. It will ask for the passphrase of the Aladdin token on that port. Additionally we wait (management-hold) until a management program has opened the management interface and told OpenVPN to proceed.
The pkcs11-id-management tells OpenVPN to accept the pkcs11-id to use via the management interface. With a little intelligence in the management interface we can avoid having the pkcs11-id in the configuration file (which would then be different for each user).
OpenVPN can be asked via the management interface about a listing of all pkcs11-ids. If there is only one certificate on the card, we feed the id of the only certificate back to OpenVPN when it asks about the pkcs11-id. This can be done without user intervention.
Unfortunately the feature that OpenVPN can ask the smartcard for all the certificates depends on the Token being present when OpenVPN is started. An alternative is to specify the pkcs11-id` directly in the configuration file. If this is specified, the management interface will ask for the token if it isn’t present when starting OpenVPN. The parameter to the pkcs11-id config parameter is the Serialized id from the command output above.
Since I have not found any graphical user interface programs for OpenVPN that can deal with asking the user for the token passphrase, I’ve written a little command-line python script which can be run on both, Windows and Linux, and will ask the user to insert the token and specify the token passphrase.
OpenVPN can be started with the script by issuing the command:

pyovpn

in a command prompt window. The command will start openvpn and proceed to ask for necessary token passwords.

4.1.   Low-level usage of the management interface
With the management-query-passwords option, OpenVPN will ask the password from the management interface. After starting the OpenVPN daemon and connnecting to the managment interface on the defined port (e.g., using telnet) we see the following message:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>PASSWORD:Need 'OpenSC Card (New User) token' password

The password can then be entered using the password command of the managment interface:

password 'OpenSC Card (New User) token' sehrgeheimespasswort

OpenVPN answers with:

SUCCESS: 'OpenSC Card (New User) token' password entered, but not yet verified

5.   Key Revocation
Revoke a certificate:

openssl ca  -config $KEY_CONFIG -revoke keys/02.pem

(re-) generate key revocation list (CRL):

openssl ca  -config $KEY_CONFIG -gencrl -out keys/crl.pem

6.   OpenVPN Preparation: Step by step process with low-level tools
This section describes the low-level tools as used by the patched pkitool from OpenVPN. It does not create a certificate with OpenSSL. This is for documentation purposes only (to understand what goes on behind the scenes) and was my first approach to getting started with OpenSC.

• Erase the card — if you already have a Security Officer PIN installed, you need this for erasing the card:

  
  pkcs15-init -E
  

• Create PKCS#15 structure (option –no-so-pin specified not to create security officer PIN and user PUK) on the card — note that the keys need to be between 6 and 8 characters long and should be numeric if you intend to use a keypad for key-entry (which applies mostly to smartcards not to USB tokens). Also note that if you omit –no-so-pin you should keep the Security Officer PIN secure — only with it can the token be re-formatted:

  
  pkcs15-init --create-pkcs15 --no-so-pin
  

  New Security Officer PIN (Optional - press return for no PIN).
  Please enter Security Officer PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional - press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  

• The steps above can be rolled into one command:

  
  pkcs15-init -E --create-pkcs15 --no-so-pin
  

• Add an authentication (user) ID to the token with corresponding PIN and PUK:

  
  pkcs15-init --store-pin --auth-id 01 --label "User Name"
  

  New User PIN.
  Please enter User PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional - press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  

• Check that everything worked, by looking at the PINs:

  
  pkcs15-tool --list-pins
  

  PIN [Security Officer PIN]
      Com. Flags: 0x3
      ID        : ff
      Flags     : [0xB2], local, initialized, needs-padding, soPin
      Length    : min_len:6, max_len:8, stored_len:8
      Pad char  : 0x00
      Reference : 1
      Type      : ascii-numeric
      Path      : 3f005015
  
  PIN [User Name]
      Com. Flags: 0x3
      ID        : 01
      Flags     : [0x32], local, initialized, needs-padding
      Length    : min_len:4, max_len:8, stored_len:8
      Pad char  : 0x00
      Reference : 3
      Type      : ascii-numeric
      Path      : 3f005015
  

• Now we can generate an RSA key on the card. Note that we could also import a PKCS-12 key onto the card, but the more secure option is to let the card generate the key (so the key will never be available outside the card). The split-key option actually generates two key-pairs, one for encryption and one for signing. There are some labelling options to attach names to the generated keys but these aren’t needed if you want only one key. You could specify an application profile with the –id option, if this isn’t given the default ID 45 (authentication purposes) is used. The command will ask for the Security officer PIN, then for the User PIN, then again for the Security officer PIN (!):

  
  pkcs15-init --generate-key rsa/2048 --auth-id 01 --split-key
  

  Note that with Java smartcards the keysize 2048 might not work with the current version of the tools, see Some notes on key sizes.

• Now we can verify that the key was actually stored on the card:

  
  pkcs15-tool --list-keys
  

  Private RSA Key [Private Key]
      Com. Flags  : 3
      Usage       : [0x4], sign
      Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
      ModLength   : 2048
      Key ref     : 16
      Native      : yes
      Path        : 3f005015
      Auth ID     : 01
      ID          : 45
  

• List public keys:

  
  pkcs15-tool --list-public-keys
  

  Public RSA Key [Public Key]
      Com. Flags  : 2
      Usage       : [0x4], sign
      Access Flags: [0x0]
      ModLength   : 2048
      Key ref     : 0
      Native      : no
      Path        : 3f0050153048
      Auth ID     :
      ID          : 45
  

• For the following steps we will need a minimum openssl config file:

  
  openssl_conf            = openssl_init
  
  [ openssl_init ]
  engines                 = engine_section
  
  [ req ]
  default_bits            = 2048
  default_keyfile         = privkey.pem
  distinguished_name      = req_distinguished_name
  
  [ req_distinguished_name ]
  countryName                     = Country Name (2 letter code)
  countryName_default             = AT
  countryName_min                 = 2
  countryName_max                 = 2
  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Austria
  localityName                    = Locality Name (eg, city)
  localityName_default            = Vienna
  0.organizationName              = Organization Name (eg, company)
  0.organizationName_default      = example.com
  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default  = IT-Department
  commonName                      = Common Name (eg, server\'s hostname)
  commonName_max                  = 64
  emailAddress                    = Email Address
  emailAddress_max                = 40
  
  [ engine_section ]
  pkcs11 = pkcs11_section
  
  [ pkcs11_section ]
  engine_id = pkcs11
  dynamic_path = /usr/lib/engines/engine_pkcs11.so
  MODULE_PATH = /usr/lib/opensc-pkcs11.so
  init = 0
  

• Generate a certificate request (CSR) from this key using openssl:

  
  CLIENT=newclient
  openssl req -days 3650 -new -out $CLIENT.csr -config openssl.cnf \
    -engine pkcs11 -keyform engine -key 0:45 -sha1
  

  This will ask for all the certificate parameters. Alternatively these can be specified using the -subj option of openssl (this is broken into several lines but should be assembled into one line) with the following parameter:

  /C=AT/ST=Austria/L=Vienna/O=example.com/OU=IT-Department
  /CN=$CLIENT/emailAddress=user@example.com
  

• You can view the contents of the CSR using:

  
  openssl req -in $CLIENT.csr -noout -text
  

• Now sign the certificate request with whatever tools you are using. With the pkitool of OpenVPN this would become (after having copied the certificate request newclient.csr to the keys directory):

  
  pkitool --sign newclient
  

  The message about not being able to access newclient.key can be ignored.

• You may want to delete old certificates from the token:

  
  pkcs15-init --delete-objects cert --id=45
  

• Then import the new certificate onto the token:

  
  pkcs15-init --store-certificate newclient.crt --id=45
  

• Reading a certificate from the token and output with openssl:

  
  pkcs15-tool --read-certificate 45 | openssl x509 -noout -text
  

6.1.   Some notes on key sizes
Using 2048 bit keys should generally be possible with newer cards. I had some problems with these key sizes using my Java smartcard, though.
After uploading the applet to the card, it is possible to create a key with either 1024 or 2048 bit. This indicates that the card is able to handle the large keysize. When trying to generate a CSR using openssl the command failed with:

[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: No precise diagnosis
[opensc-pkcs11] muscle.c:745:msc_compute_crypt_process: returning with:
                Card command failed
[opensc-pkcs11] muscle.c:840:msc_compute_crypt: returning with:
                Card command failed
[opensc-pkcs11] card-muscle.c:749:muscle_compute_signature:
                Card signature failed: Card command failed
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with:
                Card command failed
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature:
                sc_compute_signature() failed: Card command failed
20808:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
conf_lib.c:329:group=req_attributes name=unstructuredName_min
20808:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
conf_lib.c:329:group=req_attributes name=unstructuredName_max
20808:error:8000A005:Vendor defined:PKCS11_rsa_sign:General Error:
p11_ops.c:97:
20808:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:
a_sign.c:276:

Worse, after reinitializing the card in this state with:

pkcs15-init -E --create-pkcs15 --no-so-pin
pkcs15-init --store-pin --auth-id 01 --label "User Name"

and trying to generate a smaller key, this fails with:

pkcs15-init --generate-key rsa/1024 --auth-id 01 --split-key

[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=03
[pkcs15-init] muscle.c:557:msc_generate_keypair: returning with:
              Card command failed
[pkcs15-init] card.c:678:sc_card_ctl: returning with:
              Card command failed
[pkcs15-init] pkcs15-muscle.c:272:muscle_generate_key:
              Unable to generate key
[pkcs15-init] pkcs15-muscle.c:273:muscle_generate_key: returning with:
              Card command failed
Failed to generate key: Card command failed

I was able to fix this by re-downloading the applet onto the card. This also happens the other way round, when generating a 1024 bit key first and trying — after reinitializing the card with pkcs15-init — to generate a 2048 bit key.
So I recommend to stick with 1024 bit keys with the current software versions (debian lenny).

PGAPy ist ein Python-Wrapper für PGAPack, eine der vollständigsten Bibliotheken für genetischen Algorithmen. Die Python-Bibliothek eignet sich für eigene Experimente mit genetischen Algorithmen, aber auch für die Implementierung von kompletten Anwendungen.

Der Vortrag gibt eine kurze Einführung in genetischen Algorithmen mit Beispielen in Python. Vorgestellt wird u.a. ein Programm zum automatischen Erzeugen der bekannten Sudoku Zahlenrätsel. Dabei wird schrittweise die Bewertungsfunktion für ein Sudoku entwickelt.

Debian FreeTDS packages

• freetds-common – configuration files for FreeTDS SQL client libraries: NEEDED
• freetds-dev – MS SQL and Sybase client library (static libs and headers)
• gda2-sybase – FreeTDS backend plugin for GNOME Data Access library for GNOME2
• libct4 – libraries for connecting to MS SQL and Sybase SQL servers, needed only for sqsh for testing, gets automatically installed with sqsh.
• libdbd-freetds – Freetds database server driver for libdbi
• libsybdb5 – libraries for connecting to MS SQL and Sybase SQL servers
• sqlrelay-freetds – SQL Relay FreeTDS (Sybase and MS SQL Server) connection daemon
• sqsh – commandline SQL client for MS SQL and Sybase servers depends on libct4: Good for testing
• tdsodbc – ODBC driver for connecting to MS SQL and Sybase SQL servers “This package includes the ODBC driver for FreeTDS, for use with UnixODBC or iODBC.”: NEEDED

FreeTDS Needs either unixodbc or iodbc, both are ODBC implementations for Linux/Unix. Asterisk is built against unixodbc.
iodbc packages:

• iodbc – GTK+ config frontend for the iODBC Driver Manager
• libiodbc2 – iODBC Driver Manager
• libiodbc2-dev – iODBC Driver Manager (development files)

unixodbc packages:

• unixodbc – ODBC tools libraries depends on odbcinst1debian1: NEEDED
• unixodbc-bin – Graphical tools for ODBC management and browsing
• unixodbc-dev – ODBC libraries for UNIX (development files)

common packages for debian:

• odbcinst1debian1 – Support library and helper program for accessing odbc ini files: NEEDED

Asterisk depends on unixodbc which should be already installed, so we install the following packages (ignoring any warnings about already-installed packages):

apt-get install unixodbc sqsh tdsodbc

Other Software using ODBC

• Python seems to have its own access module for MS-SQL:
  python-pymssql – Python database access for MS SQL server and Sybase

Configuraton for Asterisk Logging

• /etc/freetds/freetds.conf

  
  [global]
          # TDS protocol version
  ;       tds version = 4.2
  
          # Whether to write a TDSDUMP file for diagnostic purposes
          # (setting this to /tmp is insecure on a multi-user system)
  ;       dump file = /tmp/freetds.log
  ;       debug flags = 0xffff
  
          # Command and connection timeouts
  ;       timeout = 10
  ;       connect timeout = 10
  
          # If you get out-of-memory errors, it may mean that your client
          # is trying to allocate a huge buffer for a TEXT field.
          # Try setting 'text size' to a more reasonable limit
          text size = 64512
  
  [logserver]
          host = 172.23.23.4
          port = 1433
          tds version = 8.0
  

• /etc/odbcinst.ini

  
  [FreeTDS]
  Description = FreeTDS ODBC driver for MSSQL
  Driver = /usr/lib/odbc/libtdsodbc.so
  Setup = /usr/lib/odbc/libtdsS.so
  

• /etc/odbc.ini

  
  [ODBC Data Sources]
  logserver = MSSQL Log-Server for Asterisk
  
  [logserver]
  description = MSSQL Log-Server for Asterisk
  driver      = /usr/lib/odbc/libtdsodbc.so
  servername  = logserver
  language = us_english
  trace = no
  tracefile = /root/mssql.trace
  

• /etc/asterisk/cdr_odbc.conf

  
  [global]
  dsn=logserver
  username=asterisk
  password=VERYSECRET
  loguniqueid=yes
  dispositionstring=yes
  table=cdr              ;"cdr" is default table name
  usegmtime=no             ; set to "yes" to log in GMT
  

• Test using isql

  # isql logserver asterisk "VERYSECRET" -v
  +---------------------------------------+
  | Connected!                            |
  |                                       |
  | sql-statement                         |
  | help [tablename]                      |
  | quit                                  |
  |                                       |
  +---------------------------------------+
  SQL> select * from cdr;
  [output of current cdr table]
  

Diese Verhalten eines der wichtigsten Services im Internet — der Namensauflösung — verletzt klar die Netzneutralität wie auch schon im Jahr 2007 von Ed Felten in seinem Blog im Falle Verizon festgestellt wurde. Verizon hat wohl seither auf diese Praxis — nach vielen Protesten — wieder verzichtet. Berechtigterweise wurde UPC für diese Praxis für den Big Brother Award nominiert — die gesammelten Daten gehen offensichtlich an einen ausländischen Werbeunternehmer. Zumindest in einem Fall kommt es bei diesem Verhalten zu Probleme bei Telefonie im Internet wie einem Forum Posting zu entnehmen ist.

Schlimmer noch: UPC liefert falschen Information auch für Domains die ganz klar von jemand anderem reserviert sind. Wenn ich also nonexistent.source-forge.org ansurfe komme ich auch auf die Werbeseite von UPC — obwohl source-forge.org (ja mit Bindestrich) von dem grossen Open Source Projekthoster sourceforge reserviert ist. Hoffentlich lässt es da mal jemand auf ein Gerichtsverfahren wegen unlauterem Wettbewerb ankommen. Wäre vermutlich recht lukrativ, jedenfalls bei anderen Firmen als Sourceforge.

Mir war das bisher nicht aufgefallen, aber offensichtlich wurden ehemalige Inode-Kunden erst vor kurzem umgestellt, UPC-Telekabel Kunden offensichtlich schon früher.

Heute habe ich mich bei der UPC-Hotline beschwert. Man werde an dem Fall arbeiten und “den Fehler” beheben. Leider könne man mir keine Ticket-Nummer geben unter welcher ich meine Beschwerde nochmal urgieren kann — aber ich könne ja “in einigen Tagen” wieder anrufen. Ein Rückruf wurde mir versprochen, mal sehen ob da was kommt. Ich habe den Hotline-Bearbeiter freundlich darauf hingewiesen, dass es sich ja nicht um einen unbekannten Fehler handeln kann, wenn UPC dafür bereits für den Big Brother Award nominiert wurde.

Inzwischen habe ich einen Workaround gefunden: UPC hat die alten, funktionierenden Nameserver nicht abgeschaltet, in obigem Link des ip-phone-forums findet man funktionierende DNS-Server: 195.34.133.25 und 195.34.133.26 die man fix einstellen kann. Weitere Tips finden sich als Antwort auf mein Posting an die LUGA-Mailingliste. Die alternative ist, gleich einen eigenen Nameserver zu betreiben (unter Linux sehr einfach möglich) oder auf alternative Namenshierarchien umzusatteln wie z.B. opennicproject — auch wenn man bei Verwendung von Alternativen von einer deutschen Ministerin gleich als pädophil eingestuft wird. Es ist kaum zu glauben, was manche Politiker für einen Schwachsinn von sich geben.

grml console=tty 1console=ttyS1,38400n8

I had tried console=ttyS1,38400n8 before which doesn’t work. So I added the ssh= boot-options found out via the grml cheatsheet. I could ping the machine but no SSH. Turns out it takes a loooong time until grml starts up the ssh-daemon for two reasons

• The net4801 is really slow
• GRML creates new SSH Host-keys before starting up SSH. Thats good. But a newly-started box without a Keyboard has a really small random-number pool, so the box sits there waiting for randomness to happen for generating the keys. So it helps to run several parallel pings to the machine to create some network traffic the timing of which slowly fills the randomness pool …

Turns out that process took several minutes on the Soekris net4801. After waiting I was finally able to log into grml and rescue the data using ddrescue. Thanks GRML!

This is a short howto how I built the debian patches and how you can — as a user — install everything needed for mISDN version 2 and Linux Call Router (LCR) with asterisk chan_lcr running on debian lenny.

I’m providing debian packages for Kernel (v 2.6.28.5), an updated zaptel (debian lenny zaptel doesn’t compile with newer kernels and zaptel wctdm uses some settings for analogue phones that don’t work with german and austrian phone like the “R”-key or optional pulse dialling), finally I’m providing a slightly patched asterisk for larger buffer sizes when playing long tones, LCR and misdnv2user packages originally built by Joerg Dorchain. My misdnv2user is the same as Joergs. The lcr package contains my bug-fix for DTMF digits A-F (also in Joergs packages now) which don’t work in upstream LCR version 1.3 and an updated /etc/init.d/lcr for querying the status of lcr.

I’m also providing source packages, except for the kernel — the kernel is stock kernel.org 2.6.28.5 configured for use of mISDN. The kernel was built using debians make-kpkg from the kernel-package debian package. And the config used for building the kernel is in the binary package.

I hope I can contribute something in order to get mISDN V2 and LCR into debian… in the meantime others may want to uses these on debian stable.

Installation

apt-get install vim less ssh ntp
apt-get install python-dev openbsd-inetd postfix madplay

Add following lines to /etc/apt/sources.list:

deb http://project.runtux.com/asterisk/debian/ lenny main
deb-src http://project.runtux.com/asterisk/debian/ lenny main

If you want to avoid warnings about an untrusted archive key from apt, you should import the following archive key. Save the key to a file and then issue the command
apt-key add file

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQENBEnREAIBCADM8+KpoC/HJUCEsx8KZhGgsX/G3ouR4/xkgIuIPgz+t6JoTisj
9QmymDZKUXSy04WmbLjU/088xD5A9ukOEYxoFCGqwWf1tPOKqN1oKpVCkjJb8Dht
vvebqOCzJSV0nfqmIfkpbX+6dUssx+9u0BiFK3aj/GilkEloZl2g+vIT6fveJtKE
qmxz19vL516TDhsbsv3/AKfNKc7QRpsgvPmnNE2IL0CTgQYs26WtnJASlu1MQpwo
Qfb1PrO7ufq9eO58HjEBdfbSNjalQjVj7vLvE4GQglHULO500H9UlfOm2zpO0Vzs
5lGGbwLJdTpAS3HIRhQAW0pueRsQ8zagMn5lABEBAAG0OFJhbGYgU2NobGF0dGVy
YmVjayAoRGViaWFuLVBhY2thZ2UtS2V5KSA8cnNjQHJ1bnR1eC5jb20+iQE2BBMB
AgAgBQJJ0RACAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ5CizCR9G97ah
pAf/eLRYtPVs1apI3+AVi//8y1/r6uL+IxI/Tlt53jCtX/dy3Q3FeAEJt/7fbvcW
TBDnP5K8vWaYUlHHaz+6lbcQyV/KAH4LKJEKkyoINc9ytG1qEG6z8NPfDmKiEluy
HksgLpAqUBrdZy46iWQhcg7f3fpcUIsHHcXrOd2Ip5G9DL2q4/UoRrhBhHC3GNX7
ERaeAKZTF1JRaVN6KSWPC2+yaNmuGn1yoSChG0Q/bBTgzv2fm9Jzvok546f9LE0q
k2q5PvjlUSMGHHojTzzR6tGhnbw5mOfyMUDDs5LuAN1aWbDatepJgiC+dYasprQ5
pZygpoCASqIhWjjCZd3XI5mAEIhGBBARAgAGBQJJ0nZlAAoJEIO0FkDz/lcw0xYA
njBSGef/4KhZpuspIh6WnLM7ORKNAKCw28et9bUoaGu4ESRpIwtwj4asQoicBBAB
AgAGBQJJ0ncuAAoJEJWCQpSoBzk1hpcD/2KXiuvE2Nm0oOi0jBVEjT/Tu/GGkG5m
lf97/I6TMcJxlMpeBlv9SiJD+/BBQo0MGMxmkCwU4t+eBCBsCVcr/bJnrlrKa4Ab
9SR9WQ8PGrSQ+AwMePCDKngqFd5EERz8bxz4sZKGCxn9JVRQOGp03eKSGDG/Yh0v
FY3v7nV0BUaE
=mPtt
-----END PGP PUBLIC KEY BLOCK-----

Then install:

apt-get update
apt-get install linux-headers-2.6.28.5-i686 linux-image-2.6.28.5-i686 \
    asterisk zaptel lcr zaptel-modules-2.6.28.5-i686

If you’re on the amd64 architecture, you should replace i686 in the packages above with amd64.

and optionally (for misdn_info):

apt-get install misdnv2user

Edit /etc/default/asterisk and set RUNASTERISK=yes. Then make several directories (should be done by a future version of the lcr package):

mkdir /var/run/lcr
chown asterisk.asterisk /var/run/lcr
mkdir /var/log/lcr
chown asterisk.asterisk /var/log/lcr

I’ve also made a start-script for lcr (for use as /etc/init.d/lcr) ,
downloadable at http://project.runtux.com/asterisk/init.d:lcr
this probably should also be part of the lcr package.

Config file examples used for lcr — these pass
everything to asterisk. File /etc/lcr/interface.conf:

[Ext1]
portnum 0
ptp
nodtmf

[Ext2]
portnum 1
ptp
nodtmf

[Int1]
portnum 2
nt
ptp
nodtmf

[Int2]
portnum 3
nt
ptp
nodtmf

I’m using a Beronet 4 port ISDN card, your config will probably differ: This system only expects incoming calls and needs to check on which line a call comes in. So I distinguish all external interfaces as separate interfaces of LCR. I also need to check an interface by calling out via that interface, you probably would want to make all external ports a trunk by grouping them into one LCR interface.

And the routing config needs to match your interface definition. This config will pass all calls — if asterisk is running — to asterisk. If asterisk isn’t running, I’m calling a test application (untested). The context in asterisk will be the interface name. Again, if you’re using a trunk here, be sure to match the routing config with your interface config. /etc/lcr/routing.conf:

[main]
remote=asterisk interface=Ext1 : remote application=asterisk
remote=asterisk interface=Ext2 : remote application=asterisk
remote=asterisk interface=Int1 : remote application=asterisk
remote=asterisk interface=Int2 : remote application=asterisk
default                        : efi

Update /etc/modules to include the following lines (the command appends the lines between cat and EOF):

cat >> /etc/modules << EOF
mISDN_core debug=0x0
mISDN_dsp debug=0x0 options=0x0
hfcmulti debug=0x0
EOF

Linux udev must be configured to correctly set the user for the isdn device(s):

cat > /etc/udev/rules.d/91-isdn.rules << EOF
ACTION!="add|change", GOTO="permissions_end"

KERNEL=="mISDN*",       GROUP="dialout"

LABEL="permissions_end"
EOF

After a reboot asterisk and lcr should be running.

Building

Getting kernel:

wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2.sign
wget http://kernel.org/pub/linux/kernel/v2.6/patch-2.6.28.5.gz
wget http://kernel.org/pub/linux/kernel/v2.6/patch-2.6.28.5.gz.sign

For compilation (zlib isn’t checked by make-kpkg!):

apt-get install kernel-package bzip2 libncurses5-dev zaptel-source \
    zlib1g-dev fakeroot

Compile Kernel:

tar xvf linux-2.6.28.tar.bz2
cd linux-2.6.28
zcat ../patch-2.6.28.5.gz | patch -N -p1 | less 2>&1
cp /boot/config-2.6.28.5-i686 .config
make oldconfig
make menuconfig # just to be sure

For amd64:

make-kpkg --append-to-version -amd64 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot binary > m.out 2> m.err

For i686:

make-kpkg --append-to-version -i686 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot binary > m.out 2> m.err

The following doesn’t seem to work although zaptel is installed:
probably need to unpack /usr/src/zaptel.tar.bz2 into
/usr/src/modules/zaptel (tar file contains modules directory!)
this would save us from the m-a a-i step below. amd64:

make-kpkg --append-to-version -amd64 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot modules > mo.out 2> mo.err
cd ..

For i686:

make-kpkg --append-to-version -i686 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot modules > mo.out 2> mo.err
cd ..

Make a debianized zaptel for new kernel:

apt-get install devscripts libnewt-dev quilt libusb-dev asciidoc
svn checkout http://svn.digium.com/svn/zaptel/branches/1.4 zaptel
apt-get source zaptel-source
cp zaptel/kernel/ztdummy.* zaptel-1.4.11~dfsg/kernel
cd zaptel-1.4.11~dfsg
# Add "Fix compilation for newer kernels"
dch -i
dpkg-buildpackage
cd ..
dpkg -i zaptel-source_1.4.11~dfsg-3.1_all.deb
m-a a-i zaptel

The following installs my patched asterisk, I’m modifying some buffer sizes because I want to play long tones (I’m generating a faked modem guard-tone that is needed in a project). You probably won’t need the patches asterisk, but it won’t hurt to install it. The create-patches script is available from
http://project.runtux.com/asterisk/create-patches

apt-get install libreadline5-dev libgsm1-dev libssl-dev libtonezone-dev \
    libvpb-dev autotools-dev libsqlite-dev libspeex-dev libspeexdsp-dev \
    graphviz libcurl4-openssl-dev doxygen libpopt-dev libopenh323-dev   \
    libiksemel-dev libradiusclient-ng-dev freetds-dev libvorbis-dev     \
    libsnmp-dev libc-client2007b-dev libcap2-dev libpq-dev unixodbc-dev \
    libpri-dev
apt-get source asterisk
scp ralf@bee:checkout/own/config/asterisk/create-patches .
cd asterisk-1.4.21.2~dfsg/
sh ../create-patches
# Hunk #1 succeeded at 25 (offset 3 lines).
# Add "runtux.com local buffer-size patches"
# and new version-number 1:1.4.21.2.1~dfsg-3
dch -i # add comment
dpkg-buildpackage -rfakeroot
cd ..

For mISDNuser and chan_lcr I’m using Joerg Dorchains packages with my added patches for DTMF codes A-F.

Unpacking of 'iscan-firmware-2.8.0.1-48.1.noarch.rpm' failed at /usr/share/perl5/Alien/Package/Rpm.pm line 155.

After some more searching I found debian bugs 518348 and 509444 of which the latter contains a workaround: Seems that the rpm format changed to a compressed format that can be unpacked with lzma. Now unpacking was possible — after all I was only interested in the firmware file — and now my scanner is working again… For the record, unpacking was done as follows:

mkdir iscan-firmware-2.8.0.1
rpm2cpio iscan-firmware-2.8.0.1-48.1.noarch.rpm \
| lzma -d | (cd iscan-firmware-2.8.0.1; \
cpio --extract --make-directories \
--no-absolute-filenames --preserve-modification-time)

v.l.n.r Kokoschka, Leuchtfeder, Gertrude

Alle verwendeten Teile sind bei Conrad erhältlich, wo wir es noch rekonstruieren können geben wir die Bestellnummern und den Link zum Artikel an. Conrad ist zwar relativ teuer, dafür bekommt man für dieses Einmalprojekt alle Teile bei einem Händler und wer was nachbauen will kann im deutschsprachigen Raum über einheitliche Teilenummern auf die gleichen Teile zugreifen, sei es in Österreich, der Schweiz oder Deutschland.

Einige Teile unserer Lösung eignen sich sicher auch für andere Projekte, nicht viele Leute werden eine Hühnerstalltüre brauchen …

Die Hühnerstalltüre funktioniert jetzt schon ein paar Wochen. Anfängliche mechanische Probleme (Tür verklemmte sich einige Male beim Herunterfahren) sind wohl gelöst. Unsere Software hat einen Zeitcheck falls beim Runter- oder Rauffahren doch mal was schiefgeht.

In der Folge beschreiben wir den Aufbau, getrennt nach Mechanik, Elektronik und Software — die Aufteilung zwischen Mechanik und Elektronik ist etwas willkürlich, wir haben die ganze Elektromechanik
(Motor, Schalter) zur Mechanik gerechnet.

Die Mechanik

Mit einem Getriebemotor wird eine Welle über einen Zahnriemen-Antrieb (Übersetzung nochmal 4:1) angetrieben. Der Getriebemotor ist schon 148:1 untersetzt. Die Welle läuft auf Kugellagern, die in einem Holzrahmen montiert sind. Die Lagerflansche sind einfach mit Heisskleber in den ausgestemmten Teil der Holzlatten geklebt. Vorsicht, keinen Heisskleber ins Lager bringen…

Die Übersetzung wurde so gewählt, dass wir eine bis zu 800g schwere Tür mit einer Welle mit Radius 5mm gut hochziehen können. Das Drehmoment des verwendeten Motors ist etwa 1,2 Ncm, mit der 4:1 Übersetzung mit dem Zahnriemen kommen wir auf 4.8 Ncm.

Die Welle wickelt dann eine Nylonschnur auf, die an der Tür angebunden ist. Die Nylonschnur hat einen Durchmesser von 2mm, die Welle wurde mit einem 2mm Titanbohrer gebohrt. Zum Bohren der Welle haben wir einen Stellring verwendet, einfach durch das Schraubenloch des Stellringes gebohrt, der Stellring war mit Klebeband fixiert.

Das Einfädeln der Nylonschnur kann man sich erleichtern, indem man die Nylonschnur mit einem Feuerzeug an einer Stelle erhitzt und auseinanderzieht, die entstehende Spitze eignet sich recht gut zum Einfädeln.

Motor: Eigentlich wollten wir ursprünglich einen kleineren Motor, da der jetzt verwendete Motor bis zu 2A Strom zieht (bei hoher Last — unsere Tür ist relativ leicht, dadurch ist die Last und damit der Strom recht niedrig). Das könnte mal zuviel für den verwendeten H-Bridge Motorcontroller werden.

Die Tür selbst hat einen Magneten, der in zwei Stellungen (Tür ganz oben bzw. ganz unten) jeweils einen Magnetschalter auslöst.

Für das Justieren (von Hand Türe rauf- bzw. runterfaheren) gibt es zwei Taster die an digitalen Inputs des Arduino angeschlossen sind.

Mechanischer Aufbau

Teileliste Mechanik:

• 222366 Getriebemotor
• 222374 Alternativ: kleinerer Motor
• 237205 Welle 8mm
• 216011 Lagerflansch für Kugellager
• 225550 Stellringe 8mm
• 214493 Kugellager
• 226043 Zahnriemenscheibe 40 Zähne, für Welle 8mm
• 226106 Zahnriemenscheibe 10 Zähne, für Welle 6mm (an Motor)
• 226084 Zahnriemen
• 753360 Magnetschalter
• Taster ein (2X)

Im folgenden Bild sieht man die Tür im Zustand “NACHT” (zu). Die Magnetschalter und der Magnet an der Tür sind gut zu erkennen. Oben im Bild ist ein Stück Sperrholz auf Abstandshaltern so montiert, dass die Schnur durchläuft und beim Hochfahren die Tür an die Hüttenwand gedrückt wird.

Hühnerstalltür im geschlossenen Zustand mit Magnet und Magnetschaltern

Die Elektronik

Der Dämmerungsschalter ist mit einem einfachen Photowiderstand in einem Spannungsteiler mit einem 10k Widerstand realisiert. Der Photowiderstand ist über ein Lautsprecherkabel mit Heisskleber im Holzdach montiert. Oberhalb des Photowiderstands ist ein Acryl-Welldach. Die Magnetschalter sind an digitale Eingangspins des Arduino angeschlossen.

Die Motorsteuerung erfolgt über eine H-Bridge Schaltung in einem IC. Die Elektronik dazu findet auf einer Lochraster-Platine Platz. Die einfache H-Bridge benötigt keine externen Teile. Wie man das mit dem Arduino verdrahtet ist ganz gut auf der Seite der Physical Computing Labs der Tisch School of the Arts beschrieben — ist auch der erste Link auf den ich beim googlen nach “Arduino Motor Control” gestoßen bin.

Wir wollen aber — wegen des größeren Motors — auf eine größere H-Bridge, die braucht externe Schaltdioden (das Datenblatt des L298N schlägt Dioden mit höchstens 200ns reverse recovery time (t_rr) vor, wir werden die BYV 2100 verwenden mit einer t_rr von 12.5ns)

Teileliste Elektronik:

• Arduino Duemilanove
• 145475 Photowiderstand
• Widerstand 10k
• 174003 L293D H-Bridge max 1A
• 510821 Netzteil 9V passend für Arduino

Alternative größere H-Bridge:

• 156128 L298N H-Bridge Dual 2A bzw parallelgeschaltet 3A
• 160005 BYV 2100 Schnelle Dioden dazu

Die Software

Der Dämmerungsschalter sollte laut Wikipedia bei ca. 100 lux das Öffnen der Tür veranlassen und bei höchstens 3.4 lx (Dark limit of civil twilight under a clear sky) das Schließen. In dem Wikipedia-Artikel ist eine Tabelle, die einen sehr dunklen Tag mit 100lx angibt, die deutsche Version enthält leider keine ausführliche Tabelle. In unseren Experimenten war ein Meßwert des Arduino von 200 für “Jetzt ist es dunkel, Tür zu” und von 300 für “Jetzt ist es hell, Tür auf” gut — auch in den jetzt dunklen Wintertagen (auch bei einem Gewitter) bleibt die Tür tagsüber offen und schliesst zuverlässig bei Dunkelheit. In einer klaren Vollmondnacht blieb die Tür zu.

Die Steuerung ist als Zustandsautomat (State Machine) realisiert. Jenachdem welcher Magnetschalter beim Einschalten Kontakt hat, startet der Automat im Zustand “TAG” bzw. “NACHT”. Wird keiner der Magnetschalter gesehen, gehen wir in den Zustand “ERROR”. Dieser Zustand bildet auch alle anderen Fehlerzustände ab, die im Betrieb auftreten können. Dabei setzen wir eine Fehlermeldung, die dann über die serielle Schnittstelle des Arduino (USB Serial) ausgegeben wird.

Der Zustandsautomat verwendet Statusfunktionen: In einem bestimmten Zustand wird die zugehörige Zustandsfunktion ausgeführt. Wenn diese Funktion 0 zurückliefert, geht der Automat in den nächsten Zustand, sonst bleibt er im alten Zustand.

Durch die Verwendung von Statusfunktionen (und keiner speziellen Funktion beim Zustandsübergang) haben wir zwei zusätzliche Zustände um den Motor einzuschalten, dieser Zustand (START_RAUF bzw. START_RUNTER) schaltet den Motor ein und geht sofort in den nächsten Zustand über.

Die Verdrahtung mit dem Arduino, also an welchen Pins welche Peripherie angeschlossen ist, sind über define’s am Beginn des Programms festgelegt.

Die Logik für die digitalen Inputs verwendet die Arduino-internen Pull-Up Widerstände. Daher ist die Logik invertiert: Wenn der Taster (oder ein Magnetschalter) geschlossen ist, liefert der entsprechende digitale Input eine 0.

Beim Testen haben wir festgestellt, dass bei laufendem Motor gelegentlich eine gedrückte Taste — oder ein geschlossener Magnetschalter detektiert wird. Daher haben wir in Software alle digitalen Inputs entprellt (Funktion debounced_read). Vermutlich sollten wir vor der H-Bridge noch einen Entstörkondensator vorsehen.

Die beiden Taster zum manuellen Rauf- und Runterfahren setzen ein Flag das den Zustandsautomaten neu initialisiert — dadurch muss man nach dem manuellen Kalibrieren kein Reset ausführen: Einfaches Drücken der Rauf- bzw. Runter-Taste reicht, um ein neues Initialisieren durchzuführen.

Im Error-Status warten wir 100ms nach dem Ausgeben der Fehlermeldung. Durch dieses Delay merkt man bei Drücken des Rauf- bzw. Runter-Knopfes sofort, ob sich das Gerät im Error-Zustand befindet: Wenn ein Error-Zustand vorliegt, bewegt sich der Motor nicht sofort, sondern erst nach einem kurzen Delay. Wenn der Zustandsautomat korrekt initialisiert ist, bewegt sich der Motor sofort.

Während der Entwicklung habe ich mit etwas mit einem Bug der Arduino-Entwicklungsumgebung gekämpft: Um Function-Style casts (Typumwandlungen die wie eine Funktion aussehen) zu ermöglichen, macht die Entwicklungsumgebung Code-Rewriting und fügt insbesondere einige Preprozessor-Defines ein, die es verhindern, einen Funktionspointer in C zu deklarieren. Der Workaround ist ein “#undef int” vor der Funktionspointer-Deklaration einzufügen. Gleich am Anfang kann man das nicht machen, da das Code-Rewriting ein #include direkt vor dem ersten Statement (nach allen #include und #define Direktiven) einfügt. Dieses “Feature” hat durch obskure Fehlermeldungen einiges an Zeit gekostet, was mich veranlasst hat, einen Beitrag im Arduino Forum dazu zu schreiben.

Die verwendeten Timer-Routinen (#include <timer.h> und der Typ Arduino_Timer) dienen dazu, auf eine bestimmte Zeit nach dem Aufruf von millis() zu warten — auch wenn die von millis verwendete Variable inzwischen überläuft. Der Timer lässt sich fragen, ob der gewünschte Zeitpunkt schon erreicht ist. Ursprünglich habe ich diese Routinen geschrieben, weil Version 0011 (und früher) der Arduino Entwicklungsumgebung einen Bug hatte, so dass der Timer zu früh überlief. Die entsprechenden Timer Routinen (für Version 0011 oder ab 0012) gebe ich gern auf Anfrage weiter.

#include <timer.h>
#include <stdio.h>

# define LED          13
# define MAGNET_OBEN   7
# define MAGNET_UNTEN  8
# define FOTO          0
# define MOTOR         9
# define MOTOR_DIR1    4
# define MOTOR_DIR2    3
# define MOTOR_MIN  0x7F
# define KNOPF_RAUF   12
# define KNOPF_RUNTER  2

# define HELL        300
# define FINSTER     200

# define STATUS_TAG          0
# define STATUS_ABEND        1
# define STATUS_NACHT        2
# define STATUS_MORGEN       3
# define STATUS_START_RAUF   4
# define STATUS_RAUFFAHREN   5
# define STATUS_START_RUNTER 6
# define STATUS_RUNTERFAHREN 7
# define STATUS_ERROR        8

int status   = STATUS_ERROR;
char errbuf [80];
char *errmsg = "";
int neuinitialisieren     = 1;
int debounce_magnet       = 0;
int debounce_knopf_runter = 0;
int debounce_knopf_rauf   = 0;

# define TIMER_MS       10000 // 10 seconds debounce 300000 // 5 minutes
# define FAHRZEIT_MS    75000 // max 75 seconds for up/down of door
Arduino_Timer timer (TIMER_MS);

int debounced_read (int iopin, int *counter)
{
    if (!digitalRead (iopin))
    {
        if ((*counter)++ >= 10)
        {
            *counter = 0;
            return 0;
        }
    }
    else
    {
        *counter = 0;
    }
    return 1;
}

void motor_an ()
{
    digitalWrite (LED,   HIGH);
    digitalWrite (MOTOR, HIGH);
}

void motor_aus ()
{
    digitalWrite (LED,   LOW);
    digitalWrite (MOTOR, LOW);
}

void linksrum ()
{
    digitalWrite (MOTOR_DIR1, LOW);
    digitalWrite (MOTOR_DIR2, HIGH);
}

void rechtsrum ()
{
    digitalWrite (MOTOR_DIR1, HIGH);
    digitalWrite (MOTOR_DIR2, LOW);
}

// Wir benutzen Status-Funktionen fuer jeden Status unserer Maschine:
// Wenn die Funktion 0 zurueckliefert, geht die Maschine in den naechsten
// Zustand, sonst bleibt sie im gleichen Zustand.

int fahren (int magnet)
{
    if (!debounced_read (magnet, &debounce_magnet))
    {
        return 1;
    }
    if (timer.is_reached (millis ()))
    {
        motor_aus  ();
        timer.stop ();
        errmsg = "Zeitueberschreitung fahren";
        status = STATUS_ERROR;
        return 0;
    }
    return 0;
}

int starte_rauffahren ()
{
    if (digitalRead (MAGNET_UNTEN))
    {
        errmsg = "Hochfahren: Tuere nicht unten";
        status = STATUS_ERROR;
        return 0;
    }
    timer.start (millis (), FAHRZEIT_MS);
    debounce_magnet = 0;
    rechtsrum ();
    motor_an  ();
    return 1;
}

int rauffahren ()
{
    return fahren (MAGNET_OBEN);
}

int starte_runterfahren ()
{
    if (digitalRead (MAGNET_OBEN))
    {
        errmsg = "Hochfahren: Tuere nicht oben";
        status = STATUS_ERROR;
        return 0;
    }
    timer.start (millis (), FAHRZEIT_MS);
    debounce_magnet = 0;
    linksrum  ();
    motor_an  ();
    return 1;
}

int runterfahren ()
{
    return fahren (MAGNET_UNTEN);
}

int nacht ()
{
    int val;
    motor_aus ();
    val = analogRead (FOTO);
    Serial.println (val);
    if (val > HELL)
    {
        timer.start (millis ());
        return 1;
    }
    return 0;
}

int tag ()
{
    int val;
    motor_aus ();
    val = analogRead (FOTO);
    Serial.println (val);
    if (val < FINSTER)
    {
        timer.start (millis ());
        return 1;
    }
    return 0;
}

int abend ()
{
    int val;
    motor_aus ();
    val = analogRead (FOTO);
    if (val > FINSTER)
    {
        status = STATUS_TAG;
        return 0;
    }
    if (timer.is_reached (millis ()))
    {
        timer.stop ();
        return 1;
    }
    return 0;
}

int morgen ()
{
    int val;
    motor_aus ();
    val = analogRead (FOTO);
    if (val < HELL)
    {
        status = STATUS_NACHT;
        return 0;
    }
    if (timer.is_reached (millis ()))
    {
        timer.stop ();
        return 1;
    }
    return 0;
}

int error ()
{
    motor_aus ();
    Serial.println (errmsg);
    delay (100);
    return 0;
}

# undef int
struct state {
    int status;
    int next_status;
    int (*statefun)();
};

// Stati muessen in der Reihenfolge der numerischen Zustandswerte sein
// Zustaende muessen lueckenlos nummeriert sein
struct state stati [] =
{ { STATUS_TAG,          STATUS_ABEND,        tag                 }
, { STATUS_ABEND,        STATUS_START_RUNTER, abend               }
, { STATUS_NACHT,        STATUS_MORGEN,       nacht               }
, { STATUS_MORGEN,       STATUS_START_RAUF,   morgen              }
, { STATUS_START_RAUF,   STATUS_RAUFFAHREN,   starte_rauffahren   }
, { STATUS_RAUFFAHREN,   STATUS_TAG,          rauffahren          }
, { STATUS_START_RUNTER, STATUS_RUNTERFAHREN, starte_runterfahren }
, { STATUS_RUNTERFAHREN, STATUS_NACHT,        runterfahren        }
, { STATUS_ERROR,        STATUS_ERROR,        error               }
};

void setup ()
{
    pinMode (LED,         OUTPUT);
    pinMode (MAGNET_OBEN,  INPUT);
    pinMode (MAGNET_UNTEN, INPUT);
    pinMode (MOTOR,       OUTPUT);
    pinMode (MOTOR_DIR1,  OUTPUT);
    pinMode (MOTOR_DIR2,  OUTPUT);
    pinMode (KNOPF_RUNTER, INPUT);
    pinMode (KNOPF_RAUF,   INPUT);

    digitalWrite (MOTOR,   LOW);
    linksrum ();
    digitalWrite (LED,     HIGH);

    digitalWrite (MAGNET_OBEN,  HIGH); // enable pull-up resistor
    digitalWrite (MAGNET_UNTEN, HIGH); // enable pull-up resistor
    digitalWrite (KNOPF_RUNTER, HIGH); // enable pull-up resistor
    digitalWrite (KNOPF_RAUF,   HIGH); // enable pull-up resistor
    Serial.begin (115200);
    if (FINSTER >= HELL)
    {
        status = STATUS_ERROR;
        errmsg = "FINSTER >= HELL";
    }
    Serial.print ("initial state: ");
    Serial.println (status);
}

void loop ()
{
    struct state *st = &stati [status];
    if (!debounced_read (KNOPF_RUNTER, &debounce_knopf_runter))
    {
        debounce_knopf_runter = 10;
        linksrum  ();
        motor_an  ();
        neuinitialisieren = 1;
        return;
    }
    else if (!debounced_read (KNOPF_RAUF, &debounce_knopf_rauf))
    {
        debounce_knopf_rauf = 10;
        rechtsrum ();
        motor_an  ();
        neuinitialisieren = 1;
        return;
    }
    else if (neuinitialisieren)
    {
        motor_aus ();
        errmsg = "Unbekannte Tuerposition bei Start";
        status = STATUS_ERROR;
        if (!digitalRead (MAGNET_OBEN))
        {
            status = STATUS_TAG;
        }
        else if (!digitalRead (MAGNET_UNTEN))
        {
            status = STATUS_NACHT;
        }
        neuinitialisieren = 0;
        debounce_knopf_rauf = debounce_knopf_runter = 0;
        Serial.print ("Initialized to: ");
        Serial.println (status);
        return;
    }
    // Hard-coded error state must work if state-table is broken
    if (status >= STATUS_ERROR)
    {
        error ();
        return;
    }
    if (st->status != status)
    {
        status = STATUS_ERROR;
        sprintf
            ( errbuf
            , "Error in state-table, expected %d got %d"
            , status
            , st->status
            );
        errmsg = errbuf;
        return;
    }
    if (st->statefun ())
    {
        status = st->next_status;
    }
    if (status != st->status)
    {
        sprintf (errbuf, "new state: %d->%d", st->status, status);
        Serial.println (errbuf);
    }
}

The needed dfu-util is a Debian lenny package, on my lenny-laptop just one apt-get away. The upgrade steps are well documented on the “Flashing the Neo” page.

I’ve also upgraded the bootloader because I wanted to try to install Debian (on the SD card) and the instructions say to upgrade the bootloader.

After booting into the new version I discovered that the “Settings” icon did nothing. The device would auto-suspend after about 30 seconds when not in use via the touch-screen. Fortunately I had experimented earlier how to get a SSH-connection to the device — I wouldn’t have found out in 30 seconds: The device would suspend and kill a running SSH-session.

The openmoko device comes up as network interface usb0 on the machine you connect the USB to. The IP is 192.168.0.202, you should configure your usb0 network interface to something like 192.168.0.200.

I’m using the Debian package ipmasq on my laptop, so NAT to my internal network for the openmoko was working immediately, I could ping machines on my internal network.

So I held the touch-screen with the left-hand thumb and configured the network: The device comes up with an empty /etc/resolv.conf, you should insert a nameserver line with the IP of a reachable nameserver.

After having a running network (remember I’m still preventing the device from suspending and killing my ssh session with one finger on the display) I installed the package illume-config which adds a little toolbox-icon to the window-manager. With this I was able to finally disable the suspend via the config. After that I did an opkg upgrade of the device and the “Settings” program magically started working.

The first experiment with a phone-call failed, because the called party could not hear me. I had to install alsamixer and turn on the microphone and capture devices. Now calling and being called works fine.

I haven’t experimented too much until now — one of the major roadblocks is a broken input method. The on-screen keyboard is not really suitable for entering commands into an xterm. One of the next steps will be to install Debian on the device.