DD-WRT: OpenVPN Server Using Certificates

GUIs confuse me sometimes, so I prefer to do my configuration in text files. On DD-WRT, the OpenVPN server is available in the OpenVPN, OpenVPN Small, Big, Mega, and Giga builds: K2.6 Build Features. Since I have never used any router with USB storage capabilities I can’t be sure, but I think OpenVPN can be installed using ipkg as well.

For this post I am going to assume you’re an OS X user, but Windows procedures shouldn’t be too different.

1. Generating certificates and keys

  1. Get Easy-RSA. You can either clone the git repository or download the package as a zip. Navigate to the folder where you downloaded/cloned Easy-RSA and change into the directory easy-rsa/2.0.
  2. Edit the file vars. I’m showing the variables that you might want to change. Take note of the KEY_SIZE variable. If you’re paranoid like me, leave it at 2048. It takes longer to generate the DH parameters, but not that long.
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=2048
     
    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650
     
    # In how many days should certificates expire?
    export KEY_EXPIRE=3650
     
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="MY"
    export KEY_PROVINCE="SELANGOR"
    export KEY_CITY="Puchong"
    export KEY_ORG="AdyRomantika"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="RomantikaName"
     
    # X509 Subject Field
    export KEY_NAME="MYKEY1"
  3. Import the variables into the current shell:
    $ source vars
  4. Clean existing keys if any (WARNING: This deletes all existing certificates and keys)
    $ ./clean-all
  5. Build the certificate authority (CA). The script will ask again for the parameters you entered in vars, so just press ENTER if you’re satisfied with them.
    • This will produce 2 files: ca.key and ca.crt
    $ ./build-ca
  6. Generate Diffie-Hellman parameters
    • This will produce the file: dh{n}.pem where {n} is the key size specified in the vars file.
    $ ./build-dh
  7. Generate the key and certificate for the server.
    • When asked for a password, just press ENTER; otherwise you will be prompted for the key password each time the service is brought up.
    • When asked whether to sign the certificate, say Yes.
    • This will produce 3 files: server.crt, server.csr, server.key
    $ ./build-key-server server1
  8. Generate keys for the clients. This step can be repeated in the future for more clients as needed.
    • When asked for a password, you can enter one so that the key password is requested each time you connect to the service. I recommend this to make it more secure.
    • When asked whether to sign the certificate, say Yes.
    • This will produce 3 files: client1.crt, client1.csr, client1.key
    $ ./build-key client1
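Before copying the generated files to the router it is worth confirming that they are what the steps above should have produced. The following script is an added example, not part of the original post or of Easy-RSA itself: it checks that a server or client certificate chains to ca.crt, that its key size is at least what KEY_SIZE asked for, and that it is not about to expire. It assumes openssl is on the PATH, that the files are in easy-rsa/2.0/keys (override with KEYS_DIR), and the file names server1.crt and client1.crt used above.

```shell
#!/bin/sh
# Added example: sanity-check the files Easy-RSA 2.0 leaves in its keys/ directory.
# Assumptions: openssl on the PATH; KEYS_DIR is easy-rsa/2.0/keys; cert names as built above.

KEYS_DIR="${KEYS_DIR:-keys}"

# cert_chains_to_ca CA_CRT CERT: 0 if CERT was signed by CA_CRT and is currently valid
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_key_bits CERT: print the public key size in bits (e.g. 2048)
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_valid_for_days CERT DAYS: 0 if the certificate is still valid DAYS days from now
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# check_cert CA_CRT CERT MIN_BITS [MIN_DAYS]: run all three checks, print a
# one-line verdict and return 0 only when every check passes
check_cert() {
    ca="$1"; cert="$2"; min_bits="$3"; min_days="${4:-30}"; status=0
    if cert_chains_to_ca "$ca" "$cert"; then chain=ok; else chain=FAIL; status=1; fi
    bits=$(cert_key_bits "$cert")
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then size=ok; else size=FAIL; status=1; fi
    if cert_valid_for_days "$cert" "$min_days"; then expiry=ok; else expiry=FAIL; status=1; fi
    echo "$cert: chain=$chain keysize=${bits:-?}($size) expiry=$expiry"
    return $status
}

# Stand-alone use ("sh check-keys.sh run"): check every end-entity certificate
if [ "$1" = "run" ]; then
    rc=0
    for crt in "$KEYS_DIR"/server1.crt "$KEYS_DIR"/client1.crt; do
        check_cert "$KEYS_DIR/ca.crt" "$crt" 2048 || rc=1
    done
    exit $rc
fi
```

A certificate that fails the chain check was signed by a different CA (for example an older one that clean-all removed), and the router will reject clients presenting it; the key-size check catches a vars file that was edited after build-ca had already run.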


DD-WRT as Wireless Client

There is something very wrong with the wireless module on the DELL Precision M4300 I am currently using – after a while files begin to get corrupted and Windows will fail to write the event log. I have just had the motherboard changed by DELL last Monday. In the office I did not have any problem for the whole week since I was using a wired connection. At home, I mainly use wireless because my access point is in the family hall.

Bummer! I can’t be wired at home, it’s simply not practical and I have no suitable surface to work on near the access point. It’s a Huawei E960, property of Maxis. It’s an HSDPA modem, so where I place it is very important.

I have an antique Linksys WRT54G v2.2 with DD-WRT v24 on it so I decided to convert it to a wireless client. It acts as a wireless client to the main wireless router, and provides LAN connection via the wired ports. Perfect for a busted wireless module.

Steps on the WRT54G:

  1. Do a hard reset
  2. Connect to the router via wired port
  3. Open the Wireless » Basic Settings tab
    • Wireless Mode: Client Bridge
    • Wireless Network Mode: Match Primary Router
    • Wireless Network Name(SSID): Match Primary Router
    • Wireless Channel: Match Primary Router
    • Wireless SSID Broadcast: Enable
    • Network Configuration: Bridged
    • Save Settings
  4. Open the Wireless » Wireless Security tab
    • Set Encryption to match the primary router. I use WPA2 with TKIP+AES and it works fine.
    • Enter encryption key to match the Primary router
    • Save Settings
  5. Open the Setup » Basic Setup tab
    • Connection Type will show: Disabled
    • Set STP to Disabled
    • IP Address: 192.168.1.2 (Primary Router IP is 192.168.1.1)
    • Mask: Match Primary Router (mine is 255.255.255.248)
    • Gateway: 192.168.1.1 (Primary Router IP is 192.168.1.1)
    • DHCP Server: Disable
    • Save Settings
  6. Open the Setup » Advanced Routing tab
    • Change Type to: Router
    • Save Settings
  7. Open the Security » Firewall tab
    • Uncheck all boxes except “Filter Multicast” in “Block WAN Requests”
    • Disable SPI firewall
    • Save Settings
  8. Open the Administration tab
    • APPLY Settings
    • Click “Reboot” button

On the primary router I only had to add the MAC address of the WRT54G so that it allows the connection (I have MAC filtering enabled). To find the MAC address I simply use the Administration » Commands tab to run ifconfig (or, of course, via SSH). I am not sure how other hardware would behave, but I use my eth1 address.

This is good enough for now, although I am hoping that the notebook gets fixed. I am not going to pack the WRT54G along to Starbucks or any cafe just to get wireless connection.

Battery Powered Server

For real?

[Image: Google server]

The black box with two terminals is a 12V battery, and it looks like a lead-acid battery. Is it a DELL? Is it an IBM? Is it an HP? No, it is a Google. That’s right people, it’s one of the many Google servers inside its data center containers. It’s a 2U thick server, with a Gigabyte mainboard holding 2 CPUs, 2 hard disks, and 8 pieces of RAM.

It’s not really battery powered, but the battery kicks in once the main power is lost. This effectively eliminates the need for more expensive and space-consuming giant UPSs (uninterruptible power supplies), which are batteries anyway. Is this a better solution? You be the judge.

If you ask me, I’d like to have one of those Magnetek power supply units to install in my PC. The battery can fit nicely in a tower casing, much better than having separate UPS units. However, I think the mainboard itself must be custom because the 12V to 5V conversion takes place there. The power supply unit only outputs 12V (approximately 13.65V).

However, I can’t find any info on how long the battery can actually supply power.

Story found on CNET: http://news.cnet.com/8301-1001_3-10209580-92.html

Maxis to bring iPhone 3G to Malaysia on March 20

Really? That short notice? I was casually browsing my Google Reader when I stumbled upon this exciting news. Exciting? Not anymore. I don’t know why but the frustration of waiting has made me less interested in iPhones. The time stamp on the news was like 4 hours before I started this entry. Fresh!

[Image: Maxis iPhone 3G banner]

Going to the Maxis site, there is now a big banner “Be among the first to own an iPhone 3G“. No, Maxis did not do anything wrong and it’s still great news, except that right now there may be hundreds of people in Malaysia using cracked iPhones. Among the first? I don’t think so. It should say “Be among the first to own an official and uncracked iPhone 3G“. Yes, that’s me trying to be funny. Ha ha.

If you’re interested you may go here at Maxis’ spanking new iPhone section. Enjoy it. I don’t think I will be getting one anytime soon.

When Security Is Not Secure

I was going after a moron who was disturbing my wife’s blog and reached an IP address. Using nmap, I found out that port 80 on that IP is open.

-(~:#)-> nmap -A -T4 XXX.XXX.XXX.XXX
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-09 23:52 MYT
Warning: Giving up on port early because retransmission cap hit.
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on XXX.XXX.in-addr.arpa (XXX.XXX.XXX.XXX):
Not shown: 1673 closed ports
PORT     STATE    SERVICE        VERSION
25/tcp   filtered smtp
80/tcp   open     http            (GoAhead-Webs embedded httpd)
443/tcp  open     ssl/unknown
1720/tcp filtered H.323/Q.931
5000/tcp open     UPnP?
5001/tcp open     commplex-link?
5100/tcp open     admd?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port443-TCP:V=4.11%T=SSL%I=7%D=2/9%Time=499051AA%P=i686-pc-linux-gnu%r(
SF:GetRequest,18A,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nContent-type:
SF:\x20text/html\r\nPragma:\x20no-cache\r\nDate:\x20Mon,\x2009\x20Feb\x202
SF:009\x2015:54:17\x20GMT\r\nLast-modified:\x20Mon,\x2009\x20Feb\x202009\x
SF:2015:54:17\x20GMT\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\
SF:n\r\n\r\n<html>\n<head>\n\x20\x20<title>501\x20Not\x20Implemented\n</title></head>\n<body \x20bgcolor=\"ffffff\">\n\x20\x20<h2>501\x20Not\x20Im
SF:plemented</h2><h2>\n\x20\x20<p>\n\x20\x20The\x20requested\x20method\x20is\x2
SF:0not\x20implemented\x20by\x20this\x20server\.\n</p></h2></body>\n</html>\n")%r(G
SF:enericLines,18A,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-type:\x2
SF:0text/html\r\nPragma:\x20no-cache\r\nDate:\x20Mon,\x2009\x20Feb\x202009
SF:\x2015:54:17\x20GMT\r\nLast-modified:\x20Mon,\x2009\x20Feb\x202009\x201
SF:5:54:17\x20GMT\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\n\r
SF:\n\r\n<html>\n<head>\n\x20\x20<title>400\x20Bad\x20Request</title>\n\n<body \x20bgcolor=\"ffffff\">\n\x20\x20<h2>400\x20Bad\x20Request<h SF:2>\n\x20\x20<p>\n\x20\x20Your\x20request\x20has\x20bad\x20syntax\x20or\
SF:x20is\x20inherently\x20impossible\x20to\x20satisfy\.\n</p></h></h2></body>\n</head></html>\
SF:n")%r(HTTPOptions,18A,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nConten
SF:t-type:\x20text/html\r\nPragma:\x20no-cache\r\nDate:\x20Mon,\x2009\x20F
SF:eb\x202009\x2015:54:18\x20GMT\r\nLast-modified:\x20Mon,\x2009\x20Feb\x2
SF:02009\x2015:54:18\x20GMT\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20c
SF:lose\r\n\r\n\r\n<html>\n<head>\n\x20\x20<title>501\x20Not\x20Implemente
SF:d</title>\n</head>\n<body \x20bgcolor=\"ffffff\">\n\x20\x20<h2>501\x20No
SF:t\x20Implemented</h2><h2>\n\x20\x20<p>\n\x20\x20The\x20requested\x20method\x
SF:20is\x20not\x20implemented\x20by\x20this\x20server\.\n</p></h2></body>\n</html>\
SF:n")%r(RTSPRequest,18A,"HTTP/1\.1\x20501\x20Not\x20Implemented\r\nConten
SF:t-type:\x20text/html\r\nPragma:\x20no-cache\r\nDate:\x20Mon,\x2009\x20F
SF:eb\x202009\x2015:54:18\x20GMT\r\nLast-modified:\x20Mon,\x2009\x20Feb\x2
SF:02009\x2015:54:18\x20GMT\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20c
SF:lose\r\n\r\n\r\n<html>\n<head>\n\x20\x20<title>501\x20Not\x20Implemente
SF:d</title>\n</head>\n<body \x20bgcolor=\"ffffff\">\n\x20\x20<h2>501\x20No
SF:t\x20Implemented</h2><h2>\n\x20\x20<p>\n\x20\x20The\x20requested\x20method\x
SF:20is\x20not\x20implemented\x20by\x20this\x20server\.\n</p></h2></body>\n</html>\
SF:n");
Device type: general purpose
Running: Microsoft Windows Longhorn
OS details: Microsoft Windows Longhorn Preview
 
Nmap finished: 1 IP address (1 host up) scanned in 122.444 seconds

And so I went to look at what the HTTP server offers. It’s a D-Link DCS-950 camera, most probably port-forwarded through a router, since the computers browse from the same IP.

I went to the D-Link website to look for the product manual and, as I suspected, it is using the default password, admin/admin. Here’s what I saw:

Anyone recognize this place?

The point here is that a device intended to serve as a security tool can also be used against you. The dumbest thing you can do is leave your devices on their default passwords.

Ha… I can see someone changing tab to open their router configuration panel which has the default password. 😉

But hey, this camera is cool. I would not hesitate to install one or two at home. It can also be a PPPoE dialer (ADSL), so it can connect directly to a modem and dial the Internet. One bad thing I noticed is that to log in and browse the images you need to use IE, as it utilizes ActiveX.

Setting DD-WRT Cron Job Through Command Line

I managed to get OpenVPN running on my DD-WRT v2.2 router, with the instructions from the wiki.

However, after a few reboot tests I saw that OpenVPN died immediately after it started, for no traceable reason.

Sep 12 00:51:10 192.168.xx.xx openvpn[3940]: TUN/TAP device tap0 opened
. . .
Sep 12 00:51:11 192.168.xx.xx openvpn[3949]: Initialization Sequence Completed

I suspect it has to do with the fact that my ppp0 (ADSL) connection takes some time to come up.

So I thought of doing a check using cron: if OpenVPN is not running, run it.

The command I wrote was:

But the bad news is that when I enter this command in the cron box inside the Web Administration GUI, the single quotes get translated into HTML entities, and this becomes permanent in nvram and also in /tmp/cron.d/cron_jobs. Damn.

So I thought of using the command line. Here’s what I did in the SSH shell:

At this point, if you don’t want to reboot your router, enter these into /tmp/cron.d/cron_jobs and restart cron using stopservice cron && startservice cron.

And I’m all set!

I hope the IT team from my company is not reading this, but I also have a vpnc daemon running on the router to connect to my company network and I do the same check as above 😉
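One way around the quoting problem is to keep the check in a script and have the cron line call the script, so the crontab entry itself contains no quotes. The script below is an added example written for this post; it is not the command from the original entry. It assumes the script is stored at /jffs/bin/vpn-watchdog.sh, that DD-WRT keeps custom cron jobs in the nvram variable cron_jobs, and the OpenVPN and vpnc config paths shown in the comments; all of those are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not the original post's command): start a daemon only if it is
# not already running. The crontab line only names this script, so it carries
# no quotes for the web GUI to turn into HTML entities.
#
# Install from the SSH shell (assumed nvram variable and script path):
#   nvram set cron_jobs="* * * * * root /jffs/bin/vpn-watchdog.sh run"
#   nvram commit
# Without a reboot, append the same line to /tmp/cron.d/cron_jobs and run:
#   stopservice cron && startservice cron

# is_running NAME LISTING: 0 if a process whose command is NAME (with or without
# a path prefix and arguments) appears in LISTING, the text output of ps.
# Passing the listing in as text keeps the check testable without a router.
is_running() {
    printf '%s\n' "$2" | grep -qE "(^|[[:space:]/])$1([[:space:]]|\$)"
}

# ensure_running NAME LISTING START_CMD: print running, started or failed
# and return 0 unless the start command itself failed.
ensure_running() {
    if is_running "$1" "$2"; then
        echo running; return 0
    fi
    if sh -c "$3" >/dev/null 2>&1; then
        echo started; return 0
    fi
    echo failed; return 1
}

# Cron entry point: "vpn-watchdog.sh run". Config paths are assumed placeholders.
if [ "$1" = "run" ]; then
    listing=$(ps)
    ensure_running openvpn "$listing" \
        "openvpn --config /jffs/openvpn/server.conf --daemon" >/dev/null
    ensure_running vpnc "$listing" "vpnc /jffs/vpnc/company.conf" >/dev/null
fi
```

Because ps is read once before either start command runs, the two checks cannot race each other within one cron run; the one-minute cron interval covers the case where ppp0 is still coming up when the first attempt fails.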

DD-WRT v24 Upgrade on My WRT54G v2.2 Wireless Router

It has been some time that I wanted to upgrade the firmware, but I rarely had the motivation to do so. I reassured myself that I would not brick the router, and reminded myself how DD-WRT always produces new and exciting features. So today, I did it. It took around 20 minutes to upgrade and re-configure my router. I have a significant number of customizations, especially QoS and port forwarding, and they take a while to reconfigure. Unfortunately I can’t import saved settings from the previous version of the firmware.

Since I have a WRT54G v2.2 (antique), I followed the advice from the Internet: upgrade to the mini version first and then to the standard version.

One of my favorite additions is the ability to see how many connections each client is using:

Another feature that I think is cool is the ability to plot a real-time bandwidth graph:

The WAN graph is maxed out because I am downloading Ubuntu from OSCC mirror as mentioned in the previous post.

There are tons of other improvements that I can’t include here; try it out yourself!

Enabling connection to modem to check stats

Since the WRT54G is not a modem, I sometimes need to check my ADSL stats and have to connect to the modem directly. My provider sometimes does cheat by capping my connection lower than what I have paid for.

To enable this I simply add an interface alias to the vlan1 interface on the router. I am using a Linksys AM-300 modem-router as a modem only, and it has the default IP of 192.168.1.1. If you didn’t customize your WRT54G then it’s difficult, because 192.168.1.1 is also its default IP. In my case, my LAN is in a different subnet (my WRT54G has a customized IP). All I had to do in the web interface was go to Administration > Commands, enter ifconfig vlan1:1 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 in the box and click on “Save Startup”. The router will reboot because it is a startup script!

After the router finishes rebooting, if I enter 192.168.1.1 in my browser address bar I get my AM-300 administration page. Now I can be sure I am not being cheated and still get my 2Mbps 😉

MacBook Air Is Too Expensive For Me

Hey hey hey… looks like the MacBook Air’s price has been released in Malaysia. However, when I took a glance at Machines Sunway Pyramid last weekend I didn’t see any hint (not even a flier) about the MacBook Air.

The least expensive model is priced at RM6,299.00 (~US$1,949.25), which is actually logical for an Apple notebook. However, analyzing the tech specs, I can get a very high-end x86 machine with that kind of money! Unless I have a never-ending flow of money, or am very rich, I don’t think I will get one of those. The most expensive model is RM10,899.00 (~US$3,372.74), which is jaw-dropping. 🙁

In the States, the prices are US$1,799.00 (~RM5,813.46) and US$3,098.00 (~RM10,011.19) respectively.

Sure, the physical design is extremely beautiful. But if I really want to use Mac OS X, I guess I can try installing it on a normal x86 machine. I guess we can’t expect a good balance between physical beauty and excellent tech specs!

I guess I’ll just have to forget about self-adjusting keyboard backlight and multi-touch trackpad. Michael Dell, I’m coming your way!

Apple MacBook Air, Anyone?

[Image: MacBook Air]

I couldn’t believe my eyes when I saw this notebook. It’s as thin as air, hence the perfect name. At 1.94cm, it is as thick as two foolscap binders stacked on top of each other. The weight of 1.36kg is simply acceptable.

It looks like I made the right decision not to get myself a MacBook Pro late last year. Of course, we still don’t know how much it’ll cost and when it will arrive in Malaysia. It has just been launched in the States.

At that thickness I would never have thought this machine would be able to have an “almost” normal configuration. It comes with either a 1.6GHz or 1.8GHz Intel Core 2 Duo processor, standard 2GB RAM, 13.3″ screen, the latest 802.11n Wi-Fi, built-in Micro-DVI output (VGA & DVI with provided adapters, S-Video & Composite with optional adapters), the cool backlit keyboard with ambient light sensor, and a battery that lasts for 5 hours.

Did I mention storage? It comes standard with a traditional 4200RPM IDE (aka parallel ATA) drive or optionally a 64GB solid-state drive. The SSD is cool, and would be very resistant to shocks caused by moving around.

Well, that’s my summary. Go here for a detailed spec. Now, let me spend some time to watch the guided tour. 🙂

Why I Set Up VPN On DD-WRT On My Router

Every day I receive a massive number of emails from many sources and half of them are valid (i.e. not spam). And at certain times I receive huge attachments from friends with pictures or other things. With a normal Streamyx ADSL connection this is fine, but when it gets hiccups my email retrieval process normally gets interrupted in the middle (timed out). 90% of the time my Thunderbird goes nuts and corrupts its own “state” database. This means that it “forgets” which messages it has downloaded and which it has not.

This would not be a big problem if I set my email client to “delete from server” each time, but I set it to “leave on server” as an online backup. I know, I know, I am a freak. Because of this, the next time it retrieves, my email client downloads every message from my Inbox (which is in the thousands because I still keep my emails since 1997). This is insane.

I needed a more robust solution, and as a Linux geek I used fetchmail to download my emails to a local server and set it to “leave on server”. From my observation, it does not have the same corrupting effect as Thunderbird when a timeout occurs. Good, one problem solved. Next, I set my Thunderbird to retrieve email from the local server, which is faster than a speeding bullet. OK, I exaggerated. I set it to “delete from server”, where the server is the local server. Good, another problem solved.

Now I have my emails intact regardless of what the connection condition is.

But… when I am on the road I have a problem retrieving my emails. I can hear someone shouting, “why the hell don’t you just use the webmail?”. When it comes to email, I think I have Obsessive Compulsive Disorder. Except for GMail, I need my Thunderbird to compose my emails.

This is when I realized that I can do something about it. I enabled a simple VPN server on my Linksys WRT54G router which I have flashed with DD-WRT. Here’s a complete guide that I followed: http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration.

I have never regretted it since, but I do have to make sure that the connection to my home is stable enough. Be warned that this will only work if the connection you are using allows PPTP pass-through.

There you go, a story of someone having email OCD. What’s your excuse?

Oh BTW I also have a PAC (Proxy Auto Configuration) setting on my browsers so when there is a connection to the Squid box at home (the VPN is connected), it’ll utilize the cache. 😛

Do You Own An MP3 Player?

MP3 players today are as common as the discman or walkman used to be. Back then we had to carry a bigger pouch to pack in our CDs or cassettes, and each of them usually carried only about 17 songs, and that was already considered many.

Today, with a device the size of a cigarette lighter, and sometimes smaller, you can pack hundreds of songs and barely feel the weight. It’s the miraculous mp3 player. They come in all sorts of shapes and colors; a confused toddler just might think it is candy 😉

I have been toying with the idea of owning a good one (maybe an iPod?), with gigabytes of space to store my songs but until today even after spending much more on other devices I still never bought one myself. I only own a 512MB Creative Zen Neeon that I got for free last year.

What about you, what mp3 player do you currently use and what’s your dream device?

1TB Hitachi Hard Drive

51 years after the introduction of the first hard drive by IBM in 1956 (5MB in capacity), Hitachi has released a 1TB hard drive. For the technical readers, 1TB = 1024GB = 1048576MB. That’s a huge amount of data, and if the hard disk crashes and you don’t have any backups or a RAID setup, you’ll end up kneeling down and crying over your lost data. And just imagine the cost of a data recovery service…

[Image: Hitachi 1TB box]

In the future, if I ever consider buying disks this big, I’ll surely buy them in pairs and set up RAID.

The consumer version of the Hitachi drive is named Deskstar 7K1000, while the two other versions (to be released later, in the 2nd quarter) are called CinemaStar for DVR boxes and an as-yet-unnamed enterprise version with a certified MTBF.

The disk contains 5 platters, each carrying 200GB. The 7200 rpm Serial-ATA drive will have a 32MB data buffer. It will be available in SATA 3.0Gb/s and Parallel-ATA 133 interfaces.

Of course, this big capacity was achieved with Perpendicular Recording.

For further reading on this technology, go to http://www.pcworld.com/article/….

Whatever it is, I am sure the late Reynold Johnson would be very happy with what has evolved from his invention and how it has helped mankind.

Thanks to Azidin for the heads up.

When Things Are So Easy… Cursed?

I just realized that when things get so easy, I get confused and lost. Last Saturday a friend asked me to help install one of these at his home:

[Image: Netgear wireless router]

There was an installation CD with SmartWizard®, which Netgear said should be “effortless”. Sure, it should be, and yet I was thinking in a low-level networking way, the way wireless routers used to be, where you hook your machine’s network card up to it and access it via an internal IP address with a web-based administration interface.

SmartWizard® is supposed to be convenient; it has all the instructions and steps (i.e. take the cable off, switch that off, switch that on, enter the DSL login/password) but I can’t seem to find anywhere where I can save the login/password to the damn thing.

DHCP seems to be working; it gives the PC an IP of 192.168.1.2, which logically means that the router has 192.168.1.1, but still TCP connections to port 80 are refused. All I could do was an nslookup (the router has a built-in DNS where www.routerlogin.com or something like that points to its own internal IP).

Weird. The funny thing is that when my friend brought the unit along with his DSL modem to the shop, the guy over there installed it in minutes. Go figure.

I am starting to think that I am cursed or something like that, since a few weeks ago another friend had trouble with her PC and I couldn’t find what the problem was. I disconnected all cables and hooked up only the monitor, and yet the thing doesn’t even give me a BIOS POST message. When my friend told me that she had cleaned up the inside with a feather duster (which is dumb: static electricity) I assumed that the thing was broken, and was too busy to look at it a second time.

Just a few days ago she mentioned that the PC is working again, and that the problem was a wrongly connected cable. Which cable? I have no idea (she has no idea). The funny thing is that all cables in a computer system are designed in shapes that make it impossible to plug them in the wrong way. Oh well, go figure. I am too tired to think about it.

I don’t think I will respond to any home-computer-related distress calls from friends anymore. I am too easily stressed out nowadays. Can anybody let me know a nice and polite excuse to reject requests for help?

Storage Emergency

My 17-day-old Seagate Barracuda 7200.9 300GB disk was giving a lot of errors two days ago. There were a bunch of errors in my syslog:

ata1: translated ATA stat/err 0x51/40 to SCSI SK/ASC/ASCQ 0x3/11/04
ata1: status=0x51 { DriveReady SeekComplete Error }
ata1: error=0x40 { UncorrectableError }
ata1: translated ATA stat/err 0x51/40 to SCSI SK/ASC/ASCQ 0x3/11/04
ata1: status=0x51 { DriveReady SeekComplete Error }
ata1: error=0x40 { UncorrectableError }
sd 2:0:0:0: SCSI error: return code = 0x8000002
sda: Current: sense key: Medium Error
Additional sense: Unrecovered read error - auto reallocate failed
end_request: I/O error, dev sda, sector 212833665
Buffer I/O error on device sda1, logical block 106416801
ata1: translated ATA stat/err 0x51/40 to SCSI SK/ASC/ASCQ 0x3/11/04
ata1: status=0x51 { DriveReady SeekComplete Error }
ata1: error=0x40 { UncorrectableError }
ata1: translated ATA stat/err 0x51/40 to SCSI SK/ASC/ASCQ 0x3/11/04

Yes, that’s right. After 17 days, so I can’t get a one-to-one replacement from the shop.

SMARTD Logs:

Error 6892 occurred at disk power-on lifetime: 427 hours (17 days + 19 hours)
When the command that caused the error occurred, the device was active or idle.
 
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 b4 95 af e0  Error: UNC at LBA = 0x00af95b4 = 11507124
 
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
-- -- -- -- -- -- -- --  ----------------  --------------------
25 00 d0 b0 95 af e0 00      01:47:04.861  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:47:03.048  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:47:01.243  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:46:59.447  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:46:57.650  READ DMA EXT
 
Error 6891 occurred at disk power-on lifetime: 427 hours (17 days + 19 hours)
When the command that caused the error occurred, the device was active or idle.
 
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 b4 95 af e0  Error: UNC at LBA = 0x00af95b4 = 11507124
 
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
-- -- -- -- -- -- -- --  ----------------  --------------------
25 00 d0 b0 95 af e0 00      01:47:04.861  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:47:03.048  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:47:01.243  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:46:59.447  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:46:57.650  READ DMA EXT
 
Error 6890 occurred at disk power-on lifetime: 427 hours (17 days + 19 hours)
When the command that caused the error occurred, the device was active or idle.
 
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 b4 95 af e0  Error: UNC at LBA = 0x00af95b4 = 11507124
 
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
-- -- -- -- -- -- -- --  ----------------  --------------------
25 00 d0 b0 95 af e0 00      01:47:04.861  READ DMA EXT
25 00 d0 b0 95 af e0 00      01:47:03.048  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:47:01.243  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:46:59.447  READ DMA EXT
25 00 d8 a8 95 af e0 00      01:46:57.650  READ DMA EXT

Here’s the disk label:

[Image: Seagate 300GB disk label]

I blamed the disk. My friend Azidin had a different idea. He said that it might be the SATA controller card that I installed on my computer that’s causing the errors. I didn’t believe him.

That night I tested the disk with Azidin. There were a lot of bad sectors!!!!! But still, I refused to blame the SATA controller card.

[Image: SeaTools scan results]

After work on 23 June, I immediately rushed to the shop, hoping that they would give me some help, or keep my disk for checking over the weekend, but they (C-Zone) turned me away, saying that their service center was closed, and asked me to come back the next day. I was disappointed. But I didn’t leave Low Yat Plaza before buying a 200GB Maxtor disk from Startec, just in case it takes months to get my disk repaired.

[Image: Maxtor 200GB disk]

Back home, I installed the disk on the same SATA controller card. The next day, I got these in my syslog:

end_request: I/O error, dev sda, sector 132826840
Buffer I/O error on device sda2, logical block 8210
lost page write due to I/O error on sda2
ATA: abnormal status 0xD0 on port 0x9807
ATA: abnormal status 0xD0 on port 0x9807
ATA: abnormal status 0xD0 on port 0x9807
ReiserFS: sda2: warning: journal-837: IO error during journal replay
REISERFS: abort (device sda2): Write error while updating journal header in flush_journal_list
REISERFS: Aborting journal for filesystem on sda2
ata1: command 0x25 timeout, stat 0xd0 host_stat 0x1
ata1: translated ATA stat/err 0xd0/00 to SCSI SK/ASC/ASCQ 0xb/47/00
ata1: status=0xd0 { Busy }
sd 0:0:0:0: SCSI error: return code = 0x8000002
sda: Current: sense key: Aborted Command
Additional sense: Scsi parity error
end_request: I/O error, dev sda, sector 133810704

I started to believe that the controller card might be causing the problems. What are the odds that all my disks end up producing errors like these? I decided to buy a new motherboard with a built-in SATA controller, without spending too much. Also, I have an unused socket 478 Celeron, so after some research I decided to get an ASUS P4P800-MX that’s still available at Cycom. The very same night, I ran Seagate Desktop on my older disk: low-level format (zero fill). It took hours but was totally worth it. This morning when the process finished I ran another surface scan of the 300GB disk and all the bad sectors are gone. Phew! I decided not to send it to the shop, but to continue using it with caution. It carries a 5-year warranty anyway.
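The two syslog excerpts above actually differ in kind: the first disk reports UncorrectableError and Medium Error, which are verdicts about the platters, while the second shows abnormal status, command timeouts, Aborted Command and a parity error, which are verdicts about the path between the kernel and the drive. The script below is an added example for this post, not a tool the author used: it sorts kernel ATA/SCSI error lines into those two groups and pulls out the failing sectors, so that the same errors appearing on two different disks behind one card stands out as a controller problem. The sample log lines in the test are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example: triage kernel ATA/SCSI errors from syslog text into media
# errors (the platters) versus bus/command errors (cable, controller, driver).

# classify_ata_errors LOGTEXT: print "media=N bus=N"
classify_ata_errors() {
    printf '%s\n' "$1" | awk '
        /UncorrectableError|Medium Error|Unrecovered read error/ { media++ }
        /abnormal status|command .* timeout|parity error|Aborted Command/ { bus++ }
        END { printf "media=%d bus=%d\n", media, bus }'
}

# failing_sectors LOGTEXT: print "DEVICE SECTOR" for every end_request I/O error
failing_sectors() {
    printf '%s\n' "$1" | awk '
        /end_request: I\/O error, dev / {
            dev = $(NF-2); sub(/,$/, "", dev); print dev, $NF
        }'
}

# verdict LOGTEXT: one word: media, bus, mixed or none
verdict() {
    summary=$(classify_ata_errors "$1")
    media=${summary#media=}; media=${media%% *}
    bus=${summary##*bus=}
    if [ "$media" -gt 0 ] && [ "$bus" -gt 0 ]; then echo mixed
    elif [ "$media" -gt 0 ]; then echo media
    elif [ "$bus" -gt 0 ]; then echo bus
    else echo none; fi
}

# Stand-alone use: grep -E 'ata|sd' /var/log/messages | sh ata-triage.sh run
if [ "$1" = "run" ]; then
    log=$(cat)
    classify_ata_errors "$log"
    failing_sectors "$log"
    echo "verdict: $(verdict "$log")"
fi
```

A "bus" verdict on a drive that SeaTools later passes after a zero fill, as happened here, is the hint that the drive was never the problem; the sector list is still worth keeping so the same LBAs can be compared with the UNC entries in the smartctl error log.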

[Image: SeaTools second scan, all OK]

So today I went and bought a P4P800-MX from Cycom, with two sticks of 512MB DDR (to utilize the dual-channel memory bus). I have just finished installing the 300GB Seagate disk plus the 200GB Maxtor disk on the new motherboard. Everything looks good.

The culprit? Here it is:

[Image: SATA controller card]

I don’t think it’s the chip. Maybe the card is defective. I bought it at Sri, in a plastic package (they hang such packages on a wall like in a supermarket). I thought of returning it, but I’m too tired to argue with the shop.

Oh well. I am all happy now. Thanks to Azidin for his help, and of course to my dear wife for her understanding of this matter.