Meidokon Wiki

Nifty hardware, here's some stuff to do with it.

Contents

  1. Alternative hardware
    1. Possible boards for a cyberdeck-type use
      1. Requirements
      2. Intended uses
      3. Compute offerings
  2. Display hats
  3. Smallish external displays
  4. RPi builds
  5. Apt Cacher NG
  6. PXE utility server
  7. Minimising
  8. General provisioning
    1. Unifi controller references
  9. Debian 11 Bullseye on Zero W
  10. Pihole HA

Alternative hardware

Maybe you want something different? There are many manufacturers of single-board computers now. Here's one that'd be good for a VPN access router or something, the Nano Pi R4S: https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=284

Possible boards for a cyberdeck-type use

Requirements

  • Wifi
  • Battery powerable
  • USB chargeable
  • Some sort of display, probably rearview-sized HDMI
  • Useful to have extra status display? SPI/I2C OLED would do
  • USB keyboard

How performant does it need to be? Any reason it can't be an RPi or something? Probably not if I want more network ports, or fancier wifi.

Intended uses

  • Portable diagnostic terminal, this means being able to scan for wifi, jack into ethernet, run tcpdump and similar things.
  • Possible fixed-function usage, switch between apps with dedicated hardware buttons
  • Dedicated serial console mode? Jack into a switch with Cisco RJ45 serial or classic DB9, probably through a USB dongle. 3-pin TTL debugging console would be handy as well.

Compute offerings

  • Banana Pi BPI-M7
    • https://docs.banana-pi.org/en/BPI-M7/GettingStarted_BPI-M7

    • About $260 AUD in base 8G/64G config: https://www.aliexpress.us/item/1005006504845998.html

    • Very well specced for network and storage options
  • Radxa NIO 12L
    • About $185 AUD in 8G/128G config: https://arace.tech/products/radxa-nio-12l?variant=42914957131956

    • Smaller and fewer ports, but still well specced compared to the BPI-M7, has an NPU
  • Radxa ROCK 5C
    • About $92 AUD for the 4G version and $123 AUD for the 8G version, no storage included: https://arace.tech/products/radxa-rock-5c?variant=42798016954548

Also worth considering an x86 pocket PC, it's crazy that you can basically get a pocket netbook now with a touchscreen for ~$300 AUD: https://www.geekbuying.com/item/Meenhong-JX2-5-7-inch-Touchscreen-Mini-PC-522725.html

And that one's not even particularly good value. The screen being built in may or may not be a good thing for hacking. You probably also want the flexibility of GPIO pins and general hackability that a consumer-oriented product won't give you.

Banana Pi has some interesting options, they have a LOT of different boards.

  • Banana Pi M5 Pro: https://docs.banana-pi.org/en/BPI-M5/BananaPi_BPI-M5_Pro

  • Banana Pi M7: https://docs.banana-pi.org/en/BPI-M7/BananaPi_BPI-M7

The M7 is the exact same form-factor as the M5 Pro, to the extent that they use the same case, just the M7 has beefier specs.

Call it 200 bucks for the M5 Pro and 250 for the M7, might as well go for the latter:

  • M7: https://www.aliexpress.com/item/1005006504845998.html

  • M7 case for $25: https://www.aliexpress.com/item/1005006896915587.html

Display hats

Here's one I bought from Aliexpress for about 20 bucks Aussie: http://www.lcdwiki.com/3.5inch_RPi_Display

There's no one canonical supplier, but you can tell they're all the same product.

Here are my notes. I downloaded their driver package (https://github.com/goodtft/LCD-show.git) then pulled it apart. It's not hard to get up and running, even avoiding the all-in-one script that probably smashes itself onto your system.

# copy the devicetree file to two names in the overlays dir
cp ./usr/tft35a-overlay.dtb /boot/overlays/
cp ./usr/tft35a-overlay.dtb /boot/overlays/tft35a.dtbo

# enable spi in raspi-config (or uncomment it in /boot/firmware/config.txt, dtparam=spi=on)


# They wanna edit /boot/config.txt

# if hdmi display is not detected and composite is being output
hdmi_force_hotplug=1
enable_uart=1
dtoverlay=tft35a:rotate=90

# forces a specific mode
hdmi_group=2
hdmi_mode=1
hdmi_mode=87
hdmi_cvt 480 320 60 6 0 0 0
# force a HDMI mode rather than DVI
hdmi_drive=2


# for the touchscreen
cp -rf ./usr/99-calibration.conf-35-90  /etc/X11/xorg.conf.d/99-calibration.conf

# compile and install fbcp
mkdir -p ./usr/rpi-fbcp/build
cd ./usr/rpi-fbcp/build
cmake ..
make
cd ../../../
install -v ./usr/rpi-fbcp/build/fbcp /usr/local/bin/fbcp

# make the Xorg server pick up and load xf86-video-fbturbo driver installed in the system
cp -rf ./usr/99-fbturbo.conf       /usr/share/X11/xorg.conf.d/99-fbturbo.conf

cp -rf ./usr/99-fbturbo-fbcp.conf  /usr/share/X11/xorg.conf.d/99-fbturbo.conf
# And now... run fbcp constantly in the background? Maybe this only does something after a reboot loads the fbturbo thing

# Try this instead
cp -v ./usr/99-fbturbo-fbcp.conf  /etc/X11/xorg.conf.d/99-fbturbo.conf
# change the end of /etc/rc.local to:
sleep 7
fbcp &
exit 0

It's not even clear that this matters, and I think it's because I'm on a non-graphical system - no framebuffer to deal with, no fbturbo driver either. Derp.

# touchscreen config stuff
apt install xserver-xorg-input-evdev
apt install ./xserver-xorg-input-evdev_1%3a2.10.6-2_arm64.deb
# what does this even do??
cp -rf /usr/share/X11/xorg.conf.d/10-evdev.conf /usr/share/X11/xorg.conf.d/45-evdev.conf

Try rebooting now?


Aha there it is. It says nothing on the console but it does log to syslog:
Jul 11 18:04:23 azusa fbcp[756]: Unable to open primary display

Removing it was easy too

Remove fbcp from /etc/rc.local

rm /etc/X11/xorg.conf.d/99-fbturbo.conf
rm /usr/local/bin/fbcp

comment out the stuff in /boot/firmware/config.txt

rm /boot/overlays/tft35a-overlay.dtb /boot/overlays/tft35a.dtbo

disable SPI in raspi-config

Reboot

Smallish external displays

These are all sort of laptop-ish size which might be convenient for cyberdeck-style builds.

  • Arace 8" HD touch panel
    • 1280 x 800
    • 5-point touch input
    • MIPI connection
    • About $70 AUD: https://arace.tech/products/display-8-hd

  • Arace 10" FHD touch panel
    • 1920 x 1200
    • No touch?
    • MIPI connection
    • About $100 AUD: https://arace.tech/products/display-10-fhd

  • 5.5" 1080p IPS panel (touch?)
    • About $60 AUD: https://www.aliexpress.com/item/1005006117065145.html

  • Ubiquitous 480x320 status display
    • 3.5" panel, advertised for PC status dashboards
    • Power and signal over a USB-C cable, intended for Windows machines
    • Meant to be used with their own proprietary software, but surely is hackable
    • Might be a USB-attached GPU and display in one, so there's no HDMI or DP on the cable
    • Less than $10 AUD: https://www.aliexpress.com/item/1005005641370235.html

    • This one for $27 AUD? Says it supports linux, but they probably all do: https://www.aliexpress.com/item/1005004754031670.html

  • 256x64 pixel OLED panel
    • Small and probably bright
    • Likely best as an external notifications display
    • About $60 AUD: https://www.aliexpress.com/item/1005006861815214.html

  • Bar displays, nice and wide
    • About 8-9" sizing
    • Made for mounting in a PC, which is good for hacking
    • Black or white, 1920x480, USB-only, might not be suitable, too smart; about $70 AUD: https://www.aliexpress.com/item/1005005538830549.html

    • Black or white, 1920x480, HDMI and micro-B, about $60 AUD: https://www.aliexpress.com/item/1005005777270234.html

      • RPi and AIDA64 instructions on this one: https://www.aliexpress.com/item/1005005653159471.html

  • 3.5" 480x320 touchscreen designed to sit directly on an RPi
    • About $6 AUD: https://www.aliexpress.com/item/1005006849788696.html

    • I got one of these, the process I followed to get it working is the one shown above
  • 7" 1024x600 touchscreen designed for an RPi, but via HDMI cable offboard
    • About $25 AUD: https://www.aliexpress.com/item/1005006849086577.html

RPi builds

This is using them for stuff like Pihole and Wireguard.

  • https://www.reddit.com/r/pihole/comments/c62np8/pihole_with_unbound_wireguard_vpn_server_on_a/

  • https://github.com/harrypnyce/raspbian10-buster/blob/master/README.md

  • https://www.raspberrypi-spy.co.uk/2019/10/pi-hole-oled-status-screen/

  • https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/

Monitoring is good too.

  • https://bestmonitoringtools.com/how-to-install-zabbix-on-raspberry-pi-raspbian/

Apt Cacher NG

Package cache, great for RPi because one of the upstream repos is horrible and slow.

  • https://wiki.debian.org/AptCacherNg

  • https://www.unix-ag.uni-kl.de/~bloch/acng/

  • https://help.ubuntu.com/community/Apt-Cacher-Server

  • https://fabianlee.org/2018/02/11/ubuntu-a-centralized-apt-package-cache-using-apt-cacher-ng/

PXE utility server

https://wiki.polaire.nl/doku.php?id=raspberry_pi_pxe_server

Minimising

Stuff you can do to make it boot faster and run leaner. These notes are from running Fedora, but they're somewhat general.

disable wifi in config.txt (https://raspberrypi.stackexchange.com/questions/43720/disable-wifi-wlan0-on-pi-3)
    dtoverlay=disable-wifi
    yum erase -y wpa_supplicant
disable selinux (https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html)
    selinux=0 on kernel cmdline
    grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
disable firewalld
    systemctl disable firewalld --now
    dnf erase -y firewalld
disable auditd
    audit=0 on kernel cmdline
    grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
disable sound (https://www.instructables.com/id/Disable-the-Built-in-Sound-Card-of-Raspberry-Pi/)
    modprobe.d blacklisting /etc/modprobe.d/raspi-blacklist.conf
    
disable fstrim (do it with an @reboot crontab)
    systemctl disable fstrim.service --now
    /usr/sbin/fstrim --fstab --verbose --quiet
remove lvm2
    yum erase -y lvm2

Maybe use systemd for networking config: https://raspberrypi.stackexchange.com/questions/108592/use-systemd-networkd-for-general-networking

Set up the filesystem to be read-only if you want it to be really bulletproof and appliance-y: https://medium.com/@andreas.schallwig/how-to-make-your-raspberry-pi-file-system-read-only-raspbian-stretch-80c0f7be7353

General provisioning

  1. Download the latest image, like RPi OS buster-lite, write it to SD card with balenaEtcher
  2. Boot as normal, let it do the firstboot thing
  3. Rename it: https://wiki.debian.org/HowTo/ChangeHostname or use raspi-config tool

  4. Wifi as needed in raspi-config
  5. Set locale and default system locale in raspi-config
  6. Enable ssh

    systemctl enable --now ssh
  7. Fully update

      apt update && apt full-upgrade
      apt install vim screen locales bash-completion lsof tcpdump netcat strace nmap
      reboot
  8. Change password for pi account

  9. Install your ssh pubkeys
  10. apt autoremove, autoclean
  11. Empty motd, don't care about that on SSH login

    > /etc/motd
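
A check to run once steps 6 to 9 are done, as an added example that is not part of the original notes: it confirms the pubkeys landed with permissions sshd accepts, and reports whether password logins are still on. The function names, the finding labels and the idea of feeding it saved `sshd -T` output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Paths are arguments so the check
# can be pointed at /home/pi and saved `sshd -T` output, or at test fixtures.

# True when group or other has write permission on the path.
writable_by_others() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints one finding per line; prints nothing when everything checks out.
check_ssh_provisioning() {
    home_dir=$1     # account home, e.g. /home/pi
    sshd_dump=$2    # file holding `sshd -T` output (an sshd_config also works)
    keys="$home_dir/.ssh/authorized_keys"

    if [ ! -s "$keys" ]; then
        echo "no-authorized-keys"
    else
        # At least one non-comment line has to carry a public key type.
        if ! grep -Eq '^[^#]*(ssh-ed25519|ssh-rsa|ecdsa-sha2-)' "$keys"; then
            echo "authorized-keys-has-no-key-lines"
        fi
        # With StrictModes (the default) sshd ignores key files that other
        # users could have written to.
        if writable_by_others "$keys"; then
            echo "authorized-keys-writable-by-others"
        fi
        if writable_by_others "$home_dir/.ssh"; then
            echo "ssh-dir-writable-by-others"
        fi
    fi

    # The first occurrence of a keyword wins; `sshd -T` prints keywords in
    # lower case, so compare case-insensitively. sshd's default is "yes".
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$sshd_dump")
    if [ "${pw:-yes}" = "yes" ]; then
        echo "password-login-enabled"
    fi
    return 0
}
```

On the Pi, save `sshd -T` output to a file as root and pass it as the second argument, with `/home/pi` as the first.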

Unifi controller references

  • https://community.ubnt.com/t5/UniFi-Routing-Switching/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller/td-p/2470231

  • Useful packages to install:

    apt install openjdk-8-jre-headless
    apt install haveged

Debian 11 Bullseye on Zero W

As an extension/variant of the above, most of the trickiness is initial booting.

https://raspi.debian.net/faq/

Loaded up the image, booted, fixed up the wifi config in /etc/network/interfaces.d/wlan0

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-ssid "Your Waifu is Trash"
    wpa-psk ABCDEFGHIJKL

Tweak /boot/firmware/sysconf.txt settings and reboot.

Should use hostnamectl set-hostname makarov.thighhighs.top

Actually it's much like furinkan/private/illustrious, can also follow that.

THIS IS A ROOT-ONLY BUILD

apt install vim screen locales bash-completion

Fix the locales: dpkg-reconfigure locales

Disable console blanking, seems this is already done by default:
    cat /sys/module/kernel/parameters/consoleblank

Disable address privacy:
    echo -e "net.ipv6.conf.all.use_tempaddr = 0\nnet.ipv6.conf.default.use_tempaddr = 0" >> /etc/sysctl.d/local.conf
    service procps restart

echo "export EDITOR=vim" > /etc/profile.d/50-editor-vim.sh

timedatectl set-timezone Australia/Sydney

echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf

apt install python3 python-is-python3
apt install wget curl net-tools ack jq make mlocate elinks nmap whois
updatedb

curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
# the procps config dir doesn't exist on a fresh install
mkdir -p ~/.config/procps
curl -o ~/.config/procps/toprc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.toprc


apt install dphys-swapfile/testing

Edit /etc/dphys-swapfile and set CONF_SWAPFACTOR=2 or whatever, then systemctl restart dphys-swapfile

config.txt

enable_uart=1
upstream_kernel=1

kernel=vmlinuz-5.10.0-5-rpi
# For details on the initramfs directive, see
# https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=10532
initramfs initrd.img-5.10.0-5-rpi

Pihole HA

Run a couple of nodes, to ensure that an update or failure won't kill your entire network. Upstream ISP DNS servers are remarkably handy in their reliability, except when you can't reach them.

  • vector as primary and DHCP server
  • asval as secondary, maybe doing some DHCP too

Apparently it's valid to just rsync your configs across the network, that should do it. I wonder how the sqlite DB deals with this.

  • https://discourse.pi-hole.net/t/high-availability-ha-for-pi-hole-running-two-pi-holes/3138/3

  • Tools for scripted syncing: https://www.reddit.com/r/pihole/comments/eo2q1r/pihole_clustered_configuration/
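
On the sqlite question, an added example (not from the original notes or from Pi-hole): rsync copying a database file while something is writing to it can produce a torn copy, so this stages a consistent snapshot of each `.db` with the `sqlite3` CLI's `.backup` command and copies everything else as-is, leaving a directory that is safe to rsync. The function name and the staging layout are assumptions; it needs the `sqlite3` command-line tool installed.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a staging copy of a config
# directory in which every SQLite database is a consistent snapshot.

# stage_config SRC STAGE
#   SRC:   live config directory on the primary (path is up to the caller)
#   STAGE: scratch directory that is later handed to rsync
stage_config() {
    src=$1
    stage=$2
    mkdir -p "$stage" || return 1

    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case $name in
            *.db)
                # .backup uses SQLite's online backup API, so the snapshot is
                # consistent even if another process is writing to the source.
                rm -f "$stage/$name"
                sqlite3 "$f" ".backup '$stage/$name'" || return 1
                # Refuse to ship a snapshot that fails SQLite's own check.
                check=$(sqlite3 "$stage/$name" 'PRAGMA integrity_check;') || return 1
                [ "$check" = "ok" ] || return 1
                ;;
            *.db-wal|*.db-shm|*.db-journal)
                # Journal sidecars only make sense next to the live database;
                # copied on their own they can corrupt the replica.
                ;;
            *)
                cp -p "$f" "$stage/$name" || return 1
                ;;
        esac
    done
    return 0
}
```

Run it on vector against the live config directory, then rsync the staging directory to asval instead of rsyncing the live files.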
