Defcon:Blog Keklkakl blog blag


Flaws in my simplified CoreXY idea

After building my first prototype of a CoreXY based cartesian movement system, as shown in two earlier posts ((CoreXY Experimentation))((CoreXY experimentation update)), I have realized that my idea for a simpler pulley configuration is flawed. I had simply forgotten basic geometry. The idea was to start with a CoreXY system, as described on, take inspiration from FABtotum to avoid crossing belts, and simplify the pulley locations to get as few anchor points for the belts as possible. My attempt used two "layers" of belt paths and tried to reduce the number of pulley axles to 4, compared to CoreXY's 8 and FABtotum's 6. But unless I start offsetting the location of the stepper motors (and introducing uneven stress on the frame), I end up with an undesired geometry...

Filed under: Mechanics

WordPress XMLRPC is a liability

This week I re-launched my blog, and I really wanted to do so silently, without the useless "Oh look, I've upgraded" type of post that so many publish (myself included, in the past). But I was hit by a very common abuse vector that prompts me to write a few words about it. The problem: DoS via WordPress XML-RPC. I had installed WordPress 4.0, a version in which the XML-RPC flaws that let an installation be used as part of a botnet and the like are supposedly resolved. Yet after my new installation had been live for less than 24 hours, the server ground to a halt with ridiculous load numbers (190+), all of it caused by requests to /xmlrpc.php.
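Before blaming XML-RPC it is worth confirming from the access log that the load really is /xmlrpc.php traffic, and seeing who is sending it. The script below is an added example, not code from the original post. It assumes Apache's (or nginx's) "combined" log format, where the client IP is the first field and the request path is the seventh, and it runs over a handful of constructed log lines using documentation IP ranges rather than real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: find the clients hammering
# /xmlrpc.php in an Apache/nginx "combined" format access log.
set -eu

# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG='203.0.113.10 - - [10/Sep/2014:02:14:01 +0200] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Sep/2014:02:14:01 +0200] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Sep/2014:02:14:02 +0200] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2014:02:14:02 +0200] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Sep/2014:02:14:03 +0200] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Sep/2014:02:14:03 +0200] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Sep/2014:02:14:04 +0200] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# How much of the traffic is xmlrpc.php at all? Reads the log on stdin.
# Field 7 is the request path in combined format.
xmlrpc_share() {
    awk '$7 ~ /^\/xmlrpc\.php/ { x++ }
         END { printf "%d of %d requests hit xmlrpc.php\n", x + 0, NR }'
}

# Print "count ip" for every client with at least $1 xmlrpc.php requests,
# busiest first: the list to feed to iptables or fail2ban.
xmlrpc_offenders() {
    threshold=${1:-100}
    awk -v min="$threshold" '
        $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Stand-alone use: ./xmlrpc-offenders.sh /var/log/apache2/access.log
# Without an argument the constructed sample above is analysed instead.
if [ -n "${1:-}" ]; then
    xmlrpc_share < "$1"
    xmlrpc_offenders 100 < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | xmlrpc_share
    printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 2
fi
```

On a real log, raise the threshold to something that only a flood reaches; a legitimate mobile client makes a handful of XML-RPC calls per session, not thousands.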

What is XML-RPC anyway?

WordPress uses the XML-RPC API for a few things. The useful part is that it lets third-party publishing and administration applications, on desktop and mobile, work against the site. But it is also used for so-called "pingbacks" and "trackbacks", where one WordPress installation notifies another that a link to its content has been created in a post or page. Because that mechanism is supposed to run without user intervention, it works without authentication, unlike the publishing and admin part of the API that third-party clients use. A pingback is just a POST to /xmlrpc.php naming a source URL and a target URL; the receiving site then fetches the source URL to verify that the link exists, so anyone can make your server generate HTTP requests on their behalf without ever logging in.

Insecure by default

Before WordPress 3.5, the XML-RPC API was something you had to actively enable. To use it, whether for publishing clients or for pingbacks and trackbacks, you had to know that the API existed and switch it on. For a number of reasons I think that was a really good idea, primarily because XML-RPC used to have some seriously big flaws that could be used as vectors for abusing a WordPress installation. From version 3.5 most of those flaws have been fixed. And with that, someone decided that WordPress users are not very bright, that having to enable an API before using a third-party client was far too complex for them to understand, and enabled the API by default. They also removed the option for turning it off easily! What remains is the xmlrpc_enabled filter, which a plugin has to set in code, and which only gates the methods that require a login, so it does nothing about pingbacks. Having an anonymous, unauthenticated generator of HTTP requests enabled by default, with no filtering, could not possibly be a bad idea, right?
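Turning it back off takes two steps, and the following is an added example of both, not the post's or WordPress' own code. The first step is a must-use plugin (loaded on every request, no activation in the admin UI) that sets the real xmlrpc_enabled filter and, because that filter leaves pingbacks alone, also strips the pingback methods from the xmlrpc_methods filter and the X-Pingback response header. The second step matters for the load problem: every hit on xmlrpc.php still boots all of WordPress even when no method is left to call, so the request has to be refused in the web server before PHP starts. The script assumes a standard WordPress layout under the directory given as its first argument (default /var/www/wordpress) and Apache 2.2 as shipped with Debian Wheezy; the kek_ function names are made up for this example.

```shell
#!/bin/sh
# Added example, not the post's or WordPress' own code: switch XML-RPC back off
# on a 3.5+ install where the admin-UI option is gone. Assumes the standard
# WordPress layout under $1 (default /var/www/wordpress) and, for the web-server
# part, Apache 2.2 as shipped with Debian Wheezy. Function names with the
# "kek_" prefix are made up for this example.
set -eu

# 1. A must-use plugin: loaded on every request, no activation needed.
#    The real 'xmlrpc_enabled' filter only gates methods that log in, so it
#    does nothing for pingbacks; those are removed via 'xmlrpc_methods'.
install_xmlrpc_mu_plugin() {
    root=${1:-/var/www/wordpress}
    dir="$root/wp-content/mu-plugins"
    mkdir -p "$dir"
    cat > "$dir/disable-xmlrpc.php" <<'EOF'
<?php
/* Disable WordPress XML-RPC: authenticated methods and unauthenticated pingbacks. */
add_filter( 'xmlrpc_enabled', '__return_false' );

function kek_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'kek_drop_pingback_methods' );

/* Stop advertising pingback support in the X-Pingback response header. */
function kek_drop_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'kek_drop_pingback_header' );
EOF
    echo "$dir/disable-xmlrpc.php"
}

# 2. Even with every method removed, each hit on xmlrpc.php still boots the
#    whole of WordPress; under a flood that is what produces the load. Refuse
#    the request in the web server instead, before PHP is ever started.
apache_deny_snippet() {
    cat <<'EOF'
# Apache 2.2 syntax (Debian Wheezy); on 2.4 use "Require all denied".
# Put this in the vhost, or in .htaccess if AllowOverride includes Limit.
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>
EOF
}

# Append the deny block to the site's .htaccess (or any file given as $1).
write_apache_deny() {
    apache_deny_snippet >> "${1:-/var/www/wordpress/.htaccess}"
}

# Stand-alone use: ./disable-xmlrpc.sh /var/www/wordpress
case "${0##*/}" in
    disable-xmlrpc.sh)
        install_xmlrpc_mu_plugin "${1:-}"
        write_apache_deny "${1:-/var/www/wordpress}/.htaccess"
        ;;
esac
```

The blanket Deny also locks out the mobile and desktop clients that are the one legitimate use of the API. If you need those, keep only the mu-plugin part, or replace "Deny from all" with a deny/allow pair that admits the addresses you publish from.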

Filed under: Systems administration

CoreXY experimentation update: pen plotting with motor moves

The prototype for my CoreXY experiment now moves under motor control. Using Marlin on an Arduino Mega with a RAMPS 1.4 board to drive the motors, I run through several speeds, from 800 mm/min up to 24000 mm/min (that is 400 mm/s). I have taken no care over precision in the belt path, and adding to that unevenly tightened belts, flex in the components, and finally a pen that isn't really fastened well, there are noticeable flaws in the resulting drawing. However, this also means the prototype highlights which areas of a final build will need extra attention.

Relevant links:

Filed under: Mechanics

CoreXY experimentation

Based on the CoreXY concept and ideas from FABtotum to avoid crossing belts, I'm experimenting to see if I can get away with as few mounting points for belts/pulleys as possible. This video shows that my prototype moves, as well as showing the CoreXY movements. Moving resistance feels very low, even though this is very simply built (no linear rollers or brass bearings, no attention paid to precision...). Next step: moving the parts using the motors 🙂

Ideas from:

Filed under: Mechanics

Arducopter AC 3.1.2 Loiter test on PX4

I've finally got a stable Loiter, by getting the GPS and compass away from pesky interference. I wasn't able to show the long-duration position hold I had planned, because my battery went flat a bit early 🙂

The AC version I am using is quite old, so it is not representative of the current AC Loiter state. I have also done only minimal tuning of nav/loiter for this test.

The frame I am using is a HobbyKing Q450 (really a Whirlwind FY450), equipped with generic 20A ESCs and NTM 28-30S 900 motors spinning unbalanced 1045SF plastic props, so the PX4 sees quite a lot of vibration. The GPS is a uBlox Neo-7M with an HMC5883L compass from HobbyKing.


Pathfinder Mk.0 Tricopter maiden flight

Maiden flight of my first build of a tricopter. The build is based on the common David Windestål trike design, but using 10x10mm aluminium profiles and FR4 for the centre plate. The flight controller on this one is a KK2.1.5, the ESCs are HK SS-series 18-20, and the tail servo is a TGY-9018MG.


FPV November – Biri Bruk

Evening flight in November at Biri Bruk.
Aircraft is my HCopter APM2.0

Soundtrack: "Son of a Rocket" by Kevin MacLeod, licensed under Creative Commons: By Attribution 3.0.


FPV forest flight in October

FPV flight in the forest.

Music by MiuGlitch/Miu


Xen on Debian Wheezy (with VLAN networking and LVM storage).

TODO: Add an introduction paragraph, or ingress (so having READ MORE makes sense...)

Preparing the operating system

The very first step in getting a Xen-capable Debian Wheezy server is to install Debian Wheezy. Really, there are no special tricks to this "step"; simply install a base system to your liking. I would recommend NOT installing any X/desktop environment at all; keep your Xen server a text-based system. Remember to install the SSH server, as you'll probably be managing the system remotely. I'd also suggest installing NTP, Vim and Screen as part of the base install. After completing debian-installer:

apt-get install ntp vim screen

The rest of this prep section is specific to my setup; you may skip down to "Installing Xen" if you like. In my setup I'm using two RAID sets: one hardware array with RAID1 for my root filesystem, and one software array with RAID5, used as a physical volume for LVM. To set those up, the following packages are needed:

apt-get install mdadm lvm2

Next, to create the software RAID, I used (after a lot of testing to get acceptable IOPS from the disks):

mdadm --create /dev/md0 \
      --verbose \
      --level=5 \
      --chunk=256 \
      --raid-devices=4 /dev/sd{a,b,c,d}

That creates /dev/md0 which, as I said, I use as a PV for LVM:

pvcreate /dev/md0
vgcreate sraid5 /dev/md0
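The following is an added example, not from the original post, that wraps the prep steps above in a script with the checks I would want before mdadm writes to whole disks: refuse a device that is mounted (or has a mounted partition), show the exact mdadm command before running it, and persist the array to mdadm.conf with an initramfs rebuild. That last step is not in the post; without an ARRAY line the array may come back under a different name (typically /dev/md127) after a reboot, and the initramfs needs it to find the volume group early. The device list, RAID level and chunk size and the sraid5 VG name are the post's; the optional mounts-file argument exists only so the check can be exercised without real disks.

```shell
#!/bin/sh
# Added example, not from the original post: the RAID + LVM prep as a script
# with safety checks. Device list, RAID level/chunk and VG name are the post's;
# everything else is this example's assumption.
set -eu

# Refuse any device that is mounted, or has a mounted partition (/dev/sda
# also matches /dev/sda1). $2 lets a test supply a mount table; default /proc/mounts.
devices_are_unused() {
    devs=$1
    mounts=${2:-/proc/mounts}
    for d in $devs; do
        if grep -q "^$d" "$mounts"; then
            echo "refusing: $d (or a partition of it) is mounted" >&2
            return 1
        fi
    done
    return 0
}

# Build the mdadm command line as text, so it can be reviewed (and tested)
# before anything is written to the disks.
mdadm_create_cmd() {
    md=$1; level=$2; chunk=$3; shift 3
    echo "mdadm --create $md --verbose --level=$level --chunk=$chunk --raid-devices=$# $*"
}

# Without an ARRAY line in mdadm.conf the array may come back as /dev/md127
# after reboot, and the initramfs must know about it to find the VG at boot.
persist_array() {
    conf=${1:-/etc/mdadm/mdadm.conf}
    mdadm --detail --scan >> "$conf"
    update-initramfs -u
}

main() {
    devs="/dev/sda /dev/sdb /dev/sdc /dev/sdd"
    devices_are_unused "$devs"
    cmd=$(mdadm_create_cmd /dev/md0 5 256 $devs)
    echo "about to run: $cmd"
    $cmd
    persist_array
    pvcreate /dev/md0
    vgcreate sraid5 /dev/md0
}

# Run only when executed as prep-raid.sh, so the functions can be sourced.
case "${0##*/}" in prep-raid.sh) main "$@" ;; esac
```

The mount check is deliberately crude: it catches the classic mistake of handing the root disk to mdadm, but it does not detect an existing RAID or filesystem signature on an unmounted disk. For that, run mdadm --examine and blkid on each device first and read the output before continuing.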

Installing Xen

With the basic operating system installed and (lightly) prepared, it is time to take the plunge and install Xen itself.

Filed under: Systems administration

Networking with VLANs on Debian Wheezy

This is a short note on using tagged VLANs on Debian Wheezy. Setting up and using VLANs on Wheezy is slightly changed from previous versions. The most notable differences are that vconfig is finally deprecated on Debian as well, and that the "vlan-raw-device" stanza is gone from the configuration.

In this short document I assume that you know how to set up VLAN trunking and tagging on the network equipment your Debian box is connected to.

Filed under: Systems administration