Milestone XProtect and Tailscale VPN using SSL

by

This post is an evolution of Milestone XProtect Mobile Server – SSL Certificate configuration as we continue to use SSL certificate with HTTPS.

The advantage is to use Tailscale VPN which is free up to 20 devices for personal use, to avoid open HTTP/HTTPS port to external public domain.

Configure Tailscale

Configuration is super simple:

  1. Download and install Tailscale to all Windows, Linux, Android, iOS devices
  2. Login using SSO with preferred method
  3. Once logged in Admin panel
  4. Select or change your tailnet name in DNS section to register unique domain name in DNS entries
  5. Enable MagicDNS in DNS section to automatically register domain names for devices in your tailnet
  6. Enable HTTPS Certificates in DNS section to allow provision of HTTPS certificates

HTTPS Certificates allows to replace manually generated certificate by Let’s encrypt with similar certificate generated by Tailscale for specific server in tailnet name.

Generate Certificate from Tailscale

To generate SSL certificate, connect to server / PC:

  1. Open PowerShell / CMD with Run as Administrator
  2. Move to folder where the certificate will be created CD C:\Certificate
  3. Generate the certificate using tailscale command: tailscale cert "<server_name>.<tailnet_name>.ts.net"
  4. Certificate file <server_name>.<tailnet_name>.ts.net.crt and Private Key file <server_name>.<tailnet_name>.ts.net.key will be created in the current folder

Convert certificate in Windows

To be able to use certificate in IIS running in Windows 10 or 11, the certificate file must be in PFX format which include the certificate and private key together.

Windows has certutil tool capable to generate PFX file using CER and KEY file (with the same name in the same folder), but the CRT file format isn’t recognized correctly:

certutil -mergepfx "<server_name>.<tailnet_name>.ts.net.crt" "<server_name>.<tailnet_name>.ts.net.pfx"

To generate PFX file online use SSL online converter website and select “Standard PEM” as current certificate to “PFX/PKCS#12”

To generate the PFX file offline you can use OpenSSL built for Windows. This is syntax to convert PEM certificate to PFX:

openssl pkcs12 -export -out "<server_name>.<tailnet_name>.ts.net.pfx" -inkey "<server_name>.<tailnet_name>.ts.net.key" -in "<server_name>.<tailnet_name>.ts.net.crt"

Import PFX certificate

Easier way is to double click on PFX file and follow certificate import wizard, remember to import in Computer Store, not in the User Store.

Automated and script version is to use PowerShell with Import-PfxCertificate cmdlet

Set-Location -Path cert:\localMachine\my
Import-PfxCertificate -FilePath "C:\Certificate\<server_name>.<tailnet_name>.ts.net.pfx"

Finally, select the new certificate in Server Config of XProtect Mobile Server

Advertisement

Baby Logger

by

[Update 10/7] Added OneDrive Backup and RaspberryPi shutdown page

This project logs baby’s bodily functions and displays them on a webpage. Many pediatricians recommend tracking your baby’s feeding patterns, wet and dirty diapers to help know if he/she are eating enough – at least for the first few weeks. This is valuable information if there is a problem early on. The doctor can use this information to help with a diagnosis.

For the tech/geek parents, Baby Logger is Raspberry Pi based on Python and PHP using 3 switches.

Here is some photo of the result, 100% Reduce – Reuse – Recycle approach: 😊

Here is the video of testing version, with 5sec delay in the script between switch activation and LED turning on:

Hardware Configuration

3 pin switch with LED

LED Switch configuration has 3 pin used as reported below:

Pin NumberPin ColorRoleConnectionState
1GoldGNDGND (-)Stable at GND
2SilverSwitch OUTVCC (+) FloatClosed = LED ON = VCC
Open = LED OFF = Float
3SilverSwitch INVCC (+)Stable at VCC
pinout switch configuration

Base hardware and engine is based on Raspberry PI Zero W pre-assembled and Electronics Fun kit or anything else to simplify cables and connectors between switch, LED and Pi with correct 10kΩ pull down resistor.

Pull Down switch configuration

Finally, RGB LED part of fun kit to report the status of the 3 switch back to user. Remember to add 220 Ohm resistor on the V+ wire:

Raspberry Pi Zero W – GPIO configuration

Raspberry Pi Zero W

List of GPIO pins used for the project. There 2 main groups:

  • Group #1 to control RGB Led
  • Group #2 to read status of switches for pee, fed and poo
  • Others are +3.3VCC and GND to power on/off
Variable NameGPIOTypeFunction
pee_led_pin20OUT#Green LED
PIN #34#GND
fed_led_pin16OUT#Blue LED
poo_led_pin12OUT#Red LED
PIN #9GND
pee_switch_pin17IN#Green Switch
fed_switch_pin27IN#Blue Switch
poo_switch_pin22IN#Red Switch
PIN #17VCC +3.3V
GPIO configuration

Software configuration

Raspberry PI OS

Make sure you have latest Bullseye OS version, install it from Raspberry Pi OS – Raspberry Pi

Perform an update to latest pages and remove unused one:

sudo apt update
sudo apt upgrade
sudo apt autoremove --purge -y
sudo apt autoclean

Python setup

Install Python library and MySQL SDK for Python

#setup python
sudo apt-get install python3-pip

#setup MySQL SDK
sudo pip3 install pymysql

#Verify installation
pip3 show PyMySQL

MySQL MariaDB setup

Install MariaDB as MySQL – you can follow this guide: Setup a Raspberry Pi MYSQL Database

#Install MariaDB
sudo apt install mariadb-server 

#Answer Y to all questions for best security
sudo mysql_secure_installation

Once MariaDB is installed, login, create user and configure DB and Table

#Login to MariaDB as root
sudo mysql -u root -p 

#Create User
CREATE DATABASE babylogger;
USE babylogger;
CREATE USER 'logger'@'localhost' IDENTIFIED BY 'YourPassword!';
GRANT ALL PRIVILEGES ON babylogger.* TO 'logger'@'localhost';
FLUSH PRIVILEGES;
quit

#Create Table
USE babylogger;
CREATE TABLE buttondata
	(
	id INT PRIMARY KEY auto_increment,
	created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
	category TEXT,
	state TEXT
	);
SHOW TABLES;
quit

After initial DB setup, you can login to DB using this:

mysql -u logger -p -D babylogger

#Show existing table
SHOW TABLES;

#Show existing records
SELECT * FROM buttondata;

Webserver NGINX setup

We need to setup web server to display PHP page with result of data. You can follow this guide: Build your own Raspberry Pi NGINX Web Server

#Remove Apache 2 if there
sudo apt remove apache2

#Install NGINX and start service
sudo apt install nginx
sudo systemctl start nginx

#Install PHP
sudo apt install php7.4-fpm php7.4-mbstring php7.4-mysql php7.4-curl php7.4-gd php7.4-curl php7.4-zip php7.4-xml -y

#Configure NGINX to process PHP
sudo nano /etc/nginx/sites-enabled/default

#Uncomment this section of the file
location ~ \.php$ {
               include snippets/fastcgi-php.conf;
               fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

Test the webpage connecting to http://raspberrypi/ from your computer.

GIT configuration

Download the Repo via GIT to Raspberry PI:

#Instal GIT
sudo apt install git
>>> git is already the newest version (1:2.30.2-1).

git --version

#configure your login information
git config --global user.name "username
git config --global user.email "username@email.com"

git config --list

#close repo
cd ~
git clone https://github.com/inglele/Baby-logger.git
cd Baby-logger/
ls

If you need to get an updated copy of the repo:

cd ~/Baby-logger/
git pull origin master

Set parameters files

Once all software is installed and repo downloaded in ~/Baby-logger, update the 2 files holding configuration for MySQL DB:

#Edit MySQL settings for Python
nano ~/Baby-logger/script/mysql_variables.py

#Edit MySQL settings for PHP
nano ~/Baby-logger/website/mysql_variables.php

Testing HW, Script and Website

Raspberry PI + Python Testing

Test Raspberry PI configuration with switch_test.py, it’s a simple script used to test Switch and LED without writing to DB with all log printed in console:

python3 ~/Baby-logger/script/switch_test.py

Web Server + PHP Testing

Copy the website folder in the GitHub repo to /var/www/html/ so NGINX can execute it

sudo cp ~/Baby-logger/website/* /var/www/html/

Test PHP and NGINX via:

If you need to restart NGINX or get more logs:

# Restart NGINX + PHP
sudo systemctl status nginx # Status
sudo systemctl restart nginx #Restart
sudo service php7.4-fpm restart

# Print NGINX error log
tail -f /var/log/nginx/error.log
sudo tail -f /var/log/php7.4-fpm.log

Baby-Logger main script Testing

Execute the mail baby_logger.py script from console to confirm all events are tracked and webpage is updating according:

python3 ~/Baby-logger/script/baby_logger.py

# Example of startup logs:
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - Set GPIO PIN configuration
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - DB Connection settings: localhost logger YourPassword! babylogger
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - Set INPUT GPIO
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - Setup LED GPIO
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - Reset LED GPIO
Sep 28 14:17:47 raspberrypi python3[509]: DEBUG - Flash RGB LED - Category: STARTING -
Sep 28 14:17:50 raspberrypi python3[509]: LOG - Baby Logger running...
Sep 28 14:17:50 raspberrypi python3[509]: DEBUG - File: /home/pi/Baby-logger/script/buttondata_2022-09-28.csv
Sep 28 14:17:50 raspberrypi python3[509]: LOG - Backup to /home/pi/Baby-logger/script/buttondata_2022-09-28.csv
Sep 28 14:17:50 raspberrypi python3[509]: LOG - 76 rows written successfully to /home/pi/Baby-logger/script/buttond>

Website should looks like this:

Configure Baby Logger as service

Next step is to automate startup during boot as service.

Create a new file: sudo nano /lib/systemd/system/babylogger.service with the following content:

[Unit]
Description=Baby Logger Service
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/bin/python3 /home/pi/Baby-logger/script/baby_logger.py
User=pi
Restart=always
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target

Reload daemon and start the babylogger.service:

sudo systemctl daemon-reload
sudo systemctl start babylogger.service

Enable autorun:

sudo systemctl enable babylogger.service

Check on the status of service:

#Check service status
sudo systemctl status babylogger.service

#Print last 30 rows of log
sudo journalctl -r -u babylogger.service -n 30 --no-page

OneDrive backup script

Follow these steps to setup rclone on Microsoft OneDrive (rclone.org) and allow you to backup CSV file in backup folder directly into OneDrive in case your MicroSD get corrupted or fail:

curl -L https://raw.github.com/pageauc/rclone4pi/master/rclone-install.sh | bash
rclone config

Follow the steps for onedrive and authenticate it via Windows is super easy.

Once done with initial configuration, you can use script/rsync.sh to automate the sync between backup folder and ondrive folder on PI:

rclone sync -v /home/pi/Baby-logger/backup "onedrive:Documents/Baby-logger/Backup"

Remember to mark as eXecutable with the following:

chmod +x rsync.sh
crontab -e

Add the following entry in cron file:

0 * * * * /home/pi/Baby-logger/script/rsync.sh

This will automatically trigger the sync between RaspberryPi and Onedrive and you will get the file available remotely.

Remote shutdown

Raspberry Pi runs Linux, so clean shutdown is required to avoid corruptions.

Enable Reboot/Shutdown RPI from Web explains all steps.

Main PHP page has link to off.php to trigger a Python script shutdown.py

There are few steps to allow PHP to execute a script in SUDO mode:

sudo visudo
 
pi ALL=(ALL) NOPASSWD: ALL
www-data ALL=/sbin/reboot
www-data ALL=NOPASSWD: /sbin/reboot
www-data ALL=/sbin/shutdown
www-data ALL=NOPASSWD: /sbin/shutdown

NBEMS – Fldigi, DMR and Anytone AT-D878UV

by

Fldigi is multi platform software to send and receive msg Flmsg or file Flamp via Analog two-way radio using Mic/Speaker connectors with no special HW.

It can be use as NBEMS – Narrow Band Emergency Messaging Software on VHF/UHF and on HF.

Anytone AT-D878UV could be used with Bluetooth functionality or with Kenwood connector to interface with Microsoft Surface 3 or even with Raspberry Pi in Radio GoKit scenario.

HAMlib library can manage interface with serial portal and send PTT input.

Anytone AT-D878UV connected to PC via Bluetooth

On Windows 10 PC, go to Settings -> Devices -> Bluetooth -> Add Bluetooth or other device.

On Radio, go to Menu -> Bluetooth -> BT On (to enable) and BT Pairing -> Available BT -> Select name of PC

Pending HAMLib module for AnyTone

Example:

XMR on Azure – MineXMR closure

by

Based on previous posts:

Use latest xmrig v6.18 and leverage the configuration wizard website to select nanopool based on the official nanopool settings: 

{
    "autosave": true,
    "donate-level": 5,
    "cpu": true,
    "opencl": false,
    "cuda": false,
    "pools": [
        {
            "coin": "monero",
            "url": "xmr-us-west1.nanopool.org:14433",
            "user": "your_wallet_here",
            "tls": true
        }
    ]
}

To check if startup script and configuration are working correctly, review Nanopool status and search XMR Wallet.

SSH into the node and monitor xmrig miner =

tail -s 5 -n 100 -f /mnt/batch/tasks/startup/wd/xmrig/build/xmrig.log
sudo hscreen -r -S monero

For troubleshooting, review these folders:

# Azure Batch startup script location
cd /mnt/batch/tasks/startup/wd/

# xmrig build folder
cd /mnt/batch/tasks/startup/wd/xmrig/build/

Unlock and Install custom ROM on AT&T Calypso (HW Tinno A318UU)

by

Pre-requirements

Unlock phone bootloader

Bootloader must be unlocked to install the new firmware.

MTK CLIENT will allow you to read stock firmware off from phone, except with this phone the manufacture has enabled security and authorization files to block sp flash tool.

Install Python 3.9 from Microsoft Store and Git – Downloading Package and daynix/UsbDk · GitHub, then open a CMD:

mkdir C:\test
cd C:\test
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt

Once installation in complete, start MTK Client with 

c:\Test\mtkclient
python mtk_gui

To activate BRUM mode for the phone and connect it to MKT Client

  • Turn off the phone if it’s on.
  • Press Volume UP + Volume DOWN and plug the USB cable.
  • Do not press power button and MKT Client will detect it.

Backup:

  • In the Read partition tab,
  • Select all of them and Save to C:\Test\Firmware\Original
  • It will take about 40min to complete all the operation

Unlock Bootloader

  • In Flash Tools tab,
  • Click on Unlock bootloader button
  • Debug log will show Bootloader: unlock and python windows list
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.03 MB/s

If you restart the phone, you will see a warning that bootloader is unlocked and it will ask you to factory reset the phone.

Install the new firmware

You need to have Android DevelopersSDK Platform Tools |  Android Developers installed to be able to flash the new firmware.

Enable USB Debugging in the phone and connect ADB

  • Start the phone
  • Perform a Factory Reset
  • Restart the phone and complete the initial wizard
  • Open Settings -> “About Phone” -> Tap the “Build Number” item seven times.
  • You should get a message saying you are now a developer.
  • Settings -> “System” -> “Advanced” -> “Developer Options.”
  • Open the menu and enable “USB Debugging.”

To verify that ADB in installed correctly and is able to connect to the device:

CD C:\Test\Tools
adb version

Android Debug Bridge version 1.0.41
Version 33.0.1-8253317
Installed as C:\Test\Tools\adb.exe

adb devices

List of devices attached
AYMB5PKZCUEUUOSC        device

Boot into fastboot with the following command adb reboot bootloader 
or reboot while holding the volume up button and select fastboot.

Install Google ADB FastBoot driver in Windows 11

Download Google USB Driver  |  Android Developers as they will be needed to connect the device via fastboot. To install the driver, we need to force the installation in Device Manager with these steps:

  • Open Device Manager
  • Right click on Other Devices \ Android device
  • Select “Update Driver” -> “Browse my computer for drivers” -> “Let me pick from the list of available driver
  • Select “Show All Devices” -> “Have Disk
  • Navigate to “C:\Test\Tools\usb_driver_r13-windows” and let Windows load the drivers
  • Select “Android Bootloader Interface” as driver name
  • Test that Fastboot tool is able to interact with the phone
CD C:\Test\Tools
fastboot devices

AYMB5PKZCUEUUOSC fastboot

Next step is to disable vbmeta verification with the following steps:

Firmware update via Fastboot

  • While the phone is in the FastBoot mode, type the following:
CD C:\Test\Tools
fastboot devices
fastboot --disable-verity --disable-verification flash vbmeta "C:\Test\Firmware\Original\vbmeta.bin"

target reported max download size of 134217728 bytes
sending 'vbmeta' (8192 KB)...   OKAY [  0.204s]
writing 'vbmeta'...             OKAY [  0.189s]
finished. total time: 0.393s

After vbmeta image is flashed, perform:

  • fastboot reboot fastboot to restart the phone and enter fastbootd
  • Check the phone is connecting correctly with fastboot devices
    and force the installation of Android Bootloader Interface in Device Manager if needed.

The following step delete product partition so system partition has enough space:

fastboot delete-logical-partition product

Deleting 'product'                                 OKAY [  0.016s]
Finished. Total time: 0.016s

This command flash the custom rom on system partition:

fastboot flash system "C:\Test\Firmware\system-squeak-arm32_binder64-ab-vndklite-vanilla.img"

Invalid sparse file format at header magic
Resizing 'system'                                  OKAY [  0.016s]
Sending sparse 'system' 1/5 (255489 KB)            OKAY [ 14.939s]
Writing 'system'                                   OKAY [  7.651s]
Sending sparse 'system' 2/5 (262100 KB)            OKAY [ 15.141s]
Writing 'system'                                   OKAY [  7.705s]
Sending sparse 'system' 3/5 (262104 KB)            OKAY [ 15.001s]
Writing 'system'                                   OKAY [  7.595s]
Sending sparse 'system' 4/5 (261825 KB)            OKAY [ 14.752s]
Writing 'system'                                   OKAY [  7.711s]
Sending sparse 'system' 5/5 (183741 KB)            OKAY [ 10.421s]
Writing 'system'                                   OKAY [  5.832s]
Finished. Total time: 107.885s

Once flash of new rom is completed, you can restart the phone and it will boot using the new rom.

Original post suggested to perform a factory reset.
WARNING: In my case, a factory reset caused a reboot loop and was not able to

If you want to proceed, in the menu on the screen:

  • Select “Enter recovery” and
  • Select “Wipe data/factory reset

Screen on the phone will show

-- Wiping data...
Formatting /data...
Formatting /cache...
Formatting /metadata...
Data wipe completed.

If you missed the previous screen, or clicked the wrong button/option:

  • restart the phone holding Volume UP,
  • Select fastboot on the phone
  • Type fastboot reboot fastboot to reenter fastbootd screen
  • And repeat the factory reset

Restart the phone and you are up and running.

Restore original firmware

If you need to restore original rom, use MKT Client tool to write:

  • vbmeta.bin
  • super.bin

then close the tool and restart the phone. It will be like new 🙂

Source:

XMR on Azure

by

Based on previous posts:

Latest xmrig version is v6.16.4 which requires a new configuration.

All Azure batch configuration remain the same as reported in original article and uses startup script save in Azure Storage Account for Ubuntu.

Configuration wizard allows to generate config.json file needed:

{
    "autosave": true,
    "donate-level": 5,
    "cpu": true,
    "opencl": false,
    "cuda": false,
    "pools": [
        {
            "url": "us-west.minexmr.com:443",
            "user": "your_wallet_here",
            "keepalive": true,
            "tls": true
        }
    ]
}

Unifi Protect with Amcrest cameras

by

Best way to leverage your existing camera(s) on UDR or Unifi Protect is via Unifi Cam Proxy on GitHub.

It will create a dummy Unifi G3 Micro camera and enable you to use your RTSP (Real Time Streaming Protocol) enabled cameras even if they are not Unifi.

Optimal setup of Unifi Cam Proxy is via Docker on Raspberry Pi with the standard Raspbian OS on Pi.

Raspberry Pi Imager

Remember that if you are doing a clean install of OS on Pi, you will need to have keyboard and screen via HDMI to enable SSH, or you can edit the SSH file before you turn PI on.

Putty

Putty is the easiest and best tool to connect to Pi via SSH.

You need to know the IP address of the Pi, check the router screen or if you have it connected via HDMI, just type ifconfig.

Initial Raspberry Pi configuration

Once you have Raspbian OS installed on MicroSD, boot it and make sure you do the basics:

  • Change default password (Pi / Raspberry) = passwd
  • Enable Wifi and connect to your local network = raspi-config
  • Update to latest version = sudo apt update and sudo apt full-upgrade
  • Clean up old packages = sudo apt clean

Install Docker and Docker Compose on Raspberry Pi

  • Check Raspberry Pi OS version = cat /etc/os-release
  • Install Docker using this 1 line command: curl -sSL https://get.docker.com/ | sh
  • Check Docker version = docker version
  • Add user permission to docker group
sudo usermod -aG docker ${USER}
groups ${USER}
  • Install Docker Compose 
sudo apt-get install libffi-dev libssl-dev
sudo apt install python3-dev
sudo apt-get install -y python3 python3-pip
sudo pip3 install docker-compose

Enable Docker at startup sudo systemctl enable docker

I suggest a sudo reboot of the Raspberry Pi and a test of Hello World docker run hello-world and you should get “Hello from Docker!”

UniFi Cam Proxy

Pre requirements includes few steps

1. Self-signed certificate generation created from another UniFi camera or directly from Raspberry Pi OS. These are steps to generate /tmp/client.pem certificate:

openssl ecparam -out /tmp/private.key -name prime256v1 -genkey -noout
openssl req -new -sha256 -key /tmp/private.key -out /tmp/server.csr -subj "/C=TW/L=Taipei/O=Ubiquiti Networks Inc./OU=devint/CN=camera.ubnt.dev/emailAddress=support@ubnt.com"
openssl x509 -req -sha256 -days 36500 -in /tmp/server.csr -signkey /tmp/private.key -out /tmp/public.key
cat /tmp/private.key /tmp/public.key > client.pem
rm -f /tmp/private.key /tmp/public.key /tmp/server.csr
cp /tmp/client.pem /home/pi/Documents/client.pem
cd /home/pi/Documents/
ls
Add new Device in UDR

2. Adoption token created in Protect UI page in UDR [valid for 60 minutes from time of generation]

  • Open https://{UDR_IP}/protect/devices/add
  • Login with your Unifi credential
  • Select G3 Micro from “Select device to add” list
  • Select “Continue on Web” and type random text in SSID / Password fields
  • Click “Generate QR Code”
  • Save QR Code as image file
  • Upload QR Code to https://zxing.org/w/decode.jspx
  • Extract the token above UDR IP in the ‘Raw Text’ field
  • Adoption token looks like this: cpZaMhfzmBgAqLIHPR0psvoMp3mvCDtu
Adoption token extraction

3. Confirm RTSP support for your cameras using VideoLan Client VLC -> Network Stream.
For Amcrest cameras, the default local credential is admin / admin and RTSP standard URL has this format rtsp://[username]:password@CAM_IP:554/cam/realmonitor?channel=1&subtype=0

RTSP test in VLC

Docker configuration

Make sure you have all pre requirements completed before you move fwd with the docker configuration file:

  • Certificate /home/pi/Documents/client.pem
  • Adoption Token cpZaMhfzmBgAqLIHPR0psvoMp3mvCDtu
  • RTSP URL for your camera rtsp://[username]:password@CAM_IP:554/cam/realmonitor?channel=1&subtype=0
  • Docker is working properly and you have permission to run container

Create Docker Compose YAML file in /home/pi/Documents/docker-cameras.yaml using VI docker-cameras.yaml

version: "3.9"
services:
  unifi-cam-proxy-1:
    restart: unless-stopped
    image: keshavdv/unifi-cam-proxy
    volumes:
      - "./client.pem:/client.pem"
    command: unifi-cam-proxy --host {UDR_IP} --mac {CAM_MAC1} --cert /client.pem --token {Adoption token} rtsp -s rtsp://[username]:password@CAM_IP1:554/cam/realmonitor?channel=1&subtype=0 --ffmpeg-args '-c:v copy -vbsf "h264_metadata=tick_rate=50"'
  unifi-cam-proxy-2:
    restart: unless-stopped
    image: keshavdv/unifi-cam-proxy
    volumes:
      - "./client.pem:/client.pem"
    command: unifi-cam-proxy --host {UDR_IP} --mac {CAM_MAC2} --cert /client.pem --token {Adoption token} rtsp -s rtsp://[username]:password@CAM_IP2:554/cam/realmonitor?channel=1&subtype=0 --ffmpeg-args '-c:v copy -vbsf "h264_metadata=tick_rate=50"'

Start Docker Compose with docker-compose -f /home/pi/Documents/docker-cameras.yaml up -d --remove-orphans

Wait for download and extract of all the components needed.

Connect to UDR https://{UDR_IP}/protect/devices/ and verify you can see the cameras:

Amcrest cameras added to UniFi Protect

Stop Docker Compose with docker-compose -f docker-cameras.yaml down

Please note that CPU load is high on Raspberry PI during live streaming, monitor it with top command:

Optimize CPU load

Amcrest cameras stream using H.265 codec for video and AAC codec for audio as you can review in VLC -> Tools -> Codec Information:

Amcrest streaming information

Unifi Cam Proxy settings expect H.264 codec which causes a lot of overload on Raspberry Pi CPU and ffmpeg library to transcode from H.265 to H.264 codec.

Unifi G3 Micro streams in H.264 with bi-directional audio as reported in the quick start guide

Unifi G3 Micro Video / Audio specifications

Docker command in YAML file provides arguments to ffmpeg library --ffmpeg-args '-c:v copy -vbsf "h264_metadata=tick_rate=50"' and according to ffmpeg documentation:

  • -c:v copy define the codec name and specifically, set FFmpeg to copy the bitstream of the video to the output
  • -vbsf "h264_metadata=tick_rate=50" set the video bitstream and codec to H264 [deprecated]

Reducing frame rate and resolution

Amcrest cameras have 2 substreams on channel #1 you can connect:

SubStreamResolutionCodecURL
01920×1080
@ 30 fps		H.265 hevc with AAC MP4rtsp://[usr]:psw@CAM_IP:554/cam/realmonitor?channel=1&subtype=0
1640×480 @ 30 fpsH.264 AVC
with AAC MP4		rtsp://[usr]:psw@CAM_IP:554/cam/realmonitor?channel=1&subtype=1
Available SubStream in Amcrest camera

Using SubStream #1 which is VGA, instead of SubStream #0 (Full HD) allows to have PI at ~30% CPU load.

VGA resolution on H264

Sources:

AT&T Calypso U318AA

by

AT&T Calypso specifications:

  • Weight: 170g
  • Dimensions: 150 x 72.88 x 9.95mm
  • OS: Android 10 (Go Edition)
  • Screen size: 5.5-inch
  • Resolution: 960 x 480
  • CPU: 1.5GHz Quad-core, MediaTek MT6739
  • RAM: 1GB
  • Storage: 16GB
  • Battery: 2,500mAh, Removable
  • Rear camera: 5MP
  • Front camera: 5MP
AT&T Calypso User GuideDownload

Source:

Ziply – Power outages backup plan

by

Nokia ONT FOG421

Nokia ONT FOG421

Ziply just upgraded existing Calix ONT 722GE which is market as End of Life and replaced with GPON ONT model FOG421 made by Nokia.

According to u/jwvo (John van Oppen – VP of Network at Ziply), the new Nokia ONT is able to support XGS and GPON

Power Supply – CyberPower CA25U16V2

The power supply is CyberPower CA25U16v2 is a 25.6 Watt power supply at 16 Volt able to provide 1.6 Amps and it’s designed to work with the new ONT

Some nice photos by Andrew of the ONT, Power Supply and new waterproof enclosure.

Power Outage overall backup plan

To continue to have internet during power outages, which are become more frequent and longer, best way is to have ONT and home router under UPS.

Home Router – Backup plan

12V UPS with 58Wh of battery

For standard home router using 12V power supply, the easier solution is to use an online, always-on UPS based on 12V Li-Ion battery pack which will continue to provide power to it for ~9h, considering 0.5A usage (9.62h =57.72 Wh / 12v / 0.5A).

ONT – “Basic” Backup plan

CyberPower CA25U16v2 has an auxiliary input port which support from 9.5V to 19.5V, so a similar 12V UPS can be used or a standard UPS like APC Back-UPS 425VA.

Power Supply is rated for 25W maximum power, which translate to 16V @ 1.6A.

APC Back-UPS 425VA can provide 25W continuously for ~1.5h if UPS is connected on 110V AC side.

Leveraging the auxiliary input port, you will need a 16VDC / 1.6A power supply with a 4.5mm plug (NOTE: Default plug of standard 12V power supply is 5.5mm and it’s too large).

ONT – “Advanced” Backup plan

10A Solar Charger Controller

Previous Power Supply supported a 12v 8Ah battery which could be re-used in this scenario.

Best solution would be to get:

UniFi UDM – Free domain, Custom DNS and Free SSL Certificate on Windows

by

Here is scenario:

Create a free domain name

Choose the top level domain http://www.mysite.tk from Freenom.com and configure URL Forwarding to mysite.duckdns.org in the Management Tool of freenom.

Create Custom DNS Name

Create your subdomain on DuckDNS and configure auto update in UDM as explained in this post.

Free SSH Certificate

Get a free SSH certificate via Let’s Encrypt on UniFi Dream Machine (UDM), use UDM-LE tool and follow the steps in Gabi.io post

Let’s Encrypt certificates are created in /mnt/data/udm-le/lego/certificates

cd /mnt/data/udm-le/lego/certificates
ls -l
-rw-------    1 root     root          5654 Aug 11 05:27 mysite.duckdns.org.crt
-rw-------    1 root     root          3751 Aug 11 05:27 mysite.duckdns.org.issuer.crt
-rw-------    1 root     root           244 Aug 11 05:27 mysite.duckdns.org.json
-rw-------    1 root     root          1679 Aug 11 05:27 mysite.duckdns.org.key

Create a backup of original UDM certificates:

cd /mnt/data/unifi-os/unifi-core/config/
cp unifi-core.crt unifi-core.crt.bkp
cp unifi-core.key unifi-core.key.bkp

Replace original SSL certificate in UDM using the above file CRT and KEY in /mnt/data/unifi-os/unifi-core/config/

Export to Windows

In Windows 10, install WinSCP and SSH to UDM to copy all files locally. Remember to set connection type to SCP

Convert the CRT file to PFX file as explained on that page and install the certificate in IIS.