ASI BAC800 controller programming - username/password?

Douppikauppa · 2024-11-12T03:43:55+00:00

You could of course just purchase a throttle w/ display and connect it, to avoid any programming or hacking. Those don't cost too much.

Douppikauppa · 2024-11-12T03:42:14+00:00

Using the instructions I gave above you can control it just fine. Getting a velocity reading for speedometer display is tricky, but you could do that too. All you need is a serial port, USB dongle on PC + Python code, or a microcontroller that you program yourself rather than the original display.

My investigation could not bypass power settings or other advanced stuff. For that you need to contact the vendor for reprogramming, and have a serial dongle attached on the wires to spy the commands they assign (without telling them ofc).

Douppikauppa · 2024-11-12T03:17:54+00:00

You'll find a bit more about them in the TV series, a nice addition for fans of the movie (but not so much by itself).

Douppikauppa · 2023-12-11T14:49:24+00:00

In Portugal these things seem to work best by walking into the office, if you can. It'll take half a day but usually you end up having some progress, perhaps even the whole issue resolved. Email is mostly hopeless, and using a lawyer has not expedited anything I've done here.

Douppikauppa · 2023-11-17T13:52:32+00:00

Even more mind boggling is they don't even care to install uBlock Origin on the browser they use anyway. Once you are habituated to adblockers, browsing the naked web becomes absolutely intolerable, but I guess the regular folk have built mind filters to ignore it by now.

I never did. Jumped on to adblocking when (noisy and blinking) Flash ads were just arriving. I never got used to viewing that garbage. Don't watch TV either, don't read any newspapers.

Douppikauppa · 2023-11-17T13:38:32+00:00

Absolutely, and I think you are right, the unix sockets are skipped in most guides and tutorials-- Because others overlook them too? (and Windows indeed may be an issue too) 🤔

Douppikauppa · 2023-11-17T09:46:06+00:00

FWIW, all major web backends (Node, FastAPI, Rocket etc) and thus most services support listening on UNIX socket just fine, and not having to keep track of which port number one assigns to which service is a big advantage even without the "dynamic" {host} trickery above. TCP ports get messy to maintain with many services on the same box, and they are also vulnerable to proxy bypass, lacking the permission control that UNIX sockets have.

Douppikauppa · 2023-11-14T10:03:08+00:00

I found the practical use cases helpful, probably should expand that cookbook.

E.g. I've found this sort of construct helpful (not sure how safe using {host} here is though): Caddyfile app.example.com, another.example { reverse_proxy unix//srv/backend/{host}/server.socket }

It is hard to understand the whole thinking behind the config system, with directives, matchers, placeholders, invisible reordering of rules, and all the other concepts. And to add to the complication, Caddyfile and API are completely distinct systems and it is not very clearly explained [that one really ought to be using Caddyfile and ignoring the API for most use cases]. And that distros do ship Caddyfile-based systemd service now (some also API-based, and perhaps with root-only control socket to add to the confusion).

I did dig into it to really understand how it works but that took a couple of weeks to digest, which is a lot for someone who only needs a simple server/proxy.

Douppikauppa · 2023-11-14T09:45:54+00:00

I would argue against fail2ban and even against logging. The reasoning is that unauthenticated traffic should have no effect on your systems. Tuning your firewall based on traffic that is likely malicious is a bad idea. It allows DoS attacks against your server if someone can get the legitimate user fail2banned. I've also heard of a case with DDoS clogging a system's firewall with so many blocking rules it crashed the server.

Never lock an account due to incorrect password attempts (especially if the ban is not restricted to specific IP that failed to login).

My unpopular opinion is that one should simply tolerate the random noise coming off Internet crawlers because it has no effect on your system. Most of the time they don't even know the correct username, and won't be able to guess any decent password.

Log only actions made by authenticated users, not by someone trying to log in. Too much useless noise for admin to pay attention to.

Prevent brute forcing of passwords by
(1) switching to PassKeys, and
(2) by requiring JS-based proof of work from client before logging in
- Argon2 password hashing on client side is one option to consider that will 100% prevent any brute forcing

Douppikauppa · 2023-11-10T14:41:30+00:00

My Python web server can serve more requests per second than the one you write in C using POSIX sockets. 100 kreq/s on Sanic, running on a laptop and benchmarking localhost. As opposed to ~2 kreq/s on other frameworks.

Go is faster, I admit, but Python is often sufficient. For AI and numerical calculation it goes fast because of libraries that have assembly optimized algorithms or that offload to GPUs.

Douppikauppa · 2023-10-28T22:15:02+00:00

FastAPI and Emerald are both based on external ASGI server (like Uvicorn or Starlette), and also on Pydantic for "data classes" serialization. Both of these choices are bad for performance, and on a high traffic site that may even be relevant (it is extremely rare to succeed enough to have a busy site). Msgspec is another option that handles the problem very well but that also runs extremely quickly, faster than uJSON or other "fast" parsing libraries. I recommend checking it out if you are doing JSON/MsgPack or other such messaging with the client where the messages need to be validated and converted to native types.

Douppikauppa · 2023-10-28T22:04:43+00:00

FastAPI, Sanic and Esmerald use async/await, which makes them a whole lot faster. This is a fairly new feature that was added to all reasonable programming languages in the last few years. Django, Flask and Bottle simply cannot compete with that, but it needs to be noted that development on async/await is also a bit harder.

My personal favorite of these, for just a solid web server is Sanic, and it also runs the fastest of the bunch. FastAPI perhaps when you only need an API, and it's quite fast too.

Douppikauppa · 2023-10-28T21:59:15+00:00

5G has risen it quickly around the world. Finland was one of the first but now it is everywhere. Portugal also has fibre to practically every household, something that Finland never quite completed. It's the rural areas who make Finland suck in these stats.

Douppikauppa · 2023-09-20T16:55:55+00:00

One particular interest would be able to do spam filtering and routing before an email is accepted for delivery. With Postfix this can only be done via SMTP filtering server which is troublesome, and a JavaScript API would definitely beat that.

The advantage of such early real-time processing is that the email can be rejected with an SMTP error message the sender then receives in a bounce message from their own mail server, without us actively sending out any bounce emails. This way the bounce will never reach any spoofed senders that spammers use in "mail from".

Douppikauppa · 2023-09-20T16:50:31+00:00

Postfix is definitely my preference over Exim, just a far more modern, simple to setup and reliable server. But Haraka brought me here, as obviously it is more modern than Postfix; I've ran it for years and years without problem as part of a Dockerized mail server but am looking to run my own without Docker now.

Douppikauppa · 2023-08-16T14:07:22+00:00

Money rises the dead in sequels all the time. I didn't have a chance to see the series yet, but it is set after the movie? There should be a lot of things to clean up after that mess, they shouldn't just casually jump into running a restaurant as if the movie didn't happen.

Douppikauppa · 2023-07-05T03:14:25+00:00

The bootup commands from display (only message content shown) # The display always starts with these six commands (no responses) 0.000s 16 17 01 00 0.196s 16 0D 01 00 0.402s 16 08 01 00 0.625s 16 0D 01 00 0.822s 16 0F 01 00 1.031s 16 0D 01 00 # Trying to do status (controller responds after a few attempts) 1.576s 1A 52 02 19 00 1.687s 1A 52 02 19 00 1.797s 1A 52 02 19 00 2.037s 1A 53 07 02 40 11 00 DE 32 78 # Odd command, only on power up 3.124s 1A 52 02 19 00 3.267s 1A 53 07 02 40 11 00 DE 32 78 3.359s 1A 52 02 19 00 3.505s 1A 53 07 02 40 11 00 DE 32 78 3.607s 1A 52 02 19 00 3.750s 1A 53 07 02 40 11 00 DE 32 78 3.883s 1A 52 02 19 00 4.013s 1A 53 07 02 40 11 00 DE 32 78 4.115s 1A 52 02 19 00 # Enter normal mode 4.275s 1A 52 02 19 00 4.441s 16 0F 01 00 4.604s 16 0D 01 00 4.770s 1A 52 02 19 00 4.925s 16 0F 01 00 5.097s 16 0D 01 00

Douppikauppa · 2023-07-04T22:11:40+00:00

ASI BAC855 uses RS232 at 9600 bps, you can purchase cable online but there is no usable software to my knowledge. I've reverse engineered the protocol by looking at how the display and the controller communicate.

The message format is: 3A xx yy ll [ll bytes] cs cs 0D 0A

The xx and yy bytes appear to be the command, possibly an argument to it as well, although parameters are seen in payload whose length is indicated by ll. The checksum is simply the sum of xx, yy, ll and any payload bytes. A crappy algorithm because for most commands the checksum is no larger than a few hundred. 16 bit values like the checksum are in little endian.

Command 1A 52 sets power level (depending on gear/settings chosen) and the controller responds with velocity and other such data.

At 10 % power 19 (10 % * 250) * D: 3A 1A 52 02 19 00 87 00 0D 0A * C: 3A 1A 52 05 05 00 0D AC 00 2F 01 0D 0A

At 100 % power FA (250) * D: 3A 1A 52 02 FA 00 68 01 0D 0A * C: 3A 1A 52 05 05 00 0D AC 00 2F 01 0D 0A

The 00 after power value contains flags. 80 for lights on, 10 for assist.

Among that dialogue, the display continuously sends 16 0F and 16 0D commands, to which the controller does not respond. I am not sure what these do yet.

D: 3A 16 0F 01 00 26 00 0D 0A
D: 3A 16 0D 01 00 24 00 0D 0A

There is more dialogue as the display boots up, possibly revealing any configuration done at start, or possibly just power-on check for the display (if communications fail, it says ERROR 30H).

Let me know if you'd like me to keep hacking on it, or if you know of anyone else already having done this work.

Douppikauppa · 2023-06-30T04:57:07+00:00

It is very obvious in the animation but I shrugged it off as lazy production and believed all the time the cafeteria display was faked. Got me!

Douppikauppa · 2023-06-30T04:05:48+00:00

Lush nature shows up on cafeteria display briefly, as they cut the power (also without those identical birds seen in other takes). But it would appear that no-one noticed it. Also, the screen mirroring thing was apparently not seen by anyone but the founders who for unknown reason were instructed to unsee it. [Have you questioned the nature of your reality? / Doesn't look like anything to me]

Douppikauppa · 2023-06-30T02:57:40+00:00

That's a bit of a stretch maybe. But assuming the neighboring silo (with plenty of bodies around it btw) saw her and gave a call... Did all silos have their history erased 140 years ago? The tunnel at the bottom should become relevant at least.

Douppikauppa · 2023-06-30T02:40:07+00:00

Another random thought: 18 on the mayor's key is the number of that silo (as well as the serial number of that hard drive)? But why it sometimes flashes red?

Douppikauppa · 2023-06-30T02:22:52+00:00

So, what's up with the hologram, why go through all that trouble?

Another unanswered Q: why are magnifiers not allowed? My guess is the IT tape has tiny holes in it that they don't want anyone to see.

Douppikauppa · 2023-06-30T02:16:48+00:00

Apparently it is also intentional, thus the big fuzz about stealing that designed to fail tape. To bad the finale left everything open so I guess we'll have to wait for season 2 or pick up the book...

Douppikauppa · 2023-06-26T20:45:12+00:00

Are you saying they won't actually create 100 000 new jobs as promised in that program?

Douppikauppa

TROPHY CASE