Sunday 20 December 2015

Ubuntu 14.04 on Lenovo ideapad 100-14IBY (Part 3)

This is the third post on the same topic, part 1 covers hardware details and issues I encountered with the ideapad while part 2 covers the main steps to resolve the most critical issues. This post covers further improvement to the WiFi stability issue.

WiFi stability improvements

The RTL8723be was always disconnecting after a few minutes of operation in the beginning. This issue has been largely improved by disabling hardware encryption, as described in the previous post. Due to the lack of time for more extensive testing, I settled with these settings and asked for a week of test drive. Feedback was that after the WiFi card still disconnected after a couple of hours.

I intuited that the network disconnect could have probably been experienced after a longer period of network inactivity (having left the ideapad on it's own), which led me to the dig into settings around power management of the WiFi card.

Having read up on the topic and after initial trial and error I settled with adding two further module parameters, one for disallowing the firmware to control link power saving, and another one for disabling link power saving in general.


echo "options rtl8723be swenc=1 fwlps=0 ips=0" | sudo tee /etc/modprobe.d/rtl8723be.conf

sudo modprobe -rv rtl8723be
sudo modprobe -v rtl8723be
# confirm parameter values under /sys/module/rtl8192be/parameters

Feedback so far confirmed the current configuration is not prone to getting disconnected. After the holidays I will attempt to narrow down the set of required parameters, first by re-enabling hardware encryption, then experimenting with the two new parameters.

Wednesday 9 December 2015

Ubuntu 14.04 on Lenovo ideapad 100-14IBY (Part 2)

Following up on the first part, this post will cover issues I experience after installing Ubuntu 14.04 and the steps I took to investigate them. The following issues immediately caught my attention:

  • WiFi connection dropped - no WiFi until reboot
  • Returning from flight mode leaves WiFi disabled - or at least unusable
  • Suspend/resume does not work - stuck at a black screen
  • Reboot and shutdown need the physical power button to be pressed
  • Brightness control buttons inverted - "up" will dim the backlight and vice versa

WiFi stability issues

The lspci output from the first part shows that the ideapad is equipped with a RTL8723be WiFi card. Googling revealed others has similar issues which could be dodged or at least significantly improved by disabling hardware encryption.


cat <<EOF | sudo tee /etc/modprobe.d/rtl8723be.conf
options rtl8723be swenc=1
EOF

In order for the changes to take effect, one either has to reboot or remove and then probe the kernel module. With this change applied, WiFi seemed much more stable, entering and returning from flight mode worked just fine, and occasional WiFi issues could be simply resolved disconnecting and reconnecting, although rather infrequently toggling flight mode or removing and probing the module were needed. In addition to this, I disabled IPv6 for our local WiFi connection. The results were good enough so I moved on to the next topic.

Inverted back-light control buttons

Googling revealed other have experienced this issue before me, however, the common suggestions of using acpi_osi=Linux acpi_backlight=vendor boot parameters did not help, nor did any element of the superset of these two parameters. The only side effect was constantly maximum brightness, which cannot be changed with the buttons at all. On the Lenovo support forum I read that people using Windows experienced the same until new Lenovo provided drivers were installed... As I was running out of time, I decided to categorize this as a minor cosmetic issue and removed those boot parameters.

It is worth to note that after installation I had just about an hour to work with the ideapad which then I left the with the owner and had to continue my investigation at home, reading and googling, without access to the hardware. Therefore I quickly skipped to the next topic.

Suspend/resume, reboot and shutdown issues

It was rather obvious from the beginning that all issues around changing the power state have a common root cause. I assumed a faulty or non-standard ACPI implementation might be the root cause. I entered firmware setup and carefully reviewed the settings but did not find any obvious configuration option which might be related. I experimented with disabling virtualization support and thermal management capabilities but did not see any improvement.

Assuming the ACPI implementation of the ideapad wants to be smart and compensate some broken Windows versions, I attempted to fix the issue by experimenting with acpi_osi settings.

The ACPI _OSI call

It is not unheard of that BIOS/firmware bugs cause reboot problems. ACPI offers a way for the firmware to query which operating system [version] is running - and this feature is frequent used by vendors with good intention to work around specific operating system bugs but in long term this practice translated to the proliferation of non-standard OS implementations and wrongly applied ACPI quirks.

It is documented in the ACPI BIOS Guideline for Linux that by default the Linux kernel since version 2.6.23 no longer returns true for _OSI("Linux")ACPI invocations, effectively lying to the firmware in order to discourage vendors from applying Linux specific quirks as opposed to strictly following the standards. At the same time, the Linux kernel also returns true when _OSI is invoked with any known Windows OS string. This behaviour can be controlled via the acpi_osi parameter already mentioned before.

Other sources recommend to use acpi_osi=Linux in combination with acpi_osi='!Windows 2012' for UEFI based laptops. I have experimented with many variations, selectively enabling and disabling OS strings for individual Windows version. Unfortunately, this did not resolve the issue.

Update something

The ideapad came with firmware version CCCN12WW(V1.01) released on 03/23/2015 as confirmed via sudo dmidecode, and the most recent firmware found on the Lenovo support site is CCCN18WW (V2.04) released on 11/27/2015. While it would be a logical next step to update the firmware, Lenovo only provides a Windows executable, no way to flash the update from Linux or to prepare bootable media for flashing. The rules I have set for myself does not allow using windows based tools, so I had to stay with firmware v1.01. I believe it is rather strange that the ideapad is shipped with FreeDOS but no firmware update can be run anything other than Windows 7 or newer releases.

What I could update was the Linux kernel. The default HWE kernel these days is 3.19.0-37-generic #42~14.04.1-Ubuntu, and I installed linux-image-4.2.0-19-generic which is the Ubuntu 15.10 kernel. This update did also did not change the ACPI issue.

Firmware developers and counter-intuitive decisions

Eventually, the ACPI issue could be resolved by experimenting in the firmware settings on pure trial and error basis. The ideapad came with FreeDOS, and was configured to support BIOS/CSM mode as a fallback if UEFI boot failed. This I quickly disabled legacy mode right after installing Ubuntu. Also, UEFI Secure Boot was disabled by default which I found reasonable as I do not fancy Microsoft's practices of trying to hinder the installation of alternative operating systems.

In the "Exit" menu of the firmware setup, right under "Load Defaults" there is an parameter called "OS Optimized Defaults" which was set to "Other OS". The other option is "Windows 8 64-bit". This is only used when someone activates "Load Defaults" and as I would expects, it enables Secure Boot, sets UEFI only boot mode and some other settings found on the setup screens.

Just for the fun of it, I changed the "OS Optimized Defaults" to "Win8 64bit" and loaded defaults. As expected, it activated Secure Boot but did not change any of the other values on the setup screens. I was surprised to see that this completely fixed the ACPI issues. I returned to the firmware setup screen, disabled Secure Boot, changed "OS Optimized Defaults" back to "Other OS" - but did not load defaults. After booting Ubuntu, I confirmed that suspend, resume, reboot and shutdown work well. My conclusion is that loading Windows 8 64-bit optimized defaults also changed firmware settings which are not exposed on the setup screen. This is a very counter-intuitive practice as loading default firmware setup values should not do anything else than loading defaults for the values exposed on the setup screens.

Closing notes

With all major issues addressed, I released the ideapad for production use. I made the owner aware of the inverted backlight controls buttons and told to provide feedback if any WiFi stability issues occur during field use. The remaining glitches will be addressed subsequent posts.

Monday 7 December 2015

Ubuntu 14.04 on Lenovo ideapad 100-14IBY

The first laptop which I really liked was an IBM t60p ThinkPad manufactured in 2006. It served me well for years but was retired some time ago and my father inherited it - predominantly for light office use. A few days ago, the graphics chip gave up and we needed an urgent, low cost replacement that fits his needs. The goal is simple: get a fully functional notebook for office use with 4G of RAM, the cheapest available disk and without OEM Windows. The stock disk would be replaced by the after market 120GB SSD from the t60p and Ubuntu 14.04 would be installed anyway, since this is the OS my father already got familiar with. The rules are simple as well: buy, install & configure the notebook, the use of windows or any windows based tools is strictly prohibited.

Enter Lenovo 100 80MH003AHV

For around 250 USD excluding VAT, this ultrabook includes 4G of RAM, a strong enough Intel Pentium Quad-Core N3540, 500GB HDD, and is shipped with FreeDOS. I have googled for any information specific to this model and Ubuntu or Linux in general, but did not find anything useful, which is not a good sign of ultrabooks in this price range... so I was prepared for surprises.

The Levono 100 is available in different models / machine-types, and 80MH003AHV relates to 100-14IBY. The hardware maintenance manual can be downloaded from the official support site.

The first surprise came right after unboxing. The plastic case did not feel very robust, but still much force was needed to open it even after all screws have been removed. Once has to be careful to apply enough but not too much force. The next surprise was the sticker seal I found on the screw that attached the HDD to the motherboard. This could possibly mean that the HDD cannot be upgreaded without voiding warranty, which is not a fair practice. I was handy enough to remove the sticker without damaging it.

Unfortunately, I realized that the SSD was password protected and although I knew the password, it could not unlock the disk. This phenomenon I have observed before - my conclusion was that that the t60p and other ThinkPads of the same era transform the HDD password provided on the BIOS Setup screen before sending it to the HDD via ATA Security commands, which, even when the password is known, makes it impossible to access the drive from notebooks of other vendors or even other generations of ThinkPads. The password has to be removed on a ThinkPad that was manufactured in the same era as the one which was used to set the password. The SSD password topic was put on hold over the weekend and on Monday, I used a t60p I borrowed from a colleague to unset the password.

Let us get back to the ideapad - I created an EFI-bootable USB key with Ubuntu 14.04, and inserted it while the computer was still powered off, then I connected the power cord and used a paper clip to push the "Novo button". This button started the computer but enter the BIOS/UEFI menu instead of launching the operating system on the HDD. I took a look at the firmware settings (which many incorrectly still refer to as BIOS setup screen) but did not see any hard reason to change any setting, so I stayed with the defaults for the initial boot.

The first boot: Ubuntu 14.04 from USB

Ubuntu booted without major hiccups, and first commands I ran was lspic and sudo dmidecode to get more information about what the ideapad contains under the hood.


00:00.0 Host bridge: Intel Corporation ValleyView SSA-CUnit (rev 0e)
00:02.0 VGA compatible controller: Intel Corporation ValleyView Gen7 (rev 0e)
00:13.0 SATA controller: Intel Corporation ValleyView 6-Port SATA AHCI Controller (rev 0e)
00:14.0 USB controller: Intel Corporation ValleyView USB xHCI Host Controller (rev 0e)
00:1a.0 Encryption controller: Intel Corporation ValleyView SEC (rev 0e)
00:1b.0 Audio device: Intel Corporation ValleyView High Definition Audio Controller (rev 0e)
00:1c.0 PCI bridge: Intel Corporation ValleyView PCI Express Root Port (rev 0e)
00:1c.1 PCI bridge: Intel Corporation ValleyView PCI Express Root Port (rev 0e)
00:1c.2 PCI bridge: Intel Corporation ValleyView PCI Express Root Port (rev 0e)
00:1c.3 PCI bridge: Intel Corporation ValleyView PCI Express Root Port (rev 0e)
00:1d.0 USB controller: Intel Corporation ValleyView USB Enhanced Host Controller (rev 0e)
00:1f.0 ISA bridge: Intel Corporation ValleyView Power Control Unit (rev 0e)
00:1f.3 SMBus: Intel Corporation ValleyView SMBus Controller (rev 0e)
02:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS5229 PCI Express Card Reader (rev 01)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E PCI Express Fast Ethernet controller (rev 0a)
04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter

The next step was to verify if the system booted in UEFI mode or legacy BIOS mode. Checking /sys/firmware/efi/ quickly revealed we are in UEFI mode.

I intentionally did not even attempt to boot the HDD even once, as I wanted to take a backup of the factory HDD image the computer came with. I quickly configured WiFi and installed partimage after enabling the "universe" repository component and took a full backup of /dev/sda, a 500GB rotating disk with MBR partition table containing a single FAT partition which was basically empty.

Before downloading partimage I quickly verified internet connectivity, but during the repo update and package download the WiFi connection seemed unreliable. After a few minutes I completely lost connection and had to fall back to wired connection - this issue did not surprise me that much.

I manually configured the disk via gdisk, created a 32MB EFI system partition, swap and separate ext4 partitions for /root and /home. I created the partitions in a way they would only occupy the first 120GB of the disk so I can simply clone it onto the SSD once the HDD password issue is resolved. Once done, I installed Ubuntu which went fine, the only strange issue i experienced that the system did not automatically reboot itself and was stuck at a blank screen so I had to keep the power button pressed for a few seconds to force a reboot.

In the next post on this topic, I will list the issues I experienced, the systematic approach I applied to investigate and overcome those and of course the resolution itself will also be provided shortly...

Saturday 24 October 2015

Lenovo S650 update to VibeUI 2.0 1439

This post is a follow up on my older posts on Lenovo VibeUI KitKat ROM. I settled with version VibeUI 1.5 (1427) for about a year, in spite of hte following issues:

  1. Waze always had a dark overlay on the map during navigation with eventual flickering, to the extent that is was completely unusable for navigation as the map was hardly visible. I am not aware of any workaround for this issue, other than using alternative navigation software.
  2. Google Maps navigation is always crashing after a few minutes. The issue was narrowed down to affect newer versions, and downgrading to 8.0.0 proved to be a stable temporal workaround.
  3. Security - in more particular, the lack of regular security updates and recently disclosed android related vulnerabilities frightened me at this stage.

Lenovo published a firmware update for S650 smartphones on the 25th of September last year, but at I did not see a compelling reason to install it right away, I was rather waiting for subsequent updates but they did not come. I decided to upgrade and yesterday night I found time for it.

The upgrade procedure

I cleaned up both internal and external storage, and made sure the following files are present to the external storage:

  • VIBEUI_V2.0_1439_7.3.1_ST_S650_WC52.zip from vibeui.com
  • 5-31_GApps_Minimal_4.4.2_signed.zip which I already had from my last download
  • superuser.zip - com.koushikdutta.superuser which I also already downloaded earlier.

I took a backup of my call logs and text messages, copied important data to my computer, then booted into recovery and created a full TWRP backup. Read my previous posts for details on this step.

After wiping data, cache and dalvik cache partitions I installed the update from within TWRP recovery, then immediately applied superuser.zip. Before reboot, I opened a terminal from within TWRP, and manually mounted the system partition and deleted Chinese apps that I do not need:


mkdir /tmp/s
mount -t ext4 /dev/block/mmcblk0p5 /tmp/s
# change directory to /tmp/s/vendor/operator/app/ via TWRP menu as the built in terminal 
# does not allow you to do that
mv Len* .. # move LenovoPhonemgr.apk which I decided to keep this time
rm *.apk 
mv ../Len* . # move back the app
# change to /tmp/s/priv-app/ via TWRP
rm GameWorld_Phone.apk Youyue.apk
# change to /
umount /tmp/s

Once this was done, but before installing the google apps package, I rebooted the phone, and chose English language in the setup wizard. This was a bit tricky due to the many pop-ups, but still much easier without the Google setup wizard, which would have been run in Chinese had I installed Google Apps in one shot. After language selection and initial setup, I went back to recovery and installed google apps minimal. After booting the system the google setup wizard was greeting me in English...

Later I restored my call logs and text messages as well as application data of some of my key apps. This I had to do manually via and adb shell as Super Backup failed to restore application data even with root privileges granted. My approach was to do some setup of the critical apps manually, so the data files are were created by the app itself with appropriate permissions and ownership, then I overwrote the content of the necessary files with cat $BACKUP > $DATAFILE.

First impressions

Both Google Maps and Waze works fine with this app. I got used to the previous ROM and found stock theme and UI changes annoying. I quickly tailored the theme and launcher according to my preferences.

The Goolge Apps minimal package was outdated, which gave me some application crashed before and during updated, but once the new version of Google packages were installed, everything worked fine.

Unfortunately, according to Stagefright Detector the new version is even a bit more vulnerable than the previous one.

Stagefright

As mentioned above, this new ROM contains one more Statefright related vulnerability compared to VibeUI 1.5, and Lenovo does offer security patches, but not for this phone.

As a countermeasure, I disabled automatic retrieval of multimedia message, from the mail messaging app as recommended here and revoked MMS permissions from any other application. Of course I would be happier if Lenovo provided security updates regularly and more consistently across reasonably new mobile devices.

Saturday 25 April 2015

Firefox 37 and corporate intranet

After a recent update on Ubuntu 14.04.2 LTS, no connection to the beloved corporate expense reimbursement application could be established any more. Of course I realised this situation at a time when I urgently needed to use that application.

Background

Long time ago I have installed the Firefox extension SSL Version Control which allows me to use stronger encryption by defaults, while enables lowering the security level easily if needed. I quickly realised that requiring TLS 1.2 everywhere was not be a workable practice, so I settled with TLS 1.0 back then to get rid of at least SSLv3. Google for POODLE to learn more about the reasons.

I still needed to occasionally allow SSLv3 from time to time in order to be able to use corporate web applications hosted on improperly configured servers - this is the reality of a huge US based enterprise in 2015, no comment.

In Firefox 34 (released in December 2014), SSLv3 was disabled by default, but could be easily enabled by end user either via the extension referred above or changing property security.tls.version.min in about:config as explained here.

Firefox 37, released right before April Fool's Day 2015, disabled insecure TLS version fallback as a security improvement. This means that nor the extension, nor setting the above mentioned configuration property to 0 would allow me any more connect to sites via SSLv3. It is suggested to set another property, security.tls.version.fallback-limit to 1 and file a bug noting the URL of the site where this is needed.

Obviously, I did not submit a but report to Mozilla with a link to our intranet expense reimbursement application. Apparently, setting fallback limit to 1 or 0 did do the magic. Needless to say at that point I was a bit annoyed and under time pressure.

The solution

To make the long story short, Firefox 37 by default does not even respect user-configurable whitelisting, but uses a hardcoded list of hosts. Disabling the use of the compiled-in whitelist allows the end user to provide a custom list of hosts where insecure TLS version fallback should be allowed.See bugs 1114816 and 1084025 for details.

I ended up with disabling the SSL Version Control extension and manually tweaking TLS fallback related properties as shown below.


security.tls.version.max = 3 # default value
security.tls.version.min = 1
security.tls.insecure_fallback_hosts = w3.***.com
security.tls.insecure_fallback_hosts.use_static_list = false
security.tls.version.fallback-limit = 1

Update: Two days ago, the host running the corporate expense reimbursement application was reconfigured to support TLS 1.0 (but not any newer version). The configuration properties above have been updated to reflect this change.