iptables mirror target for linux kernel 5.4

After my last kernel upgrade I tried to build the iptables mirror target that I have published the last time here. The iptables mirror target takes the packet sent to your machine and returns the same packet to the machine the packet came from. Thus, let’s say someone tries to scan your machine or tries an attack he would scan his own machine or even attack his own machine.

When I tried it with kernel version 5.4, it did not build anymore with the current linux kernel. This time there has been a API change in kernel 5.0. Thus I had to replace the call to skb_make_writable() with a call to skb_ensure_writable. Furthermore a call to dst_neigh_output() had to be replaced by a call to neigh_output(). Also a small Makefile change has been necessary. Starting with kernel 5.4 the outdated SUBDIRS=$(PWD) argument gets ignored and M=$(PWD) has to be supplied instead. You can download the newer release for kernel version 5.4 and probably future kernels here:

MIRROR.5.4.tar.gz (61 downloads)

The kernel module has been tested with kernel version 5.4.15-zen1. To build the module, boot the kernel you want to use the module with. Afterwards unpack the archive and run the compile.sh script to build the module. Then run the install.sh script for installing the compiled module into the /lib/modules directory for your kernel.

Now you may use the mirror target in place of the REJECT or DROP target in the INPUT, FORWARD and PREROUTING chains, like this in your firewall script:


Beware: The use of the mirror target may lead to strange results, in example if you want to connect to an iptables protected machine which uses the mirror target, you may end up connecting to the local machine without recognizing it. It also may use much bandwith. The worst case occurs if you have two machines using the module. These machines may end up playing ping pong. So you have been warned, use with caution and at your own risk. For more information see: MIRROR target.

Downloads for older kernel versions are below. Notice the version numbering 2.6.25 works for kernels up to 2.6.27. 2.6.28 also works for 2.6.29 and 2.6.30 kernels. The 2.6.13 version of the module should work up to kernel version 2.6.16.

MIRROR.2.6.13.tar.gz (3258 downloads)
MIRROR.2.6.24.tar.gz (3695 downloads)
MIRROR.2.6.25.tar.gz (3423 downloads)
MIRROR.2.6.28.tar.gz (3464 downloads)
MIRROR.2.6.31 (3296 downloads)
MIRROR.2.6.35.tar.gz (3220 downloads)
MIRROR.2.6.36.tar.gz (3307 downloads)
MIRROR.2.6.37.tar.gz (3050 downloads)
MIRROR.3.0.7.tar.gz (2732 downloads)
MIRROR.3.1.0.tar.gz (2426 downloads)
MIRROR.3.3.0.tar.gz (2462 downloads)
MIRROR.3.6.0.tar.gz (2211 downloads)
MIRROR.4.10.tar.gz (938 downloads)


1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

exFAT/NTFS support for the Cosmo Communicator

Cosmo with exfat formatted micro sd card
Cosmo Communicator with exfat formatted micro sd card

Unfortunately the Cosmo Communicator, like many other Android phones, does not support the exFAT filesystem. Most vendors do so due to exFAT being covered by software patents in the USA, which is a problem for companies selling to the USA. exFAT might not be the most sophisticated filesystem available, but is needed for interoperability with other devices and to get rid of the 4GB file size limit of fat32. This article shows how to enable exFAT support for the Cosmo. Since it is not much effort to also get NTFS support this is done by the way.

Setup the kernel sources

To get exfat support, first of all we need a kernel module providing exfat support. Fortunately some time ago Samsung has released their exfat driver under the GPL license. The derivate of this driver can be found on github¹ This module has to be built against the kernel used on the device. The kernel source for the Cosmo has also been made available on github². The two source trees can be combined, as described in the documentation for the exfat module by editing the relevant Makefile an Kconfig. Furthermore CONFIG_EXFAT_FS for exFAT support CONFIG_NTFS_FS for NTFS have to be enabled as modules in kernel configuration. The resulting kernel source tree with the included exfat submodule has been placed on github.

Setup the build environment

To build the kernel modules on better uses a compiler that is as near as possible to the one that has been originally for building the kernel. We can easily find this out via procfs on the target device.

clang version used for the Cosmos kernel build

When compiling on an arm64 system the build environment can easily be installed. I.e. by executing apt install llvm clang on an Ubuntu arm64 system. When using a different architecture for compiling, the appropriate cross toolchain has to be installed.

Build the kernel modules

Once all is set up the kernel modules can be built.

make O=../KERNEL_OUT -C cosmo-linux-kernel-4.4 ARCH=arm64 k71v1_64_bsp_defconfig

make -j4 O=../KERNEL_OUT ARCH=arm64  CC=clang  CLANG_TRIPLE=aarch64-linux-gnu- CROSS_COMPILE=aarch64-linux-gnu- modules

As result we get the two kernel modules ntfs.ko and exfat.ko

Creating a magisk module

The resulted kernel modules have to get loaded on Android startup. Starting with Android Pie it is not possible any more to mount the system partition for writing. One possibility would be to create an own system image containing the kernel modules and necessary scripts. Since Magisk is the recommended way for rooting the Cosmo Communicator anyways, we can take a different approach. Fortunately Magisk gives the possibility to create on overlay filesystem which gets injected into the android system partition, so we can get the same result with less effort.

To create the Magisk module containing the filesystem support we start with the Magisk Module Template4 and copy the two kernel modules to system/lib/modules/. Furthermore we need some additional binaries for filesystem checking and mounting. So we add the filesystem support binaries and volume daemon built for the Pixel 2 from fsbinaries.zip and Magisk-v18.1-extrafs.zip³. Next we need a service.sh script which loads the kernel modules on startup an restarts vold once the user is present. With an earlier restart the volumes do not get added.


# load kernel modules
insmod /system/lib/modules/exfat.ko

# kernel ntfs support is ro
# comment this line to use fuse ntfs (rw)
insmod /system/lib/modules/ntfs.ko


# wait for startup
while [ "$(getprop sys.boot_completed)" != "1" ]; do
    sleep ${_SLEEP_INTERVAL}

# wait user to unlock
while dumpsys trust | grep -c "deviceLocked=1"; do
    sleep ${_SLEEP_INTERVAL}
    echo "device locked"
    echo $(dumpsys trust | grep -c "deviceLocked=1")

#kill vold to restart
killall vold
echo "vold restarted"

One can comment the line loading the ntfs module to decide whether ntfs kernel support, which is read only or fuse ntfs, which is read/write shall be used. For this a simple wrapper script replacing mount.ntfs has been added.

# call mount for in kernel ntfs and mount.ntfs3g without
if cat /proc/filesystems | grep "ntfs" &> /dev/null ; then
  echo "using kernel ntfs (ro)"
  params=$(echo "$@" | sed 's/,shortname=mixed//')
  params=$(echo "$params" | sed 's/,dirsync//')
  mount $params
  echo no ntfs.ko
  mount.ntfs3g $@
  echo "using fuse ntfs (rw)"
  mount.ntfs3g $@

Finally LATESTARTSERVICE=true has to be set config.sh to execute the service.sh script on startup and some Selinux policies have to be added to avoid the need of running in permissive mode.

The final result can be found on github. For those who do not want to perform the procedure or parts of it themselves, the installable Magisk module can be downloaded from here:

cosmo-fs.zip (74 downloads)

It can be installed using the Magisk Manager App. Best for all users would be if Planet Computes could include this in the stock ROM. This would give exFAT/NTFS support also for non-rooted devices. Assuming they are fearing software patents, they might consider joining the Open Invention Network to get access to the relevant Microsoft patents in the future.


1. exfat kernel module
2. cosmo communicator kernel source
3. filesystem support binaries
4. Magisk Module Template
5. Magisk module developers guide

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

Unboxing the Cosmo Communicator

Like I did when receiving the Gemini PDA, I want to share the first impressions while unboxing the brand new Cosmo Communicator, I have received today. About one year ago I have backed Planet Computers Cosmo Communicator Indiegogo campaign. Planet Computers has promised a device that is different from anything else, that is available for purchase. The Cosmo Communicator is a clamp-shell class device with a fully integrated keyboard and touchscreen and full phone usability that is designed for Android, but will also be capable of running Linux or Sailfish OS. Major improvements compared to the Gemini PDA, beside better specs, are the outside cover display and the backlit keyboard. No need to go through the full specs here, everything interesting regarding these can be read on Planet Computers web page. Yesterday, after a long time of waiting the parcel with the Cosmo finally arrived.

Cosmo Parcel
Parcel containing the Cosmo Communicator

Inside the parcel has been a single box

cosmo box
Box containing the Cosmo Communicator

Before opening the box has to be fold out.

cosmo box fold out
Fold out Cosmo box

After Opening the box one can see the well packed Cosmo in there.

csomo box opened
Opened Cosmo box

The full content of the box can be seen below. One can see the Cosmo wrapped well in foil as well as an envelope containing a quick start manual and the Sim card tool. Still in the box are two smaller boxes containing the charger and the USB cable.

cosmo content
Cosmo box content

After removing the foil we can see the Cosmos full beauty.

The Cosmo Communicator

With the opened device we can see the display and the German QWERTZ keyboard. Keyboard and hinge even feel more solid as with the Gemini PDA.

cosmo booting
Opened Cosmo booting Android

After booting the Cosmo shows the initial welcome screen. With a press to the start button one could start the initial setup process.

cosmo welcome
Cosmo welcome screen

The outer cover touch display, which shows the caller id and allows to accept calls can be seen below.

outer display
Cosmo Communicators outer touchscreen showing date and time

For the Cosmo Communicator I also ordered a third party belt case which can be seen below with the Cosmo inside and a Adonit Dash2 stylus attached.

cosmo belt case
Third party belt case with the Cosmo

I am hoping you have enjoyed the photo series and some first impressions of the Cosmo. Further articles regarding testing some aspects of the device, and hopefully some solutions will follow. Stay tuned for updates.


1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 2.50 out of 5)

Modular kernel for the Gemini PDA available from the gemian repository

Recently Adam Boardman and I have managed to integrate the modular kernel for the Gemini PDA into the gemian kernel repository. So, from now on, whenever the kernel gets improved, the modular kernel gets built and the update is available for Debian via apt.

Installing the modular kernel

From now on, the modular kernel for the Gemini PDA can be installed easily using apt:

sudo apt install gemian-modular-kernel

When using the new bootloader the kernel gets flashed to the boot partition automatically. This works because the new bootloader passes the current boot partition’s name to the kernel using the kernel cmdline. The cmdline can be examined with:

cat /proc/cmdline

When using the old bootloader with the Gemini PDA this information is not available to the kernel and consecutively to the operating system, thus one still has to flash the kernel image manually after installing or updating the kernel package. For this one has to carefully decide which boot partition the Linux system is being booted from. Using the wrong partition name can render other installed operating systems unbootable. To recover, flashing the wrongly overwritten boot partition using the flash tool might be necessary. When knowing the boot partition the new kernel can be flashed using dd (the X in bootX has to be replaced with the number of the boot partition) as shown below.

sudo dd if=/usr/share/kernel/linux-boot.img of=/dev/disk/by-partlabel/bootX

After flashing the kernel the either or the other way a reboot is necessary. The boot partition number can be determined from the scatter file that has been used initially to flash the Gemini. Alternatively it can be found out from the key combination that has been used to boot the Gemini. Detailed information on this can be found in the Gemini bootloader documentation.

Building out of tree modules

For building out of tree modules with the Gemini (in example for using USB devices that are not supported with the kernel), in addition to the kernel, the kernel-headers package has to be installed:

sudo apt install gemian-modular-kernel-headers

With the kernel headers and the appropriate build toolchain (gcc, etc.) additional kernel modules can be compiled on the Gemini. Instructions on how to do this can usually be found with the module source.

Some prebuilt modules (iptables mirror target, frandom, 88XXau) for the kernel can be downloaded below:

gemini-modules-extra-3.18.41.tar.gz (173 downloads)

To use the modules, the downloaded archive has be extracted to the root directory. Afterwards depmod has to be executed:

cd /; sudo tar -xzf /path/to/gemini-modules-extra-3.18.41.tar.gz; sudo depmod

With high probability these modules should still be usable after upgrading the modular kernel to a newer build.


1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

Modular Linux kernel for the Gemini PDA with cut+paste fix

Using Debian with the Gemini PDA one can use cut and paste, for example in QTerminal, using the key combinations [Ctrl]+[Shift]+[c] and [Ctrl]+[Shift]+[v]. Unfortunately this did not work using the left Shift key. There is no need to fiddle with the keyboard configuration to fix this, since it is a kernel issue.

Again Adam Boardman has fixed one of the most annoying issues within the Gemini’s Linux kernel. His fix priorizes the mentioned useful keyboard combinations over the ghosted¹ versions. Again this fix is worth another kernel build. As usual, I want to share my kernel build below:

The kernel configuration is unchanged (with respect to the previous article), but included for completeness: gemini-3.18.41+-config.gz (166 downloads)

For the build, again the updated kernel source the from https://github.com/gemian/gemini-linux-kernel-3.18 has been used.

Again the kernel modules for the iptables MIRROR target (will not be usable with the default iptables version on the Gemini) and frandom are included. This time also the module for the awus1900 and similar usb wifi dongles (88XXau.ko) has been added.

Those who do not want to go through the build themselves can download my prebuild kernel from here:

Kernel Image: linux_boot-gemini-3.18.41+.img (171 downloads)
Modules: modules_firmware-gemini-3.18.41+.tar.gz (202 downloads)
(the kernel modules in the previous article should still work, however, the new build is included for completeness)

Instructions for flashing the image can be found on: support.planetcom.co.uk. Make sure to use a proper scatter file, in example the one that has been used for the initial flashing. Using the Download only mode of the flash tool is sufficient. Uncheck all partitions but boot (or boot1 or boot2, depending on your boot order). For the boot partition respectively the boot1 or boot2 partition select the downloaded kernel image.

Alternatively you can flash the kernel using dd:

dd if=linux_boot-gemini-3.18.41+.img of=/dev/block/disk/by-partlabel/boot

If Linux is not your primary operating system on the Gemini use boot1 or boot2 instead, depending on your partition layout.

After flashing, copy the modules archive onto your Gemini and extract it in your root directory:

cd /
tar -xzf /path_to/modules_firmware-gemini-3.18.41+.tar.gz

After rebooting the device, cut and paste using the keyboard combinations should work in QTerminal. Currently I am working on getting the modular kernel configuration into the main Gemini kernel. Hopefully we manage to get this done soon. If so, this might have been the last Gemini modular kernel post.


1. oesf.org: keyboard ghosting

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

Recovery from a failed kernel upgrade on Lamobo R1

Yesterday I have updated my Lamobo R1 router board running Debian Stretch the usual way with apt update;apt upgrade. This time many updates were involved including a kernel update from 4.9.130-2 to 4.9.144-3. After rebooting the device it did not come up again. The same happens with the 4.9.144-3 kernel and the Bananapi board which is nearly identical to the Lamobo R1.

After attaching a screen to the HDMI output I was able to see the boot messages. The last thing I noticed was that uboot was struck at “Starting kernel”. Unfortunately there has been no more useful information. Maybe one could get some more information using the serial console. Obviously the new kernel is broken for the Lamobo and the Bananapi. The corresponding bug report can be monitored on bugs.debian.org. The natural reaction is to downgrade the kernel to the previous state, which is not as simple as on Intel based devices. Since it is quite probable that others experience the same problem with the kernel upgrade I will show in the following how to recover from the upgrade.

First of all I inserted the sd card containing the operating system into a notebook and mounted the boot partition. Luckily there still has been a older backup kernel remaining from system setup. In my case this has been a 4.9.0-7 kernel. So I extracted the boot script from the boot.scr file.

dd if=boot.scr of=boot.script bs=72 skip=1

In the resulting boot.script I replaced the line

setenv fk_kvers ‘4.9.0-8-armmp-lpae’


setenv fk_kvers ‘4.9.0-7-armmp-lpae’

This might be different if the backup kernel available has a different version. If there is no working backup kernel, one might try to get a kernel image from a different source, in example extracting from one of the older Debian packages, from the boot partition of a second device or if one has been paranoid, from a backup.

Afterwards the boot.scr file has to be regenerated. For this the u-boot-tools package has to be present on the system used for the recovery.

mkimage -C none -A arm -T script -d boot.script boot.scr

After reinserting the card into the Lamobo R1 eventually I have been able to boot the system with the old kernel version. Afterwards it has been possible to restore the previous kernel version (4.9.130-2) with:

dpkg -i linux-image-4.9.0-8-armmp-lpae_4.9.130-2_armhf.deb

It might be a good idea to prevent further kernel upgrades until the mentioned bug has been solved. This can easily be done by:

apt-mark hold linux-image-4.9.0-8-armmp-lpae

Hopefully this helps others facing the same problem after this or any other kernel update on these or similar devices.


1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

Building a kernel module for the awus1900 Wifi stick and the Gemini PDA

A few days ago I have been asked if it is possible to build a driver for the awus1900 Wifi stick for the Gemini PDA. To be honest, I did not know, so I gave it a try.

The awus1900 uses Realtek’s rtl8814au chipset. The Linux driver for this chipset is available at many locations around the net. Most ones, I have tried, have not been compilable against the Gemini’s kernel. The driver at https://github.com/aircrack-ng/rtl8812au has been compilable with some minor modifications against the kernel source used for the kernel in Modular Linux kernel for the Gemini PDA with lid close fix.

First of all some parameters in the Makefile had to be changed to match the Gemini:

  • CONFIG_PLATFORM_I386_PC = n (disable x86 build)
  • CONFIG_PLATFORM_ARM64_RPI = y (enable arm64 build)

Some more parameters have been enabled for features in the hope that these do not cause problems:

  • CONFIG_80211W = y

With all these changes the build fails complaining about STATION_INFO_SIGNAL and many more being undeclared. The module’s source expects these defines to be present in the kernel source for kernels below version 4.0. Most probably the Gemini kernel tree is different than other 3.x trees. So the line 23

#if (CFG80211_API_LEVEL >= KERNEL_VERSION(4, 0, 0))

in os_dep/linux/ioctl_cfg80211.c has been replaced with


to get the module source build against the Gemini’s kernel. Afterwards it has been possible to cross compile the kernel module by running make:

make ARCH=arm64 KSRC=/path_to_lib_modules_dir/3.18.41+/build

After building the module it can be copied to /lib/modules/3.18.41+/extra/ (or any other proper directory) on the Gemini and used afterwards. For those who do not want to build the module themselves, the binary modules for the kernel shared in the article Modular Linux kernel for the Gemini PDA with lid close fix can be downloaded from here: rtl88XX.zip (145 downloads)


1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)