Friday, November 25, 2016

Kenwood TK-890 Amateur Radio Mod (repost)

I'm a ham radio operator and have been since 1987, when I got my Novice ticket in rural South Dakota (SD) at 14 years old. It's been a fun hobby, even though I took a break from roughly 1993-2013. the point...

I went to the Mike and Key Ham Fest down in Puyallup, WA in the spring of 2015. Before I showed up there, I had been thinking about a GMRS license and radios for the family. I picked up a Kenwood TKR-820 repeater, already programmed to the GMRS repeater frequencies.

Kenwood TK-790/890 control head options, basic and advanced.
I also picked up 4 Kenwood TK-890 radios. I got a "good deal". They didn't come with microphones, but I didn't see that as a big deal...while I was at the ham fest. Once I got home, I found out differently. This particular breed of radio, as a result of the genius of Kenwood, doesn't have a standard microphone plug. As a result, microphones cost $65+ each. And the aftermarket doesn't make them. Stupid. I found a lot of 7 on eBay, for a reasonable price, so now I'm in action.

Anyway, this is a repost of an article I found on a blogspot post about how to tune the TK-890 to the high end of the 70cm ham bands. That article has since disappeared and the blogspot site is no longer in, I'm reposting the content here. (Thankfully, PDF'ed the article!)

Original article:
(from Wirelessness blog from W6DTW, originally at

Over the past weekend a friend of mine asked if I would help him convert his Kenwood TK-890 mobile to work on the ham bands. I wasn't sure how successful we'd be, since most every online search came up with at best little information or at worst flat out statement saying "Nope, can't be done." As it turns out, it can't be done. Kudos to Time K for his notes posted to Radio Reference [cg, I also placed the relevant content at the end] which gave enough hints to make this happen.

In general this is how it went. My friend wanted his radio to work on the Bay-Net repeater system, which operates 443.225 with a +5 MHz TX split. TX was fine, but RX was giving a steady "beep-beep-beep..." which indicates PLL unlock.

In the PLL section, under the copper foil, [cg, for the record, mine weren't) are three adjustment pots: A = TC302, B = TC303, and C = TC301. (Don't ask why they're out of order.) According to the Service Manual, Pot A sets the PLL for the low end of the receiver range, Pot B set the high end of the receiver range, and Pot C sets the TX PLL. The goal is to monitor testpoint CV with a voltmeter and adjust for minimum voltage during RX and TX. This requires reprogramming the radio's test frequencies to match the band of interest, so you'll need the [KPG-44] software and [KPG-4] cable.

Once we had the PLL voltages minimized for RX and TX, I found that the radio's TX frequency was way off, so a frequency alignment was needed. This again required the [KPG-44] software - for some reason we couldn't get the radio in to Panel Test/Tune via the control head. It was easy enough with the KPG, once we realized you need to press "Enter" to lock the modified value.

Other things like adjusting the BPF and checking deviations should be done. In the end, the conversation was very easy and the radio is working well on the UHF amateur band.

[cg Adding this here, to make it more complete, and have information all in one place.]
From Radio Reference:
From ramal121:
"The VCO can be adjusted fairly easy with a volt meter. You just program your highest and lowest frequencies, monitor the VCO steering line voltage, check high and low (both TX and RX) and see if the voltage stays within specs. There are tweekers for both TX and RX to achieve this. And yes, if you lower your VCO's range, you will lose the top freqs, the VCO can only swing so far."

From Tim K:

Thursday, November 3, 2016

For the record...HP Elitebook 840 G3 BIOS update

HP, in their wisdom, decided that a standard laptop BIOS update should sound like you're bricking your device. So, I'm posting this here so it will get picked up by Google and people don't need to freak out as much as I did. My experience was I ran the BIOS update, the machine started beeping with the screen blank and then I panicked, trying to figure out what I should do. After a bit of work, I found out that this is completely normal for these laptops, for this BIOS update. It is not normal in the world of systems BIOS updates, by any means.

Comment here if you have the same or a different experience.

- Run BIOS update
- Warning about bitlocker being suspended temporarily.
- Update completes
- Machine reboots automatically
- Screen blanks
- 2 long beeps, 2 short beeps x 5
- Reboot
- 1 long beep, 2 short beeps
- 2 long beeps, 2 short beeps x 4
- Reboot x 2
- Full, white screen notification of DXE update
- Reboot
- Back to Windows login


Tuesday, June 14, 2016

Putting this here: Shuttle XPC Glamor Series SN68SG2 and Windows 10

I have a Shuttle XPC Glamor Series SN68SG2 that I've had for years. I originally built it in 2008 as a Windows Home Server box. 

As time has gone on, I turned into a workstation for mundane tasks, such as running the weather station interface software, or USB-to-Serial cables for programming the scanner, ham and GMRS radios.

This went from Windows Home Server to Windows 7 to Windows 10 with the free upgrade. Since the upgrade to Windows 10, I've had issues with the Start Menu and Cortana. I tried a number of fixes, but nothing really worked. I even went so far as reloading the system with a fresh copy of Windows 10.

I had just been resigned to getting the weather station software fired up and running and then not interacting with it until I needed to restart the software and computer.

Turns out I think it's been a video driver related problem all along. I installed an older, alternative video card and the start menu is magically working again. I used an ATI Radeon X1300/X1550 PCIe video card that had two SVGA cables when it was on Windows 7 and it worked well. This video card doesn't have any valid or supported Windows 10 drivers...but since Windows 10 knows that, it kicked the video driver back to the generic, lower resolution driver.

Start menu works like a champ so far and its been a couple days, which is a couple days longer than it had been working before.

Given all that, I'll be on the hunt for a cheap and/or free low profile PCIe video card for this machine.

Good luck!

Monday, March 7, 2016

Grant's Rants: "I got hacked on an airplane"...because you weren't paying attention.

Grant's Rants:

My initial reaction to the original story of how a reporter was hacked mid-flight through an airline's GoGo wireless network was that reporters, by nature, tend to use less secure, consumer-focused systems. With this update, we understand with clarity that he is operating as an independent reporter. This wasn't a reporter for security issues, so this was just a reporter, even if he has a description like: USA TODAY columnist Steven Petrow offers advice about living in the Digital Age."

In the end, we can interpret this story as being one that was ripe for happening, and was trumpeted by an opportunistic reporter. We now know that he wasn’t focused on maintaining his own equipment or being concerned about information security issues until he was compromised, and then he made some money off of it by writing articles about his experience that are being shared widely.

Let's look at the situation:

  1. He was using an older, deprecated email connection method (POP3). He set it up in 2002 and apparently hasn’t touched it since. Therefore, his email traffic could be picked up “in the air” and was entirely unencrypted. 
  2. He wasn’t using a VPN for his insecure email protocol. Again, his email traffic could be seen.
  3. He was using unencrypted (public) WiFi. Frankly, any Public WiFi is as secure as any unencrypted WiFi network, home or otherwise. If the network connections aren’t encrypted, then others who are within listening range can see any app traffic that isn’t encrypted…like unencrypted POP3 to pull email.

He wasn't under the corporate umbrella of systems management and secure configurations, so he was left to his own devices (no pun intended). Petrow asked the security expert “'What else do I need to do?' He explained [the reporter] needed to regularly download software updates…” was shocking to read. Frankly, I was surprised it took this long for this reporter to be compromised.

After writing this, there is blame to be spread around, though:

  1. ISPs and email providers should only provide encrypted methods for accessing email. Why was unencrypted POP3 still allowed? I know the answer, because they didn't want to have additional support requests from their users.
  2. OS vendors should do more to educate and encourage automatic updating for OSes. Microsoft does a good job, on the initial install, and through occasional reminders. 
  3. App vendors should be encrypting network connections by default, not by exception or an opt-in process. 
  4. App vendors should be building in automatic updates and/or warnings about lack of upgrades. This is a win-win driving more business and securing the consumer. Apple App Store, Chrome and Firefox Automatic Updates were designed for the consumer with no ability to engage in this overhead. Turn it on and forget it. Never look back. Kudos to them. It is for self preservation, and other selfish reasons, typically, but it is moving the needle for consumers and consumer protection.
  5. At this point, consumer VPN services are used widely for a) the paranoid, b) high school students trying to get around school content filters. Maybe it's time for Consumer VPN services to take off. 

This type of article in USA Today gives continued exposure and awareness to these basic issues to those people in hotels across the country, so that's good, but updating systems should be table stakes for anyone under 50, especially if you offer "advice about living in the Digital Age." He wasn't paying attention, was compromised and suffered embarrassment. Fortunately, this guy got a second chance to improve his security posture and get paid for his work instead of more serious consequences for his inaction.

Wednesday, September 24, 2014

Synology, StartSSL, OpenVPN and Tunnelblick

As I mentioned previously, I had switched my Synology box to have a real, live SSL cert from a trusted CA, StartSSL. That worked great for connecting via SSL to either the web console, or Chrome extension for Download Station. All worked swimmingly, until I discovered my OpenVPN connection wasn't functioning any longer. PPTP worked fine, but OpenVPN had issues. Turns out the Synology box, the OpenVPN server, and therefore, the OpenVPN client connection package, don't understand the StartSSL CA. Here was my process of discovery and resolution for this issue.

I tried re-exporting the config, changing the hostname to the new Internet-facing hostname. That didn't work. I re-exported the .crt files from the server and included them in the .tblk file to import into TunnelBlick. That didn't work.

Then I decided to go look at the client connection logs, which is where I should have started. Here's what they said:
2014-09-24 09:50:43 *Tunnelblick: openvpnstart starting OpenVPN
2014-09-24 09:50:44 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=IL/O=StartCom_Ltd./OU=Secure_Digital_Certificate_Signing/CN=StartCom_Class_1_Primary_Intermediate_Server_CA
2014-09-24 09:50:44 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-09-24 09:50:44 TLS Error: TLS object > incoming plaintext read error
2014-09-24 09:50:44 TLS Error: TLS handshake failed

Researching this error, I found the following reference on the Synology forums:

Here's how I fixed this problem:
  1. Get the StartSSL root CA cert (ca.pem) and the StartSSL Class1 cert ( from StartSSL's web site
  2. Concatenate the StartSSL root CA with the StartSSL Class1 cert and save it as a new file. You can use cat in *nix to do this or notepad in Windows, or TextEdit in OS X. Order doesn't matter. It will look something like this, except much longer:




On your Synology box, do the following: 

  1. In Control Panel > Security > Certificate, you may see that your StartSSL cert is already installed, which was the case in my situation. If this is true, export your certificates, so you have a known good copy of your server.crt and server.key. This will be needed on the next step.
  2. Import your server.key, server.crt and the new ca.crt (or whatever you called it) file generated above as the intermediate certificate.
  3. This took a bit to import and restart the web server. 
  4. Go into Package Center and find VPN Server. "Stop", then "Run" the VPN server.
  5. Re-export the OpenVPN config and fix your client .tblk package for the clients.
After this, I was able to successfully connect using OpenVPN to my Synology box again. Woo hoo!

Thursday, August 21, 2014

Implementing a free StartSSL cert for Synology NAS

I have a plugin for Chrome called Download Station Extension (, also available for Safari and Opera) which allows me to tell my Synology NAS to download and initiate torrent downloads among other things. It is excessively handy.This extension supports all types of downloads that are supported by Synology's Download Station, application developed by and built into the Synology base OS. ( . You can tell your Synology box to go download files quickly and easily, including: 
  • BitTorrent (both .torrent files and magnet links) 
  • Usenet news NZB files 
  • http, https, ftp, sftp and ftps downloads 
  • YouTube videos 
  • Some supported filehosting websites 
The extension does this by logging into the "Download Station" app on your Synology using your. This is great, however, there is one significant caveat. The Download Station Extension will only use http until you have a trusted SSL cert installed. In order to protect the credentials to your Synology and use SSL/https, this plugin needs a certificate that is trusted by your browser. And in order to do that, you need to install an SSL certificate on your Synology NAS that comes from a real Certificate Authority (CA).

Now, to be clear, your Synology does have a SSL certificate already, but it's a "self-signed" certificate, meaning your server generated the certificate and it also validated it as being a good, trusted certificate. 

A post in the Synology Community Site describes how to go the process of installing a free StartSSL cert, however it involved significant ssh command line work, operating with openssl directly. Turns out Steps 1-6 in this guide are no longer necessary. You could probably still do the requisite work through ssh/openssl, however, according to the Synology guide here, you no longer have to ssh into the box to generate a certificate signing request or process the certificate returned from an SSL cert provider. 

Based on that, here's what you need to do.
  1. Go to the Synology guide, and perform steps 1-7. Proceed to the next step.
  2. Use the Synology Community Site post by GNOE Inc. and perform steps 7-8.8 to generate the StartSSL-based (free) cert.
  3. Go back to the Synology guide, and perform the last steps on the page, 1-3.

Make sure that the SSL certificate domain matches the domain you're using to access your NAS through the Internet. If the SSL cert and the domain don't match, you'll still get SSL cert errors and you won't get the benefits of this whole process.

Hope this guide helps!


Friday, February 28, 2014

Moving a Windows 7 VM from Parallels 8 to VirtualBox 4.3 on OS X Mavericks using VMWare Fusion

My first Macbook Pro was a 1st Intel generation, early 2006 model, that I bought from someone local on Craigslist in 2009. (Example to the right.) I cut my teeth there and got used to the Mac-isms and the Apple-isms about running OSX. That machine was't going to run any virtual machines well, so I never installed VirtualBox, Parallels or VMWare Fusion.  That machine wouldn't install anything newer than 32-bit Snow Leopard. No Lion and no Mountain Lion. This was frustrating enough, and then software application makers moved to 64-bit entirely, so then I wasn't able to run the software either.
So, in early 2013, I bought a new Macbook Pro and now I had the horsepower to run VMs. Woo hoo!

Parallels pushes their marketing heavy on the Mac world. They have a lot of features, and seemed to have a lot of people who have used the product successfully. So I bought it too.

Fast forward to late 2013, and the release of Mavericks. Before I installed Mavericks, Parallels started warning me about Parallels 8 compatibility with Mavericks. I scoffed. All of the reviews said it ran just fine, and it has, but I have become increasingly resentful of having to shell out $50 for an upgrade, for little benefit. 

So, I decided to try to convert my Win7 VM in Parallels to a Win7 VM in VirtualBox. I ran into a few issues. Here's how I did it successfully (I'll list what didn't work, after):

Step 1) Shutdown the Parallels VM, not just sleep, actually shut the machine down.

Step 2) Convert Parallels machine (.pvm) to VMWare (.vmwarevm) virtual machine

To do this, you'll need to first, download and install the VMWare Fusion trial through the normal means. Here's a YouTube walkthrough:

Next, once you get it installed, choose to "Import" an existing machine. This will make VMWare Fusion go look for existing virtual machines on the system. Of course, in this case, my Windows 7 Parallels instance exists, so it found it right away. (Not sure why it listed it as a "Recent Item", though.)

Click on Continue. You'll be asked what you want to call this new VM. It will use the same base name, but then provide the VMWare extension .vmwarevm for the new virtual machine. You don't really need the whole machine, I don't believe, but the process does create the .vmdk disk image inside the directory named YourNameHere.vmwarevm which we will need in the next step.

Of course, click save.

At this point, I fired up the Windows 7 virtual machine under VMWare Fusion and everything went swimmingly. I just wanted to make sure the new disk image was viable. Because of that, and because I didn't want to create any other issues I didn't install the VMWare extensions. I simply shut the machine back down again and moved on to Step 3.

Step 3) Convert a VMWare disk image (.vmdk) file to a .vdi file which VirtualBox understands

First, install Oracle VirtualBox. You can get it from here:

Second, we'll convert the VMWare Fusion disk image in .vmdk format to VirtualBox-import-capable .vdi disk image using a VirtualBox utility called VBoxManage.

You'll need to run this command either from the directory that the .vmdk file is in, or you'll have to put in the full path to the .vmdk file. Mine was ~/Documents/Virtual Machines.localized/Windows 7.vmwarevm

  VBoxManage clonehd --format VDI Windows\ 7-0.vmdk newimage.vdi

I then moved the .vdi image to my VirtualBox VMs directory.

    mv newimage.vdi ~/VirtualBox\ VMs/

Third, start up VirtualBox and set up a new VM and choose an existing disk image.

Here's the "New" screen:

And this is the area where you'll choose "Use an existing virtual hard drive file". You'll have to then find the .vdi file and it will end up populating the area below the radio button.

Click on Create.

That's it. Fire up the new VirtualBox VM and install the extensions.

Once you're satisfied with the fact that it booted and you're running Windows in VirtualBox on Mavericks on your'll have to remove your Parallels instance. Windows will start barking that it is counterfeit. You'll have to reactivate your license on this VM.