MQTT – How to use ACLs and multiple user accounts

I’ve previously written about how awesome MQTT is and how it’s an integral part of my home automation system.  This tutorial will show you how to make your MQTT broker more secure.  In any sort of information technology you should always follow the principle of least privilege: only give each account the bare minimum access that it actually needs.

1) Define Needs

Let’s use my home automation system as an example.  I’ll limit it to just a few clients here.  I have my automation server (Home Assistant), a WiFi light (a sonoff) and a light sensor.  Let’s state the minimum needs of each client:

Home Assistant

  • Process all MQTT messages to allow full control of devices and to run automation scripts

WiFi light (sonoff)

  • Subscribes to “cmnd/light/POWER” for control
  • Subscribes to “cmnd/light/UPDATE” for OTA updates
  • Publishes to “stat/light/POWER” for status and confirmation

Light Sensor

  • Subscribes to “cmnd/sensor/kitchen/light” for a manual sensor reading
  • Subscribes to “cmnd/sensor/kitchen/light/set” to change settings
  • Subscribes to “cmnd/sensor/UPDATE” for OTA updates
  • Publishes to “stat/sensor/kitchen/level” with current light level

2) Create User Accounts

We can now see we have three clients with distinct, separate needs.  This is a good case where three MQTT user accounts would be beneficial.  If our light sensor has a security flaw that accidentally exposes its password, we don’t want that to give someone full access to our system!

If you haven’t already, follow Digital Ocean’s tutorial on setting up and securing Mosquitto.  Adding a new user account is quite easy.  Simply run the following command and follow the prompts to enter a password.

sudo mosquitto_passwd /etc/mosquitto/passwd <new-user>

So in total, you should run 3 commands that look something like these.  Note how I like to obscure the usernames a little.  Call me paranoid, but it makes them just a little bit harder to guess.

sudo mosquitto_passwd /etc/mosquitto/passwd homeassist
sudo mosquitto_passwd /etc/mosquitto/passwd sonoffswitch
sudo mosquitto_passwd /etc/mosquitto/passwd lightsense

Note: make sure you use a very secure password for the Home Assistant account as it will have full access!

3) Tell Mosquitto to use ACLs

Open your mosquitto configuration file:

sudo vim /etc/mosquitto/conf.d/default.conf

Add the following line, specifying where you put your ACL file.  (I put mine in the same directory as the passwd file)

acl_file /etc/mosquitto/acl

MQTT has two types of wildcards:

  1. “#” matches literally everything and is “recursive”, so it can only be used at the end of a topic.
    1. Example: “cmnd/light/#” will receive every message from topics that start with “cmnd/light”.
  2. “+” matches literally everything, but only for one level, so one or more may be used inside a topic.
    1. Example: “stat/+/POWER” could receive the “POWER” message from every device.

Generate your ACLs

Open your ACL file and add your topics and user accounts to it like below.  Note the three types of permissions: read, write and readwrite.  Wildcards may also be used.  Also, for the sanity of future you, please document what each one does!

# Give Home Assistant full access to everything
user homeassist
topic readwrite #

# Allow the sonoffs to read/write to cmnd/# and stat/#
user sonoffswitch
topic readwrite cmnd/#
topic readwrite stat/#

# Allows the light sensor to read/write to the sensor topics (no access type given means readwrite)
user lightsense
topic cmnd/sensor/#
topic stat/sensor/#

Notice how the light sensors have a similar permission level as the sonoffs?  The sensors don’t need to read/write to the sonoffs so they shouldn’t be allowed.  However, we may want the sonoffs to be able to directly read the sensors.
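The wildcard rules and the ACL above can be checked mechanically.  The following is an added example, not part of the original post or of Mosquitto: it parses the ACL text, applies MQTT topic-filter matching, and compares what each device account may do with the needs listed in step 1.  The `NEEDS` table, `render_acl` and the other function names are assumptions made for this example, and only `user` and `topic` lines without `deny` rules are handled.

```python
# ACL rules as given in the post (no access type on a topic line = readwrite).
PAGE_ACL = """
user homeassist
topic readwrite #
user sonoffswitch
topic readwrite cmnd/#
topic readwrite stat/#
user lightsense
topic cmnd/sensor/#
topic stat/sensor/#
"""
# Needs from step 1 (read = receive via a subscription, write = publish).
NEEDS = {
    "sonoffswitch": [("read", "cmnd/light/POWER"), ("read", "cmnd/light/UPDATE"),
                     ("write", "stat/light/POWER")],
    "lightsense": [("read", "cmnd/sensor/kitchen/light"), ("read", "cmnd/sensor/UPDATE"),
                   ("read", "cmnd/sensor/kitchen/light/set"),
                   ("write", "stat/sensor/kitchen/level")],
}

def parse_acl(text):
    """Return {user: [(access, pattern)]}. Assumes no 'deny' rules; other lines are skipped."""
    rules, user = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, rest = line.partition(" ")
        if key == "user":
            user = rest
        elif key == "topic" and user:
            access, _, pattern = rest.partition(" ")
            if access not in ("read", "write", "readwrite"):
                access, pattern = "readwrite", rest  # access type omitted
            rules.setdefault(user, []).append((access, pattern))
    return rules

def matches(pattern, topic):
    """MQTT filter match: '+' is exactly one level, a trailing '#' is the rest."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(p) == len(t)

def allowed(rules, user, action, topic):
    return any(a in (action, "readwrite") and matches(p, topic) for a, p in rules.get(user, []))

def render_acl(needs):  # constructed alternative: one exact-topic rule per stated need
    lines = ["user homeassist", "topic readwrite #"]
    for user, items in needs.items():
        lines += [f"user {user}"] + [f"topic {a} {t}" for a, t in items]
    return "\n".join(lines)

def audit(rules, needs=NEEDS):
    """Return (missing, excess) over read/write on every topic named in needs."""
    topics = sorted({t for items in needs.values() for _, t in items})
    grid = [(u, a, t) for u in needs for a in ("read", "write") for t in topics]
    missing = [g for g in grid if g[1:] in needs[g[0]] and not allowed(rules, *g)]
    excess = [g for g in grid if g[1:] not in needs[g[0]] and allowed(rules, *g)]
    return missing, excess

if __name__ == "__main__":
    for name, text in (("post", PAGE_ACL), ("per-need", render_acl(NEEDS))):
        print(name, [len(x) for x in audit(parse_acl(text))])  # [missing, excess]
```

Against the post's ACL the audit finds no missing access and 15 read/write permissions beyond the stated needs; the per-need ACL produced by `render_acl` leaves none, at the cost of one rule per topic.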

4) Save and profit ??

Save all the settings and make sure they’re right.  Normally I wouldn’t recommend it, but it may be useful to write down the usernames and passwords of all the accounts.  This could save a lot of confusion with all the different accounts.  (Of course you should destroy the passwords after.)

Be sure to restart both the Mosquitto server and Home Assistant (if you’ve got it running) so that the changes can be applied.

sudo service mosquitto restart
sudo service homeassistant restart

 

Let me know how you go or if you run into trouble in the comments below.  I couldn’t find much documentation on actually implementing ACLs and multiple user accounts so hopefully this makes it easier for others.

How to use Espressif SDK functions in the Arduino ESP8266 IDE

I found myself wanting to use one of the Espressif SDK functions in the ESP8266 Arduino IDE.  It took me longer than it should have to work it out so I thought I’d share it!  The first step is to make sure you’ve got the ESP8266 library and boards set up properly.  (see the documentation)  In the sketch you’d like to include the Espressif function in, paste the following at the top:

extern "C" {
    #include "user_interface.h"
}

Just replace “user_interface.h” with the header name the Espressif documentation tells you to use.  This tells the Arduino IDE to include the Espressif library (which is a standard C library).  This little trick should also work for any standard C library.

The correct name for each API can be found at the top of the relevant espressif documentation page. (their documentation – choose the latest “NON-OS SDK”)  Here is an example of the force sleep api:

Make a 10 way Li-Ion battery charging station for $10

So my DIY Powerwall (like the Tesla one) project is moving along quite nicely.  I’ve just finished my mass charging station design and I’m quite happy with it.  This design is a lot simpler/easier to make (for most people) than my normal designs.  It doesn’t require any laser cutting because the laser cutter at HSBNE (brisbane hackerspace) was out of action briefly.    It still requires 3D printed parts but a bit of extra work means you can use the normal 18650 holders.

The Components

1) Ply wood mounting plates.

I used two rectangular plywood plates that I cut out by hand.  (yes, I didn’t use a laser cutter 😉 )  The top one is for mounting everything to, whilst the bottom one is to allow for a level bottom and to hide all the wiring.  Cut out the two plates so you can fit everything on with some room around the edges for the wiring.

2) 18650 Chargers (TP4056)

These are one of, if not the cheapest Li-ion/LiPo battery chargers that exist.  It’s an all in one board with through holes for 5v in and a battery output.  They will charge any Li-ion or LiPo battery up to full from either a USB connection or 5v to the two pads either side of the USB plug.  The cheapest place to get them I found was Aliexpress.  (I got mine for 30c each on the 11/11 sale!)


3) Computer power supply

Any generic 5v power supply will work.  However, you’ll need quite a lot of current to charge more than a couple of batteries at once.  Old (or new) computer power supplies are perfect.  Most can supply around 30 amps on the 5v rail.  Each battery needs about 1 amp so this means it should be good for about 25-30 batteries at once.

Tech Tip: Some power supplies only watch the 12v line for voltage drop, so if there is no load the 5v rail could drop below 4v!  The easiest way to fix this is to put a load on the 12v rail.  I find that adding a few 12v fans to cool the chargers down helps.  See below for the optional monitor.


4) Wiring, connectors and (optional) fan

You’ll need a bunch of wiring and a connector if you want to easily disconnect it from the power supply.  I find old network cables are great for this job.  A single 5m network cable has about 40m of wiring in it!  The wires are tiny and can carry enough current for this job, making them the perfect fit.  Solder one wire to each + and – near the USB connector, join them all up and use some thicker wire to join the bunch to a connector.  Connect the fan to the 12v rail and glue it onto the side.  If you get a small bit of cardboard/wood you can direct the flow a little better.


5) Voltage Monitor (optional)

I bought a few of these voltage monitors off eBay.  They are super cheap and easy to wire, simply put the red wire on the positive side and black on the negative side of whatever you’re measuring.  It even powers itself from the same source.  This is great for watching the voltage of the power supply.     I have mine on the 5v rail of the power supply so you can keep an eye on it.  Cheap Voltage Monitor (eBay link)


fin

Once it’s all put together this is what it looks like.  Quite a good little package I think, and really cheap at about $1 per battery slot.  (assuming you have access to a 3D printer, box of power supplies, network cables and connectors like me 😉 )

sonoff WiFi relays

The sonoff WiFi relays have arrived.  I ended up buying ten of them and 3 motion sensors.  My first impression is that they’re tiny and solid.  They’re much smaller than I thought, which is a good thing!  The case they come in is perfect for mounting inline with something and neatly hides the exposed wires.  For comparison, you can see my old LG G4 phone next to it.

On the inside

On the inside, they look pretty good.  The soldering is done well and the gaps between the mains traces is reassuring.  As you can also see from the picture below there are a few header pins.  These are the programming pins.  Itead has been nice enough to breakout the programming pins into headers to make it easier to reprogram with your own code.


Reliability

I’ve currently had one set up on my desk lamp for the last couple of days.  It has been rock solid and hasn’t experienced any drop outs or glitches.  This was running their stock firmware which allowed me to connect it to their app.  Although I have no intention of continuing to use their app it is miles ahead of the Belkin system.  For example, switching it on or off happens via the internet almost instantaneously.  However the Belkin’s system sometimes takes 10 seconds!


How to make an autonomous car (code included)

Update: the reason the sampled image is such a low resolution is because we don’t have a computer powerful enough to train it.  If we had a much better computer and GPU we could train it at a higher resolution.  (hint hint intel/nvidia 😉 )


I’ve just finished a recent side project with my friend Kendrick. (his GitHub)  We built an autonomous car that you can teach how to drive, then it drives around by itself.  I did all of the hardware/arduino software and Kendrick did all of the machine learning software.  He called his project Suiron and it’s available on GitHub here.  The code running on the arduino is called car-controller and is available on my GitHub here.

Now that you’ve got the links feel free to go and have a look.  Work through the code and try to figure out how it works.  I’ll try to briefly cover the software here but my main focus will be on the hardware.  One thing to note are the open source licenses, all my stuff is GPL and Kendrick’s Suiron project is MIT.

This post is more intended as an overview of how the whole thing works.  If I get time I might turn it into a tutorial on how to get it working yourself.

Before we begin here is a short video of it in action.

Now onto the fun stuff!  How does it work?

The Hardware

These are the main components used.

1) Remote Control Car – we used this car (link) but anything of similar size will work.  As long as it has a standard ESC and Steering Servo.  It comes with a remote control, battery and charger to start with.  I recommend buying a new remote control system. (link 5 below)


2) Intel NUC – The Raspberry Pi doesn’t really have enough power and is ARM based.  An x86 based processor like the i5 in our NUC is much easier to use for machine learning purposes.  The exact one you use doesn’t matter.


3) Battery for NUC – A standard laptop battery bank was used to power it.  This one from kogan gives about 6-10 hours of runtime.  (link)


4) Logitech C920 Webcam – Buy from any reputable retailer.  You could probably use a cheaper model but we had better luck with a C920. (link)


4) Lens filters – if you are operating in any sunlight, you will want a Polarising and ND (Neutral Density) filter.  The camera just can’t cope with the harsh sunlight and shadows so these filters help bring the conditions into something much better.  A variable ND is great as it lets you adjust the “darkness” level.


5) Radio control system – if you intend on doing lots of this stuff then get an FrSky TARANIS.  You won’t be disappointed.  Otherwise, a turnigy 9XR will work just as good.  Make sure you get a receiver too if it isn’t included.


6) You’ll also need an arduino.  I like the Arduino Nano’s because they are super cheap and have on board USB.

If you want some specific help choosing components just leave a comment.

I won’t go into details on how to wire everything as this isn’t a tutorial.  However, If you need some help drop a comment below.  I suggest you learn how an ESC (electronic speed controller) works together with a motor, receiver, servo and battery.  This is a standard setup on normal remote control cars.  Once you understand that you should look at arduino’s and how to use them to blink lights and read inputs.  Read through the arduino code and the wiring should be pretty self explanatory.

How it all fits together

It’s up to you how you put everything together.  I recommend trying to keep everything as low as possible for better stability when driving.  The webcam needs to be mounted up high so it has a better chance of seeing the lane that it’s in.  I just used a square bit of balsa wood as it’s really light and strong, then glued the webcam to it.  Instead of explaining exactly how I mounted everything I’ll dump a few pictures here.  All the white things are 3D printed, but you could easily do it without a 3D printer.


Polarising/ND Filter

The importance of a polarising filter cannot be underestimated.  It reduces reflections and the harsh glare sometimes encountered.  In the image below (credit) you can see how much of a difference a polarising filter can make.  Now water is a bit of an extreme example, but I chose that picture so it’s easier to demonstrate the difference.  In reality, where we’re operating, the difference won’t be so obvious.


The neutral density filter is equally or more important than the polarising filter.  The ND filter is basically like sunglasses for the webcam.  The webcam doesn’t like really harsh light, so the filter reduces the intensity of it without interfering with the image too much.  The picture below (credit wikipedia) shows how much better the right ND filter can make an image in harsh light.


I suggest making the lens filters removable as they will make the image too dark in lower lighting situations.  For example, it was perfect mid day but much too dark a few hours later just before dusk.  I made a simple mount that just uses an alligator clip to hold the filters in place.  The filters are both glued together then onto a small 3D printed right angle mount.


The Arduino

The diagram below shows how everything is hooked up.  Basically the arduino is the “brains of the hardware”.  It reads in the values from the R/C receiver (bottom left) and then decides what to do based on the mode channel.  Dig through the arduino code (link) and see exactly how.  Basically there are 3 modes, manual, autonomous and emergency stop.

In manual mode the arduino reads in the steering and motor values and passes it straight to the motor and steering servo.  In this mode with the right flag enabled, it also sends back over UART what those values are every time it receives a character.  (every time it receives prevents the serial buffer getting full and “lagging”) In autonomous mode the arduino reads inputs over UART from the NUC.  In this mode it receives two messages; steer,x and motor,x where x is the value you want to set it to.  It then writes those outputs to the steering servo or motor.  Finally, emergency stop kills the motor output and straightens the steering servo.  This emergency stop overrides any sort of manual or autonomous control.


The Machine Learning Part

This isn’t my expertise so I’ll briefly summarise what it’s doing.  (not really how it’s doing it, no one really knows)  We used a library called TensorFlow.  It’s an open source machine learning library published by Google and released under an Apache license.  It has a nice Python API and a “no nonsense” C++ API.

Collecting data

This is a really short summary of the whole process.  Each time a video frame is recorded Suiron (software on the NUC) asks car-controller (software on arduino) what the human operator is doing.  Remember, in manual mode the human operator is driving the car around.  Car-controller responds by sending the current steering and motor values back to Suiron.  Suiron takes these values and saves them along with a processed version of the frame.

This process happens at about 30Hz (or 30 times per second) for as long as you record data.  In the final model, we used about 20 minutes worth of training data.  That is 20 minutes of continuously driving around the track.  It may not seem like a lot but it gets repetitive very quickly. 😉  In reality, 20 minutes is nowhere near enough data.  It works great on this particular track with similar lighting conditions but would likely fail if the conditions changed too much.

Training data

Again, I’m not an expert at this but I’ll try to briefly explain how the training works.  Convolutional Neural Networks (CNNs) are weird in the way they work.  It’s impossible to know exactly how or why a CNN works.  Basically, we’re giving TensorFlow the frame and two numbers. (steering and motor)  Then we’re asking it to work out how the frame relates to those two numbers.  After giving it hundreds of thousands of examples (frames) it can try to generalise a model.

Because of the amount of computing power required it takes a very long time to train a good model.  Due to the type of calculations it has to do, TensorFlow runs much faster on a dedicated GPU.  With only 20 minutes of data our model took half a day to train properly.  The training took place in a desktop with a borrowed GTX980, a GPU that’s towards the higher end of consumer graphics cards.

Using the model

You can see it in action in the gif below.  The blue line is what the model thinks it should do, the green line is what I actually did when I was steering it.  Note that this data was not included in the training set, this is to ensure the model works with other data.


Once it has been trained we can then use the model.  Basically, what happens is we collect just a frame from the webcam.  Then we pass it to TensorFlow and ask it to run it through the model.  The model then spits out what it thinks our two values should be, one for steering and one for throttle.  At the moment the throttle is unused and it runs at a constant speed.  However we thought we’d include it just in case we wanted to use it in the future.

sonoff home automation products

I’ve discovered a really cool product that is cheaper to buy than what I was making them for.  Plus it looks a lot neater and is probably safer seeing as I’m not a qualified electrician. 😉

These sonoff “smart switches” (link) are exactly what my home automation system is looking for.  Basically, the sonoff switches have a mains to 3.3v regulator, relay, ESP8266 and a button/LED all on board, for about $5.  The manufacturer has even broken out the serial pins so it’s easy to upload your own code.  I’ve bought about 10 of these little devices after hearing great reviews about them from the internet.

I intend on automating as much as I can with my home.  I’m going to make all the automation switches MQTT compliant, which makes it easier to expand and/or change things around later.  I’m going to be making a personal companion (much like Siri or Alexa) that can answer useful questions and do some cool things around the house.  Eventually, small remote control modules, likely running Raspberry Pi Zeros, will be placed around the house so you can pick one up and ask the house to do things.

I’ll post an update when the sonoff modules arrive and post heaps of pictures!

What is free Software?

I strongly believe in the philosophy of open source and free software. Most of the projects and code I publish on this site and my GitHub are released under the GNU GPL v3 or later license. What is this GNU GPL you say? Well, it’s a type of software license you must abide by. If you’ve ever downloaded a program that asks you to accept something, it’s likely the license agreement. The GNU GPL is great, it lets anyone do anything they want with the software, as long as they pass along the same freedoms.

 


Free software generally has no price attached to it. This means you can download and use the software at no direct monetary cost. However, the greatest benefit is having the ability to modify the code and make changes. This allows you to improve the software and release an even better version for other people to use. This may include adding new features, or fixing problems like bugs and security flaws.

That was a quick overview of what “free” software is and why I love it so much. For more information and some great reading I suggest checking out the GNU project’s website by clicking the link: www.gnu.org

First post!

Hey!

This is my first blog post. The aim is to fill this blog with heaps of projects and lots of random tips and tricks that I find during my day to day hacking. I will also list all the hardware/software I make and make it available for download and/or purchase. Thanks for visiting! 🙂