A blog by Jonas Finnemann Jensen

January 14, 2008
HSH – A simple hash algorithm + embedded webserver
Filed under: Computer,Electronics,English,School by jonasfj at 8:01 pm

Lately I’ve been building a webserver, in school as a light and curtain controller, on top of an AtMEGA168 and ENC28J60, I’ve based it off an article I found at Which by the way is a fine place to order components for personal usage – They’re cheap and they shipped to Denmark in 2-3 days…

Anyway, the webserver software I found sends a plaintext password over HTTP for authentication. This is of course not desirable since anybody with access to the same network link can see the password. This is very bad security, especially if it’s a wireless link. And who would want a light and curtain controller if the neighbor kid suddenly hacked it.

Therefore I decided that I needed a secure authentication method. Asymmetric cryptographic algorithms are already out of the question since I’m working on a microprocessor with 16kbytes program memory. I tried to find a conventional md5 or sha1 implementation, however they were very easily too big in program size and inefficient. So I looked around and found HSH 11/13 by Herbert Glarner.

HSH 11/13 looked to be efficient, small and easy implement. Later I discovered that with my lack of experience with bit manipulation in C ladder was not true. However, I did manage to get an implementation working, it’s written in C and I’ve tested it with GCC and AVR-GCC against glibc and AVR-libc respectively. You may download it here:

Now having a webserver with a serverside hash algorithm doesn’t solve the issue. The client needs to have the hash algorithm as well. Therefore I wrote a compatible implementation of HSH 11/13 in Javascript. This may seam rather weird, and it’s sure not efficient anymore. I’ve only tested the script in Firefox 2.0, however I’d imagine that it works in other browsers as well. You may download the Javascript implementation here:

Like I said before this may seam rather weird, as the webserver isn’t capable of serving pages as big as the Javascript implementation. However the solution is to let the main page of the embedded webserver be:

< script src = '' > < / script>

Where “” is a file located on a remote ordinary webserver, e.g. not served from the embedded webserver. The included Javascript file then writes an entire web 2.0 application using “document.write”. Once the web 2.0 application have been loaded it can use AJAX requests and the HSH 11/13 implementation to communicate with the embedded webserver.Apart from the main page, a simple AJAX API is all the embedded webserver needs to host. Authentication against the webserver may then be done using a HSH hashsum of a timestamp + password + data, referred to as token. Where timestamp, data and token, are send everytime an API request is made. The embedded webserver then knows the password and generates the token from the given timestamp and data, one can then authenticate the request by comparing the generate token with the received token. Note, it may not be desirable to keep track of time on a embedded webserver, so it’s easier to just check if received timestamp is bigger than the latest received timestamp, and then save the timestamp for later use.

January 12, 2008
Release of TheLastRipper 1.3.0 for Windows
Filed under: English,TheLastRipper by jonasfj at 9:35 pm

Development on TheLastRipper have been stalled for a while, but thanks to Andreas’ work we’re now able to release TheLastRipper 1.3.0 for Windows. It features:

  • New GUI station selection improvements.
  • Using the new protocol version 1.2 (Skip now works!).
  • Additional management features like skip songs already recorded.
  • A few other minor details…

This release is largely created by Andreas, since I haven’t really had time for it. Which is also why it’s not ported to Linux yet, though the executables with Windows.Forms GUI runs fine under Mono/Linux, we’d like a GTK# GUI because it’s much prettier. I hope I’ll find time to do a Linux port soon…

Now some might be wondering why it’s called version 1.3.0 and not 1.2.0 – well, what can I say: It’s a “known issue” šŸ™‚ I think I accidentally incremented it one too much, and since we can’t really delete downloads from GoogleCode it’s going to be version 1.3.0 instead. It would also look weird to have a version 1.2 featured and a version 1.3 deprecated.

Anyway I don’t think the version number thing is so bad either, I think I previously stated that there wouldn’t come a version 1.2.0, because I was going to rewrite the codebase. Because a rewrite would be needed to make a clean, easy portable and extendable backend implementation of the protocol version 1.2. I started development of such a clean backend, but it’s still stuck in development, since I don’t have time for it at the moment.

January 9, 2008
If Birthday(): Year++; //Oh no Iā€™m 20ā€¦
Filed under: English,Personal by jonasfj at 7:32 pm

Well, it happened I’m no longer a teenager, that means I just turned twenty. Unfortunately I guess it’ll also mean that I have to stop always saying what I don’t mean, and start saying what I do mean. No more useless, pointless and weird statements in the interest of a good/funny discussion of a dead topic; nope from now on it’ll just be dead discussions. Everything is serious when you not a teenager anymore, I just realized this morning when I woke… šŸ™‚

Well, apart from the getting more serious less teenager thing, it’s also this year I’m going move away from home, at least it’s my plan to study computer science next year (meaning after summer). With regards to my birthday presents they were all move-away-from-home-stuff, pots and pans you know… But it’s pretty much what I’ve wanted too, though chance are I’m going to stave anyway when moving away from home…