May Contain Traces of Bolts

Refurbishing a coil pack

While my bug-eyed baby is in the shop for a full respray, let’s flash back to May, when I discovered—ironically, while trying to help someone diagnose an ignition issue—that my coil pack was hanging on by the skin of its teeth.

Closeup of the #4-#1 (driver’s left) coil on my 1993 Miata and the tip of the #4 HT lead. Both posts show damage from arcing due to corroded connectors and sockets.

The image to the right shows what an ignition coil is not supposed to look like. I only have myself to blame for not checking the condition of the coils and HT leads before buying the car.

Quick recap: an ignition coil is an engine component that converts the low voltage from the battery to the high voltage required to create the spark used to ignite the fuel-air mixture in the combustion chamber. Coils can be arranged in different ways: a single coil serving multiple cylinders through a mechanical distributor, individual coils for each cylinder, or individual coils for each pair of opposite cylinders. In the latter case, each spark plug fires twice per cycle: once at the end of the compression stroke, to ignite the fuel-air mixture, and once (needlessly but harmlessly) at the end of the exhaust stroke, which coincides with the end of the opposite cylinder’s compression stroke. The Miata‘s four-cylinder B6 engine uses this “wasted spark” arrangement with a coil pack consisting of two coils around a shared laminated iron core, mounted in a frame between the rear of the engine and the firewall. Each coil has two sockets numbered (from driver’s left to driver’s right) #4, #1, #2 and #3. The numbers correspond to the cylinders served by the coils: the left coil serves the rear (#4) and front (#1) cylinders, and the right coil serves the middle two (#2 and #3).

The ignition current is delivered from the coil to the spark plug by an HT lead, which is little more than a high-quality electrical wire with connectors at each end that fit in a socket on the coil and onto the spark plug (with the engine block serving as the return path). If the connection between the HT lead and the coil socket is poor (be it due to dirt, corrosion, mechanical damage or other causes), the current will arc across the gap, resulting in damage to both the lead and the socket. In my case, the arcing developed enough heat to bake the plastic casing, causing it to crumble when I pulled the lead out.

A new coil pack would have set me back quite a bit, so I got hold of a used one and refurbished it. The slideshow below illustrates the process.

This is the used coil pack I got hold of from a fellow member of the Norwegian Miata club. The mounting bracket is broken, but that doesn’t matter since I can reuse the bracket from my original coil pack.

The input terminals after removing the caps (visible in the background). The bottom leads supply power, the top leads control the ignition.

Disconnecting the wiring from the input terminals.

I cleaned all exterior surfaces as best I could by first wiping the grime off with a soft cloth soaked in naphtha, then rinsing the parts with water before drying them with a clean rag.

Coarse tissue paper and cotton swabs for hard-to-reach nooks and crannies.

The #4 socket has visible corrosion (verdigris), while the #1 socket is almost pristine. The #2 and #3 sockets don’t look too bad apart from some dirt and deposits. Note that the #4 and #2 sockets seem to be made of brass or some other copper alloy while the #1 and #3 sockets seem to be made of steel.

A closer look at the corrosion in the #4 socket, after I had tried to clean some of it off with cotton swabs soaked in naphtha. I could have done a better job on the casing…

Carefully brushing the sockets with a Dremel #537 brass wire brush at 15,000 rpm. Harder than it looks, because the brush is quite narrow (I tried to bend the wires into more of a cone shape, but didn’t have much luck) and I couldn’t angle it much without hitting the rim of the socket with the brush spindle.

The result of about an hour’s work with the Dremel. No corrosion or dirt left except in the retaining groove (barely visible about halfway up the socket) which I simply couldn’t reach.

Once again: naphtha, water and a dry cloth.

The wiring also got the naphtha treatment, followed by a liberal dose of isopropyl alcohol on the shiny bits.

Everything goes back where it was. It doesn’t get much simpler than that.

The original nuts and washers look almost like new after a good soak in a cup of naphtha.

I fitted the refurbished coil pack with new 8 mm HT leads and it fired right up. Four months and a few thousand kilometers later and the plugs and sockets are still shiny.

The only issue remaining is that the new coil pack’s bracket is cracked, as shown in the pictures above. The old coil pack has separate cores for each coil, while the new one has a shared core for both coils, so while the brackets are nearly identical, the screw holes don’t line up. I need to drill new holes in the old bracket so the new coil pack will fit. I didn’t have a drill bit of the correct diameter available and was impatient to get the car back on the road, so I’ve been driving around with a cracked bracket. It hasn’t shaken loose yet—knock on wood.

If any other Miata owners read this, I’d love to hear from you about the condition of your coil pack and especially about any uneven wear or corrosion on coil sockets and HT lead tips. I have a hunch that the #4 socket is particularly vulnerable, although I have no idea why.

OpenSSH, PAM and user names

FreeBSD just published a security advisory for, amongst other issues, a piece of code in OpenSSH’s PAM integration which could allow an attacker to use one user’s credentials to impersonate another (CVE 2015-6563, original patch). I would like to clarify two things, one that is already mentioned in the advisory and one that isn’t.

The first is that in order to exploit this, the attacker must not only have valid credentials but also first compromise the unprivileged pre-authentication child process through a bug in OpenSSH itself or in a PAM service module.

The second is that this behavior, which is universally referred to in advisories and the trade press as a bug or flaw, is intentional and required by the PAM spec (such as it is). There are multiple legitimate use cases for this, such as:

Letting PAM, rather than the application, prompt for a user name; the spec allows passing NULL instead of a user name to pam_start(3), in which case it is the service module’s responsibility (in pam_sm_authenticate(3)) to prompt for a user name using pam_get_user(3). Note that OpenSSH does not support this.
Mapping multiple users with different identities and credentials in the authentication backend to a single “template” user when the application they need to access does not need to distinguish between them, or when this determination is made through other means (e.g. environment variable, which service modules are allowed to set).
Mapping Windows user names (which can contain spaces and non-ASCII characters that would trip up most Unix applications) to Unix user names.

That being said, I do not object to the patch, only to its characterization. Regarding the first issue, it is absolutely correct to consider the unprivileged child as possibly hostile; this is, after all, the entire point of privilege separation. Regarding the second issue, there are other (and probably better) ways to achieve the same result—performing the translation in the identity service, i.e. nsswitch, comes to mind—and the percentage of users affected by the change lies somewhere between zero and negligible.

One could argue that instead of silently ignoring the user name set by PAM, OpenSSH should compare it to the original user name and either emit a warning or drop the connection if it does not match, but that is a design choice which is entirely up to the OpenSSH developers.

Update 2015-08-27 NIST rates exploitability as “medium” rather than “low” because an attacker who is able to impersonate the UID used by the unprivileged child can use a debugger or other similar method to modify the username that the child passes back to the parent. In other words, an attacker can leverage elevated privileges into other elevated privileges. I disagree with the rating, but have never had any luck getting NIST to correct even blatantly false information in the past.

On molar mass and ideal gas

I recently started reading Andy Weir’s The Martian which is supposed to be the hardest of hard science fiction, written by the son of a particle physicist and scientifically accurate in every possible respect. We’ve heard that story before, so I was not surprised to find the first error (claiming that desiccated stool would be completely free of bacteria) about 13 pages in. Then I got to page 24 and it got bad. Really, really bad. Bad enough that I wouldn’t be surprised if Weir’s physicist father disowns him.

The protagonist, astronaut Mark Watney, is stranded on Mars and believed dead. He has calculated that he has no chance of surviving until a rescue mission arrives (not least because he has no way of informing anyone that he is still alive), but decides to try anyway. He plans to grow food inside the habitat using a mixture of Martian soil, Terran soil that was brought along for experiments, and his own waste. But he needs water:

There isn’t a lot of water here on Mars. […] I’ll have to make it from scratch. […] Take hydrogen. Add oxygen. Burn.

Burning a stoichiometric mixture of hydrogen and oxygen is actually very dangerous, which is not mentioned, but Watney does reflect on the danger of extracting hydrogen from hydrazine, so I’ll let it slide. But let’s see how he plans on obtaining oxygen:

I have a fair bit of O₂ reserves, but […] only enough to make 100 liters of water (50 liters of O₂ makes 100 liters of molecules that only have one O each). […] That’s where the MAV fuel plant comes in. […] Once I get the fuel plant hooked up to the Hab’s power, it’ll give me half a liter of liquid CO₂ per hour, indefinitely. After ten sols it’ll have made 125 liters of CO₂, which will make 125 liters of O₂ after I feed it to the oxygenator.

Now for hydrogen, from what’s left in the hydrazine-powered descent module’s fuel tanks:

Each molecule of hydrazine has four hydrogen atoms in it. So each liter of hydrazine has enough hydrogen for two liters of water.

The first red flag is that Watney uses units of volume instead of mass, which is inappropriate when calculating quantities for a chemical reaction. Watney is a mechanical engineer and would have been thoroughly trained in the correct use of units, even if chemistry is not really his field. I also doubt he would use the chemical formulas for carbon dioxide, water etc. in daily conversation or in a diary destined for laypeople, but I understand why Watney (or rather Weir) did it: he wants the reader to be able to count H’s and O’s and follow Watney’s calculations. Unfortunately, his calculations are unsound, because you have to add up mass, not counts.

It is not initially clear whether Watney is talking about gases, liquids or solids. Since he will be working in the habitat, close to standard conditions of temperature and pressure, it is not unreasonable to assume that the CO₂, O₂ and H₂ are in gas form and the H₂O is liquid. But it seems Watney himself is confused: when he says that the fuel plant will make “125 liters of CO₂, which will make 125 liters of O₂” in ten sols, he is right… if he is talking about gases, but not if he is talking about liquids (“it’ll give me half a liter of liquid CO₂ per hour”).

In reality, 1 l of liquid CO₂ at a density of 770 kg·m^-3 contains (770 / 44) * 32 = 560 g of oxygen, barely enough for 0.5 l of liquid O₂ at a density of 1141 kg·m^-3. Since 1 l of water requires (1000 / 18) * 16 = 889 g of oxygen, 1 l of liquid CO₂ will only provide enough oxygen for 0.63 l of water.

Meanwhile, 1 l of liquid N₂H₄ at 1021 kg·m^-3 contains (1021 / 32) * 4 = 128 g of hydrogen, which is enough for slightly more than 1 l of water ((1000 / 18) * 2 = 111 g), not the 2 l Watney claims.

It would be different if he was operating exclusively with gases. Assuming the ideal gas law is sufficiently accurate (which depends on temperature, pressure and molecule size), and assuming conditions of temperature and pressure under which carbon dioxide, hydrazine and water are all in gas form, one liter of carbon dioxide and one liter of hydrazine vapor contain enough hydrogen and oxygen for two liters of water vapor (which is not the same as steam) plus one liter of nitrogen and a few grams of solid carbon.

Finally, Watney mentions that some of the reactions he relies on are extremely exothermic, but not that releasing liquid carbon dioxide into the habitat’s atmosphere will dramatically lower the temperature. The exterior temperature is never mentioned, so I cannot comment on the effect of bringing in soil and hydrazine, nor on the state of the hydrazine, which has a melting point of 2 °C and is therefore very likely to be frozen solid.

I’ll keep reading, for the same reason I sometimes watch CSI (but not CSI Miami): the story and characters are sufficiently engaging that I can overlook the bad science, as long as they’re not waving it in my face. The Martian is flying dangerously close to Gap territory, but at least the text flows well and the characters are likable. For now.

Mechanical Advantage

New rims¹ on my little bug-eyed baby, because one of those that came with it was bent (not noticeable to the naked eye—I only found out when I went to have them rebalanced). I also removed the spacers that a previous owner had mounted on the rear wheels. This made a world of difference. The ride is much smoother, and the car now absorbs bumps and potholes firmly instead of crashing over them.

This is basic physics. Spacers increase the mechanical advantage of the wishbone² and necessitate upgraded springs and shocks, whereas this car came fitted with aftermarket shortened springs and adjustable shocks which seem to be set to the firmest setting (I can’t easily check because the adjustment knobs are missing). I also think lateral stability improved a bit, but I’m still not entirely satisfied. However, I’ve already blown over £1,000³ on parts, so new tires will have to wait.

I also replaced the PCV valve and grommet in the hopes that it would ameliorate the idle speed issues, but it didn’t. I will probably have to refurbish the ISC valve and / or the air valve; my guess is that some of the moving parts in the air valve stick when cold. The new PCV valve and grommet should however stop aerosolized engine oil from spraying all over the camshaft cover and inlet manifold.

Next project for a rainy day: clean and polish the camshaft cover and replace the leaky gasket.

These are the downsides to buying a 22-year-old sports car whose previous owners thought they knew what they were doing…

¹ Martins Image Arctis 7″×16″; it’s hard to find sporty rims in that dimension. I have a set of the relatively rare love-’em-or-hate-’em stock Mazda 14″ “daisy wheel” rims, but they need sanding and respraying, and the hubcaps are missing. I might just PlastiDip them for now and use them for snow tires.

² A double wishbone suspension is not a classical example of lever and fulcrum, because the effort (weight of the car on the wheel) and resistance (spring) are on the same side of the fulcrum (inboard end of the wishbone). However, the principle and the equations are the same.

³ I get most of my parts from the UK, which apparently has a *huge* market for new and used MX-5 parts.

SSLv3

UPDATE 2014-10-14 23:40 UTC The details have been published: meet the SSL POODLE attack.

UPDATE 2014-10-15 11:15 UTC Simpler server test method, corrected info about browsers

UPDATE 2014-10-15 16:00 UTC More information about client testing

El Reg posted an article earlier today about a purported flaw in SSL 3.0 which may or may not be real, but it’s been a bad year for SSL, we’re all on edge, and we’d rather be safe than sorry. So let’s take it at face value and see what we can do to protect ourselves. If nothing else, it will force us to inspect our systems and make conscious decisions about their configuration instead of trusting the default settings. What can we do?

The answer is simple: there is no reason to support SSL 3.0 these days. TLS 1.0 is fifteen years old and supported by every browser that matters and over 99% of websites. TLS 1.1 and TLS 1.2 are eight and six years old, respectively, and are supported by the latest versions of all major browsers (except for Safari on Mac OS X 10.8 or older), but are not as widely supported on the server side. So let’s disable SSL 2.0 and 3.0 and make sure that TLS 1.0, 1.1 and 1.2 are enabled.

Continue reading “SSLv3”