Reviews

GL.iNet Comet 5G Review

2026-04-21 IT Reviews

One of the downsides of self-hosting critical applications like email on your homelab is that if you lose connectivity, especially when you are travelling, you are out of luck. It’s happened to me twice. The first time I had to ask a colleague (Hi Jason!) to go get my spare keys from the building super and reboot my home server. In the other instance, I walked my wife over the phone through the steps of rebooting our OpenBSD home router that runs on a somewhat dubious computer sourced from AliExpress with an Intel N100. I actually ordered an industrial-grade Asus NUC 13 Rugged N50 to replace it, but in a variant of the Heisenberg effect, the original machine started working flawlessly, go figure.

On some of my HP machines (Z workstations and EliteDesk 8xx Mini), the firmware includes Intel AMT/IME ~~spyware~~ management firmware. You can install the MeshCommander software to get a poor man’s version of the IPMI remote management facility included in most servers. IPMI usually includes remote KVM, i.e. being able to control the computer over the network as if you were directly in front of its keyboard, mouse and monitor. KVM stands for Keyboard, Video and Mouse, although most KVM systems also give you the ability to insert a virtual USB drive to boot into diagnostics or a rescue drive. This allows access to the BIOS and other things you can’t do from the OS itself, or recover if the OS itself has crashed.

To resolve this vulnerability, I have been equipping the majority of my key machines that don’t have Intel AMT with physical IP KVM devices. These used to be very expensive and required having some cursed version of the Java plugin installed in your browser, but recently the Pi-KVM project has opened up the market and there are now a host of relatively inexpensive (in the $100 range) devices available like the JetKVM and GL.iNet’s Comet line of IP KVMs.

GL.iNet is known for its well-regarded line of travel routers like the tiny but mighty Mango, but has been expanding into IoT and now IP KVMs. That line is now quite extensive, with:

The basic Comet GL-RM1.
A variant with PoE, the GL-RM1PE which also supports USB-C PD for power.
A pro variant, the GL-RM10 (I haven’t tried it).
More interestingly, a 5G cellular equipped model, the GL-RM10C.

Like their travel routers, the KVMs have an open operating system based on Linux with SSH and root access, and excellent support for VPN protocols actually invented in this millennium, i.e. WireGuard rather than hoary L2TP, PPTP, IKE/IPsec or OpenVPN.

I have a basic Comet, two PoE powered ones and the 5G cellular one attached to the router.

Due to the exhaustion of available IPv4 address pools, almost all cellular carriers today use some form of Carrier-grade NAT (CGNAT), which means you do not have a permanent IP address for your mobile device. Some cellular carriers will offer plans with static IP addresses, but they are extremely expensive including the per-kilobyte charges because this is a niche market, primarily enterprises wanting remote monitoring and access to satellite offices.

GL.iNet offers a cloud service for remote access and also supports Tailscale and ZeroTier. Either of these would obviate the need for an exotic data plan SIM. I don’t trust the cloud, however, and find Tailscale too invasive, so I opted instead to set up WireGuard between the GL-RM10C and a cloud server, with routes forcing it to use the 5G wwan0 interface instead of Ethernet for the tunnel.

The /etc/wireguard/wg0.conf config on the server is:

[Interface]
Address = 192.168.2.1/24, fddd::ffff/64
ListenPort = 45340
PrivateKey = <redacted>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;ip6tables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;ip6tables -D FORWARD -o %i -j ACCEPT
 
[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.2.2/32, fddd::1/128

on the GL-KVM, it is:

[Interface]
Address = 192.168.2.2/24, fddd::1/64
#ListenPort = 45340
PrivateKey = <redacted>
 
[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.2.0/24
Endpoint = <redacted>:45340
PersistentKeepalive = 30

Add opening UDP port 45340 on the firewall, and on the KVM a /etc/init.d startup script to call route add <ip of server> wwan0 and wg-quick up wg0 at boot time, that establishes the tunnel. Since the IPs on either end are not routable, I also have HAProxy running in TCP mode on the server to allow access from the Internet:

global
    log /dev/log local0
    log /dev/log local1 notice
    daemon
    user nobody
    group nobody

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend https_in
    bind <redacted>:443
    default_backend wg_https_out

backend wg_https_out
    mode tcp
    server wg0_peer 192.168.2.2:443 check

I have a £5/month SIM card and plan installed, with a 5GB quota. I only start HAProxy when I actually need it so I don’t waste any of it on script kiddies trying to break in.

The user interface is largely the same across the entire GL.iNet KVM product line, is excellent, uses native Web technologies and WebRTC to provide the remote video, so no janky VNC plugins or Java required. The video is crisp, as can be expected from a purely digital signal path, and I haven’t noticed compression artifacts, even when running over cellular.

It does have the same problem as almost all IoT devices with a Web UI, of not being able to self-provision a TLS certificate. I modified my monthly Let’s Encrypt certificate rotation script to copy the keys and certificates to /etc/kvmd/user/ssl/server.{key,crt} where the firmware expects them to be. There is an IETF effort to fix this once and for all, but it is still very much work-in-progress and probably still too complex for the average consumer to deal with.

It’s also worth noting the 5G in the Comet 5G is RedCap (reduced capability), which is a cheaper and more power-efficient version of 5G that is capped at around 100Mbps instead of the gigabit speeds full-fat 5G offers. This is unlikely to be an issue for this class of devices, as people are not buying them to play Doom remotely.

What you don’t get with the Comets is the ability to remotely power-cycle the machine you get with IPMI or AMT. They have an accessory for computers with ATX motherboards, but I haven’t had one in ages, and a Rube Goldberg-like contraption poetically named Fingerbot that physically pushes the power button. JetKVM does have an accessory that interposes between computers with a barrel DC connector and their power brick, to allow turning them on and off. Let’s hope GL.iNet is inspired to make their own, and also a USB-C one while they are at it. In the meantime, I plan on using a smart-home type Wi-Fi-controlled power switch running Tasmota to do forced power cycles.

I also have a JetKVM. It’s a cute little device, very compact (but surprisingly heavy), and I am planning to add it to my portable computer-maintenance toolkit rather than keeping it stationary like my Comets.

Canon Powershot Zoom review

2020-11-22 Photo Photo galleries

TL:DR A nice toy, useful for documentation purposes, but don’t expect amazing image quality.

I just received my Canon Powershot Zoom yesterday. It’s a relatively compact digital camera shaped like a monocular. Size-wise, it is comparable with monoculars like my Leica Monovid or Nikon 7x15 HG.

It’s not actually a zoom, but rather it offers 100mm-e and 400mm-e discrete magnifications (with nothing in-between), and a 800mm-e digital zoom setting that is best ignored. It will take 4000x3000 images or 1080p25 (if set to PAL) at 30Mbps. There is no built-in memory, you have to use a microSDXC card, in my case a 64GB one, there is no specified upper limit.

On paper it looks like an ideal birdwatcher’s camera, since the 400mm-e is roughly the same magnification as a pair of 8x magnification binoculars, but Canon’s specifications list it as 4.8x (and 9.6x for the digital zoom, which is closer to 8x as seen through my Swarovski NL Pure 8x42 binoculars). This suggests the EVF is a 60% magnification type. The actual focal length is 55.5mm on a 1/3" type sensor (actually the center of a 1/2.3" sensor) with a diagonal of 8.467mm, which compared to the 40mm diagonal of a 24x32mm 4:3 crop of a 24x36mm full frame would be 262mm-e or 5.24x magnification, not 400mm-e, so Canon’s specs are somewhat dubious, unless the equivalence is calculated from the 1/2.3" sensor size, but then why throw away those pixels?

That said, the 2.36 Mdot EVF resolution (so 0.8 MP, or basically 1024x768) is not on par with quality birdwatching optics and the field of view is tunnel-like. A 62cm ruler fills the horizontal width at 7.26m at the 400mm setting, so 85m at 1000m, thus 4.9º real horizontal field of view¹ And using the 4.8x magnification quoted by Canon, about 23º apparent field of view², which is abysmal. In comparison the Nikon 5x15 HG monoculars have a 43º AFOV , and full-size binoculars are considered mediocre if they don’t get at least 55º, and that understates the case since the field of view is a 4:3 rectangle, not a circle, so only 61% the AFOV³. Furthermore, the EVF is prone to blown highlights or muddy shadows in scenes with wide dynamic range. Eye relief for glasses is fine, and there is a tiny wheel for diopter adjustment. This gadget will not replace real optics anytime soon.

The image stabilization is a 4-axis lens-shift type, and quite effective while viewing, slightly less so for video.

The user interface is very basic given the few buttons available. I think the prominent zoom button on top would be better used as the photo-taking button, vs. the smaller and more fiddly one at the bottom. It would also be nice for the camera to remember the previous magnification setting rather than defaulting to 100mm-e every time it is powered on. There is a smartphone app that allows image transfer over WiFi and geotagging using the phone’s GPS, but I haven’t tested that functionality.

With a sensor that puny, you can’t expect amazing results. At night, the image quality falls apart. In the daytime, it has to crank up the ISO to have sufficient shutter speed to avoid motion blur, even with stabilization, aiming at 1/500 shutter speed when at the 400mm-e setting.

Scene at night
© Copyright 2020 Fazal Majid, All rights reserved.

Magpie in a tree
© Copyright 2020 Fazal Majid, All rights reserved.

Magpie in flight
© Copyright 2020 Fazal Majid, All rights reserved.

City rooftops
© Copyright 2020 Fazal Majid, All rights reserved.

Pigeons splashing in a gutter
© Copyright 2020 Fazal Majid, All rights reserved.

There are still planes flying, who knew?
© Copyright 2020 Fazal Majid, All rights reserved.

Here is a sample video (30MB H.264 in Apple Compressor, the 90MB original is here).

Inexplicably, Canon did not include a lens caps to protect the objective lens, so I designed and 3D-printed my own (the OpenSCAD source is here and gcode for Prusa i3 MK3S here). It would be much harder to make a lens cap for the eyepiece, but that’s less critical as it has no bearing on picture quality.

2×arctan(0.62/2/7.26)×180/π ↩︎
2×arctan(4.8×0.62/2/7.26)×180/π, see the revised ISO standard for details ↩︎
4×3/π/(5/2)² ↩︎

Withings smart baby monitor review

2012-03-24 IT Stuff Reviews

One of the ~~joys~~ challenges of being a first-time parent is being exposed to a bewildering array of gadgets and equipment required to care for the baby, from baby car seats, strollers and diaper pails to 2-axis rocking robots (thanks Rohit!). There is an entire cottage industry of books like Baby Bargains that help you navigate through the confusing and sometimes questionable or outright unnecessary choices.

I have a Withings body weight scale that I really like and I was excited to learn they were going to release a networked video baby monitor. It took a while to get to market in the US, however, so in the interim I purchased a Philips Advent DECT digital baby monitor, which ended up unusable in practice, because its microphone sensitivity is so poor that you can barely hear anything. When the Withings baby monitor finally became available in the US, I immediately ordered it.

Withings is clearly taking design cues from Apple, from the lavishly designed packaging to the glossy white plastic RoundedRect aesthetic and the use of a magnetic clip to attach the baby monitor to the crib. The clip is serviceable, but the magnets are not quite strong enough to hold the unit firmly onto the crib. I would not trust it to keep the monitor from toppling when the baby grows and kicks at the crib. Fortunately they also include a flip-out tab on the base of the unit that can be inserted into a slit on the clip to prevent sliding, although it is not obvious and it took me a while before I discovered this key feature.

The wall wart is a generic black model with swappable AC prongs for international markets, and detracts from the overall package, but since the monitor has a micro-USB input, you can always use another standard AC to USB type A adapter like the iPhone’s, with a USB type A to micro-USB cable. A rechargeable battery is included, with 2 hours’ claimed life, I did not verify that spec.

The initial out of the box experience is good: you connect to the device from your iPhone or iPad using Bluetooth (no messing around with a USB cable as with the Withings scale), enter the WiFi settings in the Withbaby app, and then use WiFi to access the device afterwards. It is as streamlined an experience as you can expect without a keyboard on the unit. There is also an Ethernet jack (it is unclear whether it supports power over Ethernet), but my house was built in 1928 and is not wired upstairs where the baby lives.

Once you enter your credentials into the app, it connects to the monitor and shows you the video and sound. If you put it in the background, you have the option of monitoring audio. Withings will also send you alerts via push notifications if the temperature or humidity is excessive, or if it detects noise or motion. The default settings are way too twitchy, however, and you will find yourself disabling audio notifications as the deluge of alerts is just too much.

The device includes a night light with selectable color, a lullaby player, and the ability to speak to your baby, all controlled through the app. At the front you also have touch controls to turn some of these features on. This is actually a bad idea, as on two occasions I started the lullaby by accident as I was fumbling with it in a dark room, and woke up my baby as a result. Another design flaw is the pulsing blue night light when the unit is rebooting, the Airport Express like amber/green status LED in the back is quite sufficient. Frankly the only one of these features that is useful is the speaker, and the ability to stream from your music collection, such as Dr. Harvey Karp’s white noise selections would be preferable to the canned lullabies.

The video camera is advertised as having a 3 megapixel sensor. It has a wide-angle lens and you can “pan” using the usual iPhone or iPad gestures. The lens is a fixed-focus plastic one, and optical clarity is so-so at best, optimal focus seems to be at 50cm or so. One great feature is the monitor has a normal and night vision mode, similar to the one on some Sony HAD camcorders, with an IR illuminator that provides light for the night vision mode. This means you can watch your baby toss and turn in an otherwise pitch-black room.

You can use the baby monitor from outside your network, and it works fine, even over a 3G connection. Withings allows you up to 15 minutes per day, anything beyond that requires paying them $6 for each 100 minutes. Coming on top of an already expensive device, this seems like a naked money grab from anxious parents. (Updated 2012-09-29: remote monitoring is now free and unlimited).

When the unit works, it is absolutely great: good sound sensitivity and the video feature mostly works as advertised. Unfortunately it frequently does not function, and I find myself performing a hard reboot by removing the battery far more often than I would like. Among the pathologies:

Once it falsely reported the unit was closed and thus video inaccessible
Once the camera was in a frozen state, it took a power cycling to get the video moving again.
Yesterday I could not connect at all, no matter how many times I rebooted my Airport Extreme, the monitor and my wife’s or my iPads. Some detective work using a packet sniffer showed the app was trying to connect to babyws.withings.net using HTTP, which is aliased to s11.withings.net, and that server was down. Some of the documentation suggests you can use the Bluetooth connection to access the monitor, but I was not able to figure out how to do this.

This brings me to a crucial point. The baby monitor is a safety device, and it is utterly unacceptable for its functioning to be dependent on a cloud service, which can and will be a single point of failure. It should use Bonjour or similar discovery methods to work on the LAN, and rely on Withings’ servers only when accessing it from outside the home LAN’s perimeter. I wonder if Withings’ eagerness to nickel-and-dime users by charging for outside monitoring led to this critical design flaw.

The bottom line is the Withings smart baby monitor is a very frustrating device, with its obvious potential marred by failures of execution. If it worked consistently, it would be a top-notch product worthy of its Apple inspiration and lofty price tag, but the general lack of reliability means I cannot recommend it until the bugs are ironed out. Consider it an alpha release at best.

Update (2012-09-17):

Here’s how to make the Withings not-so-smart baby monitor more usable:

Remove the battery from the unit and hook up the micro-USB power adapter to a Belkin WeMo remote-controlled power switch. This allows you to power-cycle the baby monitor remotely from the same iPhone or iPad you are using the monitor software on.
Hide the blue led with gaffer’s tape. This prevents the blue light on reboot from waking the baby. Unlike duct tape, gaffer’s tape can be removed without leaving glue residue, although the aesthetics of dark gray gaffer’s tape on the gleaming white unit are questionable at best.
I haven’t tried covering up the touch controls with gaffer’s tape, which would eliminate the risk of triggering a jingle and waking the baby. The WeMo eliminates the need to enter the room and tinker with the baby monitor.

It’s quite sad to have to pay an extra $50 to work around buggy hardware and software, but it makes a big difference.

Update (2013-05-20):

The micro-USB connector failed and the baby monitor is now essentially a doorstop. Not surprising given how flimsy micro-USB is, compared to mini-USB, for insignificant space savings. Micro-USB was a Nokia design rammed through the USB-IF. In theory it has better insert-remove cycle life than mini-USB, but in practice I’ve never had mini-USB fail, whereas it is a frequent occurrence with micro-USB.

Update (2015-08-17):

USB-C is an improvement over micro-USB, hopefully some future version of the baby monitor will use it. Still nowhere near as robust as Lightning or tip-ring-sleeve, though.

The HP-15C was reissued at long last!

2011-09-24 IT Nostalgia Reviews

It is strange no one seems to have picked up the news yet, but HP has reissued the legendary HP-15C in a special “30th anniversary limited edition”, and it became available for purchase last week.

The new HP-15C is not strictly speaking a reissue but a replica, as it does not use the original’s Saturn processor, but instead an emulation thereof running on an ARM CPU. Even emulated, it should be much faster than the original 640 kilohertz processor. I ordered two, and received them today.

As expected, the quality is in line with the current HP-12C, i.e. not as good as the 1980s models in terms of key feel, but still leagues ahead of any competing product. The originals used a special 47-point bonding process to ensure the utmost in rigidity and reliability, I doubt the current model had as much attention paid to detail. It is made in China, obviously, the Corvallis facility is long gone. The slipcover fits very poorly (too tight, and the seams are not trimmed properly) and feels thinner and outright cheap compared to the original. The labels on the keys are accurately positioned, at least, unlike the train wreck that was the HP-12C Platinum. The cheat sheet in the back is a garish black on silver as on the 35S, instead of the original’s silver on black. It also uses two 3V CR2032 batteries instead of the 3 button cells in the original.

Speed-wise, the Limited Edition integrates the normal distribution nearly instantly, when that test that took 34 seconds on the original.

In short: not as good as the original, but still an excellent calculator for those who prize ergonomics.

I love my ISP

2010-12-09 San Francisco Soapbox Reviews

Not only do Webpass give me fast 45Mbps symmetrical access for $45/month, with no capricious restrictions or anticompetitive shenanigans, but they are also real mensches.