Author Archives: justinbaldock

Setting up the Mac for Commander X16 Assembler development

I have been playing around with C64 assembly for a few months and when I discovered the Commander X16 project I wanted to play. I couldn’t find the tools easily on the Mac so I used my virtual Windows 10 machine.

The Commander X16 project is creating a modern 8-bit hobby computer similar to the Commodore 64. The emulator, ROM, programming guides, etc. are available from GitHub.

Recently I worked out a way to do development on the Mac. I needed several tools. The X16 emulator is available for the Mac. Check out the latest GitHub release. Then I used Visual Studio Code from Microsoft.

Then I needed the missing part of the puzzle: a 65C02 assembly compiler that could run on the Mac. The CC65 project includes the assembly tool ca65. The source can be downloaded from GitHub, which I did. On the Mac for Git, I use SourceTree. I then got Apple’s Developer Xcode 10.1. I did not get the latest version because my main desktop is only running Mac OS 10.13. Regardless, it is big: over 6GB to download and almost 13GB installed. Once Xcode was installed I was able to go into the src directory in the cc65 folder and run the make script, which surprised me by working perfectly.

Mac OS 10 terminal window building the cc65 suite of tools.

I recommend using a Git tool and keeping an eye on cc65 because it appears to be getting a lot of updates, mostly for the X16. So you may need to update your local source and re-make when there are updates.

Now I had the basic building blocks. Now time to configure Visual Studio Code. On the left-hand side, go to the 4 squares icon for extensions. Then in the search bar at the top enter cc65. It should find the ‘ca65 Macro Assembler Language Support’ extension. Click on install.

Visual Studio Code – Finding and Installing cc65 extension

Now I needed to configure tasks to point to the location of my ca65 and x16emu. Go to the Terminal menu and select Configure Default Build Task.

Visual Studio Code – Configure Default Build Task from Terminal Menu.

In the next window you can select the default ‘Create tasks.json file from template’.

Visual Studio Code – Create tasks.json file from template

Then select ‘MSBuild Executes the build target’

Visual Studio Code – Selecting the MSBuild template.

You should then have a default .vscode folder and tasks.json file.

Visual Studio Code – Default tasks.json.

I then edited the tasks.json to the below. If you adjust the locations of your ca65 and your x16emu it should work for you too.
Note: You may notice a difference between the image above and the code below. When I initially wrote this post I had just switched to the cc65 suite of tools and I thought using ca65 was the correct command-line tool to create a prg. It isn’t: that created object code, which then needs to be linked using ld65. However, it is possible to use cl65 to compile and link.

{
    // See
    // for the documentation about the tasks.json format
    "version": "2.0.0",
    "tasks": [
        {
            // Assemble and link the currently open file into build.prg with cl65
            "label": "x16-build-ca65",
            "type": "shell",
            "command": "/users/justin/GITHUB/cc65/bin/cl65 --verbose -o build.prg --cpu 65c02 -t cx16 ${file}",
            "args": [],
            "group": {
                "kind": "build",
                "isDefault": true
            },
            "presentation": {
                "clear": true
            },
            "problemMatcher": "$msCompile"
        },
        {
            // Launch the emulator with the build.prg produced by the task above
            "label": "x16-run-prg",
            "type": "shell",
            "command": "/users/justin/Documents/Commander-X16/x16emu_mac-r36/x16emu -prg ${workspaceFolder}/build.prg ",
            "args": [],
            "group": {
                "kind": "test",
                "isDefault": true
            },
            "presentation": {
                "clear": true
            },
            "problemMatcher": "$msCompile"
        }
    ]
}

Once you’ve typed up some assembly, select the file, go up to the ‘Terminal’ menu and select ‘Run Build Task’.

Visual Studio Code – Running build task against assembler file

Down in the lower part of the Visual Studio Code window you should see the build messages.

Visual Studio Code – Successfully building a X16 prg

Now you should have a build.prg file listed in your project. You can select this, go to the ‘Terminal’ menu and select ‘Run Task…’. You should then see a list of possible tasks to run. Hopefully, you noticed in the JSON tasks listing above that I called the 2 tasks “x16-build-ca65” and “x16-run-prg”. If you select x16-run-prg it should run the build.prg you’ve just created. The x16 emulator should launch with your prg loaded.

Note: I did have a problem with running x16emu tasks where the path had a space character. Originally when running x16emu I had a path of “/users/justin/Documents/Commander X16/x16emu_mac-r36/x16emu” and it was reporting an error, file not found at “/users/justin/Documents/Commander”, so I changed the directory to include the – character instead and it works.

Visual Studio Code – Successfully launching the X16emu with the created build.prg

I would encourage any feedback or comments to improve this guide.

Diving back into electronics

As a teenager I had started to study electronics but I never finished my diploma because I got a job, started working and just never looked back.

I recently was looking into the Amiga scene again. The last time I dipped my toes in was over 10 years ago. I found a thriving community of people modding / recreating / having a good time.

I decided I wanted to get back into it.

I have access to the Lydia online learning catalogue so I decided to brush up on my electronics skills and start learning some new ones. CPLD/FPGAs have become cheap and are making custom boards for old Amigas easier than ever to make.

The last week has seen me study;

I am hopeful this will give me a good starting foundation to start making some contribution to this community.

Security Onion and Beats clients

I was setting up a Security Onion server and wanted to use Beats to send the Windows event logs to it. I was having some real difficulty with it. I had configured Security Onion and I had allowed connections to port 5044 using so-allow for all of the network. I thought I had configured Beats correctly in winlogbeat.yml. From the clients I could send syslog fine. But beats would give me the error.

2019-07-29T08:57:05.545+0930        INFO        pipeline/output.go:93        Attempting to reconnect to backoff(elasticsearch( with 64 reconnect attempt(s)

2019-07-29T08:57:05.549+0930        INFO        [publish]        pipeline/retry.go:189        retryer: send unwait-signal to consumer

2019-07-29T08:57:05.550+0930        INFO        [publish]        pipeline/retry.go:191          done

2019-07-29T08:57:05.551+0930        INFO        [publish]        pipeline/retry.go:166        retryer: send wait signal to consumer

2019-07-29T08:57:05.552+0930        INFO        [publish]        pipeline/retry.go:168          done

I could not telnet to, I would get a connection refused. Running netstat -nao showed that my server was listening on port 5044. I was scratching my head. After much googling without luck I stumbled upon this link

The important comment which got me working was “I didn’t remove the one ‘#’ from output.logstash”. It was then that I realised that my winlogbeat.yml had a problem. By default it was sending to output.elasticsearch, to the correct host and port but the wrong connection. After commenting out output.elasticsearch, un-commenting output.logstash and restarting the service, my pesky errors went away and I started to get data in Elastic.
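The change described above, sketched as an added example rather than the author's actual winlogbeat.yml. `SECONION_HOST` is a placeholder for the Security Onion server address, and the commented-out lines follow the layout of the stock winlogbeat.yml.

```yaml
# --- Before: the state behind the "backoff(elasticsearch(" reconnect loop ---
# The Elasticsearch output is the active one, but it points at the Logstash
# Beats port (5044). Winlogbeat uses its Elasticsearch (HTTP) client against a
# port where Logstash expects the Beats protocol, so it never connects.
# The output type named in the log line is the clue to which section is live.
output.elasticsearch:
  hosts: ["SECONION_HOST:5044"]   # placeholder host, constructed for this example

#output.logstash:
  #hosts: ["localhost:5044"]
---
# --- After: only the Logstash output is enabled ---
#output.elasticsearch:
  #hosts: ["localhost:9200"]

output.logstash:
  hosts: ["SECONION_HOST:5044"]   # the Logstash Beat port opened with so-allow
```

Beats accepts only one enabled output at a time, so the Elasticsearch section has to be commented out, not just left alongside the Logstash one. Running `winlogbeat.exe test output -c winlogbeat.yml` from the install directory shows which output type the client is trying to reach.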

Now it’s time to figure out how to filter the data before it leaves the Windows hosts to reduce the stress on the server system.

Disabling time sync on a Mac guest VM

So I wanted to run some old software which wouldn’t work in 2019 and with newer Mac OS versions. On my iMac I have VMware Fusion installed so I installed Mac OS Sierra and installed VMware Tools so I could drag and drop files between the host and VM. In VMware Fusion I went to advanced and disabled time sync. Should be pretty simple.

On reboot the guest virtual machine was still adjusting time.

So I opened up terminal, ran “sudo su -” to give myself full admin rights and searched for the VMware tools with “find / -name "VMware*"” and found the cli program in “/Library/Application Support/VMware Tools/vmware-tools-cli”.

I ran the program “./vmware-tools-cli timesync status” and found it was disabled.

I adjusted the time and date and then rebooted the VM. The time and date resynchronises to the current date and time again. 

I did a lot of reading and searching. I reset the time and date to the past and ran “/Library/Application Support/Vmware Tools/ –restart” and watched as the time and date reset to current. Ok, so now I knew the program causing it. It was calling “launchctl load \” and pointing it to the config file ‘/Library/LaunchDaemons/’ Reading the plist file I could see it was starting vmware-tools-daemon.

I did more searching and found the following VMware document

vmware-tools-user-guide.pdf

This is where I found out a very important detail about the “Synchronise Time” option above. This option is for periodic time synchronisation. Every minute it will check the guest virtual machine and make sure the time is correct.

However, time synchronisation will also happen after certain operations are done:

  • When you start the VMware Tools daemon, such as during a reboot or power on operation
  • When you resume a virtual machine from a suspend operation
  • After you revert to a snapshot
  • After you shrink a disk

To fully disable time synchronisation you need to edit the VMX file. Shut down the virtual machine and then find the VM file for it. Then control click / right click on the file and select “Show Package Contents”. You should then see a list of files which make up the package. Control click / right click on the .vmx file, select “Open with” and select TextEdit. Now add the below text to disable all synchronising.

tools.syncTime = "FALSE"
time.synchronize.continue = "FALSE"
time.synchronize.restore = "FALSE"
time.synchronize.resume.disk = "FALSE"
time.synchronize.shrink = "FALSE" = "FALSE"

After this adjust the time and date then restart the guest virtual machine. Your guest VM should now maintain its own time and date.

10 things to improve myself

I recently commented on a LinkedIn post by Molly Fletcher (10-things-require-zero-talent-molly-fletcher). I thought it was a good article and I wanted my son to see it. I also thought it was a good reminder for myself. He doesn’t use LinkedIn, so I thought I should lead by example and make a poster to put up at home. Here is the result.

10 things that require 0 talent (A3 pdf)


Home Security Onion experiences – Part 1

Recently my partner was complaining about very poor internet performance from her computer. I looked at it for a while but without a baseline to compare it to I had no idea what was normal. I thought it was time I started using Security Onion to do some snooping on my home network. I had a few spare Mac Minis but they were all much older 32-bit CPU models. That was fine but I really wanted to play with ELK as well. Looking on eBay I saw that the Mac Minis were holding their value way too well for what I wanted. So I purchased an Intel NUC, Celeron J3455 (4 cores @ 1.5GHz) with 8GB RAM. I dropped a spare 500GB SSD into it. I figure for a 3-user household that should have more than enough grunt to do the job. I do classify my household as a high-tech house, each person having smartphones, tablets, work/study computers, gaming rigs, etc.

Being a Mac user at home I needed to find an app to convert the .iso file into a bootable USB. I found that UNetbootin did the job rather nicely. I did have some initial problems with the Verbatim 8GB USB stick. It would not boot. Having a look at the USB stick, it appeared there was only 80MB of files on it, which didn’t seem right. I used a SanDisk 8GB with UNetbootin and there was 2GB of files and it installed Security Onion all OK. So just a warning about old & cheap USB drives.


Installed and rebooted, I called my host seconion. Then ran the Setup, which configured the networking. I was going to admin the NUC over wireless and have it capture everything over the copper. I just needed to figure out which interface was which. I opened up the ‘Network’ window under the top right hand corner. This showed me a Wi-Fi connection but didn’t name the interface. Checking the wired connection displayed the MAC address for it. Opening up a terminal window I typed ‘ifconfig’ to display the available networking. I could see that the copper was enp3s0 and the wireless had to be wlp2s0. It recommended a static IP so I set it to After setting the subnet mask, gateway, DNS I was prompted for the sniffing interface which I set as enp3s0. After that it was another reboot.

After the reboot the wireless no longer connected to my wireless network. A quick bit of googling and I found that was expected. The network configuration script doesn’t handle wireless. Which makes sense in a way because of SSID / passwords etc. Still being new I needed to do a lot more searching before I found a few handy posts. and were the two posts I needed. What I did was

sudo su -

I then copied the resulting hex string. I was going to need that shortly.

vi /etc/network/interfaces
iface wlan0 inet static # dhcp or static
netmask #change this as appropriate for your network, this value is usually right
gateway #change this as appropriate for your network
address #only needed for a static IP address
dns-nameservers #only needed for a static IP address
wpa-driver wext #you shouldn’t need to change this
wpa-ssid YOURSSID #just type the name of your SSID here
wpa-ap-scan 1 #if the name of your SSID is hidden usually, type 2 instead of 1
wpa-proto RSN #if you use WPA1 type WPA (why are you using WPA?!), if you use WPA2 type RSN
wpa-key-mgmt WPA-PSK #usually WPA-PSK (if you share a key) but sometimes WPA-EAP (for enterprises)
wpa-psk YOURHEXKEYFROMABOVE #the hex key that you generated earlier

I then did a reboot and I could now access the wireless network again. I could ping out and other hosts could ping it. That was good enough for now.

Running the setup again, it detects that networking has been configured. It then prompted me to select ‘Evaluation mode’ or ‘Production mode’. For a home network, Evaluation mode sounded perfect. I selected enp3s0 as the interface to be monitored.

The setup script then had me set up a user for Kibana, Squert and Sguil.

A polite pop-up at the end of the install let me know that setup logs were in /var/log/nsm/sosetup.log, and that bro logs would be hiding in /nsm/bro/.
A sostat will give detailed info about service status, sostat-quick will give me a guided tour of the sostat output, sostat-redacted will give me redacted info to share with the Security Onion mailing list.
The downloaded rules from PulledPork were in /etc/nsm/rules/downloaded.rules, local rules should be added to /etc/nsm/rules/local.rules, and I could have PulledPork modify the rules by modifying the files in /etc/nsm/pulledpork/. The rules would be updated every morning and I could do a manual update with rule-update. I could also tune sensors by modifying the files in /etc/nsm/name-of-sensor/.
The 3rd last message was very important and I had glossed over it the first time. The local ufw firewall is configured to only allow port 22. If I needed to connect over other ports I needed to run sudo so-allow.
The 2nd last pop-up was a reminder to check out the website, FAQ, Wiki, IRC channel etc. for help. The very last pop-up of what felt like about 10 was a reminder that professional support was provided if required.

I then modified the firewall. I wanted my host to be a syslog device and I wanted to be able to manage it from my local network.

justin@seconion:~$ sudo so-allow
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[b] - Logstash Beat - port 5044/tcp
[c] - apt-cacher-ng client - port 3142/tcp
[f] - Logstash Forwarder - Standard - port 6050/tcp
[j] - Logstash Forwarder - JSON - port 6051/tcp 
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:

Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor, etc.):
Please enter the IP address of the analyst you'd like to allow to connect to port(s) 22,443,7734:
We're going to allow connections from to port(s) 22,443,7734.

Here's the firewall rule we're about to add:
sudo ufw allow proto tcp from to any port 22,443,7734

We're also whitelisting in /var/ossec/etc/ossec.conf to prevent OSSEC Active Response from blocking it. Keep in mind, the OSSEC server will be restarted once configuration is complete.

To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.

Rule added
Rule has been added.

Here is the entire firewall ruleset:

UFW Rules

To Action From
-- ------ ----
22,443,7734/tcp ALLOW 
22/tcp ALLOW Anywhere 
22,443,7734/tcp ALLOW 
22/tcp (v6) ALLOW Anywhere (v6)

Docker IPTables Rules

To Action From
-- ------ ----

Added whitelist entry for in /var/ossec/etc/ossec.conf.

Restarting OSSEC Server...

I selected a. It was going to open the ports 22,443,7734 but I needed to put in an IP address. I didn’t want a single IP, I wanted a range. So I put

justin@seconion:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22,443,7734/tcp ALLOW 
22/tcp ALLOW Anywhere 
22,443,7734/tcp ALLOW 
22/tcp (v6) ALLOW Anywhere (v6)

I then re-ran it and allowed syslog connections as well.

I was up and running. Now time to plug in between my switch and router.