Author: flihp

I'm me.

thinkpad keys on awesome WM

~ flihp ~ 2 Comments

The last bit of configuration that my laptop required before I’d call it “usable” with the new window manager was related to the function keys. This doesn’t have anything to do with configuring the awesome window manager directly but it does address a few small configurations necessary to provide some functionality that I was used to having gnome do by default.

Linux has great support for Thinkpads in general and my x61s specifically. With basic power management packages installed and the kernel thinkpad_acpi driver loaded not only did S3 work fine but my Thinkpad function key to put my laptop to sleep worked out of the box! The only keys that didn’t work right out of the box were an easy fix.

Screen Brightness

Traveling as much as I do I find that I use the manual controls for screen brightness quite a bit. If you’re on a plane often times it’s really nice to be able to dial down the screen brightness to absolutely minimal levels to preserve your battery and your eyes. The gnome-power-manager is the gnome component that takes care of this and it’s simple enough to install. Nothing interesting here except a new found appreciation for how much Gnome does out of the box and why it’s so big.

Volume and Mute

Lastly configuring the volume buttons was a must. If you’re just interested in getting them to work, install the gnome-settings-daemon and add a command to your rc.lua file to run it. I spent a little time getting to the bottom of it and learned a little bit.

Fire up a terminal and run the xev command to see the keyboard events from each key. A regular keyboard key will generate some output like:

KeyPress event, serial 29, synthetic NO, window 0x1600001,
    root 0x105, subw 0x0, time 316658902, (470,254), root:(472,689),
    state 0x0, keycode 24 (keysym 0x71, q), same_screen YES,
    XLookupString gives 1 bytes: (71) "q"
    XmbLookupString gives 1 bytes: (71) "q"
    XFilterEvent returns: False

KeyRelease event, serial 29, synthetic NO, window 0x1600001,
    root 0x105, subw 0x0, time 316658990, (470,254), root:(472,689),
    state 0x0, keycode 24 (keysym 0x71, q), same_screen YES,
    XLookupString gives 1 bytes: (71) "q"
    XFilterEvent returns: False

Those are they key press and release events triggered by typing a ‘q’. Pressing one of the volume buttons looks a little different:

KeyPress event, serial 28, synthetic NO, window 0x1000001,
    root 0x105, subw 0x0, time 316864564, (132,42), root:(134,477),
    state 0x0, keycode 121 (keysym 0x1008ff12, XF86AudioMute), same_screen YES,
    XLookupString gives 0 bytes: 
    XmbLookupString gives 0 bytes: 
    XFilterEvent returns: False

KeyRelease event, serial 28, synthetic NO, window 0x1000001,
    root 0x105, subw 0x0, time 316864684, (132,42), root:(134,477),
    state 0x0, keycode 121 (keysym 0x1008ff12, XF86AudioMute), same_screen YES,
    XLookupString gives 0 bytes: 
    XFilterEvent returns: False

You’ll notice that they keycode indicates the XF86AudioMute button was pressed this time instead of q but the XLookupString returns 0 bytes.

Basically the three volume buttons are is associated with virtual X keys: XF86AudioMute, XF86AudioRaiseVolume, XF86AudioLowerVolume. It’s pretty straight forward to use xbindkeys to map these to alsa commands to manually mute, raise or lower the volue. My .xbindkeys looked like this:

"amixer  set Master 2dB+"
  XF86AudioRaiseVolume

"amixer set Master 2dB-"
  XF86AudioLowerVolume

"amixer set Master toggle"
  XF86AudioMute

Some prefer to link these keys to the PCM volume control. I found that toggle (as well as mute/unmute) doesn’t work for the PCM channel. I’m honestly not sure what the PCM channel is even for so I reserve the right to change this in the future. There’s lots of howto’s out there with people implementing shell hacks to fake a mute / unmute for the PCM channel using xbindkeys if you’re interested enough to search.

So the above configuration and a quick entry in my rc.lua to kick off xbindkeys was enough to get this working. The one down side to using xbind keys: it doesn’t have a cool little volume indicator that pops up to show the volume level when you press your volume keys 🙂

giving up on sound daemons

~ flihp ~ 2 Comments

After whipping up a quick script to kill and restart jackd when my laptop goes into S3 (/etc/pm/sleep.d) I had a revelation: any processes connected to jackd would have to reconnect. This doesn’t happen and sound is just lost. So for jackd to be usable on a laptop they need to support S3 directly and currently in the Debian unstable repositories Jackd doesn’t.

I gave esound a try in place of jack but with totem esd ran the cpu up to 20% for a flash movie which is pretty nuts. It had a noticeable impact on the video playback so esound got uninstalled as quickly as it was installed.

Finally I just fell back to using alsa directly. This actually worked perfectly and I’m not sure why I didn’t just go this route in the first place.

jackd won’t wake up

~ flihp ~ Leave a comment

My last post ended with me describing some troubles getting jackd to wake after my laptop went into S3. I managed to get some debug info out of jack after running it as a dbus service through qjackctl:

ERROR: JackAudioDriver::ProcessAsync: read error, skip cycle
alsa_driver_xrun_recovery
ERROR: ALSA: channel flush for playback failed (File descriptor in bad state)

The CPU utilization at this point goes way up.

A quick search turns up a Debian bug #601008 and bugs filed against a number of other Linux distros. There’s also an open ticket on this issue in Jack’s tracker.

So all the right people know about the issue. The Jack folks even recommend a very sane work around which is manually suspend and resume Jack before and after S3 (hacking suspend / resume manually). I like the idea of jack getting a notification over dbus even more though. That would be very clean. Hopefully we’ll see some action on this soon. Till then I’m looking for a work around.

Getting Started with the Awesome Window Manager

~ flihp ~ Leave a comment

I’ve been a Gnome user for a while now. It’s been good to me but I’m a minimalist and lately it feels like I’ve been spending a lot of time fighting against Gnome. This past week I bought a new SSD for my laptop but instead of just copying my system over to this new disk I decided to rebuild it from scratch and give the Awesome Window Manager a try.

First off Awesome is beyond minimal. Get comfortable on the keyboard if you give this a try. I’m a huge fan, the less I have to touch the mouse the happier I am. The one thing that gave me trouble was getting my sound up and running. Here’s how I got to a fix:

Autostart

Gnome does lots of stuff for you that I didn’t even know was happening. I’m not going to get into the complicated stuff like auto mounting encrypted volumes (that’s for next time). This time It’s the simple stuff: running daemons when you log in.

The Awesome wiki has an Autostart page that was super useful. I grabbed the simple run_once function and put this in rc.lua. This works for starting stuff like xscreensaver:

run_once("xscreensaver","--no-splash")

The problem I ran into with sound was actually related. Squeeze changed the way the jackd server gets started. There used to be an init script that fired it up but no more. Squeeze dropped this behavior and now pushes off the responsibility to user space applications so if you app expects jackd to be running be prepared to start it.

So after installing banshee it freaked out crapping errors all over the console. There were tons of exceptions indicating that lots of the expected Gnome infrastructure was missing but the one that’s actually relevant to why sound wasn’t working is:

Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started

With an error message that says “… or cannot be started” you’d think banshee tried to start jackd but once I started jackd manually the problem went away. So starting jackd when awesome starts up is the answer!

run_once("jackd","-d alsa -d hw:0")

gnome-power-manager and S3 sleep

If you’re on a laptop like me you’ll want gnome-power-manager running. It’s comforting having that battery icon in the tray right? Anyway just throw it in your rc.lua file same as before. Squeeze has great support for my ThinkPad x61s so all of the acpi tool and even the function keys work great for putting my system into S3.

jackd and S3 don’t play nice

The problem I’m dealing with now is that after my laptop wakes up from S3 jackd is hosed. It doesn’t crash outright but I don’t get any sound from Totem or other media players (yeah I prefer Totem over Banshee) so I’ve gotta restart it after I wake up from a suspend.

I’m not sure how to automate this yet. Hopefully it won’t come down to hacking the suspend scripts directly. I’m not even sure where these live … till next time.

managing IPsec packets with iptables

~ flihp ~ 2 Comments

A few weeks back I upgraded my wireless router and added an racoon based IPsec VPN. When I built my first home router / wireless access point a few years ago I did so to get some experience configuring Linux systems and writing firewall rules. I’ve revisited this script a number of times as I’ve added new functionality to the access point and now I’ve added a few rules for IPsec traffic that I figured were worth mentioning here.

First off the script is a “default drop” policy. This means that any packets that don’t match a rule in the firewall ending in a jump to ACCEPT target are dropped. More specifically the default policy for the input, output and forward chains are DROP:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

This means that any traffic that doesn’t have an explicit rule that allows it to pass will be dropped. The design goal I had in mind is two write all rules that allow traffic to be as exact as possible so as to not match any unintended traffic. This is as close to mandatory access control for network traffic as I can figure.

Rules for IKE exchange

Hopefully I’ll get a chance to publish the whole script but it’s pretty long (600 lines or so) and needs some cleanup. But the rules I’ve added to allow the racoon server are pretty clean and they’re super useful so here they are:

The first stage of establishing the VPN tunnel is direct negotiation between the client and the access point (the wireless router in this case). The racoon server listens on ports 500 and 4500 and it negotiates directly with the clients racoon server on the same ports. I’m including just the raw rules here but you should wrap these up in functions to keep your scripts clean:

iptables --table filter --append INPUT 
  --in-interface extif                 
  --proto udp                          
  --destination ${PUBLIC_IP}           
  --dport 500                          
  --source  0.0.0.0/                   
  --sport 500                          
  --jump ACCEPT

iptables --table filter --append INPUT 
  --in-interface extif                 
  --proto udp                          
  --destination ${PUBLIC_IP}           
  --dport 4500                         
  --source  0.0.0.0/0                  
  --sport 4500                         
  --jump ACCEPT

iptables --table filter --append OUTPUT 
  --out-interface extif                 
  --proto udp                           
  --destination 0.0.0.0/0               
  --dport 500                           
  --source ${PUBLIC_IP}                 
  --sport 500                           
  --jump ACCEPT

iptables --table filter --append OUTPUT 
  --out-interface extif                 
  --proto udp                           
  --destination 0.0.0.0/0               
  --dport 4500                          
  --source ${PUBLIC_IP}                 
  --sport 4500                          
  --jump ACCEPT
}

Notice that I’ve limited the interface through which the IKE traffic can be accepted and transmitted as well as the IP of the server and the source and destination ports. The loosest part is that of the clients IP which we can’t know in advance. These rules are pretty standard, the interesting ones come next.

Rules for VPN traffic

So now our clients can negotiate security associations with the IKE server. This allows them to get IP addresses on the VPN network but they can’t talk to any other systems on the VPN or the other networks connected to the router (my file server etc).

VPN talking to internal network

To enable this we need FOWARD rules allowing traffic from the VPN network (10.0.2.0/24 that arrives on the interface ‘extif’) to go to the other network connected to the router (10.0.1.0/24 that arrives on the interface ‘wirif’). Typically this would look like:

iptables -A FORWARD         
  --in-interface extif      
  --source 10.0.2.0/24      
  --out-interface wirif     
  --destination 10.0.1.0/24 
  --jump ACCEPT

iptables -A FORWARD         
  --in-interface wirif      
  --source 10.0.1.0/24      
  --out-interface extif     
  --destination 10.0.2.0/24 
  --jump ACCEPT

These rules look pretty tight right? We’ve limited the the networks that can communicate and the interfaces on which the traffic should originate. We can do better though.

I’m particularly wary of the interface on the router that’s connected to the internet. The iptables rules above will allow the traffic we want to allow but it doesn’t require that the traffic from the 10.0.2.0/24 network arrive over the VPN! Theoretically an attacker that isn’t on the VPN could spoof traffic with the VPN IP and exchange packets with the protected 10.0.1.0/24 network. This is bad.

Policy Matching

So we need to add to these rules policy that will require the packets come from, and go to the VPN network through the IPsec tunnel. I’d never even heard of the iptables policy module till I was searching for the answer to this problem. Here’s what I came up with:

iptables --append FORWARD    
  --match policy             
  --dir in                   
  --pol ipsec                
  --mode tunnel              
  --tunnel-dst ${PUBLIC_IP}  
  --tunnel-src 0.0.0.0/0     
  --in-interface extif       
  --source 10.0.2.0/24       
  --out-interface wirif      
  --destination 10.0.1.0/24  
  --jump ACCEPT

iptables --append FORWARD    
  --match policy             
  --dir out                  
  --pol ipsec                
  --mode tunnel              
  --tunnel-dst 0.0.0.0/0     
  --tunnel-src ${PUBLIC_IP}  
  --in-interface wirif       
  --source 10.0.1.0/24       
  --out-interface extif      
  --destination 10.0.2.0/24  
  --jump ACCEPT

This allows the two networks to communicate, but this time it specifies that the packets must travel through the IPsec tunnel as we’d expect.

So now our VPN users can connect to the racoon server on the firewall and can talk to hosts behind the firewall. What’s left? Well my router / firewall also happens to have a dnsmasq server that offers clients DHCP leases and DNS service. The DNS service is particularly useful for those connecting to my storage server so they don’t have to memorize IP addresses.

Offering DNS services to VPN users

VPN users should be able to use the DNS service too (they don’t need DHCP since they get their IPs from racoon). The rules to allow this are very similar to the FORWARD rules above:

iptables --append INPUT     
  --match policy            
  --pol ipsec               
  --dir in                  
  --mode tunnel             
  --tunnel-dst ${PUBLIC_IP} 
  --tunnel-src 0.0.0.0/0    
  --protocol udp            
  --in-interface extif      
  --source 10.0.2.0/24      
  --source-port 1024:65535  
  --destination 10.0.1.1/24 
  --destination-port 53     
  --jump ACCEPT

iptables --append OUTPUT        
  --match policy                
  --pol ipsec                   
  --dir out                     
  --mode tunnel                 
  --tunnel-dst 0.0.0.0/0        
  --tunnel-src ${PUBLIC_IP}     
  --protocol udp                
  --source $10.0.1.1/24         
  --source-port 53              
  --out-interface extif         
  --destination 10.0.2.0/24     
  --destination-port 1024:65535 
  --jump ACCEPT

These rules are pretty self explanatory once you understand the syntax. There’s lots of info in these rules too, we identify the direction of the packets through the ipsec tunnel, the endpoints of the tunnel and the standard IP stuff: source address and port, destination and port as well as the interfaces.

That’s it. 8 rules are all that’s required to allow VPN users to connect, speak to hosts on my internal network and to talk to the DNS server. Using the policy match these rules are pretty exact … if there’s anyway I can make them better let me know in the comments.

madwifi on lenny router

~ flihp ~ Leave a comment

For the past two months my day job has taken over my life. As always, during the height of my insane work schedule my wireless router started acting up. I guess I needed something to break so I had an excuse to take a much needed break from work. I’d pretty much forgotten I even had a wireless access point because it had been so long since it required any attention. I learned a few things that are even worth mentioning here in the process

First off the router I had to fix wasn’t an off-the-shelf 802.11 box. It was actually my first PC Engines router built on the old wrap1e103. It ran Debian Sarge and had an Atheros AR5413 802.11abg which was hot shit when I bought it.

Needless to say there wasn’t any reason to try to fix this system. It’s old, tired and wasn’t experiencing any specific problems except running really slow every once in a while. Best bet was to upgrade.

Almost a year ago I blogged about a VPN gateway that I built on a new PCEngines ALIX platform. I drafted that system to replace this dying Sarge box. Upgrading to Lenny and faster hardware was long over due. It wasn’t all smooth sailing though.

Turns out the madwifi drivers are in flux and the drivers available on Lenny are pretty unstable. Luckily a little Googling turned up someone who already did the research for me and solved this problem! Their fix did the trick and likely saved me a full night of scouring the interwebs. Following these directions the madwifi drivers came up fine in hostap mode and were offering DNS and DHCP through dnsmasq within minutes.

I even had enough time left over to set up the VPN so I can login to my home network while I’m on the road. Since I’ve been traveling every other week all summer this is going to come in handy. The iptables rules for this got pretty interesting so I’ll probably post something about that in the near future.

LaTeX for your logic homework

~ flihp ~ 1 Comment

It’s been a long time since I’ve posted. Day job has taken over my life. It’s had me attached to a keyboard working 12 hour days for pretty much a month now. I haven’t had much chance or desire to geek out after getting home from work as a result.

With the fall semester starting up (my last class!) I have spent some time playing with LaTeX again. I’ve been using LaTeX off and on for a few years to prepare labs and reports for school and even some proposals for work though I’ve never done more than minor edits to existing LaTeX styles. For my fall class I’m using LaTeX in a similar capacity but with a fun twist: I’m formatting propositional logic proofs.

First off the class is CSE 774: Access Control, Security, and Trust taught by Dr. Shiu-Kai Chin at Syracuse University. He co-authored a boot by the same name if you’re interested in the content. Long story short Dr. Chin and Dr. Older developed a small logic language based on the logic of Abadi and Lampson. They use their logic to formally reason about access control decisions in a number of systems. Interesting stuff.

Most of the homework I’ve been doing requires either doing formal proofs or manipulating formulas and constructing Kripke Structures. The first assignment got messy quick so instead of copying all of my work over I decided I’d type it up in LaTeX. I managed to use generic math mode (the align environment) for most of my work but the structured proofs needed something extra.

Thankfully some industrious academics out there ran into this problem long ago and wrote two different styles for typesetting Fitch-style structured deduction. Both have their strengths and in the end I used a mix of the two. The fitch style is simple and straight forward. That said I couldn’t figure out a way to get it to display multi-line formulas which was a problem since the logic we’re using is quite verbose. I managed to track down another fitch style, this one by Peter Selinger which handles multi-line formulas quite well.

I know people are always looking for a way to get their work done more quickly and LaTeX isn’t going to help you there. So in the end my homework didn’t get done any faster but it sure looked nice when I was done 🙂

T100 Engine Covers

~ flihp ~ Leave a comment

In my first two years riding my motorcycle I learned a few things the hard way. Long story short I laid my Thruxton down twice, once on each side. They weren’t bad spills but I got a few cool scars out of the deal and so did my bike.

A few weeks ago I purchased new T100 (chrome!) engine covers and today I’m fixing up the last of the damage left over from my wipe-outs. The alternator cover isn’t too bad but the primary got beat up something aweful. Here’s what my covers looked like before:

Removing Old Engine Covers

The first and most obvious step is draining your oil. The primary and alternator covers are wet seals and if you break them you’re gonna leak all of your oil out on to your driveway / garage floor. I’ve planned this maintenance around an oil change anyway so I drained my oil completely and have a new oil filter ready to go.

I started on my primary cover: removed the bolts and started to pull. This thing wasn’t budging so I broke out my rubber mallet. That’s right, when all else fails hit it with a hammer … but not one that will scratch up your new chrome parts! A few good taps around the seams and the seal gave and started dripping oil all over the place. Have a pan ready and set yourself up on some cardboard to catch any stray drips.

The cover should come off easy enough but the seal is likely to break up leaving bits stuck around the edges. You’ve got to get all of this off before you can put the new cover and seal on so break out a razor and carefully scrape what’s left of the old seal off the engine. Be very careful not to get little bits of the seal on any of your engine’s internals. You do not want little bits of plastic floating around gumming up the works.

When you’re done the mounting surface on the engine should look nice and clean. Here’s what the primary side looks like (forgot to shoot the alternator side):

Alternator Cover

On the alternator side you’ll notice some wires that run out from between the engine case and the cover. These connect to the stator and power your electrical. The seals around these are a bit of a pain. You’ll have to transfer the coils to you new cover then worry about the wires.

When you reattach the alternator cover you’ll have to get your new seal in place but that probably won’t be enough. The wires have a rubber housing that you should seal up too. I opted to “borrow” some Form-A Gasket Sealant from my room mate.

This stuff is nasty. Get ready to apply it with your fingers and then spend some time scrubbing it off your hands later. You want to put enough on to fill the cracks but if you put so much on that it oozes out. It’s probably oozing out inside the case too which is not a good thing.

When you’ putting the the cover back on you’ll wish you had a few extra hands. Holding the seal, the wires and the cover in place at the same time is a pain, especially with the seal goop getting on everything. Once you juggle it all into place torque down the bolts to the spec (9Nm if I remember correctly which isn’t much).

The sprocket cover is easy in comparison. No seals no nothing. Just throw it on. Here’s what they look like, nice and shiny:

Primary Cover

The primary side doesn’t have any wires for you to worry about but it’s more of a pain. First off if you’re bike is on it’s kick stand the primary side will be tilted toward the ground which will make putting the cover back on much more difficult. Specifically there are a few metal pins that are seated in the cover and they’ll slide out much more easily if the engine is tilted downward.

Pay attention to the small cog at the lower front of the engine on this side. There’s a funny washer sitting over the pin holding it in place. This pin has a corresponding hole it will fit into on the inside of the primary cover. If you’re not careful while the cover is off this washer and pin may slip out. Be very careful of this.

Also on the primary side is the clutch leaver that you’ll have to transfer from your old cover to the new one. These are held in place by 7 or 8 hex screws that Triumph was kind enough to goop up with red locktite. This makes removing them very difficult and you’ve got to be extra careful to keep from stripping them.

I’ll admit that I stripped one but managed to get it out still. I had to take a trip to the local fastener shop in Syracuse to get a replacement. As much as the locktite is a pain when you’re removing the bolts it’s a good idea to use some when you put them in your new cover. Having one of these come loose in your engine would pretty much be the end of it.

I probably don’t have to say this but when you do transfer the clutch leaver over keep an eye on the set-up in the old cover and make sure you get everything in place right. It’s not hard but I’m sure it can be screwed up if you’re not careful. Be sure to keep track of the pin seated in the case that actuates the clutch. Mine kept dropping out of place when I was putting the cover back on.

Speaking of putting the primary cover back on, it’s a pain in the ass! If you’ve got an extra set of hands around you’re gonna need them. Here’s what it should look like when you’re done.

Oil and a Paryer

So when both covers are back on with the seals in place and torqued down, finish your oil change (change your filter etc). It’s not uncommon for the seals to leak a little bit at first until their seated. If they keep leaking after you’ve had the engine running for a bit try tightening down the bolts a little more but not too much. If this doesn’t fix your leak then something more serious went wrong (damaged seal?).

If you were looking at the pictures closely you’ll notice there weren’t any pipes on my Thruxton. I timed changing the engine covers with sending my pipes out to a local guy who runs a paint booth / powder coating shop out of his garage. More to come on that.

Debian Logo Rights and Misuse

~ flihp ~ 2 Comments

I’ve been traveling a whole bunch for work lately. A month or two ago I was on the road the hotel I was staying in was hosting a job fair that was put on by a company called the Catalyst Career Group. I couldn’t help but notice their logo looked familiar.

So after standing on my head in the middle of the lobby I realized that it’s just the Debian logo upside down. The Debian project is pretty explicit about the license they distribute their logo under [1] and this doesn’t follow the license by my reading of it.

Now what to do about it? The Debian legal mailing list [2] looks like the right place. I’ll update on the results of this one. Interesting stuff.

[1] http://www.debian.org/logos/
[2] http://www.debian.org/legal/

Thruxton Sprockets

~ flihp ~ 4 Comments

The chain on my Thruxton was about 6 years old and looking pretty ratty so I decided it was time for a new one. My buddy recently did some homework on chains and he ended up buying an EK X Ring chain so I followed suit. After hitting my Haynes manual to find out the right specs (525, 104 links) I picked one up. Found a good deal on an EK MVXZ 525 through ebay along with a chain tool to break the old one, and get the new one on.

Old Chain

My first mistake was trying to break the old chain off of my Thruxton with a $20 chain tool and not enough of the rivet ground down. So I broke the pin on that one and, surprise, it didn’t come with a spare. I took a pretty good chunk out of my knuckle when the pin broke and I was a bit pissed so I switched over to the cutting wheel and just cut the chain off. Should have just done that in the first place. Glad to have the old chain off too since it had a few links that weren’t flexing right. That’s why it felt funny while I was riding.

Since I was without a chain tool now I took the new one down to Destiny Motorsports and Garry cut it down for me. Great spot if you’re in Syracuse and you need an inspection or service. They’ve always done right by me and this time was no different.

Rear Sprocket

Now that I had the new chain at the right length I had to switch out the sprockets. I figured since I had the chain off it would make sense to upgrade the sprockets with some after market ones from British Customs. I picked up an aluminum rear sprocket and a fancy steel front too. I didn’t change the tooth ratio but I’m tempted to try a smaller front sprocket in the future.

Anyways getting the rear sprocket off was easy enough. Remove the rear wheel, pull the old one, put on the new one. The white stuff on the new sprocket is just lithium grease from the new chain. They come covered in that stuff and you’re gonna want to wipe as much of it off the chain before you ride on it.

Front Sprocket

Getting the front sprocket off was a bit of a trick. First off you’ve gotta bend back a huge washer that is bent down on the nut that holds the sprocket on. I did it with a screw driver but I’m sure there are better ways. This nut is huge by the way. 36 or 38mm and sockets that big get super pricey, not to mention a driver for it and a torque wrench if you want to torque it back down to spec.

After putting the new sprocket on you’ve gotta torque down the nut and flatten out the washer again. Flattening the washer down on the sprocket isn’t something you can do with a screwdriver. A small punch works perfectly if you’ve got one laying around.

New Chain

Pressing the master link on the new chain on is a real pain. I’ve already gone through one cheep chain tool so this time I got the real deal from EK. This tool is worth every penny and makes getting the master link on much easier than it would be normally. They’ve still got the EK chain tool on special at Moto-Chains so if you’re gonna buy one I’d recommend this one. It’ll press on the plates and press out pins. You can even use it for riveting.

So this is what the master link looks like after it’s been riveted. I didn’t take a picture of the chain when it was completely new. The photo below is the chain after 1200 miles through the white mountains. I was rushing to get the new chain on for the trip and forgot to snap a photo when it was fresh.

So that’s it. The new chain and sprockets are great. Not something you really notice when you’re riding but that’s the whole point. My old chain had a few links that weren’t flexing right and I could definitely feel the kinks when I was riding on it. This new one is super smooth which is the effect I was going for.