Using Lion and Requiem to Remove FairPlay DRM

I prefer to buy my movies from Apple’s iTunes Store. They are instantly available across all my Apple devices and allows me to get high quality versions without having to deal with the Blu-ray “bag of hurt”.

However, I don’t like the idea of movies that I have purchased being removed from my library or being unplayable for arbitrary reasons. I also like being able to use Plex, so I also need the DRM removed for that to work.

To solve these problems, I remove the FairPlay DRM from the movies using a tool called Requiem. Requiem works great, is fast, and is free – but Apple patched against Requiem some time ago. However, it still works fine on a fresh install of Lion running iTunes 10.5.1. Virtualization to the rescue!

I first tried running Lion in a trial version of VMware Fusion as that had out of the box support for virtualizing Mac OS X, but ultimately didn’t feel it was worth an $80 Fusion license for this when my usual virtualization solution (VirtualBox) could probably do the trick just fine. Indeed it could, but I ran into a few hiccups along the way. My solutions are documented below in case it helps anyone else.

I copied the VMDK image over to a new VirtualBox VM, which resulted in a black screen when booting. This was resolved by switching the chipset under “System” from ICH9 to PIIX3. After that, the machine refused to boot past ‘root device uuid is xxxxx-xxxx-xxxx’. Turns out, Lion won’t boot on Macs with Intel Haswell CPUs, so I had to fake the CPU in VirtualBox using the following command:

VBoxManage modifyvm <vmname> --cpuidset 00000001 000006fb 00000800 80000209 078bfbff

After that, Lion booted up fine and I could go back to removing that pesky Fairplay DRM.

Update 2015-02-10: Turns Out™, 1080 videos didn’t come along until iTunes 10.6, so I found on old dmg installer of that and upgraded iTunes. Then I had to go into iTunes’s settings (Store section) and make sure it downloaded HD content in 1080p instead of 720p. Requiem 4.1 supports both iTunes 10.6 and DRM removal of the 1080p videos.

Update 2017-02-27: So Apple seems to have closed the 1080p hole on iTunes 10.x. Even when prefer 1080p is selected, and with no other changes, it will only download 720p. Better than nothing, I suppose…

My Must-have Mac Apps

Recently, a friend converted over to the Mac from a PC and wanted to know what everyone’s “must-have” Mac apps were. As I recently obtained a new work MacBook Pro, the list was pretty fresh in mind as I set them all up.

Blame The Mac Power Users for any impact hese have on your wallet… it’s where I found/heard about most of them. Some can often be found on sale or part of a bundle, such as MacHeist. Prices are as of 2014-05-28.

In no particular order:

  • Dropbox – first install on any new Mac. (Free)
  • 1Password 4 – Fantastic password manager, also available on iOS. ($49.99)
  • Alfred 2 – Launch utility, Spotlight has nothing on this. (free, PowerPack enables additional features for £17)
  • iTerm2 – I prefer this over (Free)
  • Homebrew – For installing software from source. (Free)
  • OmniFocus – Get things done. ($39.99 Standard, $79.99 Pro)
  • YNAB 4 – Best finance app I’ve ever used. ($59)
  • DaisyDisk – Find & clean up large files on your Mac. ($9.99)
  • Soulver – Nice calculator/scratchpad app. ($11.95)
  • TextExpander – saves me hours of typing a year. ($34.95)
  • Bartender – Clean up menubar clutter. ($15)
  • Hazel – automatic actions on files. ($28)
  • Keyboard Maestro – Hotkey manager on steroids. ($36)
  • Caffeine – Keep your Mac from sleeping with the lid open. (Free)
  • NoSleep – Prevent your Mac from going to sleep when you shut the lid. (Free)
  • Fantastical – Great quick entry/viewing for calendar entries. ($19.99)
  • Authy Bluetooth – pairs with the iOS app – simplifies 2-Factor auth logins. (Free)
  • Patterns – useful for testing regexps. ($2.99)
  • Dash – man(1) on steroids. (Free)
  • iStat Menus – key system stats in your menubar. ($16)
  • coconutBattery – detailed information on your battery health. (Free)
  • Palua – toggles F1 vs. Fn keys on a per-app basis. ($0.99)
  • Moom – automatic window arrangements based on different displays. ($10)
  • Better Touch Tool – allow for custom gestures on trackpads or a Magic Mouse. (Free)
  • Tunnelblick – Simple OpenVPN client. (Free)
  • Adium – Messaging client. (Free) Standalone Install

I’ve just released an open-source (under MIT license), stand-alone version of my service, It can be found on GitHub.

I hope this will be of use to those who would like a self-hosted version for security or privacy reasons.

Wordpress Is Dead, Long Live Octopress

For many years, this blog (such as it is) ran on Blosxom, which was ok but not great. Back in January of this year, I figured I would give something new a try. I rebooted the site using Wordpress. I imagined posting from Editorial on my iPad, but that never really happened.

A recent episode of the Accidental Tech Podcast had me thinking about my own site more, and figured another change was in order.

So, Wordpress is dead, long live Octopress! It seemed to be the most common choice amongst other Linode users in a Twitter poll. It also statically generates the site and can be done from anywhere and then pushed to my server, which is nice.

As a bonus, this lets me purge MySQL off my server. Good riddance.

OS X 10.9 and

A while back, I was searching for a solution to automatically disable Wi-Fi interfaces on Macs when an Ethernet device was active.  This was the solution I found that worked:

However, when setting this up on a new 15” Retina MacBook Pro, it failed because it was running OS X 10.9.  My MacBook Air running OS X 10.9.1 worked, however.  This was because they were doing something like this in bash:

SW_VER=`/usr/bin/sw_vers -productVersion`
if [ `echo "if(${SW_VER%.*}<=10.7)r=1;r"|/usr/bin/bc` -eq 1 ];

This breaks because ${SW_VER%.*} expands to “10” when SW_VER=10.9, and 10 is not <= 10.7.  I fixed the script by going to my old friend, cut.  Here’s a diff which makes it work on both 10.9 and 10.9.x:

--- /Library/Scripts/ 2013-10-16 21:52:10.000000000 -0400
+++ 2014-01-31 14:27:49.000000000 -0500
@@ -15,8 +15,9 @@

SW_VER=`/usr/bin/sw_vers -productVersion`
+SW_VER_MAJOR=`echo $SW_VER|cut -f1,2 -d.`

-if [ `echo "if(${SW_VER%.*}<=10.7)r=1;r"|/usr/bin/bc` -eq 1 ];
+if [ `echo "if(${SW_VER_MAJOR}<=10.7)r=1;r"|/usr/bin/bc` -eq 1 ];
@@ -56,7 +57,7 @@
# networksetup syntax changed in Snow Leopard

-if [ `echo "if(${SW_VER%.*}<=10.6)r=1;r"|/usr/bin/bc` -eq 1 ];
+if [ `echo "if(${SW_VER_MAJOR}<=10.6)r=1;r"|/usr/bin/bc` -eq 1 ];
AP_CMD="/usr/sbin/networksetup -setairportpower ${AIRPORT}"
AP_STATUS="/usr/sbin/networksetup -getairportpower ${AIRPORT}"

A gist with the correct script and corresponding /Library/LaunchDaemons plist can be found here.

OS X 10.9 Mavericks and Packet Loss

After upgrading to OS X 10.9 (“Mavericks”), I started getting packet loss on our corporate network. This is apparently a bug in Mavericks relating to ARP, Unicast and GLBP:

A simple temporary workaround appears to work:

sudo sysctl -w

For a permanent fix, place it in /etc/sysctl.conf:

$ grep unicast /etc/sysctl.conf

This is supposedly fixed in OS X 10.9.2.

Update 2014-03-16: seems to be better in 10.9.2, but not gone – I still need the above workaround on my system.

It’s 2014…

… and I’ve decided that it’s time to bite the bullet and just move this site over to Wordpress – which may or may not improve me posting here :)

Citrix and SHA-2

Recently at work, we had to install some new SSL certificates.  All seemed to well, except for the Citrix Secure Gateway – when some clients (such as Macs) tried to connect, they got something like:

Citrix Receiver for Mac SSL Error 61: You have not chosen to trust "Foobar", the issuer of the server's security certificate.

This was obnoxious to track down. You need to upgrade to Citrix Receiver 11.7 for Mac or later, which adds support for SHA-2 certificates.

Oh, and there’s still no support for SHA-2 on iOS or Android.  Meh.

Update 2014-06-16Citrix Receiver 5.9 for iOS and Citrix Receiver 3.5 for Android finally added support for SHA-2 certificates.

What Year Is This Again?

People setting up new FTP servers on non-standard ports (say, 5001 instead of 21)… here’s how to get around it with ip_conntrack_ftp:

In /etc/modprobe.d/conntrack.conf:

options nf_conntrack_ftp ports=21,5001