MeeGo Conference 2010 in Dublin

The MeeGo Conference 2010 took place from 2010-11-15 until 2010-11-17 and it was quite good. I think I haven’t seen so much money being put into a conference so far. That’s not to be read as a complaint though 😉

The conference provided loads of things, i.e. lunch, which was apparently sponsored by Novell. It was very good: Yummie lamb stew, cooked salmon and veg was served to be finished with loads of ice cream and coffee. Very delicious. Breakfast was provided by Codethink as far as I can tell. The first reception in the evening was held by Collabora and drinks and food were provided. That was, again, very well and a perfect opportunity to meet and chat with people. In fact, I’ve met a lot old folks that II haven’t seen for at least half a year. But with the KDE folks entering the scene I’ve also met a few new interesting people.

The venue itself is very interesting and they definitely know how to accommodate conference attendees. It’s a stadium and very spacious. There were an awful lot of stadium people taking care of us. The rooms were well equipped although I was badly missing power supply.

The second evening was spent in the Guinness Warehouse, an interesting museum which tells you how the Guinness is made. They also have a bar upstairs and food, drinks and music was provided. I guess the Guinness couldn’t have been better 🙂

Third evening was spent in the Stadium itself to watch Ireland playing Norway. Football that is. There was a reception with drinks and food downstairs in the Presidents Suite. They even handed out own scarfs which read “MeeGo Conference”. That was quite decadent. Anyway, I’ve only seen the first half because I was at the bar for the second half, enjoying Guinness and Gin Tonic 😉

Having sorted out the amnesties (more described here), let’s have a look at the talks that were given. I actually attended a few, although I loved to have visited more.

Enterprise Desktop – Yan Li talked about his work on making MeeGo enterprise ready, meaning to have support for VPNs, Exchange Mail, large LDAP address books, etc… His motivation is to bring MeeGo to his company, Intel. It’s not quite there yet, but apparently there is an Enterprise MeeGo which has a lot of fixes already which were pushed upstream but are not packaged in MeeGo yet. His strategy to bring the devices to the people was to not try to replace the people’s old devices but rather give them an additional device to play with. Interesting approach and I’d actually like to see the results in a year or so.

Compliance – There is a draft specification but the final one will be ready soon. If you want to be compliant, you have to ensure that you are using MeeGo API (Qt, OpenGL ES, …) only. That will make it compatible for the whole minor version series. There will also be profiles (think: Handset, Netbook) which well define additional APIs or available screen estate. In return, you are allowed to use the MeeGo name and the logo. Your man asked the audience to try the compliance tools and give feedback and to review the handset profile draft.

Security – There will be a MSSF, a Mobile Simplified Security Framework in MeeGo 1.2. It’s a MAC system which is supposed to be in mainline. So yes, it is yet another security framework in Linux and I didn’t really understand, why it’s necessary. There’ll be a “Trusted Execution Environment’ (TrEE) as well. That will mean that the device has to have a TPM with a hardwired key that you can’t see nor exchange. I don’t necessarily like TPMs. Besides all that, “Simplified Mandatory Access Control” (SMACK) will be used. It is supposedly like SELinux, but doesn’t suck as much. Everything (processes, network packets, files, I guess other IPC, …) will get labels and policies will be simple. Something like “Application 1 has a red label and only if you have a red label, too, you can talk to Appilcation 1”. We’ll see how that’ll work. On top of all that, an Integrety Protection “IMA” system will be used to load and execute signed binaries only.

Given all that, I don’t like the development in this direction. It clearly is not about the security of the person owning the device in question but about protecting the content mafia. It’s a clear step into the direction of Digital Restriction Management (DRM) under the label of protection the users data. And I’m saying that they are trying to hide it, but they are not calling it by its right name either.

A great surprise was to see Intel and Nokia handing out Lenovo Ideapads to everybody. We were asked to put MeeGo on the machine, effectively removing the Windows installation. Three years ago, when I got my x61s, it was a piece of cake to return your Windows license. By now, things might have changed. We’ll see. I’ll scratch the license sticker off the Laptop and write a letter to Lenovo and see what happens. Smth like this (copied from here):

Lenovo Deutschland GmbH
Gropiusplatz 10
70563 Stuttgart

Rückgabe einer Windows-Lizenz

Sehr geehrte Damen und Herren,

hiermit gebe ich die gemeinsam mit einem Lenovo-Notebook erworbene Windows-Lizenz gemäß des End User License Agreement (EULA) von Microsoft Windows zurück.

Das EULA von Windows gewährt mir das Recht, beim Hersteller des Produkts, mit dem ich die Lizenz erworben habe, den Preis für die Windows-Lizenz zurückerstattet zu bekommen, falls die mitgelieferte Windows-Lizenz beim Start nicht aktiviert und registriert wurde und das EULA nicht akzeptiert worden ist. Ich habe der EULA nicht zugestimmt, da sie zahlreiche für mich inakzeptable Punkte enthält, beispielsweise:

– Die Aktivierung der Software sendet Hardware-Informationen an Microsoft (Punkt 2 des EULA).
– „Internetbasierte Dienste“ wie das „Windows-Updatefeature“ können von Microsoft jederzeit gesperrt werden (Punkt 7 des EULA). Dadurch existiert de facto kein Recht auf Security-Updates.

Ich entschied mich stattdessen für das Konkurrenz-Produkt Ubuntu, da dieses eine bessere Qualität aufweist und ein verbraucherfreundlicheres EULA hat.

Sie haben anderen Lenovo-Kunden in der Vergangenheit die Rückgabe der Windows-Lizenz verweigert mit der Verweis, dass es sich bei dem mit dem Gerät erworbenen Windows-Betriebssystem um einen “integrativen Bestandteil” des Produkts handle und man die Windows-Lizenz nur mit dem gesamten Produkt zurückgeben kann.

Diese Auffassung ist aus den folgenden Gründen nicht zutreffend:
– Windows-Lizenzen werden auch einzeln verkauft, eine Bindung von Software an ein bestimmtes Hardware-Gerät (OEM-Vertrag) ist nach deutschem Recht nicht zulässig. [1]
– Das betreffende Notebook lässt sich auch mit anderen, einzeln erhältlichen Betriebssystemen (u.a. Ubuntu) produktiv betreiben. Insbesondere Ihre Produkte laufen mit Ubuntu (mit sehr wenigen Ausnahmen) ganz hervorragend.
– Jedoch lässt sich das vorliegende Notebook nicht ohne Windows-Lizenz oder ganz ohne Betriebssystem erwerben.

Mir sind desweiteren mehrere Fälle bekannt, in denen Sie erfolgreich mit dem von mir verwendeten Formular Windows-Lizenzen zurückerstattet haben.

Ich bitte Sie deshalb, mir die Kosten für die Windows-Lizenz zurückzuerstatten und die erworbene Windows-Lizenz einzeln zurückzunehmen.

Hilfsweise teilen sie mir mit, wie ich das Geraet als ganzes zurureck geben kann.

Mit freundlichen Grüßen

[1] Vgl. dazu das Urteil des BGH I ZR 244/97 vom 6. Juli 2000
(http://tiny.cc/IZR24497 sowie http://www.jurpc.de/rechtspr/20000220.htm).

The performance of MeeGo on that device is actually extremely bad. WiFi is probably the only thing that works out of the box. The touchpad can’t click, the screen doesn’t rotate, the buttons on the screen don’t do anything, locking the screen doesn’t work either, there is no on-screen keyboard, multi touch doesn’t work with the screen, accelerometer doesn’t work. It’s almost embarrassing. But Chromium kinda works. Of course, it can’t actually do all the fancy gmail stuff like phone or video calls. The window management is a bit weird. If you open a browser it’ll get maximised and you’ll get a title bar for the window. And you can drag the title bar to unmaximise the window. But if you then open a new browser window, it’ll be opened on a new “zone”. Hence, it’s quite pointless to have a movable browser window with a title bar. In fact, you can put multiple (arbitrary) windows in zone if you manually drag and drop them from the “zones” tab which is accessible via a quake style top panel. If you put multiple windows into one zone, the window manager doesn’t tile the windows. By the way: If you’re using the touchscreen only, you can’t easily open this top panel bar, because you can’t easily reach the *very* top of the screen. I hope that many people will have a look at these issues now and eventually fix them. Anyway, thanks Intel and Nokia 🙂

jOEpardy released as Free Software

As mentioned in an earlier post, I was investigating the possibility to set jOEpardy free. It’s a Java program that let’s you hold a Jeopardy session based on a XML file. It has been used quite a few times and is pretty stable. A boatload of credits go to Triphoenix, who coded an awful lot without very much time, probably lacking sleep or coffee or even both. Thanks.

So to make the announcement: jOEpardy is GPLv3+ software (*yay*) and you can download the code via Mercurial here: https://hg.cryptobitch.de/joepardy. I don’t intend to make tarball or binary releases as I (at your option) either don’t have the time or simply don’t see a need.

But to actually use it, you want to have some buzzers. You could play it with a regular keyboard though. At the end of the day, you need to generate a keycodes for a “1”, a “2”, a “3” or a “4”. If you’re nerdy enough, you can get yourself an emergency button in the next hardware store and solder some tiny serial logic to it. Then you could read that serial signal and convert to X events via xtest.

You’ll figure smth out 😉

Stip-OUT report

For my recent year in Dublin I got a “STIP-OUT” scholarship from my local university and I was supposed to write a tiny report. So here it comes (in German though).

I won’t go into too much detail about the course I attended just yet, but in a nutshell: Dublin was a nice experience, personally and technically. Going to Dublin for a year abroad is a good option to just “get out”, because although it is different, it is still European enough. However, people and universities work differently. Everything is very open but also very stressful.

Oh srsly? 300MBs for a scanner driver (/.-)

My granny asked me to bring her a driver for her all-in-one scanner thingy, because it would take her too long to download it. Well, I wasn’t too sure whether it’s HP’s fault by not supporting the generic classes or Windows 7‘s fault by not implementing the USB Printer or Scanner class driver (But they should). However, I didn’t think a driver can be that huge. However, HP supposes you to download 290 whopping MB! For making their product work!

But they are serious. You cannot download anything smaller than that. ๏̯͡๏ I thought they were kidding me. Must be a very complicated device… Well, I’m copying their BLOBs onto a pendrive now…

The beauty of a free (Maemo) handset

During GUADEC, I of course wanted to use my N900. But since the PR1.2 update, the Jabber client wouldn’t connect to the server anymore, because OpenSSL doesn’t honor imported CAs. So the only option to make it connect is to ignore SSL errors. But as I’m naturally paranoid, I didn’t dare to connect… It’s a nerdy conference with a lot of hackers after all.

Fortunately, I had all those nice Collaborans next to me and I could ask loads of (stupid?) questions. Turns out, that the Jabber client (telepathy-gabble) on the N900 is a bit old and uses loudmouth and not wocky.

So I brought my SDK back to life (jeez, it’s very inconvenient to do stuff with that scratchbox setup 🙁 ) and I was surprised that apt-get source libloudmouth1-0 was sufficient to get the code. And apt-get build-dep libloudmouth1-0 && dpkg-buildpackage -rfakeroot built the package. Almost easy (I had to fix loads of dependency issue but it then worked out).

As neither I nor the Collaborans knew how to integrate with the Certificate Manager, I just wanted to make OpenSSL aware of the root CA which I intended to drop somewhere in ~/.certs or so.

After a couple of busy conference days I found out that code which implements the desired functionality already exists but was commented out. So I adapted that and now loudmouth imports certificates from /home/user/.config/telepathy/trusted-cas.pem or /home/user/.config/telepathy/certs /home/user/.maemosec-certs/ssl-ca before it connects. The former is just a file with all root CAs being PEM encoded. The latter is a directory where you have to put PEM or DER encoded certs into and then run c_rehash . in it the certificate manager puts the certificates in after you’ve imported it. Because just loading any .pem or .der file would have been to easy to work with. It was hard for me to understand OpenSSL’s API. This article helped me a bit though, so you might find it useful, too.

So if you want your jabber client on the N900 to connect to a SSL/TLS secured server that uses a root CA that is not in the built in certificate store, grab the .deb here. You can, of course, get the source as well.

Turns out, that there is a workaround mentioned in bug 9355 hence you might consider it to be easier to modify system files yourself instead of letting the package manager do it.

Bottom line being that it’s wonderful to be allowed to study the code. It’s wonderful to be allowed fix stuff. And it’s wonderful to be allowed to redistribute the software. Even with my own modifications. And that it will be that way for the lifetime of that piece of software. I do love Free Software.

mrmcd1001b Impressions

I had the pleasure to be invited to the MetaRheinMain ChaosDays 1001b (mrmcd1001b) in Darmstadt. This years motto was “Beyond Science Fiction” and ~250 people gathered together to discuss “Society and Technology in 20th century fiction and 21th century reality”.

The presented talks were mostly interesting, although I didn’t attend that many. I spent most of the time talking to people or giving (two) talks myself: Security in Mobile Devices and Virtualised USB Fuzzing.

The first one went as expected and I think the attendees enjoyed it very much. Again, talking about technical details that a buffer overflow on x86 involves is not that much fun but I think it went at least alrightish. Slides can be found here.

The second talk was kind of a rehearsal for my final thesis presentation. So I took the chance to prepare myself for Dublin and present brand new stuff^tm. I started off crashing a Linux PC with my N900 and went then to the talk. It was a bit confusing, I guess. But in fairness: It was very late in every sense of the word 😉 But I got positive feedback nonetheless so it’s better if you make up your own mind with the slides. Although I don’t think the slides alone are that interesting.

For some reason, people were interested in the commands that I’ve used for the demo:

Boot Ubuntu
/opt/muelli/qemu/bin/qemu-system-x86_64 -enable-kvm -hda ubuntu.img -cdrom ~/ISOs/ubuntu-10.04.1-desktop-amd64.iso -monitor stdio -serial vc -m 1G -loadvm 1
Setup Filter

usb_filter_setup /tmp/filter export PYTHONPATH=~/hg/scapy-com/ python recordingfilter.py /tmp/filter /tmp/phonet.dump

Attach device

info usbhost usb_add host:0421:01c8 sudo chown muelli /dev/bus/usb/002/004

usb_filter_remove usb_del 0.2

Replay

usb_add emul:full:/tmp/filter cat /tmp/filter.in & cat /tmp/phonet.dump.out > /tmp/filter.out

usb_del 0.0 kill %%

Fuzz (didn’t really work because of a Heisenbug)

python emulator.py --relaxed /tmp/filter /tmp/phonet.dump.combined python fuzzingemulator.py /tmp/filter webcam.dump usb_del 0.0

Fully Virtualise

usb_add emul:full:/tmp/filter python usbmachine.py /tmp/filter.in /tmp/filter.out usb-devices

Freedom not Fear 2010 on 2010-09-11 in Berlin

Call for Action!

Do you in or near Berlin? Or just happen to be there on 2010-09-11? Then go out for once! It’s good for your body, your mind and society. Again, Freedom Not Fear will take place and you are most welcome to join! You’re not in Berlin, great! Freedom not Fear will also take place in

The demands are:

1. Cutbacks on surveillance measures

abolition of the blanket logging of our communication and locations (data retention)
abolition of the blanket collection of our biometric data as well as RFID passports
protection from surveillance at the workplace by introducing effective labour data protection laws
no permanent student ID numbers
no handing over of personal information without cause; no European wide standardized state run collection of information (Stockholm Program)
no systematic surveillance of monetary transactions or any other mass data analysis within the EU (Stockholm Program)
no information exchange with the US or any other state lacking effective data protection laws
abolition of permanent CCTV camera surveillance and ban of all behavioral detection techniques
no blanket registration of passengers traveling with airlines or by boat (PNR data)
no secret searches of private computer systems, neither online nor offline
no introduction of the e-health insurance card in the presently planned form
no systematic surveillance of financial transactions data or similar mass data analysis in the EU (SWIFT)
no blanket registration of all air and sea travellers (PNR data)
no automated registration of vehicle number plates and locations
no secret searches of private computer systems, neither online nor offline

2. Evaluation of existing surveillance powers

We call for an independent review of all existing surveillance powers as to their effectiveness, proportionality, costs, harmful side-effects and alternative solutions. We particularly call on the European parliament to immediately re-evaluate existing and planned projects on interior security that restrict fundamental rights of the people in Europe.

3. Moratorium on new surveillance powers

Following the “arms race” in security measures over the past few years, we demand an immediate stop to new interior security laws that further restrict civil liberties.

4. Ensure freedom of expression, dialogue and information on the Internet

safeguard net neutrality with binding laws
keep the Internet free, unfiltered and uncensored, without blocking lists or pre-publication controls, neither by state institutions nor by Internet service providers
no Internet disconnection policies (“three strikes”, “graduated response”)
outlaw installation of filtering infrastructures on ISP networks
content deletion must require an order by an independent and impartial judge, the right to legal recourse must be ensured
establish a digital Human Rights Charter for the 21st century, with global protections of digital civil rights
introduction of an unlimited right to quote multimedia content, which nowadays is indispensable for public debate in democracies
protection of internet platforms for preserving the free expression of opinion (participatory websites, forums, comments on blogs etc.), which nowadays is threatened by inadequate laws encouraging self-censorship (chilling effect)

Cleanternet – campaign for a cleaner and safer Internet – cleanternet.org from alexanderlehmann on Vimeo.

Freedom Not Fear 2010

FOSS.in 2010 does take place \o/

I am delighted to see that this years FOSS.in will indeed take place. There were rumours about it not happening but fortunately you will have the opportunity to have a great time from 2010-12-15 to 2010-12-17!

You might have realised already, that his is only three days:

This year, the event is 3 days instead of the usual 5 days – a 5 day event was simply too exhausting for everyone (participants and team). Also, we have moved the event into the middle of December, to give students of colleges that usually have their exams end-November or early-December a chance to attend. Our American friends will be happy to note that we have moved the event safely out of Thanksgiving range

As last year, I expect the conference to be great. I do hope, that GNOME will be well represented, especially since GNOME-3 will be released and we have the potential to attract many new hackers. Also, because the KDE folks were staffed very well and we were not.

Got a N900 yay

A while back, during FOSS.in, I participated at a Maemo “hacking” contents. The goal was to produce something valuable for Maemo and get a N900 in return. I basically ported Gajim to the N900 and, drumroll, I won! *yay*

Unfortunately, it took them a while to ship that thing so that I received it half a year later or so. But then it was amazingly fast. I received a parcel from Helsinki (2031km far away) which was sent 20hrs earlier. The parcel thus was traveling at ~100km/h. Great service, DHL! Thanks a million Nokia, Thanks Maemo Bangalore!

I really like the N900 because it’s a Linux based device. Well, there is Android, right? But Nokia actually does send it’s patches upstream and they invite you to get root on the device you own. Plus everything is pretty much standard. There is D-Bus, there GTK+, there is Python, there is Linux, … Hence, building and running stuff is pretty easy. I am looking forward to run my DNS Tunnel and DOOM and play around with the USB.

I am now busy playing with my new N900.

Practicum Status Update Week 10

As mentioned in the last report, I skipped one week in favour of the GUADEC.

I had a funny C problem. Consider the following two functions:

 
static int
safe_read (void *data, size_t length, FILE* file)
{
	int status = fread(data, length, 1, file);
 
	if (status == -1) error_report("%s: read packet (%lu) data on stream %p "
								   "failed (%d): %s",
								   __FUNCTION__, length, file,
								   status, strerror(errno));
	status = fflush(file);
	return status;
}
 
static int
safe_write (void *data, size_t length, FILE* file)
{
	int status = fwrite(data, length, 1, file);
 
	if (status == -1) error_report("%s: writing packet (%lu) data on stream %p "
								   "failed (%d): %s",
								   __FUNCTION__, length, file,
								   status, strerror(errno));
	status = fflush(file);
	return status;
}

Now you might want to deduplicate the code and make it one big and two small functions:

 
static int
safe_operation (size_t (func) (void *, size_t, size_t, FILE*), void *data, size_t length, FILE* file)
{
	int status = func(data, length, 1, file);
	const char *funcstr = "undeclared";
 
//	switch (*func) {
//		case fread:
//			funcstr = "read";
//			break;
//		case fwrite:
//			funcstr = "write";
//			break;
//		default:
//			funcstr = "?";
//			break;
//	}
 
	if (status == -1) error_report("%s: %s (%p) packet (%lu) data on stream %p "
								   "failed (%d): %s",
								   __FUNCTION__, funcstr, *func, length, file,
								   status, strerror(errno));
	status = fflush(file);
	return status;
}

but it wouldn’t compile because fread and fwrite have slightly different signatures.
The solution is to:

 
typedef size_t (*fwrite_fn)(const void * __restrict, size_t, size_t, FILE * __restrict);
 
static int
safe_operation (fwrite_fn func, void *data, size_t length, FILE* file)
{
        int status = func(data, length, 1, file);
        const char *funcstr = "undeclared";
 
        if (status == -1) error_report("%s: %s (%p) packet (%lu) data on stream %p "
                                                                   "failed (%d): %s",
                                                                   __FUNCTION__, funcstr, *func, length, file,
                                                                   status, strerror(errno));
        status = fflush(file);
        return status;
}
 
int
main(void)
{
        int x;
 
        safe_operation((fwrite_fn)fread, &amp;x, sizeof x, stderr);
        safe_operation(fwrite, &amp;x, sizeof x, stderr);
        return 0;
}

Thanks to Roland for pointing that out.

On smth unrelated: Fought with OpenSSL and it’s API and documentation. But more on that in a different post.
Fortunately, only Gajim crashed once. Well rhythmbox locks up, too, as it always does

Annoyed by the fact, that it takes ages to “make” a freshly made kernel!

muelli@bigbox ~/git/linux-2.6 $ time make 
  CHK     include/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  CHK     include/generated/compile.h
  CHK     include/linux/version.h
make[2]: `scripts/unifdef' is up to date.
  TEST    posttest
Succeed: decoded and checked 1382728 instructions
Kernel: arch/x86/boot/bzImage is ready  (#14)
  Building modules, stage 2.
  MODPOST 2107 modules
WARNING: modpost: Found 4 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'

real	14m7.842s
user	1m33.747s
sys	0m25.388s
muelli@bigbox ~/git/linux-2.6 $

Trying to automatically create a FAT image and fill populate it with the built modules is more cumbersome than expected. guestmount is way too much overhead: It requires qemu and channels the data out over the network (sic!). I just want a FUSE implementation that is capable of writing a FAT image! There seems to be UMFUSE but it’s packaged for Debian/Ubuntu and not for Fedora.Find the sources is quite a challenge (it’s here: https://view-os.svn.sourceforge.net/svnroot/view-os/trunk/fuse-modules/fat) but I can’t build it, because they haven’t really prepared their code for anybody else to build it. After being harassed to generate the ./configure file (autoconf,; aclocal; autoconf), it also wants shtool to be installed AND in a local directory (/.-). I gave up as it kept bugging me about a missing config.sub. But I still wanted to get that FUSE module so I dug up my Ubuntu chroot and apt-get sourced the files, ./configure && make && make install. Beautiful. Turns out, that the official FUSE wiki lists two ways to mount a FATfs: the one I’ve just described and a dead project (FatFuse).

I then threw together this shellscript:

##!/bin/bash
 
MOD_DIR=/tmp/linux-modules/
FAT_IMAGE=/tmp/modules.$$.fat
FAT_MOUNT=/tmp/share/
FAT_TARGET_IMAGE=/tmp/modules.fat
 
make modules_install INSTALL_MOD_PATH="$MOD_DIR" &&
 
bytes=$(( $(du -s $MOD_DIR | awk '{print $1}') + $(( 20 * 1024)) ))
#
# create FAT image
dd if=/dev/zero of=$FAT_IMAGE bs=1024 count=$bytes &&
mkfs.vfat $FAT_IMAGE &&
fusefat -o nonempty -o rw+ $FAT_IMAGE $FAT_MOUNT &&
cp -dRx $MOD_DIR/* $FAT_MOUNT
fusermount -u $FAT_MOUNT &&
echo $FAT_IMAGE &&
ln -sf $FAT_IMAGE $FAT_TARGET_IMAGE

and I start qemu like that:
/opt/muelli/qemu/bin/qemu-system-x86_64 -drive file=/tmp/ubuntu-snapshots.qcow2,if=virtio -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append 'selinux=0 root=/dev/vda init=/sbin/init' -m 1G -drive file=/tmp/modules.fat,if=virtio,readonly=on -monitor stdio -loadvm 1
which allows me to access the module on the FAT drive on /dev/vdb. I can also snapshot the booted machine which saves me an awful lot of time for booting. But it took me quite a while to make QEmu do that, because the snapshot parameter for the disk does not save snapshots! Also, the FAT drive has to marked as readonly for QEmu to only save snapshots on the only remaining writable drive. But QEmu fails to make a drive readonly if the selected interface is IDE. Thus, you need virtio… Thanks to the helpful folks on IRC…

So yeah, all in all, I didn’t make any substantial progress :-/ I hope to finish a Webcam in software soonish though.