How to watch / stream more than 10000 TV channels for free on any Android TV based Smart TV without using a separate decoder or set top box

Prerequisites: Android TV based Smart TV

Not required: any hardware decoder, the Smart TV itself is enough for streaming TV channels

Steps:

  1. Install OTT Navigator from Google Play Store on Android TV Smart TV ( https://play.google.com/store/apps/details?id=studio.scillarium.ottnavigator&hl=en&gl=US )
  2. Install .m3u playlist file in OTT Navigator using following source:

https://github.com/iptv-org/iptv

3. The microphone icon in OTT Navigator uses the microphone of your smart TV’s remote control. So you can use your smart TV’s remote control to say which TV channel you want to look for (for example: just say “Tennis” to find all channels with “Tennis” in their name)

#!/bin/bash
# This script allows you to permanently enable Face ID/facial recognition instead of
# sudo password when using sudo commands
#  Based on following guide:  https://itsfoss.com/face-unlock-ubuntu/
sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy
sudo apt install v4l-utils
#######################################################################
# add correct videocamera device into /lib/security/howdy/config.ini 
DEVICENAME=`v4l2-ctl --list-devices |grep dev |head -n 1` 
echo $DEVICENAME

# configure howdy to set device_path to value stored in variable DEVICENAME
# for example: devicename might be /dev/video0
sudo howdy config

# video section of /lib/security/howdy/config.ini file could contain following lines:

# The path of the device to capture frames from 
#device_path = /dev/video0


####################################################################### 
# Use the following command to associate a face to the currently logged in user:
sudo howdy add
# List all the known face models for a user
sudo howdy list
#!/bin/bash
# Prerequisites: Raspberry Pi 3 or 4, Raspbian Lite / Raspberry Pi OS Lite, snapd, npm
# Prerequisites: Conbee II Zigbee USB stick
# Recommend using Raspberry Pi to avoid connection issues regarding zigbee2mqtt
# Wired ethernet connection is required during install - wireless connection did not allow 
# performing supervised Home Assistant install
# Last modification date of this script: 2021/4/6
# Author of script: Mark Rijckenberg

# First assign a fixed local IP address to the Raspberry Pi that will be running deCONZ and Home Assistant
# Define the static IP address(es) in /etc/dhcpcd.conf and in the network settings of the (wireless) router

sudo usermod -a -G dialout root
sudo gpasswd -a root dialout
sudo usermod -a -G dialout homeassistant
sudo gpasswd -a homeassistant dialout
sudo usermod -a -G dialout $USER
sudo gpasswd -a $USER dialout

# insert Conbee II Zigbee USB stick into Raspberry Pi
# run following command to determine on which serial port the Conbee II is operating: 
# It could be on /dev/ttyACM0 ...
ls -l /dev/serial/by-id
# detected devicename for Conbee II in Home Assistant:
# /dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2421421-if00

# first delete any previous installations of deconz:
sudo apt purge deconz
# Install deCONZ app for Conbee II Zigbee USB stick:
# https://github.com/marthoc/docker-deconz
# only way to get deCONZ Zigbee gateway and Conbee II Zigbee USB stick correctly detected in Home Assistant is
# by installing deCONZ via following docker image:
docker run -d --name=deconz --net=host   --restart=always -v /etc/localtime:/etc/localtime:ro  -v /opt/deconz:/root/.local/share/dresden-elektronik/deCONZ  --device=/dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2421421-if00 marthoc/deconz:stable

# deconz service and Home Assistant should all run with root account

# do not run deconz or deconz-gui as a service to avoid issues connecting to deCONZ:
# make sure deCONZ is not running on any other computer than the Raspberry Pi
sudo systemctl stop deconz
sudo systemctl stop deconz-gui
sudo systemctl disable deconz
sudo systemctl disable deconz-gui

# navigate to http://raspberrypi.local/pwa/login.html on Raspberry Pi 4
# after installing deCONZ to configure password on Phoscon-GW
# Phoscon-GW is able to detect the Livarno Lux GU10 Zigbee dimmable lights
# Lights can only get detected by Phoscon-GW during initial blinking phase

# use following instructions to install SUPERVISED version of Home Assistant:
# https://peyanski.com/how-to-install-home-assistant-supervised-official-way/#Install_Docker
# then install Home Assistant which will use deCONZ/Phoscon-GW as Zigbee gateway
# deconz and Home Assistant should all run with the same account
# Then install deCONZ Binding/Integration via Home Assistant::Configuration::Integrations
# If there are ever issues connecting to deCONZ binding via Home Assistant,
# then delete and reinstall the deCONZ integration via Home Assistant::Configuration::Integrations

# Go to Phoscon Web app via http://raspberrypi.local/pwa/login.html on Raspberry Pi 4
# Click on Phoscon app::Settings::Gateway::"Authenticate app" to allow discovery of Phoscon Gateway by
# third party application like Home Assistant
# Then use the deCONZ binding in Home Assistant to start scanning and authenticating with Phoscon Gateway using API key
# Go to Phoscon app::Settings::Gateway to update firmware on Conbee II Zigbee USB stick

# Install and start deCONZ add-on via Home Assistant 
# website::Supervisor:Add-on store  (http://raspberrypi.local:8123/hassio/store)

# Install Home Assistant app on smartphone and connect to Home Assistant gateway using local URL 
# http://raspberrypi.local:8123

# Communication flow is like this: Home Assistant app -> Home Assistant Server (backend) -> DeCONZ/Phoscon 
# Zigbee device gateway -> connected Zigbee devices

# install Mosquitto broker add-on via Home Assistant webinterface - Supervisor  -Add-on store

# install zigbee2mqtt to avoid use of any proprietary zigbee gateways/bridges (like the Aqara gateway)
# Home Assistant + Conbee II + deCONZ + zigbee2mqtt + Mosquitto broker (=Open Source MQTT broker) allows 
# controlling the Aqara Water Sensor (Zigbee) without using Aqara gateway
sudo apt update
sudo apt install snapd npm
# skip this line:sudo snap install --edge janlochi-zigbee2mqtt
# Add the repository URL under Home Assistant webinterface - Supervisor  -Add-on store - Manage add-on repositories:
# Add following URL: https://github.com/zigbee2mqtt/hassio-zigbee2mqtt
# In Home Assistant webinterface - Supervisor - Dashboard - Zigbee2MQTT - Configuration
# make sure following configuration lines exist:
# serial:
#  port: /dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2421421-if00
#  adapter: deconz
# more info here:   https://www.zigbee2mqtt.io/information/supported_adapters.html#conbee-ii


# Xiaomi Aqara SJCGQ11LM Smart Home Water Sensor IP67 Waterproof - water sensor pairing process:
# https://www.zigbee2mqtt.io/devices/SJCGQ11LM
# Phoscon-GW::Devices::Sensors(part of deCONZ) is solely responsable for manually 
# detecting the water sensor -> this worked for me

# info on how to erase configuration files if there is an unrecoverable configuration error:
# https://community.home-assistant.io/t/cant-remove-docker-containers/60659/6

# Configure tor server and Tor Hidden Service on Raspberry Pi and configure Tor Browser on client 
# (laptop or desktop pc) using following guide (replaces use of https certificates):  
# https://community.home-assistant.io/t/tor-onion-service-configuration/195171
# This will allow you to perform a secure connection to the Home Assistant webpage from a remote location
# using the Tor Browser (web browser) on a laptop or desktop PC
sudo apt install tor
sudo systemctl enable tor
sudo systemctl start tor
 

#!/bin/bash
# This bash shell script is compatible with Debian 10 Buster running in Qubes OS 4
# Required free disk space: at least 3.5 GB free disk space in / (root) directory
sudo apt update
sudo apt install gnome-software-plugin-flatpak flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub org.libreoffice.LibreOffice
flatpak install flathub org.onlyoffice
flatpak install flathub com.wps.Office
flatpak update
# enable ufw firewall in Ubuntu 18.04 or newer:
# restrict Internet access to certain ports
sudo apt install ufw gufw
sudo ufw status
sudo ufw status > /tmp/ufw-status-old
sudo ufw disable
sudo ufw reset
# inbound rules are not needed
#sudo ufw allow in to any port 53
#sudo ufw allow in to any port 80
#sudo ufw allow in to any port 443
#sudo ufw allow in to any port 853
#sudo ufw allow in to any port 5938
# only outbound rules are required
sudo ufw allow out to any port 53
# http needed in order to get and update packages via apt command:
sudo ufw allow out to any port 80
# NTP port 123 needed to sync time:
sudo ufw allow out to any port 123
sudo ufw allow out to any port 443
# following port needed for DNS-over-TLS:
sudo ufw allow out to any port 853
# following port needed so that TeamViewer works:
sudo ufw allow out to any port 5938
# following port needed so that gpg can connect to keyserver:
sudo ufw allow out to any port 11371
sudo ufw enable
sudo ufw status
sudo ufw status > /tmp/ufw-status-new

Imagine you have an AppVM called appvm1 which is based on a TemplateVM called templatevm1 in Qubes OS 4.0

Imagine you get the error “Firewall has been modified manually – please use qvm-firewall for any further configuration.” when trying to use the Firewall rule editor GUI via Qube Manager for the AppVM called appvm1.

Solution procedure so that you can use the firewall rule GUI again for that AppVM:

Inspect the existing list of active firewall rules for your TemplateVM using following command (replacing templatevm1 with the actual name of your TemplateVM):

sudo qvm-firewall templatevm1 list

Run following command several times in Dom0 until there are no rules left for the TemplateVM (replacing templatevm1 with the actual name of your TemplateVM):

sudo qvm-firewall templatevm1 del --rule-no 0

Then run following command to set a single default rule in that virtual machine (replacing templatevm1 with the actual name of your TemplateVM):

sudo qvm-firewall templatevm1 add action=accept

Then run this exact same qvm-firewall procedure for the problematic AppVM appvm1

Then reboot your PC and the firewall GUI should be working fine again.

 

# Start of bash shell script:
# ProcDump is a Linux reimagining of the classic
# ProcDump tool from the Sysinternals suite of tools 
# for Windows. ProcDump provides a convenient way for Linux 
# developers to create core dumps of their application based 
# on performance triggers.
cd
sudo rm -rf procdump-for-linux
sudo apt update
sudo apt install git checkinstall build-essential
git clone https://github.com/microsoft/procdump-for-linux
cd procdump-for-linux
sudo make
sudo checkinstall
# End of shell script

 

Checkinstall configuration and terminal output should be similar to this:

This package will be built according to these values:

0 – Maintainer: [ <restricted> ]
1 – Summary: [ Package created with checkinstall 1.6.2 ]
2 – Name: [ procdump ]
3 – Version: [ 20181112 ]
4 – Release: [ 1 ]
5 – License: [ GPL ]
6 – Group: [ checkinstall ]
7 – Architecture: [ amd64 ]
8 – Source location: [ procdump-for-linux ]
9 – Alternate source location: [ ]
10 – Requires: [ ]
11 – Provides: [ procdump ]
12 – Conflicts: [ ]
13 – Replaces: [ ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install…

========================= Installation results ===========================
mkdir -p //usr/bin
cp bin/procdump //usr/bin
mkdir -p //usr/share/man/man1
cp procdump.1 //usr/share/man/man1

======================== Installation successful ==========================

Copying documentation directory…
./
./LICENSE
./README.md

Copying files to the temporary directory…OK

Stripping ELF binaries and libraries…OK

Compressing man pages…OK

Building file list…OK

Building Debian package…OK

Installing Debian package…OK

Erasing temporary files…OK

Writing backup package…OK
OK

Deleting temp dir…OK
**********************************************************************

Done. The new package has been installed and saved to

/home/<restricted>/procdump-for-linux/procdump_20181112-1_amd64.deb

You can remove it from your system anytime using:

dpkg -r procdump

**********************************************************************

#######################################################################################################################v
# enable new DNS over TLSv1.2 encrypted communications
# in Ubuntu 18.04 64-bit using a bash shell script
# Source: https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls
sudo apt purge unbound avahi-daemon
LogTime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')

cp /etc/resolv.conf $HOME/resolv.conf_$LogTime
cp /etc/nsswitch.conf $HOME/nsswitch.conf_$LogTime
cp /etc/systemd/resolved.conf $HOME/resolved.conf_$LogTime
cp /etc/network/interfaces $HOME/interfaces_$LogTime

sudo service resolvconf stop
sudo update-rc.d resolvconf remove

sudo apt install stubby
systemctl status stubby
sudo netstat -lnptu | grep stubby
sudo netstat -lnptu | grep systemd-resolve

cp /etc/resolv.conf /tmp/resolv.conf
grep -v nameserver /tmp/resolv.conf > /tmp/resolv.conf.1
echo 'nameserver 127.0.0.1' >> /tmp/resolv.conf.1
# echo 'nameserver 2620:fe::fe' >> /tmp/resolv.conf.1
echo 'domain dnsknowledge.com' >> /tmp/resolv.conf.1
echo 'options rotate' >> /tmp/resolv.conf.1
sudo cp /tmp/resolv.conf.1 /etc/resolv.conf
sudo service resolvconf start

# configure DNS server on Ubuntu 18.04 LTS:
cp /etc/network/interfaces /tmp/interfaces
grep -v nameservers /tmp/interfaces > /tmp/interfaces.1
grep -v search /tmp/interfaces.1 > /tmp/interfaces.2
grep -v options /tmp/interfaces.2 > /tmp/interfaces.3
#echo 'dns-nameservers 9.9.9.9 2620:fe::fe' >> /tmp/interfaces.3
echo 'dns-nameservers 127.0.0.1' >> /tmp/interfaces.3
echo 'dns-search dnsknowledge.com' >> /tmp/interfaces.3
echo 'dns-options rotate' >> /tmp/interfaces.3
sudo cp /tmp/interfaces.3 /etc/network/interfaces

# enable systemd caching DNS resolver
rm /tmp/nsswitch.conf
rm /tmp/nsswitch.conf.1
cp /etc/nsswitch.conf /tmp/nsswitch.conf
grep -v hosts /tmp/nsswitch.conf > /tmp/nsswitch.conf.1
# dns must be mentioned in next line, or else wget does not work
echo 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines' >> /tmp/nsswitch.conf.1
sudo cp /tmp/nsswitch.conf.1 /etc/nsswitch.conf

# set DNS server to 127.0.0.1
rm /tmp/resolved.conf
rm /tmp/resolved.conf.1
cp /etc/systemd/resolved.conf /tmp/resolved.conf
grep -v DNS /tmp/resolved.conf > /tmp/resolved.conf.1
#echo 'DNS=9.9.9.9' >> /tmp/resolved.conf.1
echo 'DNS=127.0.0.1' >> /tmp/resolved.conf.1
echo 'DNSSEC=yes' >> /tmp/resolved.conf.1
sudo cp /tmp/resolved.conf.1 /etc/systemd/resolved.conf
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set
# the DNS server to 127.0.0.1 in the router's configuration
# and in the NetworkManager GUI

# Then reboot your PC to enable new DNS over TLSv1.2 encrypted communications
# Use wireshark application and capture encrypted DNS packages on port 853 
# There should be no more DNS handshakes on port 53 and only encrypted DNS handshakes on port 853

# Test DNSSEC validation using dig command-line tool
# See: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi
host dnsknowledge.com

# To get similar functionality on iOS: install "DNSCloak" application
# To get similar functionality on Android: install "Intra" application

Please first visit this bug report that I filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=889072#c2

So disabling the cipher suites below in Mozilla Firefox will make certain websites inaccessible, but will make the browsing experience more secure.

It is up to you to decide if you want extra security or not.

If you wish to proceed, visit following website to test the weaknesses in your Mozilla Firefox browser:

https://www.ssllabs.com/ssltest/viewMyClient.html

Then upgrade Mozilla Firefox to the latest version.

In Mozilla Firefox, navigate to   “about:config”

Set security.tls.version.max to 4

Set security.tls.version.min to 3

Set security.ssl3.rsa_aes_128_sha to false

Set security.ssl3.rsa_aes_256_sha to false

Set security.ssl3.rsa_des_ede3_sha to false

Go back to this website to retest weaknesses:

https://www.ssllabs.com/ssltest/viewMyClient.html

After the changes above, only following Protocols and Cipher Suites should be supported by Mozilla Firefox.

HTTPS protocols TLS 1.0 and older are known to be weak and should be disabled as described above.

TLS_RSA_*_CBC_SHA Cipher Suites should not be used anymore, as they are considered weak. But disabling them will make certain websites inaccessible.

Protocols
TLS 1.3 Yes
TLS 1.2 Yes

 

Cipher Suites (in order of preference)
TLS_AES_128_GCM_SHA256 (0x1301)   Forward Secrecy 128
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   Forward Secrecy 256
TLS_AES_256_GCM_SHA384 (0x1302)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256

Further instructions (more extensive) can be found here:

https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

Whonix 13 is approaching end-of-life:

https://www.qubes-os.org/news/2018/08/24/whonix-13-approaching-eol/

So I decided to install Whonix 14 from scratch in Qubes OS 4.0.

I personally had more success installing the new Whonix 14 templates using following procedure (instead of attempting to upgrade from Whonix 13 to Whonix 14) : 

https://www.whonix.org/wiki/Qubes/Install

After installing the new whonix-gw-14 and whonix-ws-14 TemplateVMs, I had to create a new AppVM called sys-whonix-14 and connect sys-whonix-14 to TemplateVM whonix-gw-14. During creation of sys-whonix-14, make sure to enable Networking.

In sys-whonix-14, run
sudo anon-connection-wizard
to set up Tor networking.

Run following commands in Dom0:

qubes-prefs default_dispvm whonix-ws-14-dvm

qubes-prefs updatevm sys-whonix-14

Last step is to set sys-whonix-14 as updatevm in configuration file /etc/qubes-rpc/policy/qubes.UpdatesProxy   in Dom0

Check the new settings in Dom0 by running the command   qubes-prefs (not qvm-prefs)

That should do it.

Hope this helps someone out there 🙂