Monday, September 11, 2017

Simple ICS Lab - Part 2 - Raspbian Stretch Lite Setup and Test

The steps in this post cover installation of the Raspbian Stretch Lite OS onto a microSD card for use in the Raspberry Pi 3 (RPi). Some initial testing will also be done to verify the RPi is working properly. The RPi will function as a PLC as part of the Simple ICS Lab. This is how we are able to make a connection between the physical and cyber world.

Manipulating the microSD card file system is difficult to do from a VM since low-level access to the disk sectors is required. Because of this the instructions below are performed on the Windows 10 host. It is still possible to image the microSD card if you are running a non-Windows host. In that case, you should load the relevant Etcher binary for your OS during those sets of instructions. The menu options and operation of Etcher between Windows and Linux is very similar.

You will need the following items to successfully complete all the steps below:
  • Host computer running VirtualBox
  • Lubuntu ICS VM from Simple ICS Lab - Part 1
  • Raspberry Pi 3 and power supply
  • A microSD card at least 4 GB in size
  • Your Wi-Fi network information including SSID and Pre-Shared Key/password
Acquire Raspbian
  • Open your web browser and go to the Raspbian downloads page by entering "" into the address bar.
  • On the Downloads page click the "Download ZIP" button under "Raspbian Stretch Lite" on the right side of the screen.
  • Once downloaded we want to verify that the SHA-256 hash of our file matches the SHA-256 hash shown on the downloads page. You can see the SHA-256 hash value from the downloads page below:
  • By verifying that a SHA-256 hash of our downloaded file matches the SHA-256 hash on the web site we can be certain that we have a valid and accurate image file of the Raspbian Stretch Lite OS.
  • Open a Command Prompt window and use the certUtil command to calculate the file hash. I saved the .zip file to the Downloads folder and need to change to that directory as seen in the screenshot.
    • certUtil -hashfile SHA256
  • Compare the calculated SHA-256 hash to the SHA-256 hash from the web site. If the two values do not match re-download and verify again to ensure a good .zip file has been obtained.
Burn the Raspbian Image to MicroSD
  • Now that we have verified the SHA-256 hash, extract the .img file from the .zip archive.
  • In a file manager window click on the file so it is highlighted.
  • Click on the "Extract" option across the top menu bar, or right-click and choose "Extract All..." (Your method to extract the file may differ slightly. Use Google if necessary to find out how to extract the file for your OS.)
  • Proceed through the prompts to extract the image file and note where the file is saved. (Typically a new directory will be created within the Downloads directory.)
  • The extracted file must be written to a microSD card for use in the RPi. We will use an application called Etcher to perform this step.
  • In a web browser window go to the Etcher site by entering "" into the address bar.
  • Click on the "Download for Windows x64" button.
  • Run the Etcher setup file once the download is complete. Follow through the typical program installation prompts to install Etcher.
  • When the installation completes the main Etcher window should be displayed.
  • Insert a microSD card into the computer before continuing within the main Etcher window.
  • Click on the "Select image" button in the Etcher window. A file chooser dialog should appear. Navigate to and select the 2017-08-16-raspbian-stretch-lite.img file and click the "Open" button.
  • The main Etcher window should update to show the .img file chosen. Additionally, the microSD card should have automatically been selected if it is the only removable drive in the computer. If Etcher detected multiple removable drives a "Select drive" button will be shown in the middle of the window allowing the selection of the drive to be used.
  • With the .img file selected and the microSD identified the Etcher window now looks like the screenshot below.
  • Click the "Flash!" button to begin the process of flashing the .img file to the microSD card.
  • The main Etcher window will update to show "Starting…" in place of the "Flash!" button.
  • If prompted, allow administrator and/or enter administrator credentials to continue the process.
  • A progress indicator will be shown in place of "Starting…" as the image flashing progresses.
  • After flashing the image to the microSD card the Etcher window will update to show the progress of validating that the image was written successfully.
  • Finally, the Etcher window will update to indicate the flash is complete.

Preconfigure Wi-Fi and SSH

A couple of configuration updates are needed before putting the microSD card into the RPi for the first time.

As part of the Simple ICS Lab the RPi will run without a monitor or input devices. Because of this we must create a configuration file and specify Wi-Fi parameters so the RPi can connect to the network upon first boot. In addition, we will configure the RPi so that SSH is enabled. This will allow us to remotely access the RPi once it is running.

The steps below are based on instructions available at the following two web pages:
NOTE: A program called Notepad++ is used to create files for these steps. If you do not already have Notepad++ installed, download and follow the installation instructions at:
IMPORTANT: If Windows gives you a message that "There's a problem with this drive. Scan the drive now and fix it." ignore it! You will still be able to access the microSD and manipulate files as necessary following the steps below.

  • Open Notepad++.
  • A window for a new empty file should display. If you do not see a "new 1" tab, click in the menu bar on "File", then select "New".
  • Enter the following text into the new file. 
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

  • Be sure to change the value for "country" if necessary and update the placeholder text, YOUR_NETWORK_NAME and YOUR_PASSWORD, with your actual Wi-Fi network SSID and PSK password. Be sure to keep the double quotes around your values.
  • Your file should look similar to the following:
  • Windows and Linux use different text file formats. We need to perform an EOL (End-of-Line) conversion before saving the file because of this.
  • In the menu bar click on "Edit", select "EOL Conversion", and then click "Unix (LF)".
  • Save the new file onto the microSD card. In the menu bar click on "File", then select "Save As…"
  • In the file chooser window select your microSD card. (In the screenshot below, the microSD card is the D: drive.) Specify the "File Name:" as wpa_supplicant.conf and set "Save as type:" to All types (*.*). Click the Save button to finish. (If you do not see your microSD card, remove it and then reinsert it into your computer.)
  • Once the file is saved the Wi-Fi preconfiguration is complete. When Raspbian Stretch Lite first boots it will move the file to /etc/wpa_supplicant/. This allows the RPi to connect to your Wi-Fi network.
  • To preconfigure SSH, click on "File" in the Notepad++ menu bar and choose "New".
  • Next, click on "File" in the Notepad++ menu bar and choose "Save As…". (We just need an empty file named "ssh" to cause the RPi to enable SSH.)
  • In the file chooser window select your microSD card. Specify the "File Name:" as ssh and set "Save as type:" to All types (*.*). Click the Save button to finish.
  • Once the empty file is saved the SSH preconfiguration is complete. When Raspbian Stretch Lite boots for the first time and sees that a file named "ssh" exists, SSH will be enabled.
  • Close Notepad++ and eject the microSD card from the Windows computer.
Boot and Test the RPi

Now that Raspbian Stretch Lite has been flashed to the microSD card and preconfigured we can use it to boot the RPi.

When the RPi boots up it will receive an IP address on your Wi-Fi network. The first thing to do is identify all the active devices on the Wi-Fi network prior to starting the RPi. Once we have a list of devices we will then boot the RPi and perform a second scan of the network. With two listings of IP addresses we can compare them to find the additional IP address of the RPi.

Your host system should be connected to the same Wi-Fi network you intend to use with the RPi for the steps below to work properly. The host system is the computer on which you are running the Lubuntu ICS VM.
  • Start up the Lubuntu ICS VM that was created in Simple ICS Lab - Part 1 if it is not already running.
  • Log in if necessary to reach the Lubuntu desktop.
  • IP addresses are made up of 4 octets. These steps assume your Wi-Fi network uses a class C, or /24 subnet. The commands below should be appropriate for practically all home networks.
  • Identify the IP address of the Lubuntu ICS VM. Click on the network adapter status icon in the status bar near the lower-left of the desktop. Select "Connection Information" from the context menu.
  • A new window should appear displaying network connection information including the IPv4 IP Address assigned to the Lubuntu ICS VM.
  • The IP address is in the screenshot above. The first three octets of the IP address, 172.16.16, will be used in the next set of steps to scan the Wi-Fi network. Write down or copy the first three octets of your Lubuntu ICS VM's IP address. They will be needed to run the commands properly on your system.
  • The LXTerminal program will be used to execute commands in order to create the initial list of IP addresses.
  • Click the lower-left menu button on the desktop, select "System Tools" and then click "LXTerminal". (If you would prefer to launch LXTerminal from a desktop icon, right-click on "LXTerminal" and choose "Add to desktop". You can then double-click the new desktop icon to start LXTerminal.)
  • To install the nmap utility which we will use to scan for IP addresses run the command:
    • sudo apt-get install nmap 
  • Enter your password when prompted.
  • Enter "Y" to continue when prompted.
  • You will be returned to the command prompt when the installation of nmap is complete.
  • Run the nmap command below, replacing the 172.16.16 portion of the command with the 3 octets from your system's IP address that you wrote down earlier.
    • nmap -n -sn -oG - | awk '/Up$/{print $2}' | tee /tmp/initiallist
  • After a few moments you should see a list of IP addresses with the same first 3 octets for your system. Below is an example from running the command on a network where the first 3 octets are 172.16.16. Your output will be different.
  • If you are interested, Google nmap, awk, and tee for more information on the commands and their options.
  • Now that we have our initial list of active IP addresses we can boot up the RPi.
  • If the microSD card is not already inserted into the RPi, securely seat it in the microSD slot.
  • Connect power to the RPi and wait 3 to 5 minutes to ensure it has completed booting.
  • Next, run the nmap command below to generate an updated list of active IP addresses on your Wi-Fi network. The command is nearly identical to the previous one except the IP addresses are written to a different temporary file name.
    • nmap -n -sn -oG - | awk '/Up$/{print $2}' | tee /tmp/updatedlist
  • You may be able to visually see the differences between the output in your LXTerminal window. To make sure we don't miss any differences run the command:
    • diff -y /tmp/initiallist /tmp/updatedlist
  • The output from the command should show a difference. This is very likely the IP address the RPi received when it connected to your Wi-Fi network.
  • The example below shows that the output identified two differences, and
  • We will test each IP address by attempting to connect via SSH. The IP address for the RPi will accept the SSH connection attempt and prompt for authentication.
  • Run the ssh command below. The -l option is used to specify the username for Raspbian Stretch Lite.
    • ssh -l pi
  • In this case the IP address refused the connection.
  • Next, an attempt will be made to connect to the remaining IP address identified in the differences output.
    • ssh -l pi
  • When prompted to continue connecting enter "yes".
  • The default password for the user pi is raspberry
  • This time you can see in the output that a successful connection was made to the RPi.
  • To disconnect enter exit and press "Enter" on your keyboard.

Testing Complete

Once a successful connection is made to the RPi the booting and testing are complete. We have shown that the device properly connected to the Wi-Fi network and allowed a connection via SSH.

NOTE: The RPi IP address responding to a connection via SSH will remain the same while it is powered on. If you power off the RPi and/or return at a later date to continue working with the RPi, you may need to rediscover the IP address using the instructions above. Consider accessing your home router's configuration settings and setting up a reserved DHCP IP address for the RPi. Refer to your home router's instruction manual, or Google to get additional information.


If your RPi has trouble connecting to Wi-Fi you can remove the microSD card and attempt the wpa_supplicant.conf setup again. Be sure to double-check the ssid and password values, avoiding any typos.

The setup in this post assumes the Wi-Fi network is using WPA2 with AES encryption. Check the forum thread below if you have additional problems connecting to Wi-Fi. The forum thread discusses other parameters that can be used when setting up the connection.