Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


PC Engines APU2 - Debian 9.6 / Stretch


  • It seems the APU2 won't boot from USB3 drive and external USB2 card reader. Booting from a USB2 thumb drive was not a problem. Or try to update the BIOS / firmware.
  • This is a netinstall, you'll need an internet connection.
  • Enable Legacy console redirection in BIOS.

Install Debian 9 (using USB)

  • Download amd64 netinst ISO:
    curl -L -O
  • Copy image to USB drive:
    sudo dd if=debian-9.6.0-amd64-netinst.iso of=/dev/sdX bs=4k status=progress
  • Unmount USB drive.
  • Boot APU2 from USB (press F10 for boot menu).
  • Press h and <ENTER>.
  • Then enter the following 'install' line the following line:
    #Press F2 through F10 for details, or ENTER to boot: 
    install vga=off console=ttyS0,115200n8
  • Press <ENTER> to start install.
  • During install, deselect any desktop environment and select the SSH server and standard system utilities.
  • At first reboot, you'll get the following error:
    text is deprecated. Use set gfxpayload=vga=off before linux command instead.
  • Reboot, and at the grub menu press e and remove the vga=off option. Press ctrl-x to boot.

Post install configuration

  • Log in as root
  • Fix grub:
    sed -i 's/vga=off\ //g' /etc/default/grub
  • Reboot to test.
  • Configure network.
  • Configure SSH. Use SSH to complete the configuration.
  • System should be updated during install, but you can check / install if there are any updates.
    apt update
    apt upgrade
  • Known watchdog problem, it doesn't work with i2c and ccp loaded.
    [    4.912372] sp5100_tco: SP5100/SB800 TCO WatchDog Timer Driver v0.05
    [    4.912619] sp5100_tco: PCI Vendor ID: 0x1022, Device ID: 0x780b, Revision ID: 0x42
    [    4.912630] sp5100_tco: I/O address 0x0cd6 already in use
  • To fix for now, blacklist the following modules.
    cat >> /etc/modprobe.d/blacklist.conf <<EOF
    blacklist i2c_piix4
    blacklist ccp
  • Alternatively you can blacklist sp5100_tco if you don't need it.
    echo "blacklist sp5100_tco" > /etc/modprobe.d/sp5100_tco.conf
  • Update initramfs:
    update-initramfs -u
  • Configure iptables (allow only SSH and ICMP)
    apt install iptables-persistent
    iptables -F 
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT ! -i lo -d -j REJECT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    ip6tables -F 
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP
    # for local resolving
    ip6tables -A INPUT -i lo -d ::1/128 -s ::1/128 -j ACCEPT
    ip6tables -A OUTPUT -o lo -d ::1/128 -s ::1/128 -j ACCEPT
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
  • Configure systemd-timesync:
    sed -i '/^#NTP/c\' /etc/systemd/timesyncd.conf
    systemctl enable systemd-timesyncd --now
  • Beep after boot:
    apt install beep
    cat > /etc/systemd/system/beep.service <<EOF
    Description=Beep when started
    ExecStart=/usr/bin/beep -f 1800 -l 20 -d 20 -r 10
    systemctl enable beep.service
  • Temperature reading:
    apt install lm-sensors hddtemp
    hddtemp /dev/sda
    /dev/sda: SATA SSD: 33°C
    Adapter: PCI adapter
    temp1:        +54.4°C  (high = +70.0°C)
                           (crit = +105.0°C, hyst = +104.0°C)
    Adapter: PCI adapter
    power1:        5.56 W  (interval =   0.01 s, crit =   6.00 W)
  • Front LEDs
    apt install build-essential curl
    curl -O
    tar xf apu2-leds.tgz 
    cd apu2
    make install
    modprobe ledtrig_default_on; modprobe ledtrig_heartbeat
    echo heartbeat > /sys/class/leds/apu2:1/trigger
apu2_debian_stretch.txt · Last modified: 2021/10/09 15:14 by