Saturday, October 26, 2013

security fail: home DVR/camera systems

Many people, such as myself, decide to invest in home security camera systems.  Most of them nowadays allow you connect directly to the system via your smartphone.   As I am in the computer security field, I tend to wonder just how secure things are in my own home.  So I put my NiteOwl 16 channel DVR system to the Pepsi challenge.  It failed horribly.

Whenever I send my username and password across the internet to look at my home security cameras, the credentials are sent in clear text.  Anyone in computer security knows is a not a good thing.  Clear-text credentials are very easy to intercept.  And most people don't know how to properly defend themselves and their home against cyber threats.  So lots of people will use one password for everything.  So if someone was to intercept this DVR password, the attacker has a lot of helpful information.

The intercepted information will include:

  1. the username, which is likely the username also used in at least one of the computers on the victim's home network. 
  2. the username's password, which is also likely to be the same password on the computer mentioned above
  3. the destination IP address, which tells the attacker where you are and what to attack.  
Given how many people use the same password for everything and leave their home network devices on the default settings, sending a clear-text password can be a recipe for disaster.  So let's see which home security DVR systems failed the test.

NiteOwl - failed

Zmodo - failed

A-See Pro - failed

Q-See:  no credentials passed at first, but I can't be sure it never will since I don't have the DVR to make a valid connection.  Chances are the exchange happens after the javascript file is executed.  If I can find someone with a Q-See system, I should be able to properly verify.
Samsung:  At first it looked ok since unlike the others, it was not sending clear text passwords up front.

But then i noticed it was providing a field called "Authorization" and a value that looked like a base64 code.   So i took the code to my favorite web site for decoding base64

And there is our username/password.  Weak security, but better than nothing compared to the others.

Defender:  same thing as Samsung, just base64

Lorex - failed
Swann - failed

still testing a few more, but so far I am not impressed by any of them.

My advice for now, if you have one of these systems, make sure the password you use to connect to the system is a password you do NOT use for anything else.  Also make sure the cameras are not recording anything sensitive.  If they are, I recommend disconnecting the DVR from the internet.

Sunday, October 6, 2013

SSH PKA the easy way

this tutorial involves 2 computers, a client and a server.  As you should know, a client will connect to the server.  You can always add an ssh server to your client machine, but we aren't going to worry about that today.

on the client machine:
# cd /home/username
The username needs to be the username you are going to use to connect, and that username must exist on the server machine as well.  You can do it other ways, but that is a complication we won't get into today.
# mkdir .ssh
# chmod 700 .ssh/
# cd .ssh
# ssh-keygen -t rsa -b 2048

(some ssh servers like hardware appliances require dsa, so use ssh-keygen -t dsa in those cases)
Accept the default values and it should put the keys in the folder you just created.
# chmod 640
# chmod 600 id_rsa

# nano /etc/ssh/ssh_config
Add the following line (or uncomment the line if it already exists)
IdentityFile ~/.ssh/id_rsa
Then use CTRL-O to save and CTRL-X to exit

One the server machine:
Install the SSH server software.
For Ubuntu, use
# apt-get install openssh-server.  
For RHEl/centOS, use
# yum install openssh-server. 

Now make the folder and key on this machine as well.
# cd /home/username
# mkdir .ssh

# chmod 700 .ssh/
# cd .ssh/
# touch authorized_keys
# chmod 740 authorized_keys

Now you need to get the pub file from the client machine over to the server.  I will include a command to use SCP to transfer it using SSH.  But in general, you should always think of ways to transfer keys using out of band methods, like maybe email or USB, etc.
# scp username@client.ip.address:/home/username/.ssh/ /home/username/.ssh/
Replace username with your username and client.ip.address with the IP address of the client machine, or you can use the DNS name as long as your DNS is working.

Now that the pub key is transferred, let's lock it down and enable.
# chmod 640
# cat >> authorized_keys
# nano /etc/ssh/sshd_config

Adjust the port and other settings after you get the ssh server working.  for now, let's just get the keys working.  Look for the below settings and uncomment them and change the values as needed.   The settings below are how they should be.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
Now use CTRL-O to save and CTRL-X to exit

Restart the server, for RHEL use:
# service sshd restart
For Ubuntu, use:
# /etc/init.d/sshd restart

Now go back to your client machine and test
# ssh ServerMachineIP
Replace ServerMachineIP with the IP of the server machine.  If you are using the same username on both machines, then you don't need to specify a username.  It assumes you are using the same username as the client machine.

If it works, you should be taken directly to a new shell with the

username@client:~$ ssh serverName
Last login: Sat Oct  5 15:45:53 2013 from
[username@serverName ~]$ 

If something goes wrong, use the logs to find out what the client and server are complaining about.

from the client machine, use:
# ssh -vvv ServerMachineIP 

From the server machine, run a tail on the logs:
# tail -f /var/log/secure
In most cases, secure is the log you need.  but if not, just google it.

If you want to connect to a different user account, all you need to do is:
- on the server machine: do the above server machine steps but instead of going to the /home/username folder, go to the user folder that belongs to user you wish to login as.  eg.  /home/Robert
- on the client machine:  just specify the username when you connect
# ssh Robert@serverMachineIP

You CAN place them in the /root/.ssh folder and connect to the server as root.  But you will need to make sure the sshd_config file is set to allow login as root.  In general, it's best to use normal accounts to login via SSH, then use the su - command (switch user) to switch to the root account.
PermitRootLogin yes

Monday, September 30, 2013

Using Radius authentication with Apache web server

The following will install radius authentication on your RHEL/CentOS apache web server.   You can use these instructions for different linux builds, you will just need to adjust by finding the correct folder locations and package names.  Also this is a 64-bit system, so for 32-bit change the package names from x86_64 to i386 or whatever YUM tells you is available.

This configuration assumes you already have a functioning web server.  If you don't please find a separate tutorial on apache web server for your OS.  You must have the radius server configured before attempting this configuration.   You need to add each user to that linux box beforehand (useradd).  This will replace htpasswd authentication, but will only work for users defined in the radius server and the local linux server.

To my knowledge, you cannot have both radius and htpasswd authentication running at the same time.  Also, applications that have their own authentication system outside of htpasswd (such as mysql) will not work with radius since they are checking their own database and not the radius server.   It's likely possible, but not included in this config.

Do this at your own risk.  If you screwed up your system because of these instructions, feel free to contact me so I can laugh at you.

  • install packages
    yum install httpd-devel.x86_64 apr-devel apr-util-devel apr.x86_64 apr-util-devel.x86_64
  • Go to  and locate the latest download URL
  • Go to temp folder make a new temp folder
  • # mkdir /opt/mem
    # cd /opt/mem
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xzvf
    Where FILENAME is the name of the file
  • Go to the folder
    Where FOLDERNAME is the name of the folder created during unzip
  • # cd /opt/mem/FOLDERNAME
  • Run configure
    # ./configure --prefix=/etc/httpd --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config
  • Make files
    # Make# Make install
  • Go to and locate the latest mod_auth_xradius download
  • Go to temp folder make a new temp folder
    # mkdir /tmp/mod
    # cd /tmp/mod
  • Download the file
    # wget URLLOCATION
    Where URLLOCATION is the URL you located in the above step
  • Unzip the file
    # bunzip2 FILENAME
    # tar -xzvf
    Where FILENAME is the name of the file
  • Go to the folder
    Where FOLDERNAME is the name of the folder created during unzip
  • If you are using MORE than one radius server, you will need to patch a file to allow this.  If you are only using one radius server, you can skip the patching. 
  • Create patch file
    # touch patch.txt
    # nano patch.txt
  • Copy this patch data into the editor and save the file.
@@ -125,15 +125,15 @@
     rctx = xrad_auth_open();

     /* Loop through the array of RADIUS Servers, adding them to the rctx object */
-    sr = (xrad_server_info *) dc->servers->elts;
     for (i = 0; i < dc->servers->nelts; ++i) {       
-        rc = xrad_add_server(rctx, sr[i].hostname, sr[i].port, sr[i].secret,
+        sr = &(((xrad_server_info*)dc->servers->elts)[i]);
+        rc = xrad_add_server(rctx, sr->hostname, sr->port, sr->secret,
                              dc->timeout, dc->maxtries);
         if (rc != 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "xradius: Failed to add server '%s:%d': (%d) %s",
-                          sr[i].hostname, sr[i].port, rc, xrad_strerror(rctx));
+                          sr->hostname, sr->port, rc, xrad_strerror(rctx));
             goto run_cleanup;
@@ -294,7 +294,7 @@
     /* To properly use the Pools, this array is allocated from the here, instead of
         inside the directory configuration creation function. */
     if (dc->servers == NULL) {
-        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info*));
+        dc->servers = apr_array_make(parms->pool, 4, sizeof(xrad_server_info));
     sr = apr_array_push(dc->servers);

  • Patch the file
    # patch -i patch.txt
  • When asked what file to patch, type in src/mod_auth_xradius.c
  • Now Run config
    # ./configure --with-apxs=/usr/sbin/apxs --with-apr-memcache=/etc/httpd/lib
  • Run make
    # make
    # make install
  • Edit config
    # nano /etc/httpd/conf/httpd.conf
  • Search for DocumentRoot "/var/www/html"
  • Paste the following text directly under DocumentRoot "/var/www/html" and save the file
  ## This Loads mod_auth_xradius into Apache
    LoadModule auth_xradius_module modules/

    ## radius cache location
    AuthXRadiusCache dbm "conf/auth_xradius_cache"

    ## Cache timeout in seconds
    AuthXRadiusCacheTimeout 600
                Save and Exit the file.
  • Edit the main httpd conf file
    # nano /etc/httpd/conf/httpd.conf
  • Locate this text <Directory "/var/www/html">
    and add the following text directly underneath
        ## This is what the client sees in their Prompt.
        AuthName "Radius Authentication required"

        ## Type of authentication to use.
        AuthType basic
        AuthBasicProvider xradius

        ## Address and the Shared Secret of the RADIUS Server to contact.
        AuthXRadiusAddServer "" "RADIUSSECRET"
        AuthXRadiusAddServer "" "RADIUSSECRET"

        ## Time in Seconds to wait for replies from the RADIUS Servers
        AuthXRadiusTimeout 600 

        ## Number of times to resend a request to a server if no reply is received.
        AuthXRadiusRetries 3

        ## disallow blank passwords
        AuthXRadiusRejectBlank on

        ## This tells apache that we want a valid user and password.
        require valid-user
Where RADIUSSECRET is the shared radius secret password in the password safe.

Any folder/site/app you want to inherit web auth (radius) authentication must be a child folder of the html folder.  Anything outside the html folder will not inherit cached radius credentials and will not allow radius authentication.  Those folder will have to use standard web authentication.

If your radius server does not use port 1812, change the above accordingly.

  • Save and exit the editor.
  • Run ldconfig
    # ldconfig /usr/local/lib
  • Create cache file
    # touch /etc/httpd/conf/authxcache
    # chown apache:root /etc/httpd/conf/authxcache
  • Restart httpd
    # service httpd restart
  • Test radius auth by going to the homepage.  You may need to restart your browser.
    • If radius authentication is not working, check /var/log/httpd/ssl_error_log for errors.  If you see an error
      xradius: Failed to add server ':1812': (-1)
      Then your patch failed or you did not successfully patch the .c file.  You can refer to for assistance. 
As a last resort, you can go back and edit httpd.conf and comment out one of the listed radius servers.  Without the patch, the module works fine as long as there is only one server defined.

Using Radius authentication with SSH

The following will configure your linux-based SSH server to use a pre-defined radius server for authentication instead of plain password authentication.  You must configure the radius server before starting this configuration.  This is for Linux 64-bit bit but for 32-bit just change package names from .x86_64 to i686.:

·         Download install package (make sure the server can access the internet via port 80/443)
# yum install freeradius pam_radius.x86_64 pam_radius.x86_64 pam.x86_64 
type y when it asks you if this is OK, hit ENTER
·         Edit the conf file
# nano /etc/pam_radius.conf
·         Add the correct radius server info as follows        secret      5         secret      5
·         Use CTRL-O to save the file and CTRL-X to exit.
·         Set file permissions
# chmod 600 /etc/pam_radius.conf
·         edit the sshd_config file
# nano /etc/ssh/sshd_config
o   Uncomment the line PubkeyAuthentication yes
o   Uncomment the line UsePAM yes
Save and exit the file
·         edit the pam sshd config file
# nano /etc/pam.d/sshd
Move the first line down to become the second line.   This line needs to be the first line:
auth       sufficient   /lib/security/ debug client_id=linux
o   The first line must be listed as above.  If the default first line is still listed, radius will not authenticate properly.  
o   If you do NOT wish to allow standard password authentication WITH radius authentication, you can # comment the second line to force all auth requests to use dual factor.
o   If the machine is 64 bit, change /lib to /lib64
·         Enable standard authentication to switch users
# nano /etc/pam.d/su
·         Move this line to the top of the list.  This will allow you to auth using radius, but change user using normal password.
auth            include         system-auth
Save and exit the file.
·         Edit the system auth file
# nano /etc/pam.d/system-auth
·         Comment out this line
password    requisite try_first_pass retry=3
and add these lines to replace it
# password complexity requirements
password    requisite min=disabled,disabled,12,8,7 retry=3
·         In the “auth” section toward the top, add these lines
# lock out users after 10 failed attempts
auth        required onerr=fail deny=5unlock_time=21600
·         restart the sshd service
# service sshd restart
·         Test Radius Authentication
o   Make sure the user account is valid, you have to add the user account to linux before it will auth using pam.
o   Make sure the server IP is listed in the radius CLIENTS file.  If it’s a new server, chances are it has not yet been added.
o   Check /var/log/secure for failures.  If you see PAM [error: /lib64/security/ cannot open shared object file then that .so file is not installed. It’s easiest to just copy the file from another server that is working or you can google the rpm for pam_radius_auth
·         If radius auth works, update the sshd_config file to forbid root login
# nano /etc/ssh/sshd_config
o   Uncomment the line PermitRootLogin no or change the value to no
o   Uncomment the line PermitEmptyPasswords no and make sure it is set to no
·         Save and exit.

·         set always on
chkconfig --level 35 sshd on

Wednesday, August 28, 2013

My Official Sh*t list.

As time goes on, certain people or organizations are banned by me and me alone.  Here is who and why:

The LDS Church - Born into the Church I had a front row seat at everything they taught.  Then I went to college and did a research paper on the LDS Church.  Doing that helped me see the full version of everything the taught me, and everything they tried to avoid teaching me.  I also learned all the little things the most Mormons don't know, simply because the high majority of Mormons don't bother to ask questions.

There are so many things about the LDS Church that is just plain wrong, but my biggest tiff is how the Church is really a Corporation.  Not only a corporation, but a TAX EXEMPT corporation.  They have MILLIONS of dollars invested in private enterprise, most of which is tax exempt.  The money invested comes directly from the members of the LDS Church.  None of the members have any vote regarding the investments made with their money, and none of the members receive any dividends or any kind of return from any of the profits generated by such investments.  Even better, all members of the Church are REQUIRED to give 10% of their annual income to the church.

I'm proud to say, I never gave them a penny growing up.   But they sure gave me a lot of shit for it.   Also please realize, I don't dislike Mormons.  I simply pity them for believing the Church's lies just as much as they pity everyone else for not being Mormon.  I only hate the Church for exploiting it's members by pretending to be a christian religion.   There's A TON of other reasons I hate the church, but I don't need to prove anything to you.  Do your own homework.

Articles that best illustrate my opinion of the church:

GoDaddy - First they strongly supported SOPA.  Then suddenly, when all their clients were cancelling their services, suddenly GoDaddy was all against SOPA.  What a coincidence.  Then some rumors got out that GoDadddy was never really for SOPA.  The issue was simply not brought to the correct leaders of GoDaddy and so the company's official position was never released until the exodus began.

Bull Shit.

I suspect GoDaddy owned by the LDS Church or someone that belongs to the Church.  Cuz they sure pulled a 180 just like the LDS Church did in 1890.  There's other reasons I don't like them, but this was the worst one for me.  If you look at what a whore GoDaddy has become exploiting the internet and its customers, you can see the reasons why GoDaddy would, in fact, be in favor or legislation like SOPA.

Arnold Schwarzenegger - Yes we loved you as the Terminator and maybe some people enjoyed Kindergarten Cop.   But you never knew anything about politics.  Your declining acting career isn't a good reason to take up politics.   Most actors start directing or producing, like Tom Hanks or Jon Favreau.

So, in between explosion movies, were you taking classes on Political Science or volunteering serving in a local council position?  You are the reason the electoral college is a good idea.  If popular vote matter one bit, the President could be anyone like Brad Pitt or Martha Stewart based on nothing more than popularity.   And California proved this point.

Can't really say Arnie did any more harm to CA than other governators.   But he sure did make CA a laughing stock.   CA was already crazy enough, and now the Terminator is the Governor.   Time to move.

Apple - Don't get me wrong, I like apple products.  They are smooth and efficient.  But Apple Corp can suck my balls before I will ever give them a penny.  They survive on overpriced products, proprietary licensing, misinformation, and elitism.  Thanks to all that, they breed a retarded generation of end users that believe with all their heart that they are better than people that don't have Apple products, and that Apple can do no wrong.

Here's a good example of how Apple uses the elitist peer pressure to keep their customers hooked on Apple.

Square-Enix -  I am a huge Final Fantasy fan.   Went to one of the conventions and spent years playing the online game FFXI.   Loved the game as it was, at that time, the closest thing to Dungeons and Dragons.   I know that makes me sound like a nerd, but whatever.

Over time, SE did a series of "bad moves" that were widely hated by most players.  They constantly repressed its community of players making add-on apps illegal claiming that everything not made by SE was considered cheating.   We all knew this was horse shit because all most of us wanted was to play the game in a window so we could use other apps in the background, like a media player.  You might not understand this if you've never played an MMORPG, but you can only listen to the built-in game music for so long before you go insane.  So we didn't feel a windower was a bad thing.  SE did not agree.

But the straw the broke the camel's back, Absolute Virtue.  AV is a mega-boss that very few people (if anyone) ever defeated.  Many people asked SE for hints on how to defeat AV because they couldn't figure out any weaknesses.   Finally, SE did release a video of some people fighting AV and they eventually defeated him.   The video zoomed in on the log during certain moments which emphasized there was something worth knowing.  The video grew a TON of discussion and people kept trying to beat him, but they failed.   I followed this topic closely and found a post where someone specifically asked one the SE developers about AV.  The developer admitted the fight for AV was generally expected to be an 18 hour fight....18 normal hours (not game hours).

A couple years passed and another 1 or 2 expansion packs were added to the game.  With one of the expansion packs, a new mega-boss emerged, called Pandemonium Warden.   Like AV, some people tried to defeat PW.  The same discussion grew on how to defeat him.  The consensus was the fight to beat PW was going to take at least 10 hours, maybe 18.  So one brave group tried.  They posted their results on a message board when they woke up.   Turns out, they fought for over 22 hours straight.  By 20 hours, a few people began to develop severe headaches and some people vomited.  At ~22 hours, the team leader threw in the towel and told everyone to go to sleep.

The news of this attempt sent shockwaves through the player community. Many peeople were outraged because they didn't see the post about AV being an 18 hour fight so they had no idea SE would create such an impossible character.  ESPECIALLY since SE has such a strong view against such ethics, or so they say.   Before you can even login to the server to play the game, you are presented with a window that won't go away until it finally times out after about 5 seconds.  On this window, it read:
A Word to Our Players
Exploring Vana'diel is a thrilling experience.
During your time here, you will be able to talk, join, and adventure with many other individuals in an experience that is unique to online games.
That being said, we have no desire to see your real life suffer as a consequence.
Don't forget your family, your friends, your school, or your work

They claim to have no desire to let our real life suffer, but they deliberately make more than one meg-boss that requires more than 18 hours to defeat.

About a week after the discussion bomb exploded about PW, SE announced they made some changes to a few bosses that were "too difficult" to defeat.   The next day, another group announced they attempted to fight AV again.  They added that AV was weak enough to defeat in less than an hour.  Another group followed about a week later saying that AV was so weak, they were able to defeat AV in 1 minute 45 seconds.  

Some players that were outraged at this change because they had already spent a lot of time trying to figure out the challenge, and SE had completely taken all the fun away from the challenge.  People accused them of making AV a pussy to save their own skin.  SE then released yet another statement denying that AV and PW were never meant to be such a long fight.   But as I mentioned earlier, I saw the proof myself that they did in fact mean for the bosses to be as strong as they were.

I understand that no company is going to admit they fucked up because of liability.  But to publicly LIE to all of it's players was an Absolute Shame.

Thursday, July 18, 2013

Restarting Nagios prompts for password

There is no discussion for this topic as far as I can see so here is my resolution in case it helps anyone

The setup process I have lined up ends up forcing Nagios to ask for a password every time the service is restarted.  The service still starts up fine even if the password is incorrect.  So it really doesnt matter except for one major problem.  If the computer reboots unexpectedly, the service hangs waiting for someone to hit ENTER.  So to fix this, I modified the service script

# vi /etc/rc.d/init.d/nagios
o Search for Starting nagios
o You will see this line
su - $NagiosUser -c "touch $NagiosVarDir/nagios.log $NagiosRetentionFile"
o Change the line to this text (or you can comment out the original line and add a new line as pictured below)
touch $NagiosVarDir/nagios.log $NagiosRetentionFile

o Save and exit the file.
o Restart nagios
# service nagios restart
o Done.

Tuesday, June 4, 2013

Scion xB 2005 - Fuel Filter replacement DIY

Warning: this is for educational purposes only.  Neither I nor anyone else on the planet is responsible for your stupid decisions and lack of thinking.  The information provided here is the best of my documenting ability and nothing more.  Like ANYTHING on the internet, it should not be considered as the full truth with no missing pieces.  If I leave anything out, it's your responsibility to find the rest of the puzzle.   ie, if you blow your car or yourself into a million pieces, it's YOUR fault.

Note:  This took a lot more effort than I had anticipated even with the other DIY articles I found on this subject.  I personally will be paying someone to do it for me next time.  If you decide to take this on, I suggest you go ahead an replace the fuel pump while you are at it, as long as you have at least 60,000 miles on the toaster.  My pump died at 94k miles.

Before you begin, make sure you have access to tools as you will need a wide range of them.  You will find out what size as you go.  I am not going to list those details.

Other DIY articles have stated you need to remove the back seat.  This is not entirely correct.  You CAN remove the back seat, but it is not necessary.  Removing it will just make things less crowded.  You can just use some bunjee cords and connect the two hinges of the back seat to the back door hinge and that will keep the seat up and out of your way.   If you decide not to remove the back seat, skip ahead to the next step.

Removing the back seat (optional)

First remove all the "trunk" gear, like the spare tire and emergency gear, until you see the floor/frame.   You will see 3 bolts connecting the seat to the frame.  You will need to unscrew these.

 You will find one more in the front of the seat (circled).  Lift up the seat and it will pop off the hinge easily.  Pull the seat belts through the cushion holes to allow the seat to go higher, making it easier to remove the bolt.   Dont bother removing the bolt for the seat belts (squared).

Return to the back and release the vertical locks for the back seat, lowering the seat back.   In the far corners you will see the seat back is connected to the frame/  Pull apart the carpet covers to expose the bolt.  remove these bolts and the seat can now be removed.

On to the filter:

Now that the seat is removed, or if you just lifted up the seat, you now have the exposed carpet.   Lift away the center square of carpet and you will see the image below.

Pull apart the rubber cover that protects the wiring.

use a flat screwdriver to pry open the metal cover.  It's only sealed by sticky goop so no bolts need to be removed.  pry apart the cover plate carefully and spread it apart evenly.  If you focus on one point you will easily bend the cover plate.

As you can see, it's very dirty underneath.  so as you go from here, use some wet wipes to clean the area as much as possible. you do not want to get dirt in your fuel system.

Below are the components labeled as best I could provide.  You will need to remove all four of these components to remove the filter assembly.
Edit:  turns out the intake valve is actually the return valve.  the intake is inside the tank filtered by the sock first.

for the sensor, use one hand to squeeze the release and the other hand to pull the harness toward the back of the car.

Now remove the guage.  Use some pliers to squeeze the top of the release, then use large pliers to remove THE ENTIRE GRAY harness.  It looks like the top part comes off, but all the gray you see will pop off.

With these two removed, the engine will not receive any more gas.  Start the car and let it die on its own.  this will drain the lines (as much as possible) of gasoline.   Once the car dies, disconnect the battery and make sure it will not accidentally reconnect.

optional step:  you can disconnect the gas line from the engine.  this will simply reduce the pressure in the line and less gas will spill out when you remove the out valve later.

Now let's remove the out valve.  You will see a small yellow C-shaped pin that holds down the valve.  Slide this pin toward the front of the car and DO NOT LOSE OR BREAK IT.   This is a proprietary part that cannot be found in auto part stores (I already tried, the ones in stores are too thick).

 Unscrew the bolts (all of them).  two of the bolts hold down the intake valve cover piece.

  Remove the cover piece and you will see the intake valve clamp (circled).   Keep cleaning.  Remove the valve from the assembly.  This proved to be very difficult for me because the 2 release switches simply would not release the lock.  I had to pry apart the pins in the direction the releases were supposed to be moving it just to get the valve removed.

WANING:  don't damage the valve too much. if you have to replace it, you cannot just replace the valve head that connects to the assembly.  The part you get from toyota is the entire hose piece and running that in and under the car will not be a fun task.

If you can, place both valves in plastic bags to prevent dirt or dust from getting into the valves.

Before you attempt to remove the filter assembly, take note of the positions of the two circled items.  You will need to place the pieces back in these positions, or you will have a hell of a time re-seating the  bolts or the guage may not work.

Now that all bolts and valves are removed, you can start to remove the filter assembly.  BE CAREFUL, go slow and steady.  You will need to rotate and tilt the filter to get it out because of the gauge level arm and the filter sock.   You can use the return pipe (circled above) to pull up and rotate the filter.

Place the filter in a clean pan.

At the base of the filter, remove the plastic cover.  There is a rubber cap underneath the plastic which covers the base of the sock.  remove the rubber piece and keep all these items handy and clean.

I dont have a picture, but you need to remove the guage level arm.  it's not that hard, just don't force it cuz you can easily break it.

The circled area is the release lever.  Press the lever down with a screwdriver and then move the gauge assembly toward the base of the filter (in the direction of the arrow).

 now remove the top portion, you will see the 4 latches that can be easily undone using a screwdriver.

Note the circled area.  the round plastic piece fell right off for me.  So if it falls off for you, this is where it goes and how it should be placed.

The circled area below will contain the small o-ring.  remove it from the old unit and place it in the new unit.

I dont have any pictures from here.  but remove the rest of the items from the filter assembly and reassemble using the new filter.  disconnect the wire harnesses and then push out the center piece (that's the fuel pump) that connects to the sock by pushing to toward the base.  remove the regulator that is next to the sock and place everything in the same position on the new unit.  restore everything back the way you found it by reversing the above steps.  

Once you get everything connected, don't patch up the cover yet until you've tested it.  reconnect the battery and disable any alarms you may have.  some people will say you can turn the key to ON and it will begin pressurizing the fuel system.  this is not true for xB 2005 (likely for 2006 or older as well).  I tested this and confirmed the fuel pump only works while the starter is cranking.  So when you are ready, you will just have to keep the starter going for an extra 5-15 seconds to get enough fuel into the system to start.  If it doesnt start by then, you may have forgotten something, a bad connection, or a bad fuel pump.  

Start the car and make sure it runs for a good 30 seconds.  Turn off the engine and wait 30 minutes.  start the car again.  If all is well, you can patch up the cover and replace the seat.   If you have problems you are going to have to double check your steps.