@sskaje

Ubuntu build .Net Core App

By @sskaje
Link: https://sskaje.me/2021/06/ubuntu-build-net-core-app/

Ubuntu 20.04，打算build Il2cppDumper 6.2.2 的 .Net Core 版本，因为作者没有上传二进制到releases里。

参考微软官方文档：https://docs.microsoft.com/zh-cn/dotnet/core/install/linux-ubuntu

wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

sudo dpkg -i packages-microsoft-prod.deb

sudo apt-get update
sudo apt-get install -y apt-transport-https
sudo apt-get update 
sudo apt-get install -y dotnet-sdk-3.1 dotnet-sdk-5.0

wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

sudo dpkg -i packages-microsoft-prod.deb

sudo apt-get update

sudo apt-get install -y apt-transport-https

sudo apt-get update

sudo apt-get install -y dotnet-sdk-3.1 dotnet-sdk-5.0

环境装好后，准备仓库

git clone https://github.com/Perfare/Il2CppDumper.git
git clone https://github.com/sskaje/EnumExtractor.git

1 2	git clone https://github.com/Perfare/Il2CppDumper.git git clone https://github.com/sskaje/EnumExtractor.git

Build 直接用 dotnet publish 完成

cd Il2cppDumper
dotnet publish --output ../out --framework netcoreapp3.1
cd ../EnumExtractor
dotnet publish --output ../out

cd Il2cppDumper

dotnet publish --output ../out --framework netcoreapp3.1

cd ../EnumExtractor

dotnet publish --output ../out

因为 Il2cppDumper 作者支持了多个framework，如果不指定就会报下边类似的错误

/usr/share/dotnet/sdk/5.0.300/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.CrossTargeting.targets(27,5): error NETSDK1129: The 'Publish' target is not supported without specifying a target framework. The current project targets multiple frameworks, you must specify the framework for the published application. &#91;/opt/tools/il/Il2CppDumper/Il2CppDumper/Il2CppDumper.csproj]

/usr/share/dotnet/sdk/5.0.300/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.CrossTargeting.targets(27,5): error NETSDK1129: The 'Publish' target is not supported without specifying a target framework. The current project targets multiple frameworks, you must specify the framework for the published application. [/opt/tools/il/Il2CppDumper/Il2CppDumper/Il2CppDumper.csproj]

由于在 Linux 上build的，所以直接输出了可以执行的二进制文件（ELF，也+x了），不需要从github上下载之后用 dotnet 启动 dll 去执行了，dotnet 执行的方法也很简单

dotnet Il2cppDumper.dll

1	dotnet Il2cppDumper.dll

Ubuntu build .Net Core App by @sskaje: https://sskaje.me/2021/06/ubuntu-build-net-core-app/

VMware.com Evaluate Everything

By @sskaje
Link: https://sskaje.me/2021/05/vmware-com-evaluate-everything/

Just for fun.

You are not authorised to read all content in this post. Please login…

VMware.com Evaluate Everything by @sskaje: https://sskaje.me/2021/05/vmware-com-evaluate-everything/

红米音箱固件更新检查逻辑

By @sskaje
Link: https://sskaje.me/2021/04/redmi-play-firmware-upgrade-check/

前一篇，看到了https的协议内容，其中使用了 ota check 检查固件版本，但是实测返回出来的内容是一个只有3k不到的 HDR 开头的文件，猜测这个文件应该是一个加密或者压缩后的response，例如json。

ota这个命令在 /bin/ota，本身是个 shell 脚本，直接读内容，可以看到所有的命令调用的都是 matool 以及它的各个 symlink。其中命令

case "$1" in
    success)
    set_upgrade_status success
    ;;
    check)
    check
    ;;
    ble)
    check_and_upgrade $2 $3 $4
    ;;
    upgrade)
    check_and_upgrade $2 $3 $4
    ;;
    slient)
    slient_check_and_upgrade
    ;;
    *)
esac

case "$1" in

success)

set_upgrade_status success

;;

check)

check

;;

ble)

check_and_upgrade $2 $3 $4

;;

upgrade)

check_and_upgrade $2 $3 $4

;;

slient)

slient_check_and_upgrade

;;

esac

执行 ota ble，输出如下。（输出被我掐了，因为我怕直接进了更新，就没法调试了）

root@L07A:~# ota ble
--2021-04-13 16:19:53--  https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/l07a/mico_skr_firmware_xxxx_1.76.2.bin
Resolving cdn.cnbj1.fds.api.mi-img.com... 220.194.223.76, 123.125.46.228, 2408:8706:0:5700:40::3, ...
Connecting to cdn.cnbj1.fds.api.mi-img.com|220.194.223.76|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2560 (2.5K) &#91;application/octet-stream]
Saving to: '/tmp/mico_ota.bin'

/tmp/mico_ota.bin                                           100%&#91;=========================================================================================================================================&gt;]   2.50K  --.-KB/s    in 0.001s  

2021-04-13 16:19:53 (3.94 MB/s) - '/tmp/mico_ota.bin' saved &#91;2560/2560]

Start downloading kernel :   100%

Start downloading rootfs :   100%


^C

root@L07A:~# ota ble

--2021-04-13 16:19:53-- https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/l07a/mico_skr_firmware_xxxx_1.76.2.bin

Resolving cdn.cnbj1.fds.api.mi-img.com... 220.194.223.76, 123.125.46.228, 2408:8706:0:5700:40::3, ...

Connecting to cdn.cnbj1.fds.api.mi-img.com|220.194.223.76|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 2560 (2.5K) [application/octet-stream]

Saving to: '/tmp/mico_ota.bin'

/tmp/mico_ota.bin 100%[=========================================================================================================================================>] 2.50K --.-KB/s in 0.001s

2021-04-13 16:19:53 (3.94 MB/s) - '/tmp/mico_ota.bin' saved [2560/2560]

Start downloading kernel : 100%

Start downloading rootfs : 100%

从charles里拿到rootfs的下载链接，找个linux下下来，直接 squashfuse rootfs_1.76.2_xxxxxx.bin /mnt/ 挂载了，可以看数据。

回过头来，研究协议和算法。

从 ota 这个脚本里看到，执行升级的时候，先把那个小文件下载为 /tmp/mico_ota.bin，再用 /bin/flash.sh /tmp/mico_ota.bin 。再从整个squashfs里找 “Start downloading” 这个字符串，发现在 /bin/skr 里。

再细看里边的代码，最终发现解包命令 miso -x xxx.bin，就在调用 skr 命令的前几行。解包完的目录里多了三个文件

-rw-r--r--    1 root     root           559 Apr 13 16:38 mico_l07a_firmware.json
-rw-r--r--    1 root     root           396 Apr 13 16:38 system.cfg
-rw-r--r--    1 root     root           780 Apr 13 16:38 version

-rw-r--r-- 1 root root 559 Apr 13 16:38 mico_l07a_firmware.json

-rw-r--r-- 1 root root 396 Apr 13 16:38 system.cfg

-rw-r--r-- 1 root root 780 Apr 13 16:38 version

其中 .json 文件里包含了 kernel 和 rootfs的下载链接。

再一个，检查更新的接口有个参数s，是一个签名参数。先ldd

root@L07A:~# ldd /usr/bin/matool
	/lib/ld-musl-armhf.so.1 (0xb6f44000)
	libxiaomi_mico.so =&gt; /usr/lib/libxiaomi_mico.so (0xb6f08000)
	libxiaomi_miot.so =&gt; /usr/lib/libxiaomi_miot.so (0xb6ef3000)
	libmico-common.so =&gt; /usr/lib/libmico-common.so (0xb6ed0000)
	libxiaomi_http.so =&gt; /usr/lib/libxiaomi_http.so (0xb6eba000)
	libxiaomi_json.so =&gt; /usr/lib/libxiaomi_json.so (0xb6ea6000)
	libxiaomi_crypto.so =&gt; /usr/lib/libxiaomi_crypto.so (0xb6e8b000)
	libssl.so.1.0.0 =&gt; /usr/lib/libssl.so.1.0.0 (0xb6e37000)
	libxiaomi_utils.so =&gt; /usr/lib/libxiaomi_utils.so (0xb6e04000)
	liblibma.so =&gt; /usr/lib/liblibma.so (0xb6de9000)
	libblobmsg_json.so =&gt; /lib/libblobmsg_json.so (0xb6dd6000)
	libcurl.so.4 =&gt; /usr/lib/libcurl.so.4 (0xb6d8a000)
	libglog.so.0.3.5 =&gt; /usr/lib/libglog.so.0.3.5 (0xb6d57000)
	libjson-c.so.2 =&gt; /usr/lib/libjson-c.so.2 (0xb6d3f000)
	libmbedtls.so.9 =&gt; /usr/lib/libmbedtls.so.9 (0xb6cf3000)
	libubox.so =&gt; /lib/libubox.so (0xb6cda000)
	libubus.so =&gt; /lib/libubus.so (0xb6cc4000)
	libz.so.1 =&gt; /usr/lib/libz.so.1 (0xb6ca3000)
	libcrypto.so.1.0.0 =&gt; /usr/lib/libcrypto.so.1.0.0 (0xb6b76000)
	libuuid.so.1 =&gt; /usr/lib/libuuid.so.1 (0xb6b62000)
	libglib-2.0.so.0 =&gt; /usr/lib/libglib-2.0.so.0 (0xb6a70000)
	libgobject-2.0.so.0 =&gt; /usr/lib/libgobject-2.0.so.0 (0xb6a24000)
	libiconv.so.2 =&gt; /usr/lib/libiconv.so.2 (0xb69d9000)
	libintl.so.8 =&gt; /usr/lib/libintl.so.8 (0xb69c0000)
	libthrift_c_glib.so.0 =&gt; /usr/lib/libthrift_c_glib.so.0 (0xb698e000)
	libstdc++.so.6 =&gt; /lib/libstdc++.so.6 (0xb688d000)
	libgcc_s.so.1 =&gt; /lib/libgcc_s.so.1 (0xb6873000)
	libc.so =&gt; /lib/ld-musl-armhf.so.1 (0xb6f44000)
	libconfig.so.11 =&gt; /usr/lib/libconfig.so.11 (0xb685a000)
	libnghttp2.so.14 =&gt; /usr/lib/libnghttp2.so.14 (0xb682e000)
	libpcre.so.1 =&gt; /usr/lib/libpcre.so.1 (0xb67e3000)
	libffi.so.6 =&gt; /usr/lib/libffi.so.6 (0xb67cf000)
root@L07A:~#

root@L07A:~# ldd /usr/bin/matool

/lib/ld-musl-armhf.so.1 (0xb6f44000)

libxiaomi_mico.so => /usr/lib/libxiaomi_mico.so (0xb6f08000)

libxiaomi_miot.so => /usr/lib/libxiaomi_miot.so (0xb6ef3000)

libmico-common.so => /usr/lib/libmico-common.so (0xb6ed0000)

libxiaomi_http.so => /usr/lib/libxiaomi_http.so (0xb6eba000)

libxiaomi_json.so => /usr/lib/libxiaomi_json.so (0xb6ea6000)

libxiaomi_crypto.so => /usr/lib/libxiaomi_crypto.so (0xb6e8b000)

libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb6e37000)

libxiaomi_utils.so => /usr/lib/libxiaomi_utils.so (0xb6e04000)

liblibma.so => /usr/lib/liblibma.so (0xb6de9000)

libblobmsg_json.so => /lib/libblobmsg_json.so (0xb6dd6000)

libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6d8a000)

libglog.so.0.3.5 => /usr/lib/libglog.so.0.3.5 (0xb6d57000)

libjson-c.so.2 => /usr/lib/libjson-c.so.2 (0xb6d3f000)

libmbedtls.so.9 => /usr/lib/libmbedtls.so.9 (0xb6cf3000)

libubox.so => /lib/libubox.so (0xb6cda000)

libubus.so => /lib/libubus.so (0xb6cc4000)

libz.so.1 => /usr/lib/libz.so.1 (0xb6ca3000)

libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb6b76000)

libuuid.so.1 => /usr/lib/libuuid.so.1 (0xb6b62000)

libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0xb6a70000)

libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0xb6a24000)

libiconv.so.2 => /usr/lib/libiconv.so.2 (0xb69d9000)

libintl.so.8 => /usr/lib/libintl.so.8 (0xb69c0000)

libthrift_c_glib.so.0 => /usr/lib/libthrift_c_glib.so.0 (0xb698e000)

libstdc++.so.6 => /lib/libstdc++.so.6 (0xb688d000)

libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb6873000)

libc.so => /lib/ld-musl-armhf.so.1 (0xb6f44000)

libconfig.so.11 => /usr/lib/libconfig.so.11 (0xb685a000)

libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0xb682e000)

libpcre.so.1 => /usr/lib/libpcre.so.1 (0xb67e3000)

libffi.so.6 => /usr/lib/libffi.so.6 (0xb67cf000)

root@L07A:~#

再根据请求的关键词 countryCode，找到固件版本检查的接口构造方法在 libxiaomi_mico.so 里，ida 加载后发现一个 uuid “8007236f-a2d6-4847-ac83-c49395ad6d65”，

...
  sub_2202C(&amp;v87, "8007236f-a2d6-4847-ac83-c49395ad6d65");
  xiaomi::mico::api::UpgradeAPI::computeS(&amp;v84, &amp;v67, &amp;v87);
...

...

sub_2202C(&v87, "8007236f-a2d6-4847-ac83-c49395ad6d65");

xiaomi::mico::api::UpgradeAPI::computeS(&v84, &v67, &v87);

...

Google一搜，好多不同的小米设备都是用这个。大致算法如下

&lt;?php
$s = 'channel=release&amp;countryCode=CN&amp;filterID=序列号/序列号&amp;locale=zh_CN&amp;platform=L07A&amp;version=1.70.8&amp;8007236f-a2d6-4847-ac83-c49395ad6d65';
$b = base64_encode($s);
$m = md5($b);
var_dump(strtoupper($m));

<?php

$s = 'channel=release&countryCode=CN&filterID=序列号/序列号&locale=zh_CN&platform=L07A&version=1.70.8&8007236f-a2d6-4847-ac83-c49395ad6d65';

$b = base64_encode($s);

$m = md5($b);

var_dump(strtoupper($m));

红米音箱固件更新检查逻辑 by @sskaje: https://sskaje.me/2021/04/redmi-play-firmware-upgrade-check/

红米音箱Play 开发调试实验 updating

By @sskaje
Link: https://sskaje.me/2021/03/%e7%ba%a2%e7%b1%b3%e9%9f%b3%e7%ae%b1play-%e5%bc%80%e5%8f%91%e8%b0%83%e8%af%95%e5%ae%9e%e9%aa%8c-updating/

前盖有内扣，拆好之后直接引三根针出来就可以ttl了。

密码： substr(md5($SN . “5775B10D-15C0-7827-97B9-88EA07FCA97A”), 0, 14)，hash salt在 /bin/mi_console 里写死了，根据设备型号判断。

串口波特率115200.

手动启动 ssh。

cd /tmp
dropbearkey -t rsa -f dropbear_rsa_host_key
dropbear -r dropbear_rsa_host_key

cd /tmp

dropbearkey -t rsa -f dropbear_rsa_host_key

dropbear -r dropbear_rsa_host_key

劫持流量，发现客户端不认第三方的https证书，错误提示是 SSL handshake with client failed: CA certificate could not be matched with a known, trusted CA (unknown_ca)。查了下libxiaomi_http.so，设置了CURLOPT_CAPATH /etc/ssl/certs，然而系统本身是squashfs直接挂载的ro，所以需要曲线救国。

ldd 查看 libxiaomi_http.so，发现引用了 libmbedtls.so libssl.so libcrypto.so，libcurl 的 vtls 里看了下实现，用了这个函数，同时对比了各个实现，决定还是手工加一下证书。

鉴于系统是readonly挂载的，所以上 overlay 。

cd /tmp
mkdir certs workdir
mount -t overlay -o lowerdir=/etc/ssl/certs,upperdir=/tmp/certs,workdir=/tmp/workdir none /etc/ssl/certs/

cd /tmp

mkdir certs workdir

mount -t overlay -o lowerdir=/etc/ssl/certs,upperdir=/tmp/certs,workdir=/tmp/workdir none /etc/ssl/certs/

这样就可以在 /tmp/certs 里加证书，实现自定义ca。

具体操作我是在一台ubuntu上，把证书pem 文件命名为 .crt后缀放在 /usr/local/share/ca-certificates 下然后执行 update-ca-certificates 再去看 /etc/ssl/certs 里的symlink的hash。

我开发机的charles ca 证书 hash 是 6a3a5fb6.0，所以在我的小爱音箱里，我把证书 pem 文件copy到 /tmp/certs 然后创建symlink。

cp xxxxxx /tmp/certs/dev-charles.pem
cd /tmp/certs
ln -s dev-charles.pem 6a3a5fb6.0

cp xxxxxx /tmp/certs/dev-charles.pem

cd /tmp/certs

ln -s dev-charles.pem 6a3a5fb6.0

再执行 ota check 的实话，观察charles，已经能看到ssl的请求了。

红米音箱Play 开发调试实验 updating by @sskaje: https://sskaje.me/2021/03/%e7%ba%a2%e7%b1%b3%e9%9f%b3%e7%ae%b1play-%e5%bc%80%e5%8f%91%e8%b0%83%e8%af%95%e5%ae%9e%e9%aa%8c-updating/

meilisearch ubuntu systemd

By @sskaje
Link: https://sskaje.me/2021/01/meilisearch-ubuntu-systemd/

正在寻求ES的轻量化解决方案，看到了meilisearch，于是上手实验了一把。留了个systemd 配置笔记。

原始安装文档 https://docs.meilisearch.com/guides/advanced_guides/installation.html，官方给的 apt 的安装只有二进制文件，没有配置文件没有启动脚本。

简单来

/etc/default/meilisearch

MEILI_DB_PATH=/var/lib/meilidb
MEILI_HTTP_ADDR=127.0.0.1:7700
MEILI_MASTER_KEY=my-prod-key
MEILI_ENV=production
MEILI_NO_ANALYTICS=1

MEILI_DB_PATH=/var/lib/meilidb

MEILI_HTTP_ADDR=127.0.0.1:7700

MEILI_MASTER_KEY=my-prod-key

MEILI_ENV=production

MEILI_NO_ANALYTICS=1

/etc/systemd/system/meilisearch.service

&#91;Unit]
Description=MeiliSearch
After=systemd-user-sessions.service

&#91;Service]
EnvironmentFile=/etc/default/meilisearch
Type=simple
ExecStart=/usr/bin/meilisearch 

&#91;Install]
WantedBy=default.target

[Unit]

Description=MeiliSearch

After=systemd-user-sessions.service

[Service]

EnvironmentFile=/etc/default/meilisearch

Type=simple

ExecStart=/usr/bin/meilisearch

[Install]

WantedBy=default.target

启动

systemctl daemon-reload
systemctl start meilisearch

1 2	systemctl daemon-reload systemctl start meilisearch

meilisearch ubuntu systemd by @sskaje: https://sskaje.me/2021/01/meilisearch-ubuntu-systemd/