Category: Uncategorized

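  • Proxmox VE: Restoring root SSH Login

    Every Proxmox VE guide says to boot into single-user mode to change the password. I tried that earlier on a few very old versions: the root password set via live USB + chroot + passwd never worked, and I don't know why.

    So now I'm switching to a different approach: adding an entry to ssh authorized_keys.

    On PVE, authorized_keys is a symbolic link pointing to /etc/pve/priv/authorized_keys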

    # ls -al root/.ssh/
    total 24
    drwxr-xr-x 2 root root 4096 Mar 24  2021 .
    drwx------ 3 root root 4096 Dec 11  2020 ..
    lrwxrwxrwx 1 root root   29 Dec 11  2020 authorized_keys -> /etc/pve/priv/authorized_keys
    

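    According to the PVE wiki (https://pve.proxmox.com/wiki/Proxmox_Cluster_File_System_(pmxcfs)#_recovery), /etc/pve uses Proxmox's own pmxcfs file system, and the data is actually stored in /var/lib/pve-cluster/config.db

    Running file on it shows that it is sqlite3. Open it and there is only one table, tree, defined as follows: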

    CREATE TABLE tree (
      inode INTEGER PRIMARY KEY NOT NULL,
      parent INTEGER NOT NULL CHECK(typeof(parent)=='integer'),
      version INTEGER NOT NULL CHECK(typeof(version)=='integer'),
      writer INTEGER NOT NULL CHECK(typeof(writer)=='integer'),
      mtime INTEGER NOT NULL CHECK(typeof(mtime)=='integer'),
      type INTEGER NOT NULL CHECK(typeof(type)=='integer'),
      name TEXT NOT NULL,
      data BLOB
    );
    

    Very simple.

    To change the data, just UPDATE the table directly.
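
    An added example, not from the original post: resolving priv/authorized_keys inside the tree table by walking parent/name, then appending one public key with Python's sqlite3. The rows and key strings are constructed; parent 0 as the root, the type codes, the `__version__` row and the version bump are assumptions about the pmxcfs layout to check against your own config.db, and pve-cluster is assumed stopped with a backup copy of config.db in hand.

```python
import sqlite3
import time

# Columns as on the page (CHECK constraints omitted for brevity).
SCHEMA = """CREATE TABLE tree (inode INTEGER PRIMARY KEY NOT NULL,
  parent INTEGER NOT NULL, version INTEGER NOT NULL, writer INTEGER NOT NULL,
  mtime INTEGER NOT NULL, type INTEGER NOT NULL, name TEXT NOT NULL, data BLOB)"""

ROOT = 0  # assumption: entries directly under /etc/pve have parent = 0


def resolve(db, path):
    """Walk the parent/name chain and return the inode for a path under /etc/pve."""
    inode = ROOT
    for part in path.strip("/").split("/"):
        row = db.execute("SELECT inode FROM tree WHERE parent=? AND name=? AND inode<>0",
                         (inode, part)).fetchone()
        if row is None:
            raise FileNotFoundError(path)
        inode = row[0]
    return inode


def add_key(db, pubkey, path="priv/authorized_keys"):
    """Append one public-key line; return False if it is already present."""
    inode = resolve(db, path)
    data = db.execute("SELECT data FROM tree WHERE inode=?", (inode,)).fetchone()[0] or b""
    lines = data.decode().splitlines()
    if pubkey in lines:
        return False
    blob = "\n".join(lines + [pubkey]).encode() + b"\n"  # bytes are stored as BLOB
    # Assumption: a changed entry needs a version above all others, and the
    # inode-0 "__version__" row (if present) mirrors the newest version.
    version = db.execute("SELECT MAX(version) FROM tree").fetchone()[0] + 1
    now = int(time.time())
    with db:  # one transaction: commit on success, roll back on error
        db.execute("UPDATE tree SET data=?, version=?, mtime=? WHERE inode=?",
                   (blob, version, now, inode))
        db.execute("UPDATE tree SET version=?, mtime=? WHERE inode=0 AND name='__version__'",
                   (version, now))
    return True


def demo():
    db = sqlite3.connect(":memory:")  # a real run would open a copy of config.db
    db.execute(SCHEMA)
    # Constructed rows; type 4 = directory, 8 = regular file (assumed codes).
    db.executemany("INSERT INTO tree VALUES (?,?,?,?,?,?,?,?)", [
        (0, 0, 3, 0, 1607644800, 8, "__version__", None),
        (2, 0, 2, 0, 1607644800, 4, "priv", None),
        (3, 2, 3, 0, 1607644800, 8, "authorized_keys", b"ssh-rsa AAAAold root@pve\n"),
    ])
    key = "ssh-ed25519 AAAAconstructed recovery@laptop"
    first, second = add_key(db, key), add_key(db, key)
    rows = db.execute("SELECT inode, version, data FROM tree ORDER BY inode").fetchall()
    return first, second, rows
```

    Matching on name alone would be ambiguous if another directory held a file called authorized_keys, which is why the lookup follows the parent chain.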

  • Proxmox VE: Mounting VM Disks


    QEMU QCOW Image (v3)

    # file vm-101-disk-0.qcow2 
    vm-101-disk-0.qcow2: QEMU QCOW Image (v3), 107374182400 bytes (v3), 107374182400 bytes

    apt install qemu-utils
    
    modprobe nbd max_part=8
    qemu-nbd --connect=/dev/nbd0 vm-1061-disk-0.qcow2
    
    # unload 
    qemu-nbd -d /dev/nbd0
    

    After this

    
    Disk /dev/nbd0: 100 GiB, 107374182400 bytes, 209715200 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x28288fb3
    
    Device      Boot    Start       End   Sectors  Size Id Type
    /dev/nbd0p1 *        2048   3905535   3903488  1.9G 83 Linux
    /dev/nbd0p2       3905536  11718655   7813120  3.7G 82 Linux swap / Solaris
    /dev/nbd0p3      11718656 209715199 197996544 94.4G 83 Linux

    RAW

    vm-1014-disk-1.raw: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 209715199 sectors, extended partition table (last)
    

    losetup -f -P --show vm-1014-disk-1.raw
    # output like /dev/loop16
    
    # unload 
    losetup -d /dev/loop16

    After this

    Disk /dev/loop16: 100 GiB, 107374182400 bytes, 209715200 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: gpt
    Disk identifier: 49400ED0-2144-4854-BA3D-64A88C3EC9C8
    
    Device        Start       End   Sectors  Size Type
    /dev/loop16p1  2048 209713151 209711104  100G Microsoft basic data
    GPT PMBR size mismatch (1952448511 != 1953525167) will be corrected by write.
    The backup GPT table is not on the end of the device.

    LVM

    From lsblk

    /dev/mapper/pve-vm--118--disk--0

    apt-get install kpartx
    kpartx -a /dev/mapper/pve-vm--118--disk--0
    

    After this,

    # ls /dev/mapper/pve-vm--118--disk--*
    /dev/mapper/pve-vm--118--disk--0  /dev/mapper/pve-vm--118--disk--0p1  /dev/mapper/pve-vm--118--disk--0p2  /dev/mapper/pve-vm--118--disk--0p3
    
    # fdisk -l 
    ...
    
    Disk /dev/mapper/pve-vm--118--disk--0: 50 GiB, 53687091200 bytes, 104857600 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 65536 bytes / 65536 bytes
    Disklabel type: dos
    Disk identifier: 0x28288fb3
    
    Device                             Boot    Start       End  Sectors  Size Id Type
    /dev/mapper/pve-vm--118--disk--0p1 *        2048   3905535  3903488  1.9G 83 Linux
    /dev/mapper/pve-vm--118--disk--0p2       3905536  11718655  7813120  3.7G 82 Linux swap / Solaris
    /dev/mapper/pve-vm--118--disk--0p3      11718656 104855551 93136896 44.4G 83 Linux
    
    # undo
    kpartx -d /dev/mapper/pve-vm--118--disk--0

  • Protected: Hikvision R1: Enabling SSH (post is encrypted, do not disturb)


  • Proxmox VE Import VMware VM (VMX)

    1 Download OVFTool on PVE from https://developer.broadcom.com/tools/open-virtualization-format-ovf-tool/latest and extract it

    2 Navigate to the VMX directory and run a command like

    /root/ovftool/ovftool myVM.vmx /root/myVM.ova

    3 Extract OVA

    cd /root
    mkdir extracted
    tar -C extracted -xvf myVM.ova

    4 Import VM

    cd extracted
    qm importovf 117 myVM.ovf  local-lvm

    117 is my new VMID

    5 Remove OVA and OVF

    rm -fr /root/myVM.ova /root/extracted

    6 Start VM and install virtio drivers.

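  • Hikvision R1: Disabling Internet Access

    Block resolution of a few DNS names, then kill the processes; the only catch is that it has to be done by hand every time.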

    # block mqtt
    chmod -x /histor/bin/emclient
    killall  emclient
    
    # block proxy
    # msgType=110 to api.hiksemi.cn//gateway/api
    # got proxyDataHost/proxyFilePort/proxyServerPort
    chmod -x /histor/bin/network/proxyDaemon
    killall proxyDaemon

  • Install DebugServer for iOS

    Extract DebugServer

    $ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/
    
    ...
    
    $ hdiutil mount /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/15.5/DeveloperDiskImage.dmg
    正在检查“Whole_Disk”的校验和…
    ..................................................................................................................................................................................................................................................
                              Whole_Disk:已验证CRC32 $D034FA6C
    已验证CRC32 $8E250F8D
    /dev/disk4          	                               	/Volumes/DeveloperDiskImage
    
    $ cp /Volumes/DeveloperDiskImage/usr/bin/debugserver . 
    $ hdiutil unmount /Volumes/DeveloperDiskImage
    "/Volumes/DeveloperDiskImage" unmounted successfully.
    
    $ file debugserver 
    debugserver: Mach-O universal binary with 2 architectures: [arm64:Mach-O 64-bit executable arm64] [arm64e:Mach-O 64-bit executable arm64e]
    debugserver (for architecture arm64):	Mach-O 64-bit executable arm64
    debugserver (for architecture arm64e):	Mach-O 64-bit executable arm64e
    
    $ xcrun -sdk iphoneos lipo -thin arm64  debugserver -output debugserver_arm64
    

    Entitlements

    View

    codesign -d -v --entitlements - --xml debugserver_arm64 
    Executable=/Users/sskaje/Work/hiksemi/debugserver_arm64
    Identifier=com.apple.debugserver
    Format=Mach-O thin (arm64)
    CodeDirectory v=20400 size=5134 flags=0x2(adhoc) hashes=150+7 location=embedded
    Signature=adhoc
    Info.plist entries=5
    TeamIdentifier=not set
    Sealed Resources=none
    Internal requirements count=0 size=12
    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>seatbelt-profiles</key><array><string>debugserver</string></array><key>com.apple.private.cs.debugger</key><true/><key>com.apple.private.memorystatus</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.private.logging.diagnostic</key><true/><key>com.apple.backboardd.debugapplications</key><true/><key>com.apple.frontboard.debugapplications</key><true/><key>com.apple.backboardd.launchapplications</key><true/><key>com.apple.frontboard.launchapplications</key><true/><key>com.apple.springboard.debugapplications</key><true/></dict></plist>

    ent.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>com.apple.private.cs.debugger</key><true/>
    	<key>com.apple.private.memorystatus</key><true/>
    	<key>com.apple.security.network.client</key><true/>
    	<key>com.apple.security.network.server</key><true/>
    	<key>com.apple.private.logging.diagnostic</key><true/>
    	<key>com.apple.backboardd.debugapplications</key><true/>
    	<key>com.apple.frontboard.debugapplications</key><true/>
    	<key>com.apple.backboardd.launchapplications</key><true/>
    	<key>com.apple.frontboard.launchapplications</key><true/>
    	<key>com.apple.springboard.debugapplications</key><true/>
    
    	<key>run-unsigned-code</key> <true/>
    	<key>get-task-allow</key> <true/>
    	<key>task_for_pid-allow</key> <true/>
    
    </dict>
    </plist>
    

    The original debugserver has this entitlement:

    	<key>seatbelt-profiles</key>
    	<array>
    	<string>debugserver</string>
    	</array>

    which causes this failure:

    iPhone:~ root# debugserver 192.168.11.40:12345 -waitfor HiStor 
    debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1316.2.4.18
     for arm64.
    Waiting to attach to process HiStor...
    Listening to port 12345 for a connection from 192.168.11.40...
    Failed to get connection from a remote gdb process.
    Exiting.
    

    Replace Entitlements

    codesign -s - --entitlements ent.xml -f debugserver_arm64 
    debugserver_arm64: replacing existing signature

    Scp to server

    scp debugserver_arm64 root@192.168.11.11:~/

    If on palera1n

    cp debugserver_arm64 /var/jb/usr/bin/debugserver

    HiStor

    $ debugserver '*:12345' -waitfor HiStor

    lldb

    (lldb) platform select remote-ios
      Platform: remote-ios
     Connected: no
      SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
     SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
    (lldb) target create HiStor
    Current executable set to '/Users/sskaje/Work/hiksemi/ios/Payload/HiStor.app/HiStor' (arm64).
    (lldb) process connect connect://192.168.11.156:12345
    

    Useless note

    (lldb) memory read -f y -c 4 -s 1 $pc
    0x105280e98: 48 61 74 94
    (lldb) memory write  $pc f0 60 74 94 
    (lldb) memory read -f y -c 4 -s 1 $pc
    0x105280e98: f0 60 74 94
    

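  • Hikvision R1: Exploring How to Enable SSH

    During the 618 sale I bought a Hikvision R1: N100 + 8 GB RAM, very good specs, but the reviews said the system was poor. I figured, how bad could it be? The unit arrived after a bit more than a week, and I finally found out: I had bought a NAS, yet it felt like the device was not my own. The experience was terrible.

    I don't want to flash Xpenology (hacked Synology DSM), so that direction is not discussed here.

    From a data-security standpoint, I need to be able to block the device from accessing the internet, or to restrict which destinations and what content it can reach, to prevent data leakage. So after the device had been running for over two days, I only dared to put previously downloaded movies and anime on it and not a single other file. What a waste of 4*8T.

    Known information: it is an N100, and there are Xpenology tutorials online that mention USB boot taking priority. So I made a Debian live USB, booted it, clicked around, saw the BIOS prompt, and got into Debian.

    The system is installed on a 32 GB flash and is a modified Debian.

    Earlier, when I hijacked the NAS's internet traffic, I captured the firmware update API, but the format appears to be custom. A histor.img can be extracted from it, but it is probably encrypted or otherwise processed, so it is unusable.

    Once in Debian, I went through the partitions one by one and found a histor.img and a sq.img. I dd'ed the whole disk, mounted the partitions directly from Linux, and loaded the img with squashfuse; everything worked. The commands involved were: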

    # from https://askubuntu.com/a/998269
    # attach the image as a loop device
    losetup -f -P hiksemi-r1.img
    # list all loop devices
    losetup -l
    # once the device is found, mount it

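    Of the two img files, one is the root fs and the other is Hikvision's own software. Using some of the errors from the web UI, I located several files that all load the complete server logic, so I picked one to decompile. In other files I found some scripts or configuration files related to ssh, debugging and passwords.

    This is still in progress. Some of the progress is not suitable for publishing; I'll see later how to write it up.

    UPDATE 20240812

    Someone asked about progress: it's done, but I have no plans to publish it. The analysis was fairly complex, and getting root used some odd tricks. The configuration can't be persisted, so it has to be re-enabled after every reboot; not worth wasting time on. If you need this, flash another OS.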

  • OpenWRT x86 + Quectel 5G Module

    # On PVE Host

    Create a Linux VM without a disk; on my PVE, the new VM ID is 115.

    wget https://openwrt.proxy.ustclug.org/snapshots/targets/x86/64/openwrt-x86-64-generic-ext4-combined.img.gz
    gunzip openwrt-x86-64-generic-ext4-combined.img.gz
    qemu-img resize -f raw openwrt-x86-64-generic-ext4-combined.img 20G
    qm importdisk 115 openwrt-x86-64-generic-ext4-combined.img local-lvm
    rm -f openwrt-x86-64-generic-ext4-combined.img

    In VM Hardware, click the newly imported disk, open the dialog and save.

    Then change the boot order and add the disk.

    Start OpenWRT VM

    # On OpenWRT

    uci set network.lan.ipaddr='192.168.11.243'
    uci commit
    sed -i -e 's/downloads.openwrt.org/openwrt.proxy.ustclug.org/g' /etc/opkg/distfeeds.conf
    reboot
    
    # Now you should be able to access VM from other machines.
    
    # temporary internet access
    ip route add default via 192.168.11.1
    echo 'nameserver 192.168.11.1' > /etc/resolv.conf
    
    opkg update
    
    # install web ui
    opkg install luci bash mtr
    
    # change default shell to bash
    sed -i -e 's/bin\/ash/bin\/bash/g' /etc/passwd
    
    # install wwan module (NCM mode) support
    opkg install kmod-usb-net-rndis kmod-usb-acm luci-proto-ncm picocom
    
    # Resize disk
    # https://openwrt.org/docs/guide-user/advanced/expand_root
    opkg install parted losetup resize2fs
    wget -U "" -O expand-root.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/expand_root?codeblock=0"
    . ./expand-root.sh
    
    reboot

    # On PVE Console

    Load Quectel Module by Adding USB Hardware

    # On OpenWRT Console

    Network > Interfaces > Add New Interface

    Name: wwan

    Protocol: DHCP client

    Device: usb0

    You should be able to find usb0 with `ip a`

    Firewall, set Zone to WAN.

    Save & Apply

    # Note

    DO NOT ATTACH the Quectel WWAN module before OpenWRT has fully booted.

  • EdgeRouter 4 Install msd_lite / msd

    msd_lite

    http://www.netlab.linkpc.net/wiki/en:software:msd:lite

    Deprecated, but recommended!!! You can also use Multi Stream daemon (msd)

    Steps:

    1 Clone the code on a computer, because my ER-4 reports dpkg errors due to the outdated Debian stretch. Then upload it to the ER-4

    git clone --recursive https://github.com/rozhuk-im/msd_lite.git
    tar zcvf msd_lite.tar.gz msd_lite
    scp msd_lite.tar.gz ubnt@192.168.1.1:/tmp/

    2 On ER-4, install build-essential, cmake

    For build-essential, read EdgeRouter 4 Build & Install udpxy

    # apt install cmake
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    You might want to run 'apt --fix-broken install' to correct these.
    The following packages have unmet dependencies:
     cmake : Depends: cmake-data (= 3.7.2-1) but it is not going to be installed
             Depends: libarchive13 (>= 3.0.4) but it is not going to be installed
             Depends: libjsoncpp1 (>= 1.7.4) but it is not going to be installed
             Depends: libuv1 (>= 1.4.2) but it is not going to be installed
     dpkg-dev : Depends: xz-utils but it is not going to be installed
    E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
    
    
    
    # apt install cmake cmake-data  libarchive13 libjsoncpp1 libuv1 

    3 build on ER-4

    tar xvf /tmp/msd_lite.tar.gz
    cd msd_lite
    mkdir build
    cd build
    cmake ..
    make 
    make install

    4 configure and run

    /etc/msd_lite.conf

    
    <?xml version="1.0" encoding="utf-8"?>
    
    <!--
     Sizes in kb, time in seconds
    -->
    
    <!--
    <skt> <rcvLoWatermark>XXXX</rcvLoWatermark> - DOES NOT WORK on Linux!
    man socket(7):
    ...
    The select(2) and poll(2) system calls currently do not respect the SO_RCVLOWAT
    setting on Linux, and mark a socket readable when even a single byte of data is
    available.
    ...
    -->
    
    
    <msd>
    	<log>
    		<file>/var/log/msd_lite.log</file>
    	</log>
    
    	<threadPool>
    		<threadsCountMax>1</threadsCountMax> <!-- 0 = auto -->
    		<fBindToCPU>yes</fBindToCPU> <!-- Bind threads to CPUs. -->
    		<fCacheGetTimeSyscall>yes</fCacheGetTimeSyscall> <!-- Cache gettime() syscalls.. -->
    		<timerGranularity>100</timerGranularity> <!-- 1/1000 sec -->
    	</threadPool>
    
    
    <!-- HTTP server -->
    	<HTTP>
    		<bindList>
    			<bind><address>0.0.0.0:7088</address><fAcceptFilter>y</fAcceptFilter></bind>
    			<bind><address>[::]:7088</address></bind>
    		</bindList>
    
    		<hostnameList> <!-- Host names for all bindings. -->
    			<hostname>*</hostname>
    		</hostnameList>
    	</HTTP>
    
    
    	<hubProfileList> <!-- Stream hub profiles templates. -->
    		<hubProfile>
    			<fDropSlowClients>no</fDropSlowClients> <!-- Disconnect slow clients. -->
    			<fSocketHalfClosed>no</fSocketHalfClosed> <!-- Enable shutdown(SHUT_RD) for clients. -->
    			<fSocketTCPNoDelay>yes</fSocketTCPNoDelay> <!-- Enable TCP_NODELAY for clients. -->
    			<fSocketTCPNoPush>yes</fSocketTCPNoPush> <!-- Enable TCP_NOPUSH / TCP_CORK for clients. -->
    			<precache>4096</precache> <!-- Pre cache size. Can be overwritten by arg from user request. -->
    			<ringBufSize>1024</ringBufSize> <!-- Stream receive ring buffer size. Must be multiple of sndBlockSize. -->
    			<skt>
    				<sndBuf>512</sndBuf> <!-- Max send block size, apply to clients sockets only, must be > sndBlockSize. -->
    				<sndLoWatermark>64</sndLoWatermark>  <!-- Send block size. Must be multiple of 4. -->
    				<congestionControl>htcp</congestionControl> <!-- TCP_CONGESTION: this value replace/overwrite(!) all others cc settings: cc from http req args, http server settings, OS default -->
    			</skt>
    			<headersList> <!-- Custom HTTP headers (sended before stream). -->
    				<header>Pragma: no-cache</header>
    				<header>Content-Type: video/mpeg</header>
    				<header>ContentFeatures.DLNA.ORG: DLNA.ORG_OP=01;DLNA.ORG_CI=0;DLNA.ORG_FLAGS=01700000000000000000000000000000</header>
    				<header>TransferMode.DLNA.ORG: Streaming</header>
    			</headersList>
    		</hubProfile>
    	</hubProfileList>
    
    
    	<sourceProfileList> <!-- Stream source profiles templates. -->
    		<sourceProfile>
    			<skt>
    				<rcvBuf>512</rcvBuf> <!-- Multicast recv socket buf size. -->
    				<rcvLoWatermark>48</rcvLoWatermark> <!-- Actual cli_snd_block_min if polling is off. -->
    				<rcvTimeout>2</rcvTimeout> <!-- STATUS, Multicast recv timeout. -->
    			</skt>
    			<multicast> <!-- For: multicast-udp and multicast-udp-rtp. -->
    				<ifName>br0</ifName> <!-- For multicast receive. -->
    			</multicast>
    		</sourceProfile>
    	</sourceProfileList>
    </msd>
    
    

    I only modified the multicast -> ifName to br0.

    RUN

    msd_lite -c /etc/msd_lite.conf -v

    msd

    http://www.netlab.linkpc.net/wiki/software:msd:index

    Same as msd_lite, but powerful.

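  • Beijing Unicom ONU Stick IPTV

    Background: my home has had gigabit for many years, and only in the last two years was it switched from FTTB to FTTH. But the gigabit plan I bought earlier no longer comes with IPTV, and during the fiber upgrade the Unicom technician set the modem to bridge mode for me, but bound all ports to Internet. Enabling IPTV now requires an installation fee plus a monthly fee, so I didn't subscribe. I originally didn't want to tinker with this, since I really have no time, but I had been nagged about the ONU stick for a long time, so I placed an order on the spur of the moment and spent a day doing some experiments.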
