Blog

Proxmox VE 虚拟机磁盘挂载

QEMU QCOW Image (v3)

# file vm-101-disk-0.qcow2 
vm-101-disk-0.qcow2: QEMU QCOW Image (v3), 107374182400 bytes (v3), 107374182400 bytes

apt install qemu-utils

modprobe nbd max_part=8
qemu-nbd --connect=/dev/nbd0 vm-1061-disk-0.qcow2

# unload 
qemu-nbd -d /dev/nbd0

After this


Disk /dev/nbd0: 100 GiB, 107374182400 bytes, 209715200 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x28288fb3

Device      Boot    Start       End   Sectors  Size Id Type
/dev/nbd0p1 *        2048   3905535   3903488  1.9G 83 Linux
/dev/nbd0p2       3905536  11718655   7813120  3.7G 82 Linux swap / Solaris
/dev/nbd0p3      11718656 209715199 197996544 94.4G 83 Linux

RAW

vm-1014-disk-1.raw: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 209715199 sectors, extended partition table (last)

losetup -f -P --show vm-1014-disk-1.raw
# output like /dev/loop16

# unload 
losetup -d /dev/loop16

After this

Disk /dev/loop16: 100 GiB, 107374182400 bytes, 209715200 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 49400ED0-2144-4854-BA3D-64A88C3EC9C8

Device        Start       End   Sectors  Size Type
/dev/loop16p1  2048 209713151 209711104  100G Microsoft basic data
GPT PMBR size mismatch (1952448511 != 1953525167) will be corrected by write.
The backup GPT table is not on the end of the device.

LVM

From lsblk

/dev/mapper/pve-vm--118--disk--0

apt-get install kpartx
kpartx -a /dev/mapper/pve-vm--118--disk--0

After this,

# ls /dev/mapper/pve-vm--118--disk--*
/dev/mapper/pve-vm--118--disk--0  /dev/mapper/pve-vm--118--disk--0p1  /dev/mapper/pve-vm--118--disk--0p2  /dev/mapper/pve-vm--118--disk--0p3

# fdisk -l 
...

Disk /dev/mapper/pve-vm--118--disk--0: 50 GiB, 53687091200 bytes, 104857600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 65536 bytes / 65536 bytes
Disklabel type: dos
Disk identifier: 0x28288fb3

Device                             Boot    Start       End  Sectors  Size Id Type
/dev/mapper/pve-vm--118--disk--0p1 *        2048   3905535  3903488  1.9G 83 Linux
/dev/mapper/pve-vm--118--disk--0p2       3905536  11718655  7813120  3.7G 82 Linux swap / Solaris
/dev/mapper/pve-vm--118--disk--0p3      11718656 104855551 93136896 44.4G 83 Linux

# undo
kpartx -d /dev/mapper/pve-vm--118--disk--0

2024-08-24

Protected: 海康威视R1开SSH(文章加密，勿扰）

This content is password protected. To view it please enter your password below:

Password:

2024-08-11
Proxmox VE Import VMware VM (VMX)
1 Download OVFTool on PVE: https://developer.broadcom.com/tools/open-virtualization-format-ovf-tool/latest, extract

2 Navigate to VMX directory, command like
```
/root/ovftool/ovftool myVM.vmx /root/myVM.ova
```
3 Extract OVA
```
cd /root
mkdir extracted
tar -C extracted -xvf myVM.ova
```
4 Import VM
```
cd extracted
qm importovf 117 myVM.ovf  local-lvm
```
117 is my new VMID

5 Remove OVA and OVF
```
rm -fr /root/myVM.ova /root/extracted
```
6 Start VM and install virtio drivers.

…
2024-07-27

海康威视R1关闭外网访问

关闭几个dns的解析，然后杀进程，就是每次都得手动

# block mqtt
chmod -x /histor/bin/emclient
killall  emclient

# block proxy
# msgType=110 to api.hiksemi.cn//gateway/api
# got proxyDataHost/proxyFilePort/proxyServerPort
chmod -x /histor/bin/network/proxyDaemon
killall proxyDaemon

2024-07-08

Install DebugServer for iOS

Extract DebugServer

$ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/

...

$ hdiutil mount /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/15.5/DeveloperDiskImage.dmg
正在检查“Whole_Disk”的校验和…
..................................................................................................................................................................................................................................................
                          Whole_Disk：已验证CRC32 $D034FA6C
已验证CRC32 $8E250F8D
/dev/disk4          	                               	/Volumes/DeveloperDiskImage

$ cp /Volumes/DeveloperDiskImage/usr/bin/debugserver . 
$ hdiutil unmount /Volumes/DeveloperDiskImage
"/Volumes/DeveloperDiskImage" unmounted successfully.

$ file debugserver 
debugserver: Mach-O universal binary with 2 architectures: [arm64:Mach-O 64-bit executable arm64] [arm64e:Mach-O 64-bit executable arm64e]
debugserver (for architecture arm64):	Mach-O 64-bit executable arm64
debugserver (for architecture arm64e):	Mach-O 64-bit executable arm64e

$ xcrun -sdk iphoneos lipo -thin arm64  debugserver -output debugserver_arm64

Entitlements

View

codesign -d -v --entitlements - --xml debugserver_arm64 
Executable=/Users/sskaje/Work/hiksemi/debugserver_arm64
Identifier=com.apple.debugserver
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=5134 flags=0x2(adhoc) hashes=150+7 location=embedded
Signature=adhoc
Info.plist entries=5
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>seatbelt-profiles</key><array><string>debugserver</string></array><key>com.apple.private.cs.debugger</key><true/><key>com.apple.private.memorystatus</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.private.logging.diagnostic</key><true/><key>com.apple.backboardd.debugapplications</key><true/><key>com.apple.frontboard.debugapplications</key><true/><key>com.apple.backboardd.launchapplications</key><true/><key>com.apple.frontboard.launchapplications</key><true/><key>com.apple.springboard.debugapplications</key><true/></dict></plist>

ent.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.private.cs.debugger</key><true/>
	<key>com.apple.private.memorystatus</key><true/>
	<key>com.apple.security.network.client</key><true/>
	<key>com.apple.security.network.server</key><true/>
	<key>com.apple.private.logging.diagnostic</key><true/>
	<key>com.apple.backboardd.debugapplications</key><true/>
	<key>com.apple.frontboard.debugapplications</key><true/>
	<key>com.apple.backboardd.launchapplications</key><true/>
	<key>com.apple.frontboard.launchapplications</key><true/>
	<key>com.apple.springboard.debugapplications</key><true/>

	<key>run-unsigned-code</key> <true/>
	<key>get-task-allow</key> <true/>
	<key>task_for_pid-allow</key> <true/>

</dict>
</plist>

debugserver has entitlements

	<key>seatbelt-profiles</key>
	<array>
	<string>debugserver</string>
	</array>

it causes

iPhone:~ root# debugserver 192.168.11.40:12345 -waitfor HiStor 
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1316.2.4.18
 for arm64.
Waiting to attach to process HiStor...
Listening to port 12345 for a connection from 192.168.11.40...
Failed to get connection from a remote gdb process.
Exiting.

Replace Entitlements

codesign -s - --entitlements ent.xml -f debugserver_arm64 
debugserver_arm64: replacing existing signature

Scp to server

scp debugserver_arm64 root@192.168.11.11:~/

If on palera1n

cp debugserver_arm64 /var/jb/usr/bin/debugserver

HiStor

$ debugserver '*:12345' -waitfor HiStor

lldb

(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
 SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
(lldb) target create HiStor
Current executable set to '/Users/sskaje/Work/hiksemi/ios/Payload/HiStor.app/HiStor' (arm64).
(lldb) process connect connect://192.168.11.156:12345

Useless note

(lldb) memory read -f y -c 4 -s 1 $pc
0x105280e98: 48 61 74 94
(lldb) memory write  $pc f0 60 74 94 
(lldb) memory read -f y -c 4 -s 1 $pc
0x105280e98: f0 60 74 94

2024-07-01

海康威视 R1 开SSH的探索
618买了个海康威视R1，N100 + 8G内存，配置很好，但是看评价说系统很差，我想想再差还能差到哪儿，等了一周多到货了，终于发现，买了一个NAS却感觉设备不是自己的，体验很糟糕。

不想刷黑群晖，所以这个方向不讨论了。

从数据安全角度出发，我需要让设备可以被禁止访问外网，或者限定访问目标和内容，防止数据泄漏。于是设备跑了两天多，我只敢把之前下载的电影动漫放上去，其他资料一个都不敢放，白瞎了4*8T。

已知信息，N100，往上有黑群晖教程并提及优先USB引导。所以搞了个Debian的live usb，启动，点点按按看到了bios的提示，也进了Debian。

系统是装在一个32GB的flash上的，基于debian改造的一个系统。

之前劫持NAS的互联网流量时，抓到了固件更新的接口，但是格式应该是自定义格式，里边能提取一个 histor.img，但是应该是加密或者其他处理过的，没法用。

Debian进去后，逐个分区看，找到了一个 histor.img 和一个 sq.img。整盘dd出来，从 linux 里直接挂载分区，并squashfuse 加载img，一切都正常。期间涉及到的命令为：
```
# from https://askubuntu.com/a/998269
# 挂载
losetup -f -P hiksemi-r1.img
# 看所有loop
losetup -l
# 找到这个设备后mount
```
两个img，一个是root fs，一个是海康自己的软件，尝试用web 的一些出错，找到了几个文件，里边都加载了完整的server 的逻辑，所以挑了一个出来反编译。而在其他文件里发现了一些跟ssh，跟调试，跟密码有关的脚本或者配置文件。

目前还在进行中，有部分进展不适合发出来，后边再看怎么写

UPDATE 20240812

有人来问进展，搞定了，但是没计划公开。分析过程比较复杂，提root过程用了一些奇怪的技巧。配置没法持久化，每次重启都需要重新开，不必浪费时间了，有需求的请刷其他系统。
2024-06-29

OpenWRT x86 + Quectel 5G Module

# On PVE Host

Create a Linux VM without disk, in my PVE, the new VM id is 115.

wget https://openwrt.proxy.ustclug.org/snapshots/targets/x86/64/openwrt-x86-64-generic-ext4-combined.img.gz
gunzip openwrt-x86-64-generic-ext4-combined.img.gz
qemu-img resize -f raw openwrt-x86-64-generic-ext4-combined.img 20G
qm importdisk 115 openwrt-x86-64-generic-ext4-combined.img local-lvm
rm -f openwrt-x86-64-generic-ext4-combined.img

From VM Hardware, click the newly imported disk, open the dialog and save.

Then Change boot order, add the disk.

Start OpenWRT VM

# On OpenWRT

uci set network.lan.ipaddr='192.168.11.243'
uci commit
sed -i -e 's/downloads.openwrt.org/openwrt.proxy.ustclug.org/g' /etc/opkg/distfeeds.conf
reboot

# Now you should be able to access VM from other machines.

# temporary internet access
ip route add default via 192.168.11.1
echo 'nameserver 192.168.11.1' > /etc/resolv.conf

opkg update

# install web ui
opkg install luci bash mtr

# change default shell to bash
sed -i -e 's/bin\/ash/bin\/bash/g' /etc/passwd

# install wwan module (NCM mode) support
opkg install kmod-usb-net-rndis kmod-usb-acm luci-proto-ncm picocom

# Resize disk
# https://openwrt.org/docs/guide-user/advanced/expand_root
opkg install parted losetup resize2fs
wget -U "" -O expand-root.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/expand_root?codeblock=0"
. ./expand-root.sh

reboot

# On PVE Console

Load Quectel Module by Adding USB Hardware

# On OpenWRT Console

Network > Interfaces > Add New Interface

Name: wwan

Protocol: DHCP client

Device: usb0

You should be able to find usb0 by `ip a`

Firewall, set Zone to WAN.

Save & Apply

# Note

DO NOT ATTACH Quectel WWAN module before OpenWRT fully booted.

2024-06-13

EdgeRouter 4 Install msd_lite / msd

msd_lite

http://www.netlab.linkpc.net/wiki/en:software:msd:lite

Deprecated, but recommended!!! You can also use Multi Stream daemon (msd)

Steps:

1 Clone code on computer, because my ER-4 reports dpkg errors, due to the outdated debian stretch. Then upload to ER-4

git clone --recursive https://github.com/rozhuk-im/msd_lite.git
tar zcvf msd_lite.tar.gz msd_lite
scp msd_lite.tar.gz ubnt@192.168.1.1:/tmp/

2 On ER-4, install build-essential, cmake

For build-essential, read EdgeRouter 4 Build & Install udpxy

# apt install cmake
Reading package lists... Done
Building dependency tree       
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 cmake : Depends: cmake-data (= 3.7.2-1) but it is not going to be installed
         Depends: libarchive13 (>= 3.0.4) but it is not going to be installed
         Depends: libjsoncpp1 (>= 1.7.4) but it is not going to be installed
         Depends: libuv1 (>= 1.4.2) but it is not going to be installed
 dpkg-dev : Depends: xz-utils but it is not going to be installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).



# apt install cmake cmake-data  libarchive13 libjsoncpp1 libuv1

3 build on ER-4

tar xvf /tmp/msd_lite.tar.gz
cd msd_lite
mkdir build
cd build
cmake ..
make 
make install

4 configure and run

/etc/msd_lite.conf


<?xml version="1.0" encoding="utf-8"?>

<!--
 Sizes in kb, time in seconds
-->

<!--
<skt> <rcvLoWatermark>XXXX</rcvLoWatermark> - DOES NOT WORK on Linux!
man socket(7):
...
The select(2) and poll(2) system calls currently do not respect the SO_RCVLOWAT
setting on Linux, and mark a socket readable when even a single byte of data is
available.
...
-->


<msd>
	<log>
		<file>/var/log/msd_lite.log</file>
	</log>

	<threadPool>
		<threadsCountMax>1</threadsCountMax> <!-- 0 = auto -->
		<fBindToCPU>yes</fBindToCPU> <!-- Bind threads to CPUs. -->
		<fCacheGetTimeSyscall>yes</fCacheGetTimeSyscall> <!-- Cache gettime() syscalls.. -->
		<timerGranularity>100</timerGranularity> <!-- 1/1000 sec -->
	</threadPool>


<!-- HTTP server -->
	<HTTP>
		<bindList>
			<bind><address>0.0.0.0:7088</address><fAcceptFilter>y</fAcceptFilter></bind>
			<bind><address>[::]:7088</address></bind>
		</bindList>

		<hostnameList> <!-- Host names for all bindings. -->
			<hostname>*</hostname>
		</hostnameList>
	</HTTP>


	<hubProfileList> <!-- Stream hub profiles templates. -->
		<hubProfile>
			<fDropSlowClients>no</fDropSlowClients> <!-- Disconnect slow clients. -->
			<fSocketHalfClosed>no</fSocketHalfClosed> <!-- Enable shutdown(SHUT_RD) for clients. -->
			<fSocketTCPNoDelay>yes</fSocketTCPNoDelay> <!-- Enable TCP_NODELAY for clients. -->
			<fSocketTCPNoPush>yes</fSocketTCPNoPush> <!-- Enable TCP_NOPUSH / TCP_CORK for clients. -->
			<precache>4096</precache> <!-- Pre cache size. Can be overwritten by arg from user request. -->
			<ringBufSize>1024</ringBufSize> <!-- Stream receive ring buffer size. Must be multiple of sndBlockSize. -->
			<skt>
				<sndBuf>512</sndBuf> <!-- Max send block size, apply to clients sockets only, must be > sndBlockSize. -->
				<sndLoWatermark>64</sndLoWatermark>  <!-- Send block size. Must be multiple of 4. -->
				<congestionControl>htcp</congestionControl> <!-- TCP_CONGESTION: this value replace/overwrite(!) all others cc settings: cc from http req args, http server settings, OS default -->
			</skt>
			<headersList> <!-- Custom HTTP headers (sended before stream). -->
				<header>Pragma: no-cache</header>
				<header>Content-Type: video/mpeg</header>
				<header>ContentFeatures.DLNA.ORG: DLNA.ORG_OP=01;DLNA.ORG_CI=0;DLNA.ORG_FLAGS=01700000000000000000000000000000</header>
				<header>TransferMode.DLNA.ORG: Streaming</header>
			</headersList>
		</hubProfile>
	</hubProfileList>


	<sourceProfileList> <!-- Stream source profiles templates. -->
		<sourceProfile>
			<skt>
				<rcvBuf>512</rcvBuf> <!-- Multicast recv socket buf size. -->
				<rcvLoWatermark>48</rcvLoWatermark> <!-- Actual cli_snd_block_min if polling is off. -->
				<rcvTimeout>2</rcvTimeout> <!-- STATUS, Multicast recv timeout. -->
			</skt>
			<multicast> <!-- For: multicast-udp and multicast-udp-rtp. -->
				<ifName>br0</ifName> <!-- For multicast receive. -->
			</multicast>
		</sourceProfile>
	</sourceProfileList>
</msd>

I only modified the multicast -> ifName to br0.

RUN

msd_lite -c /etc/msd_lite.conf -v

msd

http://www.netlab.linkpc.net/wiki/software:msd:index

Same as msd_lite, but powerful.

2024-01-06

北京联通猫棒 IPTV

故事背景：家里拉了很多年的千兆，这两年才从 FTTB 换成 FTTH。但是之前买的千兆套餐不送 IPTV 了，而光改的时候，联通的工作人员帮我改了桥接，但是所有口都绑定了 Internet。现在开通IPTV需要初装费，还要月费，所以我就没开通。本来是不想折腾的，因为实在没空，但是被催了好久猫棒的事情，所以就临时下了个单，花了一天做了些实验。
(more…)

2024-01-06

EdgeRouter 4 Build & Install udpxy

Please DON’T use udpxy, check msd_lite!!!

Source Code: http://gigapxy.com/download/udpxy/

# show version
Version:      v2.0.9-hotfix.7
Build ID:     5622762
Build on:     06/15/23 11:31
Copyright:    2012-2020 Ubiquiti Networks, Inc.
...

Steps:

1 Configure apt source

EdgeOS 2.0 is based on debian stretch, outdated.

# cat /etc/apt/sources.list.d/stretch.list
deb http://archive.debian.org/debian/ stretch main contrib
deb http://archive.debian.org/debian/ stretch-updates main contrib
deb http://archive.debian.org/debian/ stretch-backports main contrib

deb http://archive.debian.org/debian-security/ stretch/updates main

2 install build-essential

apt install build-essential

3 Get source, and build

wget http://gigapxy.com/download/udpxy/udpxy-src.tar.gz
tar xvf udpxy-src.tar.gz
cd udpxy-1.0.25-1/
make

Then you will see error like cc not found.

CC=gcc make

You’ll see

gcc: error trying to exec 'as': execvp: No such file or directory

This is because the binutils package provided by UBNT is almost empty.

wget -c https://archive.debian.org/debian/pool/main/b/binutils/binutils_2.28-5_mips.deb
dpkg --unpack binutils_2.28-5_mips.deb

Backup your config, Install manually.

Then

CC=gcc make
CC=gcc make install

2024-01-05