mrmcd1001b Impressions

I had the pleasure to be invited to the MetaRheinMain ChaosDays 1001b (mrmcd1001b) in Darmstadt. This year’s motto was “Beyond Science Fiction” and ~250 people gathered together to discuss “Society and Technology in 20th century fiction and 21st century reality”.

The presented talks were mostly interesting, although I didn’t attend that many. I spent most of the time talking to people or giving (two) talks myself: Security in Mobile Devices and Virtualised USB Fuzzing.

The first one went as expected and I think the attendees enjoyed it very much. Again, talking about technical details that a buffer overflow on x86 involves is not that much fun but I think it went at least alrightish. Slides can be found here.

The second talk was kind of a rehearsal for my final thesis presentation. So I took the chance to prepare myself for Dublin and present brand new stuff^tm. I started off crashing a Linux PC with my N900 and went then to the talk. It was a bit confusing, I guess. But in fairness: It was very late in every sense of the word 😉 But I got positive feedback nonetheless so it’s better if you make up your own mind with the slides. Although I don’t think the slides alone are that interesting.

For some reason, people were interested in the commands that I’ve used for the demo:

  1. Boot Ubuntu
    /opt/muelli/qemu/bin/qemu-system-x86_64 -enable-kvm -hda ubuntu.img -cdrom ~/ISOs/ubuntu-10.04.1-desktop-amd64.iso -monitor stdio -serial vc -m 1G -loadvm 1
  2. Setup Filter
    usb_filter_setup /tmp/filter
    export PYTHONPATH=~/hg/scapy-com/
    python recordingfilter.py /tmp/filter /tmp/phonet.dump
  3. Attach device
    info usbhost
    usb_add host:0421:01c8
    sudo chown muelli /dev/bus/usb/002/004

    usb_filter_remove
    usb_del 0.2
  4. Replay
    usb_add emul:full:/tmp/filter
    cat /tmp/filter.in &
    cat /tmp/phonet.dump.out > /tmp/filter.out

    usb_del 0.0
    kill %%
  5. Fuzz (didn’t really work because of a Heisenbug)
    python emulator.py --relaxed /tmp/filter /tmp/phonet.dump.combined
    python fuzzingemulator.py /tmp/filter webcam.dump
    usb_del 0.0
  6. Fully Virtualise
    usb_add emul:full:/tmp/filter
    python usbmachine.py /tmp/filter.in /tmp/filter.out
    usb-devices

Freedom not Fear 2010 on 2010-09-11 in Berlin

Call for Action!

Do you live in or near Berlin? Or just happen to be there on 2010-09-11? Then go out for once! It’s good for your body, your mind and society. Again, Freedom Not Fear will take place and you are most welcome to join! You’re not in Berlin? Great! Freedom not Fear will also take place in

The demands are:

1. Cutbacks on surveillance measures

  • abolition of the blanket logging of our communication and locations (data retention)
  • abolition of the blanket collection of our biometric data as well as RFID passports
  • protection from surveillance at the workplace by introducing effective labour data protection laws
  • no permanent student ID numbers
  • no handing over of personal information without cause; no European wide standardized state run collection of information (Stockholm Program)
  • no systematic surveillance of monetary transactions or any other mass data analysis within the EU (Stockholm Program)
  • no information exchange with the US or any other state lacking effective data protection laws
  • abolition of permanent CCTV camera surveillance and ban of all behavioral detection techniques
  • no blanket registration of passengers traveling with airlines or by boat (PNR data)
  • no secret searches of private computer systems, neither online nor offline
  • no introduction of the e-health insurance card in the presently planned form
  • no systematic surveillance of financial transactions data or similar mass data analysis in the EU (SWIFT)
  • no blanket registration of all air and sea travellers (PNR data)
  • no automated registration of vehicle number plates and locations

2. Evaluation of existing surveillance powers

We call for an independent review of all existing surveillance powers as to their effectiveness, proportionality, costs, harmful side-effects and alternative solutions. We particularly call on the European parliament to immediately re-evaluate existing and planned projects on interior security that restrict fundamental rights of the people in Europe.

3. Moratorium on new surveillance powers

Following the “arms race” in security measures over the past few years, we demand an immediate stop to new interior security laws that further restrict civil liberties.

4. Ensure freedom of expression, dialogue and information on the Internet

  • safeguard net neutrality with binding laws
  • keep the Internet free, unfiltered and uncensored, without blocking lists or pre-publication controls, neither by state institutions nor by Internet service providers
  • no Internet disconnection policies (“three strikes”, “graduated response”)
  • outlaw installation of filtering infrastructures on ISP networks
  • content deletion must require an order by an independent and impartial judge, the right to legal recourse must be ensured
  • establish a digital Human Rights Charter for the 21st century, with global protections of digital civil rights
  • introduction of an unlimited right to quote multimedia content, which nowadays is indispensable for public debate in democracies
  • protection of internet platforms for preserving the free expression of opinion (participatory websites, forums, comments on blogs etc.), which nowadays is threatened by inadequate laws encouraging self-censorship (chilling effect)

Cleanternet – campaign for a cleaner and safer Internet – cleanternet.org from alexanderlehmann on Vimeo.

Freedom Not Fear 2010

FOSS.in 2010 does take place \o/

I am delighted to see that this year’s FOSS.in will indeed take place. There were rumours about it not happening but fortunately you will have the opportunity to have a great time from 2010-12-15 to 2010-12-17!

You might have realised already that this is only three days:

This year, the event is 3 days instead of the usual 5 days –  a 5 day event was simply too exhausting for everyone (participants and team). Also, we have moved the event into the middle of December, to give students of colleges that usually have their exams end-November or early-December a chance to attend. Our American friends will be happy to note that we have moved the event safely out of Thanksgiving range :)

As last year, I expect the conference to be great. I do hope that GNOME will be well represented, especially since GNOME 3 will be released and we have the potential to attract many new hackers. Also, because the KDE folks were staffed very well and we were not.

Got a N900 *yay*

A while back, during FOSS.in, I participated in a Maemo “hacking” contest. The goal was to produce something valuable for Maemo and get an N900 in return. I basically ported Gajim to the N900 and, drumroll, I won! *yay*

Unfortunately, it took them a while to ship that thing so that I received it half a year later or so. But then it was amazingly fast. I received a parcel from Helsinki (2031 km away) which was sent 20 hrs earlier. The parcel thus was traveling at ~100 km/h. Great service, DHL! Thanks a million Nokia, thanks Maemo Bangalore!

I really like the N900 because it’s a Linux based device. Well, there is Android, right? But Nokia actually does send its patches upstream and they invite you to get root on the device you own. Plus everything is pretty much standard. There is D-Bus, there is GTK+, there is Python, there is Linux, … Hence, building and running stuff is pretty easy. I am looking forward to running my DNS Tunnel and DOOM and playing around with the USB.

I am now busy playing with my new N900.

Practicum Status Update Week 10

  • As mentioned in the last report, I skipped one week in favour of the GUADEC.
  • I had a funny C problem. Consider the following two functions:
     
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    /* error_report() is QEMU's printf-style logging helper (it appends the newline) */

    static int
    safe_read (void *data, size_t length, FILE* file)
    {
        /* fread() returns the number of items read (0 or 1 here); it never returns -1 */
        int status = fread(data, length, 1, file);

        if (status != 1) error_report("%s: read packet (%zu) data on stream %p "
                                      "failed (%d): %s",
                                      __FUNCTION__, length, file,
                                      status, strerror(errno));
        status = fflush(file);
        return status;
    }

    static int
    safe_write (void *data, size_t length, FILE* file)
    {
        /* fwrite() likewise returns the item count, not -1 */
        int status = fwrite(data, length, 1, file);

        if (status != 1) error_report("%s: writing packet (%zu) data on stream %p "
                                      "failed (%d): %s",
                                      __FUNCTION__, length, file,
                                      status, strerror(errno));
        status = fflush(file);
        return status;
    }

    Now you might want to deduplicate the code and make it one big and two small functions:

     
    static int
    safe_operation (size_t (func) (void *, size_t, size_t, FILE*), void *data, size_t length, FILE* file)
    {
        int status = func(data, length, 1, file);
        const char *funcstr = "undeclared";

    //	switch (*func) {
    //		case fread:
    //			funcstr = "read";
    //			break;
    //		case fwrite:
    //			funcstr = "write";
    //			break;
    //		default:
    //			funcstr = "?";
    //			break;
    //	}

        if (status != 1) error_report("%s: %s (%p) packet (%zu) data on stream %p "
                                      "failed (%d): %s",
                                      __FUNCTION__, funcstr, (void *) func, length, file,
                                      status, strerror(errno));
        status = fflush(file);
        return status;
    }

    but it wouldn’t compile because fread and fwrite have slightly different signatures: fread takes a void * buffer, fwrite a const void * one.
    The solution is to use fwrite’s type for the function pointer and cast fread to it:

     
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    /* error_report() is QEMU's printf-style logging helper (it appends the newline) */

    typedef size_t (*fwrite_fn)(const void * __restrict, size_t, size_t, FILE * __restrict);

    static int
    safe_operation (fwrite_fn func, void *data, size_t length, FILE* file)
    {
        /* both fread() and fwrite() return the item count (0 or 1 here), never -1 */
        int status = func(data, length, 1, file);
        const char *funcstr = "undeclared";

        if (status != 1) error_report("%s: %s (%p) packet (%zu) data on stream %p "
                                      "failed (%d): %s",
                                      __FUNCTION__, funcstr, (void *) func, length, file,
                                      status, strerror(errno));
        status = fflush(file);
        return status;
    }

    int
    main(void)
    {
        int x = 0;

        /* fread's buffer parameter is void *, fwrite's is const void *; cast one to the other's type */
        safe_operation((fwrite_fn)fread, &x, sizeof x, stderr);
        safe_operation(fwrite, &x, sizeof x, stderr);
        return 0;
    }

    Thanks to Roland for pointing that out.

  • On something unrelated: Fought with OpenSSL and its API and documentation. But more on that in a different post.
  • Fortunately, only Gajim crashed once. Well, Rhythmbox locks up, too, as it always does.
  • Annoyed by the fact that it takes ages to “make” a freshly made kernel!
    muelli@bigbox ~/git/linux-2.6 $ time make 
      CHK     include/linux/version.h
      CHK     include/generated/utsrelease.h
      CALL    scripts/checksyscalls.sh
      CHK     include/generated/compile.h
      CHK     include/linux/version.h
    make[2]: `scripts/unifdef' is up to date.
      TEST    posttest
    Succeed: decoded and checked 1382728 instructions
    Kernel: arch/x86/boot/bzImage is ready  (#14)
      Building modules, stage 2.
      MODPOST 2107 modules
    WARNING: modpost: Found 4 section mismatch(es).
    To see full details build your kernel with:
    'make CONFIG_DEBUG_SECTION_MISMATCH=y'
    
    real	14m7.842s
    user	1m33.747s
    sys	0m25.388s
    muelli@bigbox ~/git/linux-2.6 $ 
    
  • Trying to automatically create a FAT image and populate it with the built modules is more cumbersome than expected. guestmount is way too much overhead: It requires qemu and channels the data out over the network (sic!). I just want a FUSE implementation that is capable of writing a FAT image! There seems to be UMFUSE but it’s packaged for Debian/Ubuntu and not for Fedora. Finding the sources is quite a challenge (it’s here: https://view-os.svn.sourceforge.net/svnroot/view-os/trunk/fuse-modules/fat) but I can’t build it, because they haven’t really prepared their code for anybody else to build it. After being harassed to generate the ./configure file (autoconf; aclocal; autoconf), it also wants shtool to be installed AND in a local directory (/.-). I gave up as it kept bugging me about a missing config.sub. But I still wanted to get that FUSE module so I dug up my Ubuntu chroot and apt-get sourced the files, ./configure && make && make install. Beautiful. Turns out that the official FUSE wiki lists two ways to mount a FAT fs: the one I’ve just described and a dead project (FatFuse).

    I then threw together this shellscript:

    #!/bin/bash

    MOD_DIR=/tmp/linux-modules/
    FAT_IMAGE=/tmp/modules.$$.fat
    FAT_MOUNT=/tmp/share/
    FAT_TARGET_IMAGE=/tmp/modules.fat

    make modules_install INSTALL_MOD_PATH="$MOD_DIR" &&

    # size of the module tree in 1K blocks, plus 20 MiB of slack for FAT metadata
    blocks=$(( $(du -sk "$MOD_DIR" | awk '{print $1}') + 20 * 1024 )) &&
    #
    # create FAT image
    mkdir -p "$FAT_MOUNT" &&
    dd if=/dev/zero of="$FAT_IMAGE" bs=1024 count="$blocks" &&
    mkfs.vfat "$FAT_IMAGE" &&
    fusefat -o nonempty -o rw+ "$FAT_IMAGE" "$FAT_MOUNT" &&
    # no && after cp: the image must be unmounted even if cp reports errors
    # (FAT cannot store the build/source symlinks in the module tree)
    cp -dRx "$MOD_DIR"/* "$FAT_MOUNT"
    fusermount -u "$FAT_MOUNT" &&
    echo "$FAT_IMAGE" &&
    ln -sf "$FAT_IMAGE" "$FAT_TARGET_IMAGE"

    and I start qemu like that:

    /opt/muelli/qemu/bin/qemu-system-x86_64 -drive file=/tmp/ubuntu-snapshots.qcow2,if=virtio -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append 'selinux=0 root=/dev/vda init=/sbin/init' -m 1G -drive file=/tmp/modules.fat,if=virtio,readonly=on -monitor stdio -loadvm 1

    which allows me to access the modules on the FAT drive at /dev/vdb. I can also snapshot the booted machine which saves me an awful lot of time for booting. But it took me quite a while to make QEmu do that, because the snapshot parameter for the disk does not save snapshots! Also, the FAT drive has to be marked as readonly for QEmu to only save snapshots on the only remaining writable drive. But QEmu fails to make a drive readonly if the selected interface is IDE. Thus, you need virtio… Thanks to the helpful folks on IRC…

  • So yeah, all in all, I didn’t make any substantial progress :-/ I hope to finish a Webcam in software soonish though.

GUADEC 2010 – The Hague

I’ve been to GUADEC *yay*! I am going to summarize some of the talks I’ve attended and some of the many seriously interesting conversations I’ve had during this week. But in short: This was one of the best GUADECs, progress wise. I met many people, brought my teams (bugsquad and membership-committee) forward, had new inspirations and fixed some bugs 🙂

But the week started with some work. Apparently, the network was not fully set up yet and we had to use a lot of duct tape to set everything up. After people saw me being “in charge” of the network, they started to complain why the network was not running properly 😉 The problem was that the uplink was kind of broken. Basically a big firewall blocked that many connections because it thought it was under attack. The solution then was to claim some of the university’s IP addresses and do a big SNAT for the users.

Having said that, the network was up and running perfectly on Wednesday, making it a perfectly networked GUADEC 🙂 The last GUADECs usually had some troubles with the connection even after the event started (remember the broken uplink on Gran Canaria or the rather bad wireless situation in Birmingham?).

The hotel’s wireless was ridiculously expensive. They wanted 10 quid for 24 hours. But I realized that the default gateway is announced as being at 192.168.1.1 and if you visited that with a web browser, you’d find out that it was a Zyxel VSG-1200. Turns out, documentation is very verbose, including a default username and password… The rest is left as an exercise for the reader. If you didn’t want to go that route, you could easily claim an active MAC address and IP and reuse the authentication…

The talks were streamed and I hope recordings will be made available soon. Good summaries were already given in the official GUADEC blog and various others so I won’t go into too much detail, because .

I haven’t seen covered that Xan and Fernando mocked the newly promulgated Speaker Guidelines, which they didn’t respect either. It’s an interesting discussion though. It is obviously a shield against attacks from the outside so that we (as GNOME) can point to these guidelines if one of our speakers might have offended anyone. But do we, as GNOME, need such a thing in the first place? And what happens if we refer to those guidelines over and over again but nobody complies with them? Probably nothing. But do we need to lie to ourselves then? Can’t we expect people to have enough common sense? Do we want to be a community where we can’t assume enough common sense?

An issue that I didn’t really understand was that the usual picking on Canonical took place. Apparently, people expected Canonical to contribute more since 1999 than they actually did. But they were founded in 2004… That comment summarizes that fact well. Also, I don’t really get why people expect a distributor to engineer stuff in, say, GNOME. I don’t hear anybody complaining about, say, Mandriva or Gentoo.

Brad Kuhn told us to save human lives by rolling out more crypto within GNOME. I couldn’t agree more. But sadly, we have a long way to go. For now, you can’t even handle your OpenPGP key in a sane way, i.e. roll over to a new key. It strikes me that we still don’t have a concept for encrypted end-to-end communication, i.e. with Telepathy (well, email is too broken to be tackled). Apparently XTLS should be used. But no PKI will be used, thus discouraging the enhancement of the OpenPGP Web of Trust. It would be absolutely brilliant if Telepathy used OpenPGP keys (maybe even created one if none existed). When talking to another entity via Telepathy, it could then ask the user to verify the other person’s identity via, say, a video chat. That chat would use the public key material for encryption. The assumption is that the two parties know each other and that a man-in-the-middle cannot spoof valid data quickly enough. The other person’s key would then more or less automatically be signed. I talked a lot to Stef Walter and other people around GNOME-Keyring and Seahorse and we had good ideas. Let’s see how much we can get done.
But we’ll have a long way to go, since GNOME doesn’t even provide fundamental encryption for its web services, i.e. live.gnome.org or even the RequestTracker 🙁

As for the teams I feel responsible for, I met with a few Bugsquad folks and we’ve discussed a few things. I am still in post-GUADEC mode to get everything off my todo list that accumulated over GUADEC. The most immediate action is to close bugs of deprecated modules and get rid of the products in Bugzilla. Other lower priority issues are to (finally!) organise a bugday and test a JetPack which helps dealing with Bugzilla.

I also had a few discussions related to the GNOME Foundation membership process. We somehow have to think about the people that feel intimidated joining the GNOME Foundation. Also we will discuss our strategy and policy of evaluating non-trivial contributions to GNOME.

Having said all that, I want to thank the GNOME Foundation for paying my accommodation and making such a productive week possible.

Practicum Status Update Week 8

  • Over the weekend, I’ve talked at the ChaosBBQ in Dortmund, Germany. A nice and small conferency gathering.
  • This week I had only a few bugs (that I reported):
  • The filter stuff is actually more complex than I initially thought: I do indeed have to handle async USB URBs which makes the code look more ugly and taste more like spaghetti. Anyway, the filter stuff should fully work now *yay*.

    I hope the video works. If it doesn’t, please download first. So we can replace packets on the fly, in and out. And of course, you could design a more complex scenario: Let the first read pass by unmodified but after that modify the packets.

  • Read a bit in “Essential Linux Device Drivers” which is an interesting book to read. I like the relaxed writing style. I haven’t gotten to the nitty gritty USB details yet though.
  • Wireshark can sniff USB communication, too. And it can save as a pcap file. And it dissects bits of the protocols. At least it shows the SCSI requests for a USB Mass Storage device. I have to test whether it knows, say, webcams. First investigations show that it only supports USB Mass Storage though. And it’d be interesting whether it can sniff the communication I’m filtering with QEmu.
  • Apparently, the pcap network (link type) value for USB captures is 0xdc:
    typedef struct pcap_hdr_s {
            guint32 magic_number;   /* magic number */
            guint16 version_major;  /* major version number */
            guint16 version_minor;  /* minor version number */
            gint32  thiszone;       /* GMT to local correction */
            guint32 sigfigs;        /* accuracy of timestamps */
            guint32 snaplen;        /* max length of captured packets, in octets */
            guint32 network;        /* data link type */
    } pcap_hdr_t;

    Wireshark dumps the following:

    0000000: d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00  ................
    0000010: ff ff 00 00 dc 00 00 00 43 8e 44 4c d7 96 05 00  ........C.DL....

    So I might be able to implement saving to PCap at some stage.

  • Next week will be GUADEC! *yay* But that will also mean that I can’t work that much.
  • So my emulation seems to work now, too. I now need to speak the right protocol. So if you know a good resource that describes how a, say, USB Webcam behaves on the bus, drop me a line. Or anything that can dissect USB packets would be fine.
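
As an added example (not code from the original posts), here is a minimal pcap writer and reader for USB captures that uses the pcap_hdr_t layout and the 0xdc link type shown in the Week 8 notes. It goes one step beyond the file header: 0xdc (220) is LINKTYPE_USB_LINUX_MMAPPED, so each record has to start with the 64-byte Linux usbmon header, which the code also packs. The 32 bytes from the Wireshark dump are embedded as test input; the sample capture (URB id, bus/device numbers, microsecond values) is constructed here.

```python
import struct

# pcap global header (24 bytes) and per-record header (16 bytes), little-endian,
# laid out exactly like the pcap_hdr_t struct quoted above.
PCAP_MAGIC = 0xA1B2C3D4                 # stored as d4 c3 b2 a1 on a little-endian host
PCAP_HDR = struct.Struct("<IHHiIII")    # magic, major, minor, thiszone, sigfigs, snaplen, network
PCAPREC_HDR = struct.Struct("<IIII")    # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_USB_LINUX_MMAPPED = 0xDC       # 220: Linux usbmon capture with 64-byte packet headers

# Linux usbmon "mmapped" packet header (64 bytes) that link type 220 expects in
# front of each URB's payload: id, type, xfer_type, epnum, devnum, busnum,
# flag_setup, flag_data, ts_sec, ts_usec, status, length, len_cap, setup[8],
# interval, start_frame, xfer_flags, ndesc.
USBMON_HDR = struct.Struct("<QBBBBHbbqiiII8siiII")

# The 32 bytes from the Wireshark hexdump above: file header plus the first
# 8 bytes (the timestamp) of the first record header.
WIRESHARK_DUMP = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 ffff0000 dc000000 438e444c d7960500")


def parse_pcap_header(buf):
    """Decode the global header; refuse anything but native little-endian magic."""
    if len(buf) < PCAP_HDR.size:
        raise ValueError("short pcap header")
    magic, major, minor, zone, sigfigs, snaplen, network = PCAP_HDR.unpack_from(buf)
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected pcap magic 0x%08x" % magic)
    return {"version": (major, minor), "thiszone": zone, "sigfigs": sigfigs,
            "snaplen": snaplen, "network": network}


def peek_first_timestamp(buf):
    """ts_sec/ts_usec of the first record, usable even on a dump cut off right after them."""
    return struct.unpack_from("<II", buf, PCAP_HDR.size)


def build_pcap_header(network=LINKTYPE_USB_LINUX_MMAPPED, snaplen=0xFFFF):
    return PCAP_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, network)


def build_usbmon_record(urb_id, event, xfer_type, epnum, devnum, busnum,
                        payload, ts_sec, ts_usec, length=None, flag_data=0, status=0):
    """One URB as a pcap record: 16-byte record header, 64-byte usbmon header, payload.

    event: ord('S') submission, ord('C') completion, ord('E') error.
    xfer_type: 0 isochronous, 1 interrupt, 2 control, 3 bulk.
    epnum: endpoint number, bit 7 set for IN (device-to-host) endpoints.
    length is the transfer length; pass it explicitly when no data was captured
    (e.g. the completion of an OUT transfer, which carries flag_data '>').
    """
    if length is None:
        length = len(payload)
    usbmon = USBMON_HDR.pack(
        urb_id, event, xfer_type, epnum, devnum, busnum,
        ord("-"), flag_data,         # flag_setup '-': no SETUP packet; flag_data 0: data present
        ts_sec, ts_usec, status,
        length, len(payload),        # length, len_cap
        b"\x00" * 8,                 # setup[8], unused for non-control transfers
        0, 0, 0, 0)                  # interval, start_frame, xfer_flags, ndesc
    body = usbmon + payload
    return PCAPREC_HDR.pack(ts_sec, ts_usec, len(body), len(body)) + body


def iter_records(buf):
    """Yield (ts_sec, ts_usec, data) per record; data starts with the usbmon header."""
    off = PCAP_HDR.size
    while off + PCAPREC_HDR.size <= len(buf):
        ts_sec, ts_usec, incl_len, _orig_len = PCAPREC_HDR.unpack_from(buf, off)
        off += PCAPREC_HDR.size
        if off + incl_len > len(buf):
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, ts_usec, buf[off:off + incl_len]
        off += incl_len


def sample_capture():
    """Constructed capture: a 512-byte bulk OUT transfer of 'A's (the payload from the
    replace-filter experiment) as submission and completion on bus 2, device 4, EP 1.
    URB id and microsecond values are made up; ts_sec is the one Wireshark wrote above."""
    ts_sec, payload, urb = 0x4C448E43, b"A" * 512, 0xFFFF8800CAFE0000
    recs = [
        build_usbmon_record(urb, ord("S"), 3, 0x01, 4, 2, payload, ts_sec, 366295),
        build_usbmon_record(urb, ord("C"), 3, 0x01, 4, 2, b"", ts_sec, 366900,
                            length=512, flag_data=ord(">")),
    ]
    return build_pcap_header() + b"".join(recs)


if __name__ == "__main__":
    print(parse_pcap_header(WIRESHARK_DUMP))
    with open("usb-sample.pcap", "wb") as f:   # open in Wireshark to check the dissection
        f.write(sample_capture())
```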

Chaos BBQ 2010

Over the weekend, I had the opportunity to attend ChaosBBQ in Dortmund, Germany. It’s a small yet interesting gathering of hackers and it is a very relaxed conferency happening. With a BBQ 😉

This year’s motto was “construct, destruct!” and I was more on the destructing side: I presented two topics: Security in Mobile Devices and a Magnetic Stripe Card workshop.

The Security in Mobile Devices talk went quite well and I think I encouraged people to start hacking their devices 🙂 It’s funny though: I almost see blood coming out of people’s ears when I go through the very technical part about buffer overflows. 2/3 seem to be bored or overwhelmed. The other 1/3 seem to be very interested and crave more details. But I get everybody back when I have more pictures and videos about funny exploits and when I’m able to slander Apple 😉 Again, I talked about a mixture of hardware and platform security and gave examples of previous hacks and how to actually start breaking your gadget.

The magnet card workshop was interesting, too. I presented how magnetic stripe technology actually works. And because we were curious hackers, we explored how it’s been used and how we can hack stuff. I told a few war stories that I will hopefully be able to expand on in the future (although I don’t know whether DCU will like it 😉 ). Since it was more of a workshop, people contributed technical details (thx to the guys from das Labor 🙂 ) or other interesting facts.

I had a nice weekend in Dortmund and I can recommend attending the ChaosBBQ if you’re looking for a tiny yet open gathering of interested geeks and hackers.

Practicum Status Update Week 7

  • Read about Radare. Apparently, they have “USB support” but I could only see a USB communication sniffer. So Radare doesn’t dissect USB packets 🙁
  • Installed GDB from git, because the GDB in Fedora 13 crashes way too often. I didn’t file as many new bugs this week though 😉 I seem to have worked around all my crashers…
  • Fought a lot with git 🙁 It’s incredibly hostile. I tried to rebase stuff and it keeps bugging me with old commits still being visible although I’ve changed them 🙁 I probably haven’t understood what it does yet. Tried to fix as much as possible using git reflog. Of course, the man page references options (--verbose in my case) that are nonexistent. Brilliant. I don’t know why I actually expected git to help me.
    This is hilarious, too:

    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    First, rewinding head to replay your work on top of it...
    Applying: Temporary migration to usb_packet_filter_setup_fds
    Using index info to reconstruct a base tree...
    Falling back to patching base and 3-way merge...
    Auto-merging usb-linux.c
    CONFLICT (content): Merge conflict in usb-linux.c
    Failed to merge in the changes.
    Patch failed at 0001 Temporary migration to usb_packet_filter_setup_fds
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    
    muelli@bigbox ~/git/qemu $ nano usb-linux.c # hack hack hack
    muelli@bigbox ~/git/qemu $ git add usb-linux.c
    muelli@bigbox ~/git/qemu $ git rebase --continue
    Applying: Temporary migration to usb_packet_filter_setup_fds
    No changes - did you forget to use 'git add'?
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    muelli@bigbox ~/git/qemu $ 
    

    WTF?!

    That one is brilliant, too:

    muelli@bigbox ~/git/qemu $ git rebase -i setup_fds
    # Stupid me: I selected "f" for the very first entry in that edit window
    Cannot 'fixup' without a previous commit
    # Fair enough, let me restart then:
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    Interactive rebase already started
    # O_o WTF? What else, besides aborting, could I possibly do anyway?!
    muelli@bigbox ~/git/qemu $ git rebase --abort
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    # Now it works...
    
  • Reimplemented host side USB filters to obtain valid USB communication. I have various simple filters: PassThrough, Logging and Replacing. The first one does nothing but return the data w/o any modification. The second one writes the bytes it reads and writes to files. The third one replaces 512 “A”s with 512 “B”s. I still need to separate packets from the device in question to the host from packets from the host to the device to obtain valid device behaviour without reading all of the documentation. That will give me a good starting point to actually do the fuzzing.

    That replace filter produced interesting results. I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.

    Of course, Istanbul crashed while trying to make that screencast.
    Note that the filter code actually changed by now, not only because I enhanced the protocol (in the version you’re seeing, only USB payload is exchanged. In the new version, also the PID, device address and device endpoint are filtered) but also because I refactored the communication bits into a USBPacket class.
    I forgot to show the pen drive from the host point of view after having copied the file in the guest, but the “bbbb” file is full of “B”s.

  • I’m on my way to emulating a USB device, i.e. make the guest think it has a USB device attached but the device is a program running on the guest. I basically copied the USB serial driver and the HID driver and modified them to get packets from a pipe and send them to a pipe. I had serious problems with QEmu: QEmu didn’t register my new “device”. Now I called the right function to initialize the USB device and voila, it attaches it like it should.
    Now I need to obtain valid USB communication using the filter so that I can respond to incoming packets properly.
  • Dear lazyweb, I’m wondering whether I could make my OS load an application but then break on main() so that I can attach a debugger. I cannot run the application *with* GDB. Instead, I want to attach a GDB after the program is fully loaded. Maybe LD_PRELOADing on main() will work?

Practicum Status Update Week 6

  • So the plan is to modify a Linux driver to see results more easily (once the fuzzing part works). So I tried to get a working environment where I can boot my modified Linux kernel in. My problem being that I don’t necessarily want to create initrds and somehow want the modules to be inside the guest machine. And I do want modules because I don’t want to reboot after I’ve changed a tiny bit of the code. So I debootstrapped onto the filesystem on the host and tried to run Qemu with that directory as virtual FAT drive:
    sudo /opt/muelli/qemu/bin/qemu -monitor stdio -m 1G -kernel /opt/ubuntu/boot/vmlinuz-2.6.32-21-generic -initrd /opt/ubuntu/boot/initrd.img-2.6.32-21-generic -hda fat:ro:/opt/ubuntu/ -runas muelli
    But it fails because the directory is too big.
    I then debootstrapped into a fixed size container and for now I’m going with
    /opt/muelli/qemu/bin/qemu-system-x86_64 -m 1G -smp 1 -hda /opt/ubuntu.img -snapshot -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append 'root=/dev/sda'
    But that doesn’t seem to work well, because the virtual machine just stops working. Attaching a debugger tells me that the qemu process basically stopped. Weird.
    I basically followed these instructions but in order to make Eclipse index my Linux Kernel, I had to start it with -vmargs -Xmx1024M.
    But debugging the kernel is a bit hard because something with the protocol is weird. The suggested fix doesn’t help.
  • QEmu wouldn’t install windows 7 x86_64, because of a “wrong CPU” type of error. Fortunately, the STOP codes are well documented. Trying to install it on x86 is not possible. I booted the ISO for two days without any success.
  • Found a good overview of USB classes per Windows Version. The USB classes themselves are not very well documented though. But in fairness, I haven’t read the 600+ pages spec yet.
  • Spent ages trying to make sscanf split a string on a colon. Jeez, it’s horrible. I even thought about doing a system("python -c 'mystring.split(':')'") or so… Ended up using strtok:
    /* "\0" is an empty delimiter set, so the second strtok() returns the whole remainder */
    if (((speedstr = strtok(copy, ":")) == NULL) || ((filterfilename = strtok(NULL, "\0")) == NULL)) {
        error_report("expected <speed>:<filterfile>"); /* placeholder message; the original is elided */
    } else {
        /* speedstr and filterfilename point into copy, which strtok() modified in place */
    }
  • gdb attached to a process crashed from eclipse. GDB also likes to crash if the remote server went down.
    And listening to music with Rhythmbox is hard, too >.<
    QEmu crashes if given a wrong kernel image.
  • Found Patents related to fuzzing, but Zotero won’t import those to my library.
  • I had funny results with the filter: I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.
Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.