IssueThe dnsmasq can’t start to running.Why? The ujail is enabled by default on OpenWrt 22.03, and no privilege to do some jail operation in systemd-nspawn container. e.g. mount /tmp/xxx to /dev/logHow to fix0x1.Uninstall procd-ujail and procd-seccompopkg remove procd-ujail opkg remove procd-seccomp0x2. Fix dnsmasq service script/etc/init.d/dnsmasq:[ -x /sbin/ujail -a -e /etc/capabilities/ntpd.json ] && { procd_add_jail dnsmasq ubus log procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFI ...继续阅读 (34)

What is stack clash style attacks?计算机上运行的程序都需要一块特殊的内存区域称为“栈”，栈空间通常是动态单向增长的，以Linux内核为例，操作系统为了防止栈空间过早分配产生的内存浪费，采用了栈延迟分配策略，按Page粒度逐步向低地址扩展增长。栈可用空间最低地址位置上有个特殊的页称为Stack Guard Page，当访问到达该页时，将触发严重错误，使程序终止执行。攻击者故意分配较大的栈空间，但不触发访问，可有可能跳过对Stack Guard Page的访问，如果精心安排，或运气较好，就有可能将低地址方向的其它内存区域作为栈来使用，从而有机会突破栈不可执行保护。How to prevent?GCC编译器实现了stack clash protection功能，通过参数-fstack-clash-protection可启用。不是所有的目标架构都实现以支持该功能。How it works?GCC实现stack clash protection的方法是为每个函数生成一段代码，该代码执行在业务代码之前，按Page粒度逐个预访问函数framesize空间，达到一定能触发stack guard page访问的目的。下面以一段MIPS架构汇编代码示例：#includeint main (int argc, char *argv[]) { char buffe ...继续阅读 (24)

Control-flow graph(a) an if-then-else(b) a while loop(c) a natural loop with two exits, e.g. while with an if…break in the middle; non-structured but reducible(d) an irreducible CFG: a loop with two entry points, e.g. goto into a while or for loopJava caseIrreducibleLoop.javapublic class IrreducibleLoop { public static void test(int loop) { } }IrreducibleLoop.jasmsuper public class IrreducibleLoop version 63:0 { public Method "":"()V" stack 1 locals 1 { aload_0; invokespecial Method java/lang/Object."":"()V"; return; } public static Method te ...继续阅读 (26)

function put_route() { ip route del default dev pppoe-wanct proto static table 100 ip route add default dev pppoe-wanct proto static table 100 ip rule del pref 32760 ip rule add pref 32760 from ${1} lookup 100 } put_route ${ip} ...继续阅读 (29)

Issue/usr/libexec/sftp-server: not found-O Use the legacy SCP protocol for file transfers instead of the SFTP protocol. Forcing the use of the SCP protocol may be necessary for servers that do not implement SFTP, for backwards-compatibility for particular filename wildcard patterns and for expanding paths with a ‘~’ prefix for older SFTP servers. ...继续阅读 (35)

usb 1-3.4: USB disconnect, device number 18 usb 1-3.1: new full-speed USB device number 19 using xhci_hcd usb 1-3.1: New USB device found, idVendor=1a86, idProduct=7523, bcdDevice= 2.54 usb 1-3.1: New USB device strings: Mfr=0, Product=2, SerialNumber=0 usb 1-3.1: Product: USB2.0-Ser! ch341 1-3.1:1.0: ch341-uart converter detected ch341-uart ttyUSB0: break control not supported, using simulated break usb 1-3.1: ch341-uart converter now attached to ttyUSB0 usb 1-3.1: usbfs: interface 0 claimed by ch341 while 'brltty' sets config #1 ch341-uart ttyUSB0: ch341-uart converter now disconnected from ...继续阅读 (25)

nftablesudp dport { 80, 443 } reject with icmpx port-unreachableiptables-p udp --match multiport --dports 80,443 -j REJECT ...继续阅读 (21)

The dnsmasq is enables rebind protection by default, this reject DNS records that contains reserved address (RFC1918).Remove argument to disable it:--stop-dns-rebindOpenWrtLUCIMenu: Network->DHCP and DNSUnchecked Rebind protection. ...继续阅读 (18)

The 64-bit ARM (AArch64) calling convention allocates the 31 general-purpose registers as:[2]x31 (SP): Stack pointer or a zero register, depending on context.x30 (LR): Procedure link register, used to return from subroutines.x29 (FP): Frame pointer.x19 to x29: Callee-saved.x18 (PR): Platform register. Used for some operating-system-specific special purpose, or an additional caller-saved register.x16 (IP0) and x17 (IP1): Intra-Procedure-call scratch registers.x9 to x15: Local variables, caller saved.x8 (XR): Indirect return value address.x0 to x7: Argument values passed to and results returned ...继续阅读 (26)

~/.config/gtk-3.0/gtk.css:/* Decrease the tabs bar height in gnome-terminal * See: * https://stackoverflow.com/questions/36869701/decrease-the-tabs-bar-height-in-gnome-terminal */ terminal-window notebook > header.top button { padding: 0 0 0 0; background-image: none; border: 0; margin-right: 10px; } terminal-window notebook > header.top > tabs > tab { margin: 0 0 0 0; padding: 0 0 0 0; } terminal-window notebook > header.top > tabs > tab label { padding: 0 0 0 0; margin: 0 0 0 0; }BeforeAfterFrom:https://stackoverflow.com/questions/36869701/decrease-the-tabs-bar-height-i ...继续阅读 (20)

Handle interrupts of ethernet device on high performance cpus./etc/systemd/system/irq-eth0.service[Unit] Description=IRQ SMP Affinity After=network.target [Service] Type=oneshot ExecStart=/usr/bin/bash -c 'echo 4-5 > /proc/irq/31/smp_affinity_list' [Install] WantedBy=multi-user.target ...继续阅读 (18)

Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsaWorkaround:Host 192.168.0.1 HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa ...继续阅读 (24)

前段时间，在研究HLS的AES加密，由于一个地方电视台的HLS流有AES加密，在查看了相关的加解密方案后发现使用的是简单的AES的CBC模式，在CBC的模式下，会设置一个IV，初始化向量。但是我在解密的时候，使用了一个由于理解错误而产生的一个错误IV居然也能解密视频并进行播放，于是就有了这篇张文章。AES五种加密模式（CBC、ECB、CTR、OCF、CFB）虽然有五种加密，但是常用的还是CBC，CBC的全称Cipher Block Chaining ，有点类似于区块链哈，我们先来看下加密方式CBC加密上面的图片从左往右看，初始化IV只有在第一个块加密的时候才会用到，而第N个块的加密IV则是用的N-1(N>1)个加密后的二进制数组。CBC解密CBC的解密则也是从左往右看，但是加密时IV在解密时候，只会用于对第一个块进行解密，其他块的解密则是使用上一块的加密二进制作为IV进行解密操作。加密时，用iv和key去加密第一个块，然后用第一个块的加密数据作为下一个块的iv，依次迭代。解密时，用n-1个块的加密数据作为iv和key去解密第n个块（n>1），只有第一个块才会用加密时的iv去解密第一个块。按照这样的逻辑来看，那么如果解密时，使用了iv错误，出问题的数据应该只有第一个块。通过上面的分析就能知道，加密的时候，iv会影响所有数据的加密结果，而解密时，iv只会影响第一个加密块的解密结果，其他 ...继续阅读 (22)

sudo fallocate -l 100G /path/to/swap.img sudo chmod 0600 /path/to/swap.img sudo mkswap /path/to/swap.img ...继续阅读 (16)

This is an example of configuring transparent proxy(tproxy) with nftables. The tproxy application ishev-socks5-tproxyNetfilter rulesDON’T FORGOT TO ADD UPSTREAM ADDRESS TO BYPASS IPSET!!Or use nftables skuid/skgid match to exclude proxy process.table inet mangle { set byp4 { typeof ip daddr flags interval elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 20 ...继续阅读 (43)

Enable bold font for GNOME Terminal:0x01# Get profile id dconf dump /org/gnome/terminal/legacy/ # Set bold font dconf write /org/gnome/terminal/legacy/profiles:/:b1dcc9dd-5262-4d8d-a863-c897e6d979b9/font "'Monospace Bold 14'"0x02Preferences->Profiles->->Colors:Select “Show bold text in bright colors” ...继续阅读 (26)

1. Open Settings.2. Click Keyboard Shortcuts.3. Click Alternate Characters Key.4. Select Right Supter. ...继续阅读 (25)

sh configure \ --with-extra-cflags="-Wno-error" \ --with-extra-cxxflags="-Wno-error" ...继续阅读 (23)

By default an exception can only occur during a function call or a throw. If we needs to catch excpetions thrown from trapping instructions, using the `-fnon-call-exceptions`.Docs:-fnon-call-exceptions Generate code that allows trapping instructions to throw exceptions. Note that this requires platform-specific runtime support that does not exist everywhere. Moreover, it only allows trapping instructions to throw exceptions, i.e. memory references or floating point instructions. It does not allow exceptions to be thrown from arbitrary signal handlers such as SIGALRM.Example:#include #includ ...继续阅读 (27)

For performance, sometimes we need to adjust the address space layout. The following way allows the shared or executable object to be loaded with preferred base address.When the dynamic link maps the shared object, the virtual address of segment(that in ELF program header) will be used as the mapping address hints.Type 1Link with text-segment starting address.# Adjust base address to 0x10000 */ gcc -shared ... -Wl,-Ttext-segment=0x10000Type 2We can adjust the virtual address of loaded segment by linker scripts.0x1 Get link script templategcc -shared -Wl,--verbose > ld.scriptClear the contents ...继续阅读 (21)

~/.gdbinit:add-auto-load-safe-path /.gdbinit in project working directory:set pagination off set $_exitcode = -1 run if $_exitcode != -1 quit endOver! ...继续阅读 (19)

adb shell settings put global captive_portal_https_url https://www.google.cn/generate_204Over! ...继续阅读 (14)

市面上常见的硬盘盒或硬盘柜几乎都设计了电源按钮开关，并不是外部供电就自动开机的，这也是一种保护措施。但如果我们用这类产品连接家庭服务器或NAS的话，在意外停电恢复后，外置硬盘盒设备就不能访问了，需要手工按一下电源开关。那么，有没有方法可以使这类产品能自动开机呢？方法不仅有，还不止一种哦。[if lt IE 9]>document.createElement('video'); ...继续阅读 (31)

+------+-----+----------+------+ Model NanoPi-M4 +------+----------+-----+------+ | GPIO | wPi | Name | Mode | V | Physical | V | Mode | Name | wPi | GPIO | +------+-----+----------+------+---+----++----+---+------+----------+-----+------+ | | | 3.3V | | | 1 || 2 | | | 5V | | | | | | I2C2_SDA | | | 3 || 4 | | | 5V | | | | | | I2C2_SCL | | | 5 || 6 | | | GND(0V) | | | | 32 | 7 | GPIO1_A0 | OUT | 0 | 7 || 8 | | ALT | GPIO4_C1 | 15 | 145 | | | ...继续阅读 (21)

0x01 Installationgit clone --depth 1 https://github.com/heiher/nginx cd nginx git clone --depth 1 https://github.com/heiher/nginx-dav-ext-module ./auto/configure --prefix=/opt/nginx \ --with-compat \ --with-file-aio \ --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_degradation_module \ --with-http_flv_module \ --with-http_geoip_module \ --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_mp4_module \ --with-http_realip_module \ --with-http_secure_link_module \ --wi ...继续阅读 (32)

Tagged packetUntagged packetINOUTINOUTTagged PortUnmodifiedUnmodifiedTag by PVIDTag by PVIDUntagged PortDropUntagTag by PVIDUnmodifiedOver! ...继续阅读 (22)

-fverbose-asmPut extra commentary information in the generated assembly code to make it more readable. This option is generally only of use to those who actually need to read the generated assembly code (perhaps while debugging the compiler itself).-O3gcc -O3 -fverbose-asm -o t.s t.c.arch armv8-a .file "t.c" // GNU C17 (GCC) version 9.2.0 (aarch64-unknown-linux-gnu) // compiled by GNU C version 9.2.0, GMP version 6.1.2, MPFR version 4.0.2, MPC version 1.1.0, isl version isl-0.21-GMP // GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072 // options passed: t.c -march=a ...继续阅读 (20)

在Linux系统上，使用dd命令清除SSD存储数据比较慢，快速的方法是使用blkdiscard命令。# Clear all data sudo blkdiscard DEVICE # Clear specific range sudo blkdiscard -o OFFSET -l LENGTH DEVICEOver! ...继续阅读 (16)

背景某个设备配套的刷机程序是个Linux recovery kernel，刷机过程会先从U盘加载刷机脚本，仅在签名校验通过后才执行脚本。本文记录了分析和移除签名校验的方法。分析刷机程序是一个bzImage文件，从启动的输出来看，内部包含了一个initrd，在initrd中实现了读取U盘中的脚本和签名校验过程。查看initrd内容通过增加启动参数(cmdline）rdinit=/bin/sh，可以使Kernel启动后执行/bin/sh，而不是默认的/init程序，有了命令行接口后，就可以查看initrd的内容。~ # busybox find / / /.ash_history /init /etc /etc/shadow /etc/passwd /.gnupg /.gnupg/trustdb.gpg /.gnupg/secring.gpg /.gnupg/pubring.gpg~ /.gnupg/pubring.gpg /bin /bin/kexec /bin/gpg2 /bin/busybox /bin/dd /bin/umount /bin/sleep /bin/rmdir /bin/rm /bin/reboot /bin/mount /bin/mkdir /bin/ls /bin/cat /bin/sh /mnt /sys /proc /dev /dev/pts /dev/l ...继续阅读 (34)

在macOS上通过虚拟机运行其它操作系统，又不想用商业软件，那么开源的QEMU是一个比较好的选择。QEMU的功能支持还是比较全面的，除了功能以外，使用虚拟机软件的用户最关心的就是性能了，一个好消息是macOS 10.10+版本已经引人了硬件虚拟化支持框架，也就是Hypervisor.framework，另一个好消息是QEMU也已支持该框架，也就是hvf accelerator。Requirements1. macOS 10.10+2. MacportsIssues已经使用过的用户可能已经发现，QEMU使用hvf accelerator并开启多核是有问题的呀。的确，QEMU使用hvf accelerator以单核运行时没有问题，当使用-smp参数指定多核时，很大概率上虚拟机硬件初始化都完成不了就死机了。不过，好消息是该问题也已经修复了，导致这个问题的原因是hvf accelerator代码设计没有考虑到虚拟机启动后所有hvf vcpu都在并行执行指令，其中包括硬件初始化的I/O模拟操作，多个CPU同时对同一硬件执行初始化显然是不行的。Patch(已经合并上游社区)Install QEMUcd ~ git clone https://github.com/hevz/macports sudo vim /opt/local/etc/macports/sources.conf# Add l ...继续阅读 (24)