Saturday, 16 September 2023

Building and Running the Linux Kernel Using Qemu: In a Nutshell

xb@dnxb:~$ sudo apt update
# Install the necessary packages for building the Linux kernel:
xb@dnxb:~$ sudo apt-get install build-essential libncurses5-dev bison flex libssl-dev libelf-dev
# libvirt-bin is now split into libvirt-daemon-system and libvirt-clients.
xb@dnxb:~$ sudo apt install qemu-kvm qemu virt-manager virt-viewer libvirt-daemon-system libvirt-clients

# To resolve the error "pahole (pahole) is not available" while making the kernel.
xb@dnxb:~$ sudo apt install dwarves
# Test in Ubuntu, not using Linux source at github
xb@dnxb:~$ sudo apt install linux-source
# After the installation, the source is typically located in `/usr/src/`
xb@dnxb:~$ cd /usr/src/
# You'll need to modify the subsequent commands "...5.4.0..." based on the latest version.
xb@dnxb:/usr/src$ cd linux-source-5.4.0
xb@dnxb:/usr/src/linux-source-5.4.0$ cp linux-source-5.4.0.tar.bz2 ~/Downloads/
xb@dnxb:/usr/src/linux-source-5.4.0$ cd ~/Downloads/

# OR use `pv linux-source-5.4.0.tar.bz2 | tar -xjf-` to monitor the extraction progress.
xb@dnxb:~/Downloads$ tar xjf linux-source-5.4.0.tar.bz2
# ... If you use Nautilus for extraction, you need to copy it from /usr/src/ to a regular user path before extracting.
# ... However, when using Nautilus, you might need to eliminate any redundant directories that were created by mistake. Eliminate them early, as changes in directory timestamps seem to slow down the remaking process.
# e.g. xb@dnxb:~/Downloads/redundant_folder/linux-source-5.4.0$

# To fix `No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.` when make kernel from Ubuntu because the .config file contains "debian/" certs:
xb@dnxb:~/Downloads/linux-source-5.4.0$ cp -r /usr/src/linux-source-5.4.0/debian ./
xb@dnxb:~/Downloads/linux-source-5.4.0$ cp -r /usr/src/linux-source-5.4.0/debian.master ./

# As an initial modification trial, add "hello world" after `pr_notice("%s", linux_banner);`:
xb@dnxb:~/Downloads/linux-source-5.4.0$ grep -i hello init/main.c -C 2
page_address_init();
pr_notice("%s", linux_banner);
pr_notice("Hello, World! from the Kernel by hole\n");
early_security_init();
setup_arch(&command_line);
xb@dnxb:~/Downloads/linux-source-5.4.0$

# ARCH=x86_64 is optional, while the default ARCH=x86 lets you toggle off the 64-bit kernel in the menu.
# Just click <Exit> then [Save]. If re-edit main.c to add print, no need run this:
xb@dnxb:~/Downloads/linux-source-5.4.0$ make menuconfig ARCH=x86_64
xb@dnxb:~/Downloads/linux-source-5.4.0$ make -j$(nproc) ARCH=x86_64
# If you re-edit main.c to add a print, you don't need to run `make modules`, just `make -j$(nproc) ARCH=x86_64 && make bzImage -j$(nproc) ARCH=x86_64`
# "Section mismatch" warnings can be safely ignored.
# Can type '?' to see details if seeing "[N/m/y/?] (NEW) ?", simply "y"
xb@dnxb:~/Downloads/linux-source-5.4.0$ make modules -j$(nproc) ARCH=x86_64
xb@dnxb:~/Downloads/linux-source-5.4.0$ make bzImage -j$(nproc) ARCH=x86_64

# Despite the ARCH=x86_64 setting, the kernel image path is ./arch/x86/boot/bzImage.
# The reason is the unified source code for x86 and x86_64 in the Linux kernel.
# x86 covering both x86 & x86_64 through scripts/subarch.include and .config .
# The x86_64 path is simply a symbolic link to x86.
# Use the x86 path to qemu as it's the real location for the kernel image.
xb@dnxb:~/Downloads/linux-source-5.4.0$ file ./arch/x86_64/boot/bzImage
./arch/x86_64/boot/bzImage: symbolic link to ../../x86/boot/bzImage
xb@dnxb:~/Downloads/linux-source-5.4.0$ realpath ./arch/x86/boot/bzImage
/home/xiaobai/Downloads/linux-source-5.4.0/arch/x86/boot/bzImage
xb@dnxb:~/Downloads/linux-source-5.4.0$

# Create an Initramfs:
# For a simple test, you can create a very basic initramfs that only has a /init script. Here's an example:
# replace 'hole' with your preferred directory name
xb@dnxb:~/Downloads/linux-source-5.4.0$ mkdir hole; cd hole/
xb@dnxb:~/Downloads/linux-source-5.4.0/hole$ mkdir -p myinitramfs
xb@dnxb:~/Downloads/linux-source-5.4.0/hole$ cd myinitramfs/
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ mkdir -p bin sbin etc tmp proc sys usr/bin usr/sbin
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ echo -e '#!/bin/sh\nmount -t proc none /proc\nmount -t sysfs none /sys\nexec /bin/sh' > init
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ chmod +x init
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ cd ..

# You can visit https://busybox.net/downloads/ to get the latest version. You'll need to modify the subsequent commands "...1.36.1..." based on the latest version:
xb@dnxb:~/Downloads/linux-source-5.4.0/hole$ wget https://busybox.net/downloads/busybox-1.36.1.tar.bz2
xb@dnxb:~/Downloads/linux-source-5.4.0/hole$ tar xjf busybox-1.36.1.tar.bz2
xb@dnxb:~/Downloads/linux-source-5.4.0/hole$ cd busybox-1.36.1/
# Load the default configuration:
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/busybox-1.36.1$ make defconfig
# "Settings" -> "Build Options" -> "Build static binary (no shared libs)" and press 'Y' otherwise will get "Kernel panic - not syncing: No working init found." after boot kernel.
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/busybox-1.36.1$ make menuconfig
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/busybox-1.36.1$ make -j$(nproc)

# Now, create the initramfs archive. CPIO is the preferred method because it effectively duplicates a file system, backs it up, and preserves unique file features like hardlinks and FIFOs:
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/busybox-1.36.1$ cd ../myinitramfs
# Use BusyBox as the shell program for initramfs:
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ cp ../busybox-1.36.1/busybox bin/
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ cd bin/
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs/bin$ ln -s busybox sh
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs/bin$ ln -s busybox mount
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs/bin$ cd ..
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ find . | cpio -H newc -o | gzip > ../myinitramfs.cpio.gz
xb@dnxb:~/Downloads/linux-source-5.4.0/hole/myinitramfs$ cd ../..

# Boot the kernel with qemu. You might need to press Enter to access the shell. To exit, use "Ctrl+a", release it, then press "x". If there's an issue, use killall qemu-system-x86_64.
# append "panic=10" will reboot 10 seconds after kernel panic
xb@dnxb:~/Downloads/linux-source-5.4.0$ qemu-system-x86_64 -kernel /home/xiaobai/Downloads/linux-source-5.4.0/arch/x86/boot/bzImage -initrd /home/xiaobai/Downloads/linux-source-5.4.0/myinitramfs.cpio.gz -append "console=ttyS0 earlyprintk=serial,ttyS0,115200 debug" -nographic
...




Wednesday, 17 May 2023

Is TikTok listening to my conversation?

My friend invited me to lunch and mentioned the word "cafe", but I didn't go.

After 4 hours, I noticed a post related to cafes in my Facebook news feed:


This post isn't very popular and I haven't heard the word "Cafe" for a long time, I can't even recall the last time. So I realized this post is not a coincidence, not again (something I type in ChatGPT also shows similar ads, either OpenAI or my keyboard is selling my data, as expected~).

So I quickly dumped adb logcat, hoping the relevant logs hadn't disappeared yet. Fortunately, it did retain the 05-16 19:39:17.603 log from the previous night:



The next thing I found is quite intriguing:


I recall my friend speaking to me around 12:30 pm (not sure of the exact time, but it was before 1 p.m.), and coincidentally, a suspicious log appears here that is too blatant to ignore!

The com.vivo.smartshot is a system app on my Vivo phone. I extracted the APK using that package name and found its app label is 'S-Capture' (gi is grep -i):


And yes, it has the microphone/record audio permission:


When I go to the system app settings, its permissions can't be turned off since it's a "system app"!



What is the "S-capture" app really? The Vivo site shows:



I'm only able to take a screenshot by swiping down with three fingers, but I don't see the floating dialogue for recording. It might be a different version, but I don't see any log showing SmartShot.

CVE of Vivo smartshot:


And the Calling a method in the system process without a qualified user is just a warning, not an indication of operation failure, as shown in AOSP:





I initially suspected that S-Capture was the problematic app, or that another app was exploiting the CVE associated with it.

Tuesday, 14 March 2023

ChatGPT is not the AI you expected

ChatGPT has explained why a non-existent book was listed in its response. 

It currently lacks a feature to flag items in its knowledge base as "existing" or "real," which can make it challenging to differentiate between genuine and imaginary entities.


This is similar to a human creating a dream that may not necessarily exist in the physical world. 
 
Dream is useful for creativity but you should not expect ChatGPT to always provide you with factual information.



Saturday, 6 August 2022

Chat bot 不是这样用的 - Celcom














Celcom Customer Service Messenger/Whatsapp chat robot:

1. 可以用 Live Chat Agent, AGENT, agent, Cool Agent, hi agent me 进入跟真人询问的环节,稍微复杂的就不行了。除了 Agent ,其它都是 I didn't quite understand/get, a bit advanced to me, Hmm..。

2. 五个月前 Live Chat Agent 无效应该是 fixed 了。

3. 输入 Support Inquiry/Case 后输入非号码的文字可以触发 invalid 后的 Live Chat Agent / AGENT 菜单建议。其他如 Account Status 选项出现就不能输入 Support Inquiry,必须等 OTP 失败/EXIT 后才能。

4. 不输入超过 256 字。输入 No 退出。


多少人被拒之门外 😶:
- https://www.facebook.com/groups/mobilemamak/posts/584040922949692/
- https://www.facebook.com/donat.darkhannaz/posts/pfbid02yiBUgta2DdLqZRcyqfEKdEmEczvSej1SLmVhDYoR9zXha7Nk1uzgRG1mhqpXmmW5l
- https://www.facebook.com/photo?fbid=5339132769450317
- https://www.facebook.com/zainal.ariffin.5/posts/pfbid034voWSUwWjGYQXDwbmAtSS5qCsNs4zo8TPyVK1rnbsJrn52itxTFjyaxMKwqSUdxvl

客服是省人工钱 + 避免小孩子乱玩,但是把 bug/投诉 蒙上双眼就 No case 真的不敢苟同。

之所以不拨打 1111 是因为曾一度(现在好像有了)没有 loss phone 选项, 只给你听广告。

另外吐槽一下,都 loss phone 了紧急 de-activate simcard 了还要浪费时间听 "且听我一个字一个字慢慢道来的广告"。

有些(旧?)手机很不友好,还要提前按 press keypad,否则真的摸不着要按哪里。 然后?重新听广告。

Chat bot 也有广告,用户有问题了已经很恼怒还要在迷宫般的 chatbot 重复看广告真的是花惹发。

淘宝也有类似问题,我都回复了几次大马客服手机打不进,却无限循环重复给大马客服手机号,绕了大圈子才升级到较好的人工客服。由于是 bug 客服也不是技术人员,最终仍然解决不了,但起码我得知手机 app 才能登陆到有问题的手机账号。

prestomall 也是花了一阵子才懂,需要手机 app 才能做到想要的换手机号功能。甭管淘宝或 prestomall, 网页版都不被重视是 buggy 的。


Saturday, 11 June 2022

How do scammers obtain TAC by calling your phone

Thought experiment. 😶


How do scammers obtain TAC by calling your phone.


1. A camera in a store, bank, or landlord caught you typing a password, phishing, or an 0 day exploit such as StrandHogg 2.0 (https://promon.co/resources/downloads/strandhogg-2-0-new-serious-android-vulnerability/, https://www.xda-developers.com/strandhogg-2-0-android-vulnerability-explained-developer-mitigation/).


2. The attacker calls you.


3. You pick up the phone and answer it. 


4. The attacker records your voice.


5. The attacker converts your voice to an inaudible form of Hey Google/Siri pattern (Dolphin Attack, https://dl.acm.org/doi/pdf/10.1145/3133956.3134052, https://www.securityweek.com/siri-alexa-google-now-vulnerable-ultrasound-attacks, https://www.helpnetsecurity.com/2020/03/03/ultrasonic-waves-access-cellphones/).


6. The attacker puts or delivers an ultrasound device near you. 


7. Now your phone is triggered to run commands by asking Hey Google or Siri in ultrasound. You don't realise it because humans can't hear ultrasound. See the demonstration video, get TAC by voice (I may use typing since my speaking is bad).  It has not been tested for ultrasound. The commands used: "Silent" -> "Dim the screen" -> "Open SMS app" -> "Send screenshot to 0133743923" -> "Please send" -> "Send".


8. If the attacker already has the victim's bank password, they just need to read the TAC SMS instead of exploiting other commands . Or reset the password via the leaked ATM card ID and password.

Note: Step #6, Direct voice transmission via phone call does not work because Google Assistant will not trigger since the Dialer app already uses a microphone.


Tuesday, 19 April 2022

How to open tiktok leaked(scraped?) db




TL;DR


The 8 tiktok json files are split, so you need `cat` to concatenate them to single xz file in order to extract files other than 001.

Then use jq to convert one-liner data file to json formatted file.

[1] cat tiktok.json.xz.00{1..8} > tiktok.json.xz.full; # bash

[2] Extract it in nautilus. Be patient, output size keep increasing until 176GB.

[3] <data jq '.' > tiktok.json


How I research from scratch:

I try jq on file tiktok.json.xz.001 extracted data file first, it failed with error at the end:

    parse error: Unfinished string at EOF at line 1, column 301400064

I need to know why jq failed first before proceed other huge file. 

I view the jq output last video id is 62077733563793408, and use this id to compare original data file.

I use python to read and split that id because normal utility `less`(-n better though) can't handle effectively such very long line.

I knew it failed ~10 lines only. 

So the reason jq failed is because of No closing "}" something which is make sense because it seems like split. 

Last characters of 001 data file:

    "playAddr": "https://v19-web-newkey.tiktokcdn.com/79eec1166f8ae077c86dd37a14d70288/5f84ddc0/video/s3/mp/s3-mp-v-0068/reg02/2016/02/08/08/15804438-6c1b-4a7a-8e35-f04687699854.mp4/?a=1988&br=0&bt

Before I try jq huge file(188.6 GB concatenated data file), I want to prove the files are continuation otherwise I waste my time on jq parse error.

So the next thing to prove is that 002 file really continue 001 file. 

I need extract the beginning part of 002 file from concatenated extracted data file to compare.

The normal command such as cut is heavy, so I try to use "low level" command `dd`.

The 001 data file is 26071203840 bytes (ls -la to get size, you don't use jq_001.out which already parsed). 

Then full data file simply round a bit within 10MB range to 26070000000 bytes. Then extract the total 10000000 bytes (10MB).

    dd if=full_data bs=1 skip=26070000000 count=10000000 of=skip_data

Again with python, `r = f.read()`, id `'62077733563793408' in r` is True. 

Then simply split(only 2 indexes) by '62077733563793408' and print r[1]. 

Then I can see `=0` continue `&bt` (last 3 characters of 001 data file), which proved that 002 has correct opening bytes to be able continuously parsed by jq on concatenated full data file:



It means that safe to proceed `cat`, extract, and `<data jq '.' > tiktok.json`. 

Be patient because it take times (data file 176GB, it took me 1 hour 8 minutes 40 seconds on jq, you can try 001 2GB file first to have expectation time of 14.1GB files).

After completed (195GB output file), I also use same step to compare to proved that the final output json item of parsed file same as data file.

Sunday, 16 January 2022

Facebook custom list feed is not really gone

 I thought that custom list feed gone long time ago:



But actually you can still access custom list news feed with this URL format (x.facebook OR m.facebook both can work):


                https://x.facebook.com/home.php?sk=fl_<LIST_ID>


List id can get from https://www.facebook.com/friends/friendlist , right-click the list item can copy list id of link https://www.facebook.com/lists/<LIST_ID>

I discover this because long time ago I created a custom app to launch custom friend list feed by clicking app icon, I wonder why it still working
(I chose this URL format because normal link not worked AND web browser required):

                am start -a android.intent.action.VIEW -d 'https://x.facebook.com/home.php?sk=fl_<LIST ID>'

Or alternatively simply visit https://m.facebook.com/ , hamburger menu on right can see old menu custom list too. Thanks to this video.