<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>ZnHoCn's Blog</title>
<link href="/atom.xml" rel="self"/>
<link href="https://znhocn.github.io/"/>
<updated>2018-12-28T15:34:30.128Z</updated>
<id>https://znhocn.github.io/</id>
<author>
<name>ZnHoCn</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>TP-Link TL-MR10U Install Breed Bootloader + OpenWrt</title>
<link href="https://znhocn.github.io/posts/2018/12/26/TP-Link-TL-MR10U-Install-Breed-Bootloader-and-OpenWrt/"/>
<id>https://znhocn.github.io/posts/2018/12/26/TP-Link-TL-MR10U-Install-Breed-Bootloader-and-OpenWrt/</id>
<published>2018-12-26T15:14:20.000Z</published>
<updated>2018-12-28T15:34:30.128Z</updated>
<content type="html"><![CDATA[<p>I picked up a second-hand TL-MR10U to upgrade its hardware, install OpenWrt and pair it with a LAN-Tap as a portable, convenient packet-capture tool.<br>It also has a built-in battery, so there is no need to drag a power bank along; the OpenWrt site also has a <a href="https://openwrt.org/toh/views/toh_battery-powered" target="_blank" rel="noopener">Table of Hardware: Battery powered</a> page listing every officially supported battery-powered ("power bank") device that can run OpenWrt.<br><a id="more"></a><br><img src="//files.hakr.xyz/images//2018-12-26_01-0001.jpg" alt=""></p>
<h2 id="升级硬件"><a href="#升级硬件" class="headerlink" title="升级硬件"></a>Hardware upgrade</h2>
<p>You need a 64MB RAM chip (HY5DU121622DTP-D43) and a 16MB FLASH chip (W25Q128); a hot-air rework station, soldering iron, flux, tweezers and similar tools; and a CH341A programmer with a wide-body SOP8 socket.<br>Look up videos online for the actual procedure. Do not press a soldering iron onto desoldering wick to drag the leftover high-temperature solder off the RAM pads; you will certainly lift the pads. Instead, cover the neighbouring components with high-temperature tape, add some flux to the pads and reflow the new component into place with the hot-air gun.<br>Take photos before removing anything so you remember where pin 1 of each component sits and do not solder the new part in the wrong orientation.</p>
<h2 id="备份原始固件"><a href="#备份原始固件" class="headerlink" title="备份原始固件"></a>Back up the original firmware</h2>
<p>Read all the data out of the removed FLASH with the programmer and save it to a backup file, write that data into the new 16MB FLASH chip, and finally solder the new FLASH back onto the board.</p>
<h2 id="刷入-Breed-Bootloader"><a href="#刷入-Breed-Bootloader" class="headerlink" title="刷入 Breed Bootloader"></a>Flash the Breed Bootloader</h2>
<p>Download the <a href="https://pan.baidu.com/s/1OCUnvfjJHJar7Pk0Lgt_uQ" target="_blank" rel="noopener">openwr-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin</a> image with the U-Boot partition unlocked; it is used to flash the bootloader.<br>Once downloaded, upload it as a firmware upgrade in the TP-Link stock web console, with the TL-MR10U connected to the computer by Ethernet cable, and wait several minutes for the router to finish rebooting.</p>
<p>Use the <code>scp</code> tool bundled with git-bash to upload the Breed Bootloader to the <code>/tmp</code> directory on the TL-MR10U.</p>
<pre><code class="language-bash">scp breed-ar9331-mr12u-r1163.bin root@192.168.1.1:/tmp/</code></pre>
<p>Log in to the TL-MR10U over SSH</p>
<pre><code class="language-bash">ssh root@192.168.1.1</code></pre>
<p>Back up U-Boot & ART</p>
<pre><code class="language-bash">cat /proc/mtd
dd if=/dev/mtd0 of=/tmp/u-boot.bin
dd if=/dev/mtd4 of=/tmp/art.bin
scp root@192.168.1.1:/tmp/*.bin .  # run this in the terminal on your computer to copy the backups from the router
</code></pre>
<p>Flash the new <a href="https://breed.hackpascal.net/EOL/breed-ar9331-mr12u-r1163.bin" target="_blank" rel="noopener">Breed Bootloader</a> (the file was uploaded to <code>/tmp</code> above)</p>
<pre><code class="language-bash">mtd -r write /tmp/breed-ar9331-mr12u-r1163.bin u-boot</code></pre>
<p>If you see "Could not open mtd device: u-boot Can't open device for writing!", you are running an official OpenWrt release image, which locks the U-Boot partition by default; you need an image with the partition unlocked. To get one, change the OpenWrt source configuration and rebuild it yourself, or download one somebody else has built.</p>
<h2 id="还原-Atheros-ART"><a href="#还原-Atheros-ART" class="headerlink" title="还原 Atheros ART"></a>Restore the Atheros ART</h2>
<ul><li>Note: if you replaced the FLASH chip and do not restore the Atheros ART data, the router's WiFi will not work!</li></ul>
<p>The ART data holds the configuration and driver data for the WiFi function; if ART is corrupted or missing, the OpenWrt you install will have no wireless.<br>Hold the RESET button while powering on and keep it held for about 5 seconds to enter Breed recovery mode. With the router connected to the computer by Ethernet cable, enter <code>192.168.1.1</code> in the browser to reach the Breed web recovery console.<br>Under "Firmware update" choose "Programmer firmware", untick "keep ART", tick only "keep Bootloader", and upload the FLASH dump you backed up earlier with the programmer.<br>Alternatively, restore directly from the ART backup made earlier.</p>
<p><img src="//files.hakr.xyz/images/2018-12-26_01-0002.png" alt=""></p>
<h2 id="安装-OpenWrt"><a href="#安装-OpenWrt" class="headerlink" title="安装 OpenWrt"></a>Install OpenWrt</h2>
<p>After the restore completes and the router reboots, enter Breed recovery mode again by hand. Under "Firmware update" choose "Regular firmware", tick only the firmware option and upload the latest OpenWrt factory image; at the same time you can back up ART for later use. The firmware can be downloaded from the TL-MR10U page on the OpenWrt site.</p>
<p><img src="//files.hakr.xyz/images//2018-12-26_01-0003.png" alt=""></p>
<p>If installing from the command line, the commands are:</p>
<pre><code class="language-bash">scp lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin root@192.168.1.1:/tmp/
ssh root@192.168.1.1
mtd -r write /tmp/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin firmware
</code></pre>
<p>OpenWrt TP-Link TL-MR10U: <a href="https://openwrt.org/toh/tp-link/tl-mr10u" target="_blank" rel="noopener">https://openwrt.org/toh/tp-link/tl-mr10u</a><br>Firmware OpenWrt Install: <a href="http://downloads.openwrt.org/releases/17.01.6/targets/ar71xx/generic/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin" target="_blank" rel="noopener">lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-factory.bin</a><br>Firmware OpenWrt Upgrade: <a href="http://downloads.openwrt.org/releases/17.01.6/targets/ar71xx/generic/lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-sysupgrade.bin" target="_blank" rel="noopener">lede-17.01.6-ar71xx-generic-tl-mr10u-v1-squashfs-sysupgrade.bin</a></p>
<h2 id="配置-OpenWrt"><a href="#配置-OpenWrt" class="headerlink" title="配置 OpenWrt"></a>Configure OpenWrt</h2>
<p>After installation, first set a password in the web console; set the subnet so it does not conflict with your other networks; configure wireless; and configure internet access, either over an Ethernet cable or by connecting wirelessly to another WiFi AP that has internet access.<br>If you want to reach the router's SSH and web console from a different subnet, remember to tick "allow access from remote hosts" on the password settings page and add firewall rules opening ports <code>22</code> and <code>80</code>.</p>
<p>Update packages</p>
<pre><code class="language-bash">opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</code></pre>
<p>Let OpenWrt mount USB drives</p>
<pre><code class="language-bash">opkg install usbutils
opkg install block-mount e2fsprogs kmod-usb-storage kmod-usb-storage-extras kmod-usb2 kmod-usb3 kmod-fs-ext4 kmod-fs-vfat
opkg install kmod-nls-cp437 kmod-nls-iso8859-1 kmod-nls-utf8
mkdir /mnt/sda1
block detect > /etc/config/fstab
uci set fstab.@mount[0].enabled='1'
uci commit
uci set fstab.@global[0].check_fs='1'
uci commit
block mount
service fstab enable
</code></pre>
<p>Install common tools</p>
<pre><code class="language-bash">opkg install tcpdump htop lsof</code></pre>
<h2 id="遇到的坑"><a href="#遇到的坑" class="headerlink" title="遇到的坑"></a>Pitfalls</h2>
<p>Because of the ART problem I flashed every TL-MR10U image available for download on the official site; every fix I found online for WiFi not working involved editing configuration files under <code>/etc</code>, yet my wireless adapter was not even being detected...<br>The TP-Link TL-MR10U has long been discontinued and only second-hand units can be bought; the series also includes the TL-MR11U, TL-MR12U and TL-MR13U as alternatives.</p>
<h2 id="Link"><a href="#Link" class="headerlink" title="Link"></a>Link</h2>
<ul><li><a href="https://oldwiki.archive.openwrt.org/doc/howto/generic.flashing" target="_blank" rel="noopener">Installing OpenWrt [Old OpenWrt Wiki]</a></li><li><a href="https://openwrt.org/docs/guide-user/installation/restore_art_partition" target="_blank" rel="noopener">OpenWrt Project: How to restore ART partition</a></li><li><a href="https://openwrt.org/docs/guide-developer/quickstart-build-images" target="_blank" rel="noopener">OpenWrt Project: Quick Image Building Guide</a></li><li><a href="https://www.cnblogs.com/11hwu2/articles/3702313.html" target="_blank" rel="noopener">The ART region in OpenWrt</a></li></ul>]]></content>
<summary type="html">
<p>I picked up a second-hand TL-MR10U to upgrade its hardware, install OpenWrt and pair it with a LAN-Tap as a portable, convenient packet-capture tool.<br>It also has a built-in battery, so there is no need to drag a power bank along; the OpenWrt site also has a <a href="https://openwrt.org/toh/views/toh_battery-powered" target="_blank" rel="noopener">Table of Hardware: Battery powered</a> page listing every officially supported battery-powered ("power bank") device that can run OpenWrt.<br></p>
</summary>
<category term="OpenWrt" scheme="https://znhocn.github.io/tags/OpenWrt/"/>
<category term="Breed Bootloader" scheme="https://znhocn.github.io/tags/Breed-Bootloader/"/>
<category term="TL-MR10U" scheme="https://znhocn.github.io/tags/TL-MR10U/"/>
</entry>
<entry>
<title>Android eMMC Data Recovery</title>
<link href="https://znhocn.github.io/posts/2018/12/19/Android-eMMC-Data-Recovery/"/>
<id>https://znhocn.github.io/posts/2018/12/19/Android-eMMC-Data-Recovery/</id>
<published>2018-12-19T10:32:41.000Z</published>
<updated>2018-12-21T07:28:10.571Z</updated>
<content type="html"><![CDATA[<p>I recently upgraded the tools on my hardware bench and can now rework BGA packages, so I took out an Android phone at home that suffered water damage a few years ago to recover its data.<br>The approach is simply to remove the eMMC chip from the phone's mainboard, solder it onto an empty USB-drive controller PCB and read the data out. This only works for devices without full-disk encryption; for an iPhone or a fully encrypted Android, the only options are repairing the mainboard or moving the ROM, CPU and baseband chips onto an intact board of the same model, booting it and entering the passcode to view the data.<br><a id="more"></a><br><img src="//files.hakr.xyz/images/2018-12-19_01-0001.png" alt=""></p>
<h2 id="硬件拆焊"><a href="#硬件拆焊" class="headerlink" title="硬件拆焊"></a>Desoldering the hardware</h2>
<p>Here I used an Alcor (安国) USB-drive controller PCB; when buying one, look up the BGA package type for the phone's eMMC part number and choose a matching controller board. An eMMC-to-SD adapter, or an SD card sleeve with flying leads soldered on directly, also works.</p>
<h2 id="读取-eMMC"><a href="#读取-eMMC" class="headerlink" title="读取 eMMC"></a>Reading the eMMC</h2>
<p>The method I used here is to solder the eMMC onto a USB-drive controller board and read the data from it.</p>
<h4 id="备份数据"><a href="#备份数据" class="headerlink" title="备份数据"></a>Back up the data</h4>
<p>First make an image backup of the soldered USB device; recovery is then done on the image file, so the data is not damaged by working on the device directly.<br>Before backing up, make sure the BGA soldering is good by checking whether the system can read the device's partition table: on Windows look in Disk Management, on Linux use <code>fdisk -l</code>.<br>On Windows the image can be made with <a href="https://sourceforge.net/projects/win32diskimager/" target="_blank" rel="noopener">Win32 Disk Imager</a> or the <code>dd</code> command in git-bash; on Linux use <code>dd</code> as well.</p>
<pre><code class="language-bash">dd if=/dev/sda of=dump_0.img bs=1024</code></pre>
<h4 id="查看镜像文件的分区表"><a href="#查看镜像文件的分区表" class="headerlink" title="查看镜像文件的分区表"></a>View the image file's partition table</h4>
<pre><code class="language-bash">$ fdisk -l dump_0.img
Ignoring extra data in partition table 5.
Ignoring extra data in partition table 5.
Disk dump_0.img: 3.6 GiB, 3875536896 bytes, 7569408 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa91b46f7

Device Boot Start End Sectors Size Id Type
dump_0.img1 1024 4294968318 4294967295 2T 5 Extended
dump_0.img2 26624 47103 20480 10M 83 Linux
dump_0.img3 47104 67583 20480 10M 83 Linux
dump_0.img4 101376 113663 12288 6M 83 Linux
dump_0.img5 144384 1981439 1837056 897M 83 Linux
dump_0.img6 4336640 4294968318 4290631679 2T 83 Linux
</code></pre>
<h4 id="计算要挂载分区的位置"><a href="#计算要挂载分区的位置" class="headerlink" title="计算要挂载分区的位置"></a>Compute the offset of the partition to mount</h4>
<p>Multiply the Start value of the partition you want to mount by the Units value (512 bytes per sector) to get the mount offset</p>
<pre><code class="language-bash">$ echo $((4336640*512))
2220359680
</code></pre>
<h4 id="创建挂载目录"><a href="#创建挂载目录" class="headerlink" title="创建挂载目录"></a>Create the mount directory</h4>
<pre><code class="language-bash">mkdir /mnt/emmc</code></pre>
<h4 id="挂载指定分区"><a href="#挂载指定分区" class="headerlink" title="挂载指定分区"></a>Mount the chosen partition</h4>
<pre><code class="language-bash">mount -o loop,offset=2220359680 dump_0.img /mnt/emmc/</code></pre>
<h4 id="打包备份分区内的文件"><a href="#打包备份分区内的文件" class="headerlink" title="打包备份分区内的文件"></a>Archive the files in the partition</h4>
<p>After archiving all the data it can be copied to Windows and unpacked to look at the individual files</p>
<pre><code class="language-bash">tar cvzf ~/dump_0_img6.tar.gz /mnt/emmc/</code></pre>
<h2 id="照片恢复"><a href="#照片恢复" class="headerlink" title="照片恢复"></a>Photo recovery</h2>
<p>Normally, photos that were not deleted by hand would still be in the DCIM directory. Unfortunately I found no photos in DCIM, only a .thumbnails folder.<br>The .thumbnails folder contains some thumbnails and .thumbdata5 cache files.</p>
<h4 id="从-thumbdata-恢复照片"><a href="#从-thumbdata-恢复照片" class="headerlink" title="从 .thumbdata 恢复照片"></a>Recovering photos from <code>.thumbdata</code></h4>
<p>Here a Python script is used to read the photos inside the .thumbdata file and save them; you can also use the web-based <a href="https://x0a.github.io/thumbdata3-viewer/" target="_blank" rel="noopener">HTML5 Thumbdata3 Viewer</a> to read it. <a href="https://files.iternull.com/script/python/thumbdata.py" target="_blank" rel="noopener">thumbdata.py</a> is my modified version of the script; the original comes from <a href="https://android.stackexchange.com/questions/58087/read-content-of-thumbdata-file" target="_blank" rel="noopener">Stack Exchange</a>.</p>
<pre><code class="language-bash">$ cd /mnt/emmc/
$ find ./ -name '*thumbdata*'
./DCIM/.thumbnails/.thumbdata5-1763508120_0
$ mkdir ~/thumbnails
$ cp DCIM/.thumbnails/.thumbdata5-1763508120_0 ~/thumbnails/
$ cd ~/thumbnails/
$ wget https://files.iternull.com/script/python/thumbdata.py
$ chmod 755 thumbdata.py
$ ./thumbdata.py .thumbdata5-1763508120_0
</code></pre>
<h2 id="联系人恢复"><a href="#联系人恢复" class="headerlink" title="联系人恢复"></a>Contact recovery</h2>
<p>Contacts are stored in the <code>contacts</code> and <code>view_contacts</code> tables of the <code>contacts2.db</code> database under <code>data/data/com.android.providers.contacts/databases/</code>.<br>The call log is stored in the <code>calls</code> table of the <code>calllog.db</code> database in the same <code>data/data/com.android.providers.contacts/databases/</code> directory.<br>Open the database files with <a href="https://sqlitebrowser.org/" target="_blank" rel="noopener">DB Browser for SQLite</a> to read the raw data.</p>
<pre><code class="language-bash">$ cd /mnt/emmc/
$ find ./ -name contacts2.db
./data/data/com.android.providers.contacts/databases/contacts2.db
$ find ./ -name calllog.db
./data/data/com.android.providers.contacts/databases/calllog.db
</code></pre>
<h2 id="短信恢复"><a href="#短信恢复" class="headerlink" title="短信恢复"></a>SMS recovery</h2>
<p>Text messages are stored in the <code>sms</code> table of the <code>mmssms.db</code> database under <code>data/data/com.android.providers.telephony/databases/</code>.<br>Open the database file with <a href="https://sqlitebrowser.org/" target="_blank" rel="noopener">DB Browser for SQLite</a> to read the raw data.</p>
<pre><code class="language-bash">$ cd /mnt/emmc/
$ find ./ -name mmssms.db
./data/data/com.android.providers.telephony/databases/mmssms.db
</code></pre>]]></content>
<summary type="html">
<p>I recently upgraded the tools on my hardware bench and can now rework BGA packages, so I took out an Android phone at home that suffered water damage a few years ago to recover its data.<br>The approach is simply to remove the eMMC chip from the phone's mainboard, solder it onto an empty USB-drive controller PCB and read the data out. This only works for devices without full-disk encryption; for an iPhone or a fully encrypted Android, the only options are repairing the mainboard or moving the ROM, CPU and baseband chips onto an intact board of the same model, booting it and entering the passcode to view the data.<br></p>
</summary>
<category term="Android" scheme="https://znhocn.github.io/tags/Android/"/>
<category term="eMMC" scheme="https://znhocn.github.io/tags/eMMC/"/>
<category term="Data Recovery" scheme="https://znhocn.github.io/tags/Data-Recovery/"/>
</entry>
<entry>
<title>替换阿里智能插座控制模组為小米控制模组</title>
<link href="https://znhocn.github.io/posts/2018/07/21/Replace-Ali-socket-control-module-into-Xiaomi-control-module/"/>
<id>https://znhocn.github.io/posts/2018/07/21/Replace-Ali-socket-control-module-into-Xiaomi-control-module/</id>
<published>2018-07-21T03:11:11.000Z</published>
<updated>2018-08-02T07:55:53.048Z</updated>
<content type="html"><![CDATA[<p>After more than half a year with the Ali smart socket I can no longer stand its terribly made "Ali Smart" app: after opening the app you have to refresh several times before the bound devices appear,<br>and the interface is very hard to use. I decided to switch back to Xiaomi's product line.<br><a id="more"></a></p>
<h2 id="模塊引脚"><a href="#模塊引脚" class="headerlink" title="模塊引脚"></a>Module pinout</h2>
<p>The Xiaomi control module was salvaged earlier when I was studying the "Mi Smart Plug Basic" and has been gathering dust for a long time; it uses an 88MW300 controller chip.<br>The Ali control module comes from the 10A version of the Ali wall socket and uses an ESP-WROOM-02 WiFi module based on the ESP8266.</p>
<p><img src="//files.hakr.xyz/images/2018-07-21_01-0001.jpg" alt=""></p>
<h2 id="轉換電路"><a href="#轉換電路" class="headerlink" title="轉換電路"></a>Adapter circuit</h2>
<p>The original modules pulled from the two smart sockets cannot simply be swapped; the pins of the Xiaomi control module have to be rewired into the 3-pin header of the Ali control module.<br>The surrounding circuit is actually quite simple: just add 1 blue LED, 1 yellow LED, 2 1k resistors and 1 tactile switch.</p>
<p><img src="//files.hakr.xyz/images/2018-07-21_01-0002.png" alt=""></p>
<h2 id="模塊焊接"><a href="#模塊焊接" class="headerlink" title="模塊焊接"></a>Module soldering</h2>
<p>To save cost I did not have a PCB made and used perfboard as the adapter base instead.</p>
<p><img src="//files.hakr.xyz/images/2018-07-21_01-0003.jpg" alt=""><br><img src="//files.hakr.xyz/images/2018-07-21_01-0004.jpg" alt=""><br><img src="//files.hakr.xyz/images/2018-07-21_01-0005.jpg" alt=""><br><img src="//files.hakr.xyz/images/2018-07-21_01-0006.jpg" alt=""></p>
<h2 id="問題"><a href="#問題" class="headerlink" title="問題"></a>Questions</h2>
<p>When would you need to do this?</p>
<ol><li>You do not want to use the awful "Ali Smart" app and happen to have a salvaged "Mi Smart Plug Basic" control module on hand.</li><li>You do not want to use the awful "Ali Smart" app, but also do not want to buy the Aqara smart wall socket that needs a Zigbee gateway; this module connects directly to the WiFi router.</li><li>You need a 16A smart wall socket; at present only Ali's smart socket comes in a 16A version, other makers' are mostly 10A.</li></ol>]]></content>
<summary type="html">
<p>After more than half a year with the Ali smart socket I can no longer stand its terribly made "Ali Smart" app: after opening the app you have to refresh several times before the bound devices appear,<br>and the interface is very hard to use. I decided to switch back to Xiaomi's product line.<br></p>
</summary>
<category term="Xiaomi" scheme="https://znhocn.github.io/tags/Xiaomi/"/>
<category term="Mijia" scheme="https://znhocn.github.io/tags/Mijia/"/>
<category term="Smart Plug" scheme="https://znhocn.github.io/tags/Smart-Plug/"/>
<category term="Smart Socket" scheme="https://znhocn.github.io/tags/Smart-Socket/"/>
<category term="Ali" scheme="https://znhocn.github.io/tags/Ali/"/>
</entry>
<entry>
<title>How to Make Redscale Film</title>
<link href="https://znhocn.github.io/posts/2018/05/05/How-to-Make-Redscale-Film/"/>
<id>https://znhocn.github.io/posts/2018/05/05/How-to-Make-Redscale-Film/</id>
<published>2018-05-05T13:37:09.000Z</published>
<updated>2018-05-05T15:04:03.268Z</updated>
<content type="html"><![CDATA[<p>Redscale film is a style of red-and-black coloured photos shot on 35mm film.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0009.jpg" alt=""></p>
<p><strong>Materials:</strong></p>
<ol><li>A fresh roll of colour film</li><li>An empty film cassette with a leader attached</li><li>Scissors</li><li>Tape</li><li>A changing bag (optional)<a id="more"></a></li></ol>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0001.jpg" alt=""></p>
<h3 id="步驟一"><a href="#步驟一" class="headerlink" title="步驟一"></a>Step 1</h3>
<p>Open the fresh colour roll and cut off the leader.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0002.jpg" alt=""></p>
<h3 id="步驟二"><a href="#步驟二" class="headerlink" title="步驟二"></a>Step 2</h3>
<p>Cut a piece of tape and stick it onto the new roll where the leader was just cut off.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0003.jpg" alt=""></p>
<h3 id="步驟三"><a href="#步驟三" class="headerlink" title="步驟三"></a>Step 3</h3>
<p>Trim the leader of the empty cassette straight, then join the empty cassette's leader to the new roll's leader with the emulsion sides reversed.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0004.jpg" alt=""></p>
<p>Check that the film face and the cassette orientation are joined correctly.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0005.jpg" alt=""></p>
<h3 id="步驟四"><a href="#步驟四" class="headerlink" title="步驟四"></a>Step 4</h3>
<blockquote><p>Must be done in complete darkness!</p></blockquote>
<p>Inside the changing bag, turn the empty cassette's spool to wind all of the film into the empty cassette (turn counter-clockwise).<br>Without a changing bag, do it at night with the lights off under a blanket.</p>
<h3 id="步驟五"><a href="#步驟五" class="headerlink" title="步驟五"></a>Step 5</h3>
<p>Pull out a short length of film, leaving a short tail on the original new cassette to serve as the leader next time, cut it there and put that cassette away.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0006.jpg" alt=""></p>
<h3 id="步驟六"><a href="#步驟六" class="headerlink" title="步驟六"></a>Step 6</h3>
<p>Pull out another short length and, using the leader cut off at the start as a template, cut a leader for use in the camera.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0007.jpg" alt=""></p>
<p>Finally, store the finished roll.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0008.jpg" alt=""></p>]]></content>
<summary type="html">
<p>Redscale film is a style of red-and-black coloured photos shot on 35mm film.</p>
<p><img src="//files.hakr.xyz/images/2018-05-05-01_0009.jpg" alt=""></p>
<p><strong>Materials:</strong></p>
<ol>
<li>A fresh roll of colour film</li>
<li>An empty film cassette with a leader attached</li>
<li>Scissors</li>
<li>Tape</li>
<li>A changing bag (optional)</li>
</ol>
</summary>
<category term="Film" scheme="https://znhocn.github.io/tags/Film/"/>
<category term="Redscale" scheme="https://znhocn.github.io/tags/Redscale/"/>
</entry>
<entry>
<title>My Country Is Not the Government</title>
<link href="https://znhocn.github.io/posts/2018/01/23/My-country-is-not-government/"/>
<id>https://znhocn.github.io/posts/2018/01/23/My-country-is-not-government/</id>
<published>2018-01-23T00:32:14.000Z</published>
<updated>2018-02-21T08:44:22.527Z</updated>
<content type="html"><![CDATA[<p>Please enter the password to read the blog.</p>]]></content>
<summary type="html">
The article has been encrypted, please enter your password to view.<br>
</summary>
<category term="Political" scheme="https://znhocn.github.io/tags/Political/"/>
</entry>
<entry>
<title>Annual summary 2017</title>
<link href="https://znhocn.github.io/posts/2017/12/30/Annual-summary-2017/"/>
<id>https://znhocn.github.io/posts/2017/12/30/Annual-summary-2017/</id>
<published>2017-12-30T14:11:09.000Z</published>
<updated>2018-05-30T12:48:18.076Z</updated>
<content type="html"><![CDATA[<p>Please enter the password to read the blog.</p>]]></content>
<summary type="html">
The article has been encrypted, please enter your password to view.<br>
</summary>
<category term="Annual summary" scheme="https://znhocn.github.io/tags/Annual-summary/"/>
</entry>
<entry>
<title>Hacking IP Camera (Hehuiyan C08)</title>
<link href="https://znhocn.github.io/posts/2017/12/26/Hacking-IP-Camera-Hehuiyan-C08/"/>
<id>https://znhocn.github.io/posts/2017/12/26/Hacking-IP-Camera-Hehuiyan-C08/</id>
<published>2017-12-25T18:12:27.000Z</published>
<updated>2018-05-30T15:31:57.726Z</updated>
<content type="html"><![CDATA[<p><a href="http://www.hehuiyan.com/" target="_blank" rel="noopener">和慧眼</a>是中国移动推出的一个摄像网络监控服务平台,旗下有多款智能摄像头设备。这里我们研究使用的是 C08 型号的。<br>IPCamera 与 WebCam 的其中一个区别是 IPCamera 不带有 Web 控制台,你只能使用厂商提供的 APP 控制设备,无法在局域网内通过网页控制设备。<br>并且 IPCamera 基本上都要连接互联网使用厂商的云平台,这意味着你的数据都会传输到云端,还可能需要再付费租用它的云端平台功能使用权。<br><a id="more"></a></p><h2 id="1-拆解硬件"><a href="#1-拆解硬件" class="headerlink" title="1 拆解硬件"></a>1 拆解硬件</h2><p><img src="//files.hakr.xyz/images/2017-12-26_01-0001.jpg" alt=""><br><img src="//files.hakr.xyz/images/2017-12-26_01-0002.jpg" alt=""></p><h2 id="2-串口调试"><a href="#2-串口调试" class="headerlink" title="2 串口调试"></a>2 串口调试</h2><p>我们这里使用 CP2012 USB to TTL 工具连接到设备上焊接了跳线的 UART 接口</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0003.jpg" alt=""></p><p>使用 PuTTY 客户端连接 COM 端口开始上电调试</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span 
class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">U-Boot 2010.06-svn2464 (Jan 21 2015 - 09:06:53)</span><br><span class="line">DRAM: 256 MiB</span><br><span class="line">gBootLogPtr:80b80008.</span><br><span class="line">Check spi flash controller v350... Found</span><br><span class="line">Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00</span><br><span class="line">reset/hold pin now is RESET</span><br><span class="line">Spi(cs1): Block:64KB Chip:16MB Name:<span class="string">"W25Q128B"</span></span><br><span class="line">boot from spi</span><br><span class="line">boot from spi</span><br><span class="line">partition file version 2</span><br><span class="line">rootfstype squashfs root /dev/mtdblock4</span><br><span class="line">In: serial</span><br><span class="line">Out: serial</span><br><span class="line">Err: serial</span><br><span class="line">TEXT_BASE:81000000</span><br><span class="line">state:ff,err_count:00</span><br><span class="line">support SD update</span><br><span class="line">MMC: Card did not respond to voltage select!</span><br><span class="line">No EMMC device found!!!</span><br><span class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line">Try again use backup_serverip</span><br><span 
class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line">Failed to get info.txt</span><br><span class="line">Fail to get info file!</span><br><span class="line">Init error!</span><br><span class="line">Hisilicon ETH net controler</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:1</span><br><span class="line">No such device: 0:2</span><br><span class="line">No such device: 0:2</span><br><span class="line"><span class="comment">## Booting kernel from Legacy Image at 82000000 ...</span></span><br><span class="line"> Image Name: Linux-3.0.8</span><br><span class="line"> Image Type: ARM Linux Kernel Image (uncompressed)</span><br><span class="line"> Data Size: 1042164 Bytes = 1017.7 KiB</span><br><span class="line"> Load Address: 80008000</span><br><span class="line"> Entry Point: 80008000</span><br><span class="line"> Loading Kernel Image ...OK</span><br><span class="line">OK</span><br><span class="line">boot from spi</span><br><span class="line">partition file version 2</span><br><span class="line">rootfstype squashfs root /dev/mtdblock4</span><br><span class="line">cmdLine mem=44M console=ttyS0,115200 root=/dev/mtdblock4 rootfstype=squashfs</span><br><span class="line"></span><br><span class="line">Starting kernel ...</span><br><span class="line">Uncompressing Linux... <span class="keyword">done</span>, booting the kernel.</span><br></pre></td></tr></table></figure><p>After several attempts the console output always stopped at <code>booting the kernel.</code> and went no further. 
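</p><p>The legacy uImage that U-Boot describes in the log above (image name, data size, load address, entry point, compression) starts with a fixed 64-byte big-endian header, and the same kind of magic-number scan is what <code>binwalk</code> performs on the firmware in sections 4.2 and 5.1 below. The Python below is an added example, not code from the original post: it parses and CRC-checks such a header and scans a flash dump for the uImage, SquashFS and JFFS2 magics. The dump it scans is constructed inline (the hypothetical <code>SAMPLE_DUMP</code>, not this camera's flash), and the OS/arch/type lookup tables list only the values relevant to this device.</p>

```python
"""Added example (not from the original post): parse a U-Boot legacy uImage
header and scan a raw flash dump for the partition magics binwalk looks for."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956          # ih_magic of the 64-byte legacy header
UIMAGE_HEADER_FMT = ">7I4B32s"     # big-endian: 7 x u32, 4 x u8, 32-byte name
UIMAGE_HEADER_LEN = struct.calcsize(UIMAGE_HEADER_FMT)  # 64

# Only the values relevant to this device are listed; U-Boot prints them as
# "ARM Linux Kernel Image (uncompressed)".
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {2: "Kernel Image"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}

# Magics binwalk reports for the partition types this camera uses.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "SquashFS superblock (little-endian)",
    b"sqsh": "SquashFS superblock (big-endian)",
    b"\x85\x19\x01\xe0": "JFFS2 dirent node (little-endian)",
    b"\x85\x19\x02\xe0": "JFFS2 inode node (little-endian)",
}


def crc32(data):
    """CRC-32 as U-Boot computes it (zlib polynomial, unsigned result)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage_header(blob, offset=0):
    """Parse and verify the legacy uImage header at blob[offset:].

    Returns the fields U-Boot prints at boot; raises ValueError on a bad
    magic, a truncated header or a header CRC mismatch.
    """
    hdr = blob[offset:offset + UIMAGE_HEADER_LEN]
    if len(hdr) < UIMAGE_HEADER_LEN:
        raise ValueError("truncated uImage header")
    (magic, hcrc, timestamp, size, load, entry, dcrc,
     os_id, arch_id, type_id, comp_id, name) = struct.unpack(UIMAGE_HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # ih_hcrc covers the whole header with the ih_hcrc field itself zeroed.
    if crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    data = blob[offset + UIMAGE_HEADER_LEN:offset + UIMAGE_HEADER_LEN + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "timestamp": timestamp,
        "size": size,
        "load": load,
        "entry": entry,
        "os": IH_OS.get(os_id, os_id),
        "arch": IH_ARCH.get(arch_id, arch_id),
        "type": IH_TYPE.get(type_id, type_id),
        "comp": IH_COMP.get(comp_id, comp_id),
        # ih_dcrc covers the payload that follows the header.
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
    }


def scan_signatures(blob):
    """Return every (offset, description) hit for the magics above, sorted."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = blob.find(magic)
        while pos >= 0:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_uimage(name, payload, load=0x80008000, entry=0x80008000):
    """Assemble a legacy uImage around payload. Used only to construct the
    sample dump below (a hypothetical image, not this camera's kernel)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry, crc32(payload),
              5, 2, 2, 0, name]   # os=Linux, arch=ARM, type=kernel, comp=none
    fields[1] = crc32(struct.pack(UIMAGE_HEADER_FMT, *fields))  # fill ih_hcrc
    return struct.pack(UIMAGE_HEADER_FMT, *fields) + payload


# Constructed sample dump: erased-flash padding, a kernel uImage, the start of
# a SquashFS superblock and the first node of a JFFS2 partition.
SAMPLE_DUMP = (
    b"\xff" * 0x100
    + build_uimage(b"Linux-3.0.8", b"\x00" * 0x40)
    + b"\xff" * 0x20
    + b"hsqs" + b"\x00" * 0x2c
    + b"\xff" * 0x10
    + b"\x85\x19\x02\xe0" + b"\x00" * 0x10
)


def describe(blob):
    """Report the scan hits and any parsed kernel header in U-Boot's style."""
    lines = []
    for off, desc in scan_signatures(blob):
        lines.append("0x%08x  %s" % (off, desc))
        if desc == "uImage header":
            h = parse_uimage_header(blob, off)
            lines.append("   Image Name: %s" % h["name"])
            lines.append("   Image Type: %s %s %s (%s)" % (h["arch"], h["os"], h["type"], h["comp"]))
            lines.append("   Data Size: %d Bytes = %.1f KiB" % (h["size"], h["size"] / 1024))
            lines.append("   Load Address: %08x  Entry Point: %08x" % (h["load"], h["entry"]))
            lines.append("   Data CRC: %s" % ("OK" if h["data_crc_ok"] else "BAD"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_DUMP))
```

<p>On a real dump, pass the bytes of <code>flash_0.bin</code> to <code>scan_signatures()</code> and then <code>parse_uimage_header()</code> at the reported uImage offset. A header whose CRC fails is far more often a bad flash read than an unusual image, so re-dump the chip before digging further.</p><p>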
No shell prompt appeared, and no login prompt either. Since U-Boot's messages arrived over the same wiring and the kernel command line passes <code>console=ttyS0,115200</code>, wiring and baud rate are not the problem; the kernel simply prints nothing further and no getty is started on the UART. Getting a shell over the serial console therefore had to be set aside for now.</p><h2 id="3-网络调试"><a href="#3-网络调试" class="headerlink" title="3 网络调试"></a>3 Network Debugging</h2><h3 id="3-1-端口扫描"><a href="#3-1-端口扫描" class="headerlink" title="3.1 端口扫描"></a>3.1 Port Scan</h3><p>Scan the device for open ports with Nmap.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">$ nmap -A 192.168.8.236</span><br><span class="line">Nmap scan report <span class="keyword">for</span> 192.168.8.236</span><br><span class="line">Host is up (0.0080s latency).</span><br><span class="line">Not shown: 997 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">23/tcp open telnet security DVR telnetd (many brands)</span><br><span class="line">554/tcp open rtsp</span><br><span class="line">| fingerprint-strings:</span><br><span class="line">| SIPOptions:</span><br><span class="line">| RTSP/1.0 401 Unauthorized</span><br><span class="line">| CSeq: 42</span><br><span class="line">|_ 
WWW-Authenticate: Basic realm=<span class="string">"MediaServer3.0"</span></span><br><span class="line">|_rtsp-methods: ERROR: Script execution failed (use -d to debug)</span><br><span class="line">5000/tcp open upnp?</span><br><span class="line">1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :</span><br><span class="line">SF-Port554-TCP:V=7.40%I=7%D=1/4%Time=5A4E4B5D%P=arm-unknown-linux-gnueabih</span><br><span class="line">SF:f%r(SIPOptions,57,<span class="string">"RTSP/1\.0\x20401\x20Unauthorized\r\nCSeq:\x2042\r\nW</span></span><br><span class="line"><span class="string">SF:WW-Authenticate:\x20Basic\x20realm=\"MediaServer3\.0\"\r\n\r\n"</span>);</span><br><span class="line">MAC Address: E0:50:8B:35:74:02 (Zhejiang Dahua Technology)</span><br><span class="line">Device <span class="built_in">type</span>: general purpose</span><br><span class="line">Running: Linux 2.6.X|3.X</span><br><span class="line">OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3</span><br><span class="line">OS details: Linux 2.6.32 - 3.5</span><br><span class="line">Network Distance: 1 hop</span><br><span class="line"></span><br><span class="line">TRACEROUTE</span><br><span class="line">HOP RTT ADDRESS</span><br><span class="line">1 8.00 ms 192.168.8.236</span><br><span class="line"></span><br><span class="line">OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line"><span class="comment"># Nmap done at Thu Jan 4 23:42:28 2018 -- 1 IP address (1 host up) scanned in 116.06 seconds</span></span><br></pre></td></tr></table></figure><p>The scan shows three open ports, <code>23</code>, <code>554</code> and <code>5000</code>, running Telnet, RTSP and (by Nmap's guess) UPnP respectively. Note that a default Nmap run only probes its 1000 most common ports; the <code>/proc/net/tcp</code> listing in section 5.3 reveals further listeners on 37776 and 37777 that only a full-range scan (<code>-p-</code>) would have found.</p><h3 id="3-2-网络数据包分析"><a href="#3-2-网络数据包分析" class="headerlink" title="3.2 网络数据包分析"></a>3.2 Network Packet Analysis</h3><p>Packets are captured on an OpenWrt router that has <code>tcpdump</code> installed and supports external USB storage.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ mount /dev/sdb1 /mnt/usb/ <span class="comment"># mount the USB stick</span></span><br><span class="line">$ <span class="built_in">cd</span> /mnt/usb/pcap/ <span class="comment"># change into the mount point</span></span><br><span class="line">$ tcpdump -i wlan0-1 -w wlan0-1_$(date +%s).<span class="built_in">cap</span> <span class="comment"># capture the traffic on the wireless interface</span></span><br></pre></td></tr></table></figure><p>After capturing for a while, open the capture file in Wireshark and analyse the IP camera's traffic.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0004.png" alt=""></p><h2 id="4-固件提取"><a href="#4-固件提取" class="headerlink" title="4 固件提取"></a>4 Firmware Extraction</h2><h3 id="4-1-从-SPI-Flash-芯片里提取固件"><a href="#4-1-从-SPI-Flash-芯片里提取固件" class="headerlink" title="4.1 从 SPI Flash 芯片里提取固件"></a>4.1 Extracting the Firmware from the SPI Flash Chip</h3><p>Here a Bus Pirate, an adapter board and a SOP8 test clip are used to connect to the SPI flash chip and dump the firmware.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0005.jpg" alt=""></p><p>Read the contents of the SPI flash chip into a file. Dump the chip twice and compare the two images byte for byte: in-circuit reads through a test clip are sensitive to clip contact and to the rest of the board loading the SPI bus, and a silently corrupted dump will derail the unpacking later on.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r flash_0.bin</span><br></pre></td></tr></table></figure><h3 id="4-2-从空气中提取固件"><a href="#4-2-从空气中提取固件" class="headerlink" title="4.2 从空气中提取固件"></a>4.2 Extracting the Firmware from the Air</h3><p><strong>Extracting the firmware from the air</strong> 
is the best way, in the IoT era of OTA firmware upgrades, to obtain the vendor's original update image.</p><p><a href="https://zh.wikipedia.org/wiki/%E7%A9%BA%E4%B8%AD%E7%BC%96%E7%A8%8B" target="_blank" rel="noopener">OTA</a> (over-the-air) means updating the firmware over the network, so extracting the firmware "from the air" really means extracting it from the network: capture every packet transferred during the update, then reassemble the packets to recover the original firmware file. This requires the device to support OTA updates, which most vendors' IoT devices do by default. It also requires the update to travel in the clear: if the download were wrapped in TLS, the reassembled stream would contain only ciphertext and the steps below would find nothing.</p><p>The model used here happened to have a new firmware update pushed, so this method could be used to obtain it.</p><p>As in section 3.2, packets are captured on an OpenWrt router with <code>tcpdump</code> installed and external USB storage; the device being captured must be associated with that router's SSID.</p><p>Capture the traffic on the wireless interface</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ tcpdump -i wlan0-1 -w wlan0-1_$(date +%s).<span class="built_in">cap</span></span><br></pre></td></tr></table></figure><p>With the capture running, trigger the firmware upgrade from the control app (back up the SPI flash before upgrading, so the old firmware version is preserved).</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0006.png" alt=""></p><p>Save the data streams from the captured packets to files. <code>tcpflow</code> names each reassembled stream <code>src.port-dst.port</code>, so the file used below is the server-to-camera direction, from <code>211.140.13.23:15050</code> to the camera at <code>172.16.42.116</code>.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ tcpflow -r wlan0-1_1515316239.cap</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-12-26_01-0007.png" alt=""></p><p>Look for the stream files <code>file</code> cannot identify (reported as plain "data"); those are the candidates for the firmware.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ file * | grep data</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-12-26_01-0008.png" alt=""></p><p>Recursively scan the stream and extract the files of known format it contains</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ binwalk -Me 211.140.013.023.15050-172.016.042.116.42004</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-12-26_01-0009.png" alt=""></p><p>The known-format files extracted by the recursive scan</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0010.png" alt=""></p><h2 id="5-固件逆向"><a href="#5-固件逆向" class="headerlink" title="5 固件逆向"></a>5 
Firmware Reverse Engineering</h2><h3 id="5-1-解包固件"><a href="#5-1-解包固件" class="headerlink" title="5.1 解包固件"></a>5.1 Unpacking the Firmware</h3><p>Recursively scan the backed-up SPI flash dump and extract the files of known format it contains</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ binwalk -Me flash_0.bin</span><br></pre></td></tr></table></figure><p>Inspect the recursively extracted files</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> _flash_0.bin.extracted/</span><br><span class="line">$ tree -L 3</span><br><span class="line">$ ls -l squashfs-root*</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-12-26_01-0011.png" alt=""></p><p>Inspect the Linux users and passwords</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> squashfs-root/</span><br><span class="line">$ <span class="built_in">cd</span> etc/</span><br><span class="line">$ cat passwd</span><br><span class="line">root:<span class="variable">$1</span><span class="variable">$jSqQv</span>.uP<span class="variable">$jgz4lwEx2pnDh4QwXkh06</span>/:0:0:root:/:/bin/sh</span><br></pre></td></tr></table></figure><p>The <code>passwd</code> file shows a single <code>root</code> user, a salted MD5-crypt (<code>$1$</code>) password hash stored directly in <code>passwd</code> rather than in a shadow file, and <code>/bin/sh</code> as the login shell. <a href="http://www.openwall.com/john/" target="_blank" rel="noopener">John the Ripper</a> cracks the hash to the plaintext password.</p><p>The recovered credentials:<br>User: <code>root</code><br>Password: <code>vizxv</code></p><p>Logging in to Telnet with this account did not succeed.</p><h3 id="5-2-分析-Telnet"><a href="#5-2-分析-Telnet" class="headerlink" title="5.2 分析 Telnet"></a>5.2 Analysing Telnet</h3><p>Since the system account was rejected, the next step is the Telnet service itself: analyse how it authenticates logins and find the correct user and password.</p><p>Locate the 
Telnet service binary</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> _flash_0.bin.extracted/squashfs-root/</span><br><span class="line">$ find ./ -name <span class="string">'*telnet*'</span></span><br><span class="line">./bin/telnet <span class="comment"># Telnet client</span></span><br><span class="line">./sbin/telnetd <span class="comment"># Telnet server</span></span><br></pre></td></tr></table></figure><p>Disassembling <code>telnetd</code> in IDA Pro shows that the Telnet user name and password are hard-coded in the binary. Because they live in the firmware image itself, they are identical on every unit running this firmware and cannot be changed by the owner: anyone who can reach port 23 gets root.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0012.png" alt=""><br><img src="//files.hakr.xyz/images/2017-12-26_01-0013.png" alt=""></p><p><strong>Telnet login account</strong><br>User: <code>admin</code><br>Password: <code>7ujMko0admin</code></p><p>Try logging in to Telnet again with this user</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0014.png" alt=""></p><blockquote><p><strong>Success!!!</strong><br>We now have a shell with root privileges.</p></blockquote><h3 id="5-3-收集系统运行信息"><a href="#5-3-收集系统运行信息" class="headerlink" title="5.3 收集系统运行信息"></a>5.3 Collecting Runtime System Information</h3><p>Information is collected by hand over the Telnet session. Compared with running a script such as <a href="https://github.com/craigz28/firmwalker" target="_blank" rel="noopener">Firmwalker</a> over the unpacked firmware, this captures what is only visible while the device is running: processes, open sockets, mounts and the contents of the writable partitions.</p><p>Collect the running processes</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span 
class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment"># ps</span></span><br><span class="line">PID USER TIME COMMAND</span><br><span class="line"> 1 root 0:00 init</span><br><span class="line"> 2 root 0:00 [kthreadd]</span><br><span class="line"> 3 root 0:00 [ksoftirqd/0]</span><br><span class="line"> 4 root 0:00 [kworker/0:0]</span><br><span class="line"> 5 root 0:01 [kworker/u:0]</span><br><span class="line"> 6 root 0:06 [rcu_kthread]</span><br><span class="line"> 7 root 0:00 [khelper]</span><br><span class="line"> 8 root 0:00 [kworker/u:1]</span><br><span class="line"> 72 root 0:00 [sync_supers]</span><br><span class="line"> 74 root 0:00 [bdi-default]</span><br><span class="line"> 76 root 0:00 [kblockd]</span><br><span class="line"> 168 root 0:00 [kswapd0]</span><br><span class="line"> 217 root 0:00 [fsnotify_mark]</span><br><span class="line"> 224 root 0:00 [crypto]</span><br><span class="line"> 238 root 0:00 [mtdblock0]</span><br><span class="line"> 243 root 0:00 [mtdblock1]</span><br><span class="line"> 248 root 0:00 [mtdblock2]</span><br><span class="line"> 253 root 0:00 
[mtdblock3]</span><br><span class="line"> 258 root 0:00 [mtdblock4]</span><br><span class="line"> 263 root 0:01 [mtdblock5]</span><br><span class="line"> 268 root 0:00 [mtdblock6]</span><br><span class="line"> 273 root 0:00 [mtdblock7]</span><br><span class="line"> 281 root 0:00 [kpsmoused]</span><br><span class="line"> 282 root 0:00 [kworker/0:1]</span><br><span class="line"> 324 root 0:00 [jffs2_gcd_mtd7]</span><br><span class="line"> 342 root 0:00 /sbin/telnetd</span><br><span class="line"> 397 root 0:00 [khubd]</span><br><span class="line"> 418 root 0:00 [OSA_416_1]</span><br><span class="line"> 478 root 0:00 [OSA_462_3]</span><br><span class="line"> 483 root 0:00 [OSA_462_4]</span><br><span class="line"> 502 root 0:00 syshelper elper 60</span><br><span class="line"> 526 root 0:00 [cfg80211]</span><br><span class="line"> 533 root 0:01 /usr/bin/wpa_supplicant -g/var/tmp/wpa_supplicant-global -P/var/tmp/eth2.pid</span><br><span class="line"> 543 root 0:00 [kworker/u:2]</span><br><span class="line"> 548 root 0:00 [flush-mtd-unmap]</span><br><span class="line"> 556 root 0:54 VideoDaemon AEWB</span><br><span class="line"> 557 root 0:00 /bin/sh /etc/init.d/appauto</span><br><span class="line"> 581 root 0:00 /bin/sh ./usr/etc/app.sh</span><br><span class="line"> 587 root 1:58 /usr/bin/sonia</span><br><span class="line"> 612 root 0:01 [RTW_CMD_THREAD]</span><br><span class="line"> 913 root 0:00 [kworker/u:3]</span><br><span class="line"> 1295 root 0:00 -sh</span><br><span class="line"> 1427 root 0:00 ps</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Everything runs as root. The user-space entries are the ones worth attention: <code>/sbin/telnetd</code> is started unconditionally at boot, <code>/usr/bin/sonia</code> (launched via <code>/etc/init.d/appauto</code> and <code>app.sh</code>) accounts for most of the CPU time and is the camera's main application, and <code>wpa_supplicant</code> manages the Wi-Fi link on <code>eth2</code>.</p><p>Collect the Linux version</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/proc <span class="comment"># cat version</span></span><br><span class="line">Linux version 3.0.8 (@centos-68) (gcc version 4.4.1 
(Hisilicon_v100(gcc4.4-290+uclibc_0.9.30.2+eabi+linuxpthread)) )</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Linux 3.0.8 built with the Hisilicon v100 toolchain (gcc 4.4.1, uClibc 0.9.30.2) is the vendor SDK kernel for this SoC; the 3.0 series stopped receiving upstream fixes in 2013, so any kernel bug found since then is still present here.</p><p>Collect processor information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment"># cd /proc/</span></span><br><span class="line">/proc <span class="comment"># cat cpuinfo</span></span><br><span class="line">Processor : ARM926EJ-S rev 5 (v5l)</span><br><span class="line">BogoMIPS : 218.72</span><br><span class="line">Features : swp half fastmult edsp java</span><br><span class="line">CPU implementer : 0x41</span><br><span class="line">CPU architecture: 5TEJ</span><br><span class="line">CPU variant : 0x0</span><br><span class="line">CPU part : 0x926</span><br><span class="line">CPU revision : 5</span><br><span class="line"></span><br><span class="line">Hardware : hi3518</span><br><span class="line">Revision : 0000</span><br><span class="line">Serial : 0000000000000000</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect memory information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">/proc <span class="comment"># cat meminfo</span></span><br><span class="line">MemTotal: 41604 kB</span><br><span class="line">MemFree: 1832 kB</span><br><span class="line">Buffers: 3948 kB</span><br><span class="line">Cached: 11636 kB</span><br><span class="line">SwapCached: 0 kB</span><br><span class="line">Active: 20528 kB</span><br><span class="line">Inactive: 7928 kB</span><br><span class="line">Active(anon): 12920 kB</span><br><span class="line">Inactive(anon): 296 kB</span><br><span class="line">Active(file): 7608 kB</span><br><span class="line">Inactive(file): 7632 kB</span><br><span class="line">Unevictable: 0 kB</span><br><span class="line">Mlocked: 0 kB</span><br><span class="line">SwapTotal: 0 kB</span><br><span class="line">SwapFree: 0 kB</span><br><span class="line">Dirty: 0 kB</span><br><span class="line">Writeback: 0 kB</span><br><span class="line">AnonPages: 12896 kB</span><br><span class="line">Mapped: 7156 kB</span><br><span class="line">Shmem: 344 kB</span><br><span class="line">Slab: 3356 kB</span><br><span class="line">SReclaimable: 868 kB</span><br><span class="line">SUnreclaim: 
2488 kB</span><br><span class="line">KernelStack: 728 kB</span><br><span class="line">PageTables: 476 kB</span><br><span class="line">NFS_Unstable: 0 kB</span><br><span class="line">Bounce: 0 kB</span><br><span class="line">WritebackTmp: 0 kB</span><br><span class="line">CommitLimit: 20800 kB</span><br><span class="line">Committed_AS: 449116 kB</span><br><span class="line">VmallocTotal: 966656 kB</span><br><span class="line">VmallocUsed: 17412 kB</span><br><span class="line">VmallocChunk: 931184 kB</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collect TCP connection information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">/proc <span class="comment"># cat /proc/net/tcp</span></span><br><span class="line"> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode</span><br><span class="line"> 0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 403 1 c2658460 300 0 0 2 -1</span><br><span class="line"> 1: 00000000:022A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 513 1 c2659180 300 0 0 2 -1</span><br><span class="line"> 2: 00000000:9390 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 415 1 c26588c0 300 0 0 2 -1</span><br><span class="line"> 3: 00000000:9391 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 412 1 c2658d20 300 0 0 2 -1</span><br><span class="line"> 4: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 162 1 c2658000 300 0 0 2 -1</span><br><span class="line"> 5: EC08A8C0:0017 
7E08A8C0:CFA9 01 00000002:00000000 01:0000001D 00000000 0 0 1444 4 c26595e0 31 4 25 10 9</span><br><span class="line"> 6: EC08A8C0:A135 120D8CD3:BF86 01 00001E8F:00000000 01:0000001D 00000000 0 0 1052 2 c2659ea0 31 4 0 18 7</span><br><span class="line"> 7: EC08A8C0:B352 160D8CD3:3572 01 00000000:00000000 00:00000000 00000000 0 0 1042 1 c2659a40 21 4 30 5 3</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p><code>local_address</code> and <code>rem_address</code> are written in hexadecimal, and the four bytes of the IPv4 address appear in reverse (little-endian) order.<br><code>6B 02 A8 C0</code> converts to decimal as <code>107 2 168 192</code>, which read back to front is the normal IPv4 address <code>192.168.2.107</code>.<br><code>0017</code> is the port number, also in hexadecimal; in decimal it is <code>23</code>.<br>Applied to the listing above: <code>EC08A8C0:0017</code> is <code>192.168.8.236:23</code>, the camera's own Telnet listener (matching its <code>eth2</code> address in the <code>ifconfig</code> output below), and row 5 is the Telnet session from <code>192.168.8.126</code>. The <code>st</code> column is the socket state, <code>0A</code> for LISTEN and <code>01</code> for ESTABLISHED. The listeners on <code>9390</code> and <code>9391</code> are ports 37776 and 37777, which the default Nmap port range in section 3.1 did not cover, and rows 6 and 7 are outbound connections to <code>211.140.13.18</code> and <code>211.140.13.22</code>, the same network the firmware update was downloaded from in section 4.2.<br>If converting by hand is tedious, the <a href="https://gist.github.com/jkstill/5095725" target="_blank" rel="noopener">proc_net_tcp_decode</a> script does it for you.</p><p>Collect UDP connection information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">/proc <span class="comment"># cat /proc/net/udp</span></span><br><span class="line"> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops</span><br><span class="line"> 146: 00000000:9392 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 416 2 c1dcf800 0</span><br><span class="line"> 146: 00000000:9392 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 413 2 c1dcf600 0</span><br><span class="line"> 178: EC08A8C0:93B2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1061 2 c0b16400 0</span><br><span class="line"> 178: FBFFFFEF:93B2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1060 2 c0b16000 0</span><br><span class="line"> 186: 00000000:13BA 00000000:0000 07 
00000000:00000000 00:00000000 00000000 0 0 382 2 c1dcf400 0</span><br><span class="line">/proc <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Decoded the same way, the UDP sockets are bound to ports 37778 (<code>9392</code>), 37810 (<code>93B2</code>) and 5050 (<code>13BA</code>); <code>FBFFFFEF</code> is the multicast group <code>239.255.255.251</code>, so the camera also listens on a multicast address.</p><p>Collect the installed command-line tools</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment">#</span></span><br><span class="line">VideoDaemon cat dmesg grep ip logView netinit <span class="built_in">pwd</span> ssl/ top</span><br><span class="line">[ chgrp du halt ipaddr login netinit6 reboot <span class="built_in">stat</span> touch</span><br><span class="line">[[ chmod <span class="built_in">echo</span> head iplink ls netstat redirClient sync udhcpd</span><br><span class="line">aewDebug chown egrep hostapd iproute lsmod netwifi redir_stdio syshelper udpsvd</span><br><span class="line">appauto chroot env hush iprule mdev nice rm systools umount</span><br><span class="line">armbenv clearparam fdisk hwclock iptunnel mkdir nslookup rmdir tail uname</span><br><span class="line">arp cp fgrep ifconfig iwconfig mknod ping rmmod tcpsvd unlzma</span><br><span class="line">arping cut find ifenslave <span class="built_in">kill</span> mnt_jffs2 ping6 route telnet unzip</span><br><span class="line">ash date free ii killall modinfo pkill sed telnetd vi</span><br><span class="line">audioDebug dd fsync inetd killall5 more poweroff seq <span class="built_in">test</span> who</span><br><span class="line">bash df gethwid init less mount printenv sh tftp whoami</span><br><span class="line">busybox dh_keyboard getty insmod 
ln mv ps sonia tftpd wpa_supplicant</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>The BusyBox set is small, but <code>tftp</code> and <code>tftpd</code> are present, which is the simplest way to move files on and off the device; <code>hostapd</code>, <code>udhcpd</code> and <code>wpa_supplicant</code> show it can act as both a Wi-Fi client and an access point.</p><p>Collect directory and mount information</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span 
class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line">~ <span class="comment"># mount</span></span><br><span class="line">rootfs on / <span class="built_in">type</span> rootfs (rw)</span><br><span class="line">/dev/root on / <span class="built_in">type</span> squashfs (ro,relatime)</span><br><span class="line">devtmpfs on /dev <span class="built_in">type</span> devtmpfs (rw,relatime,size=20760k,nr_inodes=5190,mode=755)</span><br><span class="line">proc on /proc <span class="built_in">type</span> proc (rw,relatime)</span><br><span class="line">sysfs on /sys <span class="built_in">type</span> sysfs (rw,relatime)</span><br><span class="line">devpts on /dev/pts <span class="built_in">type</span> devpts (rw,relatime,mode=600,ptmxmode=000)</span><br><span class="line">tmpfs on /var <span class="built_in">type</span> tmpfs (rw,relatime)</span><br><span class="line">/dev/mtdblock5 on /usr <span class="built_in">type</span> squashfs (ro,relatime)</span><br><span class="line">/dev/mtdblock7 on /mnt/mtd <span class="built_in">type</span> jffs2 (rw,relatime)</span><br><span class="line">usbfs on /proc/bus/usb <span class="built_in">type</span> usbfs (rw,relatime)</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># 
pwd</span></span><br><span class="line">/</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># touch aaa</span></span><br><span class="line">touch: aaa: Read-only file system</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># mount | grep rw</span></span><br><span class="line">rootfs on / <span class="built_in">type</span> rootfs (rw)</span><br><span class="line">devtmpfs on /dev <span class="built_in">type</span> devtmpfs (rw,relatime,size=20760k,nr_inodes=5190,mode=755)</span><br><span class="line">proc on /proc <span class="built_in">type</span> proc (rw,relatime)</span><br><span class="line">sysfs on /sys <span class="built_in">type</span> sysfs (rw,relatime)</span><br><span class="line">devpts on /dev/pts <span class="built_in">type</span> devpts (rw,relatime,mode=600,ptmxmode=000)</span><br><span class="line">tmpfs on /var <span class="built_in">type</span> tmpfs (rw,relatime)</span><br><span class="line">/dev/mtdblock7 on /mnt/mtd <span class="built_in">type</span> jffs2 (rw,relatime)</span><br><span class="line">usbfs on /proc/bus/usb <span class="built_in">type</span> usbfs (rw,relatime)</span><br><span class="line">~ <span class="comment">#</span></span><br><span class="line">~ <span class="comment"># cd /var/</span></span><br><span class="line">/var <span class="comment"># touch aaa</span></span><br><span class="line">/var <span class="comment"># ls -l</span></span><br><span class="line">total 0</span><br><span class="line">-rw-r--r-- 1 root root 0 Jan 25 04:23 aaa</span><br><span class="line">drwxr-xr-x 10 root root 440 Jan 25 04:02 tmp</span><br><span class="line">p-wx------ 1 root root 0 Jan 25 04:00 videoDebug</span><br><span class="line">drwxr-xr-x 2 root root 80 Jan 25 04:00 web</span><br><span class="line">/var <span class="comment">#</span></span><br><span class="line">/var <span class="comment"># cd 
/mnt/mtd/</span></span><br><span class="line">/mnt/mtd <span class="comment"># touch aaa</span></span><br><span class="line">/mnt/mtd <span class="comment"># ls -l</span></span><br><span class="line">total 6</span><br><span class="line">drwxr-xr-x 2 root root 0 Jan 1 1970 3A</span><br><span class="line">drwxr-xr-x 3 root root 0 Jan 25 04:00 Config</span><br><span class="line">drwxr-xr-x 2 root root 0 Nov 11 2016 Log</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 RtcSramFile</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 RtcSramFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 0 Jan 25 04:27 aaa</span><br><span class="line">drwxr-xr-x 2 root root 0 Jan 1 2000 audiofiles</span><br><span class="line">-rw-r--r-- 1 root root 36 Jan 25 04:00 flgFile</span><br><span class="line">-rw-r--r-- 1 root root 36 Jan 25 04:00 flgFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 556 Jan 25 04:15 recordSramFile</span><br><span class="line">-rw-r--r-- 1 root root 556 Jan 25 04:15 recordSramFileBackUp</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 socRtcSram</span><br><span class="line">-rw-r--r-- 1 root root 256 Jan 25 04:25 socRtcSramBackUp</span><br><span class="line">-rw-r--r-- 1 root root 21 Jan 1 2000 wifiModifyTime</span><br><span class="line">/mnt/mtd <span class="comment">#</span></span><br><span class="line"></span><br><span class="line">~ <span class="comment"># ls -l</span></span><br><span class="line">total 0</span><br><span class="line">drwxr-xr-x 2 root root 993 Jan 1 1970 bin</span><br><span class="line">drwxr-xr-x 7 root root 3200 Jan 25 04:00 dev</span><br><span class="line">drwxr-xr-x 4 root root 258 Jan 1 1970 etc</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 home</span><br><span class="line">drwxr-xr-x 2 root root 534 Jan 1 1970 lib</span><br><span class="line">lrwxrwxrwx 1 root root 11 Jan 1 1970 linuxrc -> bin/busybox</span><br><span 
class="line">drwxr-xr-x 12 root root 170 Jan 1 1970 mnt</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 nfs</span><br><span class="line">dr-xr-xr-x 57 root root 0 Jan 1 1970 proc</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 root</span><br><span class="line">drwxr-xr-x 2 root root 423 Jan 1 1970 sbin</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 share</span><br><span class="line">drwxr-xr-x 2 root root 3 Jan 1 1970 slave</span><br><span class="line">drwxr-xr-x 11 root root 0 Jan 1 1970 sys</span><br><span class="line">lrwxrwxrwx 1 root root 8 Jan 1 1970 tmp -> var/tmp/</span><br><span class="line">drwx--x--x 9 25858 25858 96 Oct 14 2015 usr</span><br><span class="line">drwxrwxrwt 4 root root 100 Jan 25 04:00 var</span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><p>Collecting network interface information</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">~ <span class="comment"># ifconfig</span></span><br><span class="line">eth2 Link encap:Ethernet HWaddr E0:50:8B:35:74:02</span><br><span class="line"> inet addr:192.168.8.236 Bcast:192.168.8.255 Mask:255.255.255.0</span><br><span class="line"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</span><br><span class="line"> RX packets:8895 errors:0 dropped:234 overruns:0 frame:0</span><br><span class="line"> TX packets:35955 errors:0 dropped:0 overruns:0 carrier:0</span><br><span class="line"> collisions:0 txqueuelen:1000</span><br><span class="line"> RX bytes:894282 (873.3 KiB) TX bytes:43996613 (41.9 MiB)</span><br><span class="line"></span><br><span class="line">lo Link encap:Local Loopback</span><br><span class="line"> inet addr:127.0.0.1 Mask:255.0.0.0</span><br><span class="line"> UP LOOPBACK RUNNING MTU:16436 Metric:1</span><br><span class="line"> RX packets:73 errors:0 dropped:0 overruns:0 frame:0</span><br><span class="line"> TX packets:73 errors:0 dropped:0 overruns:0 carrier:0</span><br><span class="line"> collisions:0 txqueuelen:0</span><br><span class="line"> RX bytes:15590 (15.2 KiB) TX bytes:15590 (15.2 KiB)</span><br><span class="line"></span><br><span class="line">~ <span class="comment">#</span></span><br></pre></td></tr></table></figure><!--Locating running services and open ports: since the `netstat` and `lsof -i` commands are both unavailable on this system, the only option is to collect the raw information by hand from the `/proc/` directory and decode it into readable form.--><h3 id="5-4-找出-RTSP-用户名与密码"><a href="#5-4-找出-RTSP-用户名与密码" class="headerlink" title="5.4 找出 RTSP 用户名与密码"></a>5.4 Finding the RTSP username and password</h3><p>Connecting to the IPCamera's RTSP server with <a href="https://www.videolan.org/" target="_blank" rel="noopener">VLC media player</a> shows that the service requires username and password authentication.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0015.png" alt=""></p><p>After decompiling several of the proprietary programs running on the system with IDA Pro, it turned out that most configuration files are stored under the <code>/mnt/</code> directory. Several accounts were then found in the file <code>/mnt/pd/product.zip</code>.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0016.png" alt=""></p><p>Trying these accounts against the service showed that the <code>admin</code> account works, and the connection to the IPCamera's RTSP service succeeded. The live video and audio can be viewed directly in VLC media player.</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0017.png" alt=""></p><h3 id="5-5-嗅探-5000-端口运行的服务"><a href="#5-5-嗅探-5000-端口运行的服务" class="headerlink" title="5.5 嗅探 5000 端口运行的服务"></a>5.5 Probing the service running on port 5000</h3><p>Connecting to port <code>5000</code> with NetCat returns no data; sending text yields no reply either, and after a certain number of bytes have been sent the connection is closed automatically.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ nc 192.168.8.236 5000</span><br></pre></td></tr></table></figure><p>Scanning the LAN for devices running UPnP with the <a href="https://github.com/0x90/miranda-upnp" target="_blank" rel="noopener">miranda-upnp</a> tool did not turn up the IPCamera either. What service runs on this port has not yet been determined; it is probably related to remote configuration within the LAN.</p><h2 id="6-APP-逆向"><a href="#6-APP-逆向" class="headerlink" title="6 APP 逆向"></a>6 Reversing the APP</h2><p>The APP may hold some useful information, so here we try a simple analysis of it.</p><h3 id="6-1-解包程序逆向代码"><a href="#6-1-解包程序逆向代码" class="headerlink" title="6.1 解包程序逆向代码"></a>6.1 Unpacking the app and reversing the code</h3><p>Unpack the <code>.apk</code> file with Apktool</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ apktool d hhy.apk</span><br></pre></td></tr></table></figure><p>Convert the <code>.dex</code> file into <code>.class</code> files with dex2jar</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ <span class="built_in">cd</span> hhy/assets/</span><br><span class="line">$ dex2jar classes.dex</span><br></pre></td></tr></table></figure><p>View the decompiled code with <a href="http://jd.benow.ca/" target="_blank" rel="noopener">JD-GUI</a></p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0018.png" alt=""></p><p>RTSP-related content can be found here</p><h3 id="6-2-APP-网络通信分析"><a href="#6-2-APP-网络通信分析" class="headerlink" title="6.2 APP 网络通信分析"></a>6.2 Analysing the APP's network traffic</h3><p><a href="https://portswigger.net/burp" target="_blank" rel="noopener">Burp Suite</a> can be used to analyse and modify the data in the APP's network traffic. This is not covered here.</p><h2 id="7-漏洞利用"><a href="#7-漏洞利用" class="headerlink" title="7 漏洞利用"></a>7 Exploiting the vulnerabilities</h2><h3 id="7-1-作为直播摄像头"><a href="#7-1-作为直播摄像头" class="headerlink" title="7.1 作为直播摄像头"></a>7.1 As a live-streaming camera</h3><p>This IPCamera runs an RTSP service, so we can try importing the video stream into <a href="https://obsproject.com/" target="_blank" rel="noopener">OBS</a> and using it as a live-streaming camera.</p><p>Add the RTSP stream as a media source in OBS</p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0019.png" alt=""></p><p><img src="//files.hakr.xyz/images/2017-12-26_01-0020.png" alt=""></p><h3 id="7-2-作为-DoS-肉鸡"><a href="#7-2-作为-DoS-肉鸡" class="headerlink" title="7.2 作为 DoS 肉鸡"></a>7.2 As a DoS bot</h3><p>This IPCamera also has spare storage, the <code>/mnt/</code> directory is writable, and the system ships with usable <code>tftp</code> and <code>tftpd</code> programs, so you could write your own backdoor program, compile it and transfer it to the device over FTP.</p><hr><ul><li>Note: these vulnerabilities have been fixed in the latest firmware version</li></ul>]]></content>
<summary type="html">
<p><a href="http://www.hehuiyan.com/" target="_blank" rel="noopener">和慧眼</a> is a camera network surveillance service platform launched by China Mobile, with several smart camera devices in its line-up. The one we study here is the C08 model.<br>One difference between an IPCamera and a WebCam is that the IPCamera has no web console: you can only control the device with the vendor's APP, not through a web page on the LAN.<br>Moreover, IPCameras basically all have to connect to the Internet and use the vendor's cloud platform, which means all your data is sent to the cloud, and you may also have to pay to rent the cloud platform's features.<br>
</summary>
<category term="Reverse Engineering" scheme="https://znhocn.github.io/tags/Reverse-Engineering/"/>
<category term="Hacking" scheme="https://znhocn.github.io/tags/Hacking/"/>
<category term="Hardware" scheme="https://znhocn.github.io/tags/Hardware/"/>
<category term="IPCamera" scheme="https://znhocn.github.io/tags/IPCamera/"/>
</entry>
<entry>
<title>Hacking the Philips Smart LED Bulb</title>
<link href="https://znhocn.github.io/posts/2017/12/17/Hacking-Philips-Smart-Led-Ball-Lamp/"/>
<id>https://znhocn.github.io/posts/2017/12/17/Hacking-Philips-Smart-Led-Ball-Lamp/</id>
<published>2017-12-16T18:12:11.000Z</published>
<updated>2018-02-21T08:44:21.601Z</updated>
<content type="html"><![CDATA[<p>The <a href="https://item.mi.com/1172100033.html" target="_blank" rel="noopener">Philips Smart LED Bulb</a> is a Xiaomi IoT smart device that connects to WiFi and is controlled through the Mi Home phone APP.<br><a id="more"></a></p><h2 id="1-拆解硬件"><a href="#1-拆解硬件" class="headerlink" title="1 拆解硬件"></a>1 Hardware teardown</h2><p>For the teardown, see the article <a href="https://blog.hakr.xyz/posts/2017/12/08/Philips-Smart-Led-Ball-Lamp-Dismantling-and-Firmware-extraction/" target="_blank" rel="noopener">"Teardown and Firmware Extraction of the Mi Home Philips Zhirui Smart Bulb"</a>. Its control module is the <a href="http://espressif.com/zh-hans/products/hardware/esp-wroom-02/overview" target="_blank" rel="noopener">ESP-WROOM-02</a> module from the <a href="http://espressif.com/zh-hans/products/hardware/esp8266ex/overview" target="_blank" rel="noopener">ESP8266</a> family.</p><h2 id="2-串口调试"><a href="#2-串口调试" class="headerlink" title="2 串口调试"></a>2 Serial debugging</h2><h3 id="2-1-硬件连接"><a href="#2-1-硬件连接" class="headerlink" title="2.1 硬件连接"></a>2.1 Hardware connection</h3><p>After removing the WiFi control module, strip off the heat-shrink tubing around it and use a hot-air gun to remove the SMD component R41 on the back (otherwise the module cannot be debugged).</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0006.jpg" alt=""></p><p>Then, as shown in the figure below, solder jumper wires to the corresponding pins of the module and connect them to a breadboard, attach a USB to TTL adapter to the computer and debug through a virtual terminal.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0007.png" alt=""></p><p><strong>Note:</strong> the wiring for the two modes in the figure is reversed: with <code>IO0</code> tied to <code>GND</code> the module enters flashing mode and the RTOS does not start; with <code>IO0</code> tied to <code>3.3V</code> it enters serial mode and the debug output can be seen.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0008.jpg" alt=""></p><h3 id="2-2-调试信息"><a href="#2-2-调试信息" class="headerlink" title="2.2 调试信息"></a>2.2 Debug output</h3><p>After powering the module, the boot messages and a simple command-line console can be seen in the virtual terminal.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">state: 5 -> 0 (0)</span><br><span class="line">rm 0</span><br><span class="line">pm close 7 0 0/18186986</span><br><span class="line">del if0</span><br><span class="line">usl</span><br><span class="line">sul 0 0</span><br><span class="line">disconnect from ssid WIFI_012345, reason 8</span><br><span class="line">▒▒*▒P*V▒▒ET▒▒▒▒T▒▒+▒▒u▒U+UZ▒Z▒T▒▒TQT▒QQ▒▒jP▒T▒▒u▒▒▒▒▒ZT▒(E▒▒▒▒Q▒Eu▒▒▒▒▒QB▒▒▒U*B▒u▒▒▒ZT▒(UE▒▒▒▒Q*Eu▒▒▒▒▒URB▒▒▒Օ▒▒▒▒ZT▒(UE▒▒▒▒Q▒▒E▒j*Q▒▒EQT+▒▒u▒▒▒Zյ▒▒jUJTE▒▒jU▒▒▒▒*U▒UT▒▒▒</span><br><span class="line"> ▒UT▒E▒▒▒uT</span><br><span class="line"> ▒▒▒▒▒▒UE▒▒▒TT▒U▒▒UU(Z▒UR▒▒▒▒UQ*Q▒UT*E▒▒P▒P▒Vխ▒A▒QQQT▒OS SDK ver: 1.5.0-dev(7f7a714) compiled @ May 15 2017 17:20:32</span><br><span class="line">phy ver: 1055_1, pp ver: 10.7</span><br><span class="line"></span><br><span class="line">rf cal sector: 507</span><br><span class="line">tcpip_task_hdl : 3fff2080, prio:10,stack:512</span><br><span class="line">idle_task_hdl : 3fff2140,prio:0, stack:384</span><br><span class="line">tim_task_hdl : 3fff4980, prio:2,stack:512</span><br><span class="line">reset reason: 4</span><br><span class="line">08:00:00.003 [PT] Booting into normal mode...</span><br><span class="line">08:00:00.003 [PT] DeviceId: ZigBee Node, Dimmable Light</span><br><span class="line">pwm version:1.0.2</span><br><span class="line">08:00:00.003 [PT] RESTORE EVENT</span><br><span class="line">08:00:04.439 [PT] pSwitchOnRstCount: 1</span><br><span class="line">08:00:04.440 [PT] power on: bri 254</span><br><span class="line">08:00:04.440 [PT] power on: cct 5700</span><br><span class="line">08:00:04.440 [PT] StartUp to light</span><br><span class="line">data : 0x3ffe8000 ~ 0x3ffe8abc, len: 2748</span><br><span class="line">rodata: 0x3ffe8b90 ~ 0x3ffeae18, len: 8840</span><br><span class="line">bss : 0x3ffeae18 ~ 0x3fff1ea0, len: 28808</span><br><span class="line">heap : 0x3fff1ea0 ~ 0x40000000, len: 57696</span><br><span class="line"></span><br><span class="line">_| _| _|_|_| _|_|_| _|_|</span><br><span class="line">_|_| _|_| _| _| _| _|</span><br><span class="line">_| _| _| _| _| _| _|</span><br><span class="line">_| _| _| _| _| _|</span><br><span class="line">_| _| _|_|_| _|_|_| _|_|</span><br><span class="line">psm init success</span><br><span class="line">OTP read OK</span><br><span class="line">JENKINS BUILD NUMBER: N/A</span><br><span class="line">BUILD TIME: Jun 12 2017,10:09:36</span><br><span class="line">MIIO APP VER: 1.3.0_0033</span><br><span class="line">MIIO MCU VER: N/A</span><br><span class="line">MIIO WIFI VER: 1.5.0-dev(7f7a714)</span><br><span class="line">MIIO DID: 60566054</span><br><span class="line">MIIO WIFI MAC: 34ce0099b601</span><br><span class="line">free_heap[after init]: 12432</span><br><span class="line">*****xiaomi init pass*****</span><br><span class="line">mode : sta(34:ce:00:99:b6:01)</span><br><span class="line">add if0</span><br><span class="line">scandone</span><br><span class="line">state: 0 -> 2 (b0)</span><br><span class="line">state: 2 -> 3 (0)</span><br><span class="line">state: 3 -> 5 (10)</span><br><span class="line">add 0</span><br><span class="line">aid 6</span><br><span class="line">pm open phy_2,type:2 0 0</span><br><span class="line">cnt</span><br><span class="line"></span><br><span class="line">connected with WIFI_012345, channel 11</span><br><span class="line">dhcp client start...</span><br><span class="line">connect to ssid WIFI_012345, channel 11</span><br><span class="line">wifi phy mode: 3</span><br><span class="line">ip:192.168.2.109,mask:255.255.255.0,gw:192.168.2.2</span><br><span class="line">ip:192.168.2.109,mask:255.255.255.0,gw:192.168.2.2</span><br><span class="line"></span><br><span class="line">help // type the help command</span><br><span class="line">Debug commandlist</span><br><span class="line">=================</span><br><span class="line">[command] [ARG]</span><br><span class="line">----------------------- -------------</span><br><span class="line">help</span><br><span class="line">reboot</span><br><span class="line">restore</span><br><span class="line">setwifi ARG: <"ssid"> <"passwd"> RET: ok/ error</span><br><span class="line">getwifi ARG: none RET: <"ssid"> <rssi> / error</span><br><span class="line">gettemp ARG: get temperature data</span><br><span class="line">stop_mcmd ARG: stop miio cmd RET: none</span><br><span class="line">model ARG: <model_string> RET: <model></span><br><span class="line">getversion ARG: get firmware version</span><br><span class="line">getheap ARG: get heap: ok/error</span><br><span class="line">mac ARG: none RET: ok/error</span><br><span class="line">bri ARG: bright pwm test, 0-100 RET: ok/error</span><br><span class="line">cct ARG: cct pwm test, 0-100 RET: ok/error</span><br><span class="line">setcct ARG: cct control test, 0-100 RET: ok/error</span><br><span class="line">setbri ARG: bri control test, 0-100 RET: ok/error</span><br><span class="line">setbricct ARG: bri and cct control test, 0-100 RET: ok/error</span><br><span class="line">applyscene ARG: apply scene: ok/error</span><br><span class="line"></span><br><span class="line">......</span><br></pre></td></tr></table></figure><h2 id="3-网络调试"><a href="#3-网络调试" class="headerlink" title="3 网络调试"></a>3 Network debugging</h2><p>For network debugging we need a WiFi router that can be controlled from the command line and has <code>tcpdump</code>, to capture inbound and outbound packets, plus a LAN Tap tool to view and capture inbound and outbound packets in real time.<br>Most wireless routers running OpenWrt support this; the one I use is the Chinese edition of the WiFi Pineapple.</p><p>Capture all packets passing over the WiFi connection</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">tcpdump -i wlan0-1 -w wlan0-1_$(date +%s).<span class="built_in">cap</span></span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/" alt=""></p><h2 id="4-固件提取"><a href="#4-固件提取" class="headerlink" title="4 固件提取"></a>4 Firmware extraction</h2><ul><li>See <a href="https://blog.hakr.xyz/posts/2017/12/08/Philips-Smart-Led-Ball-Lamp-Dismantling-and-Firmware-extraction/" target="_blank" rel="noopener">"Teardown and Firmware Extraction of the Mi Home Philips Zhirui Smart Bulb"</a></li></ul><h2 id="5-固件逆向"><a href="#5-固件逆向" class="headerlink" title="5 固件逆向"></a>5 Firmware reversing</h2><p>The <a href="http://espressif.com/zh-hans/products/hardware/esp8266ex/overview" target="_blank" rel="noopener">ESP8266</a> chip uses the <a href="https://en.wikipedia.org/wiki/Tensilica" target="_blank" rel="noopener">Xtensa</a> architecture.</p><h3 id="5-1-使用-IDA"><a href="#5-1-使用-IDA" class="headerlink" title="5.1 使用 IDA"></a>5.1 Using IDA</h3><p>IDA Pro itself does not support disassembling the Xtensa architecture; the third-party <a href="https://github.com/themadinventor/ida-xtensa" target="_blank" rel="noopener">ida-xtensa</a> plugin has to be installed to get disassembly.<br>The ida-xtensa plugin currently only supports IDA Pro 6.6 and later, but it throws errors on the latest IDA Pro 7.0, so I ended up using IDA Pro 6.8.<br>Download the ida-xtensa plugin, copy the <code>xtensa.py</code> file into the <code>procs/</code> folder of the IDA Pro installation directory and reopen IDA Pro.</p><p><img src="//files.hakr.xyz/images/2017-12-17_01-0001.png" alt=""><br><img src="//files.hakr.xyz/images/2017-12-17_01-0002.png" alt=""></p><h3 id="5-2-使用-Radare2"><a href="#5-2-使用-Radare2" class="headerlink" title="5.2 使用 Radare2"></a>5.2 Using Radare2</h3><p>Radare2 natively supports disassembling the Xtensa architecture (though not every version does).</p><p>Check whether the current Radare2 supports Xtensa disassembly</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ rasm2 -L | grep xtensa</span><br><span class="line">_dAe 32 xtensa GPL3 XTensa CPU</span><br></pre></td></tr></table></figure><p>Open the firmware with Radare2</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ r2 -a xtensa flash_0.bin</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-12-17_01-0003.png" alt=""></p><blockquote><p>My knowledge of Xtensa assembly is limited at the moment, so I cannot write up the subsequent disassembly analysis yet...</p></blockquote><h3 id="5-3-固件移植"><a href="#5-3-固件移植" class="headerlink" title="5.3 固件移植"></a>5.3 Porting the firmware</h3><p>I tried porting the previously dumped firmware to an ESP8266 development board, but on boot the virtual terminal showed the following error message repeating in a loop.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"> ets Jan 8 2013,rst cause:2, boot mode:(3,7)</span><br><span class="line"></span><br><span class="line">load 0x40100000, len 2416, room 16</span><br><span class="line">tail 0</span><br><span class="line">chksum 0x01</span><br><span class="line">load 0x3ffe8000, len 764, room 8</span><br><span class="line">tail 4</span><br><span class="line">chksum 0x60</span><br><span class="line">load 0x3ffe82fc, len 792, room 4</span><br><span class="line">tail 4</span><br><span class="line">chksum 0xee</span><br><span class="line">csum 0xee</span><br><span class="line"></span><br><span class="line">2nd boot version : 1.6.1(30daab7)</span><br><span class="line"> SPI Speed : 40MHz</span><br><span class="line"> SPI Mode : DIO</span><br><span class="line"> SPI Flash Size & Map: 32Mbit(512KB+512KB)</span><br><span class="line">jump to run user1 @ 1000</span><br><span class="line"></span><br><span class="line">OS SDK ver: 1.5.0-dev(7f7a714) compiled @ May 15 2017 17:20:32</span><br><span class="line">rf_cal[0] !=0x05,is 0x00</span><br></pre></td></tr></table></figure><p>This is because the firmware was dumped from an ESP-WROOM-02 module of the ESP8266 family, while the ESP8266 development board I used is based on the ESP-12E. Although both modules use the same processor model,<br>their Flash chips differ: the ESP-WROOM-02 has <code>2MB</code> of Flash while the ESP-12E has <code>4MB</code>, so the firmware cannot recognise the correct storage layout and fails to boot. This depends on how the firmware was developed; not every firmware behaves this way.<br>So I bought another development board based on the ESP-WROOM-02 module and tried again.</p><p><img src="//files.hakr.xyz/images/" alt=""></p><p>After powering the development board, the previous error no longer appeared in the virtual terminal, but a new error message came up.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">▒~1A▒|▒▒▒,▒h▒▒X▒OS SDK ver: 1.5.0-dev(7f7a714) compiled @ May 15 2017 17:20:32A▒▒*E(a▒▒▒ (▒dA#I-Aea*U▒I,!▒k▒t▒{▒S{`K</span><br><span class="line">phy ver: 1055_1, pp ver: 10.7</span><br><span class="line"></span><br><span class="line">rf cal sector: 1019</span><br><span class="line">tcpip_task_hdl : 3fff2080, prio:10,stack:512</span><br><span class="line">idle_task_hdl : 3fff2140,prio:0, stack:384</span><br><span class="line">tim_task_hdl : 3fff4980, prio:2,stack:512</span><br><span class="line">reset reason: 4</span><br><span class="line">08:00:00.004 [PT] Booting into normal mode...</span><br><span class="line">08:00:00.004 [PT] DeviceId: ZigBee Node, Dimmable Light</span><br><span class="line">pwm version:1.0.2</span><br><span class="line">08:00:00.005 [PT] RESTORE EVENT</span><br><span class="line">08:00:00.007 [PT] pSwitchOnRstCount: 1</span><br><span class="line">08:00:00.007 [PT] power on: bri 254</span><br><span class="line">08:00:00.007 [PT] power on: cct 5700</span><br><span class="line">08:00:00.007 [PT] StartUp to light</span><br><span class="line">data : 0x3ffe8000 ~ 0x3ffe8abc, len: 2748</span><br><span class="line">rodata: 0x3ffe8b90 ~ 0x3ffeae18, len: 8840</span><br><span class="line">bss : 0x3ffeae18 ~ 0x3fff1ea0, len: 28808</span><br><span class="line">heap : 0x3fff1ea0 ~ 0x40000000, len: 57696</span><br><span class="line"></span><br><span class="line">_| _| _|_|_| _|_|_| _|_|</span><br><span class="line">_|_| _|_| _| _| _| _|</span><br><span class="line">_| _| _| _| _| _| _|</span><br><span class="line">_| _| _| _| _| _|</span><br><span class="line">_| _| _|_|_| _|_|_| _|_|</span><br><span class="line">psm init success</span><br><span class="line">error: OTP read error, -2</span><br></pre></td></tr></table></figure><p>The message is an OTP read error. In the <a href="http://wiki.jackslab.org/ESP8266_Memory_Map#dport0" target="_blank" rel="noopener">ESP8266 Memory Map</a> I found the information about the OTP address: it is read-only data burned into the chip by the manufacturer, and it stores the hardware MAC address.<br>With the hardware in Flash mode I read this address block with <code>esptool.py</code>, and it matches the device's MAC address exactly:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ esptool.py -p /dev/ttyUSB0 dump_mem 0x3FF00000 256 dport0_1.bin</span><br><span class="line">$ xxd dport0_1.bin</span><br><span class="line">0000000: 0000 0000 0000 0000 0f08 0000 0300 0000 ................</span><br><span class="line">0000010: 0000 0000 0000 0000 ff00 ffff 0000 0000 ................</span><br><span class="line">0000020: 0000 0000 0600 0000 0000 0000 0000 0000 ................</span><br><span class="line">0000030: 4040 0000 0000 0000 4108 0000 0000 0000 @@......A.......</span><br><span class="line">0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">0000050: ccb4 2601 b699 1372 26ba c239 00ce 3480 ..&....r&..9..4.</span><br><span class="line">0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br><span class="line">00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................</span><br></pre></td></tr></table></figure><p><strong>Conclusion:</strong> Xiaomi's firmware uses the data at the OTP address to verify the hardware. The OTP holds the MAC address, and a vendor lookup of the device's MAC address resolves to Xiaomi, so unless the firmware is modified to skip this check it cannot be ported to modules of the same model made by other manufacturers.</p><h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>References</h2><ul><li><a href="https://habrahabr.ru/post/255135/" target="_blank" rel="noopener">Reverse Engineering ESP8266 — часть 1</a></li><li><a href="https://habrahabr.ru/post/255153/" target="_blank" rel="noopener">Reverse Engineering ESP8266 — часть 2</a></li><li><a href="https://dustri.org/b/solving-game2-from-the-badge-of-black-alps-2017-with-radare2.html" target="_blank" rel="noopener">Solving game2 from the badge of Black Alps 2017 with radare2</a></li><li><a href="http://wiki.jackslab.org/ESP8266_Memory_Map" target="_blank" rel="noopener">ESP8266 Memory Map</a></li></ul>]]></content>
<summary type="html">
<p>The <a href="https://item.mi.com/1172100033.html" target="_blank" rel="noopener">Philips Smart LED Bulb</a> is a Xiaomi IoT smart device that connects to WiFi and is controlled through the Mi Home phone APP.<br>
</summary>
<category term="ESP8266" scheme="https://znhocn.github.io/tags/ESP8266/"/>
<category term="Hacking" scheme="https://znhocn.github.io/tags/Hacking/"/>
<category term="Hardware" scheme="https://znhocn.github.io/tags/Hardware/"/>
</entry>
<entry>
<title>Teardown and Firmware Extraction of the Mi Home Philips Zhirui Smart Bulb</title>
<link href="https://znhocn.github.io/posts/2017/12/08/Philips-Smart-Led-Ball-Lamp-Dismantling-and-Firmware-extraction/"/>
<id>https://znhocn.github.io/posts/2017/12/08/Philips-Smart-Led-Ball-Lamp-Dismantling-and-Firmware-extraction/</id>
<published>2017-12-08T10:51:54.000Z</published>
<updated>2018-02-21T08:44:22.803Z</updated>
<content type="html"><![CDATA[<p>The <a href="https://item.mi.com/1172100033.html" target="_blank" rel="noopener">Philips Zhirui Smart Bulb</a> is a Xiaomi smart device that connects to WiFi and can be controlled through the Mi Home phone app. From the <a href="https://fccid.io/CMIIT-ID-2016DP3252" target="_blank" rel="noopener">CMIIT-ID: 2016DP3252</a> number on the packaging one can look up that its control chip is the <a href="http://espressif.com/zh-hans/products/hardware/esp-wroom-02/overview" target="_blank" rel="noopener">ESP-WROOM-02</a> module of the ESP8266 family.<br><a id="more"></a></p><h1 id="1-设备拆解"><a href="#1-设备拆解" class="headerlink" title="1 设备拆解"></a>1 Device teardown</h1><h2 id="1-1-打开灯罩"><a href="#1-1-打开灯罩" class="headerlink" title="1.1 打开灯罩"></a>1.1 Opening the diffuser</h2><p>First warm the adhesive with a hot-air gun, rotating the bulb while blowing on the glued seam; do not keep blowing at one spot or the diffuser will simply melt.</p><p>Once it is warm enough, pry open a gap by hand and work a prying tool along the edge bit by bit; a macadamia-nut opener key is quite handy for this.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0001.jpg" alt=""></p><h2 id="1-2-拆除-LED-板"><a href="#1-2-拆除-LED-板" class="headerlink" title="1.2 拆除 LED 板"></a>1.2 Removing the LED board</h2><p>First desolder the 3 wires with a soldering iron, then pry off the LED board; the board is glued to the base, so try heating it before prying.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0002.jpg" alt=""></p><h2 id="1-3-取出电源与控制模块"><a href="#1-3-取出电源与控制模块" class="headerlink" title="1.3 取出电源与控制模块"></a>1.3 Removing the power and control module</h2><p>The power module and the control module are soldered together and fixed to the base with a blob of glue. Cut the glue with a utility knife and pull the whole module outwards. The neutral and live wires at the bottom are not soldered to the metal contacts of the lamp base but clamped, so pull with some force; after a few pulls it comes out.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0003.jpg" alt=""></p><h2 id="1-4-拆下-WiFi-控制模块"><a href="#1-4-拆下-WiFi-控制模块" class="headerlink" title="1.4 拆下 WiFi 控制模块"></a>1.4 Removing the WiFi control module</h2><p>The WiFi control module is soldered to the power module through 4 pins and has to be desoldered with a soldering iron.</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0004.jpg" alt=""><br><img src="//files.hakr.xyz/images/2017-12-08_01-0005.jpg" alt=""></p><h2 id="1-5-焊接跳线"><a href="#1-5-焊接跳线" class="headerlink" title="1.5 焊接跳线"></a>1.5 Soldering jumper wires</h2><p>After removing the WiFi control module, strip off the heat-shrink tubing around it and use a hot-air gun to remove the SMD component R41 on the back (otherwise the module cannot be debugged).</p><p><img src="//files.hakr.xyz/images/2017-12-08_01-0006.jpg" alt=""></p><p>Then, as shown in the figure below, solder jumper wires to the corresponding pins of the module and connect them to a breadboard</p><ul><li>Note: the wiring for the two modes in the figure is reversed: with <code>IO0</code> tied to <code>GND</code> the module enters flashing mode and the RTOS does not start; with <code>IO0</code> tied to <code>3.3V</code> it enters serial mode and the debug output can be seen.</li></ul><p><img src="//files.hakr.xyz/images/2017-12-08_01-0007.png" alt=""><br><img src="//files.hakr.xyz/images/2017-12-08_01-0008.jpg" alt=""></p><h1 id="2-固件提取"><a href="#2-固件提取" class="headerlink" title="2 固件提取"></a>2 Firmware extraction</h1><h2 id="2-1-安装工具软件"><a href="#2-1-安装工具软件" class="headerlink" title="2.1 安装工具软件"></a>2.1 Installing the tools</h2><p>The WiFi control module is an ESP8266 chip, so here we use the <a href="https://github.com/espressif/esptool" target="_blank" rel="noopener">esptool</a> tool.<br>It is written in <a href="https://www.python.org/" target="_blank" rel="noopener">Python</a>, so you need to install <code>python</code> and <code>python-pip</code> first and then install <code>esptool</code> with <code>pip</code>.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">pip install esptool</span><br></pre></td></tr></table></figure><h2 id="2-2-固件提取操作"><a href="#2-2-固件提取操作" class="headerlink" title="2.2 固件提取操作"></a>2.2 Extracting the firmware</h2><p>Connect the device to your computer with a USB to TTL adapter (one based on the CP2102 chip is recommended) and find the device's serial port.</p><p>Check the Flash chip information on the module</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># esptool.py -p COM3 flash_id</span></span><br><span class="line"></span><br><span class="line">esptool.py v2.2</span><br><span class="line">Connecting....</span><br><span class="line">Detecting chip <span class="built_in">type</span>... ESP8266</span><br><span class="line">Chip is ESP8266EX</span><br><span class="line">Uploading stub...</span><br><span class="line">Running stub...</span><br><span class="line">Stub running...</span><br><span class="line">Manufacturer: c8</span><br><span class="line">Device: 4015</span><br><span class="line">Detected flash size: 2MB // here you can see the Flash chip size is 2MB</span><br><span class="line">Hard resetting...</span><br></pre></td></tr></table></figure><p>Read the chip contents into a file</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">esptool.py -p COM3 read_flash 0x00000 0x200000 flash_0.bin // 0x00000 is the start address, 0x200000 is the end address; the dump size specified here is 2MB</span><br></pre></td></tr></table></figure><p>Some usage examples</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">esptool.py -p COM3 chip_id // show the main chip info</span><br><span class="line">esptool.py -p COM3 flash_id // show the Flash info</span><br><span class="line">esptool.py -p COM3 read_mac // show the MAC address</span><br><span class="line">esptool.py -p COM3 image_info my_app.bin // read info from a binary firmware image file</span><br><span class="line">esptool.py -p COM3 dump_mem 0x3FF00000 65552 dport0_0.bin // dump the Dport0 address block of the chip to a file</span><br><span class="line">esptool.py -p COM3 dump_mem 0x3ffe8000 2748 data_0.bin</span><br><span class="line">esptool.py -p COM3 dump_mem 
0x3ffe8b90 8840 rodata_0.bin</span><br><span class="line">esptool.py -p COM3 dump_mem 0x3ffeae18 28808 bss_0.bin</span><br><span class="line">esptool.py -p COM3 dump_mem 0x3fff1ea0 57696 heap_0.bin</span><br><span class="line">esptool.py -p COM3 dump_mem 0x40000000 65536 iram_0.bin</span><br><span class="line">esptool.py -p COM3 read_flash_status // 查看 Flash 状态</span><br><span class="line">esptool.py -p COM3 read_flash 0x00000 0x100000 flash_0.bin // dump 1MB 大小的 Flash 数据到文件</span><br><span class="line">esptool.py -p COM3 read_flash 0x00000 0x200000 flash_0.bin // 2MB</span><br><span class="line">esptool.py -p COM3 read_flash 0x00000 0x400000 flash_0.bin // 4MB</span><br><span class="line">esptool.py -p COM3 read_flash 0x00000 0x800000 flash_0.bin // 4MB</span><br><span class="line">esptool.py -p COM3 read_flash 0x00000 0x1600000 flash_0.bin // 16MB</span><br><span class="line">esptool.py -p COM3 erase_flash // 擦除 Flash 芯片上的所有数据</span><br><span class="line">esptool.py -p COM3 write_flash 0x00000 my_app.bin // 写入新固件到 Flash</span><br></pre></td></tr></table></figure><p>更多用法去查看帮助</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">esptool.py help</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<p>The <a href="https://item.mi.com/1172100033.html" target="_blank" rel="noopener">Philips Zhirui smart bulb (飞利浦智睿球泡灯)</a> is a WiFi-connected Xiaomi smart device that can be controlled from the Mi Home mobile app. Looking up the <a href="https://fccid.io/CMIIT-ID-2016DP3252" target="_blank" rel="noopener">CMIIT-ID: 2016DP3252</a> printed on the packaging shows that its control chip is the <a href="http://espressif.com/zh-hans/products/hardware/esp-wroom-02/overview" target="_blank" rel="noopener">ESP-WROOM-02</a> module from the ESP8266 family.<br>
</summary>
<category term="Mijia" scheme="https://znhocn.github.io/tags/Mijia/"/>
<category term="ESP8266" scheme="https://znhocn.github.io/tags/ESP8266/"/>
<category term="Firmware" scheme="https://znhocn.github.io/tags/Firmware/"/>
</entry>
<entry>
<title>How to Get YouTube 4K Videos</title>
<link href="https://znhocn.github.io/posts/2017/08/15/How-to-Get-YouTube-4K-Videos/"/>
<id>https://znhocn.github.io/posts/2017/08/15/How-to-Get-YouTube-4K-Videos/</id>
<published>2017-08-15T08:34:53.000Z</published>
<updated>2018-02-21T08:44:22.276Z</updated>
<content type="html"><![CDATA[<p>Normally the highest-resolution YouTube video you can download as a single file is 720p; above 720p the video and audio are delivered as separate streams, which you have to merge into one file locally.<br><a id="more"></a><br>Download links for a YouTube video can be obtained from a third-party service, for example <a href="http://megavn.com/" target="_blank" rel="noopener">Download Youtube Online</a>.<br>Videos downloaded from YouTube via third-party tools generally come in 2 formats, <code>MP4</code> and <code>WebM</code>; 4K (2160p) video uses <code>WebM</code>, and the audio comes as <code>m4a</code>, <code>mp3</code>, <code>aac</code> or <code>wav</code>.<br>Once the 4K video file and the audio file are on your machine, use <a href="https://www.ffmpeg.org/" target="_blank" rel="noopener">FFmpeg</a> to transcode them and merge them into a new <code>MP4</code> file.</p>
<h3 id="转码-WebM-to-MP4"><a href="#转码-WebM-to-MP4" class="headerlink" title="Transcode WebM to MP4"></a>Transcode WebM to MP4</h3>
<pre><code class="bash">ffmpeg -i input.webm -c:v libx264 output.mp4
</code></pre>
<blockquote><p>Transcoding WebM is very time-consuming.</p></blockquote>
<h3 id="合并-MP4-WAV-to-MP4"><a href="#合并-MP4-WAV-to-MP4" class="headerlink" title="Merge MP4 + WAV to MP4"></a>Merge MP4 + WAV to MP4</h3>
<pre><code class="bash">ffmpeg -i input.mp4 -i input.wav -vcodec copy -acodec aac output.mp4
</code></pre>
<h3 id="转码-合并"><a href="#转码-合并" class="headerlink" title="Transcode + Merge"></a>Transcode + Merge</h3>
<pre><code class="bash">ffmpeg -i input.webm -i input.wav -c:a aac -c:v libx264 output.mp4
</code></pre>]]></content>
<summary type="html">
<p>Normally the highest-resolution YouTube video you can download as a single file is 720p; above 720p the video and audio are delivered as separate streams, which you have to merge into one file locally.<br>
</summary>
<category term="YouTube" scheme="https://znhocn.github.io/tags/YouTube/"/>
<category term="4K" scheme="https://znhocn.github.io/tags/4K/"/>
</entry>
<entry>
<title>YubiKey 4 PGP Feature Tutorial</title>
<link href="https://znhocn.github.io/posts/2017/06/03/YubiKey-4-GPG-Tutorial/"/>
<id>https://znhocn.github.io/posts/2017/06/03/YubiKey-4-GPG-Tutorial/</id>
<published>2017-06-02T16:23:15.000Z</published>
<updated>2018-02-21T08:44:23.409Z</updated>
<content type="html"><![CDATA[<p><a href="https://www.yubico.com/" target="_blank" rel="noopener">YubiKey</a> 是一款用于安全认证的硬件工具,其中的 YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO, YubiKey NEO-n,这些产品型号是包含 OpenPGP Card 功能的。</p><p>你可将你的私钥移动到 YubiKey 里,在需要使用的时候插上,而不必担心私钥泄露或被恶意程序盗取,并且支持在多种操作系统上使用。</p><a id="more"></a><h2 id="1、生成密钥对"><a href="#1、生成密钥对" class="headerlink" title="1、生成密钥对"></a>1、生成密钥对</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span 
class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --gen-key</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Please select what kind of key you want:</span><br><span class="line"> (1) RSA and RSA (default)</span><br><span class="line"> (2) DSA and Elgamal</span><br><span class="line"> (3) DSA (sign only)</span><br><span class="line"> (4) RSA (sign only)</span><br><span class="line">Your selection? 1 // 输入 1 选择默认的 RSA 加密算法</span><br><span class="line">RSA keys may be between 1024 and 4096 bits long.</span><br><span class="line">What keysize <span class="keyword">do</span> you want? (2048) 4096</span><br><span class="line">Requested keysize is 4096 bits</span><br><span class="line">Please specify how long the key should be valid.</span><br><span class="line"> 0 = key does not expire</span><br><span class="line"> <n> = key expires <span class="keyword">in</span> n days</span><br><span class="line"> <n>w = key expires <span class="keyword">in</span> n weeks</span><br><span class="line"> <n>m = key expires <span class="keyword">in</span> n months</span><br><span class="line"> <n>y = key expires <span class="keyword">in</span> n years</span><br><span class="line">Key is valid <span class="keyword">for</span>? (0) // 直接回车选择 0 默认永不过期</span><br><span class="line">Key does not expire at all</span><br><span class="line">Is this correct? 
(y/N) y // 输入 y 确定 下一步</span><br><span class="line"></span><br><span class="line">GnuPG needs to construct a user ID to identify your key.</span><br><span class="line"></span><br><span class="line">Real name: Test User // 输入你的姓名</span><br><span class="line">Email address: <span class="built_in">test</span>@example.com // 输入你的邮箱</span><br><span class="line">Comment: // 输入你的附加信息,可以是你的网络 ID 名称,或者直接回车跳过</span><br><span class="line">You selected this USER-ID:</span><br><span class="line"> <span class="string">"Test User <[email protected]>"</span></span><br><span class="line"></span><br><span class="line">Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o // 输入 o 回车后会要求你设置一个私钥的密码</span><br><span class="line">You need a Passphrase to protect your secret key.</span><br><span class="line"></span><br><span class="line">We need to generate a lot of random bytes. It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line">We need to generate a lot of random bytes. 
It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line">gpg: key A8C37A46 marked as ultimately trusted</span><br><span class="line">public and secret key created and signed.</span><br><span class="line"></span><br><span class="line">gpg: checking the trustdb</span><br><span class="line">gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model</span><br><span class="line">gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u</span><br><span class="line">pub 4096R/F891791F 2017-05-29</span><br><span class="line"> Key fingerprint = 628C 7B5D D284 224A 3321 4369 BC71 9F68 F891 791F</span><br><span class="line">uid [ultimate] Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 4096R/46D4D220 2017-05-29</span><br></pre></td></tr></table></figure><h2 id="2、添加验证密钥"><a href="#2、添加验证密钥" class="headerlink" title="2、添加验证密钥"></a>2、添加验证密钥</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span 
class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span 
class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --expert --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Secret key is available.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">[ultimate] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> addkey</span><br><span class="line">This key is not protected.</span><br><span class="line">Please select what kind of key you want:</span><br><span class="line"> (3) DSA (sign only)</span><br><span class="line"> (4) RSA (sign only)</span><br><span class="line"> (5) Elgamal (encrypt only)</span><br><span class="line"> (6) RSA (encrypt only)</span><br><span class="line"> (7) DSA (<span class="built_in">set</span> your own capabilities)</span><br><span class="line"> (8) RSA (<span class="built_in">set</span> your own capabilities)</span><br><span class="line">Your selection? 
8</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Sign Encrypt</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? A</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Sign Encrypt Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? S</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Encrypt Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? 
E</span><br><span class="line"></span><br><span class="line">Possible actions <span class="keyword">for</span> a RSA key: Sign Encrypt Authenticate</span><br><span class="line">Current allowed actions: Authenticate</span><br><span class="line"></span><br><span class="line"> (S) Toggle the sign capability</span><br><span class="line"> (E) Toggle the encrypt capability</span><br><span class="line"> (A) Toggle the authenticate capability</span><br><span class="line"> (Q) Finished</span><br><span class="line"></span><br><span class="line">Your selection? Q</span><br><span class="line">RSA keys may be between 1024 and 4096 bits long.</span><br><span class="line">What keysize <span class="keyword">do</span> you want? (2048) 4096</span><br><span class="line">Requested keysize is 4096 bits</span><br><span class="line">Please specify how long the key should be valid.</span><br><span class="line"> 0 = key does not expire</span><br><span class="line"> <n> = key expires <span class="keyword">in</span> n days</span><br><span class="line"> <n>w = key expires <span class="keyword">in</span> n weeks</span><br><span class="line"> <n>m = key expires <span class="keyword">in</span> n months</span><br><span class="line"> <n>y = key expires <span class="keyword">in</span> n years</span><br><span class="line">Key is valid <span class="keyword">for</span>? (0)</span><br><span class="line">Key does not expire at all</span><br><span class="line">Is this correct? (y/N) y</span><br><span class="line">Really create? (y/N) y</span><br><span class="line">We need to generate a lot of random bytes. 
It is a good idea to perform</span><br><span class="line">some other action (<span class="built_in">type</span> on the keyboard, move the mouse, utilize the</span><br><span class="line">disks) during the prime generation; this gives the random number</span><br><span class="line">generator a better chance to gain enough entropy.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ultimate] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> q</span><br><span class="line">Save changes? (y/N) y</span><br></pre></td></tr></table></figure><h2 id="3、备份密钥"><a href="#3、备份密钥" class="headerlink" title="3、备份密钥"></a>3、备份密钥</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">gpg --armor --output public-key.asc --<span class="built_in">export</span> F891791F // 导出公钥到文件</span><br><span class="line">gpg --armor --output private-key.asc --<span class="built_in">export</span>-secret-keys F891791F // 导出私钥到文件</span><br><span class="line">gpg --armor --output subkeys-key.asc --<span class="built_in">export</span>-secret-subkeys F891791F // 导出子钥到文件</span><br></pre></td></tr></table></figure><h2 id="4、设置-OpenPGP-卡"><a href="#4、设置-OpenPGP-卡" class="headerlink" title="4、设置 OpenPGP 卡"></a>4、设置 OpenPGP 卡</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span 
class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --card-edit</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: [not <span class="built_in">set</span>]</span><br><span class="line">Language prefs ...: [not <span class="built_in">set</span>]</span><br><span class="line">Sex ..............: unspecified</span><br><span class="line">URL of public key : [not <span class="built_in">set</span>]</span><br><span class="line">Login data .......: [not <span class="built_in">set</span>]</span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span 
class="line">Max. PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 0 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br><span class="line"></span><br><span class="line">gpg/card> admin // 进入管理员模式</span><br><span class="line">Admin commands are allowed</span><br><span class="line"></span><br><span class="line">gpg/card> passwd // 设置密码</span><br><span class="line">gpg: OpenPGP card no. D2760001240102000060000000420000 detected</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 1 // 输入 1 选择设置普通 PIN 码,默认的 PIN 码为 123456 如果是新设备或重置后的都是默认码。</span><br><span class="line">PIN changed. // 设置时会先要求你输入普通 PIN 码的当前的密码,然后是设置新的 PIN 码,再是新的 PIN 码的二次确认。如果当前的 PIN 码输错 3 次就会被锁。</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 3 // 输入 3 选择设置 Admin PIN 码,默认的 PIN 码为 12345678 如果是新设备或重置后的都是默认码。</span><br><span class="line">PIN changed. 
// 设置时会先要求你输入 Admin PIN 码的当前的密码,然后是设置新的 PIN 码,再是新的 PIN 码的二次确认。如果当前的 PIN 码输错 3 次就会被锁。</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 2 // (可选)输入 2 选择设置 unblock PIN 码,也就解锁码,用于在普通 PIN 码被锁后解锁并重置新的普通 PIN 码。unblock PIN 码只能用于解锁普通 PIN 码,无法用于 Admin PIN 码。</span><br><span class="line">PIN unblocked and new PIN <span class="built_in">set</span>. // 设置时会先要求你输入 Admin PIN 码的当前的密码,然后是设置新的 unblock PIN 码,再是新的 unblock PIN 码的二次确认。</span><br><span class="line"></span><br><span class="line">1 - change PIN</span><br><span class="line">2 - unblock PIN</span><br><span class="line">3 - change Admin PIN</span><br><span class="line">4 - <span class="built_in">set</span> the Reset Code</span><br><span class="line">Q - quit</span><br><span class="line"></span><br><span class="line">Your selection? 
q // 输入 q 退出密码设置</span><br><span class="line"></span><br><span class="line">gpg/card> name // 设置姓名</span><br><span class="line">Cardholder<span class="string">'s surname: User // 持卡人的姓</span></span><br><span class="line"><span class="string">Cardholder'</span>s given name: Test // 持卡人的名字</span><br><span class="line"></span><br><span class="line">gpg/card> lang // 设置语言</span><br><span class="line">Language preferences: en</span><br><span class="line"></span><br><span class="line">gpg/card> sex // 设置性别 M 为男性 F 为女性</span><br><span class="line">Sex ((M)ale, (F)emale or space): m</span><br><span class="line"></span><br><span class="line">gpg/card> url // 设置公钥的网络链接</span><br><span class="line">URL to retrieve public key: https://www.example.com/public-key.asc // 链接地址</span><br><span class="line"></span><br><span class="line">gpg/card> login // 设置用户名</span><br><span class="line">Login data (account name): <span class="built_in">test</span></span><br><span class="line"></span><br><span class="line">gpg/card> </span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: Test User</span><br><span class="line">Language prefs ...: en</span><br><span class="line">Sex ..............: male</span><br><span class="line">URL of public key : https://www.example.com/public-key.asc</span><br><span class="line">Login data .......: <span class="built_in">test</span></span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span class="line">Max. 
PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 3 3 // the three counters belong to the user PIN, the Reset Code and the Admin PIN. Each wrong entry decrements the counter by one, a correct entry restores it, and at 0 that PIN is blocked. A Reset Code counter of 0 means no Reset Code has been set.</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br><span class="line"></span><br><span class="line">gpg/card> quit // leave the OpenPGP card editor</span><br></pre></td></tr></table></figure><ul><li>Note: the YubiKey 4 introduced a touch requirement. When it is enabled for a key slot, a signature, decryption or authentication is performed only after the correct PIN has been entered and the YubiKey has been <strong>physically touched</strong>, so malware on the host cannot use the key silently while the device is plugged in. See <a href="https://developers.yubico.com/PGP/Card_edit.html" target="_blank" rel="noopener">YubiKey 4 touch</a> for how to enable it.</li></ul><h2 id="5、移动密钥到-YubiKey-4"><a href="#5、移动密钥到-YubiKey-4" class="headerlink" title="5. Moving the keys to the YubiKey 4"></a>5. Moving the keys to the YubiKey 4</h2><ul><li>Note: an OpenPGP card can also generate the key pair on the device itself (the <code>generate</code> command in admin mode), but a key generated on the card can never be exported, so there is no backup of it. Most PGP users already have a key, so this guide moves an existing key onto the YubiKey instead.</li></ul><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span 
class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span 
class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent permitted by law.</span><br><span class="line"></span><br><span class="line">Secret key is available.</span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ultimate] (1). 
Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> toggle</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> keytocard</span><br><span class="line">Really move the primary key? (y/N) y</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (1) Signature key</span><br><span class="line"> (3) Authentication key</span><br><span class="line">Your selection? 
1</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID F891791F, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 1</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> keytocard</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (2) Encryption key</span><br><span class="line">Your selection? 
2</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID 46D4D220, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 1</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> key 2</span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> 
keytocard</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line">Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF</span><br><span class="line">Authentication key: [none]</span><br><span class="line"></span><br><span class="line">Please select <span class="built_in">where</span> to store the key:</span><br><span class="line"> (3) Authentication key</span><br><span class="line">Your selection? 3</span><br><span class="line"></span><br><span class="line">You need a passphrase to unlock the secret key <span class="keyword">for</span></span><br><span class="line">user: <span class="string">"Test User <test@example.com>"</span></span><br><span class="line">4096-bit RSA key, ID C10AE6D4, created 2017-05-29</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sec 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb* 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">(1) Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> quit</span><br><span class="line">Save changes? 
(y/N) y</span><br></pre></td></tr></table></figure><p>Once the changes are saved, the private key material in the local keyring is replaced by stubs that point at the card (the <code>card-no</code> lines above), and a key that is usable without the hardware can no longer be exported from it. If you did not export a backup in the earlier steps, the copy on the OpenPGP card is now your only private key, and it cannot be backed up.</p><p>Check the OpenPGP card status</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: Test User</span><br><span class="line">Language prefs ...: en</span><br><span class="line">Sex ..............: male</span><br><span class="line">URL of public key : https://www.example.com/public-key.asc</span><br><span class="line">Login data .......: <span class="built_in">test</span></span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 4096R 4096R 4096R</span><br><span class="line">Max. 
PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 3 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">Authentication key: 628C 7B5D D284 224A 3321 4369 BC71 9F68 F891 791F</span><br><span class="line"> created ....: 2017-05-29 22:11:07</span><br><span class="line">General key info..: pub 4096R/F891791F 2017-05-29 Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sec> 4096R/F891791F created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb> 4096R/46D4D220 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br><span class="line">ssb> 4096R/C10AE6D4 created: 2017-05-29 expires: never</span><br><span class="line"> card-no: 0006 00000042</span><br></pre></td></tr></table></figure><h2 id="6、在其他电脑上使用"><a href="#6、在其他电脑上使用" class="headerlink" title="6. Using the YubiKey on another computer"></a>6. Using the YubiKey on another computer</h2><p>Once the OpenPGP applet is configured you can plug the YubiKey into any computer with a PGP client and sign, decrypt and authenticate with your private key. The key cannot be read out of the card, so a compromised host cannot copy it; it can only ask the card to perform operations while the YubiKey is plugged in and the PIN has been entered, which is exactly what the touch requirement mentioned above limits.</p><p>Import the public key from a file</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --import public-key.asc</span><br></pre></td></tr></table></figure><p>or fetch it from a keyserver (keyservers do not vouch for a key, so compare the fingerprint with one you trust after the download)</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --keyserver keys.gnupg.net --recv 0xF891791F</span><br></pre></td></tr></table></figure><p>Plug in the YubiKey and query the card. This step creates the secret-key stubs in the local keyring that point at the keys on the card.</p><figure 
class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --card-status</span><br></pre></td></tr></table></figure><p>Set the trust level of the key on this system (it is your own key, so ultimate trust is appropriate)</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --edit-key F891791F</span><br><span class="line"></span><br><span class="line">gpg (GnuPG) 1.4.21; Copyright (C) 2015 Free Software Foundation, Inc.</span><br><span class="line">This is free software: you are free to change and redistribute it.</span><br><span class="line">There is NO WARRANTY, to the extent 
permitted by law.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: ultimate validity: ultimate</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[ unknown] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">gpg> trust</span><br><span class="line">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span><br><span class="line"> trust: unknown validity: unknown</span><br><span class="line">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span><br><span class="line">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span><br><span class="line">[unknown] (1). Test User <<span class="built_in">test</span>@example.com></span><br><span class="line"></span><br><span class="line">Please decide how far you trust this user to correctly verify other users<span class="string">' keys</span></span><br><span class="line"><span class="string">(by looking at passports, checking fingerprints from different sources, etc.)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> 1 = I don'</span>t know or won<span class="string">'t say</span></span><br><span class="line"><span class="string"> 2 = I do NOT trust</span></span><br><span class="line"><span class="string"> 3 = I trust marginally</span></span><br><span class="line"><span class="string"> 4 = I trust fully</span></span><br><span class="line"><span class="string"> 5 = I trust ultimately</span></span><br><span class="line"><span class="string"> m = back to the main menu</span></span><br><span class="line"><span class="string"></span></span><br><span 
class="line"><span class="string">Your decision? 5 // 5 = ultimate trust, for your own key only</span></span><br><span class="line"><span class="string">Do you really want to set this key to ultimate trust? (y/N) y</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">pub 4096R/F891791F created: 2017-05-29 expires: never usage: SC</span></span><br><span class="line"><span class="string"> trust: ultimate validity: unknown</span></span><br><span class="line"><span class="string">sub 4096R/46D4D220 created: 2017-05-29 expires: never usage: E</span></span><br><span class="line"><span class="string">sub 4096R/C10AE6D4 created: 2017-05-29 expires: never usage: A</span></span><br><span class="line"><span class="string">[unknown] (1). Test User <test@example.com></span></span><br><span class="line"><span class="string">Please note that the shown key validity is not necessarily correct</span></span><br><span class="line"><span class="string">unless you restart the program.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">gpg> q</span></span><br></pre></td></tr></table></figure><p>List the keys on this system</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">$ gpg -k // list all public keys</span><br><span class="line"></span><br><span class="line">~/.gnupg/pubring.gpg</span><br><span 
class="line">-----------------------------------------------</span><br><span class="line">pub 4096R/F891791F 2017-05-29</span><br><span class="line">uid [ultimate] Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">sub 4096R/46D4D220 2017-05-29</span><br><span class="line">sub 4096R/C10AE6D4 2017-05-29</span><br><span class="line"></span><br><span class="line">$ gpg -K // list all secret keys</span><br><span class="line"></span><br><span class="line">~/.gnupg/secring.gpg</span><br><span class="line">-----------------------------------------------</span><br><span class="line">sec> 4096R/F891791F 2017-05-29</span><br><span class="line"> Card serial no. = 0006 00000042 // the > after sec/ssb and this serial number show that the private key lives on the OpenPGP smart card; only a stub is stored here</span><br><span class="line">uid Test User <<span class="built_in">test</span>@example.com></span><br><span class="line">ssb> 4096R/46D4D220 2017-05-29</span><br><span class="line">ssb> 4096R/C10AE6D4 2017-05-29</span><br></pre></td></tr></table></figure><p>Encrypt a file to the public key (ASCII-armored output in msg.txt.asc)</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -ea -r <span class="built_in">test</span>@example.com msg.txt</span><br></pre></td></tr></table></figure><p>Decrypt it with the private key on the card; gpg asks for the user PIN</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg msg.txt.asc</span><br></pre></td></tr></table></figure><p>Sign a file with a detached, ASCII-armored signature; with <code>Signature PIN</code> set to <code>forced</code> the PIN is requested for every signature</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg -o msg.txt.sig -ab msg.txt</span><br></pre></td></tr></table></figure><p>Verify the signature (gpg looks for the signed file under the same name without the .sig suffix)</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg --verify msg.txt.sig</span><br></pre></td></tr></table></figure><h2 id="7、重置-YubiKey-4-PGP-功能"><a 
href="#7、重置-YubiKey-4-PGP-功能" class="headerlink" title="7. Resetting the YubiKey 4 OpenPGP applet"></a>7. Resetting the YubiKey 4 OpenPGP applet</h2><p>Create a text file <code>reset.txt</code> with the following content. Each <code>scd apdu</code> line is a raw command to the card: the first eight are VERIFY commands (INS <code>20</code>) with a deliberately wrong PIN, four against the user PIN (reference <code>81</code>) and four against the Admin PIN (reference <code>83</code>), which drives both retry counters to 0; <code>e6</code> is TERMINATE DF and <code>44</code> is ACTIVATE FILE, which together wipe every key, PIN and cardholder field. There is no way to undo this, so make sure the keys are backed up elsewhere first.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">/hex</span><br><span class="line">scd serialno</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40</span><br><span class="line">scd apdu 00 e6 00 00</span><br><span class="line">scd apdu 00 44 00 00</span><br><span class="line">/echo Card has been successfully reset.</span><br></pre></td></tr></table></figure><p>Reset the OpenPGP applet of the YubiKey 4</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gpg-connect-agent -r reset.txt</span><br></pre></td></tr></table></figure><p>Unplug and re-insert the YubiKey and query the card status. If this fails with an error, the applet may not have been re-activated yet and must be activated by hand.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">gpg: selecting openpgp failed: Card error // the OpenPGP applet is not active</span><br><span class="line">gpg: OpenPGP card not available: Card error</span><br></pre></td></tr></table></figure><p>Activate the OpenPGP applet</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">gpg-connect-agent --hex</span><br><span class="line">> scd apdu 00 44 00 00</span><br><span class="line">D[0000] 90 00 .. // 90 00 is the status word for success</span><br><span class="line">OK</span><br><span class="line">> // press Enter on an empty line to quit</span><br></pre></td></tr></table></figure><p>After the activation has answered <code>OK</code> you may still need to unplug and re-insert the YubiKey before the card status can be read again</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">$ gpg --card-status</span><br><span class="line"></span><br><span class="line">Application ID ...: D2760001240102000060000000420000</span><br><span class="line">Version ..........: 2.1</span><br><span class="line">Manufacturer .....: Yubico</span><br><span 
class="line">Serial number ....: 00000042</span><br><span class="line">Name of cardholder: [not <span class="built_in">set</span>]</span><br><span class="line">Language prefs ...: [not <span class="built_in">set</span>]</span><br><span class="line">Sex ..............: unspecified</span><br><span class="line">URL of public key : [not <span class="built_in">set</span>]</span><br><span class="line">Login data .......: [not <span class="built_in">set</span>]</span><br><span class="line">Signature PIN ....: forced</span><br><span class="line">Key attributes ...: 2048R 2048R 2048R</span><br><span class="line">Max. PIN lengths .: 127 127 127</span><br><span class="line">PIN retry counter : 3 0 3</span><br><span class="line">Signature counter : 0</span><br><span class="line">Signature key ....: [none]</span><br><span class="line">Encryption key....: [none]</span><br><span class="line">Authentication key: [none]</span><br><span class="line">General key info..: [none]</span><br></pre></td></tr></table></figure><p>The reset card is back in its factory state with no keys and no cardholder data (the 0 in the middle of the retry counters shows that no Reset Code is set) and can be configured again from the beginning.</p><hr><h3 id="链接"><a href="#链接" class="headerlink" title="Links"></a>Links</h3><ul><li><a href="https://www.gnupg.org/gph/en/manual.html" target="_blank" rel="noopener">The GNU Privacy Handbook</a></li><li><a href="https://developers.yubico.com/PGP/" target="_blank" rel="noopener">YubiKey PGP</a></li><li><a href="https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/" target="_blank" rel="noopener">How to Use Your YubiKey With OpenPGP</a></li><li><a href="https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html" target="_blank" rel="noopener">PIN and Management Key</a></li><li><a href="https://www.yubico.com/support/knowledge-base/categories/articles/reset-applet-yubikey/" target="_blank" rel="noopener">How to Reset Your Applet on Your YubiKey</a></li><li><a href="https://developers.yubico.com/ykneo-openpgp/ResetApplet.html" target="_blank" rel="noopener">YubiKey ResetApplet</a></li><li><a 
href="https://openpgpcard.org/makecard/" target="_blank" rel="noopener">Make OpenPGP Card</a></li><li><a href="https://github.com/drduh/YubiKey-Guide" target="_blank" rel="noopener">Guide to using YubiKey as a SmartCard for GPG and SSH</a></li><li><a href="https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/" target="_blank" rel="noopener">Using an OpenPGP Smartcard with GnuPG</a></li><li><a href="https://www.sidorenko.io/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/" target="_blank" rel="noopener">Yubikey/OpenPGP Smartcards for Newbies</a></li><li><a href="https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/" target="_blank" rel="noopener">PGP and SSH keys on a Yubikey NEO</a></li><li><a href="https://www.jfry.me/articles/2015/gpg-smartcard/" target="_blank" rel="noopener">Using GPG with Smart Cards</a></li></ul>]]></content>
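Checking the card after provisioning (sections 5 and 6). The following Python script is an added example and not code from the original post: it parses the plain-text output of gpg --card-status as printed in the post and reports what a practitioner wants confirmed before deleting the local key backup, namely that all three slots are populated, that each card fingerprint belongs to the key moved into that slot (for a v4 key the short key ID is the last eight hex digits of the fingerprint, so no other tooling is needed), and that no retry counter indicates a blocked PIN or a missing Reset Code. The function and sample names are this example's own, the two status texts are copied from the post, and the retry-counter checks assume the default limit of 3. Run on the post's own sample, the key-ID check reports all three slots, because the fingerprint tails shown there (13AFCE85, D7421CDF, F891791F) are not the IDs of the keys the keytocard transcript moves into those slots (F891791F, 46D4D220, C10AE6D4); on a real card they must match.

```python
"""Audit the output of `gpg --card-status` after provisioning an OpenPGP card.

Added example, not code from the original post. It parses the plain-text
layout GnuPG prints (label, padding dots, colon, value) and checks what is
worth confirming before the local key backup is deleted.
"""
from typing import Dict, List, Optional

# Constructed sample: the status the post shows after the three keytocard
# steps (the "General key info" line is omitted here).
STATUS_AFTER_KEYTOCARD = """\
Application ID ...: D2760001240102000060000000420000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 00000042
Name of cardholder: Test User
Language prefs ...: en
Sex ..............: male
URL of public key : https://www.example.com/public-key.asc
Login data .......: test
Signature PIN ....: forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85
      created ....: 2017-05-29 22:11:07
Encryption key....: 8D17 89A0 5C2F B804 22E5 5C04 8A68 9CC0 D742 1CDF
      created ....: 2017-05-29 22:11:07
Authentication key: 628C 7B5D D284 224A 3321 4369 BC71 9F68 F891 791F
      created ....: 2017-05-29 22:11:07
"""

# Constructed sample: the status the post shows after the factory reset.
STATUS_AFTER_RESET = """\
Application ID ...: D2760001240102000060000000420000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 00000042
Name of cardholder: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
"""

SLOTS = ("Signature key", "Encryption key", "Authentication key")
DEFAULT_RETRIES = 3  # assumption: the card uses the default retry limit


def parse_card_status(text: str) -> Dict[str, str]:
    """Map each top-level 'Label ....: value' line to {label: value}.

    Indented continuation lines (the 'created ....:' lines under a key) are
    skipped and the padding dots GnuPG appends to short labels are removed.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or ": " not in line:
            continue
        label, value = line.split(": ", 1)
        fields[label.rstrip(" .")] = value.strip()
    return fields


def audit_card(fields: Dict[str, str],
               expected_keyids: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable findings; an empty list means the card looks right.

    expected_keyids maps a slot name to the 8-hex-digit short key ID that
    belongs in that slot. A v4 key ID is the tail of the fingerprint, so the
    card fingerprint can be compared against it directly.
    """
    findings: List[str] = []
    for slot in SLOTS:
        fingerprint = fields.get(slot, "[none]").replace(" ", "").upper()
        if fingerprint == "[NONE]":
            findings.append(f"{slot}: slot is empty")
            continue
        want = (expected_keyids or {}).get(slot)
        if want and not fingerprint.endswith(want.upper()):
            findings.append(f"{slot}: card holds ...{fingerprint[-8:]}, expected key {want}")

    counters = fields.get("PIN retry counter", "").split()
    if len(counters) != 3:
        findings.append("PIN retry counter line missing or malformed")
        return findings
    # Order on the card: user PIN, Reset Code, Admin PIN.
    user_pin, reset_code, admin_pin = (int(c) for c in counters)
    if user_pin == 0:
        findings.append("user PIN is blocked; unblock it with the Admin PIN (passwd, option 2)")
    elif user_pin != DEFAULT_RETRIES:
        findings.append(f"user PIN has {user_pin} attempts left; a correct entry restores the counter")
    if reset_code == 0:
        findings.append("no Reset Code set; a blocked user PIN can only be unblocked with the Admin PIN")
    if admin_pin == 0:
        findings.append("Admin PIN is blocked; only a factory reset (section 7) recovers the card")
    elif admin_pin != DEFAULT_RETRIES:
        findings.append(f"Admin PIN has {admin_pin} attempts left")
    return findings
```

To use it on a real card, save the output of gpg --card-status to a file, pass its text to parse_card_status, and call audit_card with the slot-to-key-ID mapping from your own gpg -K listing; an empty result means every slot holds the intended key and the local backup can be taken offline.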
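The reset script of section 7, decoded. The following Python is an added example, not code from the post or from Yubico: it generates the same reset.txt line by line so that each APDU is named (INS 20 VERIFY against PIN reference 81 or 83 with a wrong PIN, sent one more time than the retry counter allows; INS E6 TERMINATE DF; INS 44 ACTIVATE FILE), and it decodes the status word in the response lines gpg-connect-agent prints, such as the D[0000] 90 00 shown above. The function names and the STATUS_WORDS table are this example's own; the status-word meanings come from ISO 7816-4 and the OpenPGP card specification. Running the generated script against a card is still done with gpg-connect-agent -r reset.txt as in section 7.

```python
"""Build the gpg-connect-agent reset script from section 7 and decode the
status words the card answers with.

Added example, not code from the original post or from Yubico.
"""
from typing import List, Tuple

PW1 = 0x81  # user PIN reference (OpenPGP card specification)
PW3 = 0x83  # Admin PIN reference
# The same 8 bytes of 0x40 that Yubico's script sends: a PIN that is not the real one.
WRONG_PIN = bytes([0x40] * 8)

# ISO 7816-4 / OpenPGP card status words that matter for this procedure.
STATUS_WORDS = {
    0x9000: "OK",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked (PIN retry counter is 0)",
    0x6A88: "referenced data not found",
}


def apdu(ins: int, p1: int, p2: int, data: bytes = b"") -> str:
    """Format one command APDU as an 'scd apdu ...' line (CLA 00, space-separated hex)."""
    raw = bytes([0x00, ins, p1, p2])
    if data:
        raw += bytes([len(data)]) + data  # Lc followed by the data field
    return "scd apdu " + " ".join(f"{b:02x}" for b in raw)


def reset_script(retries: int = 3) -> str:
    """Produce the reset.txt contents; retries + 1 wrong VERIFYs guarantee blocking."""
    lines = ["/hex", "scd serialno"]
    lines += [apdu(0x20, 0x00, PW1, WRONG_PIN)] * (retries + 1)  # block the user PIN
    lines += [apdu(0x20, 0x00, PW3, WRONG_PIN)] * (retries + 1)  # block the Admin PIN
    lines.append(apdu(0xE6, 0x00, 0x00))  # TERMINATE DF: wipe keys, PINs and data
    lines.append(apdu(0x44, 0x00, 0x00))  # ACTIVATE FILE: re-create the applet
    lines.append("/echo Card has been successfully reset.")
    return "\n".join(lines) + "\n"


def decode_status(response_line: str) -> Tuple[int, str]:
    """Decode a 'D[0000] 90 00 ..' line into (status word, meaning).

    The status word is the last two bytes of the response. 63 Cx encodes a
    failed VERIFY with x attempts remaining, which is what each wrong PIN in
    the script produces until the counter reaches 0.
    """
    body = response_line.split("]", 1)[-1]
    data: List[int] = []
    for tok in body.split():
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            data.append(int(tok, 16))
        else:
            break  # the trailing ASCII dump ('..') is not part of the response
    if len(data) in (0, 1):
        raise ValueError("response shorter than a status word")
    sw = data[-2] * 256 + data[-1]
    if sw // 16 == 0x63C:
        return sw, f"verification failed, {sw % 16} attempts remaining"
    return sw, STATUS_WORDS.get(sw, "unknown status word")
```

Write reset_script() to reset.txt to reproduce the file from section 7; after a successful reset the card answers every command with 90 00, and a 69 83 on the first VERIFY of a run means that PIN was already blocked.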
<summary type="html">
<p><a href="https://www.yubico.com/" target="_blank" rel="noopener">YubiKey</a> is a hardware token for secure authentication. The YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO and YubiKey NEO-n models include OpenPGP Card functionality.</p>
<p>You can move your private key onto the YubiKey and plug it in only when it is needed, without worrying that the key is leaked or stolen by malware, and it works across several operating systems.</p>
</summary>
<category term="YubiKey" scheme="https://znhocn.github.io/tags/YubiKey/"/>
<category term="PGP" scheme="https://znhocn.github.io/tags/PGP/"/>
</entry>
<entry>
<title>YARD Stick One Tutorial</title>
<link href="https://znhocn.github.io/posts/2017/05/17/YARD-Stick-One-Tutorial/"/>
<id>https://znhocn.github.io/posts/2017/05/17/YARD-Stick-One-Tutorial/</id>
<published>2017-05-17T15:27:28.000Z</published>
<updated>2018-02-21T08:44:23.169Z</updated>
<content type="html"><![CDATA[<p><a href="https://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">YARD Stick One</a> is a sub-1 GHz USB wireless transceiver built around the TI <a href="http://www.ti.com/product/CC1110-CC1111" target="_blank" rel="noopener">CC1111</a> chip. You can use it to replay all kinds of remote-control signals, for security research on car key fobs, and similar work.</p><a id="more"></a><ul><li>Half-duplex transmit and receive</li><li>Operating frequency, official: 300 - 348 MHz, 391 - 464 MHz and 782 - 928 MHz</li><li>Operating frequency, unofficial: 281 - 361 MHz, 378 - 481 MHz and 749 - 962 MHz</li><li>Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK</li><li>Data rate: 500 kbps</li><li>Full-speed USB 2.0</li><li>SMA female antenna connector (50 ohm)</li><li>Software-controlled antenna port power (max. 50 mA at 3.3 V)</li><li>Low-pass filter for removing harmonics when operating in the 800 and 900 MHz bands</li><li>GoodFET-compatible expansion and programming interface</li><li>GIMME-compatible programming test points</li><li>Open source hardware</li></ul><p>The official ranges are the frequencies the Texas Instruments (TI) CC1111 is specified for. In practice the unofficial ranges have proven reliable and the device works normally there.</p><ul><li>Note: YARD Stick One is not supported on Windows. Third parties have tried modified firmware to make it usable from the Windows 10 Linux subsystem, but the vendor has not announced Windows support.</li></ul><h2 id="1-使用"><a href="#1-使用" class="headerlink" title="1. Usage"></a>1. Usage</h2><p>YARD Stick One is not compatible with any general-purpose SDR software; the only client for it is <a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">RfCat</a>.</p><h3 id="1-1-安装-RfCat"><a href="#1-1-安装-RfCat" class="headerlink" title="1.1 Installing RfCat"></a>1.1 Installing RfCat</h3><p>From source</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">apt-get install python-usb</span><br><span class="line">wget https://bitbucket.org/atlas0fd00m/rfcat/downloads/rfcat_170508.tgz</span><br><span class="line">tar xvzf rfcat_170508.tgz</span><br><span class="line"><span class="built_in">cd</span> rfcat_170508/</span><br><span class="line">python setup.py install</span><br></pre></td></tr></table></figure><p>Kali Linux</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get install rfcat</span><br></pre></td></tr></table></figure><h3 id="1-2-RfCat-帮助"><a href="#1-2-RfCat-帮助" class="headerlink" title="1.2 RfCat help"></a>1.2 RfCat help</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">rfcat -h</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f BASEFREQ] [-c INC] [-n SPECCHANS]</span><br><span class="line"> [--bootloader] [--force]</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line"> -h, --help show this help message and exit</span><br><span class="line"> -r, --research Interactive Python and the "d" instance to talk to</span><br><span class="line"> your dongle. 
melikey longtime.</span><br><span class="line"> -i INDEX, --index INDEX</span><br><span class="line"> -s, --specan start spectrum analyzer</span><br><span class="line"> -f BASEFREQ, --basefreq BASEFREQ</span><br><span class="line"> -c INC, --inc INC</span><br><span class="line"> -n SPECCHANS, --specchans SPECCHANS</span><br><span class="line"> --bootloader trigger the bootloader (use in order to flash the</span><br><span class="line"> dongle)</span><br><span class="line"> --force use this to make sure you want to set bootloader mode</span><br><span class="line"> (you *must* flash after setting --bootloader)</span><br></pre></td></tr></table></figure><h3 id="1-3-频谱分析"><a href="#1-3-频谱分析" class="headerlink" title="1.3 Spectrum analysis"></a>1.3 Spectrum analysis</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">rfcat -s -f 433e6</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-05-17_01-0002.png" alt=""></p><h3 id="1-4-RfCat-命令行"><a href="#1-4-RfCat-命令行" class="headerlink" title="1.4 RfCat command line"></a>1.4 RfCat command line</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">rfcat -r</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span 
class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span 
class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping() // check that the dongle responds</span><br><span class="line"> >>> d.setFreq(433000000) // set the carrier frequency</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK) // set the modulation scheme</span><br><span class="line"> >>> d.makePktFLEN(250) // fixed packet length of 250 bytes</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>) // transmit data</span><br><span class="line"> >>> d.RFrecv() // receive data</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig() // print the radio configuration</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: <span class="built_in">print</span> d.reprRadioConfig() // print the radio configuration</span><br><span class="line">== Hardware ==</span><br><span class="line">Dongle: YARDSTICKONE</span><br><span class="line">Firmware rev: 0348</span><br><span class="line">Compiler: Not found! 
Update needed!</span><br><span class="line">Bootloader: CC-Bootloader</span><br><span class="line"></span><br><span class="line">== Software ==</span><br><span class="line">rflib rev: 450</span><br><span class="line"></span><br><span class="line">== Frequency Configuration ==</span><br><span class="line">Frequency: 901999877.929688 hz (0x259555L)</span><br><span class="line">Channel: 0</span><br><span class="line">Intermediate freq: 281250 hz</span><br><span class="line">Frequency Offset: 0 +/-</span><br><span class="line">Est. Freq Offset: 241</span><br><span class="line"></span><br><span class="line">== Modem Configuration ==</span><br><span class="line">Modulation: 2FSK</span><br><span class="line">DRate: 38360.595703 hz</span><br><span class="line">ChanBW: 93750.000000 hz</span><br><span class="line">DEVIATION: 20507.812500 hz</span><br><span class="line">Sync Mode: 15 of 16 bits must match</span><br><span class="line">Min TX Preamble: 4 bytes</span><br><span class="line">Chan Spacing: 199951.171875 hz</span><br><span class="line">BSLimit: No data rate offset compensation performed</span><br><span class="line">DC Filter: enabled</span><br><span class="line">Manchester Encoding: disabled</span><br><span class="line">Fwd Err Correct: disabled</span><br><span class="line"></span><br><span class="line">== Packet Configuration ==</span><br><span class="line">Sync Word: 0x0C4E</span><br><span class="line">Packet Length: 255</span><br><span class="line">Length Config: Fixed Packet Mode</span><br><span class="line">Configured Address: 0x0</span><br><span class="line">Preamble Quality Threshold: 4 * 2</span><br><span class="line">Append Status: No</span><br><span class="line">Rcvd Packet Check: No address check</span><br><span class="line">Data Whitening: off</span><br><span class="line">Packet Format: Normal mode</span><br><span class="line">CRC: disabled</span><br><span class="line"></span><br><span class="line">== AES Crypto Configuration ==</span><br><span 
class="line">AES Mode: CBC - Cipher Block Chaining</span><br><span class="line">Crypt RF Input: off</span><br><span class="line">Crypt RF Output: off</span><br><span class="line"></span><br><span class="line">== Radio Test Signal Configuration ==</span><br><span class="line">TEST2: 0x88</span><br><span class="line">TEST1: 0x31</span><br><span class="line">TEST0: 0x9</span><br><span class="line">VCO_SEL_CAL_EN: 0x0</span><br><span class="line"></span><br><span class="line">== Radio State ==</span><br><span class="line"> MARCSTATE: MARC_STATE_RX (d)</span><br><span class="line"> DONGLE RESPONDING: mode :c, last error<span class="comment"># 1</span></span><br><span class="line"></span><br><span class="line">== Client State ==</span><br><span class="line">========================================================================================================================</span><br><span class="line"> client thread cycles: 99/14</span><br><span class="line"> client errored cycles: 0</span><br><span class="line"> recv_queue: (0 bytes) <span class="string">''</span></span><br><span class="line"> trash: (3 blobs) <span class="string">"[128, 142, (1495128220.831341, '')]"</span></span><br><span class="line"> recv_mbox (2 keys) <span class="string">"['0x42', '0xff']"</span></span><br><span class="line"> app 0x42 (1 records)</span><br><span class="line"> [0x7] (0 frames) <span class="string">"[]"</span></span><br><span class="line"></span><br><span class="line"> app 0xff (4 records)</span><br><span class="line"> [0x88] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x80] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x82] (0 frames) <span class="string">"[]"</span></span><br><span class="line"> [0x86] (0 frames) <span class="string">"[]"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [2]: d.ping()</span><br><span class="line">PING: 26 bytes transmitted, received: 
<span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003433 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003278 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003287 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003417 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003243 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003240 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003528 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003263 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003441 seconds)</span><br><span class="line">PING: 26 bytes transmitted, received: <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span> (0.003416 seconds)</span><br><span class="line">Out[2]: (10, 0, 0.03384900093078613)</span><br><span class="line"></span><br><span class="line">In [3]: d.setFreq(433000000) // set the frequency to 433 MHz</span><br><span class="line"></span><br><span class="line">In [4]: d.specan(433e6) // open the spectrum analyzer view; 433e6 sets the frequency, written here in scientific notation, which equals 433000000</span><br><span class="line"></span><br><span class="line">In [5]: bin(0x1234f) // base conversion, hexadecimal to binary</span><br><span class="line">Out[5]: <span class="string">'0b10010001101001111'</span></span><br><span class="line"></span><br><span class="line">In [6]: <span class="built_in">help</span>(d) // show the help for all of the dongle's methods</span><br><span 
class="line"></span><br><span class="line">In [7]: d. // press Tab to list all attributes and methods</span><br><span class="line">Display all 182 possibilities? (y or n)</span><br><span class="line">d.FHSSxmit d.getChannel d.mac_SyncCell d.rf_redirection d.setMdmNumPreamble</span><br><span class="line">d.RESET d.getChannels d.makePktFLEN d.rsema d.setMdmSyncMode</span><br><span class="line">d.RFcapture d.getCompilerInfo d.makePktVLEN d.runEP5_recv d.setMdmSyncWord</span><br><span class="line">d.RFdump d.getDebugCodes d.max_packet_size d.runEP5_send d.setModeIDLE</span><br><span class="line">d.RFlisten d.getEnableMdmDCFilter d.mhz d.run_ctrl d.setModeRX</span><br><span class="line">d.RFrecv d.getEnableMdmFEC d.nextChannel d.scan d.setModeTX</span><br><span class="line">d.RFtestLong d.getEnableMdmManchester d.peek d.send d.setPktAddr</span><br><span class="line">d.RFxmit d.getEnablePktAppendStatus d.ping d.send_thread d.setPktPQT</span><br><span class="line">d.RFxmitLong d.getEnablePktCRC d.poke d.send_threadcounter d.setPower</span><br><span class="line">d.adjustFreqOffset d.getEnablePktDataWhitening d.pokeReg d.setAESiv d.setRFRegister</span><br><span class="line">d.bootloader d.getFHSSstate d.printClientState d.setAESkey d.setRFbits</span><br><span class="line">d.calculateFsIF d.getFreq d.printRadioConfig d.setAESmode d.setRFparameters</span><br><span class="line">d.calculateFsOffset d.getFreqEst d.printRadioState d.setAmpMode d.setRadioConfig</span><br><span class="line">d.calculateMdmDeviatn d.getFsIF d.radiocfg d.setBSLimit d.setRfMode</span><br><span class="line">d.calculatePktChanBW d.getFsOffset d.recv d.setChannel d.setup</span><br><span class="line">d.changeChannel d.getInterruptRegisters d.recvAll d.setChannels d.setup24330MHz</span><br><span class="line">d.checkRepr d.getLQI d.recv_event d.setEnDeCoder d.setup900MHz</span><br><span class="line">d.chipnum d.getMACdata d.recv_mbox d.setEnableCCA d.setup900MHzContTrans</span><br><span class="line">d.chipstr d.getMACthreshold 
d.recv_queue d.setEnableMdmDCFilter d.setup900MHzHopTrans</span><br><span class="line">d.cleanup d.getMARCSTATE d.recv_thread d.setEnableMdmFEC d.setup_rfstudio_902PktTx</span><br><span class="line">d.clearDebugCodes d.getMdmChanBW d.recv_threadcounter d.setEnableMdmManchester d.specan</span><br><span class="line">d.ctrl_thread d.getMdmChanSpc d.reprAESMode d.setEnablePktAppendStatus d.startHopping</span><br><span class="line">d.debug d.getMdmDRate d.reprClientState d.setEnablePktCRC d.stopHopping</span><br><span class="line">d.devnum d.getMdmDeviatn d.reprDebugCodes d.setEnablePktDataWhitening d.strobeModeCAL</span><br><span class="line">d.discover d.getMdmModulation d.reprFreqConfig d.setFHSSstate d.strobeModeFSTXON</span><br><span class="line">d.endec d.getMdmNumPreamble d.reprHardwareConfig d.setFreq d.strobeModeIDLE</span><br><span class="line">d.ep0GetAddr d.getMdmSyncMode d.reprMACdata d.setFsIF d.strobeModeRX</span><br><span class="line">d.ep0Peek d.getMdmSyncWord d.reprMdmModulation d.setFsOffset d.strobeModeReturn</span><br><span class="line">d.ep0Ping d.getPartNum d.reprModemConfig d.setMACdata d.strobeModeTX</span><br><span class="line">d.ep0Poke d.getPktAddr d.reprPacketConfig d.setMACperiod d.testTX</span><br><span class="line">d.ep0Reset d.getPktLEN d.reprRadioConfig d.setMACthreshold d.trash</span><br><span class="line">d.ep5timeout d.getPktPQT d.reprRadioState d.setMaxPower d.xmit_event</span><br><span class="line">d.freq_offset_accumulator d.getRSSI d.reprRadioTestSignalConfig d.setMdmChanBW d.xmit_queue</span><br><span class="line">d.getAESmode d.getRadioConfig d.reprSoftwareConfig d.setMdmChanSpc d.xsema</span><br><span class="line">d.getAmpMode d.idx d.reset_event d.setMdmDRate</span><br><span class="line">d.getBSLimit d.lowball d.resetup d.setMdmDeviatn</span><br><span class="line">d.getBuildInfo d.lowballRestore d.rf_configure d.setMdmModulation</span><br><span class="line"></span><br><span class="line">In [10]: 
d.</span><br></pre></td></tr></table></figure><h3 id="1-5-接收信号"><a href="#1-5-接收信号" class="headerlink" title="1.5 Receiving signals"></a>1.5 Receiving signals</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. 
this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433800000) // set the frequency to 433.8 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) // set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.setMdmDRate(4800) // set the data rate to 4800 baud</span><br><span class="line"></span><br><span class="line">In [4]: d.setMaxPower()</span><br><span class="line"></span><br><span class="line">In [5]: d.lowball()</span><br><span class="line"></span><br><span class="line">In [6]: d.RFlisten() // start listening for packets</span><br><span class="line">Entering RFlisten mode... 
packets arriving will be displayed on the screen</span><br><span class="line">(press Enter to stop)</span><br><span class="line">(1495207873.725) Received: 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 | [email protected]<span class="string">".....K.....(.`....(..`......I.#[email protected]......(..0T...@..<[email protected]...........`l|.!h)[P.C........B..(.b.H....1.8.AQ.......(......@...@\........h.C...............F.....@@@......>............?hT......l...6..@</span></span><br><span class="line"><span class="string">(1495207875.830) Received: 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 | S"</span>..!......<span class="comment">#..`[email protected].....'...."..,<........:[email protected][email protected][email protected][email protected]..!........!.P@[email protected]...........%..*......."......c.1.s8).cV^[email protected].@[email protected][email protected]..</span></span><br><span class="line">(1495207876.325) Received: 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 | ..5.1...0.t9.............B.Q@..@[email protected]....=...9...=....@..........+.@L{.CH...,[email protected].%.........!.%b....!.!....@....<span class="comment">#.;.C.z<!...".....-..lm..$..c.!.........c.[.s..P............>.9.u...<...-......0........>...=.....1...0.........=...}...c..</span></span><br><span class="line">(1495207877.241) Received: 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 | .$..!,....<.......z.C........3.h.`............<span class="variable">$L</span>....)!.......!.m.....!...2e....................t.............a...!.!...........=.....c.}[email protected].....(.B.[.C.([email protected].........$>....EP6............................0.</span><br><span class="line">(1495207877.706) Received: 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 | ._c.....3...................?...!............>......>.1...<span 
class="string">"...:......................P............P......E.............P<...=.........0....=.k.l}...s?K....Z.....X..B...............A...............{......B...A.....G.r.G..<{Xc.i....................%...</span></span><br></pre></td></tr></table></figure><h3 id="1-5-发送-OOK-信号"><a href="#1-5-发送-OOK-信号" class="headerlink" title="1.5 Sending OOK signals"></a>1.5 Sending OOK signals</h3><p>Method one</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. 
this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433e6) // set the frequency to 433 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) // set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.setMdmDRate(int(1.0/0.000550)) // data rate matching a 550 microsecond symbol period (about 1818 baud)</span><br><span class="line"></span><br><span class="line">In [4]: d.RFxmit(<span class="string">"\x8E\x8E\x88\x88\x8E\x88\x88\x00\x00\x00"</span> * 20) // transmit the hex-encoded signal <span class="string">"\x8E\x8E\x88\x88\x8E\x88\x88\x00\x00\x00"</span> 20 times</span><br></pre></td></tr></table></figure><p>Method two</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span 
class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: d.setFreq(433800000) // set the frequency to 433.8 MHz</span><br><span class="line"></span><br><span class="line">In [2]: d.setMdmModulation(MOD_ASK_OOK) // set the modulation to ASK / OOK</span><br><span class="line"></span><br><span class="line">In [3]: d.makePktFLEN(4) // set a fixed packet length of 4 because we only send 4 bytes here</span><br><span class="line"></span><br><span class="line">In [4]: d.setMdmDRate(4800) // set the baud rate</span><br><span class="line"></span><br><span class="line">In [5]: d.setMaxPower()</span><br><span class="line"></span><br><span class="line">In [6]: <span class="keyword">for</span> i <span class="keyword">in</span> range(0,15):d.RFxmit(<span class="string">'\xDE\xAD\xBE\xEF'</span>) // transmit the data 15 times</span><br></pre></td></tr></table></figure><h3 id="1-6-使用-Python-脚本"><a href="#1-6-使用-Python-脚本" class="headerlink" title="1.6 Using a Python script"></a>1.6 Using a Python script</h3><p>Python script</p><figure class="highlight python"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span 
class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># This is a rudimentary implementation of packet reception using YARD Stick One</span></span><br><span class="line"><span class="comment"># with RfCat demonstrated in Rapid Radio Reversing presented at ToorCon 17</span></span><br><span class="line"><span class="comment"># (2015).</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># File Name: sl.py</span></span><br><span class="line"><span class="comment"># usage from rfcat interactive shell:</span></span><br><span class="line"><span class="comment"># %run sl.py</span></span><br><span class="line"><span class="comment"># rxsl(d)</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> rflib <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line"><span class="comment"># This validity check is only verifying certain bytes that are present in all</span></span><br><span class="line"><span class="comment"># packets. 
It really should be followed up (or replaced) by a checksum</span></span><br><span class="line"><span class="comment"># verification.</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">packet_valid</span><span class="params">(p)</span>:</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">0</span>]) != <span class="number">0x6d</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">1</span>]) != <span class="number">0xb6</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">6</span>]) != <span class="number">0x6d</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> ord(p[<span class="number">7</span>]) != <span class="number">0xb6</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">if</span> (ord(p[<span class="number">29</span>]) & <span class="number">0xfc</span>) != <span class="number">0</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">False</span></span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">True</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># This could probably be simpler and/or easier to read. It extracts every</span></span><br><span class="line"><span class="comment"># third bit in order to decode the pulse width modulation (PWM). 
The PWM</span></span><br><span class="line"><span class="comment"># implemented by StealthLock is well behaved in that the pulse durations and</span></span><br><span class="line"><span class="comment"># interval durations are all one or two times the length of a time unit and</span></span><br><span class="line"><span class="comment"># data bits are represented by a consistent number (3) of time units. This is</span></span><br><span class="line"><span class="comment"># the time unit I have used in the RfCat symbol rate configuration, so a long</span></span><br><span class="line"><span class="comment"># pulse appears as symbols (1, 1, 0) and a short pulse appears as (1, 0, 0).</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">pwm_decode</span><span class="params">(p)</span>:</span></span><br><span class="line">    biginteger = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> byte <span class="keyword">in</span> p:</span><br><span class="line">        biginteger <<= <span class="number">8</span></span><br><span class="line">        biginteger |= ord(byte)</span><br><span class="line">    biginteger >>= <span class="number">12</span></span><br><span class="line">    out = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">28</span>, (len(p)*<span class="number">8</span><span class="number">-12</span>)/<span class="number">3</span>, <span class="number">1</span>):</span><br><span class="line">        out <<= <span class="number">1</span></span><br><span class="line">        out |= ((biginteger & <span class="number">1</span>) ^ <span class="number">1</span>)</span><br><span class="line">        biginteger >>= <span class="number">3</span></span><br><span class="line">    <span class="keyword">return</span> out</span><br><span class="line"></span><br><span class="line"><span class="comment"># checksum byte is 0xff minus 
8-bit addition of previous bytes, like so:</span></span><br><span class="line"><span class="comment"># hex(0xff-(0x02+0x98+0x76+0xff+0xff)&0xff)</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rxsl</span><span class="params">(device)</span>:</span> <span class="comment"># main receive routine, called from the rfcat shell as rxsl(d)</span></span><br><span class="line">    device.setFreq(<span class="number">314980000</span>)</span><br><span class="line">    device.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line">    device.setMdmDRate(<span class="number">2450</span>)</span><br><span class="line">    device.setPktPQT(<span class="number">0</span>)</span><br><span class="line">    device.setMdmSyncMode(<span class="number">2</span>)</span><br><span class="line">    device.setMdmSyncWord(<span class="number">0x06db</span>)</span><br><span class="line">    device.setMdmNumPreamble(<span class="number">0</span>)</span><br><span class="line">    device.setMaxPower()</span><br><span class="line">    device.lowball()</span><br><span class="line">    device.makePktFLEN(<span class="number">30</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">while</span> <span class="keyword">not</span> keystop():</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            pkt, ts = device.RFrecv()</span><br><span class="line">            <span class="keyword">if</span> packet_valid(pkt):</span><br><span class="line">                <span class="comment">#print "Received: %s" % pkt.encode('hex')</span></span><br><span class="line">                <span class="keyword">print</span> <span class="string">"0x%012x"</span> % pwm_decode(pkt)</span><br><span class="line">        <span class="keyword">except</span> ChipconUsbTimeoutException:</span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">    sys.stdin.read(<span class="number">1</span>)</span><br></pre></td></tr></table></figure><p>Invoke it from the RfCat interactive shell:</p><figure class="highlight 
bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># rfcat -r</span></span><br><span class="line"><span class="string">'RfCat, the greatest thing since Frequency Hopping!'</span></span><br><span class="line"></span><br><span class="line">Research Mode: enjoy the raw power of rflib</span><br><span class="line"></span><br><span class="line">currently your environment has an object called <span class="string">"d"</span> <span class="keyword">for</span> dongle. this is how</span><br><span class="line">you interact with the rfcat dongle:</span><br><span class="line"> >>> d.ping()</span><br><span class="line"> >>> d.setFreq(433000000)</span><br><span class="line"> >>> d.setMdmModulation(MOD_ASK_OOK)</span><br><span class="line"> >>> d.makePktFLEN(250)</span><br><span class="line"> >>> d.RFxmit(<span class="string">"HALLO"</span>)</span><br><span class="line"> >>> d.RFrecv()</span><br><span class="line"> >>> <span class="built_in">print</span> d.reprRadioConfig()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">In [1]: %run sl.py // run the sl.py script</span><br><span class="line"></span><br><span class="line">In [2]: rxsl(d) // call the function defined in the script</span><br></pre></td></tr></table></figure><h2 id="2-rfpwnon-信号暴力穷举"><a href="#2-rfpwnon-信号暴力穷举" class="headerlink" title="2. rfpwnon 信号暴力穷举"></a>2. 
rfpwnon Signal Brute Forcing</h2><p><a href="https://github.com/exploitagency/github-rfpwnon" target="_blank" rel="noopener">rfpwnon</a> is a Python script, built on rfcat, for brute-force attacks against radio signals.</p><h3 id="2-1-安装"><a href="#2-1-安装" class="headerlink" title="2.1 安装"></a>2.1 Installation</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">apt-get install python python-pip rfcat</span><br><span class="line">pip install bitstring</span><br><span class="line">wget https://raw.githubusercontent.com/exploitagency/github-rfpwnon/master/rfpwnon.py</span><br><span class="line">./rfpwnon.py --<span class="built_in">help</span></span><br></pre></td></tr></table></figure><h3 id="2-2-帮助信息"><a href="#2-2-帮助信息" class="headerlink" title="2.2 帮助信息"></a>2.2 Help Output</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span 
class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># ./rfpwnon.py -h</span></span><br><span class="line">usage: rfpwnon.py [-h] [-v] [-f BASEFREQ] [-b BAUDRATE] [-l BINLENGTH]</span><br><span class="line"> [-r REPEATTIMES] [--keys] [-p PPAD] [-t TPAD] [--raw]</span><br><span class="line"> [--tri] [--show]</span><br><span class="line"></span><br><span class="line">Application to use a rfcat compatible device to brute force a particular AM</span><br><span class="line">OOK or raw binary signal.</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line"> -h, --<span class="built_in">help</span> show this <span class="built_in">help</span> message and <span class="built_in">exit</span> // show this help message</span><br><span class="line"> -v, --version show program's version number and exit // show the program version</span><br><span class="line"> -f BASEFREQ Specify the target frequency to transmit on, default is // set the target frequency, default 915000000 Hz</span><br><span class="line"> 915000000.</span><br><span class="line"> -b BAUDRATE Specify the baudrate of the signal, default is 2000. // set the baud rate, default 2000</span><br><span class="line"> -l BINLENGTH Specify the binary length of the signal to brute force. By // set the binary length to generate</span><br><span class="line"> default this is the binary length before pwm encoding. When</span><br><span class="line"> the flag --raw is set this is the binary length of the pwm</span><br><span class="line"> encoded signal.</span><br><span class="line"> -r REPEATTIMES Specify the number of times to repeat the signal. By default // number of times each signal is repeated</span><br><span class="line"> this is set to 1 and uses the de bruijn sequence for speed. // when set to 1, a de Bruijn sequence is used for speed</span><br><span class="line"> When set greater than one the script sends each possible // when set greater than 1 the script takes much longer to run</span><br><span class="line"> permutation of the signal individually and takes much longer</span><br><span class="line"> to complete. For some applications the signal is required to</span><br><span class="line"> be sent multiple times.</span><br><span class="line"> --keys Displays the values being transmitted in binary, hex, and // show the binary, hex and decimal values being transmitted</span><br><span class="line"> decimal both before and after pwm encoding.</span><br><span class="line"> -p PPAD Specify your own binary padding to be attached before the // fixed binary prefix attached before the generated binary</span><br><span class="line"> brute forced binary.</span><br><span class="line"> -t TPAD Specify your own binary padding to be attached after the // fixed binary suffix attached after the generated binary</span><br><span class="line"> brute forced binary.</span><br><span class="line"> --raw This flag disables the script from performing the pwm</span><br><span class="line"> encoding of the binary signal. When set you must specify the</span><br><span class="line"> full pwm encoded binary length using -l.</span><br><span class="line"> --tri This flag sets up the script to brute force a trinary</span><br><span class="line"> signal.</span><br><span class="line"> --show Prints de Bruijn sequence before transmitting. // print the de Bruijn sequence</span><br></pre></td></tr></table></figure><h3 id="2-3-使用实例"><a href="#2-3-使用实例" class="headerlink" title="2.3 使用实例"></a>2.3 Usage Examples</h3><p>Use a baud rate of <code>2000</code>, generate every <code>4</code>-bit binary signal, and send each signal <code>5</code> times:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./rfpwnon.py -f 315000000 -b 2000 -l 4 -r 5</span><br></pre></td></tr></table></figure><p>Use a baud rate of <code>1818</code>, prefix every signal with the fixed binary <code>100101</code>, generate every <code>10</code>-bit binary signal after that prefix, and send each signal <code>2</code> times:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./rfpwnon.py -f 315060000 -b 1818 -p 100101 -l 10 -r 2</span><br></pre></td></tr></table></figure><p>Use a baud rate of <code>1818</code>, generate every <code>16</code>-bit binary signal, and send each signal <code>2</code> times. This takes a long time to transmit all of the signals.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./rfpwnon.py -f 315060000 -b 1818 -l 16 -r 2</span><br></pre></td></tr></table></figure><h2 id="3-ToorChat"><a href="#3-ToorChat" class="headerlink" title="3. ToorChat"></a>3. 
ToorChat</h2><p><a href="https://github.com/hathcox/ToorChat" target="_blank" rel="noopener">ToorChat</a> is a chat application that uses the <a href="https://greatscottgadgets.com/tc13badge/" target="_blank" rel="noopener">ToorCon 2013 badge</a>.<br>The YARD Stick One hardware design uses the same chip and firmware as the ToorCon 2013 badge, so this program runs on it as well.<br>ToorChat needs at least two RfCat-supported devices to communicate with each other over radio.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/hak5/ToorChat.git</span><br><span class="line"><span class="built_in">cd</span> ToorChat</span><br><span class="line">./toorchat.py</span><br></pre></td></tr></table></figure><p><img src="//files.hakr.xyz/images/2017-05-17_01-0003.png" alt=""></p><h2 id="4-固件"><a href="#4-固件" class="headerlink" title="4. 固件"></a>4. Firmware</h2><p>The YARD Stick One firmware is the one provided by <a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">rfcat</a>, and the bootloader is <a href="https://github.com/AdamLaurie/CC-Bootloader" target="_blank" rel="noopener">CC-Bootloader</a>. Both the firmware and the hardware are open source, so you can write your own firmware to implement the features you need.</p><hr><h2 id="链接"><a href="#链接" class="headerlink" title="链接"></a>Links</h2><ul><li><a href="http://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">Great Scott Gadgets - YARD Stick One</a></li><li><a href="https://github.com/greatscottgadgets/yardstick" target="_blank" rel="noopener">GitHub: YARD Stick One</a></li><li><a href="https://bitbucket.org/atlas0fd00m/rfcat" target="_blank" rel="noopener">rfcat project</a></li><li><a href="https://andrewmohawk.com/2012/09/06/hacking-fixed-key-remotes/" target="_blank" rel="noopener">Hacking fixed key remotes</a></li><li><a href="http://andrewmohawk.com/2015/08/31/hacking-fixed-key-remotes-with-only-rfcat/" target="_blank" rel="noopener">Hacking fixed key remotes with (only) RFCat</a></li><li><a 
href="https://www.youtube.com/watch?v=pkTlTCUeec0" target="_blank" rel="noopener">How to begin hacking with the YARD Stick One - Hak5 1908</a></li><li><a href="https://www.youtube.com/watch?v=F3bISk5t8cA" target="_blank" rel="noopener">How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909</a></li><li><a href="https://www.youtube.com/watch?v=EZU2AZtfJbI" target="_blank" rel="noopener">Hacking Wireless Doorbells and Software Defined Radio tips - Hak5 1910</a></li><li><a href="https://www.youtube.com/watch?v=LqmVaf2KHYA" target="_blank" rel="noopener">Hacking Keyless Entry Remotes - Hak5 1911</a></li><li><a href="https://www.youtube.com/watch?v=blpycY5JCm0" target="_blank" rel="noopener">How to Hack Radio with Brute Force Attacks - Hak5 1912</a></li><li><a href="https://www.youtube.com/watch?v=eVqIe3na_Zk" target="_blank" rel="noopener">Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913</a></li><li><a href="https://www.youtube.com/watch?v=vf38-8LbDuw" target="_blank" rel="noopener">Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914</a></li><li><a href="https://pandwarf.com/news/yard-stick-one-vs-rtl-sdr-vs-pandwarf/" target="_blank" rel="noopener">Yard Stick One vs RTL-SDR vs PandwaRF: Fight of the dwarves</a></li><li><a href="http://greatscottgadgets.com/2015/12-29-rapid-radio-reversing-toorcon-2015/" target="_blank" rel="noopener">Rapid Radio Reversing, ToorCon 2015</a></li><li><a href="https://github.com/gyaresu/opensesame-yardstick" target="_blank" rel="noopener">opensesame-yardstick</a></li><li><a href="https://www.hak5.org/episodes/hak5-1908-how-to-begin-hacking-with-the-yard-stick-one" target="_blank" rel="noopener">Hak5 1908 – How to begin hacking with the YARD Stick One</a></li><li><a href="http://leetupload.com/blagosphere/index.php/2014/02/16/you-know-how-to-send-my-signal-setting-up-rfcat-from-scratch/" target="_blank" rel="noopener">You know how to send my signal — Setting up RFCat from scratch</a></li><li><a 
href="https://www.legacysecuritygroup.com/index.php/categories/13-sdr/22-rfpwnon-py-the-ultimate-rfcat-ask-ook-brute-force-tool" target="_blank" rel="noopener">rfpwnon.py rfcat ASK OOK brute force tool</a></li></ul>]]></content>
<summary type="html">
<p><a href="https://greatscottgadgets.com/yardstickone/" target="_blank" rel="noopener">YARD Stick One</a> is a sub-1 GHz USB wireless transceiver based on TI's <a href="http://www.ti.com/product/CC1110-CC1111" target="_blank" rel="noopener">CC1111</a> chip. You can use YARD Stick One for replaying all kinds of remote-control signals, for security research on car remote key locks, and so on.</p>
</summary>
<category term="Hardware" scheme="https://znhocn.github.io/tags/Hardware/"/>
<category term="Radio" scheme="https://znhocn.github.io/tags/Radio/"/>
<category term="YARD Stick One" scheme="https://znhocn.github.io/tags/YARD-Stick-One/"/>
</entry>
<entry>
<title>Annual summary 2016</title>
<link href="https://znhocn.github.io/posts/2016/12/30/Annual-summary-2016/"/>
<id>https://znhocn.github.io/posts/2016/12/30/Annual-summary-2016/</id>
<published>2016-12-30T13:04:25.000Z</published>
<updated>2018-02-21T08:44:18.087Z</updated>
<content type="html"><![CDATA[<script src="/crypto-js.js"></script><script src="/mcommon.js"></script><h3 id="encrypt-message">Please enter the password to read the blog.</h3><link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css"> <link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap-theme.min.css"> <script src="//cdn.bootcss.com/jquery/1.11.3/jquery.min.js"></script> <script src="//cdn.bootcss.com/bootstrap/3.3.5/js/bootstrap.min.js"></script> <div id="security"> <div> <div class="input-group"> <input type="text" class="form-control" aria-label="Enter the password." id="pass"/> <div class="input-group-btn"> <button type="button" class="btn btn-default" onclick="decryptAES()">Decrypt</button> </div> </div> </div> </div> <div id="encrypt-blog" style="display:none"> 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 </div>]]></content>
<summary type="html">
The article has been encrypted; please enter your password to view it.<br>
</summary>
<category term="Annual summary" scheme="https://znhocn.github.io/tags/Annual-summary/"/>
</entry>
<entry>
<title>Hello World</title>
<link href="https://znhocn.github.io/posts/2016/12/01/hello-world/"/>
<id>https://znhocn.github.io/posts/2016/12/01/hello-world/</id>
<published>2016-11-30T17:01:01.000Z</published>
<updated>2018-03-18T10:21:32.983Z</updated>
<content type="html"><![CDATA[<p>Welcome to <a href="https://hexo.io/" target="_blank" rel="noopener">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/" target="_blank" rel="noopener">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html" target="_blank" rel="noopener">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues" target="_blank" rel="noopener">GitHub</a>.<br><a id="more"></a></p><h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/writing.html" target="_blank" rel="noopener">Writing</a></p><h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/server.html" target="_blank" rel="noopener">Server</a></p><h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/generating.html" target="_blank" 
rel="noopener">Generating</a></p><h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/deployment.html" target="_blank" rel="noopener">Deployment</a></p>]]></content>
<summary type="html">
<p>Welcome to <a href="https://hexo.io/" target="_blank" rel="noopener">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/" target="_blank" rel="noopener">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html" target="_blank" rel="noopener">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues" target="_blank" rel="noopener">GitHub</a>.<br>
</summary>
</entry>
</feed>