├── .dockerignore ├── .gitattributes ├── .gitignore ├── Dockerfile-emux ├── Dockerfile-vol ├── LICENSE.TXT ├── README.md ├── TODO.TXT ├── build-emux-docker ├── build-emux-volume ├── clean-emux-files ├── docker-entrypoint.sh ├── docs ├── back2workshops-debugging-with-emux.md ├── debugging-with-emux.md ├── emulating-archer-c9.md ├── emulating-dlink-dcs935.md ├── emulating-tenda-ac15.md ├── extracting-tenda-ac15-firmware.md ├── img │ ├── 00-emux-docker.png │ ├── 01-emux-docker-launcher.png │ ├── 01-emux-launcher.png │ ├── 02-emux-kernel-boot-up.png │ ├── 03-emux-trivision-init.png │ ├── 04-emux-trivision-started.png │ ├── 05-armx-cpuinfo.png │ ├── 06-emux-trivision-browser.png │ ├── ARMX-EMUX.png │ ├── armx-on-kali.png │ ├── armx-tenda-emulation.png │ ├── b2w-launcher.png │ ├── b2w-userspace.png │ ├── dcs935-camera.png │ ├── dlink-dcs935.png │ ├── emux-architecture.png │ ├── emux-banner.png │ ├── emux-dirstructure.png │ ├── emux-docker-banner.png │ ├── emux-docker-whale.jpg │ ├── emux-docker-whale2.jpg │ ├── emux-docker.png │ ├── emux-ipcam-launcher.png │ ├── emux-newdevice.png │ ├── emux-operations.png │ ├── emux-tenda-launcher.png │ ├── emux-tenda-start.png │ ├── emuxgdb-01.png │ ├── emuxgdb-04.png │ ├── emuxps-02.png │ ├── emuxps-03.png │ ├── inside_tenda_ac15.jpg │ ├── launcher-command.png │ ├── tenda_01_setup_wizard.png │ ├── tenda_02_connect_wan.png │ ├── tenda_03_password.png │ ├── tenda_04_login.png │ ├── tenda_05_running.png │ ├── tenda_chip_removed.jpg │ ├── tenda_firmware_download.png │ ├── tenda_first_run.png │ ├── tenda_flash_chip.jpg │ ├── tenda_flash_programmer.jpg │ ├── tenda_hot_air_gun.jpg │ ├── tenda_init_scripts.png │ ├── tenda_reading_chip.png │ ├── tenda_reversing_with_ghidra1.png │ ├── tenda_sop8_socket.jpg │ ├── tenda_spi_chip.jpg │ ├── tenda_spi_resurrected.jpg │ ├── tenda_uart_console.jpg │ └── userspace-command.png ├── install-armx-kali.md └── tenda_minicom.txt ├── emux-docker-shell ├── files ├── emux │ ├── AC15 │ │ ├── config │ │ ├── 
flashmem │ │ │ └── flash.tar.bz2 │ │ ├── kernel │ │ │ └── zImage-2.6.39.4-vexpress │ │ ├── mtdparts │ │ ├── nvram_AC15.ini │ │ ├── preload │ │ │ ├── .tenda_hooks_verbose.so │ │ │ ├── libnvram-armx.so │ │ │ └── tenda_hooks.so │ │ ├── squashfs-root.tar.bz2 │ │ └── tenda-crc32 │ ├── ARCHERC9 │ │ ├── config │ │ ├── kernel │ │ │ └── zImage-2.6.39.4-vexpress │ │ ├── nvram_C9.ini │ │ ├── preload │ │ │ └── libnvram-armx.so │ │ └── rootfs.tar.bz2 │ ├── DCS935L │ │ ├── config │ │ ├── kernel │ │ │ └── vmlinux-2.6.30.9-malta-be │ │ └── squashfs-root.tar.bz2 │ ├── DIR615C │ │ ├── config │ │ ├── kernel │ │ │ └── vmlinux-2.6.30.9-malta-be │ │ └── squashfs-root.tar.bz2 │ ├── DV-ARM │ │ ├── config │ │ ├── kernel │ │ │ └── zImage-3.18.109-realview │ │ └── rootfs-arm.tar.bz2 │ ├── DV-MIPSEB │ │ ├── config │ │ ├── kernel │ │ │ └── vmlinux-3.18.109-malta-be │ │ └── rootfs-mips.tar.bz2 │ ├── DV-MIPSEL │ │ ├── config │ │ ├── kernel │ │ │ └── vmlinux-3.18.109-malta-le │ │ └── rootfs-mipsel.tar.bz2 │ ├── LICENSE.TXT │ ├── PH0WNCTF │ │ ├── config │ │ ├── kernel │ │ │ └── vmlinux-3.18.109-malta-le │ │ └── rootfs-mipsel.tar.bz2 │ ├── TRI227WF │ │ ├── config │ │ ├── kernel │ │ │ └── zImage-2.6.28-versatile-nothumb │ │ └── rootfs.tar.bz2 │ ├── debuglogs │ ├── devices │ ├── hostfs │ │ ├── hostfs-aarch64.ext2.bz2 │ │ ├── hostfs-arm.ext2.bz2 │ │ ├── hostfs-mips.ext2.bz2 │ │ └── hostfs-mipsel.ext2.bz2 │ ├── qemuopts │ ├── run │ │ ├── checkemux │ │ ├── concat-mtd │ │ ├── emuxgdb │ │ ├── emuxhalt │ │ ├── emuxkill │ │ ├── emuxmaps │ │ ├── emuxnetstat │ │ ├── emuxps │ │ ├── hide │ │ ├── launcher │ │ ├── loadnvram │ │ ├── monitor │ │ ├── parsedevices │ │ ├── parseini │ │ ├── run-binsh-template │ │ ├── run-chroot │ │ ├── run-init-template │ │ ├── split-mtd │ │ ├── unhide │ │ ├── userspace │ │ └── utils │ └── template │ │ ├── config │ │ ├── kernel │ │ ├── gzImage-4.4.60-arm64 │ │ ├── gzImage-5.10.25-arm64 │ │ ├── vmlinux-2.6.30.9-malta-be │ │ ├── vmlinux-2.6.32.5-malta-mips │ │ ├── 
vmlinux-2.6.32.5-malta-mipsel │ │ ├── vmlinux-3.18.109-malta-be │ │ ├── vmlinux-3.18.109-malta-le │ │ ├── zImage-2.6.28-versatile-nothumb │ │ ├── zImage-2.6.29.6-versatile │ │ ├── zImage-2.6.31.14-realview-rv130-nothumb │ │ ├── zImage-2.6.39.4-vexpress │ │ ├── zImage-3.16.57-vexpress │ │ └── zImage-3.18.109-realview │ │ ├── mtdparts │ │ ├── nvram.ini │ │ └── preload │ │ └── libnvram-armx.so ├── etc │ ├── exports │ ├── local.d │ │ └── 10-tun-network.start │ └── tinyproxy │ │ └── tinyproxy.conf └── home │ └── r0 │ ├── bash_profile │ ├── bashrc │ ├── config │ └── pip │ │ └── pip.conf │ ├── dircolors │ ├── dircolors-solarized │ ├── dircolors.256dark │ ├── dircolors.ansi-dark │ ├── dircolors.ansi-light │ └── dircolors.ansi-universal │ ├── gdbinit │ ├── gdbinit-gef.py │ ├── gef.rc │ ├── ssh │ ├── config │ ├── id_rsa │ ├── id_rsa.pub │ └── known_hosts │ └── tmux.conf ├── run-binwalk-docker ├── run-emux-docker └── workspace └── WORKSPACE_README.TXT /.dockerignore: -------------------------------------------------------------------------------- 1 | workspace 2 | removed-files 3 | overlay-* 4 | docs 5 | images 6 | extras 7 | hostutils 8 | *.txt 9 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.ext2 filter=lfs diff=lfs merge=lfs -text 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | notes.txt 2 | *_notes.txt 3 | images 4 | *.html 5 | *.sh 6 | !docker-entrypoint.sh 7 | css 8 | overlay* 9 | workspace/* 10 | removed-files 11 | !workspace/WORKSPACE_README.TXT 12 | .gitignore-* 13 | 14 | # EMUX Images only for private distribution # 15 | ############################################## 16 | files/emux/[A-Z0-9]* 17 | files/emux/devices-extra 18 | !files/emux/devices 19 | !files/emux/qemuopts 20 | !files/emux/run 21 
| !files/emux/template 22 | !files/emux/hostfs 23 | !files/emux/*.TXT 24 | !files/emux/AC15 25 | !files/emux/ARCHERC9 26 | !files/emux/DV-ARM 27 | !files/emux/DV-MIPSEB 28 | !files/emux/DV-MIPSEL 29 | !files/emux/PH0WNCTF 30 | !files/emux/TRI227WF 31 | !files/emux/DIR615C 32 | !files/emux/DCS935L 33 | !files/emux/debuglogs 34 | !files/emux/logs 35 | !files/emux/dtb 36 | 37 | *.swp 38 | *.psd 39 | 40 | # Backups # 41 | ########### 42 | *.bak 43 | *.old 44 | 45 | # Compiled source # 46 | ################### 47 | *.com 48 | *.class 49 | *.dll 50 | *.exe 51 | *.o 52 | #*.so 53 | 54 | # Packages # 55 | ############ 56 | # it's better to unpack these files and commit the raw source 57 | # git has its own built in compression methods 58 | *.7z 59 | *.dmg 60 | *.gz 61 | *.iso 62 | *.jar 63 | *.rar 64 | *.tar 65 | *.zip 66 | *.ova 67 | 68 | # Logs and databases # 69 | ###################### 70 | *.log 71 | *.sql 72 | *.sqlite 73 | 74 | # OS generated files # 75 | ###################### 76 | .DS_Store 77 | .DS_Store? 78 | ._* 79 | .Spotlight-V100 80 | .Trashes 81 | ehthumbs.db 82 | Thumbs.db 83 | -------------------------------------------------------------------------------- /Dockerfile-emux: --------------------------------------------------------------------------------
# Dockerfile for EMUX-Docker
# by Saumil Shah

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Builds the EMUX workbench image: QEMU system emulators for ARM, MIPS and
# AArch64, debugging and networking tools, and an unprivileged-by-default
# user "r0" whose home directory is populated from files/home/r0.

# The base image is pinned to a release tag rather than the moving "latest".
# NOTE(review): a tag can still be re-pointed upstream; adding the image
# digest would make the base fully reproducible.
#FROM alpine:latest
FROM alpine:3.21.3

# Install packages
# NOTE(review): `apk add --no-cache` fetches its own package index, so this
# separate `apk update` layer looks redundant - confirm before removing.
RUN apk update
RUN apk add \
    qemu-system-arm \
    qemu-system-mips \
    qemu-system-mipsel \
    qemu-system-aarch64 \
    bash sudo pv tar dialog iptables curl wget tmux git \
    vim nano asciinema \
    coreutils util-linux \
    iputils iproute2 \
    build-base \
    python3 python3-dev py3-pip \
    openssh-client openssl openssl-dev \
    libffi-dev \
    xz-dev \
    openrc \
    gdb-multiarch \
    nfs-utils \
    dnsmasq \
    tinyproxy \
    socat \
    netcat-openbsd \
    busybox-extras \
    cmake \
    --no-cache

# Install Python packages
# PIP_BREAK_SYSTEM_PACKAGES=1 lets pip install into the system Python
# instead of refusing on an externally managed environment.
# NOTE(review): none of the pip packages below is version-pinned, so each
# build installs whatever release is current at build time.
ENV PIP_BREAK_SYSTEM_PACKAGES=1
RUN pip install --upgrade pip
RUN pip install wheel
RUN pip install cstruct
RUN pip install ropper

# Uncomment if you want to install pwntools
# NOTE: *** It will take a very long time to build ***
# *** but it works ***
#
#RUN pip install pwntools

# Install packages/repos from Github
WORKDIR /tmp

# Copy network tunnel startup script, NFS exports, tinyproxy config and tinyproxy startup script
COPY files/etc/local.d/* /etc/local.d/
COPY files/etc/exports /etc/exports
COPY files/etc/tinyproxy/* /etc/tinyproxy/

# Create an r0 user for all userland work
# r0 has no password and may run any command through sudo without one, so
# `USER r0` further down is a default login identity, not a privilege
# boundary: docker-entrypoint.sh itself starts the tunnel and NFS services
# through sudo.
RUN adduser --disabled-password --gecos "" r0
RUN echo 'r0 ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers

# Set r0's shell to bash
# Despite the heading, the substitution applies to every /etc/passwd entry
# that contains /bin/ash, not only r0's.
RUN sed -i 's!/bin/ash!/bin/bash!g' /etc/passwd

# Set up the home directory of r0 user
WORKDIR /home/r0

# Add bashrc, ssh configs, etc
# files/home/r0/ssh holds config, id_rsa, id_rsa.pub and known_hosts, so the
# same private key is baked into every image built from this repository, for
# both r0 and root.
# NOTE(review): because the key ships with the source tree it is not a
# secret; presumably it only authenticates to the emulated guests - confirm,
# and do not authorize id_rsa.pub on any host outside the emulation network.
COPY --chown=r0 files/home/r0/bashrc .bashrc
COPY --chown=r0 files/home/r0/bash_profile .bash_profile
COPY --chown=r0 files/home/r0/tmux.conf .tmux.conf
COPY --chown=r0 files/home/r0/ssh .ssh
COPY --chown=r0 files/home/r0/dircolors .dircolors
COPY --chown=r0 files/home/r0/gdbinit .gdbinit
COPY --chown=r0 files/home/r0/gdbinit-gef.py .gdbinit-gef.py
COPY --chown=r0 files/home/r0/gef.rc .gef.rc
COPY --chown=r0 files/home/r0/config .config

COPY --chown=root files/home/r0/bashrc /root/.bashrc
COPY --chown=root files/home/r0/bash_profile /root/.bash_profile
COPY --chown=root files/home/r0/tmux.conf /root/.tmux.conf
COPY --chown=root files/home/r0/ssh /root/.ssh
COPY --chown=root files/home/r0/dircolors /root/.dircolors

# Restrict the private keys (and r0's ssh config) to their owner. These RUN
# steps execute as root because they come before `USER r0`.
RUN chmod 600 /home/r0/.ssh/id_rsa /home/r0/.ssh/config
RUN chmod 600 /root/.ssh/id_rsa

# Set up the docker entrypoint script
COPY ./docker-entrypoint.sh /usr/local/bin

USER r0

ENV TERM=xterm-256color
ENV LANG=C.UTF-8
ENV CHARSET=UTF-8
ENV LC_COLLATE=C

# The entrypoint is named without a path; it is the script copied into
# /usr/local/bin above.
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["/bin/bash"]

-------------------------------------------------------------------------------- /Dockerfile-vol: -------------------------------------------------------------------------------- 1 | # 🦍 Harambe be praised 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | FROM scratch 11 | CMD [""] 12 | -------------------------------------------------------------------------------- /LICENSE.TXT: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. 
"Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. 
"Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. 
Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. 
Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. 
Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. 
Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. 
However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
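374 | 375 | -------------------------------------------------------------------------------- /TODO.TXT: -------------------------------------------------------------------------------- 1 | * NAND Flash support for QEMU Malta 2 | * Migrate hostfs from ext2 image to a file system served over NFS, and booted with root=/dev/nfs from within QEMU 3 | * Mute socat errors from flooding the ARMX DOCKER console 4 | -------------------------------------------------------------------------------- /build-emux-docker: --------------------------------------------------------------------------------
#!/bin/sh

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Builds the EMUX Docker image from Dockerfile-emux and tags it
# $OWNERNAME/$IMAGENAME:$TAGNAME. Refuses to build, with a non-zero exit
# status, when the Docker volume named in $VOL does not exist yet.

OWNERNAME="therealsaumil"
IMAGENAME="emux"
TAGNAME="04-2025"
VOL="harambe"

# check if the volume exists, otherwise refuse to build. It doesn't
# matter really, but nice to ensure that the volume is built, to prevent
# later errors.

# The inspect format prints just the volume name, so anything other than
# an exact match with $VOL is treated as "volume missing".
CHECKVOL=$(docker volume inspect "${VOL}" -f '{{.Name}}')
if [ "$CHECKVOL" != "$VOL" ]
then
   echo "Docker volume $VOL needs to be created."
   echo "Please run ./build-emux-volume first."
   # A bare `exit` would return the status of the preceding echo (0), so a
   # caller could not tell that no image was built.
   exit 1
fi

DOCKER_BUILDKIT=1 docker build -t "$OWNERNAME/$IMAGENAME:$TAGNAME" \
   -f Dockerfile-emux .

-------------------------------------------------------------------------------- /build-emux-volume: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 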
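6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | VOL="harambe" 11 | SRC="files/emux" 12 | DEST="/emux" 13 | 14 | # remove volumes if they exist 15 | echo "Removing ${VOL}" 16 | docker volume rm ${VOL} 17 | 18 | echo "Removing null image" 19 | docker rmi null 20 | 21 | echo "Creating ${VOL} afresh" 22 | docker volume create --name ${VOL} 23 | 24 | echo "Making a new null image" 25 | docker build -t null -f Dockerfile-vol . 26 | docker container create --name empty -v ${VOL}:${DEST} null 27 | 28 | echo "Copying from ${SRC} to ${DEST}" 29 | for s in ${SRC}/* 30 | do 31 | echo "$s -> ${DEST}" 32 | docker cp $s empty:${DEST} 33 | done 34 | 35 | echo "Done..cleaning up containers" 36 | docker rm empty 37 | -------------------------------------------------------------------------------- /clean-emux-files: --------------------------------------------------------------------------------
#!/bin/bash

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Removes generated artefacts below files/: the QEMU share directory, logs,
# flash[01].bin images, run-binsh/run-init scripts and the rootfs directory
# named in each device's config file. It expects to be started from the
# directory that contains files/.

# Every path below is relative to files/. Stop when the directory cannot be
# entered, so that rm and find never run against the caller's own directory.
cd files/ || exit 1

echo "Cleaning files/emux/share/qemu"
rm -Rf emux/share/qemu
echo "Cleaning files/emux/hostfs/hostfs-[a-z]*.ext2"
# NOTE(review): the message names hostfs-[a-z]*.ext2 but only hostfs.ext2 is
# removed here - confirm which of the two is intended.
rm -f emux/hostfs/hostfs.ext2
echo "Cleaning files/emux/debuglogs"
rm -f emux/debuglogs
echo "Cleaning files/emux/logs/*.log"
rm -f emux/logs/*.log
echo "Cleaning up flash[01].bin files"
find . -name "flash[01].bin" -print -exec rm {} \;
echo "Cleaning up run-binsh/run-init files"
find . -name "run-binsh" -print -exec rm {} \;
find . -name "run-init" -print -exec rm {} \;
echo "Cleaning up extracted rootfs"
# NUL-separated names keep config paths that contain whitespace in one piece.
find emux -name "config" -print0 | while IFS= read -r -d '' cfg
do
    path=$(dirname "$cfg")
    # Use the first rootfs= assignment only; a bare "grep rootfs" also picks up
    # comments and can return several lines.
    rootfs=$(grep -E '^[[:space:]]*rootfs=' "$cfg" | head -n 1 | cut -d'=' -f2)
    # An empty value would make the target "${path}/", i.e. the whole device
    # directory, and "..", "." or an absolute path would point outside the
    # extracted rootfs. None of these may reach rm -Rf.
    case "$rootfs" in
        ''|.|/*|*..*)
            echo "skipping ${cfg}: unusable rootfs value '${rootfs}'" >&2
            continue
            ;;
    esac
    if [ -d "${path}/${rootfs}" ]
    then
        echo "removing ${path}/${rootfs}"
        rm -Rf "${path}/${rootfs}"
    fi
done
-------------------------------------------------------------------------------- /docker-entrypoint.sh: --------------------------------------------------------------------------------
#!/bin/bash

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Container entrypoint: runs the tun0 network script, starts the RPC/NFS
# services, starts one socat forwarder per entry of the PORTFWD environment
# variable and prints the banner.

set -e

# Quoted so that "[+]" is printed literally and never treated as a glob.
echo "[+] Starting tun0"
# NOTE(review): with this redirection order stdout is discarded and stderr
# still reaches the console; use ">/dev/null 2>&1" if both were meant to be
# silenced.
sudo /etc/local.d/10-tun-network.start 2>&1 >/dev/null

echo "[+] Starting NFS"
sudo rpcbind -w
sudo rpcinfo
#sudo rpc.nfsd --no-nfs-version 2 --no-nfs-version 3 --nfs-version 4 --debug 4
# NOTE(review): rpc.nfsd is invoked twice in the original; kept as-is, confirm
# whether the second call is needed.
sudo rpc.nfsd --debug 8
sudo rpc.nfsd --debug 8
sudo exportfs -rv
sudo exportfs
#sudo rpc.mountd --debug all --no-nfs-version 2 --no-nfs-version 3 --nfs-version 4
sudo rpc.mountd --debug all

#echo [+] Starting tinyproxy
#sudo tinyproxy
echo "[+] Setting up forwarded ports ${PORTFWD}"

# PORTFWD is a comma-separated list of SRC:DST port pairs supplied through the
# environment. Each accepted entry becomes a listener that relays to the
# emulated device at 192.168.100.2. TCP-LISTEN is given no bind= option, so it
# listens on every interface of the container; which hosts can reach it depends
# on how the container's ports are published (not shown in this script).
IFS=',' read -ra PORTLIST <<< "${PORTFWD}"
for PORTPAIR in "${PORTLIST[@]}"
do
    # Drop stray whitespace, then accept digits only ("SRC:DST", or a single
    # port that maps to itself). Anything else is kept away from the socat
    # command line, where it could add options or extra arguments.
    PORTPAIR=${PORTPAIR//[[:space:]]/}
    if ! [[ "${PORTPAIR}" =~ ^[0-9]+(:[0-9]+)?$ ]]
    then
        echo "[!] ignoring malformed port mapping '${PORTPAIR}'" >&2
        continue
    fi
    SPORT=${PORTPAIR%%:*}
    DPORT=${PORTPAIR##*:}
    echo "[+] mapping port ${SPORT} -> 192.168.100.2:${DPORT}"
    socat "TCP-LISTEN:${SPORT},fork,reuseaddr" "TCP:192.168.100.2:${DPORT}" &
done

echo ' ___ __ __ _ __ __'
echo ' / __| \/ | | |\ \/ / by Saumil Shah | The Exploit Laboratory'
echo ' | __| |\/| | |_| ) ( @therealsaumil | emux.exploitlab.net'
echo ' \___|_| |__\___/_/\_\'
echo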
44 | 45 | exec "$@" 46 | -------------------------------------------------------------------------------- /docs/back2workshops-debugging-with-emux.md: -------------------------------------------------------------------------------- 1 | # Ringzer0 BACK2WORKSHOPS - Debugging with EMUX 2 | 3 | by Saumil Shah [@therealsaumil][saumil] 4 | 5 | [saumil]: https://twitter.com/therealsaumil 6 | 7 | 7 July 2022 8 | 9 | ## Summary 10 | 11 | Emulating the [D-Link DCS-935L WiFi Camera](https://www.dlink.com.au/home-solutions/DCS-935L-hd-wireless-AC600-day-night-cube-cloud-network-camera) with EMUX was fairly straightforward. 12 | 13 | ![D-Link DCS-935L WiFi Camera](img/dcs935-camera.png) 14 | 15 | Follow these simple steps to get a virtual instance of the DCS-935L Camera working in EMUX: 16 | 17 | * Download the firmware from D-Link's site 18 | * Extract the `rootfs` and `kernel` partitions 19 | * Choose a matching kernel for use with QEMU's Malta MIPS Big Endian board 20 | * Putting it all together in EMUX 21 | * Starting up the DCS-935L 22 | 23 | In the end, you should have a working emulated instance of D-Link DCS-935L WiFi Camera! 24 | 25 | 26 | ## Starting EMUX 27 | 28 | If you haven't installed EMUX already, please follow the steps outlined at https://emux.exploitlab.net/ 29 | 30 | First, start the EMUX docker instance: 31 | 32 | ``` 33 | ./run-emux-docker 34 | 35 | : 36 | : 37 | [+] Setting up forwarded ports 20080:80,20443:443,28080:8080,24433:4433,9999:9999 38 | [+] mapping port 20080 -> 192.168.100.2:80 39 | [+] mapping port 20443 -> 192.168.100.2:443 40 | [+] mapping port 28080 -> 192.168.100.2:8080 41 | [+] mapping port 24433 -> 192.168.100.2:4433 42 | [+] mapping port 9999 -> 192.168.100.2:9999 43 | ___ __ __ _ __ __ 44 | / __| \/ | | |\ \/ / by Saumil Shah | The Exploit Laboratory 45 | | __| |\/| | |_| ) ( @therealsaumil | emux.exploitlab.net 46 | \___|_| |__\___/_/\_\ 47 | 48 | [EMUX-DOCKER 🐳] ~$ 49 | ``` 50 | We will leave this terminal as-is, for now. 
51 | 52 | Next, open another terminal and attach to the EMUX docker container: 53 | 54 | ``` 55 | ./emux-docker-shell 56 | 57 | [emux-docker 🐚] ~$ 58 | ``` 59 | 60 | You may have multiple shells open, for convenience. You are ready for the next step. 61 | 62 | ## Launching the target Damn Vulnerable ARM Router 63 | 64 | In the `EMUX-DOCKER` terminal, run `launcher` and select "Damn Vulnerable ARM Router" 65 | 66 | ![launcher](img/b2w-launcher.png) 67 | 68 | In the `emux-docker-shell` terminal, run `userspace` and select the last option to "Enter Damn Vulnerable ARM Router CONSOLE (exec /bin/sh)". Make sure you do not accidentally start the Damn Vulnerable ARM Router! 69 | 70 | ![userspace](img/b2w-userspace.png) 71 | 72 | ## Running the target webserver - nweb 73 | 74 | 75 | 76 | 77 | ## Obtaining the Firmware 78 | 79 | Download the firmware from [D-Link's website](https://files.dlink.com.au/products/DCS-935L/REV_A/Firmware/DCS-935L_FW_1.06.02/DCS-935L_A1_FW_1.06.02_20150717_r3108.bin). Note, the product is discontinued. It is uncertain how long these firmware files will be available on the support site. 80 | 81 | ``` 82 | [emux-docker 🐚] ~$ cd /tmp 83 | [emux-docker 🐚] /tmp$ wget "https://files.dlink.com.au/products/DCS-935L/REV_A/Firmware/DCS-935L_FW_1.06.02/DCS-935L_A1_FW_1.06.02_20150717_r3108.bin" 84 | ``` 85 | 86 | ## Extracting the firmware - kernel and rootfs 87 | 88 | Use `binwalk` to extract the firmware in the `/tmp` directory. 
89 | ``` 90 | [emux-docker 🐚] /tmp$ sudo binwalk --extract --preserve-symlinks --run-as=root DCS-935L_A1_FW_1.06.02_20150717_r3108.bin 91 | 92 | DECIMAL HEXADECIMAL DESCRIPTION 93 | -------------------------------------------------------------------------------- 94 | 10264 0x2818 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 4633120 bytes 95 | 1431586 0x15D822 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5886558 bytes, 1401 inodes, blocksize: 131072 bytes, created: 2038-07-06 00:44:48 96 | 97 | ``` 98 | 99 | The extracted contents will be in the `_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted` directory. 100 | 101 | ``` 102 | [emux-docker 🐚] /tmp$ cd _DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted/ 103 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ ls 104 | ``` 105 | 106 | This is what we get: 107 | 108 | * `2818.7z` - kernel partition 109 | * `15D822.squashfs` - rootfs partition (SquashFS compressed file system) 110 | * `2818` - uncompressed kernel 111 | * `squashfs-root/` - unsquashfs'ed rootfs file system 112 | 113 | Let us check the contents of `squashfs-root`. 
114 | 115 | ``` 116 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ ls -la squashfs-root 117 | 118 | drwxr-xr-x 18 root root 4096 Jul 17 2015 ./ 119 | drwxr-xr-x 3 root root 4096 Apr 29 07:19 ../ 120 | drwxr-xr-x 2 root root 4096 Jul 17 2015 bin/ 121 | drwxr-xr-x 3 root root 12288 Jul 17 2015 dev/ 122 | drwxr-xr-x 7 root root 4096 Jul 17 2015 etc/ 123 | drwxr-xr-x 2 root root 4096 Jul 7 2015 home/ 124 | drwxr-xr-x 3 root root 4096 Jul 17 2015 lib/ 125 | drwxr-xr-x 6 root root 4096 Oct 8 2014 mnt/ 126 | drwxr-xr-x 2 root root 4096 Oct 8 2014 mydlink/ 127 | drwxr-xr-x 2 root root 4096 Oct 8 2014 proc/ 128 | drwxr-xr-x 2 root root 4096 Oct 8 2014 root/ 129 | drwxr-xr-x 2 root root 4096 Jul 17 2015 sbin/ 130 | drwxr-xr-x 2 root root 4096 Jul 17 2015 server/ 131 | drwxr-xr-x 2 root root 4096 Oct 8 2014 share/ 132 | drwxr-xr-x 2 root root 4096 Oct 8 2014 sys/ 133 | lrwxrwxrwx 1 root root 7 Jul 17 2015 tmp -> var/tmp 134 | drwxr-xr-x 6 root root 4096 Oct 8 2014 usr/ 135 | drwxr-xr-x 2 root root 4096 Oct 8 2014 var/ 136 | drwxr-xr-x 3 root root 4096 Jul 17 2015 web/ 137 | ``` 138 | 139 | The camera's file system seems to be successfully extracted. Next, we shall inspect the kernel, mainly to identify the version and CPU architecture. 140 | 141 | ``` 142 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ strings 2818 | grep -i version 143 | 144 | Linux version 2.6.30.9 (root@localhost.localdomain) (gcc version 4.4.5-1.5.5p4 (GCC) ) #42 Fri Jul 17 17:19:53 CST 2015 145 | : 146 | : 147 | 148 | ``` 149 | The DCS-935L uses Linux Kernel 2.6.30.9. Next, we need to inspect one of the binaries to infer the CPU, endianness and any other details we can find. 
We will select the `bin/busybox` binary: 150 | 151 | ``` 152 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ readelf -e squashfs-root/bin/busybox 153 | 154 | ELF Header: 155 | Magic: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 156 | Class: ELF32 157 | Data: 2's complement, big endian 158 | Version: 1 (current) 159 | OS/ABI: UNIX - System V 160 | ABI Version: 0 161 | Type: EXEC (Executable file) 162 | Machine: MIPS R3000 163 | Version: 0x1 164 | Entry point address: 0x4001a0 165 | Start of program headers: 52 (bytes into file) 166 | Start of section headers: 586892 (bytes into file) 167 | Flags: 0x1007, noreorder, pic, cpic, o32, mips1 168 | Size of this header: 52 (bytes) 169 | Size of program headers: 32 (bytes) 170 | Number of program headers: 3 171 | Size of section headers: 40 (bytes) 172 | Number of section headers: 19 173 | Section header string table index: 18 174 | 175 | Section Headers: 176 | [Nr] Name Type Addr Off Size ES Flg Lk Inf Al 177 | [ 0] NULL 00000000 000000 000000 00 0 0 0 178 | [ 1] .rel.dyn REL 00400094 000094 000098 08 A 0 0 4 179 | [ 2] .init PROGBITS 0040012c 00012c 00006c 00 AX 0 0 4 180 | [ 3] .text PROGBITS 004001a0 0001a0 080548 00 AX 0 0 16 181 | [ 4] .fini PROGBITS 004806e8 0806e8 00004c 00 AX 0 0 4 182 | [ 5] .rodata PROGBITS 00480740 080740 00d7d0 00 A 0 0 16 183 | [ 6] .eh_frame PROGBITS 0049e000 08e000 000024 00 WA 0 0 4 184 | [ 7] .ctors PROGBITS 0049e024 08e024 000008 00 WA 0 0 4 185 | [ 8] .dtors PROGBITS 0049e02c 08e02c 000008 00 WA 0 0 4 186 | [ 9] .jcr PROGBITS 0049e034 08e034 000004 00 WA 0 0 4 187 | [10] .data.rel.ro PROGBITS 0049e038 08e038 0009dc 00 WA 0 0 4 188 | [11] .data PROGBITS 0049ea20 08ea20 0003b6 00 WA 0 0 16 189 | [12] .got PROGBITS 0049ede0 08ede0 000604 04 WAp 0 0 16 190 | [13] .sdata PROGBITS 0049f3e4 08f3e4 000004 00 WAp 0 0 4 191 | [14] .sbss NOBITS 0049f3e8 08f3e8 000063 00 WAp 0 0 4 192 | [15] .bss NOBITS 0049f450 08f3e8 0044d4 00 WA 0 0 16 193 | [16] .gnu.attributes 
GNU_ATTRIBUTES 00000000 08f3e8 000010 00 0 0 1 194 | [17] .mdebug.abi32 PROGBITS 00002870 08f3f8 000000 00 0 0 1 195 | [18] .shstrtab STRTAB 00000000 08f3f8 000093 00 0 0 1 196 | Key to Flags: 197 | W (write), A (alloc), X (execute), M (merge), S (strings), I (info), 198 | L (link order), O (extra OS processing required), G (group), T (TLS), 199 | C (compressed), x (unknown), o (OS specific), E (exclude), 200 | D (mbind), p (processor specific) 201 | 202 | Program Headers: 203 | Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align 204 | LOAD 0x000000 0x00400000 0x00400000 0x8df10 0x8df10 R E 0x10000 205 | LOAD 0x08e000 0x0049e000 0x0049e000 0x013e8 0x05924 RW 0x10000 206 | GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 207 | 208 | Section to Segment mapping: 209 | Segment Sections... 210 | 00 .rel.dyn .init .text .fini .rodata 211 | 01 .eh_frame .ctors .dtors .jcr .data.rel.ro .data .got .sdata .sbss .bss 212 | 02 213 | ``` 214 | Here are the important bits of information that we need: 215 | 216 | ``` 217 | Data: 2's complement, big endian 218 | Machine: MIPS R3000 219 | ``` 220 | The DCS-935L is a MIPS system, running in Big Endian mode. Let us check if data execution prevention is enabled. The following `GNU_STACK` line tells us that the binary requests a stack that is readable, writable and executable (RWE), so data execution prevention is not enabled for it and shall not be a hurdle when it comes to exploit development. From a hardening point of view, this means the firmware ships without a non-executable stack as a mitigation. 221 | ``` 222 | GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 223 | ``` 224 | 225 | ## Choose a matching kernel for use with QEMU 226 | 227 | Emulating an IoT device under QEMU has certain tradeoffs. EMUX uses the following predefined boards that come bundled with QEMU for MIPS: 228 | 229 | ``` 230 | [emux-docker 🐚] ~$ qemu-system-mips-7.0.0 -machine help 231 | Supported machines are: 232 | malta MIPS Malta Core LV (default) 233 | mipssim MIPS MIPSsim platform 234 | none empty machine 235 | ``` 236 | 237 | We will be using the `MIPS Malta` board.
EMUX comes with a few prebuilt kernels that support QEMU's Malta board. 238 | 239 | ``` 240 | [emux-docker 🐚] ~$ ls /emux/template/kernel/ | grep malta 241 | vmlinux-2.6.30.9-malta-be* 242 | vmlinux-2.6.32.5-malta-mips* 243 | vmlinux-2.6.32.5-malta-mipsel* 244 | vmlinux-3.18.109-malta-be* 245 | vmlinux-3.18.109-malta-le* 246 | ``` 247 | 248 | The `vmlinux-2.6.30.9-malta-be` fits our bill perfectly. We shall use this one for now. Compiling a custom kernel shall be discussed in another document. 249 | 250 | ## Putting it all together 251 | 252 | ### Copy the `template` and make a new device 253 | 254 | We shall choose `DCS935L` as the EMUX device ID for the D-Link DCS-935L Camera. 255 | 256 | ``` 257 | [emux-docker 🐚] ~$ cd /emux/ 258 | [emux-docker 🐚] /emux$ cp -r template DCS935L 259 | ``` 260 | 261 | ### Remove unnecessary contents from the `DCS935L` directory: 262 | 263 | ``` 264 | [emux-docker 🐚] /emux$ cd DCS935L/ 265 | [emux-docker 🐚] /emux/DCS935L$ rm -r mtdparts nvram.ini preload 266 | [emux-docker 🐚] /emux/DCS935L$ cd kernel/ 267 | [emux-docker 🐚] /emux/DCS935L/kernel$ rm -f zImage-* vmlinux-2.6.32.5-* vmlinux-3.18.109-* 268 | [emux-docker 🐚] /emux/DCS935L/kernel$ ls 269 | vmlinux-2.6.30.9-malta-be* 270 | [emux-docker 🐚] /emux/DCS935L/kernel$ cd .. 271 | ``` 272 | 273 | We are now left with `config` and `kernel/vmlinux-2.6.30.9-malta-be` in the `DCS935L` directory. Next, we shall move the extracted `squashfs-root` into the `DCS935L` directory. Be sure to run these commands with `sudo` as they require root privileges. 274 | 275 | ``` 276 | [emux-docker 🐚] /emux/DCS935L$ sudo mv /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted/squashfs-root . 
277 | [emux-docker 🐚] /emux/DCS935L$ sudo chown -R r0:r0 squashfs-root/ 278 | ``` 279 | 280 | ### The `config` file 281 | 282 | Now that the kernel and the rootfs are in place, edit the `config` file as follows: 283 | 284 | ``` 285 | # DLINK DCS-935L WiFi Camera 286 | # With major contributions by @bl4ckh0l3z 287 | # 288 | id=DCS935L 289 | rootfs=squashfs-root 290 | randomize_va_space=0 291 | initcommands="/bin/sh" 292 | ``` 293 | 294 | Explanation: 295 | 296 | * `id=DCS935L` - This should be the same as the directory name in `/emux/`. 297 | * `rootfs=squashfs-root` - directory that holds the `rootfs`. Ensure it is owned by `r0:r0`. 298 | * `randomize_va_space=0` - disable ASLR. 299 | * `initcommands="/bin/sh"` - Initially, only invoke `/bin/sh` after starting `userspace`. 300 | 301 | ### Create an entry in `/emux/devices` 302 | 303 | Add the following entry to the EMUX devices list in `/emux/devices`: 304 | 305 | ``` 306 | DCS935L,qemu-system-mips-7.0.0,malta,,,128M,vmlinux-2.6.30.9-malta-be,MALTA2,D-Link DCS-935L Camera 307 | ``` 308 | 309 | ## `launcher` - First attempt 310 | 311 | ``` 312 | [EMUX-DOCKER 🐳] ~$ launcher 313 | ``` 314 | 315 | Select the `D-Link DCS-935L Camera` from the list. 
The kernel should boot up and you should see the following message: 316 | 317 | ``` 318 | Starting EMUX OK 319 | 320 | ____ __ __ _ __ __ 321 | / ___| \/ | | |\ \/ / by Saumil Shah | The Exploit Laboratory 322 | | ___| |\/| | |_| ) ( @therealsaumil | emux.exploitlab.net 323 | \____|_| |__\___/_/\_\ Linux 2.6.30.9 [mips] 324 | 325 | Architecture: mips 326 | Byte Order: Big Endian 327 | CPU(s): 1 328 | On-line CPU(s) list: 0 329 | Thread(s) per core: 1 330 | Core(s) per socket: 1 331 | Socket(s): 1 332 | Model: MIPS 24Kc V0.0 FPU V0.0 333 | BogoMIPS: 1127.21 334 | Flags: mips16 335 | 336 | EMUX DEVICE CONSOLE 337 | ``` 338 | 339 | At this point, run `userspace` from an EMUX docker shell: 340 | 341 | ``` 342 | [emux-docker 🐚] ~$ userspace 343 | ``` 344 | 345 | Select `Start D-Link DCS-935L Camera` 346 | 347 | You should see a `busybox` shell and be able to run commands in the context of the DCS-935L Camera. Note that none of the camera's processes and services are running yet. We still have to figure out the starting point of all userland code. `init` is the first process that is typically executed once the kernel passes control to the userland. The processes to be kicked off are usually found in `/etc/inittab`. 348 | 349 | ### Inspecting `/etc/inittab` 350 | 351 | ``` 352 | # cat /etc/inittab 353 | 354 | # Boot-time system configuration/initialization script. 355 | ::sysinit:/etc/rc.d/rcS 356 | 357 | # Start an "askfirst" shell on the console (whatever that may be) 358 | #::askfirst:-/bin/sh 359 | ::respawn:-/bin/sh 360 | 361 | # Start an "askfirst" shell on /dev/tty2-4 362 | #tty2::askfirst:-/bin/sh 363 | #tty3::askfirst:-/bin/sh 364 | #tty4::askfirst:-/bin/sh 365 | ``` 366 | 367 | `/etc/rc.d/rcS` is the main start up script. We will invoke it manually. At this point, it is a process of trial and error. Sometimes everything runs smoothly, and in other instances, a few things may need to be tweaked/patched/fixed. There is no standard one-size-fits-all process. 
Be prepared to spend a week when working with an entirely new device! 368 | 369 | If everything succeeds, you should see the following messages: 370 | 371 | ``` 372 | Starting https... 373 | httpd: Authentication Mode: Normal 374 | Starting schboot ... . 375 | Starting eventd ... . 376 | [schboot] start checking... 377 | [event] Found Local Mac: 52:54:00:12:34:56 378 | Starting httpd ... httpd: Authentication Mode: Normal 379 | . 380 | Starting hnap_push_service ... . 381 | Starting ipfind ... . 382 | [hnap_push_service][create_hnap_login_info] 383 | [hnap_push_service][loadDeviceList] begin 384 | [event] eventrecord idle! 385 | [event] eventrecaudio idle! 386 | [event] eventsnapshot idle! 387 | [event] Set IOT Snapshot Enable: 0 388 | [event] Set IOT Video clip Enable: 0 389 | Starting rtsp... 390 | [event] Set IOT Notification Enable: 0 391 | Starting ddp ... . 392 | ``` 393 | 394 | Running `emuxps` from another EMUX docker shell confirms that `httpd` is running. 395 | 396 | ``` 397 | [emux-docker 🐚] ~$ emuxps | grep httpd 398 | 2968 pts/1 S 0:00 /usr/sbin/httpd-manager 399 | 3040 pts/1 S 0:00 ./ssl-httpd 8088 1 0 0 400 | 3082 pts/1 S 0:00 ./httpd 80 1 1 1 401 | ``` 402 | 403 | Open a browser and navigate to `https://localhost:20080`. The username is `admin` and the password is blank. Port 20080 is the forward to the camera's port 80, where the `emuxps` output above shows the plain `httpd` listening (`ssl-httpd` is on 8088), so fall back to `http://` if the TLS connection fails. Because the admin account has no password, keep the forwarded ports reachable only from the analysis machine. 404 | 405 | ![Emulated D-Link DCS-935L Web Interface](img/dlink-dcs935.png) 406 | 407 | ## Final version 408 | 409 | To automate the start up, we shall add `/etc/rc.d/rcS` in the `initcommands` in the `config` file. Hat tip to [@bl4ckh0l3z][blackholes] for getting UPnP to work properly!
410 | 411 | ``` 412 | # DLINK DCS-935L WiFi Camera 413 | # With major contributions by @bl4ckh0l3z 414 | # 415 | id=DCS935L 416 | rootfs=squashfs-root 417 | randomize_va_space=0 418 | initcommands="/etc/rc.d/rcS;touch /tmp/.hnap_device_list_tmp.xml;/bin/sh" 419 | ``` 420 | 421 | ## Concluding thoughts 422 | 423 | This article was intended to familiarise you with what it takes to emulate a new MIPS device from scratch. 424 | 425 | For those of you who want to learn about IoT exploitation, take this as a challenge and discover vulnerabilities on the DCS-935L. Try to reproduce some existing CVE's against the emulated DCS-935L, or find 0-days on your own! 426 | 427 | Follow me on Twitter *[@therealsaumil][saumil]* for updates on [EMUX][emux], new articles, talks and [trainings][R0ARM]! 428 | 429 | ## END 430 | 431 | [R0ARM]: https://ringzer0.training/arm-iot-exploitlab.html 432 | [emux]: https://emux.exploitlab.net/ 433 | -------------------------------------------------------------------------------- /docs/debugging-with-emux.md: -------------------------------------------------------------------------------- 1 | # Debugging With EMUX 2 | 3 | by Saumil Shah [@therealsaumil][saumil] 4 | 5 | [saumil]: https://twitter.com/therealsaumil 6 | 7 | October 2021 8 | 9 | ## TL;DR: 10 | 11 | The EMUX Docker image contains updated tools and scripts to make debugging emulated IoT processes easy. No more fiddling around with `gdbserver` and GDB's `target remote`, `set sysroot` commands! One command to debug them all. 12 | 13 | ![emuxgdb](img/emuxgdb-04.png) 14 | 15 | ## An EMUX Debugging Tutorial 16 | 17 | The EMUX Firmware Emulation Framework contains essential tools and utilities to statically and dynamically analyse emulated IoT targets. Here, we shall see how to use `gdb` to debug a process running on an emulated IoT target. We shall use the **EMUX Docker image** and debug the web server running on the **Trivision NC-227-WF IP Camera** as an example. 18 | 19 | ## 1. 
Start the EMUX Docker Container 20 | 21 | ``` 22 | ./run-emux-docker 23 | ``` 24 | 25 | ![Docker](img/00-emux-docker.png "EMUX Virtual Machine") 26 | 27 | ## 2. Start the Trivision IP Camera 28 | 29 | Click the EMUX Launcher icon on the top toolbar and select the **Trivision NC-227-WF IP Camera**: 30 | 31 | ![Launcher](img/01-emux-docker-launcher.png "EMUX Launcher") 32 | 33 | The EMUX launcher invokes QEMU and boots the kernel registered with the IP Camera, mounts `hostfs-arm.ext2` and shows the EMUX console. 34 | 35 | ![Console](img/02-emux-kernel-boot-up.png "EMUX Console") 36 | 37 | ## 3. "Boot up" the IP Camera in EMUX 38 | 39 | Attach to a new shell in the EMUX Docker container by invoking `./emux-docker-shell`. Once you are in the shell, run the `userspace` command to access the userspace menu: 40 | 41 | ``` 42 | ./emux-docker-shell 43 | [emux-docker 🐚] ~$ userspace 44 | ``` 45 | 46 | Select the option **Start Trivision NC-227-WF IP Camera**. 47 | 48 | ![init](img/03-emux-trivision-init.png "EMUX Terminal") 49 | 50 | The IP Camera's `init` scripts will now be started and eventually all its system and application services will be running. 51 | 52 | ![init](img/04-emux-trivision-started.png "IP Camera started") 53 | 54 | ## 4. Start the EMUX HOSTFS Debug Shell (Optional) 55 | 56 | Attaching to a new shell and running `userspace` again invoke the **EMUX HOSTFS DEBUG Shell**. This shell allows you to run commands to view running processes, inspect a process' virtual memory map, run utilities like `objdump`, `strace`, `ltrace`, etc. 57 | 58 | At this point, the emulated IP Camera is ready to be analysed. 59 | 60 | ![Ready](img/emuxgdb-01.png) 61 | 62 | ## 5. Enumerating processes on the emulated device 63 | 64 | The `/emux/run` directory contains a few scripts to enable easy enumeration of the device's processes and also attach a debugger to a device process. `/emux/run` is present in the `$PATH` on the EMUX Docker container. 
65 | 66 | Attach to a new docker shell using `./emux-docker-shell` and run `emuxps`: 67 | 68 | ![emuxps](img/emuxps-02.png) 69 | 70 | ``` 71 | emux~$ emuxps 72 | PID TTY STAT TIME COMMAND 73 | 1 ? Ss 0:00 init 74 | 2 ? S< 0:00 [kthreadd] 75 | 3 ? S< 0:00 [ksoftirqd/0] 76 | 4 ? S< 0:00 [watchdog/0] 77 | 5 ? S< 0:00 [events/0] 78 | 6 ? S< 0:00 [khelper] 79 | 9 ? S< 0:00 [async/mgr] 80 | 105 ? S< 0:00 [kblockd/0] 81 | 112 ? S< 0:00 [kseriod] 82 | 118 ? S< 0:00 [kmmcd] 83 | 143 ? S 0:00 [khungtaskd] 84 | 144 ? S 0:00 [pdflush] 85 | 145 ? S 0:00 [pdflush] 86 | 146 ? S< 0:00 [kswapd0] 87 | 147 ? S< 0:00 [aio/0] 88 | 148 ? S< 0:00 [nfsiod] 89 | 300 ? S< 0:00 [scsi_eh_0] 90 | 324 ? S< 0:00 [mtdblockd] 91 | 332 ? S< 0:00 [kpsmoused] 92 | 367 ? S< 0:00 [rpciod/0] 93 | 385 ? Ss 0:00 /sbin/syslogd -m 0 94 | 387 ? Ss 0:00 /sbin/klogd 95 | 409 ? Ss 0:00 /usr/sbin/dropbear 96 | 413 ttyAMA0 Ss+ 0:00 /sbin/agetty -p -L ttyAMA0 115200 vt100 97 | 414 ? Ss 0:01 /usr/sbin/dropbear 98 | 415 pts/0 Ss 0:00 -sh 99 | 430 pts/0 S 0:00 /bin/bash ./run-init 100 | 441 pts/0 S 0:00 /bin/sh /etc/emuxinit 101 | 465 ? Ss 0:00 syslogd 102 | 467 ? Ss 0:00 klogd 103 | 480 pts/0 S 0:00 nvctl 104 | 482 pts/0 S 0:00 inetd_tcp 105 | 493 pts/0 S 0:00 netmgr 106 | 498 pts/0 S 0:00 storage 107 | 501 pts/0 S 0:00 nvrd 108 | 507 pts/0 S 0:00 httpclient -c /var/config/httpclient_task15.conf 109 | 510 pts/0 S 0:00 taskmgr 110 | 511 pts/0 S+ 0:00 /bin/sh 111 | 538 pts/0 S 0:00 ndcpd 112 | 540 pts/0 S 0:00 ndcpd2 113 | 542 pts/0 S 0:00 ndcpd3 114 | 547 pts/0 S 0:00 upnpd eth0 115 | 550 pts/0 S 0:00 upnpd eth0 116 | 551 pts/0 S 0:00 upnpd eth0 117 | 552 pts/0 S 0:00 upnpd eth0 118 | 554 pts/0 S 0:00 upnpd eth0 119 | 556 pts/0 S 0:00 webs 120 | 557 pts/0 S 0:00 upnpd eth0 121 | 559 pts/0 S 0:00 upnpd eth0 122 | 560 pts/0 S 0:00 upnpd eth0 123 | 562 pts/0 S 0:00 onvifn 124 | 564 pts/0 S 0:00 onvifd 125 | 567 pts/0 S 0:00 ipcamd 126 | 569 pts/0 S 0:00 ipcamd 127 | 571 pts/0 S 0:00 ipcamd 128 | 572 ? 
Ss 0:01 /usr/sbin/dropbear 129 | 575 ? R 0:00 ps ax 130 | ``` 131 | 132 | Internally, `emuxps` invokes `ssh` and runs a process enumeration command on the emulated device accessible at `192.168.100.2`. You can perform the same task by invoking the EMUX HOSTFS Debug Shell and running the `ps` command within it, however `emuxps` makes the task easier. 133 | 134 | ![emuxps](img/emuxps-03.png) 135 | 136 | ## 6. Debugging the Web Server 137 | 138 | We will now invoke `gdb` and attach it to the `webs` process running in QEMU. We need a cross-platform GDB that runs on an x86 host and is capable of debugging ARM targets. The EMUX Docker container has `gdb-multiarch` installed in it. 139 | 140 | The typical process would involve invoking the EMUX HOSTFS Debug Shell, running `gdbserver :5000 --attach $(pidof webs)` and then invoking `gdb-multiarch` and connecting to the remote target using: 141 | 142 | ``` 143 | target remote 192.168.100.2:5000 144 | set sysroot target:/emux/TRI227WF/rootfs 145 | ``` 146 | 147 | The `set sysroot` command is important for GDB to find the proper binaries for symbol resolution, since the IP Camera's binaries are running inside a `chroot` jail. 148 | 149 | However, all this is made easy using `/emux/run/emuxgdb`. `emuxgdb` launches `gdb-multiarch`, and internally invokes `ssh` to launch `gdbserver` on `192.168.100.2`. Remote debugging then runs over the SSH connection's standard input and output, which also avoids leaving an unauthenticated `gdbserver` listener open on port 5000! 150 | 151 | ![emuxgdb](img/emuxgdb-04.png) 152 | 153 | ``` 154 | emux:~$ emuxgdb webs 155 | Remote debugging using | ssh -T root@192.168.100.2 gdbserver - --attach \`pidof webs\` 156 | Attached; pid = 556 157 | Remote debugging using stdio 158 | Reading /emux/TRI227WF/rootfs/usr/bin/webs from remote target... 159 | warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead. 160 | Reading /emux/TRI227WF/rootfs/usr/bin/webs from remote target...
161 | Reading symbols from target:/emux/TRI227WF/rootfs/usr/bin/webs...(no debugging symbols found)...done. 162 | Reading /lib/libgcc_s.so.1 from remote target... 163 | warning: .dynamic section for "target:/lib/libgcc_s.so.1" is not at the expected address (wrong library or version mismatch?) 164 | Reading /lib/libc.so.0 from remote target... 165 | warning: .dynamic section for "target:/lib/libc.so.0" is not at the expected address (wrong library or version mismatch?) 166 | Reading /lib/ld-linux.so.3 from remote target... 167 | Error while mapping shared library sections: 168 | Could not open `target:/lib/ld-linux.so.3' as an executable file: No such file or directory 169 | Reading symbols from target:/lib/libgcc_s.so.1...(no debugging symbols found)...done. 170 | Reading symbols from target:/lib/libc.so.0...(no debugging symbols found)...done. 171 | Reading /lib/ld-linux.so.3 from remote target... 172 | warning: Unable to find dynamic linker breakpoint function. 173 | GDB will be unable to debug shared library initializers 174 | and track explicitly loaded dynamic code. 175 | 0x4002f8c4 in ?? () from target:/lib/libc.so.0 176 | Reading /emux/TRI227WF/rootfs/lib/libgcc_s.so.1 from remote target... 177 | Reading /emux/TRI227WF/rootfs/lib/libgcc_s.so.1 from remote target... 178 | Reading symbols from target:/emux/TRI227WF/rootfs/lib/libgcc_s.so.1...done. 179 | Reading /emux/TRI227WF/rootfs/lib/libc.so.0 from remote target... 180 | Reading /emux/TRI227WF/rootfs/lib/libc.so.0 from remote target... 181 | Reading symbols from target:/emux/TRI227WF/rootfs/lib/libc.so.0...done. 182 | Reading /emux/TRI227WF/rootfs/lib/ld-linux.so.3 from remote target... 183 | Reading /emux/TRI227WF/rootfs/lib/ld-linux.so.3 from remote target... 184 | Reading symbols from target:/emux/TRI227WF/rootfs/lib/ld-linux.so.3...(no debugging symbols found)...done. 185 | Reading /emux/TRI227WF/rootfs/lib/ld-linux.so.3 from remote target... 
186 | (gdb) 187 | ``` 188 | 189 | Now, you can go about debugging `webs` as you wish. 190 | 191 | ``` 192 | (gdb) info registers 193 | r0 0xfffffdfe 4294966782 194 | r1 0x40083c88 1074281608 195 | r2 0x40083ca0 1074281632 196 | r3 0x40083cb8 1074281656 197 | r4 0xbefffa68 3204446824 198 | r5 0x1 1 199 | r6 0x40083ca0 1074281632 200 | r7 0x8e 142 201 | r8 0x40083cb8 1074281656 202 | r9 0x4007a7a0 1074243488 203 | r10 0x0 0 204 | r11 0x4 4 205 | r12 0x61068 397416 206 | sp 0xbefffa38 0xbefffa38 207 | lr 0x43cf0 277744 208 | pc 0x4002f8c4 0x4002f8c4 209 | cpsr 0x60000010 1610612752 210 | ``` 211 | 212 | ``` 213 | (gdb) info proc mappings 214 | process 556 215 | Mapped address spaces: 216 | 217 | Start Addr End Addr Size Offset objfile 218 | 0x8000 0x59000 0x51000 0x0 /emux/TRI227WF/rootfs/usr/bin/webs 219 | 0x60000 0x61000 0x1000 0x50000 /emux/TRI227WF/rootfs/usr/bin/webs 220 | 0x61000 0x65000 0x4000 0x51000 /emux/TRI227WF/rootfs/usr/bin/webs 221 | 0x65000 0x78000 0x13000 0x0 [heap] 222 | 0x40000000 0x40005000 0x5000 0x0 /emux/TRI227WF/rootfs/lib/ld-uClibc-0.9.30.2.so 223 | 0x40005000 0x40006000 0x1000 0x0 224 | 0x4000c000 0x4000d000 0x1000 0x4000 /emux/TRI227WF/rootfs/lib/ld-uClibc-0.9.30.2.so 225 | 0x4000d000 0x4000e000 0x1000 0x5000 /emux/TRI227WF/rootfs/lib/ld-uClibc-0.9.30.2.so 226 | 0x4000e000 0x40018000 0xa000 0x0 /emux/TRI227WF/rootfs/lib/libgcc_s.so.1 227 | 0x40018000 0x4001f000 0x7000 0x0 228 | 0x4001f000 0x40020000 0x1000 0x9000 /emux/TRI227WF/rootfs/lib/libgcc_s.so.1 229 | 0x40020000 0x40021000 0x1000 0xa000 /emux/TRI227WF/rootfs/lib/libgcc_s.so.1 230 | 0x40021000 0x4006b000 0x4a000 0x0 /emux/TRI227WF/rootfs/lib/libuClibc-0.9.30.2.so 231 | 0x4006b000 0x40072000 0x7000 0x0 232 | 0x40072000 0x40073000 0x1000 0x49000 /emux/TRI227WF/rootfs/lib/libuClibc-0.9.30.2.so 233 | 0x40073000 0x40074000 0x1000 0x4a000 /emux/TRI227WF/rootfs/lib/libuClibc-0.9.30.2.so 234 | 0x40074000 0x400f9000 0x85000 0x0 235 | 0xbefeb000 0xbf000000 0x15000 0x0 [stack] 236 | ``` 237 | 238 
| ## Links 239 | 240 | EMUX Home Page: https://emux.exploitlab.net/ 241 | 242 | Github: https://github.com/therealsaumil/emux/ 243 | 244 | *[@therealsaumil][saumil]* 245 | 246 | [saumil]: https://twitter.com/therealsaumil 247 | -------------------------------------------------------------------------------- /docs/emulating-dlink-dcs935.md: -------------------------------------------------------------------------------- 1 | # Tutorial - Emulating the DLINK DCS-935L IP Camera with EMUX 2 | 3 | by Saumil Shah [@therealsaumil][saumil] 4 | with major contributions from [@bl4ckh0l3z][blackholes] 5 | 6 | [saumil]: https://twitter.com/therealsaumil 7 | [blackholes]: https://twitter.com/bl4ckh0l3z 8 | 9 | April 2022 10 | 11 | ## Summary 12 | 13 | Emulating the [D-Link DCS-935L WiFi Camera](https://www.dlink.com.au/home-solutions/DCS-935L-hd-wireless-AC600-day-night-cube-cloud-network-camera) with EMUX was fairly straightforward. 14 | 15 | ![D-Link DCS-935L WiFi Camera](img/dcs935-camera.png) 16 | 17 | Follow these simple steps to get a virtual instance of the DCS-935L Camera working in EMUX: 18 | 19 | * Download the firmware from D-Link's site 20 | * Extract the `rootfs` and `kernel` partitions 21 | * Choose a matching kernel for use with QEMU's Malta MIPS Big Endian board 22 | * Putting it all together in EMUX 23 | * Starting up the DCS-935L 24 | 25 | In the end, you should have a working emulated instance of D-Link DCS-935L WiFi Camera! 
26 | 27 | If you haven't installed EMUX already, please follow the steps outlined at https://emux.exploitlab.net/ 28 | 29 | ## Starting EMUX 30 | 31 | First, start the EMUX docker instance: 32 | 33 | ``` 34 | ./run-emux-docker 35 | 36 | : 37 | : 38 | [+] Setting up forwarded ports 20080:80,20443:443,28080:8080,24433:4433,9999:9999 39 | [+] mapping port 20080 -> 192.168.100.2:80 40 | [+] mapping port 20443 -> 192.168.100.2:443 41 | [+] mapping port 28080 -> 192.168.100.2:8080 42 | [+] mapping port 24433 -> 192.168.100.2:4433 43 | [+] mapping port 9999 -> 192.168.100.2:9999 44 | ___ __ __ _ __ __ 45 | / __| \/ | | |\ \/ / by Saumil Shah | The Exploit Laboratory 46 | | __| |\/| | |_| ) ( @therealsaumil | emux.exploitlab.net 47 | \___|_| |__\___/_/\_\ 48 | 49 | [EMUX-DOCKER 🐳] ~$ 50 | ``` 51 | We will leave this terminal as-is, for now. 52 | 53 | Next, open another terminal and attach to the EMUX docker container: 54 | 55 | ``` 56 | ./emux-docker-shell 57 | 58 | [emux-docker 🐚] ~$ 59 | ``` 60 | 61 | You may have multiple shells open, for convenience. You are ready for the next step. 62 | 63 | ## Obtaining the Firmware 64 | 65 | Download the firmware from [D-Link's website](https://files.dlink.com.au/products/DCS-935L/REV_A/Firmware/DCS-935L_FW_1.06.02/DCS-935L_A1_FW_1.06.02_20150717_r3108.bin). Note, the product is discontinued. It is uncertain how long these firmware files will be available on the support site. 66 | 67 | ``` 68 | [emux-docker 🐚] ~$ cd /tmp 69 | [emux-docker 🐚] /tmp$ wget "https://files.dlink.com.au/products/DCS-935L/REV_A/Firmware/DCS-935L_FW_1.06.02/DCS-935L_A1_FW_1.06.02_20150717_r3108.bin" 70 | ``` 71 | 72 | ## Extracting the firmware - kernel and rootfs 73 | 74 | Use `binwalk` to extract the firmware in the `/tmp` directory. 
75 | ``` 76 | [emux-docker 🐚] /tmp$ sudo binwalk --extract --preserve-symlinks --run-as=root DCS-935L_A1_FW_1.06.02_20150717_r3108.bin 77 | 78 | DECIMAL HEXADECIMAL DESCRIPTION 79 | -------------------------------------------------------------------------------- 80 | 10264 0x2818 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 4633120 bytes 81 | 1431586 0x15D822 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5886558 bytes, 1401 inodes, blocksize: 131072 bytes, created: 2038-07-06 00:44:48 82 | 83 | ``` 84 | 85 | The extracted contents will be in the `_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted` directory. 86 | 87 | ``` 88 | [emux-docker 🐚] /tmp$ cd _DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted/ 89 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ ls 90 | ``` 91 | 92 | This is what we get: 93 | 94 | * `2818.7z` - kernel partition 95 | * `15D822.squashfs` - rootfs partition (SquashFS compressed file system) 96 | * `2818` - uncompressed kernel 97 | * `squashfs-root/` - unsquashfs'ed rootfs file system 98 | 99 | Let us check the contents of `squashfs-root`. 
100 | 101 | ``` 102 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ ls -la squashfs-root 103 | 104 | drwxr-xr-x 18 root root 4096 Jul 17 2015 ./ 105 | drwxr-xr-x 3 root root 4096 Apr 29 07:19 ../ 106 | drwxr-xr-x 2 root root 4096 Jul 17 2015 bin/ 107 | drwxr-xr-x 3 root root 12288 Jul 17 2015 dev/ 108 | drwxr-xr-x 7 root root 4096 Jul 17 2015 etc/ 109 | drwxr-xr-x 2 root root 4096 Jul 7 2015 home/ 110 | drwxr-xr-x 3 root root 4096 Jul 17 2015 lib/ 111 | drwxr-xr-x 6 root root 4096 Oct 8 2014 mnt/ 112 | drwxr-xr-x 2 root root 4096 Oct 8 2014 mydlink/ 113 | drwxr-xr-x 2 root root 4096 Oct 8 2014 proc/ 114 | drwxr-xr-x 2 root root 4096 Oct 8 2014 root/ 115 | drwxr-xr-x 2 root root 4096 Jul 17 2015 sbin/ 116 | drwxr-xr-x 2 root root 4096 Jul 17 2015 server/ 117 | drwxr-xr-x 2 root root 4096 Oct 8 2014 share/ 118 | drwxr-xr-x 2 root root 4096 Oct 8 2014 sys/ 119 | lrwxrwxrwx 1 root root 7 Jul 17 2015 tmp -> var/tmp 120 | drwxr-xr-x 6 root root 4096 Oct 8 2014 usr/ 121 | drwxr-xr-x 2 root root 4096 Oct 8 2014 var/ 122 | drwxr-xr-x 3 root root 4096 Jul 17 2015 web/ 123 | ``` 124 | 125 | The camera's file system seems to be successfully extracted. Next, we shall inspect the kernel, mainly to identify the version and CPU architecture. 126 | 127 | ``` 128 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ strings 2818 | grep -i version 129 | 130 | Linux version 2.6.30.9 (root@localhost.localdomain) (gcc version 4.4.5-1.5.5p4 (GCC) ) #42 Fri Jul 17 17:19:53 CST 2015 131 | : 132 | : 133 | 134 | ``` 135 | The DCS-935L uses Linux Kernel 2.6.30.9. Next, we need to inspect one of the binaries to infer the CPU, endianness and any other details we can find. 
We will select the `bin/busybox` binary: 136 | 137 | ``` 138 | [emux-docker 🐚] /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted$ readelf -e squashfs-root/bin/busybox 139 | 140 | ELF Header: 141 | Magic: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 142 | Class: ELF32 143 | Data: 2's complement, big endian 144 | Version: 1 (current) 145 | OS/ABI: UNIX - System V 146 | ABI Version: 0 147 | Type: EXEC (Executable file) 148 | Machine: MIPS R3000 149 | Version: 0x1 150 | Entry point address: 0x4001a0 151 | Start of program headers: 52 (bytes into file) 152 | Start of section headers: 586892 (bytes into file) 153 | Flags: 0x1007, noreorder, pic, cpic, o32, mips1 154 | Size of this header: 52 (bytes) 155 | Size of program headers: 32 (bytes) 156 | Number of program headers: 3 157 | Size of section headers: 40 (bytes) 158 | Number of section headers: 19 159 | Section header string table index: 18 160 | 161 | Section Headers: 162 | [Nr] Name Type Addr Off Size ES Flg Lk Inf Al 163 | [ 0] NULL 00000000 000000 000000 00 0 0 0 164 | [ 1] .rel.dyn REL 00400094 000094 000098 08 A 0 0 4 165 | [ 2] .init PROGBITS 0040012c 00012c 00006c 00 AX 0 0 4 166 | [ 3] .text PROGBITS 004001a0 0001a0 080548 00 AX 0 0 16 167 | [ 4] .fini PROGBITS 004806e8 0806e8 00004c 00 AX 0 0 4 168 | [ 5] .rodata PROGBITS 00480740 080740 00d7d0 00 A 0 0 16 169 | [ 6] .eh_frame PROGBITS 0049e000 08e000 000024 00 WA 0 0 4 170 | [ 7] .ctors PROGBITS 0049e024 08e024 000008 00 WA 0 0 4 171 | [ 8] .dtors PROGBITS 0049e02c 08e02c 000008 00 WA 0 0 4 172 | [ 9] .jcr PROGBITS 0049e034 08e034 000004 00 WA 0 0 4 173 | [10] .data.rel.ro PROGBITS 0049e038 08e038 0009dc 00 WA 0 0 4 174 | [11] .data PROGBITS 0049ea20 08ea20 0003b6 00 WA 0 0 16 175 | [12] .got PROGBITS 0049ede0 08ede0 000604 04 WAp 0 0 16 176 | [13] .sdata PROGBITS 0049f3e4 08f3e4 000004 00 WAp 0 0 4 177 | [14] .sbss NOBITS 0049f3e8 08f3e8 000063 00 WAp 0 0 4 178 | [15] .bss NOBITS 0049f450 08f3e8 0044d4 00 WA 0 0 16 179 | [16] .gnu.attributes 
GNU_ATTRIBUTES 00000000 08f3e8 000010 00 0 0 1 180 | [17] .mdebug.abi32 PROGBITS 00002870 08f3f8 000000 00 0 0 1 181 | [18] .shstrtab STRTAB 00000000 08f3f8 000093 00 0 0 1 182 | Key to Flags: 183 | W (write), A (alloc), X (execute), M (merge), S (strings), I (info), 184 | L (link order), O (extra OS processing required), G (group), T (TLS), 185 | C (compressed), x (unknown), o (OS specific), E (exclude), 186 | D (mbind), p (processor specific) 187 | 188 | Program Headers: 189 | Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align 190 | LOAD 0x000000 0x00400000 0x00400000 0x8df10 0x8df10 R E 0x10000 191 | LOAD 0x08e000 0x0049e000 0x0049e000 0x013e8 0x05924 RW 0x10000 192 | GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 193 | 194 | Section to Segment mapping: 195 | Segment Sections... 196 | 00 .rel.dyn .init .text .fini .rodata 197 | 01 .eh_frame .ctors .dtors .jcr .data.rel.ro .data .got .sdata .sbss .bss 198 | 02 199 | ``` 200 | Here are the important bits of information that we need: 201 | 202 | ``` 203 | Data: 2's complement, big endian 204 | Machine: MIPS R3000 205 | ``` 206 | The DCS-935L is a MIPS system, running in Big Endian mode. Let us check if data execution prevention is enabled. The following line, the `GNU_STACK` program header from the `readelf` output above, tells us that the stack memory is readable, writable and executable (RWE); the binary does not request a non-executable stack, and therefore data execution prevention shall not be a hurdle when it comes to exploit development. 207 | ``` 208 | GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 209 | ``` 210 | 211 | ## Choose a matching kernel for use with QEMU 212 | 213 | Emulating an IoT device under QEMU has certain tradeoffs. EMUX uses the following predefined boards that come bundled with QEMU for MIPS: 214 | 215 | ``` 216 | [emux-docker 🐚] ~$ qemu-system-mips-7.0.0 -machine help 217 | Supported machines are: 218 | malta MIPS Malta Core LV (default) 219 | mipssim MIPS MIPSsim platform 220 | none empty machine 221 | ``` 222 | 223 | We will be using the `MIPS Malta` board.
EMUX comes with a few prebuilt kernels that support QEMU's Malta board. 224 | 225 | ``` 226 | [emux-docker 🐚] ~$ ls /emux/template/kernel/ | grep malta 227 | vmlinux-2.6.30.9-malta-be* 228 | vmlinux-2.6.32.5-malta-mips* 229 | vmlinux-2.6.32.5-malta-mipsel* 230 | vmlinux-3.18.109-malta-be* 231 | vmlinux-3.18.109-malta-le* 232 | ``` 233 | 234 | The `vmlinux-2.6.30.9-malta-be` fits our bill perfectly. We shall use this one for now. Compiling a custom kernel shall be discussed in another document. 235 | 236 | ## Putting it all together 237 | 238 | ### Copy the `template` and make a new device 239 | 240 | We shall choose `DCS935L` as the EMUX device ID for the D-Link DCS-935L Camera. 241 | 242 | ``` 243 | [emux-docker 🐚] ~$ cd /emux/ 244 | [emux-docker 🐚] /emux$ cp -r template DCS935L 245 | ``` 246 | 247 | ### Remove unnecessary contents from the `DCS935L` directory: 248 | 249 | ``` 250 | [emux-docker 🐚] /emux$ cd DCS935L/ 251 | [emux-docker 🐚] /emux/DCS935L$ rm -r mtdparts nvram.ini preload 252 | [emux-docker 🐚] /emux/DCS935L$ cd kernel/ 253 | [emux-docker 🐚] /emux/DCS935L/kernel$ rm -f zImage-* vmlinux-2.6.32.5-* vmlinux-3.18.109-* 254 | [emux-docker 🐚] /emux/DCS935L/kernel$ ls 255 | vmlinux-2.6.30.9-malta-be* 256 | [emux-docker 🐚] /emux/DCS935L/kernel$ cd .. 257 | ``` 258 | 259 | We are now left with `config` and `kernel/vmlinux-2.6.30.9-malta-be` in the `DCS935L` directory. Next, we shall move the extracted `squashfs-root` into the `DCS935L` directory. Be sure to run these commands with `sudo` as they require root privileges. 260 | 261 | ``` 262 | [emux-docker 🐚] /emux/DCS935L$ sudo mv /tmp/_DCS-935L_A1_FW_1.06.02_20150717_r3108.bin.extracted/squashfs-root . 
263 | [emux-docker 🐚] /emux/DCS935L$ sudo chown -R r0:r0 squashfs-root/ 264 | ``` 265 | 266 | ### The `config` file 267 | 268 | Now that the kernel and the rootfs are in place, edit the `config` file as follows: 269 | 270 | ``` 271 | # DLINK DCS-935L WiFi Camera 272 | # With major contributions by @bl4ckh0l3z 273 | # 274 | id=DCS935L 275 | rootfs=squashfs-root 276 | randomize_va_space=0 277 | initcommands="/bin/sh" 278 | ``` 279 | 280 | Explanation: 281 | 282 | * `id=DCS935L` - This should be the same as the directory name in `/emux/`. 283 | * `rootfs=squashfs-root` - directory that holds the `rootfs`. Ensure it is owned by `r0:r0`. 284 | * `randomize_va_space=0` - disable ASLR. 285 | * `initcommands="/bin/sh"` - Initially, only invoke `/bin/sh` after starting `userspace`. 286 | 287 | ### Create an entry in `/emux/devices` 288 | 289 | Add the following entry to the EMUX devices list in `/emux/devices`: 290 | 291 | ``` 292 | DCS935L,qemu-system-mips-7.0.0,malta,,,128M,vmlinux-2.6.30.9-malta-be,MALTA2,D-Link DCS-935L Camera 293 | ``` 294 | 295 | ## `launcher` - First attempt 296 | 297 | ``` 298 | [EMUX-DOCKER 🐳] ~$ launcher 299 | ``` 300 | 301 | Select the `D-Link DCS-935L Camera` from the list. 
The kernel should boot up and you should see the following message: 302 | 303 | ``` 304 | Starting EMUX OK 305 | 306 | ____ __ __ _ __ __ 307 | / ___| \/ | | |\ \/ / by Saumil Shah | The Exploit Laboratory 308 | | ___| |\/| | |_| ) ( @therealsaumil | emux.exploitlab.net 309 | \____|_| |__\___/_/\_\ Linux 2.6.30.9 [mips] 310 | 311 | Architecture: mips 312 | Byte Order: Big Endian 313 | CPU(s): 1 314 | On-line CPU(s) list: 0 315 | Thread(s) per core: 1 316 | Core(s) per socket: 1 317 | Socket(s): 1 318 | Model: MIPS 24Kc V0.0 FPU V0.0 319 | BogoMIPS: 1127.21 320 | Flags: mips16 321 | 322 | EMUX DEVICE CONSOLE 323 | ``` 324 | 325 | At this point, run `userspace` from an EMUX docker shell: 326 | 327 | ``` 328 | [emux-docker 🐚] ~$ userspace 329 | ``` 330 | 331 | Select `Start D-Link DCS-935L Camera` 332 | 333 | You should see a `busybox` shell and be able to run commands in the context of the DCS-935L Camera. Note that none of the camera's processes and services are running yet. We still have to figure out the starting point of all userland code. `init` is the first process that is typically executed once the kernel passes control to the userland. The processes to be kicked off are usually found in `/etc/inittab`. 334 | 335 | ### Inspecting `/etc/inittab` 336 | 337 | ``` 338 | # cat /etc/inittab 339 | 340 | # Boot-time system configuration/initialization script. 341 | ::sysinit:/etc/rc.d/rcS 342 | 343 | # Start an "askfirst" shell on the console (whatever that may be) 344 | #::askfirst:-/bin/sh 345 | ::respawn:-/bin/sh 346 | 347 | # Start an "askfirst" shell on /dev/tty2-4 348 | #tty2::askfirst:-/bin/sh 349 | #tty3::askfirst:-/bin/sh 350 | #tty4::askfirst:-/bin/sh 351 | ``` 352 | 353 | `/etc/rc.d/rcS` is the main start up script. We will invoke it manually. At this point, it is a process of trial and error. Sometimes everything runs smoothly, and in other instances, a few things may need to be tweaked/patched/fixed. There is no standard one-size-fits-all process. 
Be prepared to spend a week when working with an entirely new device! 354 | 355 | If everything succeeds, you should see the following messages: 356 | 357 | ``` 358 | Starting https... 359 | httpd: Authentication Mode: Normal 360 | Starting schboot ... . 361 | Starting eventd ... . 362 | [schboot] start checking... 363 | [event] Found Local Mac: 52:54:00:12:34:56 364 | Starting httpd ... httpd: Authentication Mode: Normal 365 | . 366 | Starting hnap_push_service ... . 367 | Starting ipfind ... . 368 | [hnap_push_service][create_hnap_login_info] 369 | [hnap_push_service][loadDeviceList] begin 370 | [event] eventrecord idle! 371 | [event] eventrecaudio idle! 372 | [event] eventsnapshot idle! 373 | [event] Set IOT Snapshot Enable: 0 374 | [event] Set IOT Video clip Enable: 0 375 | Starting rtsp... 376 | [event] Set IOT Notification Enable: 0 377 | Starting ddp ... . 378 | ``` 379 | 380 | Running `emuxps` from another EMUX docker shell confirms that `httpd` is running. 381 | 382 | ``` 383 | [emux-docker 🐚] ~$ emuxps | grep httpd 384 | 2968 pts/1 S 0:00 /usr/sbin/httpd-manager 385 | 3040 pts/1 S 0:00 ./ssl-httpd 8088 1 0 0 386 | 3082 pts/1 S 0:00 ./httpd 80 1 1 1 387 | ``` 388 | 389 | Open a browser and navigate to `https://localhost:20080`. Host port 20080 is forwarded to port 80 of the emulated camera, which the `emuxps` output above shows is served by `httpd` rather than `ssl-httpd`; if the `https://` URL does not connect, try `http://localhost:20080`. The username is `admin` and the password is blank. 390 | 391 | ![Emulated D-Link DCS-935L Web Interface](img/dlink-dcs935.png) 392 | 393 | ## Final version 394 | 395 | To automate the start up, we shall add `/etc/rc.d/rcS` to the `initcommands` in the `config` file. Hat tip to [@bl4ckh0l3z][blackholes] for getting UPnP to work properly!
396 | 397 | ``` 398 | # DLINK DCS-935L WiFi Camera 399 | # With major contributions by @bl4ckh0l3z 400 | # 401 | id=DCS935L 402 | rootfs=squashfs-root 403 | randomize_va_space=0 404 | initcommands="/etc/rc.d/rcS;touch /tmp/.hnap_device_list_tmp.xml;/bin/sh" 405 | ``` 406 | 407 | ## Concluding thoughts 408 | 409 | This article was intended to familiarise you with what it takes to emulate a new MIPS device from scratch. 410 | 411 | For those of you who want to learn about IoT exploitation, take this as a challenge and discover vulnerabilities on the DCS-935L. Try to reproduce some existing CVE's against the emulated DCS-935L, or find 0-days on your own! 412 | 413 | Follow me on Twitter *[@therealsaumil][saumil]* for updates on [EMUX][emux], new articles, talks and [trainings][R0ARM]! 414 | 415 | ## END 416 | 417 | [R0ARM]: https://ringzer0.training/arm-iot-exploitlab.html 418 | [emux]: https://emux.exploitlab.net/ 419 | -------------------------------------------------------------------------------- /docs/img/00-emux-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/00-emux-docker.png -------------------------------------------------------------------------------- /docs/img/01-emux-docker-launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/01-emux-docker-launcher.png -------------------------------------------------------------------------------- /docs/img/01-emux-launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/01-emux-launcher.png -------------------------------------------------------------------------------- 
/docs/img/02-emux-kernel-boot-up.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/02-emux-kernel-boot-up.png -------------------------------------------------------------------------------- /docs/img/03-emux-trivision-init.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/03-emux-trivision-init.png -------------------------------------------------------------------------------- /docs/img/04-emux-trivision-started.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/04-emux-trivision-started.png -------------------------------------------------------------------------------- /docs/img/05-armx-cpuinfo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/05-armx-cpuinfo.png -------------------------------------------------------------------------------- /docs/img/06-emux-trivision-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/06-emux-trivision-browser.png -------------------------------------------------------------------------------- /docs/img/ARMX-EMUX.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/ARMX-EMUX.png -------------------------------------------------------------------------------- /docs/img/armx-on-kali.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/armx-on-kali.png -------------------------------------------------------------------------------- /docs/img/armx-tenda-emulation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/armx-tenda-emulation.png -------------------------------------------------------------------------------- /docs/img/b2w-launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/b2w-launcher.png -------------------------------------------------------------------------------- /docs/img/b2w-userspace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/b2w-userspace.png -------------------------------------------------------------------------------- /docs/img/dcs935-camera.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/dcs935-camera.png -------------------------------------------------------------------------------- /docs/img/dlink-dcs935.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/dlink-dcs935.png -------------------------------------------------------------------------------- /docs/img/emux-architecture.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-architecture.png -------------------------------------------------------------------------------- /docs/img/emux-banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-banner.png -------------------------------------------------------------------------------- /docs/img/emux-dirstructure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-dirstructure.png -------------------------------------------------------------------------------- /docs/img/emux-docker-banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-docker-banner.png -------------------------------------------------------------------------------- /docs/img/emux-docker-whale.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-docker-whale.jpg -------------------------------------------------------------------------------- /docs/img/emux-docker-whale2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-docker-whale2.jpg -------------------------------------------------------------------------------- /docs/img/emux-docker.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-docker.png -------------------------------------------------------------------------------- /docs/img/emux-ipcam-launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-ipcam-launcher.png -------------------------------------------------------------------------------- /docs/img/emux-newdevice.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-newdevice.png -------------------------------------------------------------------------------- /docs/img/emux-operations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-operations.png -------------------------------------------------------------------------------- /docs/img/emux-tenda-launcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-tenda-launcher.png -------------------------------------------------------------------------------- /docs/img/emux-tenda-start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emux-tenda-start.png -------------------------------------------------------------------------------- /docs/img/emuxgdb-01.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emuxgdb-01.png -------------------------------------------------------------------------------- /docs/img/emuxgdb-04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emuxgdb-04.png -------------------------------------------------------------------------------- /docs/img/emuxps-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emuxps-02.png -------------------------------------------------------------------------------- /docs/img/emuxps-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/emuxps-03.png -------------------------------------------------------------------------------- /docs/img/inside_tenda_ac15.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/inside_tenda_ac15.jpg -------------------------------------------------------------------------------- /docs/img/launcher-command.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/launcher-command.png -------------------------------------------------------------------------------- /docs/img/tenda_01_setup_wizard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_01_setup_wizard.png 
-------------------------------------------------------------------------------- /docs/img/tenda_02_connect_wan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_02_connect_wan.png -------------------------------------------------------------------------------- /docs/img/tenda_03_password.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_03_password.png -------------------------------------------------------------------------------- /docs/img/tenda_04_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_04_login.png -------------------------------------------------------------------------------- /docs/img/tenda_05_running.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_05_running.png -------------------------------------------------------------------------------- /docs/img/tenda_chip_removed.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_chip_removed.jpg -------------------------------------------------------------------------------- /docs/img/tenda_firmware_download.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_firmware_download.png 
-------------------------------------------------------------------------------- /docs/img/tenda_first_run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_first_run.png -------------------------------------------------------------------------------- /docs/img/tenda_flash_chip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_flash_chip.jpg -------------------------------------------------------------------------------- /docs/img/tenda_flash_programmer.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_flash_programmer.jpg -------------------------------------------------------------------------------- /docs/img/tenda_hot_air_gun.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_hot_air_gun.jpg -------------------------------------------------------------------------------- /docs/img/tenda_init_scripts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_init_scripts.png -------------------------------------------------------------------------------- /docs/img/tenda_reading_chip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_reading_chip.png 
-------------------------------------------------------------------------------- /docs/img/tenda_reversing_with_ghidra1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_reversing_with_ghidra1.png -------------------------------------------------------------------------------- /docs/img/tenda_sop8_socket.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_sop8_socket.jpg -------------------------------------------------------------------------------- /docs/img/tenda_spi_chip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_spi_chip.jpg -------------------------------------------------------------------------------- /docs/img/tenda_spi_resurrected.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_spi_resurrected.jpg -------------------------------------------------------------------------------- /docs/img/tenda_uart_console.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/tenda_uart_console.jpg -------------------------------------------------------------------------------- /docs/img/userspace-command.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/docs/img/userspace-command.png 
-------------------------------------------------------------------------------- /docs/install-armx-kali.md: -------------------------------------------------------------------------------- 1 | ## ARM-X installation instructions - tested on Kali Linux 2 | 3 | Contributed by [@zh4ck][zh4ck] 4 | 5 | [zh4ck]: https://twitter.com/zh4ck 6 | 7 | ![ARMX-ON-KALI](img/armx-on-kali.png) 8 | 9 | > **TL;DR:** 10 | > 11 | > **A quick installation guide to setting up [ARM-X][ARM-X] on Kali Linux. Thanks to [Z. Balazs][zh4ck] for his efforts in testing and writing these notes.** 12 | 13 | [ARM-X]: https://armx.exploitlab.net 14 | 15 | ### 1. Set up some pre-requisites 16 | 17 | ``` 18 | sudo apt install -y qemu dialog bridge-utils uml-utilities nfs-kernel-server gdb-multiarch 19 | 20 | sudo sh -c 'echo "\n\n/armx 192.168.100.0/24(rw,sync,no_root_squash,no_subtree_check)\n" >> /etc/exports' 21 | sudo systemctl enable nfs-kernel-server 22 | ``` 23 | Note: `no_root_squash` lets root on any client in 192.168.100.0/24 act as root on the exported `/armx`, so keep that subnet confined to the host-only emulation network. 24 | ### 2. Clone ARM-X 25 | 26 | ``` 27 | git clone https://github.com/therealsaumil/armx 28 | cd armx/hostfs 29 | unzip hostfs.ext2.zip 30 | cd .. 31 | ``` 32 | 33 | ### 3. Create bridge interface 34 | 35 | ``` 36 | sudo sh -c 'echo "auto br0\niface br0 inet dhcp\npre-up brctl addbr br0\npost-down brctl delbr br0" > /etc/network/interfaces.d/br0' 37 | sudo etc/local.d/10-tun-network.start 38 | sudo networking restart 39 | ``` 40 | 41 | ### 4. TODO check /etc/local.d exists and executes on Kali 42 | 43 | ``` 44 | sudo sh -c 'cat etc/local.d/10-tun-network.start >> /etc/rc.local' 45 | sudo cp usr/local/bin/restart-taps /usr/local/bin/restart-taps 46 | cp home/kali/.ssh/id_rsa.armx* /home/kali/.ssh/ 47 | # gef is fetched over plain HTTP and gdb will run it at every start; review ~/.gdbinit-gef.py before adding it to ~/.gdbinit 48 | wget -O ~/.gdbinit-gef.py -q http://gef.blah.cat/py 49 | echo source ~/.gdbinit-gef.py >> ~/.gdbinit 50 | 51 | cd .. 52 | sudo mv armx/ / 53 | sudo chown -R kali /armx 54 | export PATH=$PATH:/armx/run # It is best to add this path to your shell profile 55 | ``` 56 | 57 | ### 5.
Create your first test device 58 | 59 | You can extract the following files from Damn Vulnerable Arm Router: https://app.box.com/s/g2k7vo45ctn5lh0enrwg6i83abwindte 60 | 61 | ``` 62 | mkdir -p /armx/DVAR/kernel 63 | cp zImage-3.16.57-vexpress /armx/DVAR/kernel/ 64 | cp config /armx/DVAR/ 65 | cp rootfs /armx/DVAR/ 66 | ``` 67 | 68 | ### 6. Start the ARM-X framework 69 | 70 | Run: 71 | 72 | ``` 73 | launcher 74 | ``` 75 | Choose Damn Vulnerable Arm Router. Once it boots: 76 | ``` 77 | ssh -i /home/kali/.ssh/id_rsa.armx root@192.168.100.2 78 | Choose option 1 - this will start the init scripts 79 | ``` 80 | 81 | ### 7. Make armxgdb Kali compatible 82 | 83 | By default, `armxgdb` uses `arm-linux-gnueabi-gdb`. On Kali, the debugger is `gdb-multiarch`, so use it instead and add the following line to the end of `armxgdb`: 84 | 85 | ``` 86 | -ex="set architecture arm" 87 | ``` 88 | 89 | - [Home][Home] 90 | - [Github][Github] 91 | 92 | [Home]: https://armx.exploitlab.net/ 93 | [Github]: https://github.com/therealsaumil/armx 94 | -------------------------------------------------------------------------------- /emux-docker-shell: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/.
6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | # Opens an interactive bash session in the emux-docker container, or runs the given command there, via docker exec 10 | CNAME="emux-docker" 11 | # NOTE(review): grep ${CNAME} is an unquoted substring match, so a second running container whose name contains "emux-docker" makes the equality test below report "not running"; the bare exit returns the status of the echo before it, so callers see success 12 | # check if container is running 13 | RUNNING=$(docker ps --format '{{.Names}}' | grep ${CNAME}) 14 | if [ "${RUNNING}" != "${CNAME}" ] 15 | then 16 | echo "${CNAME}: container not running" 17 | exit 18 | fi 19 | # NOTE(review): $@ is unquoted in the else branch, so arguments are word-split and glob-expanded by this shell before docker exec receives them; "$@" would pass them through unchanged 20 | if [ "$1" = "" ] 21 | then 22 | docker exec -e EMUXDOCKERSHELL=1 -it ${CNAME} /bin/bash 23 | else 24 | docker exec -it ${CNAME} $@ 25 | fi 26 | -------------------------------------------------------------------------------- /files/emux/AC15/config: -------------------------------------------------------------------------------- 1 | # Tenda AC15 EMUX config file 2 | # 3 | id=AC15 4 | nvram=nvram_AC15.ini 5 | rootfs=squashfs-root 6 | randomize_va_space=0 7 | ld_preload=preload 8 | initcommands="/etc_ro/init.d/rcS;/bin/sh" 9 | -------------------------------------------------------------------------------- /files/emux/AC15/flashmem/flash.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/flashmem/flash.tar.bz2 -------------------------------------------------------------------------------- /files/emux/AC15/kernel/zImage-2.6.39.4-vexpress: -------------------------------------------------------------------------------- 1 | ../../template/kernel/zImage-2.6.39.4-vexpress -------------------------------------------------------------------------------- /files/emux/AC15/mtdparts: -------------------------------------------------------------------------------- 1 | mtdparts=armflash:0x1000000(All),0x40000@0(Bootloader),0xf70000@0x40000(KernelFS),0xda632c@0x209cd4(RootFS),0x10000@0xfb0000(crash),0x10000@0xfc0000(Policy),0x10000@0xfd0000(CFM_BACKUP),0x10000@0xfe0000(CFM),0x10000@0xff0000(nvram) 2 | --------------------------------------------------------------------------------
/files/emux/AC15/preload/.tenda_hooks_verbose.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/preload/.tenda_hooks_verbose.so -------------------------------------------------------------------------------- /files/emux/AC15/preload/libnvram-armx.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/preload/libnvram-armx.so -------------------------------------------------------------------------------- /files/emux/AC15/preload/tenda_hooks.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/preload/tenda_hooks.so -------------------------------------------------------------------------------- /files/emux/AC15/squashfs-root.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/squashfs-root.tar.bz2 -------------------------------------------------------------------------------- /files/emux/AC15/tenda-crc32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/AC15/tenda-crc32 -------------------------------------------------------------------------------- /files/emux/ARCHERC9/config: -------------------------------------------------------------------------------- 1 | # Archer C9 EMUX config file 2 | # 3 | id=ARCHERC9 4 | nvram=nvram_C9.ini 5 | rootfs=rootfs 6 | randomize_va_space=0 7 | ld_preload=preload 8 | initcommands="/etc/preinit;/bin/sh" 9 | 
-------------------------------------------------------------------------------- /files/emux/ARCHERC9/kernel/zImage-2.6.39.4-vexpress: -------------------------------------------------------------------------------- 1 | ../../template/kernel/zImage-2.6.39.4-vexpress -------------------------------------------------------------------------------- /files/emux/ARCHERC9/preload/libnvram-armx.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/ARCHERC9/preload/libnvram-armx.so -------------------------------------------------------------------------------- /files/emux/ARCHERC9/rootfs.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/ARCHERC9/rootfs.tar.bz2 -------------------------------------------------------------------------------- /files/emux/DCS935L/config: -------------------------------------------------------------------------------- 1 | # DLink DCS-935L Camera 2 | # Contributed by blackh0l3z 3 | # 4 | id=DCS935L 5 | rootfs=squashfs-root 6 | randomize_va_space=0 7 | initcommands="/etc/rc.d/rcS;touch /tmp/.hnap_device_list_tmp.xml;/bin/sh" 8 | -------------------------------------------------------------------------------- /files/emux/DCS935L/kernel/vmlinux-2.6.30.9-malta-be: -------------------------------------------------------------------------------- 1 | ../../template/kernel/vmlinux-2.6.30.9-malta-be -------------------------------------------------------------------------------- /files/emux/DCS935L/squashfs-root.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/DCS935L/squashfs-root.tar.bz2 
-------------------------------------------------------------------------------- /files/emux/DIR615C/config: -------------------------------------------------------------------------------- 1 | # DLink DIR-615C 2 | # 3 | id=DIR615C 4 | rootfs=squashfs-root 5 | randomize_va_space=0 6 | initcommands="/etc/rc.d/rcS;/bin/sh" 7 | 8 | -------------------------------------------------------------------------------- /files/emux/DIR615C/kernel/vmlinux-2.6.30.9-malta-be: -------------------------------------------------------------------------------- 1 | ../../template/kernel/vmlinux-2.6.30.9-malta-be -------------------------------------------------------------------------------- /files/emux/DIR615C/squashfs-root.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/DIR615C/squashfs-root.tar.bz2 -------------------------------------------------------------------------------- /files/emux/DV-ARM/config: -------------------------------------------------------------------------------- 1 | # Tinysploit ARM 2 | # 3 | id=DV-ARM 4 | nvram= 5 | rootfs=rootfs-arm 6 | randomize_va_space=0 7 | legacy_va_layout=1 8 | mount_dev_tree=1 9 | initcommands="/etc/rc.local;/bin/sh" 10 | -------------------------------------------------------------------------------- /files/emux/DV-ARM/kernel/zImage-3.18.109-realview: -------------------------------------------------------------------------------- 1 | ../../template/kernel/zImage-3.18.109-realview -------------------------------------------------------------------------------- /files/emux/DV-ARM/rootfs-arm.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/DV-ARM/rootfs-arm.tar.bz2 -------------------------------------------------------------------------------- 
/files/emux/DV-MIPSEB/config: -------------------------------------------------------------------------------- 1 | # Tinysploit MIPS 2 | # 3 | id=DV-MIPSEB 4 | nvram= 5 | rootfs=rootfs-mips 6 | randomize_va_space=0 7 | legacy_va_layout=1 8 | mount_dev_tree=1 9 | initcommands="/etc/rc.local;/bin/sh" 10 | -------------------------------------------------------------------------------- /files/emux/DV-MIPSEB/kernel/vmlinux-3.18.109-malta-be: -------------------------------------------------------------------------------- 1 | ../../template/kernel/vmlinux-3.18.109-malta-be -------------------------------------------------------------------------------- /files/emux/DV-MIPSEB/rootfs-mips.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/DV-MIPSEB/rootfs-mips.tar.bz2 -------------------------------------------------------------------------------- /files/emux/DV-MIPSEL/config: -------------------------------------------------------------------------------- 1 | # Tinysploit MIPSEL 2 | # 3 | id=DV-MIPSEL 4 | nvram= 5 | rootfs=rootfs-mipsel 6 | randomize_va_space=0 7 | legacy_va_layout=1 8 | mount_dev_tree=1 9 | initcommands="/etc/rc.local;/bin/sh" 10 | -------------------------------------------------------------------------------- /files/emux/DV-MIPSEL/kernel/vmlinux-3.18.109-malta-le: -------------------------------------------------------------------------------- 1 | ../../template/kernel/vmlinux-3.18.109-malta-le -------------------------------------------------------------------------------- /files/emux/DV-MIPSEL/rootfs-mipsel.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/DV-MIPSEL/rootfs-mipsel.tar.bz2 -------------------------------------------------------------------------------- 
/files/emux/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. 
"Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. 
Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. 
Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. 
Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. 
Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. 
However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | 375 | -------------------------------------------------------------------------------- /files/emux/PH0WNCTF/config: -------------------------------------------------------------------------------- 1 | # R0 8-PORT CONTROLLER 2 | # CTF Challenge for ph0wn 2021 3 | # by Saumil Shah 4 | # 5 | id=PH0WNCTF 6 | rootfs=rootfs-mipsel 7 | randomize_va_space=0 8 | legacy_va_layout=1 9 | mount_dev_tree=1 10 | initcommands="/etc/rc.local;/bin/sh" 11 | -------------------------------------------------------------------------------- /files/emux/PH0WNCTF/kernel/vmlinux-3.18.109-malta-le: -------------------------------------------------------------------------------- 1 | ../../template/kernel/vmlinux-3.18.109-malta-le -------------------------------------------------------------------------------- /files/emux/PH0WNCTF/rootfs-mipsel.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/PH0WNCTF/rootfs-mipsel.tar.bz2 -------------------------------------------------------------------------------- /files/emux/TRI227WF/config: -------------------------------------------------------------------------------- 1 | # Trivision 227WF IP Camera EMUX config file 2 | 3 | id=TRI227WF 4 | nvram= 5 | rootfs=rootfs 6 | randomize_va_space=0 7 | initcommands="rm -f /dev/abs628;touch /dev/abs628;/etc/init.d/rc.sysinit;/etc/init.d/rc 3;/bin/sh" 8 | -------------------------------------------------------------------------------- /files/emux/TRI227WF/kernel/zImage-2.6.28-versatile-nothumb: -------------------------------------------------------------------------------- 1 | ../../template/kernel/zImage-2.6.28-versatile-nothumb -------------------------------------------------------------------------------- /files/emux/TRI227WF/rootfs.tar.bz2: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/TRI227WF/rootfs.tar.bz2 -------------------------------------------------------------------------------- /files/emux/debuglogs: -------------------------------------------------------------------------------- 1 | # Uncomment logpath= to enable EMUX and QEMU console output logging. 2 | # Only one logpath= should be uncommented. 3 | # 4 | logpath=/home/r0/workspace/logs/ 5 | #logpath=/emux/logs/ 6 | # 7 | -------------------------------------------------------------------------------- /files/emux/devices: -------------------------------------------------------------------------------- 1 | #ID,qemu-binary,machine-type,cpu-type,dtb,memory,kernel-image,qemuopts,description 2 | DV-ARM,qemu-system-arm,realview-eb-mpcore,,,256M,zImage-3.18.109-realview,REALVIEW-EB,Damn Vulnerable ARM Router 3 | DV-MIPSEL,qemu-system-mipsel,malta,,,128M,vmlinux-3.18.109-malta-le,MALTA3,Damn Vulnerable MIPS Router (Little Endian) 4 | DV-MIPSEB,qemu-system-mips,malta,,,128M,vmlinux-3.18.109-malta-be,MALTA3,Damn Vulnerable MIPS Router (Big Endian) 5 | PH0WNCTF,qemu-system-mipsel,malta,,,128M,vmlinux-3.18.109-malta-le,MALTA3,R0 Port Controller - Ph0wn 2021 CTF Challenge 6 | TRI227WF,qemu-system-arm,versatilepb,,,128M,zImage-2.6.28-versatile-nothumb,VERSATILEPB,Trivision NC-227-WF IP Camera 7 | AC15,qemu-system-arm,vexpress-a9,,,256M,zImage-2.6.39.4-vexpress,VEXPRESS2,Tenda AC15 Wi-Fi Router 8 | ARCHERC9,qemu-system-arm,vexpress-a9,,,256M,zImage-2.6.39.4-vexpress,VEXPRESS2,Archer C9 Wi-Fi Router 9 | DIR615C,qemu-system-mips,malta,,,128M,vmlinux-2.6.30.9-malta-be,MALTA2,D-Link DIR615C Wi-Fi Router 10 | DCS935L,qemu-system-mips,malta,,,128M,vmlinux-2.6.30.9-malta-be,MALTA2,D-Link DCS-935L Camera 11 | -------------------------------------------------------------------------------- /files/emux/hostfs/hostfs-aarch64.ext2.bz2: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/hostfs/hostfs-aarch64.ext2.bz2 -------------------------------------------------------------------------------- /files/emux/hostfs/hostfs-arm.ext2.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/hostfs/hostfs-arm.ext2.bz2 -------------------------------------------------------------------------------- /files/emux/hostfs/hostfs-mips.ext2.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/hostfs/hostfs-mips.ext2.bz2 -------------------------------------------------------------------------------- /files/emux/hostfs/hostfs-mipsel.ext2.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/hostfs/hostfs-mipsel.ext2.bz2 -------------------------------------------------------------------------------- /files/emux/qemuopts: -------------------------------------------------------------------------------- 1 | #MACHINE,drive,bootcmd,nic,net,custom 2 | VEXPRESS1,if=sd\,format=raw\,index=0,console=ttyAMA0 rw rootwait root=/dev/mmcblk0,nic 3 | VEXPRESS2,if=sd\,format=raw,pty.legacy_count=16 console=ttyAMA0 rw root=/dev/mmcblk0 rootwait rootfstype=ext2,nic\,model=lan9118 4 | REALVIEW-EB,if=sd\,format=raw,root=/dev/mmcblk0 rw rootwait console=ttyAMA0,nic 5 | VERSATILEPB,if=scsi,root=/dev/sda rw rootwait console=ttyAMA0\,115200,nic 6 | MALTA2,format=raw,root=/dev/hda rw rootwait console=ttyS0\,115200,nic\,model=pcnet,,-object rng-random\,filename=/dev/urandom\,id=rng0 -device 
virtio-rng-pci\,rng=rng0 7 | MALTA3,format=raw,root=/dev/sda rw rootwait console=ttyS0\,115200,nic\,model=pcnet,,-object rng-random\,filename=/dev/urandom\,id=rng0 -device virtio-rng-pci\,rng=rng0 8 | VIRTARM64,if=none\,format=raw\,id=hd0,rootwait root=/dev/vda console=ttyAMA0,nic,,-device virtio-blk-device\,drive=hd0 -object rng-random\,filename=/dev/urandom\,id=rng0 -device virtio-rng-pci\,rng=rng0 9 | -------------------------------------------------------------------------------- /files/emux/run/checkemux: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Script to check if we can access the EMUX instance 4 | # 5 | # include in other scripts using "source /emux/run/checkemux" 6 | 7 | # This Source Code Form is subject to the terms of the Mozilla Public 8 | # License, v. 2.0. If a copy of the MPL was not distributed with this 9 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 10 | 11 | # EMUX by Saumil Shah 12 | # https://emux.exploitlab.net/ 13 | 14 | ping -W 1 -c 1 192.168.100.2 > /dev/null 15 | if [ $? -ne 0 ] 16 | then 17 | echo "EMUX instance not running / reachable" 18 | exit 19 | fi 20 | -------------------------------------------------------------------------------- /files/emux/run/concat-mtd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Utility script to process the output of /proc/mtd 4 | # and join any mtdblocks found into a contiguous flash bin file 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
9 | 10 | # EMUX by Saumil Shah 11 | # https://emux.exploitlab.net/ 12 | 13 | if [ "$1" = "" ] 14 | then 15 | echo "Usage: $0 " 16 | exit 17 | fi 18 | 19 | total_bytes=0 20 | output="flashmem.bin" 21 | rm -f ${output} 22 | 23 | while IFS=' ' read MTD SIZE ERASEBLOCK NAME 24 | do 25 | id=$(echo $MTD | sed -e 's/mtd//' | tr -d ':') 26 | size=$(( 16#${SIZE} )) 27 | remainder=$(( ${size} % 4096 )) 28 | name=$(echo $NAME | tr -d '"') 29 | 30 | if [ ${remainder} -eq 0 ] 31 | then 32 | total_bytes=$(( ${total_bytes} + ${size} )) 33 | echo "mtd${id} $name $size" 34 | 35 | if [ -f mtd${id} ] 36 | then 37 | cat mtd${id} >> ${output} 38 | fi 39 | 40 | if [ -f mtdblock${id} ] 41 | then 42 | cat mtdblock${id} >> ${output} 43 | fi 44 | 45 | if [ -f mtd${id}.bin ] 46 | then 47 | cat mtd${id}.bin >> ${output} 48 | fi 49 | 50 | if [ -f mtdblock${id}.bin ] 51 | then 52 | cat mtdblock${id}.bin >> ${output} 53 | fi 54 | else 55 | echo "[-] mtd${id} $name $size (offset)" 56 | fi 57 | done <<< "$(cat $1 | grep -v '#' | grep 'mtd')" 58 | echo "Total bytes: ${total_bytes}" 59 | 60 | if [ ${total_bytes} -le 134217728 ] 61 | then 62 | difference=$(( 134217728 - ${total_bytes} )) 63 | pad_blocks=$(( $difference / 4096 )) 64 | echo "Appending ${difference} bytes as padding" 65 | dd if=/dev/zero of=padding bs=4096 count=${pad_blocks} 66 | cat padding >> ${output} 67 | rm -f padding 68 | fi 69 | 70 | echo "Creating 2 x 64MB flash memory files" 71 | split -a 1 -b 64m ${output} flash 72 | mv flasha flash0.bin 73 | mv flashb flash1.bin 74 | rm -f ${output} 75 | echo "Done" 76 | ls -s flash*.bin 77 | -------------------------------------------------------------------------------- /files/emux/run/emuxgdb: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Script to invoke gdbserver on the EMUX instance and attach 4 | # multi-arch gdb to the remote gdbserver 5 | # 6 | # Requires a parameter - pid or process name 7 | 8 | # This Source Code Form 
is subject to the terms of the Mozilla Public 9 | # License, v. 2.0. If a copy of the MPL was not distributed with this 10 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 11 | 12 | # EMUX by Saumil Shah 13 | # https://emux.exploitlab.net/ 14 | 15 | gdb="gdb-multiarch" 16 | pscmd="pgrep -x" 17 | 18 | if [ "$1" = "" ] 19 | then 20 | echo "Usage: $0 remote |" 21 | echo "Use emuxps to obtain remote processes" 22 | exit 23 | fi 24 | 25 | if [[ "$1" =~ ^[0-9]+$ ]] 26 | then 27 | attach="--attach $1" 28 | else 29 | attach="--attach \\\`${pscmd} $1\\\`" 30 | fi 31 | 32 | source /emux/run/checkemux 33 | EMUXDEVICE=$(|" 17 | echo "Use emuxps to obtain remote processes" 18 | exit 19 | fi 20 | 21 | if [[ "$1" =~ ^[0-9]+$ ]] 22 | then 23 | cmd="kill -9 $1" 24 | else 25 | cmd="killall -9 $1" 26 | fi 27 | 28 | source /emux/run/checkemux 29 | ssh -p 22222 -T root@192.168.100.2 "$cmd" 30 | -------------------------------------------------------------------------------- /files/emux/run/emuxmaps: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Script to show /proc//maps 4 | # 5 | # Requires a parameter - pid or process name 6 | 7 | # This Source Code Form is subject to the terms of the Mozilla Public 8 | # License, v. 2.0. If a copy of the MPL was not distributed with this 9 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
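
# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Command the guest uses to turn a process name into a pid.
pscmd="pgrep -x"

if [ "$1" = "" ]
then
   echo "Usage: $0 remote |"
   echo "Use emuxps to obtain remote processes"
   exit
fi

if [[ "$1" =~ ^[0-9]+$ ]]
then
   # All digits: the argument is already a pid.
   pid="$1"
else
   # Anything else is a process name resolved on the guest with pgrep.
   # The name becomes part of a command line parsed by root's shell on the
   # guest, so it is escaped with printf %q first; spaces or shell
   # metacharacters in the name are then matched literally rather than
   # interpreted. The \$( ) is kept unexpanded locally so the substitution
   # runs on the guest.
   pid="\$(${pscmd} $(printf '%q' "$1"))"
fi

source /emux/run/checkemux
ssh -p 22222 -T root@192.168.100.2 "cat /proc/${pid}/maps"
-------------------------------------------------------------------------------- /files/emux/run/emuxnetstat: --------------------------------------------------------------------------------
#!/bin/bash
#
# Script to run netstat

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

source /emux/run/checkemux

# Every option given to this script is forwarded to netstat on the guest.
# ssh joins its arguments into one string for the remote root shell, so each
# option is escaped individually; an argument can then only ever be a netstat
# argument, never extra shell syntax. Filter the output on the local side
# (emuxnetstat -t | grep ...) rather than inside an argument.
remote_args=""
for arg in "$@"
do
   remote_args="${remote_args} $(printf '%q' "${arg}")"
done
ssh -p 22222 -T root@192.168.100.2 "netstat -n${remote_args}"
-------------------------------------------------------------------------------- /files/emux/run/emuxps: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Script to dump remote processes from a running EMUX instance 4 | 5 | # check if we can access the remote system 6 | 7 | # This Source Code Form is subject to the terms of the Mozilla Public 8 | # License, v. 2.0. If a copy of the MPL was not distributed with this 9 | # file, You can obtain one at https://mozilla.org/MPL/2.0/.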
10 | 11 | # EMUX by Saumil Shah 12 | # https://emux.exploitlab.net/ 13 | 14 | source /emux/run/checkemux 15 | ssh -p 22222 -T root@192.168.100.2 "ps ax" 16 | -------------------------------------------------------------------------------- /files/emux/run/hide: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # utility to quickly hide files by prepending a leading dot 4 | # to their names. 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 9 | 10 | # EMUX by Saumil Shah 11 | # https://emux.exploitlab.net/ 12 | 13 | if [ "$1" = "" ] 14 | then 15 | echo "Usage: $0 [file2] ..." 16 | exit 17 | fi 18 | 19 | while [ "$1" != "" ] 20 | do 21 | FILENAME=$(basename $1) 22 | FILEDIR=$(dirname $1) 23 | OUTFILE=$(echo "${FILENAME}" | sed -e 's/^\([^\.].*\)$/\.\1/') 24 | 25 | if [ "${FILENAME}" = "${OUTFILE}" ] 26 | then 27 | echo "skipping $FILEDIR/$FILENAME = $FILEDIR/$OUTFILE" 28 | else 29 | echo "hide $FILEDIR/$FILENAME -> $FILEDIR/$OUTFILE" 30 | mv "$FILEDIR/$FILENAME" "$FILEDIR/$OUTFILE" 31 | fi 32 | shift 33 | done 34 | -------------------------------------------------------------------------------- /files/emux/run/launcher: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # EMUX QEMU Launcher 4 | # 5 | # By Saumil Shah 6 | # The Exploit Laboratory 7 | # 8 | # requires dialog to be installed 9 | 10 | # This Source Code Form is subject to the terms of the Mozilla Public 11 | # License, v. 2.0. If a copy of the MPL was not distributed with this 12 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Options appended to every QEMU command line.
# "-monitor tcp:127.0.0.1:55555" puts the QEMU monitor on a loopback TCP port
# (the port /emux/run/monitor connects to). The monitor has no authentication,
# so whoever can reach that port controls the emulator; keep it on loopback.
EXTRAQEMUOPTS="-no-reboot -nographic -serial mon:stdio -monitor tcp:127.0.0.1:55555,server,nowait"

source /emux/run/utils
check_emux_volume_permissions

# After moving to Alpine's QEMU packages we don't need to
# uncompress the QEMU ROMs
#uncompress_qemu_roms
uncompress_hostfs
check_if_logging_required
new_log

# parsedevices fills the per-device arrays (ids, descs, cpus, dtbs, archs,
# bootargs, ...) and sets count to the number of devices found.
source /emux/run/parsedevices

hostfs_prefix=/emux/hostfs/hostfs

# The menu program can be overridden through the environment;
# it defaults to dialog.
: "${fundialog=dialog}"

declare -a choices

# dialog --menu takes "tag item" pairs: the tag is the device index,
# the item is its description.
for i in $(seq 0 $((count - 1)))
do
   choices+=("$i" "${descs[$i]}")
done

# x receives the tag (device index) of the entry the user picked
x=$($fundialog --stdout --clear --cancel-label "Quit" \
      --backtitle "EMUX - The Versatile IoT Device Emulator" \
      --menu "EMUX Launcher" 0 0 0 "${choices[@]}")

status=$?
clear

# A non-zero status means the menu was cancelled ("Quit") or dialog failed
if [ "$status" -ne 0 ]
then
   exit
fi

# Optional QEMU arguments; they stay empty when the devices file leaves
# the cpu-type or dtb column blank.
cpu=""
dtb=""

if [ -n "${cpus[$x]}" ]
then
   cpu="-cpu ${cpus[$x]}"
fi

if [ -n "${dtbs[$x]}" ]
then
   dtb="-dtb /emux/dtb/${dtbs[$x]}"
fi

# Kernel command line and the architecture-specific hostfs image
append=${bootargs[$x]}
hostfs=${hostfs_prefix}-${archs[$x]}.ext2
SYSTEMARCH=$(uname -m)

# After moving to Alpine's QEMU packages, we don't need to
# use our statically built QEMU binaries.
77 | #qemucmd="/emux/run/qemu-bin-${SYSTEMARCH}/${qemus[$x]} -M ${machines[$x]} ${cpu} -m ${mems[$x]} -kernel /emux/${ids[$x]}/kernel/${kernels[$x]} ${dtb} -drive file=${hostfs},${drives[$x]} ${flashargs[$x]} -append \"$append\" -net ${nics[$x]} -net ${nets[$x]} ${customs[$x]} ${EXTRAQEMUOPTS}" 78 | qemucmd="${qemus[$x]} -M ${machines[$x]} ${cpu} -m ${mems[$x]} -kernel /emux/${ids[$x]}/kernel/${kernels[$x]} ${dtb} -drive file=${hostfs},${drives[$x]} ${flashargs[$x]} -append \"$append\" -net ${nics[$x]} -net ${nets[$x]} ${customs[$x]} ${EXTRAQEMUOPTS}" 79 | log "[+] QEMU Launch Command" 80 | log "${qemucmd}" 81 | 82 | # if the emulated device uses flash memory files and they don't exist, 83 | # check for the presence of a compressed .tar.bz2 file which contains them. 84 | # If the .tar.bz2 doesn't exist, the flash memory files need to be created, 85 | # otherwise QEMU won't run 86 | 87 | log "[+] Checking if flash memory files need to be created for ${ids[$x]}" 88 | if [ "${flashfile[$x]}" != "" ] 89 | then 90 | flashfile0="${flashfile[$x]}0.bin" 91 | flashfile1="${flashfile[$x]}1.bin" 92 | if [ ! -f ${flashfile0} ] || [ ! 
-f ${flashfile1} ] 93 | then 94 | log "[+] flash memory files not found" 95 | log "[+] checking for compressed flash memory files" 96 | flashtar="${flashfile[$x]}.tar.bz2" 97 | if [ -f ${flashtar} ] 98 | then 99 | flashdir=$(dirname ${flashtar}) 100 | log "[+] extracting ${flashtar}" 101 | pv ${flashtar} | tar -C ${flashdir} -jxf - 102 | else 103 | log "Creating empty ${flashfile0}" 104 | mkdir -p $(dirname ${flashfile0}) 105 | dd if=/dev/zero of=${flashfile0} bs=1M count=64 106 | log "Creating empty ${flashfile1}" 107 | dd if=/dev/zero of=${flashfile1} bs=1M count=64 108 | fi 109 | else 110 | log "[+] ${flashfile0} found" 111 | log "[+] ${flashfile1} found" 112 | fi 113 | else 114 | log "[+] mtdparts not present" 115 | fi 116 | 117 | log "[+] Checking if rootfs needs to be extracted for ${ids[$x]}" 118 | rootfs=$(cat /emux/${ids[$x]}/config | grep 'rootfs=' | cut -d'=' -f2) 119 | rootfsprefix="/emux/${ids[$x]}" 120 | rootfsdir="${rootfsprefix}/${rootfs}" 121 | if [ ! -d ${rootfsdir} ] 122 | then 123 | rootfstar="${rootfsdir}.tar.bz2" 124 | if [ ! -f ${rootfstar} ] 125 | then 126 | fatalerror "${rootfstar} not present. Cannot continue." 127 | fi 128 | log "[+] Extracting ${rootfstar}" 129 | echo "First run ... 
extracting ${rootfstar}" 130 | mkdir -p ${rootfsdir} 131 | pv ${rootfstar} | sudo tar -C ${rootfsprefix} -jxf - 132 | log "[+] Done extracting" 133 | fi 134 | 135 | # Ensure that the permissions on /emux/ID are set properly 136 | if [ "$(stat -c '%U:%G' /emux/${ids[$x]})" != "r0:r0" ] 137 | then 138 | echo "Setting permissions for /emux/${ids[$x]}" 139 | sudo chown -R r0:r0 /emux/${ids[$x]} 140 | fi 141 | 142 | cp /emux/run/run-init-template /emux/${ids[$x]}/run-init 143 | cp /emux/run/run-binsh-template /emux/${ids[$x]}/run-binsh 144 | 145 | echo ${ids[$x]} > /tmp/emuxrunning 146 | 147 | if [ "$CONSOLELOGFILE" ] 148 | then 149 | script -a -f -c "${qemucmd}" ${CONSOLELOGFILE} 150 | else 151 | eval "$qemucmd" 152 | fi 153 | -------------------------------------------------------------------------------- /files/emux/run/loadnvram: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Loads the key, value pairs from the nvram.ini file into 4 | # the emulated nvram 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 9 | 10 | # EMUX by Saumil Shah 11 | # https://emux.exploitlab.net/ 12 | 13 | if [ "$1" = "" ] 14 | then 15 | echo "Syntax: loadnvram " 16 | else 17 | echo "Loading nvram from $1" 18 | while IFS='=' read key value 19 | do 20 | echo "${key}='${value}'" 21 | nvram set ${key}="${value}" 22 | done <<< "$(cat "$1" | sed -e 's/#.*//g')" 23 | fi 24 | -------------------------------------------------------------------------------- /files/emux/run/monitor: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. 
If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | socat -,echo=0,icanon=0 TCP:127.0.0.1:55555 11 | -------------------------------------------------------------------------------- /files/emux/run/parsedevices: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Parses the devices file 4 | # If devices-extra is present, it is appended to 5 | # the devices file. 6 | 7 | # This Source Code Form is subject to the terms of the Mozilla Public 8 | # License, v. 2.0. If a copy of the MPL was not distributed with this 9 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 10 | 11 | # EMUX by Saumil Shah 12 | # https://emux.exploitlab.net/ 13 | 14 | source /emux/run/utils 15 | 16 | declare -a ids qemus machines cpus dtbs mems kernels qemuopts mtdparts flashfile flashargs drives bootargs nics nets customs descs archs 17 | declare -A qmachine qdrives qbootargs qnics qnet qcustoms 18 | 19 | EMUXROOT="/emux" 20 | DEVICES="${EMUXROOT}/devices" 21 | 22 | if [ ! -f ${DEVICES} ] 23 | then 24 | fatalerror "${DEVICES} not present. 
Cannot continue" 25 | fi 26 | 27 | DEVICESEXTRA="" 28 | if [ -f "${EMUXROOT}/devices-extra" ] 29 | then 30 | log "[+] devices-extra found" 31 | DEVICESEXTRA="${EMUXROOT}/devices-extra" 32 | fi 33 | QEMUOPTS="${EMUXROOT}/qemuopts" 34 | DEFAULT_NET="tap,ifname=tap0,script=no,downscript=no" 35 | 36 | log "[+] Parsing ${QEMUOPTS}" 37 | 38 | while IFS=',' read QMACHINE QDRIVE QBOOTCMD QNIC QNET QCUSTOM 39 | do 40 | if [ "$QMACHINE" != "" ] 41 | then 42 | qmachine[$QMACHINE]=$QMACHINE 43 | qdrives[$QMACHINE]=$QDRIVE 44 | qbootargs[$QMACHINE]=$QBOOTCMD 45 | qnics[$QMACHINE]=$QNIC 46 | if [ "$QNET" == "" ] 47 | then 48 | QNET=$DEFAULT_NET 49 | fi 50 | qnet[$QMACHINE]=$QNET 51 | qcustoms[$QMACHINE]=$QCUSTOM 52 | 53 | log "$QMACHINE|${qbootargs[$QMACHINE]}|${qdrives[$QMACHINE]}|${qbootargs[$QMACHINE]}|${qnics[$QMACHINE]}|${qnet[$QMACHINE]}|${qcustoms[$QMACHINE]}#" 54 | fi 55 | done <<< "$(cat "${QEMUOPTS}" | sed -e 's/#.*//g')" 56 | 57 | log "[+] Parsing ${DEVICES}" 58 | 59 | count=0 60 | while IFS=',' read ID QEMU MACHINE CPU DTB MEM KERNEL QOPTS DESC 61 | do 62 | if [ "$ID" != "" ] 63 | then 64 | ids[$count]=$ID 65 | qemus[$count]=$QEMU 66 | machines[$count]=$MACHINE 67 | cpus[$count]=$CPU 68 | dtbs[$count]=$DTB 69 | mems[$count]=$MEM 70 | kernels[$count]=$KERNEL 71 | drives[$count]=${qdrives[$QOPTS]} 72 | 73 | # After moving to Alpine's own QEMU packages, we don't need to include 74 | # the QEMU version number in /emux/devices 75 | #archs[$count]=$(echo $QEMU | sed 's/qemu-system-\([a-z]*\)-.*/\1/') 76 | archs[$count]=$(echo $QEMU | sed 's/qemu-system-\([a-z]*\)/\1/') 77 | 78 | # check if the device has an mtdparts file, in which case 79 | # we need to set up QEMU options for enabling VEXPRESS' NOR flash memory 80 | # 81 | # two files will be designated, to hold 64MB of contents each: 82 | # /emux/DEVICE/flash0.bin 83 | # /emux/DEVICE/flash1.bin 84 | mtdfile="${EMUXROOT}/${ID}/mtdparts" 85 | if [ -r "${mtdfile}" ] 86 | then 87 | mtdparts[$count]="$(cat ${mtdfile} | grep 
-v '#' | tr -s '\n' ' ')" 88 | flashfile[$count]="${EMUXROOT}/${ID}/flashmem/flash" 89 | flashargs[$count]="-drive file=${flashfile[$count]}0.bin,if=pflash -drive file=${flashfile[$count]}1.bin,if=pflash" 90 | bootargs[$count]="${qbootargs[$QOPTS]} ${mtdparts[$count]} EMUX=$ID" 91 | else 92 | bootargs[$count]="${qbootargs[$QOPTS]} EMUX=$ID" 93 | fi 94 | nics[$count]=${qnics[$QOPTS]} 95 | nets[$count]=${qnet[$QOPTS]} 96 | descs[$count]=$DESC 97 | customs[$count]=${qcustoms[$QOPTS]} 98 | 99 | log "${ids[$count]}|${archs[$count]}|${qemus[$count]}|${machines[$count]}|${cpus[$count]}|${dtbs[$count]}|${mems[$count]}|${kernels[$count]}|${drives[$count]}|${bootargs[$count]}|${flashargs[$count]}|${nics[$count]}|${nets[$count]}|${customs[$count]}|${descs[$count]}#" 100 | 101 | count=$((count + 1)) 102 | fi 103 | done <<< "$(cat ${DEVICES} ${DEVICESEXTRA} | sed -e 's/#.*//g')" 104 | -------------------------------------------------------------------------------- /files/emux/run/parseini: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Parses the config file and extracts 4 | # variables of importance. Could write this 5 | # in a much better manner. 6 | 7 | # This Source Code Form is subject to the terms of the Mozilla Public 8 | # License, v. 2.0. If a copy of the MPL was not distributed with this 9 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
10 | 11 | # EMUX by Saumil Shah 12 | # https://emux.exploitlab.net/ 13 | 14 | source /emux/run/utils 15 | 16 | if [ "$1" = "" ] 17 | then 18 | echo "Usage: $0 " 19 | exit 20 | fi 21 | 22 | log "[+] Parsing INI file $1" 23 | 24 | # change to the directory containing the ini file 25 | # and then perform all the actions 26 | 27 | CWD=$(pwd) 28 | cd $(dirname "$1") 29 | 30 | while IFS='=' read key value 31 | do 32 | case ${key} in 33 | id) 34 | ID="${value}" 35 | log "ID=${ID}" 36 | ;; 37 | nvram) 38 | NVRAM="${value}" 39 | log "NVRAM=${NVRAM}" 40 | ;; 41 | randomize_va_space) 42 | RANDOMIZE_VA_SPACE="${value}" 43 | log "RANDOMIZE_VA_SPACE=${RANDOMIZE_VA_SPACE}" 44 | ;; 45 | legacy_va_layout) 46 | LEGACY_VA_LAYOUT="${value}" 47 | log "LEGACY_VA_LAYOUT=${LEGACY_VA_LAYOUT}" 48 | ;; 49 | rootfs) 50 | ROOTFS="${value}" 51 | log "ROOTFS=${ROOTFS}" 52 | # check if rootfs needs to be tar bunzipped 53 | # 54 | # Note: This process happens inside the QEMU'ed kernel and 55 | # the hostfs. It is extremely slow, because the emulated 56 | # environment gets translated to the host, the host's 57 | # directory is mounted over NFS, and that too inside a 58 | # docker volume. 59 | # 60 | # We shall therefore attempt extracting the rootfs in the 61 | # launcher itself, as a speed-up measure. So ideally this 62 | # code shall never be reached. 63 | if [ ! -d ${ROOTFS} ] 64 | then 65 | log "${ROOTFS} not detected" 66 | ROOTFSTAR="${ROOTFS}.tar.bz2" 67 | if [ ! -f ${ROOTFSTAR} ] 68 | then 69 | fatalerror "${ROOTFSTAR} not present. Cannot continue." 70 | fi 71 | log "Extracting ${ROOTFSTAR}" 72 | echo "First run ... 
extracting ${ROOTFSTAR}" 73 | pv ${ROOTFSTAR} | tar -jxf - 74 | log "Done" 75 | fi 76 | ;; 77 | mount_dev_tree) 78 | MOUNTDEVTREE="${value}" 79 | log "MOUNTDEVTREE=${MOUNTDEVTREE}" 80 | ;; 81 | ld_preload) 82 | PRELOADDIR="${value}" 83 | log "PRELOADDIR=${PRELOADDIR}" 84 | ;; 85 | initcommands) 86 | if [ "${value}" = "" ] 87 | then 88 | INITCOMMANDS="/bin/sh" 89 | else 90 | INITCOMMANDS="${value}" 91 | fi 92 | log "INITCOMMANDS=${INITCOMMANDS}" 93 | ;; 94 | esac 95 | done <<< "$(cat "$1" | sed -e 's/#.*//g')" 96 | 97 | cd ${CWD} 98 | -------------------------------------------------------------------------------- /files/emux/run/run-binsh-template: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | emuxdir=$(dirname $0) 11 | source ${emuxdir}/../run/utils 12 | check_if_logging_required 13 | 14 | log "[+] ${EMUX} parseini config" 15 | source ${emuxdir}/../run/parseini config 16 | 17 | log "[+] ${EMUX} run-chroot shell" 18 | source ${emuxdir}/../run/run-chroot shell 19 | -------------------------------------------------------------------------------- /files/emux/run/run-chroot: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Starts up the chroot'ed environment after mount binding 4 | # /proc, /sys and /dev 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
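
# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# This script is sourced after parseini, which sets ID, ROOTFS,
# RANDOMIZE_VA_SPACE, LEGACY_VA_LAYOUT, MOUNTDEVTREE, PRELOADDIR and
# INITCOMMANDS from the device's config file.

# Refuse to go on before anything is changed: without ID and ROOTFS the
# chroot target below would resolve to a directory that is not a rootfs.
if [ "$ID" = "" ] || [ "$ROOTFS" = "" ]
then
   echo "Environment variables not set"
   exit
fi

# Address-space layout settings of the emulated kernel come from the device
# config. The shipped configs set randomize_va_space=0, which turns ASLR off
# inside the guest only. A value that is not set is left untouched instead of
# writing an empty line to /proc.
if [ "$RANDOMIZE_VA_SPACE" != "" ]
then
   echo "${RANDOMIZE_VA_SPACE}" > /proc/sys/kernel/randomize_va_space
fi

if [ "$LEGACY_VA_LAYOUT" != "" ]
then
   echo "${LEGACY_VA_LAYOUT}" > /proc/sys/vm/legacy_va_layout
fi

NEWROOT="/emux/${ID}/${ROOTFS}"

mount --bind /proc "${NEWROOT}/proc"
mount --bind /sys "${NEWROOT}/sys"

# Mount the /dev tree only if the
# flag mount_dev_tree=1 is set
if [ "$MOUNTDEVTREE" = "1" ]
then
   mount --bind /dev "${NEWROOT}/dev"
fi

# copy the libs to be LD_PRELOADed into ${NEWROOT}/.emux

DOTEMUX="${NEWROOT}/.emux"

if [ ! -x "${DOTEMUX}" ]
then
   mkdir -p "${DOTEMUX}"
   chmod 755 "${DOTEMUX}"
fi
# Start from a clean set so a library dropped from the preload directory
# is not picked up from an earlier run
rm -f "${DOTEMUX}"/*.so

if [ "$PRELOADDIR" != "" ]
then
   PRELOADLIBS=""
   for lib in "${PRELOADDIR}"/*.so
   do
      # An unmatched glob stays literal; skip it instead of adding a
      # non-existent "*.so" entry to LD_PRELOAD
      [ -f "${lib}" ] || continue
      cp "${lib}" "${DOTEMUX}"
      libfile=$(basename "${lib}")
      PRELOADLIBS="/.emux/${libfile}:${PRELOADLIBS}"
   done
fi

# if invoked as a shell, don't overwrite
# /.emux/emuxinit. instead use /.emux/emuxshell

if [ "$1" != "shell" ]
then
   INITPATH="/.emux/emuxinit"
else
   INITPATH="/.emux/emuxshell"
fi

# If run-chroot is invoked with "shell" as a command line argument
# then simply drop to /bin/sh after chroot. Don't run the initcommands

echo "#!/bin/sh" > "${NEWROOT}${INITPATH}"
if [ "$PRELOADDIR" != "" ]
then
   echo "export LD_PRELOAD=${PRELOADLIBS}" >> "${NEWROOT}${INITPATH}"
fi

if [ "$1" != "shell" ]
then
   # initcommands from the device config is written out as a script, one
   # command per ';', and later run inside the chroot. The config file is
   # therefore as trusted as the code itself.
   echo "${INITCOMMANDS}" | sed -e 's/^"//' -e 's/"$//' -e 's/;/\n/g' >> "${NEWROOT}${INITPATH}"
   echo ">>> Starting ${ID}"
   log ">>> Starting ${ID}"
else
   echo "/bin/sh" >> "${NEWROOT}${INITPATH}"
fi

chmod 755 "${NEWROOT}${INITPATH}"
log "[+] Contents of $INITPATH\n$(cat "${NEWROOT}${INITPATH}")"

echo "[+] chroot $NEWROOT $INITPATH"
log "[+] chroot $NEWROOT $INITPATH"

# With logging enabled the whole chroot session is recorded through script(1)
if [ "$EMUXLOGFILE" ]
then
   script -a -f -c "chroot ${NEWROOT} ${INITPATH}" "${EMUXLOGFILE}"
else
   chroot "${NEWROOT}" "${INITPATH}"
fi
-------------------------------------------------------------------------------- /files/emux/run/run-init-template: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/.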
6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | emuxdir=$(dirname $0) 11 | source ${emuxdir}/../run/utils 12 | check_if_logging_required 13 | 14 | echo $$ > /tmp/emuxstarted 15 | 16 | log "[+] ${EMUX} parseini config" 17 | source ${emuxdir}/../run/parseini config 18 | 19 | log "[+] ${EMUX} loadnvram $NVRAM" 20 | source ${emuxdir}/../run/loadnvram "$NVRAM" 21 | 22 | log "[+] ${EMUX} run-chroot" 23 | source ${emuxdir}/../run/run-chroot 24 | -------------------------------------------------------------------------------- /files/emux/run/split-mtd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Utility script to take a flashmem.bin file, pad it up to 128MB 4 | # and split it into 2 x 64MB files flash0.bin and flash1.bin 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
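
# EMUX by Saumil Shah
# https://emux.exploitlab.net/

if [ "$1" = "" ]
then
   echo "Usage: $0 flashmem.bin"
   exit
fi

# Operate on the file named on the command line. It is padded in place and
# removed once it has been split; flash0.bin and flash1.bin are written to
# the current directory.
output="$1"
if [ ! -f "${output}" ]
then
   echo "${output} not found"
   exit 1
fi

total_bytes=$(wc -c < "${output}")
echo "Total bytes: ${total_bytes}"

# 134217728 = 128MB, the combined size of the two 64MB flash files
if [ ${total_bytes} -le 134217728 ]
then
   difference=$(( 134217728 - ${total_bytes} ))
   echo "Appending ${difference} bytes as padding"
   # Pad with the exact byte count. Padding in whole 4096-byte blocks would
   # leave an image whose size is not a multiple of 4096 short of 128MB.
   head -c "${difference}" /dev/zero >> "${output}"
fi

echo "Creating 2 x 64MB flash memory files"
split -a 1 -b 64m "${output}" flash
mv flasha flash0.bin
mv flashb flash1.bin
rm -f "${output}"
echo "Done"
ls -s flash*.bin
-------------------------------------------------------------------------------- /files/emux/run/unhide: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # utility to quickly unhide files by stripping a leading dot 4 | # from their names. 5 | 6 | # This Source Code Form is subject to the terms of the Mozilla Public 7 | # License, v. 2.0. If a copy of the MPL was not distributed with this 8 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 9 | 10 | # EMUX by Saumil Shah 11 | # https://emux.exploitlab.net/ 12 | 13 | if [ "$1" = "" ] 14 | then 15 | echo "Usage: $0 [file2] ..." 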
16 | exit 17 | fi 18 | 19 | while [ "$1" != "" ] 20 | do 21 | FILENAME=$(basename $1) 22 | FILEDIR=$(dirname $1) 23 | OUTFILE=$(echo "${FILENAME}" | sed -e 's/^\.\(.*\)$/\1/') 24 | 25 | if [ "${FILENAME}" = "${OUTFILE}" ] 26 | then 27 | echo "skipping $FILEDIR/$FILENAME = $FILEDIR/$OUTFILE" 28 | else 29 | echo "unhide $FILEDIR/$FILENAME -> $FILEDIR/$OUTFILE" 30 | mv "$FILEDIR/$FILENAME" "$FILEDIR/$OUTFILE" 31 | fi 32 | shift 33 | done 34 | -------------------------------------------------------------------------------- /files/emux/run/userspace: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This Source Code Form is subject to the terms of the Mozilla Public 4 | # License, v. 2.0. If a copy of the MPL was not distributed with this 5 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 6 | 7 | # EMUX by Saumil Shah 8 | # https://emux.exploitlab.net/ 9 | 10 | if [ -f /tmp/emuxrunning ] 11 | then 12 | ssh -p 22222 root@192.168.100.2 13 | # Sometimes the terminal goes insane 14 | stty sane 15 | else 16 | echo "EMUX doesn't seem to be running. Have you run the 'launcher' yet?" 17 | fi 18 | -------------------------------------------------------------------------------- /files/emux/run/utils: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Support functions for EMUX 4 | 5 | # This Source Code Form is subject to the terms of the Mozilla Public 6 | # License, v. 2.0. If a copy of the MPL was not distributed with this 7 | # file, You can obtain one at https://mozilla.org/MPL/2.0/. 
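# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# File names of the two logs, and the file whose presence switches logging on.
EMUXDEBUGLOG="emuxdebug.log"
QEMUCONSOLELOG="qemuconsole.log"
DEBUGINDICATOR="/emux/debuglogs"

# log MESSAGE...
# Append MESSAGE to $EMUXLOGFILE. Does nothing while logging is disabled
# (EMUXLOGFILE unset or empty).
log () {
    if [ "$EMUXLOGFILE" ]
    then
        echo "$*" >> "$EMUXLOGFILE"
    fi
}

# fatalerror MESSAGE...
# Print the error, record it in the debug log when logging is enabled, halt
# EMUX via /emux/run/emuxhalt and leave with a non-zero status.
fatalerror () {
    echo "Fatal Error: $*"
    if [ "$EMUXLOGFILE" ]
    then
        # Without the redirection the message is only printed a second time
        # and never reaches the log file.
        echo "Fatal Error: $*" >> "$EMUXLOGFILE"
    fi
    /emux/run/emuxhalt
    # A bare "exit" would return emuxhalt's status, which can be 0.
    exit 1
}

# check_if_logging_required
# When ${DEBUGINDICATOR} exists, take its first "key=value" line that contains
# no '#', use the value as the log directory (created if missing) and export
# EMUXLOGFILE and CONSOLELOGFILE pointing into it.
#
# NOTE(review): the directory is taken verbatim from a file under /emux, so
# whoever can write /emux/debuglogs decides where these logs are created;
# files/etc/exports gives NFS clients on 192.168.100.0/24 write access to /emux.
check_if_logging_required () {
    if [ -f "${DEBUGINDICATOR}" ]
    then
        # Trim surrounding blanks, the blanks around '=' and a trailing slash.
        DEBUGLOGS=$(grep '=' "${DEBUGINDICATOR}" | grep -v '#' | head -1 \
                    | sed -e 's/^ *//' -e 's/ *$//' -e 's/ *= */=/' -e 's/\/$//')
        if [ "${DEBUGLOGS}" != "" ]
        then
            echo "[+] Logging enabled"
            # Everything after the first '=' is the path, so a path that itself
            # contains '=' is not truncated.
            LOGPATH="${DEBUGLOGS#*=}"
            if [ ! -d "${LOGPATH}" ]
            then
                echo "[+] Creating log directory ${LOGPATH}"
                mkdir -p "${LOGPATH}"
            fi
            export EMUXLOGFILE="${LOGPATH}/${EMUXDEBUGLOG}"
            export CONSOLELOGFILE="${LOGPATH}/${QEMUCONSOLELOG}"
            echo "[+] EMUX Debug log - ${EMUXLOGFILE}"
            # Show the full path, as the line above does for the debug log.
            echo "[+] QEMU Console log - ${CONSOLELOGFILE}"
        fi
    fi
}

# new_log
# Start both logs afresh. Each file is removed and recreated rather than
# truncated, and a log that does not exist yet is left alone.
new_log () {
    if [ -f "${EMUXLOGFILE}" ]
    then
        rm -f "${EMUXLOGFILE}"
        touch "${EMUXLOGFILE}"
    fi

    if [ -f "${CONSOLELOGFILE}" ]
    then
        rm -f "${CONSOLELOGFILE}"
        touch "${CONSOLELOGFILE}"
    fi
}

# check_emux_volume_permissions
# Hand the whole /emux tree to r0:r0 (through sudo) when /emux/devices is not
# already owned by r0:r0.
check_emux_volume_permissions() {
    if [ "$(stat -c '%U:%G' /emux/devices)" != "r0:r0" ]
    then
        echo "Setting permissions for /emux"
        sudo chown -R r0:r0 /emux
    fi
}

uncompress_qemu_roms () {
    # uncompress /emux/run/share/qemu.tar.bz2
    # when we are running for the first time
    #
    # This function will become useless after
    # finalising the move to Alpine's QEMU packages
    if [ ! -d /emux/run/share/qemu/ ]
    then
        # Announced only when the archive is really unpacked.
        echo "Uncompressing ROMs"
        pv /emux/run/share/qemu.tar.bz2 | tar -C /emux/run/share -jxf -
    fi
}

uncompress_hostfs () {
    # uncompress every /emux/hostfs/hostfs-*.ext2.bz2 that has no
    # uncompressed counterpart yet (first run)
    local target
    for hostfs in /emux/hostfs/hostfs-*.ext2.bz2
    do
        # An unmatched glob is passed through as the literal pattern; skip it
        # rather than creating an empty "hostfs-*.ext2".
        [ -f "${hostfs}" ] || continue
        ext2file="$(basename "${hostfs}" .bz2)"
        target="/emux/hostfs/${ext2file}"
        if [ ! -f "${target}" ]
        then
            echo "Uncompressing ${hostfs}"
            # Write to a scratch name first, so that an interrupted run does
            # not leave a truncated image that later passes the -f test above.
            if pv "${hostfs}" | bunzip2 > "${target}.partial"
            then
                mv "${target}.partial" "${target}"
            else
                rm -f "${target}.partial"
                echo "Failed to uncompress ${hostfs}"
            fi
        fi
    done
}
--------------------------------------------------------------------------------
/files/emux/template/config:
--------------------------------------------------------------------------------
# Sample device configuration file
#
id=MYNEWDEVICE
nvram=nvram.ini
rootfs=rootfs
# NOTE(review): 0 is the value that turns address space layout randomisation
# off in the Linux kernel.randomize_va_space sysctl; presumably applied inside
# the emulated guest to keep addresses stable while debugging - confirm in the
# EMUX docs.
randomize_va_space=0
#ld_preload=preload
initcommands="/etc/init.d/rcS;/bin/sh"
--------------------------------------------------------------------------------
/files/emux/template/kernel/gzImage-4.4.60-arm64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/gzImage-4.4.60-arm64
--------------------------------------------------------------------------------
/files/emux/template/kernel/gzImage-5.10.25-arm64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/gzImage-5.10.25-arm64
--------------------------------------------------------------------------------
/files/emux/template/kernel/vmlinux-2.6.30.9-malta-be:
--------------------------------------------------------------------------------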
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/vmlinux-2.6.30.9-malta-be -------------------------------------------------------------------------------- /files/emux/template/kernel/vmlinux-2.6.32.5-malta-mips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/vmlinux-2.6.32.5-malta-mips -------------------------------------------------------------------------------- /files/emux/template/kernel/vmlinux-2.6.32.5-malta-mipsel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/vmlinux-2.6.32.5-malta-mipsel -------------------------------------------------------------------------------- /files/emux/template/kernel/vmlinux-3.18.109-malta-be: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/vmlinux-3.18.109-malta-be -------------------------------------------------------------------------------- /files/emux/template/kernel/vmlinux-3.18.109-malta-le: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/vmlinux-3.18.109-malta-le -------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-2.6.28-versatile-nothumb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-2.6.28-versatile-nothumb 
-------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-2.6.29.6-versatile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-2.6.29.6-versatile -------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-2.6.31.14-realview-rv130-nothumb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-2.6.31.14-realview-rv130-nothumb -------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-2.6.39.4-vexpress: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-2.6.39.4-vexpress -------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-3.16.57-vexpress: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-3.16.57-vexpress -------------------------------------------------------------------------------- /files/emux/template/kernel/zImage-3.18.109-realview: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/kernel/zImage-3.18.109-realview -------------------------------------------------------------------------------- /files/emux/template/mtdparts: 
-------------------------------------------------------------------------------- 1 | # 16MiB, 512 bytes page 2 | #nandsim.first_id_byte=0x20 3 | #nandsim.second_id_byte=0x33 4 | 5 | # 32MiB, 512 bytes page; 6 | #nandsim.first_id_byte=0x20 7 | #nandsim.second_id_byte=0x35 8 | 9 | # 64MiB, 512 bytes page; 10 | #nandsim.first_id_byte=0x20 11 | #nandsim.second_id_byte=0x36 12 | 13 | # 128MiB, 512 bytes page; 14 | #nandsim.first_id_byte=0x20 15 | #nandsim.second_id_byte=0x78 16 | 17 | # 256MiB, 512 bytes page; 18 | #nandsim.first_id_byte=0x20 19 | #nandsim.second_id_byte=0x71 20 | 21 | # 64MiB, 2048 bytes page; 22 | #nandsim.first_id_byte=0x20 23 | #nandsim.second_id_byte=0xa2 24 | #nandsim.third_id_byte=0x00 25 | #nandsim.fourth_id_byte=0x15 26 | 27 | # 128MiB, 2048 bytes page; 28 | #nandsim.first_id_byte=0xec 29 | #nandsim.second_id_byte=0xa1 30 | #nandsim.third_id_byte=0x00 31 | #nandsim.fourth_id_byte=0x15 32 | 33 | # 256MiB, 2048 bytes page; 34 | #nandsim.first_id_byte=0x20 35 | #nandsim.second_id_byte=0xaa 36 | #nandsim.third_id_byte=0x00 37 | #nandsim.fourth_id_byte=0x15 38 | 39 | # 512MiB, 2048 bytes page; 40 | #nandsim.first_id_byte=0x20 41 | #nandsim.second_id_byte=0xac 42 | #nandsim.third_id_byte=0x00 43 | #nandsim.fourth_id_byte=0x15 44 | 45 | # 1GiB, 2048 bytes page; 46 | #nandsim.first_id_byte=0xec 47 | #nandsim.second_id_byte=0xd3 48 | #nandsim.third_id_byte=0x51 49 | #nandsim.fourth_id_byte=0x95 50 | -------------------------------------------------------------------------------- /files/emux/template/nvram.ini: -------------------------------------------------------------------------------- 1 | key1=value1 2 | key2=value2 3 | key3=value3 4 | key4=value4 5 | key5=value5 6 | key6=value6 7 | key7=value7 8 | key8=value8 9 | key9=value9 10 | key10=value10 11 | -------------------------------------------------------------------------------- /files/emux/template/preload/libnvram-armx.so: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/emux/template/preload/libnvram-armx.so
--------------------------------------------------------------------------------
/files/etc/exports:
--------------------------------------------------------------------------------
# /emux is exported read-write to the whole tap0 subnet (192.168.100.0/24).
# "no_root_squash" leaves uid 0 on the client unmapped and "insecure" accepts
# requests from unprivileged source ports, so root inside an emulated guest
# has root-level write access to everything under /emux. That includes
# /emux/run, whose scripts run on the container side (it is on r0's PATH in
# files/home/r0/bashrc). The guest and this export therefore form a single
# trust domain; these options only fit a disposable lab container.
/emux 192.168.100.0/24(rw,sync,fsid=0,no_auth_nlm,insecure,no_root_squash,no_subtree_check)
--------------------------------------------------------------------------------
/files/etc/local.d/10-tun-network.start:
--------------------------------------------------------------------------------
# Give group r0 read/write access to the TUN/TAP control device
# (presumably so QEMU can be started by r0 rather than root).
chown root:r0 /dev/net/tun
chmod g+rw /dev/net/tun
# Create tap0 owned by user r0; the container side takes 192.168.100.1.
tunctl -t tap0 -u r0
ifconfig tap0 192.168.100.1 up
# IP forwarding is not switched on here (the line is commented out), so whether
# guest traffic is routed at all depends on the container's ip_forward setting.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Source-NAT everything that leaves through eth0, accept all forwarded traffic
# arriving from tap0, and let only RELATED,ESTABLISHED traffic back toward it.
# No egress filter is applied: with forwarding on, the emulated firmware can
# reach whatever eth0 can reach.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD 1 -i tap0 -j ACCEPT
iptables -I FORWARD 1 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): started without arguments; presumably serves DHCP/DNS to the
# guest on tap0 - its configuration is not shown here.
dnsmasq
--------------------------------------------------------------------------------
/files/etc/tinyproxy/tinyproxy.conf:
--------------------------------------------------------------------------------
# Runs as the unprivileged tinyproxy user and listens on port 8000.
# NOTE(review): no Listen or Allow directive is set in this file, so who can
# reach port 8000 depends on how the container publishes it - confirm before
# exposing it beyond the local host.
User tinyproxy
Group tinyproxy
Port 8000
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
#LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 5
MaxRequestsPerChild 0
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
# Reverse proxy only: "/" is mapped to the web server of the emulated device
# at 192.168.100.2:80, so the device's web interface (and any flaw in it) is
# reachable through port 8000.
ReversePath "/" "http://192.168.100.2:80/"
ReverseOnly Yes
ReverseMagic Yes
--------------------------------------------------------------------------------
/files/home/r0/bash_profile:
--------------------------------------------------------------------------------
# Login shells load the same settings as interactive shells.
source ~/.bashrc
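--------------------------------------------------------------------------------
/files/home/r0/bashrc:
--------------------------------------------------------------------------------
#!/bin/bash

# Ignore case during tab completion.
bind 'set completion-ignore-case on'

# Two prompts so the kind of session is visible at a glance: white on blue
# when EMUXDOCKERSHELL is 1, white on bright magenta otherwise.
if [ "${EMUXDOCKERSHELL}" = "1" ]
then
    export PS1="\[\033[97;44m\][emux-docker 🐚]\[\033[0m\] \w\\$ "
else
    export PS1="\[\033[97;105m\][EMUX-DOCKER 🐳]\[\033[0m\] \w\\$ "
fi

alias ls="ls -F --color=auto"
# Load the colour theme only when it is readable. Quoting the substitution
# hands dircolors' output to eval unchanged instead of word-split.
if [ -r ~/.dircolors/dircolors.256dark ]
then
    eval "$(dircolors -b ~/.dircolors/dircolors.256dark)"
fi
# Appended rather than prepended, so the EMUX helpers never shadow system
# commands. /emux is also exported over NFS (files/etc/exports), so these
# directories are writable from the guest side.
export PATH="$PATH:/emux/run:/emux/run/qemu-bin"
--------------------------------------------------------------------------------
/files/home/r0/config/pip/pip.conf:
--------------------------------------------------------------------------------
[global]
# Lets pip install into the system Python environment even though the
# distribution marks it as externally managed (PEP 668). Packages installed
# this way can replace modules owned by the OS package manager; acceptable in
# a throwaway container, not a setting to copy to a workstation.
break-system-packages = true
-------------------------------------------------------------------------------- /files/home/r0/dircolors/dircolors-solarized: -------------------------------------------------------------------------------- 1 | # 2 | # Heavily customized version of Sebastian Tramp's dircolors-solarized 3 | # https://github.com/seebi/dircolors-solarized 4 | # 5 | 6 | # Below, there should be one TERM entry for each termtype that is colorizable 7 | TERM ansi 8 | TERM color_xterm 9 | TERM color-xterm 10 | TERM con132x25 11 | TERM con132x30 12 | TERM con132x43 13 | TERM con132x60 14 | TERM con80x25 15 | TERM con80x28 16 | TERM con80x30 17 | TERM con80x43 18 | TERM con80x50 19 | TERM con80x60 20 | TERM cons25 21 | TERM console 22 | TERM cygwin 23 | TERM dtterm 24 | TERM Eterm 25 | TERM eterm-color 26 | TERM gnome 27 | TERM gnome-256color 28 | TERM jfbterm 29 | TERM konsole 30 | TERM kterm 31 | TERM linux 32 | TERM linux-c 33 | TERM mach-color 34 | TERM mlterm 35 | TERM nxterm 36 | TERM putty 37 | TERM rxvt 38 | TERM rxvt-256color 39 | TERM rxvt-cygwin 40 | TERM rxvt-cygwin-native 41 | TERM rxvt-unicode 42 |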
TERM rxvt-unicode256 43 | TERM rxvt-unicode-256color 44 | TERM screen 45 | TERM screen-256color 46 | TERM screen-256color-bce 47 | TERM screen-256color-s 48 | TERM screen-bce 49 | TERM screen-w 50 | TERM screen.linux 51 | TERM screen.xterm-new 52 | TERM vt100 53 | TERM xterm 54 | TERM xterm-new 55 | TERM xterm-16color 56 | TERM xterm-256color 57 | TERM xterm-88color 58 | TERM xterm-color 59 | TERM xterm-debian 60 | 61 | # EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output) 62 | EIGHTBIT 1 63 | 64 | ###### By file type 65 | 66 | # global default 67 | NORMAL 00 68 | 69 | # normal file 70 | FILE 00 71 | 72 | # directory 73 | DIR 34 74 | 75 | # symbolic link 76 | LINK 01;36 77 | 78 | # pipe, socket, block device, character device (blue bg) 79 | FIFO 30;44 80 | SOCK 35;44 81 | BLK 33;44 82 | CHR 37;44 83 | 84 | ###### By file attributes 85 | 86 | # Orphaned symlinks (blinking white on red) 87 | ORPHAN 05;37;41 88 | 89 | # The files that orphaned symlinks point to (blinking white on red) 90 | MISSING 05;37;41 91 | 92 | # Files with execute permission 93 | EXEC 32 # Unix -------------------------------------------------------------------------------- /files/home/r0/dircolors/dircolors.256dark: -------------------------------------------------------------------------------- 1 | 2 | # Dark 256 color solarized theme for the color GNU ls utility. 
3 | # Used and tested with dircolors (GNU coreutils) 8.5 4 | # 5 | # @author {@link http://sebastian.tramp.name Sebastian Tramp} 6 | # @license http://sam.zoy.org/wtfpl/ Do What The Fuck You Want To Public License (WTFPL) 7 | # 8 | # More Information at 9 | # https://github.com/seebi/dircolors-solarized 10 | 11 | # Term Section 12 | TERM Eterm 13 | TERM ansi 14 | TERM color-xterm 15 | TERM con132x25 16 | TERM con132x30 17 | TERM con132x43 18 | TERM con132x60 19 | TERM con80x25 20 | TERM con80x28 21 | TERM con80x30 22 | TERM con80x43 23 | TERM con80x50 24 | TERM con80x60 25 | TERM cons25 26 | TERM console 27 | TERM cygwin 28 | TERM dtterm 29 | TERM dvtm 30 | TERM dvtm-256color 31 | TERM eterm-color 32 | TERM fbterm 33 | TERM gnome 34 | TERM gnome-256color 35 | TERM jfbterm 36 | TERM konsole 37 | TERM konsole-256color 38 | TERM kterm 39 | TERM linux 40 | TERM linux-c 41 | TERM mach-color 42 | TERM mlterm 43 | TERM putty 44 | TERM putty-256color 45 | TERM rxvt 46 | TERM rxvt-256color 47 | TERM rxvt-cygwin 48 | TERM rxvt-cygwin-native 49 | TERM rxvt-unicode 50 | TERM rxvt-unicode256 51 | TERM rxvt-unicode-256color 52 | TERM screen 53 | TERM screen-16color 54 | TERM screen-16color-bce 55 | TERM screen-16color-s 56 | TERM screen-16color-bce-s 57 | TERM screen-256color 58 | TERM screen-256color-bce 59 | TERM screen-256color-s 60 | TERM screen-256color-bce-s 61 | TERM screen-256color-italic 62 | TERM screen-bce 63 | TERM screen-w 64 | TERM screen.linux 65 | TERM screen.xterm-256color 66 | TERM st 67 | TERM st-meta 68 | TERM st-256color 69 | TERM st-meta-256color 70 | TERM tmux 71 | TERM tmux-256color 72 | TERM vt100 73 | TERM xterm 74 | TERM xterm-16color 75 | TERM xterm-256color 76 | TERM xterm-256color-italic 77 | TERM xterm-88color 78 | TERM xterm-color 79 | TERM xterm-debian 80 | TERM xterm-termite 81 | 82 | ## Documentation 83 | # 84 | # standard colors 85 | # 86 | # Below are the color init strings for the basic file types. 
A color init 87 | # string consists of one or more of the following numeric codes: 88 | # Attribute codes: 89 | # 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed 90 | # Text color codes: 91 | # 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white 92 | # Background color codes: 93 | # 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white 94 | # 95 | # 96 | # 256 color support 97 | # see here: http://www.mail-archive.com/bug-coreutils@gnu.org/msg11030.html) 98 | # 99 | # Text 256 color coding: 100 | # 38;5;COLOR_NUMBER 101 | # Background 256 color coding: 102 | # 48;5;COLOR_NUMBER 103 | 104 | ## Special files 105 | 106 | #NORMAL 00;38;5;244 # no color code at all 107 | NORMAL 00 108 | #FILE 00 # regular file: use no color at all 109 | FILE 00 110 | RESET 0 # reset to "normal" color 111 | DIR 00;38;5;33 # directory 01;34 112 | LINK 00;38;5;37 # symbolic link. (If you set this to 'target' instead of a 113 | # numerical value, the color is as for the file pointed to.) 
114 | MULTIHARDLINK 00 # regular file with more than one link 115 | FIFO 48;5;230;38;5;136;01 # pipe 116 | SOCK 48;5;230;38;5;136;01 # socket 117 | DOOR 48;5;230;38;5;136;01 # door 118 | BLK 48;5;230;38;5;244;01 # block device driver 119 | CHR 48;5;230;38;5;244;01 # character device driver 120 | ORPHAN 48;5;235;38;5;160 # symlink to nonexistent file, or non-stat'able file 121 | SETUID 48;5;160;38;5;230 # file that is setuid (u+s) 122 | SETGID 48;5;136;38;5;230 # file that is setgid (g+s) 123 | CAPABILITY 30;41 # file with capability 124 | STICKY_OTHER_WRITABLE 48;5;64;38;5;230 # dir that is sticky and other-writable (+t,o+w) 125 | OTHER_WRITABLE 48;5;235;38;5;33 # dir that is other-writable (o+w) and not sticky 126 | STICKY 48;5;33;38;5;230 # dir with the sticky bit set (+t) and not other-writable 127 | # This is for files with execute permission: 128 | EXEC 00;38;5;64 129 | 130 | ## Archives or compressed (violet + bold for compression) 131 | .tar 00;38;5;61 132 | .tgz 00;38;5;61 133 | .arj 00;38;5;61 134 | .taz 00;38;5;61 135 | .lzh 00;38;5;61 136 | .lzma 00;38;5;61 137 | .tlz 00;38;5;61 138 | .txz 00;38;5;61 139 | .zip 00;38;5;61 140 | .z 00;38;5;61 141 | .Z 00;38;5;61 142 | .dz 00;38;5;61 143 | .gz 00;38;5;61 144 | .lz 00;38;5;61 145 | .xz 00;38;5;61 146 | .bz2 00;38;5;61 147 | .bz 00;38;5;61 148 | .tbz 00;38;5;61 149 | .tbz2 00;38;5;61 150 | .tz 00;38;5;61 151 | .deb 00;38;5;61 152 | .rpm 00;38;5;61 153 | .jar 00;38;5;61 154 | .rar 00;38;5;61 155 | .ace 00;38;5;61 156 | .zoo 00;38;5;61 157 | .cpio 00;38;5;61 158 | .7z 00;38;5;61 159 | .rz 00;38;5;61 160 | .apk 00;38;5;61 161 | .gem 00;38;5;61 162 | 163 | # Image formats (yellow) 164 | .jpg 00;38;5;136 165 | .JPG 00;38;5;136 #stupid but needed 166 | .jpeg 00;38;5;136 167 | .gif 00;38;5;136 168 | .bmp 00;38;5;136 169 | .pbm 00;38;5;136 170 | .pgm 00;38;5;136 171 | .ppm 00;38;5;136 172 | .tga 00;38;5;136 173 | .xbm 00;38;5;136 174 | .xpm 00;38;5;136 175 | .tif 00;38;5;136 176 | .tiff 00;38;5;136 177 | .png 
00;38;5;136 178 | .PNG 00;38;5;136 179 | .svg 00;38;5;136 180 | .svgz 00;38;5;136 181 | .mng 00;38;5;136 182 | .pcx 00;38;5;136 183 | .dl 00;38;5;136 184 | .xcf 00;38;5;136 185 | .xwd 00;38;5;136 186 | .yuv 00;38;5;136 187 | .cgm 00;38;5;136 188 | .emf 00;38;5;136 189 | .eps 00;38;5;136 190 | .CR2 00;38;5;136 191 | .ico 00;38;5;136 192 | 193 | # Files of special interest (base1) 194 | .tex 00;38;5;245 195 | .rdf 00;38;5;245 196 | .owl 00;38;5;245 197 | .n3 00;38;5;245 198 | .ttl 00;38;5;245 199 | .nt 00;38;5;245 200 | .torrent 00;38;5;245 201 | .xml 00;38;5;245 202 | *Makefile 00;38;5;245 203 | *Rakefile 00;38;5;245 204 | *Dockerfile 00;38;5;245 205 | *build.xml 00;38;5;245 206 | *rc 00;38;5;245 207 | *1 00;38;5;245 208 | .nfo 00;38;5;245 209 | *README 00;38;5;245 210 | *README.txt 00;38;5;245 211 | *readme.txt 00;38;5;245 212 | .md 00;38;5;245 213 | *README.markdown 00;38;5;245 214 | .ini 00;38;5;245 215 | .yml 00;38;5;245 216 | .cfg 00;38;5;245 217 | .conf 00;38;5;245 218 | .h 00;38;5;245 219 | .hpp 00;38;5;245 220 | .c 00;38;5;245 221 | .cpp 00;38;5;245 222 | .cxx 00;38;5;245 223 | .cc 00;38;5;245 224 | .objc 00;38;5;245 225 | .sqlite 00;38;5;245 226 | .go 00;38;5;245 227 | .sql 00;38;5;245 228 | .csv 00;38;5;245 229 | 230 | # "unimportant" files as logs and backups (base01) 231 | .log 00;38;5;240 232 | .bak 00;38;5;240 233 | .aux 00;38;5;240 234 | .lof 00;38;5;240 235 | .lol 00;38;5;240 236 | .lot 00;38;5;240 237 | .out 00;38;5;240 238 | .toc 00;38;5;240 239 | .bbl 00;38;5;240 240 | .blg 00;38;5;240 241 | *~ 00;38;5;240 242 | *# 00;38;5;240 243 | .part 00;38;5;240 244 | .incomplete 00;38;5;240 245 | .swp 00;38;5;240 246 | .tmp 00;38;5;240 247 | .temp 00;38;5;240 248 | .o 00;38;5;240 249 | .pyc 00;38;5;240 250 | .class 00;38;5;240 251 | .cache 00;38;5;240 252 | 253 | # Audio formats (orange) 254 | .aac 00;38;5;166 255 | .au 00;38;5;166 256 | .flac 00;38;5;166 257 | .mid 00;38;5;166 258 | .midi 00;38;5;166 259 | .mka 00;38;5;166 260 | .mp3 00;38;5;166 261 | .mpc 
00;38;5;166 262 | .ogg 00;38;5;166 263 | .opus 00;38;5;166 264 | .ra 00;38;5;166 265 | .wav 00;38;5;166 266 | .m4a 00;38;5;166 267 | # http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions 268 | .axa 00;38;5;166 269 | .oga 00;38;5;166 270 | .spx 00;38;5;166 271 | .xspf 00;38;5;166 272 | 273 | # Video formats (as audio + bold) 274 | .mov 00;38;5;166 275 | .MOV 00;38;5;166 276 | .mpg 00;38;5;166 277 | .mpeg 00;38;5;166 278 | .m2v 00;38;5;166 279 | .mkv 00;38;5;166 280 | .ogm 00;38;5;166 281 | .mp4 00;38;5;166 282 | .m4v 00;38;5;166 283 | .mp4v 00;38;5;166 284 | .vob 00;38;5;166 285 | .qt 00;38;5;166 286 | .nuv 00;38;5;166 287 | .wmv 00;38;5;166 288 | .asf 00;38;5;166 289 | .rm 00;38;5;166 290 | .rmvb 00;38;5;166 291 | .flc 00;38;5;166 292 | .avi 00;38;5;166 293 | .fli 00;38;5;166 294 | .flv 00;38;5;166 295 | .gl 00;38;5;166 296 | .m2ts 00;38;5;166 297 | .divx 00;38;5;166 298 | .webm 00;38;5;166 299 | # http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions 300 | .axv 00;38;5;166 301 | .anx 00;38;5;166 302 | .ogv 00;38;5;166 303 | .ogx 00;38;5;166 304 | 305 | 306 | -------------------------------------------------------------------------------- /files/home/r0/dircolors/dircolors.ansi-dark: -------------------------------------------------------------------------------- 1 | # Exact Solarized Dark color theme for the color GNU ls utility. 2 | # Designed for dircolors (GNU coreutils) 5.97 3 | # 4 | # This simple theme was simultaneously designed for these terminal color schemes: 5 | # - Solarized dark (best) 6 | # - Solarized light 7 | # - default dark 8 | # - default light 9 | # with a slight optimization for Solarized Dark. 10 | # 11 | # How the colors were selected: 12 | # - Terminal emulators often have an option typically enabled by default that makes 13 | # bold a different color. It is important to leave this option enabled so that 14 | # you can access the entire 16-color Solarized palette, and not just 8 colors. 
15 | # - We favor universality over a greater number of colors. So we limit the number 16 | # of colors so that this theme will work out of the box in all terminals, 17 | # Solarized or not, dark or light. 18 | # - We choose to have the following category of files: 19 | # NORMAL & FILE, DIR, LINK, EXEC and 20 | # editable text including source, unimportant text, binary docs & multimedia source 21 | # files, viewable multimedia, archived/compressed, and unimportant non-text 22 | # - For uniqueness, we stay away from the Solarized foreground colors are -- either 23 | # base00 (brightyellow) or base0 (brightblue). However, they can be used if 24 | # you know what the bg/fg colors of your terminal are, in order to optimize the display. 25 | # - 3 different options are provided: universal, solarized dark, and solarized light. 26 | # The only difference between the universal scheme and one that's optimized for 27 | # dark/light is the color of "unimportant" files, which should blend more with the 28 | # background 29 | # - We note that blue is the hardest color to see on dark bg and yellow is the hardest 30 | # color to see on light bg (with blue being particularly bad). So we choose yellow 31 | # for multimedia files which are usually accessed in a GUI folder browser anyway. 32 | # And blue is kept for custom use of this scheme's user. 33 | # - See table below to see the assignments. 34 | 35 | 36 | # Installation instructions: 37 | # This file goes in the /etc directory, and must be world readable. 38 | # You can copy this file to .dir_colors in your $HOME directory to override 39 | # the system defaults. 40 | 41 | # COLOR needs one of these arguments: 'tty' colorizes output to ttys, but not 42 | # pipes. 'all' adds color characters to all output. 'none' shuts colorization 43 | # off. 
44 | COLOR tty 45 | 46 | # Below, there should be one TERM entry for each termtype that is colorizable 47 | TERM ansi 48 | TERM color_xterm 49 | TERM color-xterm 50 | TERM con132x25 51 | TERM con132x30 52 | TERM con132x43 53 | TERM con132x60 54 | TERM con80x25 55 | TERM con80x28 56 | TERM con80x30 57 | TERM con80x43 58 | TERM con80x50 59 | TERM con80x60 60 | TERM cons25 61 | TERM console 62 | TERM cygwin 63 | TERM dtterm 64 | TERM dvtm 65 | TERM dvtm-256color 66 | TERM Eterm 67 | TERM eterm-color 68 | TERM fbterm 69 | TERM gnome 70 | TERM gnome-256color 71 | TERM jfbterm 72 | TERM konsole 73 | TERM konsole-256color 74 | TERM kterm 75 | TERM linux 76 | TERM linux-c 77 | TERM mach-color 78 | TERM mlterm 79 | TERM nxterm 80 | TERM putty 81 | TERM putty-256color 82 | TERM rxvt 83 | TERM rxvt-256color 84 | TERM rxvt-cygwin 85 | TERM rxvt-cygwin-native 86 | TERM rxvt-unicode 87 | TERM rxvt-unicode256 88 | TERM rxvt-unicode-256color 89 | TERM screen 90 | TERM screen-16color 91 | TERM screen-16color-bce 92 | TERM screen-16color-s 93 | TERM screen-16color-bce-s 94 | TERM screen-256color 95 | TERM screen-256color-bce 96 | TERM screen-256color-s 97 | TERM screen-256color-bce-s 98 | TERM screen-256color-italic 99 | TERM screen-bce 100 | TERM screen-w 101 | TERM screen.linux 102 | TERM screen.xterm-256color 103 | TERM screen.xterm-new 104 | TERM st 105 | TERM st-meta 106 | TERM st-256color 107 | TERM st-meta-256color 108 | TERM tmux 109 | TERM tmux-256color 110 | TERM vt100 111 | TERM xterm 112 | TERM xterm-new 113 | TERM xterm-16color 114 | TERM xterm-256color 115 | TERM xterm-256color-italic 116 | TERM xterm-88color 117 | TERM xterm-color 118 | TERM xterm-debian 119 | TERM xterm-termite 120 | 121 | # EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output) 122 | EIGHTBIT 1 123 | 124 | ############################################################################# 125 | # Below are the color init strings for the basic file types. 
A color init 126 | # string consists of one or more of the following numeric codes: 127 | # 128 | # Attribute codes: 129 | # 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed 130 | # Text color codes: 131 | # 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white 132 | # Background color codes: 133 | # 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white 134 | # 135 | # NOTES: 136 | # - See http://www.oreilly.com/catalog/wdnut/excerpt/color_names.html 137 | # - Color combinations 138 | # ANSI Color code Solarized Notes Universal SolDark SolLight 139 | # ~~~~~~~~~~~~~~~ ~~~~~~~~~ ~~~~~ ~~~~~~~~~ ~~~~~~~ ~~~~~~~~ 140 | # 00 none NORMAL, FILE 141 | # 30 black base02 142 | # 01;30 bright black base03 bg of SolDark 143 | # 31 red red docs & mm src 144 | # 01;31 bright red orange EXEC 145 | # 32 green green editable text 146 | # 01;32 bright green base01 unimportant text 147 | # 33 yellow yellow unclear in light bg multimedia 148 | # 01;33 bright yellow base00 fg of SolLight unimportant non-text 149 | # 34 blue blue unclear in dark bg user customized 150 | # 01;34 bright blue base0 fg in SolDark unimportant text 151 | # 35 magenta magenta LINK 152 | # 01;35 bright magenta violet archive/compressed 153 | # 36 cyan cyan DIR 154 | # 01;36 bright cyan base1 unimportant non-text 155 | # 37 white base2 156 | # 01;37 bright white base3 bg in SolLight 157 | # 05;37;41 unclear in Putty dark 158 | 159 | 160 | ### By file type 161 | 162 | # global default 163 | NORMAL 00 164 | # normal file 165 | FILE 00 166 | # directory 167 | DIR 34 168 | # 777 directory 169 | OTHER_WRITABLE 34;40 170 | # symbolic link 171 | LINK 35 172 | 173 | # pipe, socket, block device, character device (blue bg) 174 | FIFO 30;44 175 | SOCK 35;44 176 | DOOR 35;44 # Solaris 2.5 and later 177 | BLK 33;44 178 | CHR 37;44 179 | 180 | 181 | ############################################################################# 182 | ### By file attributes 183 | 184 | # Orphaned 
symlinks (blinking white on red) 185 | # Blink may or may not work (works on iTerm dark or light, and Putty dark) 186 | ORPHAN 05;37;41 187 | # ... and the files that orphaned symlinks point to (blinking white on red) 188 | MISSING 05;37;41 189 | 190 | # files with execute permission 191 | EXEC 01;31 # Unix 192 | .cmd 01;31 # Win 193 | .exe 01;31 # Win 194 | .com 01;31 # Win 195 | .bat 01;31 # Win 196 | .reg 01;31 # Win 197 | .app 01;31 # OSX 198 | 199 | ############################################################################# 200 | ### By extension 201 | 202 | # List any file extensions like '.gz' or '.tar' that you would like ls 203 | # to colorize below. Put the extension, a space, and the color init string. 204 | # (and any comments you want to add after a '#') 205 | 206 | ### Text formats 207 | 208 | # Text that we can edit with a regular editor 209 | .txt 32 210 | .org 32 211 | .md 32 212 | .mkd 32 213 | 214 | # Source text 215 | .h 32 216 | .hpp 32 217 | .c 32 218 | .C 32 219 | .cc 32 220 | .cpp 32 221 | .cxx 32 222 | .objc 32 223 | .cl 32 224 | .sh 32 225 | .bash 32 226 | .csh 32 227 | .zsh 32 228 | .el 32 229 | .vim 32 230 | .java 32 231 | .pl 32 232 | .pm 32 233 | .py 32 234 | .rb 32 235 | .hs 32 236 | .php 32 237 | .htm 32 238 | .html 32 239 | .shtml 32 240 | .erb 32 241 | .haml 32 242 | .xml 32 243 | .rdf 32 244 | .css 32 245 | .sass 32 246 | .scss 32 247 | .less 32 248 | .js 32 249 | .coffee 32 250 | .man 32 251 | .0 32 252 | .1 32 253 | .2 32 254 | .3 32 255 | .4 32 256 | .5 32 257 | .6 32 258 | .7 32 259 | .8 32 260 | .9 32 261 | .l 32 262 | .n 32 263 | .p 32 264 | .pod 32 265 | .tex 32 266 | .go 32 267 | .sql 32 268 | .csv 32 269 | .sv 32 270 | .svh 32 271 | .v 32 272 | .vh 32 273 | .vhd 32 274 | 275 | ### Multimedia formats 276 | 277 | # Image 278 | .bmp 33 279 | .cgm 33 280 | .dl 33 281 | .dvi 33 282 | .emf 33 283 | .eps 33 284 | .gif 33 285 | .jpeg 33 286 | .jpg 33 287 | .JPG 33 288 | .mng 33 289 | .pbm 33 290 | .pcx 33 291 | .pdf 33 292 | 
.pgm 33 293 | .png 33 294 | .PNG 33 295 | .ppm 33 296 | .pps 33 297 | .ppsx 33 298 | .ps 33 299 | .svg 33 300 | .svgz 33 301 | .tga 33 302 | .tif 33 303 | .tiff 33 304 | .xbm 33 305 | .xcf 33 306 | .xpm 33 307 | .xwd 33 308 | .xwd 33 309 | .yuv 33 310 | 311 | # Audio 312 | .aac 33 313 | .au 33 314 | .flac 33 315 | .m4a 33 316 | .mid 33 317 | .midi 33 318 | .mka 33 319 | .mp3 33 320 | .mpa 33 321 | .mpeg 33 322 | .mpg 33 323 | .ogg 33 324 | .opus 33 325 | .ra 33 326 | .wav 33 327 | 328 | # Video 329 | .anx 33 330 | .asf 33 331 | .avi 33 332 | .axv 33 333 | .flc 33 334 | .fli 33 335 | .flv 33 336 | .gl 33 337 | .m2v 33 338 | .m4v 33 339 | .mkv 33 340 | .mov 33 341 | .MOV 33 342 | .mp4 33 343 | .mp4v 33 344 | .mpeg 33 345 | .mpg 33 346 | .nuv 33 347 | .ogm 33 348 | .ogv 33 349 | .ogx 33 350 | .qt 33 351 | .rm 33 352 | .rmvb 33 353 | .swf 33 354 | .vob 33 355 | .webm 33 356 | .wmv 33 357 | 358 | ### Misc 359 | 360 | # Binary document formats and multimedia source 361 | .doc 31 362 | .docx 31 363 | .rtf 31 364 | .odt 31 365 | .dot 31 366 | .dotx 31 367 | .ott 31 368 | .xls 31 369 | .xlsx 31 370 | .ods 31 371 | .ots 31 372 | .ppt 31 373 | .pptx 31 374 | .odp 31 375 | .otp 31 376 | .fla 31 377 | .psd 31 378 | 379 | # Archives, compressed 380 | .7z 1;35 381 | .apk 1;35 382 | .arj 1;35 383 | .bin 1;35 384 | .bz 1;35 385 | .bz2 1;35 386 | .cab 1;35 # Win 387 | .deb 1;35 388 | .dmg 1;35 # OSX 389 | .gem 1;35 390 | .gz 1;35 391 | .iso 1;35 392 | .jar 1;35 393 | .msi 1;35 # Win 394 | .rar 1;35 395 | .rpm 1;35 396 | .tar 1;35 397 | .tbz 1;35 398 | .tbz2 1;35 399 | .tgz 1;35 400 | .tx 1;35 401 | .war 1;35 402 | .xpi 1;35 403 | .xz 1;35 404 | .z 1;35 405 | .Z 1;35 406 | .zip 1;35 407 | 408 | # For testing 409 | .ANSI-30-black 30 410 | .ANSI-01;30-brblack 01;30 411 | .ANSI-31-red 31 412 | .ANSI-01;31-brred 01;31 413 | .ANSI-32-green 32 414 | .ANSI-01;32-brgreen 01;32 415 | .ANSI-33-yellow 33 416 | .ANSI-01;33-bryellow 01;33 417 | .ANSI-34-blue 34 418 | .ANSI-01;34-brblue 01;34 419 
| .ANSI-35-magenta 35 420 | .ANSI-01;35-brmagenta 01;35 421 | .ANSI-36-cyan 36 422 | .ANSI-01;36-brcyan 01;36 423 | .ANSI-37-white 37 424 | .ANSI-01;37-brwhite 01;37 425 | 426 | ############################################################################# 427 | # Your customizations 428 | 429 | # Unimportant text files 430 | # For universal scheme, use brightgreen 01;32 431 | # For optimal on light bg (but too prominent on dark bg), use white 01;34 432 | .log 01;32 433 | *~ 01;32 434 | *# 01;32 435 | #.log 01;34 436 | #*~ 01;34 437 | #*# 01;34 438 | 439 | # Unimportant non-text files 440 | # For universal scheme, use brightcyan 01;36 441 | # For optimal on dark bg (but too prominent on light bg), change to 01;33 442 | #.bak 01;36 443 | #.BAK 01;36 444 | #.old 01;36 445 | #.OLD 01;36 446 | #.org_archive 01;36 447 | #.off 01;36 448 | #.OFF 01;36 449 | #.dist 01;36 450 | #.DIST 01;36 451 | #.orig 01;36 452 | #.ORIG 01;36 453 | #.swp 01;36 454 | #.swo 01;36 455 | #*,v 01;36 456 | .bak 01;33 457 | .BAK 01;33 458 | .old 01;33 459 | .OLD 01;33 460 | .org_archive 01;33 461 | .off 01;33 462 | .OFF 01;33 463 | .dist 01;33 464 | .DIST 01;33 465 | .orig 01;33 466 | .ORIG 01;33 467 | .swp 01;33 468 | .swo 01;33 469 | *,v 01;33 470 | 471 | # The brightmagenta (Solarized: purple) color is free for you to use for your 472 | # custom file type 473 | .gpg 34 474 | .gpg 34 475 | .pgp 34 476 | .asc 34 477 | .3des 34 478 | .aes 34 479 | .enc 34 480 | .sqlite 34 481 | -------------------------------------------------------------------------------- /files/home/r0/dircolors/dircolors.ansi-light: -------------------------------------------------------------------------------- 1 | # Exact Solarized Light color theme for the color GNU ls utility. 
2 | # Designed for dircolors (GNU coreutils) 5.97 3 | # 4 | # This simple theme was simultaneously designed for these terminal color schemes: 5 | # - Solarized dark 6 | # - Solarized light (best) 7 | # - default dark 8 | # - default light 9 | # with a slight optimization for Solarized Light. 10 | # 11 | # How the colors were selected: 12 | # - Terminal emulators often have an option typically enabled by default that makes 13 | # bold a different color. It is important to leave this option enabled so that 14 | # you can access the entire 16-color Solarized palette, and not just 8 colors. 15 | # - We favor universality over a greater number of colors. So we limit the number 16 | # of colors so that this theme will work out of the box in all terminals, 17 | # Solarized or not, dark or light. 18 | # - We choose to have the following category of files: 19 | # NORMAL & FILE, DIR, LINK, EXEC and 20 | # editable text including source, unimportant text, binary docs & multimedia source 21 | # files, viewable multimedia, archived/compressed, and unimportant non-text 22 | # - For uniqueness, we stay away from the Solarized foreground colors are -- either 23 | # base00 (brightyellow) or base0 (brightblue). However, they can be used if 24 | # you know what the bg/fg colors of your terminal are, in order to optimize the display. 25 | # - 3 different options are provided: universal, solarized dark, and solarized light. 26 | # The only difference between the universal scheme and one that's optimized for 27 | # dark/light is the color of "unimportant" files, which should blend more with the 28 | # background 29 | # - We note that blue is the hardest color to see on dark bg and yellow is the hardest 30 | # color to see on light bg (with blue being particularly bad). So we choose yellow 31 | # for multimedia files which are usually accessed in a GUI folder browser anyway. 32 | # And blue is kept for custom use of this scheme's user. 33 | # - See table below to see the assignments. 
34 | 35 | 36 | # Installation instructions: 37 | # This file goes in the /etc directory, and must be world readable. 38 | # You can copy this file to .dir_colors in your $HOME directory to override 39 | # the system defaults. 40 | 41 | # COLOR needs one of these arguments: 'tty' colorizes output to ttys, but not 42 | # pipes. 'all' adds color characters to all output. 'none' shuts colorization 43 | # off. 44 | COLOR tty 45 | 46 | # Below, there should be one TERM entry for each termtype that is colorizable 47 | TERM ansi 48 | TERM color_xterm 49 | TERM color-xterm 50 | TERM con132x25 51 | TERM con132x30 52 | TERM con132x43 53 | TERM con132x60 54 | TERM con80x25 55 | TERM con80x28 56 | TERM con80x30 57 | TERM con80x43 58 | TERM con80x50 59 | TERM con80x60 60 | TERM cons25 61 | TERM console 62 | TERM cygwin 63 | TERM dtterm 64 | TERM dvtm 65 | TERM dvtm-256color 66 | TERM Eterm 67 | TERM eterm-color 68 | TERM fbterm 69 | TERM gnome 70 | TERM gnome-256color 71 | TERM jfbterm 72 | TERM konsole 73 | TERM konsole-256color 74 | TERM kterm 75 | TERM linux 76 | TERM linux-c 77 | TERM mach-color 78 | TERM mlterm 79 | TERM nxterm 80 | TERM putty 81 | TERM putty-256color 82 | TERM rxvt 83 | TERM rxvt-256color 84 | TERM rxvt-cygwin 85 | TERM rxvt-cygwin-native 86 | TERM rxvt-unicode 87 | TERM rxvt-unicode256 88 | TERM rxvt-unicode-256color 89 | TERM screen 90 | TERM screen-16color 91 | TERM screen-16color-bce 92 | TERM screen-16color-s 93 | TERM screen-16color-bce-s 94 | TERM screen-256color 95 | TERM screen-256color-bce 96 | TERM screen-256color-s 97 | TERM screen-256color-bce-s 98 | TERM screen-256color-italic 99 | TERM screen-bce 100 | TERM screen-w 101 | TERM screen.linux 102 | TERM screen.xterm-256color 103 | TERM screen.xterm-new 104 | TERM st 105 | TERM st-meta 106 | TERM st-256color 107 | TERM st-meta-256color 108 | TERM tmux 109 | TERM tmux-256color 110 | TERM vt100 111 | TERM xterm 112 | TERM xterm-new 113 | TERM xterm-16color 114 | TERM xterm-256color 115 | TERM 
xterm-256color-italic 116 | TERM xterm-88color 117 | TERM xterm-color 118 | TERM xterm-debian 119 | TERM xterm-termite 120 | 121 | # EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output) 122 | EIGHTBIT 1 123 | 124 | ############################################################################# 125 | # Below are the color init strings for the basic file types. A color init 126 | # string consists of one or more of the following numeric codes: 127 | # 128 | # Attribute codes: 129 | # 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed 130 | # Text color codes: 131 | # 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white 132 | # Background color codes: 133 | # 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white 134 | # 135 | # NOTES: 136 | # - See http://www.oreilly.com/catalog/wdnut/excerpt/color_names.html 137 | # - Color combinations 138 | # ANSI Color code Solarized Notes Universal SolDark SolLight 139 | # ~~~~~~~~~~~~~~~ ~~~~~~~~~ ~~~~~ ~~~~~~~~~ ~~~~~~~ ~~~~~~~~ 140 | # 00 none NORMAL, FILE 141 | # 30 black base02 142 | # 01;30 bright black base03 bg of SolDark 143 | # 31 red red docs & mm src 144 | # 01;31 bright red orange EXEC 145 | # 32 green green editable text 146 | # 01;32 bright green base01 unimportant text 147 | # 33 yellow yellow unclear in light bg multimedia 148 | # 01;33 bright yellow base00 fg of SolLight unimportant non-text 149 | # 34 blue blue unclear in dark bg user customized 150 | # 01;34 bright blue base0 fg in SolDark unimportant text 151 | # 35 magenta magenta LINK 152 | # 01;35 bright magenta violet archive/compressed 153 | # 36 cyan cyan DIR 154 | # 01;36 bright cyan base1 unimportant non-text 155 | # 37 white base2 156 | # 01;37 bright white base3 bg in SolLight 157 | # 05;37;41 unclear in Putty dark 158 | 159 | 160 | ### By file type 161 | 162 | # global default 163 | NORMAL 00 164 | # normal file 165 | FILE 00 166 | # directory 167 | DIR 36 168 | # XX2, XX3, XX6, and XX7 
directories 169 | OTHER_WRITABLE 34;47 170 | # symbolic link 171 | LINK 35 172 | 173 | # pipe, socket, block device, character device (blue bg) 174 | FIFO 30;44 175 | SOCK 35;44 176 | DOOR 35;44 # Solaris 2.5 and later 177 | BLK 33;44 178 | CHR 37;44 179 | 180 | 181 | ############################################################################# 182 | ### By file attributes 183 | 184 | # Orphaned symlinks (blinking white on red) 185 | # Blink may or may not work (works on iTerm dark or light, and Putty dark) 186 | ORPHAN 05;37;41 187 | # ... and the files that orphaned symlinks point to (blinking white on red) 188 | MISSING 05;37;41 189 | 190 | # files with execute permission 191 | EXEC 01;31 # Unix 192 | .cmd 01;31 # Win 193 | .exe 01;31 # Win 194 | .com 01;31 # Win 195 | .bat 01;31 # Win 196 | .reg 01;31 # Win 197 | .app 01;31 # OSX 198 | 199 | ############################################################################# 200 | ### By extension 201 | 202 | # List any file extensions like '.gz' or '.tar' that you would like ls 203 | # to colorize below. Put the extension, a space, and the color init string. 
204 | # (and any comments you want to add after a '#') 205 | 206 | ### Text formats 207 | 208 | # Text that we can edit with a regular editor 209 | .txt 32 210 | .org 32 211 | .md 32 212 | .mkd 32 213 | 214 | # Source text 215 | .h 32 216 | .hpp 32 217 | .c 32 218 | .C 32 219 | .cc 32 220 | .cpp 32 221 | .cxx 32 222 | .objc 32 223 | .cl 32 224 | .sh 32 225 | .bash 32 226 | .csh 32 227 | .zsh 32 228 | .el 32 229 | .vim 32 230 | .java 32 231 | .pl 32 232 | .pm 32 233 | .py 32 234 | .rb 32 235 | .hs 32 236 | .php 32 237 | .htm 32 238 | .html 32 239 | .shtml 32 240 | .erb 32 241 | .haml 32 242 | .xml 32 243 | .rdf 32 244 | .css 32 245 | .sass 32 246 | .scss 32 247 | .less 32 248 | .js 32 249 | .coffee 32 250 | .man 32 251 | .0 32 252 | .1 32 253 | .2 32 254 | .3 32 255 | .4 32 256 | .5 32 257 | .6 32 258 | .7 32 259 | .8 32 260 | .9 32 261 | .l 32 262 | .n 32 263 | .p 32 264 | .pod 32 265 | .tex 32 266 | .go 32 267 | .sql 32 268 | .csv 32 269 | .sv 32 270 | .svh 32 271 | .v 32 272 | .vh 32 273 | .vhd 32 274 | 275 | ### Multimedia formats 276 | 277 | # Image 278 | .bmp 33 279 | .cgm 33 280 | .dl 33 281 | .dvi 33 282 | .emf 33 283 | .eps 33 284 | .gif 33 285 | .jpeg 33 286 | .jpg 33 287 | .JPG 33 288 | .mng 33 289 | .pbm 33 290 | .pcx 33 291 | .pdf 33 292 | .pgm 33 293 | .png 33 294 | .PNG 33 295 | .ppm 33 296 | .pps 33 297 | .ppsx 33 298 | .ps 33 299 | .svg 33 300 | .svgz 33 301 | .tga 33 302 | .tif 33 303 | .tiff 33 304 | .xbm 33 305 | .xcf 33 306 | .xpm 33 307 | .xwd 33 308 | .xwd 33 309 | .yuv 33 310 | 311 | # Audio 312 | .aac 33 313 | .au 33 314 | .flac 33 315 | .m4a 33 316 | .mid 33 317 | .midi 33 318 | .mka 33 319 | .mp3 33 320 | .mpa 33 321 | .mpeg 33 322 | .mpg 33 323 | .ogg 33 324 | .opus 33 325 | .ra 33 326 | .wav 33 327 | 328 | # Video 329 | .anx 33 330 | .asf 33 331 | .avi 33 332 | .axv 33 333 | .flc 33 334 | .fli 33 335 | .flv 33 336 | .gl 33 337 | .m2v 33 338 | .m4v 33 339 | .mkv 33 340 | .mov 33 341 | .MOV 33 342 | .mp4 33 343 | .mp4v 33 344 | .mpeg 33 
345 | .mpg 33 346 | .nuv 33 347 | .ogm 33 348 | .ogv 33 349 | .ogx 33 350 | .qt 33 351 | .rm 33 352 | .rmvb 33 353 | .swf 33 354 | .vob 33 355 | .webm 33 356 | .wmv 33 357 | 358 | ### Misc 359 | 360 | # Binary document formats and multimedia source 361 | .doc 31 362 | .docx 31 363 | .rtf 31 364 | .odt 31 365 | .dot 31 366 | .dotx 31 367 | .ott 31 368 | .xls 31 369 | .xlsx 31 370 | .ods 31 371 | .ots 31 372 | .ppt 31 373 | .pptx 31 374 | .odp 31 375 | .otp 31 376 | .fla 31 377 | .psd 31 378 | 379 | # Archives, compressed 380 | .7z 1;35 381 | .apk 1;35 382 | .arj 1;35 383 | .bin 1;35 384 | .bz 1;35 385 | .bz2 1;35 386 | .cab 1;35 # Win 387 | .deb 1;35 388 | .dmg 1;35 # OSX 389 | .gem 1;35 390 | .gz 1;35 391 | .iso 1;35 392 | .jar 1;35 393 | .msi 1;35 # Win 394 | .rar 1;35 395 | .rpm 1;35 396 | .tar 1;35 397 | .tbz 1;35 398 | .tbz2 1;35 399 | .tgz 1;35 400 | .tx 1;35 401 | .war 1;35 402 | .xpi 1;35 403 | .xz 1;35 404 | .z 1;35 405 | .Z 1;35 406 | .zip 1;35 407 | 408 | # For testing 409 | .ANSI-30-black 30 410 | .ANSI-01;30-brblack 01;30 411 | .ANSI-31-red 31 412 | .ANSI-01;31-brred 01;31 413 | .ANSI-32-green 32 414 | .ANSI-01;32-brgreen 01;32 415 | .ANSI-33-yellow 33 416 | .ANSI-01;33-bryellow 01;33 417 | .ANSI-34-blue 34 418 | .ANSI-01;34-brblue 01;34 419 | .ANSI-35-magenta 35 420 | .ANSI-01;35-brmagenta 01;35 421 | .ANSI-36-cyan 36 422 | .ANSI-01;36-brcyan 01;36 423 | .ANSI-37-white 37 424 | .ANSI-01;37-brwhite 01;37 425 | 426 | ############################################################################# 427 | # Your customizations 428 | 429 | # Unimportant text files 430 | # For universal scheme, use brightgreen 01;32 431 | # For optimal on light bg (but too prominent on dark bg), use white 01;34 432 | #.log 01;32 433 | #*~ 01;32 434 | #*# 01;32 435 | .log 01;34 436 | *~ 01;34 437 | *# 01;34 438 | 439 | # Unimportant non-text files 440 | # For universal scheme, use brightcyan 01;36 441 | # For optimal on dark bg (but too prominent on light bg), change to 01;33 442 
| .bak 01;36 443 | .BAK 01;36 444 | .old 01;36 445 | .OLD 01;36 446 | .org_archive 01;36 447 | .off 01;36 448 | .OFF 01;36 449 | .dist 01;36 450 | .DIST 01;36 451 | .orig 01;36 452 | .ORIG 01;36 453 | .swp 01;36 454 | .swo 01;36 455 | *,v 01;36 456 | #.bak 01;33 457 | #.BAK 01;33 458 | #.old 01;33 459 | #.OLD 01;33 460 | #.org_archive 01;33 461 | #.off 01;33 462 | #.OFF 01;33 463 | #.dist 01;33 464 | #.DIST 01;33 465 | #.orig 01;33 466 | #.ORIG 01;33 467 | #.swp 01;33 468 | #.swo 01;33 469 | #*,v 01;33 470 | 471 | # The brightmagenta (Solarized: purple) color is free for you to use for your 472 | # custom file type 473 | .gpg 34 474 | .gpg 34 475 | .pgp 34 476 | .asc 34 477 | .3des 34 478 | .aes 34 479 | .enc 34 480 | .sqlite 34 481 | -------------------------------------------------------------------------------- /files/home/r0/dircolors/dircolors.ansi-universal: -------------------------------------------------------------------------------- 1 | # Exact Solarized color theme for the color GNU ls utility. 2 | # Designed for dircolors (GNU coreutils) 5.97 3 | # 4 | # This simple theme was simultaneously designed for these terminal color schemes: 5 | # - Solarized dark (best) 6 | # - Solarized light (best) 7 | # - default dark 8 | # - default light 9 | # 10 | # How the colors were selected: 11 | # - Terminal emulators often have an option typically enabled by default that makes 12 | # bold a different color. It is important to leave this option enabled so that 13 | # you can access the entire 16-color Solarized palette, and not just 8 colors. 14 | # - We favor universality over a greater number of colors. So we limit the number 15 | # of colors so that this theme will work out of the box in all terminals, 16 | # Solarized or not, dark or light. 
17 | # - We choose to have the following category of files: 18 | # NORMAL & FILE, DIR, LINK, EXEC and 19 | # editable text including source, unimportant text, binary docs & multimedia source 20 | # files, viewable multimedia, archived/compressed, and unimportant non-text 21 | # - For uniqueness, we stay away from the Solarized foreground colors are -- either 22 | # base00 (brightyellow) or base0 (brightblue). However, they can be used if 23 | # you know what the bg/fg colors of your terminal are, in order to optimize the display. 24 | # - 3 different options are provided: universal, solarized dark, and solarized light. 25 | # The only difference between the universal scheme and one that's optimized for 26 | # dark/light is the color of "unimportant" files, which should blend more with the 27 | # background 28 | # - We note that blue is the hardest color to see on dark bg and yellow is the hardest 29 | # color to see on light bg (with blue being particularly bad). So we choose yellow 30 | # for multimedia files which are usually accessed in a GUI folder browser anyway. 31 | # And blue is kept for custom use of this scheme's user. 32 | # - See table below to see the assignments. 33 | 34 | 35 | # Installation instructions: 36 | # This file goes in the /etc directory, and must be world readable. 37 | # You can copy this file to .dir_colors in your $HOME directory to override 38 | # the system defaults. 39 | 40 | # COLOR needs one of these arguments: 'tty' colorizes output to ttys, but not 41 | # pipes. 'all' adds color characters to all output. 'none' shuts colorization 42 | # off. 
43 | COLOR tty 44 | 45 | # Below, there should be one TERM entry for each termtype that is colorizable 46 | TERM ansi 47 | TERM color_xterm 48 | TERM color-xterm 49 | TERM con132x25 50 | TERM con132x30 51 | TERM con132x43 52 | TERM con132x60 53 | TERM con80x25 54 | TERM con80x28 55 | TERM con80x30 56 | TERM con80x43 57 | TERM con80x50 58 | TERM con80x60 59 | TERM cons25 60 | TERM console 61 | TERM cygwin 62 | TERM dtterm 63 | TERM dvtm 64 | TERM dvtm-256color 65 | TERM Eterm 66 | TERM eterm-color 67 | TERM fbterm 68 | TERM gnome 69 | TERM gnome-256color 70 | TERM jfbterm 71 | TERM konsole 72 | TERM konsole-256color 73 | TERM kterm 74 | TERM linux 75 | TERM linux-c 76 | TERM mach-color 77 | TERM mlterm 78 | TERM nxterm 79 | TERM putty 80 | TERM putty-256color 81 | TERM rxvt 82 | TERM rxvt-256color 83 | TERM rxvt-cygwin 84 | TERM rxvt-cygwin-native 85 | TERM rxvt-unicode 86 | TERM rxvt-unicode256 87 | TERM rxvt-unicode-256color 88 | TERM screen 89 | TERM screen-16color 90 | TERM screen-16color-bce 91 | TERM screen-16color-s 92 | TERM screen-16color-bce-s 93 | TERM screen-256color 94 | TERM screen-256color-bce 95 | TERM screen-256color-s 96 | TERM screen-256color-bce-s 97 | TERM screen-256color-italic 98 | TERM screen-bce 99 | TERM screen-w 100 | TERM screen.xterm-256color 101 | TERM screen.linux 102 | TERM screen.xterm-new 103 | TERM st 104 | TERM st-meta 105 | TERM st-256color 106 | TERM st-meta-256color 107 | TERM tmux 108 | TERM tmux-256color 109 | TERM vt100 110 | TERM xterm 111 | TERM xterm-new 112 | TERM xterm-16color 113 | TERM xterm-256color 114 | TERM xterm-256color-italic 115 | TERM xterm-88color 116 | TERM xterm-color 117 | TERM xterm-debian 118 | TERM xterm-termite 119 | 120 | # EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output) 121 | EIGHTBIT 1 122 | 123 | ############################################################################# 124 | # Below are the color init strings for the basic file types. 
A color init 125 | # string consists of one or more of the following numeric codes: 126 | # 127 | # Attribute codes: 128 | # 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed 129 | # Text color codes: 130 | # 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white 131 | # Background color codes: 132 | # 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white 133 | # 134 | # NOTES: 135 | # - See http://www.oreilly.com/catalog/wdnut/excerpt/color_names.html 136 | # - Color combinations 137 | # ANSI Color code Solarized Notes Universal SolDark SolLight 138 | # ~~~~~~~~~~~~~~~ ~~~~~~~~~ ~~~~~ ~~~~~~~~~ ~~~~~~~ ~~~~~~~~ 139 | # 00 none NORMAL, FILE 140 | # 30 black base02 141 | # 01;30 bright black base03 bg of SolDark 142 | # 31 red red docs & mm src 143 | # 01;31 bright red orange EXEC 144 | # 32 green green editable text 145 | # 01;32 bright green base01 unimportant text 146 | # 33 yellow yellow unclear in light bg multimedia 147 | # 01;33 bright yellow base00 fg of SolLight unimportant non-text 148 | # 34 blue blue unclear in dark bg user customized 149 | # 01;34 bright blue base0 fg in SolDark unimportant text 150 | # 35 magenta magenta LINK 151 | # 01;35 bright magenta violet archive/compressed 152 | # 36 cyan cyan DIR 153 | # 01;36 bright cyan base1 unimportant non-text 154 | # 37 white base2 155 | # 01;37 bright white base3 bg in SolLight 156 | # 05;37;41 unclear in Putty dark 157 | 158 | 159 | ### By file type 160 | 161 | # global default 162 | NORMAL 00 163 | # normal file 164 | FILE 00 165 | # directory 166 | DIR 36 167 | # symbolic link 168 | LINK 35 169 | 170 | # pipe, socket, block device, character device (blue bg) 171 | FIFO 30;44 172 | SOCK 35;44 173 | DOOR 35;44 # Solaris 2.5 and later 174 | BLK 33;44 175 | CHR 37;44 176 | 177 | 178 | ############################################################################# 179 | ### By file attributes 180 | 181 | # Orphaned symlinks (blinking white on red) 182 | # Blink 
may or may not work (works on iTerm dark or light, and Putty dark) 183 | ORPHAN 05;37;41 184 | # ... and the files that orphaned symlinks point to (blinking white on red) 185 | MISSING 05;37;41 186 | 187 | # files with execute permission 188 | EXEC 01;31 # Unix 189 | .cmd 01;31 # Win 190 | .exe 01;31 # Win 191 | .com 01;31 # Win 192 | .bat 01;31 # Win 193 | .reg 01;31 # Win 194 | .app 01;31 # OSX 195 | 196 | ############################################################################# 197 | ### By extension 198 | 199 | # List any file extensions like '.gz' or '.tar' that you would like ls 200 | # to colorize below. Put the extension, a space, and the color init string. 201 | # (and any comments you want to add after a '#') 202 | 203 | ### Text formats 204 | 205 | # Text that we can edit with a regular editor 206 | .txt 32 207 | .org 32 208 | .md 32 209 | .mkd 32 210 | 211 | # Source text 212 | .h 32 213 | .hpp 32 214 | .c 32 215 | .C 32 216 | .cc 32 217 | .cpp 32 218 | .cxx 32 219 | .objc 32 220 | .cl 32 221 | .sh 32 222 | .bash 32 223 | .csh 32 224 | .zsh 32 225 | .el 32 226 | .vim 32 227 | .java 32 228 | .pl 32 229 | .pm 32 230 | .py 32 231 | .rb 32 232 | .hs 32 233 | .php 32 234 | .htm 32 235 | .html 32 236 | .shtml 32 237 | .erb 32 238 | .haml 32 239 | .xml 32 240 | .rdf 32 241 | .css 32 242 | .sass 32 243 | .scss 32 244 | .less 32 245 | .js 32 246 | .coffee 32 247 | .man 32 248 | .0 32 249 | .1 32 250 | .2 32 251 | .3 32 252 | .4 32 253 | .5 32 254 | .6 32 255 | .7 32 256 | .8 32 257 | .9 32 258 | .l 32 259 | .n 32 260 | .p 32 261 | .pod 32 262 | .tex 32 263 | .go 32 264 | .sql 32 265 | .csv 32 266 | .sv 32 267 | .svh 32 268 | .v 32 269 | .vh 32 270 | .vhd 32 271 | 272 | ### Multimedia formats 273 | 274 | # Image 275 | .bmp 33 276 | .cgm 33 277 | .dl 33 278 | .dvi 33 279 | .emf 33 280 | .eps 33 281 | .gif 33 282 | .jpeg 33 283 | .jpg 33 284 | .JPG 33 285 | .mng 33 286 | .pbm 33 287 | .pcx 33 288 | .pdf 33 289 | .pgm 33 290 | .png 33 291 | .PNG 33 292 | .ppm 33 
293 | .pps 33 294 | .ppsx 33 295 | .ps 33 296 | .svg 33 297 | .svgz 33 298 | .tga 33 299 | .tif 33 300 | .tiff 33 301 | .xbm 33 302 | .xcf 33 303 | .xpm 33 304 | .xwd 33 305 | .xwd 33 306 | .yuv 33 307 | 308 | # Audio 309 | .aac 33 310 | .au 33 311 | .flac 33 312 | .m4a 33 313 | .mid 33 314 | .midi 33 315 | .mka 33 316 | .mp3 33 317 | .mpa 33 318 | .mpeg 33 319 | .mpg 33 320 | .ogg 33 321 | .opus 33 322 | .ra 33 323 | .wav 33 324 | 325 | # Video 326 | .anx 33 327 | .asf 33 328 | .avi 33 329 | .axv 33 330 | .flc 33 331 | .fli 33 332 | .flv 33 333 | .gl 33 334 | .m2v 33 335 | .m4v 33 336 | .mkv 33 337 | .mov 33 338 | .MOV 33 339 | .mp4 33 340 | .mp4v 33 341 | .mpeg 33 342 | .mpg 33 343 | .nuv 33 344 | .ogm 33 345 | .ogv 33 346 | .ogx 33 347 | .qt 33 348 | .rm 33 349 | .rmvb 33 350 | .swf 33 351 | .vob 33 352 | .webm 33 353 | .wmv 33 354 | 355 | ### Misc 356 | 357 | # Binary document formats and multimedia source 358 | .doc 31 359 | .docx 31 360 | .rtf 31 361 | .odt 31 362 | .dot 31 363 | .dotx 31 364 | .ott 31 365 | .xls 31 366 | .xlsx 31 367 | .ods 31 368 | .ots 31 369 | .ppt 31 370 | .pptx 31 371 | .odp 31 372 | .otp 31 373 | .fla 31 374 | .psd 31 375 | 376 | # Archives, compressed 377 | .7z 1;35 378 | .apk 1;35 379 | .arj 1;35 380 | .bin 1;35 381 | .bz 1;35 382 | .bz2 1;35 383 | .cab 1;35 # Win 384 | .deb 1;35 385 | .dmg 1;35 # OSX 386 | .gem 1;35 387 | .gz 1;35 388 | .iso 1;35 389 | .jar 1;35 390 | .msi 1;35 # Win 391 | .rar 1;35 392 | .rpm 1;35 393 | .tar 1;35 394 | .tbz 1;35 395 | .tbz2 1;35 396 | .tgz 1;35 397 | .tx 1;35 398 | .war 1;35 399 | .xpi 1;35 400 | .xz 1;35 401 | .z 1;35 402 | .Z 1;35 403 | .zip 1;35 404 | 405 | # For testing 406 | .ANSI-30-black 30 407 | .ANSI-01;30-brblack 01;30 408 | .ANSI-31-red 31 409 | .ANSI-01;31-brred 01;31 410 | .ANSI-32-green 32 411 | .ANSI-01;32-brgreen 01;32 412 | .ANSI-33-yellow 33 413 | .ANSI-01;33-bryellow 01;33 414 | .ANSI-34-blue 34 415 | .ANSI-01;34-brblue 01;34 416 | .ANSI-35-magenta 35 417 | .ANSI-01;35-brmagenta 
01;35 418 | .ANSI-36-cyan 36 419 | .ANSI-01;36-brcyan 01;36 420 | .ANSI-37-white 37 421 | .ANSI-01;37-brwhite 01;37 422 | 423 | ############################################################################# 424 | # Your customizations 425 | 426 | # Unimportant text files 427 | # For universal scheme, use brightgreen 01;32 428 | # For optimal on light bg (but too prominent on dark bg), use white 01;34 429 | .log 01;32 430 | *~ 01;32 431 | *# 01;32 432 | #.log 01;34 433 | #*~ 01;34 434 | #*# 01;34 435 | 436 | # Unimportant non-text files 437 | # For universal scheme, use brightcyan 01;36 438 | # For optimal on dark bg (but too prominent on light bg), change to 01;33 439 | .bak 01;36 440 | .BAK 01;36 441 | .old 01;36 442 | .OLD 01;36 443 | .org_archive 01;36 444 | .off 01;36 445 | .OFF 01;36 446 | .dist 01;36 447 | .DIST 01;36 448 | .orig 01;36 449 | .ORIG 01;36 450 | .swp 01;36 451 | .swo 01;36 452 | *,v 01;36 453 | #.bak 01;33 454 | #.BAK 01;33 455 | #.old 01;33 456 | #.OLD 01;33 457 | #.org_archive 01;33 458 | #.off 01;33 459 | #.OFF 01;33 460 | #.dist 01;33 461 | #.DIST 01;33 462 | #.orig 01;33 463 | #.ORIG 01;33 464 | #.swp 01;33 465 | #.swo 01;33 466 | #*,v 01;33 467 | 468 | # The brightmagenta (Solarized: purple) color is free for you to use for your 469 | # custom file type 470 | .gpg 34 471 | .gpg 34 472 | .pgp 34 473 | .asc 34 474 | .3des 34 475 | .aes 34 476 | .enc 34 477 | .sqlite 34 478 | -------------------------------------------------------------------------------- /files/home/r0/gdbinit: -------------------------------------------------------------------------------- 1 | set follow-fork-mode child 2 | set input-radix 0x10 3 | set output-radix 0x10 4 | set remotetimeout 100 5 | source ~/.gdbinit-gef.py 6 | -------------------------------------------------------------------------------- /files/home/r0/gef.rc: -------------------------------------------------------------------------------- 1 | [context] 2 | clear_screen = False 3 | enable = True 4 | 
grow_stack_down = False 5 | ignore_registers = 6 | layout = regs stack code args source memory threads trace extra 7 | libc_args = False 8 | libc_args_path = 9 | nb_lines_backtrace = 10 10 | nb_lines_code = 6 11 | nb_lines_code_prev = 3 12 | nb_lines_stack = 8 13 | nb_lines_threads = -1 14 | peek_calls = True 15 | peek_ret = True 16 | redirect = 17 | show_opcodes_size = 0 18 | show_registers_raw = False 19 | show_source_code_variable_values = True 20 | show_stack_raw = False 21 | use_capstone = False 22 | 23 | [dereference] 24 | max_recursion = 7 25 | 26 | [entry-break] 27 | entrypoint_symbols = main _main __libc_start_main __uClibc_main start _start 28 | 29 | [gef-remote] 30 | clean_on_exit = False 31 | 32 | [gef] 33 | autosave_breakpoints_file = 34 | debug = False 35 | disable_color = False 36 | extra_plugins_dir = 37 | follow_child = True 38 | readline_compat = False 39 | tempdir = /tmp/gef 40 | 41 | [got] 42 | function_not_resolved = yellow 43 | function_resolved = green 44 | 45 | [heap-analysis-helper] 46 | check_double_free = True 47 | check_free_null = False 48 | check_heap_overlap = True 49 | check_uaf = True 50 | check_weird_free = True 51 | 52 | [heap-chunks] 53 | peek_nb_byte = 16 54 | 55 | [hexdump] 56 | always_show_ascii = False 57 | 58 | [highlight] 59 | regex = False 60 | 61 | [ida-interact] 62 | host = 127.0.0.1 63 | port = 1337 64 | sync_cursor = False 65 | 66 | [pattern] 67 | length = 1024 68 | 69 | [pcustom] 70 | max_depth = 4 71 | struct_path = /tmp/gef/structs 72 | structure_name = bold blue 73 | structure_size = green 74 | structure_type = bold red 75 | 76 | [process-search] 77 | ps_command = /bin/ps auxww 78 | 79 | [syscall-args] 80 | path = /tmp/gef/syscall-tables 81 | 82 | [theme] 83 | address_code = red 84 | address_heap = green 85 | address_stack = pink 86 | context_title_line = gray 87 | context_title_message = cyan 88 | default_title_line = gray 89 | default_title_message = cyan 90 | dereference_base_address = cyan 91 | dereference_code 
= gray 92 | dereference_register_value = bold blue 93 | dereference_string = yellow 94 | disassemble_current_instruction = green 95 | old_context = gray 96 | registers_register_name = blue 97 | registers_value_changed = bold red 98 | source_current_line = green 99 | table_heading = blue 100 | 101 | [trace-run] 102 | max_tracing_recursion = 1 103 | tracefile_prefix = ./gef-trace- 104 | 105 | [unicorn-emulate] 106 | show_disassembly = False 107 | verbose = False 108 | 109 | [aliases] 110 | pf = print-format 111 | status = process-status 112 | binaryninja-interact = ida-interact 113 | bn = ida-interact 114 | binja = ida-interact 115 | lookup = scan 116 | grep = search-pattern 117 | xref = search-pattern 118 | flags = edit-flags 119 | emulate = unicorn-emulate 120 | cs-dis = capstone-disassemble 121 | sc-search = shellcode search 122 | sc-get = shellcode get 123 | ps = process-search 124 | start = entry-break 125 | nb = name-break 126 | ctx = context 127 | telescope = dereference 128 | pattern offset = pattern search 129 | hl = highlight 130 | highlight ls = highlight list 131 | hll = highlight list 132 | hlc = highlight clear 133 | highlight set = highlight add 134 | hla = highlight add 135 | highlight delete = highlight remove 136 | highlight del = highlight remove 137 | highlight unset = highlight remove 138 | highlight rm = highlight remove 139 | hlr = highlight remove 140 | fmtstr-helper = format-string-helper 141 | screen-setup = tmux-setup 142 | 143 | -------------------------------------------------------------------------------- /files/home/r0/ssh/config: --------------------------------------------------------------------------------
# Per-host overrides: everything below applies only to connections to
# 192.168.100.2 (presumably the emulated guest on EMUX's internal network --
# TODO confirm against the launcher scripts).
Host 192.168.100.2
    # Host-key checking is switched off for this host: unknown and changed
    # host keys are accepted without a prompt.
    StrictHostKeyChecking no
    # Accepted keys are written to /dev/null, so nothing is remembered and a
    # key change is never noticed. Together with the line above, the peer's
    # identity is never authenticated; keep this scoped to the lab address and
    # do not copy it into a "Host *" block or a config used for real hosts.
    UserKnownHostsFile=/dev/null
    # The leading '+' appends the legacy diffie-hellman-group1-sha1 key
    # exchange (1024-bit group, SHA-1) to the client's default set; current
    # OpenSSH releases leave it disabled by default.
    # NOTE(review): presumably required by old SSH servers in the emulated
    # firmware -- confirm.
    KexAlgorithms +diffie-hellman-group1-sha1
    # Only errors are printed, which also hides the host-key warnings the
    # settings above would otherwise produce.
    LogLevel ERROR
-------------------------------------------------------------------------------- /files/home/r0/ssh/id_rsa: 
-------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEogIBAAKCAQEA2lLj9QTeU8qGFJlJdBh3vzFLd1+GhS0XAP0UwGudj9fbHKli 3 | uBL/UjhH7xPictnP26sRDXeERI9wyu8TvYy1jDdQIABdqSN1zG53BGfV3sQUUJab 4 | 62Ig26vK/yct36uLy+/TCYwbyzBAQPhb97krs2iwAL4AY9rjBjaILBC8eNYyRFOG 5 | YWjSkebMExXzkZRQFFig2PPl92HlPTDfuYWO9R644sLZpxslU7htXn4nkVb1BNiD 6 | sNn5i0UMBKxcgMGmkPhJszXYEoxuUDhtcu1ssW5oMQ1AB8AEeNPMLQVV4obpxWIW 7 | heTz6mNjzin5R4s0ON9dHgkOe4bpkpuI40udUQIDAQABAoIBACCGBqWCkyhCXFUH 8 | PNUJrBUUX9ypo12FiQ7BpOzBW1iJXH/Zj/ZCBj0WW0j3Wl2nqvpbco/iBRc9kxz4 9 | HqW3J3h66PnLdCh1OuA4eIx0d3zXEvuqZBHdrW1sGzKFgKT4Zjv8PyEF+UH8ryW+ 10 | mdy+fg8dAlMp+t7lRbqwNvrxh1IsuBgSdtf5KpOvjiu+ssCHaKyqO7Y6ERH/wk9N 11 | iEJ/QD6ZmJsmqUvSJrXa7M0y2fCWW38ddfTvxAZP9gW5eb9pzRaMMddbKkOL04KR 12 | aewKMXzeEZ5/SkvMpjJQqnMpJBMcHV+74QPRdJrVcNVLUkcc2KRqKM3C0kFaRDzs 13 | +QuPDq0CgYEA9IJ43OOep/Dhk+SgtofvafvDkbRV7yFytQ4TV2tKAyw8I6tGbcPs 14 | 9869NKyiicPRKD1syxVnkFGMTDj2+ANe9KlzEv547jqG65+MbBfVp9CLATXCLWjx 15 | CRPcphVVpEhcYPMAtvViTi6B3QlBBJ6oI060VSNAPMJJUN03gDocGkcCgYEA5JVk 16 | 51zNiN9siSU7P/E6TaSAmLcEZ1LvuxPSroJtFcrG917I8zraaZ5s+qbNMOTF9iuW 17 | fIYBSvAKLyqd/ZmIcNBH3xynQ7ZZz50PbJb0EV1mPArRmByD/SA+HDYqlmdsNN1c 18 | Sv0UvgHkGtlA91Kq5/nn+im7DXOVL9gMy7wJP6cCgYBUwf2fpI/U651mpPRJEeoe 19 | NRXgJkE7ub6HoK93uEtZujXGr5Kkbixw4ouX/NgDJYwVhOV3qJ3T21DlA0IpSxHZ 20 | gfvP88J74nHur8n/lmuL1rC45KfBEgWr/eSY9gBQCH1tZg8zXPCM5XZC5vhQ36at 21 | RpUghi24YikEDQs2Oe6P9QKBgDVqn/jdG/7XT1LBS5ZGtfw86/xEEJhgrjsGh95W 22 | Bk3oZBScptMINtAlwIvWfO7nF0fOqc0Rt62eaJLbH66KuXK7iYAe/wt4yoYUyuzy 23 | XbjNHb38PTyRtVpqtXj8Q3mAU64K6K1xdO5uHLMVf/QL8nphUQ+JvveGwh87Gspl 24 | d7fTAoGAL479fUCy/zAvYNU7MWRD1pt20i3PyfPAEVy59BaG17nW+W1rhme19trk 25 | xenIzSOfdmCulf1iP7lHGQnf+UfJMtLTaDQ2tT8Bq4Co4Bw2j7sxOsFgN+UuVUg9 26 | 1Kdv94D+cOtpAa/vPPaQASPSEUDhniWBEy1x7SUg3KSpWD0YkXs= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /files/home/r0/ssh/id_rsa.pub: 
--------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaUuP1BN5TyoYUmUl0GHe/MUt3X4aFLRcA/RTAa52P19scqWK4Ev9SOEfvE+Jy2c/bqxENd4REj3DK7xO9jLWMN1AgAF2pI3XMbncEZ9XexBRQlpvrYiDbq8r/Jy3fq4vL79MJjBvLMEBA+Fv3uSuzaLAAvgBj2uMGNogsELx41jJEU4ZhaNKR5swTFfORlFAUWKDY8+X3YeU9MN+5hY71HrjiwtmnGyVTuG1efieRVvUE2IOw2fmLRQwErFyAwaaQ+EmzNdgSjG5QOG1y7WyxbmgxDUAHwAR408wtBVXihunFYhaF5PPqY2POKflHizQ4310eCQ57humSm4jjS51R r0@localhost

--------------------------------------------------------------------------------
/files/home/r0/ssh/known_hosts:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/therealsaumil/emux/484e5b34f7bc133892065227613f34845d3fa6ac/files/home/r0/ssh/known_hosts


--------------------------------------------------------------------------------
/files/home/r0/tmux.conf:
--------------------------------------------------------------------------------
# tmux settings for the r0 user: key handling, prefix, pane/window bindings.

# Have tmux emit xterm-style sequences for modified keys.
setw -g xterm-keys on

# Prefix is M-a (Alt-a) instead of the default C-b.
# C-a is deliberately not used: it collides with QEMU's Ctrl-A+X.
setw -g prefix M-a
bind-key M-a send-prefix

# Pane splitting: '|' splits horizontally (-h), '-' splits vertically (-v).
# The default '"' and '%' split bindings are removed.
bind-key | split-window -h
bind-key - split-window -v
unbind-key '"'
unbind-key '%'

# Window switching with Ctrl+arrows; bound in the root key table, so no
# prefix key is needed.
bind-key -T root C-Up    choose-tree -Z -w
bind-key -T root C-Right next-window
bind-key -T root C-Left  previous-window
bind-key -T root C-Down  last-window

# Pane selection with Alt+arrows, also in the root key table.
bind-key -T root M-Left  select-pane -L
bind-key -T root M-Right select-pane -R
bind-key -T root M-Up    select-pane -U
bind-key -T root M-Down  select-pane -D

setw -g mouse on

# Disabled: pipe a finished mouse drag in copy-mode-vi to the X clipboard via xclip.
#bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "xclip -in -selection clipboard"

--------------------------------------------------------------------------------
/run-binwalk-docker:
--------------------------------------------------------------------------------
#!/bin/bash

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Starts an interactive, self-removing (--rm) container from the local
# "binwalkv3" image with /bin/bash as the entrypoint.
#
# Privilege notes for reviewers:
#   - The container runs as root with CAP_NET_ADMIN and CAP_SYS_ADMIN added
#     and with the AppArmor profile disabled. That is considerably more than
#     Docker's default confinement, so the container is not a strong
#     isolation boundary for whatever is unpacked inside it.
#   - ./workspace on the host is bind-mounted read-write, so files written
#     there by the container land on the host (as root-owned files, given
#     --user root).

VOL="harambe"

DOCKER_ARGS=(
    -it
    --name binwalk-emux
    -h binwalk-emux
    --rm
    --user root
    --cap-add=NET_ADMIN
    --cap-add=SYS_ADMIN
    --security-opt apparmor=unconfined
    # Named volume shared with the EMUX container, mounted at /analysis.
    --mount "type=volume,src=${VOL},dst=/analysis"
    # Host directory ./workspace (relative to where the script is run).
    --mount "type=bind,src=$(pwd)/workspace,dst=/root/workspace"
    --entrypoint "/bin/bash"
)

docker run "${DOCKER_ARGS[@]}" binwalkv3

--------------------------------------------------------------------------------
/run-emux-docker:
--------------------------------------------------------------------------------
#!/bin/bash

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
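
# EMUX by Saumil Shah
# https://emux.exploitlab.net/

# Launches the EMUX container interactively and removes it on exit (--rm).
#
# Environment:
#   PORTFWD  Comma-separated list of port pairs, e.g. "20080:80,20443:443".
#            The first number of each pair is published on the host
#            (-p PORT:PORT); the whole sanitised string is also handed to
#            the container as $PORTFWD. The second number is presumably the
#            port on the emulated device and is interpreted inside the
#            container - confirm against docker-entrypoint.sh.
# Arguments:
#   Anything given on the command line is passed to the image unchanged.
#
# Privilege notes for reviewers:
#   - CAP_NET_ADMIN, CAP_SYS_ADMIN, an unconfined AppArmor profile and
#     /dev/net/tun are granted to the container. That is considerably more
#     than Docker's default confinement, so the container is not a strong
#     isolation boundary for the firmware being emulated.
#   - "-p PORT:PORT" publishes on every host interface. Services of the
#     emulated device therefore become reachable from the host's network;
#     Docker's "-p 127.0.0.1:PORT:PORT" form limits a port to loopback.

OWNERNAME="therealsaumil"
IMAGENAME="emux"
TAGNAME="04-2025"
VOL="harambe"
PORTARGS=()

if [ -z "${PORTFWD}" ]
then
    PORTFWD="20080:80,20443:443,28080:8080,24433:4433,9999:9999"
fi

# Keep only digits, commas and colons. The character set is quoted so the
# shell cannot glob-expand it against file names in the current directory,
# and written without brackets because tr would treat '[' and ']' as
# ordinary characters to keep.
PORTFWD=$(printf '%s' "${PORTFWD}" | tr -cd '0-9,:')

IFS=',' read -ra PORTLIST <<< "${PORTFWD}"
for PORTPAIR in "${PORTLIST[@]}"
do
    # Host-side port is the part before the first ':'.
    SPORT="${PORTPAIR%%:*}"

    # Skip empty entries (",," or ":80") instead of emitting "-p :".
    [ -n "${SPORT}" ] || continue

    PORTARGS+=(-p "${SPORT}:${SPORT}")
done

# "$@" keeps each command-line argument intact, including arguments that
# contain spaces; the publish options are passed as an array for the same
# reason.
docker run \
    -it \
    "${PORTARGS[@]}" \
    -e PORTFWD="${PORTFWD}" \
    --rm \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_ADMIN \
    --security-opt apparmor=unconfined \
    --device=/dev/net/tun \
    --name emux-docker \
    --mount "type=volume,src=${VOL},dst=/emux" \
    --mount "type=bind,src=$(pwd)/workspace,dst=/home/r0/workspace" \
    "${OWNERNAME}/${IMAGENAME}:${TAGNAME}" "$@"

--------------------------------------------------------------------------------
/workspace/WORKSPACE_README.TXT:
--------------------------------------------------------------------------------
This "workspace" directory will be shared between the host and the armx-docker container. Inside the container, this directory is mapped to /home/r0/workspace.

--------------------------------------------------------------------------------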