openwrt dropbear bug of reverse tcp forwarding.

Aug 10th, 2011

If someone creates a reverse TCP forwarding channel by ssh into an OpenWrt dropbear server, bad things happen:
the dropbear process crashes as soon as something connects to the bound port. Even worse, a reverse TCP forwarding cannot be created at all if GatewayPorts is set to 1 in /etc/config/dropbear.

Clearly, there are bugs in dropbear.

Using gdb to find out where the bugs are is not an easy job, as there is not enough space left on my router, but eventually I beat it.

This is the patch:

--- dropbear_1/svr-tcpfwd.c     2011-03-02 21:23:36.000000000 +0800
+++ dropbear-0.53.1/svr-tcpfwd.c        2011-08-11 01:45:17.000000000 +0800
@@ -211,7 +211,7 @@
        tcpinfo->tcp_type = forwarded;
 
        if (!opts.listen_fwd_all 
-                       || (strcmp(tcpinfo->listenaddr, "localhost") == 0) ) {
+                       || (strcmp(bindaddr, "localhost") == 0) ) {
         // NULL means "localhost only"
         tcpinfo->listenaddr = NULL;
        }
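Review bot: the old comparison read tcpinfo->listenaddr before anything had assigned it, so strcmp() was operating on an unset pointer; comparing bindaddr (the address the client asked for) is the right variable here. Worth confirming in this region that bindaddr itself cannot be NULL when this line is reached, otherwise strcmp() crashes by the other path; and note that the branch still only clears tcpinfo->listenaddr, so whoever assigns it from bindaddr in the non-localhost case has to do so before the listen_tcpfwd() call in the next hunk.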
@@ -221,6 +221,7 @@
     }
 
        ret = listen_tcpfwd(tcpinfo);
+       tcpinfo->listenaddr = NULL;
 
 out:
        if (ret == DROPBEAR_FAILURE) {
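Review bot: the new `tcpinfo->listenaddr = NULL;` runs unconditionally after listen_tcpfwd(), including when ret == DROPBEAR_FAILURE, so whatever free(tcpinfo->listenaddr) sits on the out: path becomes a no-op on both outcomes. That removes the double free only if listen_tcpfwd() took ownership of the string on success; on failure it means the string is no longer released here at all. Suggest making the reset conditional on ret != DROPBEAR_FAILURE, or documenting that listen_tcpfwd() owns the buffer on both paths. Note also that tcp-accept.c reads tcpinfo->listenaddr at accept time (third hunk), so after this line the accept path sees NULL for every listener, not only the localhost-only ones.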
diff -ur dropbear_1/tcp-accept.c dropbear-0.53.1/tcp-accept.c
--- dropbear_1/tcp-accept.c     2011-03-02 21:23:36.000000000 +0800
+++ dropbear-0.53.1/tcp-accept.c        2011-08-11 01:45:37.000000000 +0800
@@ -80,6 +80,7 @@
                        addr = tcpinfo->listenaddr;
                        port = tcpinfo->listenport;
                }
+               if (!addr) addr = "";
 
                buf_putstring(ses.writepayload, addr, strlen(addr));
                buf_putint(ses.writepayload, port);
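Review bot: `if (!addr) addr = "";` stops strlen(NULL), but it also changes what the client is told: the forwarded-tcpip channel open now carries an empty address whenever listenaddr is NULL, and the first hunk documents NULL as meaning "localhost only". Suggest substituting "localhost" rather than "" so the announced address matches that sentinel, and keeping the guard regardless, since the second hunk clears listenaddr for every listener.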

There are three modifications:
1. tcpinfo->listenaddr is used before it is initialized. This is probably a typo; use bindaddr instead, obviously.
2. To avoid a double free, set tcpinfo->listenaddr to NULL after use, as there is code like free(tcpinfo->listenaddr) elsewhere. This might have no effect, but it won't do any harm.
3. Protect against a NULL string in tcp-accept.c.
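The three modifications above all come down to who owns tcpinfo->listenaddr and what a NULL value means. The following is an added example, not dropbear's code: a small model of that lifecycle with hypothetical names (fwd_info, resolve_listenaddr, register_listener, channel_open_addr, free_listener), showing the GatewayPorts rule applied to the client's requested address, the ownership hand-off that turns a later free() into a no-op instead of a double free, and the NULL guard when the address is written into the forwarded-tcpip channel-open message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not dropbear code. Models the listener address lifecycle
 * that the patch above touches; every name here is hypothetical. */
struct fwd_info {
    char *listenaddr;        /* heap string, or NULL meaning "localhost only" */
    unsigned int listenport;
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* The GatewayPorts rule from the first hunk, applied to the address the
 * client asked for (bindaddr), not to the still-unset struct field.
 * Returns a heap copy the caller owns, or NULL for localhost-only. */
char *resolve_listenaddr(int listen_fwd_all, const char *bindaddr)
{
    if (bindaddr == NULL)                       /* never strcmp() a NULL */
        return NULL;
    if (!listen_fwd_all || strcmp(bindaddr, "localhost") == 0)
        return NULL;
    return dup_string(bindaddr);
}

/* The listener takes ownership of the address string and the caller's
 * pointer is cleared, so a free() on the caller's cleanup path becomes a
 * no-op rather than a double free (the intent of the second hunk). */
struct fwd_info *register_listener(char **addr, unsigned int port)
{
    struct fwd_info *info = calloc(1, sizeof *info);
    if (info == NULL)
        return NULL;
    info->listenaddr = *addr;
    info->listenport = port;
    *addr = NULL;                               /* ownership transferred */
    return info;
}

/* Address placed in the forwarded-tcpip channel-open message. NULL is the
 * localhost sentinel, so report it as such instead of handing NULL to
 * strlen() (the crash the third hunk guards against). */
const char *channel_open_addr(const struct fwd_info *info)
{
    return info->listenaddr != NULL ? info->listenaddr : "localhost";
}

void free_listener(struct fwd_info *info)
{
    if (info == NULL)
        return;
    free(info->listenaddr);                     /* free(NULL) is a no-op */
    free(info);
}

int main(void)
{
    char *addr = resolve_listenaddr(1, "0.0.0.0");
    struct fwd_info *l = register_listener(&addr, 8080);
    if (l == NULL) {
        free(addr);
        return 1;
    }
    printf("listening on %s:%u, announced as %s\n",
           l->listenaddr, l->listenport, channel_open_addr(l));
    free(addr);                                 /* addr is NULL here: harmless */
    free_listener(l);
    return 0;
}
```

The point of the hand-off is that exactly one owner frees the string; clearing the caller's pointer at the moment ownership moves is what makes the "set it to NULL after use" line from the patch safe on every path.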


openwrt build log.

Aug 10th, 2011

make shows:

 make[1] world
 make[2] target/compile
 make[3] -C target/linux compile
 make[2] package/cleanup
 make[2] package/compile
 make[3] -C package/opkg host-compile
 make[3] -C package/base-files compile
 make[3] -C package/busybox compile
 make[3] -C package/button-hotplug compile
 make[3] -C package/libnl-tiny compile
 make[3] -C package/iw compile
 make[3] -C package/wireless-tools compile
 make[3] -C package/mac80211 compile
 make[3] -C package/crda compile
 make[3] -C package/dnsmasq compile
 make[3] -C package/dropbear compile
 make[3] -C package/iptables compile
 make[3] -C package/firewall compile
 make[3] -C package/libreadline compile
 make[3] -C package/ncurses compile
 make[3] -C package/ncurses compile
 make[3] -C package/gdb compile
 make[3] -C package/hostapd compile
 make[3] -C package/hotplug2 compile
 make[3] -C package/kernel compile
 make[3] -C package/mtd compile
 make[3] -C package/opkg compile
 make[3] -C package/libpcap compile
 make[3] -C package/linux-atm compile
 make[3] -C package/ppp compile
 make[3] -C package/resolveip compile
 make[3] -C package/pptp compile
 make[3] -C package/lua compile
 make[3] -C package/uci compile
 make[3] -C package/swconfig compile
 make[3] -C package/uboot-ar71xx compile
 make[2] package/install
 make[3] -C package/busybox install
 make[3] -C package/button-hotplug install
 make[3] -C package/crda install
 make[3] -C package/dnsmasq install
 make[3] -C package/dropbear install
 make[3] -C package/firewall install
 make[3] -C package/hostapd install
 make[3] -C package/hotplug2 install
 make[3] -C package/iptables install
 make[3] -C package/iw install
 make[3] -C package/kernel install
 make[3] -C package/libnl-tiny install
 make[3] -C package/mac80211 install
 make[3] -C package/mtd install
 make[3] -C package/opkg install
 make[3] -C package/ppp install
 make[3] -C package/pptp install
 make[3] -C package/resolveip install
 make[3] -C package/swconfig install
 make[3] -C package/uboot-ar71xx install
 make[3] -C package/uci install
 make[3] -C package/wireless-tools install
 make[3] -C package/base-files install
 make[2] package/rootfs-prepare
 make[3] package/preconfig
 make[2] target/install
 make[3] -C target/linux install
 make[3] -C target/sdk install
 make[3] -C target/toolchain install
 make[2] package/index

To build a single package:
make package/xxx/compile

These are the steps that generate the binary for my router.

vmlinux:

mips-openwrt-linux-uclibc-objcopy -O binary -R .reginfo -R .notes -R .note -R .comment -R .mdebug -R .note.gnu.build-id -S /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/linux-2.6.39.2/vmlinux /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux
 
cp /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7
/ow/openwrt/trunk/staging_dir/host/bin/patch-cmdline /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7 'board=TL-WR741ND console=ttyS0,115200'
gzip -9 -c /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7 > /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7.bin.gz

root filesystem:

/ow/openwrt/trunk/staging_dir/host/bin/mksquashfs4 /ow/openwrt/trunk/build_dir/target-mips_r2_uClibc-0.9.32/root-ar71xx /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/root.squashfs -nopad -noappend -root-owned -comp xz -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 -processors 1
 
cp /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/root.squashfs /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/root.squashfs-64k
 
/ow/openwrt/trunk/staging_dir/host/bin/padjffs2 /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/root.squashfs-64k 4 8 64
padding image to 00164000
padding image to 00170000
 
cp /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/root.squashfs-64k /ow/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-generic-root.squashfs-64k

Generate the final binary:

/ow/openwrt/trunk/staging_dir/host/bin/mktplinkfw -B TL-WR841NDv7 -N OpenWrt -V r27929    -k /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7.bin.gz -r /ow/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-generic-root.squashfs-64k -o /ow/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-generic-tl-wr841nd-v7-squashfs-factory.bin
/ow/openwrt/trunk/staging_dir/host/bin/mktplinkfw -B TL-WR841NDv7 -N OpenWrt -V r27929 -s -k /ow/openwrt/trunk/build_dir/linux-ar71xx_generic/vmlinux-tl-wr841nd-v7.bin.gz -r /ow/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-generic-root.squashfs-64k -o /ow/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-generic-tl-wr841nd-v7-squashfs-sysupgrade.bin

svn behind firewall that needs http proxy

Aug 8th, 2011

Just edit ~/.subversion/servers.

add these two lines under [global]
http-proxy-host = xxx.xxx.com
http-proxy-port = 8080

There is no way to set a SOCKS proxy for svn.
svn uses APR for socket I/O, and there is no code supporting a SOCKS proxy anywhere in svn's source.
However, tsocks is a workaround for this case.


change shell for jail-broken iphone/ipad

Jul 24th, 2011

One can ssh into an iPhone/iPad once it is jailbroken and OpenSSH has been installed from Cydia. But the shell is /bin/sh by default.

Today I tried to change the shell to /bin/bash by modifying /etc/passwd, but then I found this didn't help.

I got nothing useful after a bit of googling.

Finally, by analysing the strings in pam_unix.so, I found /etc/master.passwd in it. So this is the answer: modifying /etc/master.passwd changes the shell.

Enjoy bash on iOS!

 


calling task_for_pid on MAC OS X

Jul 2nd, 2011

From Mac OS X 10.5 on, task_for_pid fails if the calling process has no root privilege.

Today I wrote a small app that needs this function, so I decided to make it work.

Searching the web, I found the answer.

There are some wrong or outdated things on the sites that talk about it, so I wrote this article to help those who meet this problem.

Just follow these steps:

1. Find your .plist file in Xcode and add a new entry “SecTaskAccess” with the string value “allowed”. Make sure the Info.plist file generated in your bundle actually contains this value.

2. You need a real code signing certificate, NOT a self-made one. Some websites still talk about making a self-signed certificate; this is outdated. An iPhone certificate is OK, though I think a Mac Dev Center certificate is better.

3. Have Xcode sign the executable during the build, or sign it yourself manually using the codesign command line utility.

4. Call the following function before making calls to task_for_pid():

 
[code]

#include <Security/Authorization.h>

/* Acquire the system.privilege.taskport right so that subsequent
 * task_for_pid() calls succeed without running as root.
 * Returns 0 on success, -1 if no AuthorizationRef could be created,
 * -2 if the right was not granted. */
int acquireTaskportRight(void)
{
    OSStatus status;
    AuthorizationItem taskport_item = {"system.privilege.taskport"};
    AuthorizationRights rights = {1, &taskport_item}, *out_rights = NULL;
    AuthorizationRef author;
    /* (1 << 5) is an undocumented flag value kept from the original snippet */
    AuthorizationFlags authorizationFlags = kAuthorizationFlagExtendRights |
        kAuthorizationFlagPreAuthorize | kAuthorizationFlagInteractionAllowed | (1 << 5);

    status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                 authorizationFlags, &author);
    if (status != errAuthorizationSuccess) {
        return -1;
    }
    /* This is the call that may prompt the user; the SecTaskAccess entry in
     * Info.plist and a genuine signing identity (steps 1-3) make it succeed. */
    status = AuthorizationCopyRights(author, &rights, kAuthorizationEmptyEnvironment,
                                     authorizationFlags, &out_rights);
    if (status != errAuthorizationSuccess) {
        return -2;
    }
    AuthorizationFreeItemSet(out_rights);   /* the copied right set is not needed further */
    return 0;
}

[/code]

NOTE:

If you're writing a command-line tool, which has no Info.plist file, you should make one and add the following arguments to your link command:

-sectcreate __TEXT   __info_plist  Info.plist.file.path

where Info.plist.file.path is the path to the Info.plist file.

How to speed up your iTunes downloads

Jun 3rd, 2011

The following text is reposted:

by Paveo owind.com

Today Uncle Andy asked me how to add this to the hosts file:

*.phobos.apple.com 208.46.163.74

Unfortunately, an antique like the hosts file does not support wildcards... So how can you force an IP address onto the many Apple servers to speed up iTunes downloads? Obviously you can't add entries from a1 all the way to a1999...

So let's use dnsmasq. If dnsmasq is already installed on your Mac, it's simple: add this rule:

address=/.phobos.apple.com/173.223.52.163

This forces *.phobos.apple.com to the IP 173.223.52.163. On my network, iTunes downloads from 173.223.52.163 run at full speed. So you can find the fastest IP for your own network and then force *.phobos.apple.com to that IP address.

So how do you know which IP is fastest for you? Also simple: open your terminal and ping a*.phobos.apple.com, for example ping a10.phobos.apple.com, ping a45.phobos.apple.com... Ping several addresses, then use the one with the lowest latency (around 200 or below is best).

Now you get it... Enjoy fast iTunes downloads.

one more thing...

If you change network environments often, or you have no idea how to install dnsmasq on a Mac, fine, you can do it on the router. Routers flashed with ddwrt or tomato can both take dnsmasq options. Under Advanced – DHCP / DNS – Dnsmasq Custom configuration add:

address=/.phobos.apple.com/173.223.52.163

 

The text above is reposted; now let me note my own discovery process:

I downloaded an app on the iPad and captured packets at the gateway, which showed the ipa was downloaded via a623.phobos.apple.com. Then I searched for phobos.apple.com and found the article above,

but the IP 173.223.52.163 from the article was not fast at all. So I gathered a bunch of Hong Kong and Taiwan DNS servers:

202.60.252.8
202.45.84.58
168.95.1.1
139.175.252.16
61.10.1.130
203.80.96.10
210.200.211.225
208.67.220.220
61.10.0.130
61.56.211.185
168.95.192.1
168.95.192.2
139.175.10.20
139.175.55.244
139.175.150.20
202.45.84.59
211.78.130.2
202.14.67.14
202.14.67.4
208.67.222.222
210.200.211.193

I used these servers to resolve a1.phobos.apple.com

and got a set of result IPs with their ping times (ms) like these:

203.186.47.56 34.176
203.69.113.128 57.967
203.69.138.49 58.888
210.201.31.70 66.606
203.186.47.58 113.944
210.0.146.40 123.9
203.69.138.34 166.874
203.69.113.136 167.232
210.201.31.71 174.126
203.69.138.18 175.379
139.175.236.225 358.2
60.254.131.54 393.824
210.0.146.18 433.961
60.254.175.11 473.824
60.254.175.17 499.184
60.254.131.55 515.065
139.175.236.203 531.428
96.17.180.152 573.789
96.17.180.153 600.659

Picked the fastest: 203.186.47.56

Done.
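The resolution step above (asking each listed DNS server for a1.phobos.apple.com and collecting the A records it hands back) can be scripted. The following is an added example and not part of the original post: it builds a DNS A query, sends it over UDP to a resolver given on the command line, and extracts the A records from the answer. The wire-format encoder and decoder are kept apart from the socket code so they can be checked against a constructed response; the function names are hypothetical, and the two addresses in the constructed test reply are taken from the result table above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Added example, not from the original post: a minimal DNS A lookup. */

/* Encode a query for NAME (type A, class IN) into buf; returns its length. */
int build_a_query(const char *name, uint16_t id, uint8_t *buf, size_t cap)
{
    size_t off = 12;
    const char *p = name;
    if (cap < 12 + strlen(name) + 2 + 4) return -1;
    memset(buf, 0, 12);
    buf[0] = id >> 8; buf[1] = id & 0xff;
    buf[2] = 0x01;                       /* RD: recursion desired */
    buf[5] = 1;                          /* QDCOUNT = 1 */
    while (*p) {                         /* name as <len><label>... */
        const char *dot = strchr(p, '.');
        size_t n = dot ? (size_t)(dot - p) : strlen(p);
        if (n == 0 || n > 63) return -1;
        buf[off++] = (uint8_t)n;
        memcpy(buf + off, p, n);
        off += n;
        p = dot ? dot + 1 : p + n;
    }
    buf[off++] = 0;                      /* root label */
    buf[off++] = 0; buf[off++] = 1;      /* QTYPE A */
    buf[off++] = 0; buf[off++] = 1;      /* QCLASS IN */
    return (int)off;
}

/* Skip a (possibly compressed) name at off; returns the new offset or 0. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0;  /* pointer */
        off += 1 + l;
    }
    return 0;
}

/* Copy A records out of a response; returns the count or -1 if malformed. */
int parse_a_answers(const uint8_t *m, size_t len, char ips[][16], int max)
{
    size_t off = 12;
    int found = 0;
    if (len < 12 || (m[3] & 0x0f) != 0) return -1;      /* RCODE must be 0 */
    uint16_t qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    for (int i = 0; i < qd; i++) {                      /* skip question section */
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len) return -1;
        off += 4;
    }
    for (int i = 0; i < an; i++) {
        off = skip_name(m, len, off);
        if (off == 0 || off + 10 > len) return -1;
        uint16_t type = (m[off] << 8) | m[off + 1];
        uint16_t rdlen = (m[off + 8] << 8) | m[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4 && found < max) {
            snprintf(ips[found], 16, "%u.%u.%u.%u", (unsigned)m[off],
                     (unsigned)m[off + 1], (unsigned)m[off + 2], (unsigned)m[off + 3]);
            found++;
        }
        off += rdlen;
    }
    return found;
}

/* Send the query to RESOLVER:53 over UDP; fills ips, returns count or -1. */
int resolve_via(const char *resolver, const char *name, char ips[][16], int max)
{
    uint8_t q[512], r[512];
    struct sockaddr_in sa;
    struct timeval tv = {3, 0};
    int qlen = build_a_query(name, 0x1234, q, sizeof q), fd;
    ssize_t rlen;
    if (qlen < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(53);
    if (inet_pton(AF_INET, resolver, &sa.sin_addr) != 1) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (sendto(fd, q, qlen, 0, (struct sockaddr *)&sa, sizeof sa) != qlen) { close(fd); return -1; }
    rlen = recv(fd, r, sizeof r, 0);
    close(fd);
    if (rlen < 12 || r[0] != q[0] || r[1] != q[1]) return -1;   /* id mismatch or timeout */
    return parse_a_answers(r, (size_t)rlen, ips, max);
}

int main(int argc, char **argv)
{
    char ips[16][16];
    const char *name = argc > 2 ? argv[2] : "a1.phobos.apple.com";
    if (argc < 2) { fprintf(stderr, "usage: %s resolver-ip [name]\n", argv[0]); return 2; }
    int n = resolve_via(argv[1], name, ips, 16);
    if (n < 0) { fprintf(stderr, "%s: lookup failed\n", argv[1]); return 1; }
    for (int i = 0; i < n; i++) printf("%s %s\n", argv[1], ips[i]);
    return 0;
}
```

Run it once per server in the list above (for example in a shell loop) and feed the printed addresses to ping; the transaction id check and the length checks in the parser are what keep a stray or truncated UDP reply from being mistaken for an answer.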

 


The ssh-agent in SecureCRT is rather interesting

May 20th, 2011

By chance I discovered that ssh from a virtual machine on one of my computers could connect directly to another server of mine.

Yet I had not configured any ssh key in that virtual machine. From another computer it doesn't work.

How did it connect?

ssh -v shows this:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key:
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).

And on the computer where it doesn't work, the output looks like this:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/swigger/.ssh/id_rsa
debug1: Trying private key: /home/swigger/.ssh/id_dsa
debug1: Trying private key: /home/swigger/.ssh/id_ecdsa
debug1: Next authentication method: password

Obviously, the "Offering public key:" line with nothing after it is the most suspicious part. Looking at the ssh source code, this is supposed to print a filename, but unfortunately it was an empty string. After spending some more time on it, reading the code, it turned out there was an identity here with no filename: it was not loaded from a file, but came from something called an agent.

Then I looked into ssh-agent, tracing where this agent's data came from, from the unix socket to the related sshd process.

Then I found the relevant information. It turns out:

 

SecureCRT supports ssh agent forwarding, but it has to be enabled under Global Options, SSH2.

Once enabled, if public key login is enabled for some server, the corresponding key gets recorded into the agent by SecureCRT.

Through the agent protocol, SecureCRT can hand this data to the ssh, scp and other commands running inside the session, so a virtual machine with nothing configured at all can log straight into my target server.

However, I enabled public key login for server a, yet server b (the virtual machine) also has the agent record for this public key. Is that a bug or a feature?
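The identity that ssh offered came from the agent socket rather than from a file, and the way to see what a forwarded agent exposes inside a session is to ask it, as ssh-add -l does. The following is an added example and not part of the original post or of SecureCRT: it speaks the agent protocol over the socket named by SSH_AUTH_SOCK (request type 11, SSH_AGENTC_REQUEST_IDENTITIES; answer type 12, SSH_AGENT_IDENTITIES_ANSWER, which carries a count followed by key blob and comment pairs), with the parser separated from the socket I/O so it can be exercised on a constructed message. Function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Added example, not from the post or from SecureCRT: lists the identities
 * the agent behind SSH_AUTH_SOCK offers, the way ssh-add -l does. */
#define SSH_AGENTC_REQUEST_IDENTITIES 11
#define SSH_AGENT_IDENTITIES_ANSWER   12

struct agent_key {
    char type[64];       /* key type from the blob, e.g. "ssh-rsa" */
    char comment[256];   /* comment stored with the key */
};

/* Big-endian uint32 at *off; advances *off. Returns 0 on truncation. */
static int get_u32(const uint8_t *m, size_t len, size_t *off, uint32_t *v)
{
    if (len - *off < 4) return 0;
    *v = ((uint32_t)m[*off] << 24) | ((uint32_t)m[*off + 1] << 16) |
         ((uint32_t)m[*off + 2] << 8) | m[*off + 3];
    *off += 4;
    return 1;
}

/* SSH "string": uint32 length followed by bytes; *p points into m. */
static int get_string(const uint8_t *m, size_t len, size_t *off,
                      const uint8_t **p, uint32_t *n)
{
    if (!get_u32(m, len, off, n) || len - *off < *n) return 0;
    *p = m + *off;
    *off += *n;
    return 1;
}

static void copy_bounded(char *dst, size_t cap, const uint8_t *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse an SSH_AGENT_IDENTITIES_ANSWER message body (type byte first).
 * Fills up to max entries; returns the count stored, or -1 if malformed. */
int parse_identities(const uint8_t *m, size_t len, struct agent_key *out, int max)
{
    size_t off = 1;
    uint32_t nkeys, bloblen, clen, tlen;
    const uint8_t *blob, *comment, *tname;
    int stored = 0;

    if (len < 1 || m[0] != SSH_AGENT_IDENTITIES_ANSWER) return -1;
    if (!get_u32(m, len, &off, &nkeys)) return -1;
    for (uint32_t i = 0; i < nkeys; i++) {
        if (!get_string(m, len, &off, &blob, &bloblen)) return -1;
        if (!get_string(m, len, &off, &comment, &clen)) return -1;
        if (stored >= max) continue;
        size_t boff = 0;              /* first string in the blob is the key type */
        if (!get_string(blob, bloblen, &boff, &tname, &tlen)) return -1;
        copy_bounded(out[stored].type, sizeof out[stored].type, tname, tlen);
        copy_bounded(out[stored].comment, sizeof out[stored].comment, comment, clen);
        stored++;
    }
    return stored;
}

static int read_full(int fd, uint8_t *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t k = read(fd, buf + got, n - got);
        if (k <= 0) return 0;
        got += (size_t)k;
    }
    return 1;
}

/* Send REQUEST_IDENTITIES to the agent socket and parse the answer. */
int query_agent_identities(struct agent_key *out, int max)
{
    const char *path = getenv("SSH_AUTH_SOCK");
    const uint8_t req[5] = {0, 0, 0, 1, SSH_AGENTC_REQUEST_IDENTITIES};
    uint8_t hdr[4], *msg;
    struct sockaddr_un sa;
    size_t mlen;
    int fd, r;

    if (path == NULL || strlen(path) >= sizeof sa.sun_path) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        write(fd, req, sizeof req) != (ssize_t)sizeof req ||
        !read_full(fd, hdr, 4)) { close(fd); return -1; }
    mlen = ((size_t)hdr[0] << 24) | ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    if (mlen == 0 || mlen > (1u << 20) || (msg = malloc(mlen)) == NULL) { close(fd); return -1; }
    r = read_full(fd, msg, mlen) ? parse_identities(msg, mlen, out, max) : -1;
    free(msg);
    close(fd);
    return r;
}

int main(void)
{
    struct agent_key keys[32];
    int n = query_agent_identities(keys, 32);
    if (n < 0) { fprintf(stderr, "no agent answer via SSH_AUTH_SOCK\n"); return 1; }
    printf("%d identities usable from this session:\n", n);
    for (int i = 0; i < n; i++) printf("  %s %s\n", keys[i].type, keys[i].comment);
    return 0;
}
```

Running this inside the virtual machine answers the question in the post directly: every identity it prints is one that any process on that machine with access to the forwarded socket can authenticate with, which is why agent forwarding is normally enabled per host rather than globally.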


Damn hostmonster lost all my files

Mar 1st, 2011

The whole www directory was wiped by hostmonster; all the attachments are gone. Fortunately the database was not lost, so the posts are still here.

I'm furious. They disappeared around February 19th; I noticed on the 23rd.

hm has three automatic backups: monthly, weekly and daily. But the monthly backup ran on the 20th, the weekly backup happened to run on the 21st, and the daily backup on the 22nd. So none of the three backups has my files. What a crap backup strategy.

Beyond being angry, there seems to be nothing much I can do. Sue them? I don't have the energy for that across the ocean, so the only thing I did was send an email saying I will never trust you, and then ask for a refund. The refund was actually fairly quick; two or three emails back and forth and it was done.

Moved to photonVPS, and I plan to move to yardVPS once they have stock. No more shared hosting; straight to a VPS. But backups are now my own job.


enable x11 forwarding on debian

Feb 4th, 2011

When I tried to forward X11 to my Windows machine via SecureCRT, I found the DISPLAY variable was not set. X11 forwarding did not work even when I set the DISPLAY variable manually. I googled and finally solved this problem:

You need to install xauth:

apt-get install xauth

You may also need to set “AllowTcpForwarding yes” in sshd_config?? Not sure.


build gcc 4.3 on debian lenny to allow utf-8 with bom source files.

Jan 4th, 2011

As far as I know, gcc accepts UTF-8 source files with a BOM from v4.4 on.

On some machines, people use a stable Linux distro such as Debian lenny, which only has gcc 4.3.

Yes, we can build a whole new gcc to work on lenny. However, the binaries built by this new gcc won't run on other machines.

An idea is to build gcc 4.3 with BOM support. There is a patch for this at http://gcc.gnu.org/ml/gcc-patches/2008-04/msg01371.html .

So the work can be done by these steps:

[code]

## download the patch to ~/bom.patch first
apt-get source gcc-4.3
cd gcc-4.3-4.3.2
debian/rules unpack
cd src/libcpp
patch -p1 < ~/bom.patch
## build out of tree in gcc-4.3-4.3.2/build, so that configure is reached as ../src/configure
cd ../..
mkdir -p build
cd build
## configure flags taken from gcc -v
../src/configure -v --with-pkgversion='Debian 4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-cld --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
make

[/code]

Finally, replace /usr/lib/gcc/i486-linux-gnu/4.3/cc1plus and /usr/lib/gcc/i486-linux-gnu/4.3/cc1 with the ones we just built in the directory 'build/gcc'. Don't run make install, to keep the system clean.
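What the libcpp patch has to do is small: recognise the three-byte UTF-8 BOM (EF BB BF) at the start of a source file and skip it before tokenising, while still rejecting UTF-16 BOMs that an editor may write instead of a UTF-8 one. The following is an added example, not the gcc patch: two helpers with hypothetical names (detect_bom, source_start) that apply that rule to an in-memory buffer, with a constructed source snippet as input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the gcc patch: reports which BOM, if any, starts BUF
 * and how many bytes a byte-oriented preprocessor should skip. */
enum bom_kind { BOM_NONE, BOM_UTF8, BOM_UTF16_LE, BOM_UTF16_BE };

enum bom_kind detect_bom(const unsigned char *buf, size_t len, size_t *skip)
{
    *skip = 0;
    if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF) {
        *skip = 3;                        /* UTF-8 BOM: drop it, keep the rest */
        return BOM_UTF8;
    }
    if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xFE) return BOM_UTF16_LE;
    if (len >= 2 && buf[0] == 0xFE && buf[1] == 0xFF) return BOM_UTF16_BE;
    return BOM_NONE;
}

/* Returns the start of the source text with a UTF-8 BOM skipped and stores
 * the remaining length in *outlen; returns NULL for UTF-16 input, which a
 * preprocessor that expects bytes has to reject rather than mis-tokenise. */
const unsigned char *source_start(const unsigned char *buf, size_t len, size_t *outlen)
{
    size_t skip;
    enum bom_kind k = detect_bom(buf, len, &skip);
    if (k == BOM_UTF16_LE || k == BOM_UTF16_BE) return NULL;
    *outlen = len - skip;
    return buf + skip;
}

int main(void)
{
    /* constructed input: a UTF-8 BOM followed by a one-line program */
    static const unsigned char src[] = "\xEF\xBB\xBFint main(void) { return 0; }\n";
    size_t n;
    const unsigned char *p = source_start(src, sizeof src - 1, &n);
    if (p == NULL) { fprintf(stderr, "UTF-16 source not supported\n"); return 1; }
    fwrite(p, 1, n, stdout);              /* prints the program without the BOM */
    return 0;
}
```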
