Offensive Thinking
Internet Thoughtcrime
2011-07-14 Installing a Debian chroot on the Asus Eee Pad Transformer
I recently bought an Asus Eee Pad Transformer. It has a keyboard dock, so I could finally convince myself why I’d need a tablet and that this one could also be used for creating stuff (e.g. developing), not only for consuming.
Of course, having Android (Honeycomb 3.1) running on the tablet is nice for couch surfing, but not for creating anything useful. So before buying the tablet, I at least made sure that it is possible to run Linux in any form on it.
Debian chroot
Fortunately, it is possible to run Linux (e.g. Debian) in a chroot environment. There are also people working (and succeeding) on running Linux natively over at xda-developers, but that’s for another post if I ever go for the dual boot option (and those guys get all the kinks worked out).
This blog post will therefore describe how I run Debian in a chroot on my Transformer. I do own the keyboard dock, so if you want to follow this using only the tablet, I recommend installing Hacker’s Keyboard. Also, this is written for people with a modicum of Linux knowledge, so don’t expect me to explain what a chroot is.
Root your device
For the chroot to work, you first have to root your Transformer. I’m not going to describe this, as others have already done so, have a look at the xda-developer pages. I did it by first downgrading to a vulnerable Android 3.0 version and then using gingerbreak. After that, I upgraded to 3.1 and later flashed Prime! 1.5. YMMV.
Install a Terminal Emulator
This is easy. I’m using Terminal Emulator, but you may also try e.g. ConnectBot.
Optional: Map the dock’s “Back” key to Escape
This is not a requirement, but for me as a vi(m) user it’s an absolute must: The Transformer’s keyboard dock is not a full keyboard as on your normal netbook, but specifically designed for Android. Fortunately, this post describes how to remap the keys on the dock, so you can have the “back” key on the dock remapped to good ol’ “Escape”:
1. Open the Terminal Emulator
2. Become root by typing “su”
3. Remount the read-only filesystem to be writable:
mount -o rw,remount -t yaffs2 \
/dev/block/mtdblock3 /system
4. Edit the file with the dock’s keymappings:
vi /system/usr/keylayout/asusec.kl
5. Search for “BACK” and change it to “ESCAPE” (should be key 158)
Add a script to start your chroot environment
This is where all the neat stuff happens. I’ve based my script on the one that comes with Debdroid, as I originally tinkered with it. No need for all the additional stuff that comes with Debdroid though, and on the Transformer, their scripts do not work out of the box, so I had to rewrite them quite a bit to suit me.
Long story short, you can download the full script here.
1. Put it under /system/bin/ to have it in your path. See the optional section about mapping Escape above on how to make the system partition writable.
2. Set the permissions:
chmod 700 /system/bin/debdroid
You also need the Debian image to mount. I just took one from the Debdroid website, but you can of course use any other image prepared for use in a chroot, or you can even prepare your own. In its default state, the script mounts it from /sdcard/debian/debian.img. Edit the config variables at the beginning to whatever you need.
First run of the chroot
Now it’s time to run the script for the first time. It will complain about the script ‘mnt_home’ which it can’t find, but that’s ok for now. If everything went well, you’ll now have a root bash prompt before you. Welcome to your new Debian chroot :).
Next, we want to add a new user, as we all know it is dangerous to always work as root:
adduser username
addgroup --gid 3003 inet
usermod -G inet -a username
Why the new group? Well, Android seems to allow socket access only to users in the inet (gid 3003) group. As we don’t have that group in our chroot yet, we have to add it manually. Then we need to add our user to it. ICMP (i.e., ping) will still not work, as that needs raw sockets. But normal TCP connections should work now. I found out about this by reading this blog post. Root will of course still be able to do everything.
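As an added example (not part of the original post), here is a small check script for the inet/gid 3003 setup described above. It reads the group file as a parameter so it can be run against the chroot’s real /etc/group or a constructed one; the gid 3003 requirement is the one the post states, everything else (function names, output strings) is my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the chroot's user setup
# against Android's socket rule. Only members of gid 3003 (Android's "inet"
# group) may create network sockets, so the chroot's /etc/group needs an
# inet group with exactly that gid and the user must be a member of it.
# The functions take the group file as a parameter so they can be run against
# a constructed file as well as the real /etc/group.
ANDROID_INET_GID=3003

# gid_of_group FILE NAME: print the gid of group NAME in FILE, or nothing.
gid_of_group() {
    awk -F: -v name="$2" '$1 == name { print $3 }' "$1"
}

# name_of_gid FILE GID: print the name of the group owning GID, or nothing.
name_of_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $1 }' "$1"
}

# check_inet_group FILE: print "ok" when inet has gid 3003, "missing" when no
# group has that gid yet (addgroup --gid 3003 inet is still needed), or
# "conflict:<name>" when another group already owns it (addgroup would fail).
check_inet_group() {
    gid=$(gid_of_group "$1" inet)
    if [ "$gid" = "$ANDROID_INET_GID" ]; then
        echo ok
        return
    fi
    owner=$(name_of_gid "$1" "$ANDROID_INET_GID")
    if [ -z "$owner" ]; then echo missing; else echo "conflict:$owner"; fi
}

# user_in_inet FILE USER: succeed if USER is a supplementary member of gid 3003
# (what "usermod -G inet -a" records). Root is not checked; it can do anything.
user_in_inet() {
    awk -F: -v gid="$ANDROID_INET_GID" -v user="$2" '
        $3 == gid { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Usage inside the chroot: ./check_inet.sh username
if [ -n "${1:-}" ]; then
    echo "inet group: $(check_inet_group /etc/group)"
    if user_in_inet /etc/group "$1"; then echo "$1 may open sockets"; else echo "$1 may NOT open sockets"; fi
fi
```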
Optional but recommended: Encrypted home for your user
Honeycomb allows you to encrypt your tablet (see Settings → Location and security → Encrypt tablet). That functionality is currently broken, but as it uses dm-crypt, the kernel modules are there and fortunately functional. As I did not want my GPG and SSH keys I’m using in my chroot to lie around on an unencrypted hard drive, I worked around it by mounting an encrypted file as my home directory. Not very good performance-wise, but I gladly accept that for the added security.
Creating the encrypted file
First, we need a file that will hold the home dir. We start by creating a new file with dd. I recommend creating the file on another system, as it seems awfully slow on the Transformer, especially if you want to create a file not only containing zeroes, but with arbitrary content from /dev/urandom (for the really paranoid):
dd if=/dev/zero of=/home/home.img bs=1M count=500
The command above will create a 500MB file containing only zeroes under /home. Put the file where you want to, I think /home is fitting. Next, we mount this file to a loopback device:
mknod /dev/loop21 b 7 21
losetup /dev/loop21 /home/home.img
We need to create the loopback device first with “mknod”. Choose whatever number you want to, it doesn’t have to be 21. Just don’t try to recreate 255, that’s what we already use for the Debian image. Now we want to create a new crypted device with cryptsetup. First, install cryptsetup:
aptitude install cryptsetup
Let’s format our new device:
cryptsetup luksFormat /dev/loop21
cryptsetup luksOpen /dev/loop21 home-crypto
mkfs.ext4 /dev/mapper/home-crypto
Now you should have a new crypted device that you can mount on /home/username. My script mnt_home can do that for you automatically. Put it under /usr/local/bin to work out of the box with the debdroid-script from earlier (this is what caused the error message in the beginning, as we didn’t have that script yet). It’ll also unmount your home directory when you exit the chroot. Please edit the variables at the top of the script to suit your needs.
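The post’s own mnt_home script is not reproduced here; the following is an added example of the mount/unmount sequence it describes, written by me and not taken from the post. It assumes the same loop number (21), image path, mapper name and mount point (/home/username) as above; a DRYRUN mode prints the commands instead of running them so the sequence can be checked without root or cryptsetup.

```shell
#!/bin/sh
# Added example, not the post's own mnt_home script: mount the LUKS-encrypted
# home image from the steps above and unmount it again on exit. Paths, loop
# number and mapper name are assumptions taken from the post; override them
# via the environment if yours differ.
HOME_IMG=${HOME_IMG:-/home/home.img}
LOOP_NUM=${LOOP_NUM:-21}             # 255 is already taken by the Debian image
LOOP_DEV=/dev/loop$LOOP_NUM
MAPPER_NAME=${MAPPER_NAME:-home-crypto}
MOUNT_POINT=${MOUNT_POINT:-/home/username}

# run CMD...: execute the command, or only print it when DRYRUN is set, so the
# sequence can be inspected (and tested) without root or cryptsetup installed.
run() {
    if [ -n "${DRYRUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mount_home: create the loop node if Android's /dev lacks it (block device,
# major 7, minor LOOP_NUM), attach the image, open the LUKS container and
# mount the filesystem inside it.
mount_home() {
    [ -e "$LOOP_DEV" ] || run mknod "$LOOP_DEV" b 7 "$LOOP_NUM"
    run losetup "$LOOP_DEV" "$HOME_IMG"
    run cryptsetup luksOpen "$LOOP_DEV" "$MAPPER_NAME"
    run mount -t ext4 "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
}

# umount_home: tear everything down in reverse order, so the unlocked mapping
# is removed and the loop device freed before the chroot exits.
umount_home() {
    run umount "$MOUNT_POINT"
    run cryptsetup luksClose "$MAPPER_NAME"
    run losetup -d "$LOOP_DEV"
}

# Usage: mnt_home.sh mount | mnt_home.sh umount
case "${1:-}" in
    mount) mount_home ;;
    umount) umount_home ;;
esac
```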
You should now be able to exit the chroot with everything being cleanly unmounted, and to enter it again by opening your terminal emulator and running “debdroid”. To use your new user, just do a “su username”.
Optional: Install tmux and tweak its config to allow usage as a normal user
I’m a huge tmux fan, so I use it in my chroot. The only problem is, once I su to my new user, tmux won’t start in the su environment. There may be a better solution to this, but my current workaround is to start tmux as root and use the following extra directive in my .tmux.conf:
set -g default-command "su username"
This’ll automatically su to my user in every new window I create. Please contact me if you have a better way and I’ll add it to this blog post.
Optional: Add inputrc
I also had the very odd bug that after su’ing to my user, I couldn’t type the numbers ‘2’ and ‘0’ anymore. What fixed the problem was to add my favourite .inputrc (see the dotfiles section). Don’t ask me why, but it helped.
Conclusion
I hope the instructions I gave helped you to set up your own chroot environment. If you find any mistakes, please contact me so I can fix them.
2011-06-06 Minor site cleanups
I finally did some minor cleanups on the site. The following things changed:
- As I use tmux now instead of screen wherever possible, I’ve added my tmux.conf to the dotfiles section.
- I orphaned all my AUR packages due to lack of time. So there’s a new project category now, Discontinued, for all the projects I might abandon at some point.
- There’s a new project, rem2jorte. Please see the project page for further details.
- Removed the identi.ca link because I don’t really use it. Twitter has won. Instead, I added my github page where all my public projects reside.
2011-04-17 New project: remparser
Without further ado: a new project on github, remparser.
The remparser Treetop parser parses the output of remind -s into a (hopefully useful) data structure. An example script outputting YAML code is included.
Some more details are in the README.
It’s been a while, I know. Busy as ever. So to prove that I’ve not entirely dismissed this website, some minor updates in Projects:
- I’ve updated some dotfiles and added two new: My elinks.conf for elinks and taskrc for task.
- The Various section now mentions the Metasploit JBoss AS exploit modules I contributed and updated recently.
The JBoss modules would’ve been worth their own blog post I guess, but I was too busy. I’ve mentioned them in this RedTeam blog post where I announced a new JBoss paper. They are in the official main branch now, so if you have a recent revision, they should be available. I’ll give a lightning talk at BruCON about some of the ideas behind them.
2010-05-20 New project: http2code
A new repository has been added to my github account: http2code.
It was inspired by w3af’s ability to export a raw request to a template source code file for different languages (as a matter of fact, I once wrote the Ruby export). The idea is simple: I have a raw HTTP GET or POST request, e.g. from my favourite HTTP (attack) proxy. Now quite often, I want to write a little script revolving around that request, for example for fuzzing. Previously, I always manually added the request’s content to some template code for the HTTP library du jour I hopefully still found lying around somewhere on my hard drive. Then, I started to adapt the code to my liking.
The whole “copy the raw request, insert it into source code template (if any) and reformat until it fits into what the HTTP library expects (like parsing the raw body of a POST into an associative array, for example)” is a rather dull and repetitive task better done by a script. w3af already does it quite nicely, but I wanted a simple command line tool for this.
So I wrote http2code:
Usage: http2code [options]
-n, --newlines Use \n as line delimiter when parsing the
POST request instead of \r\n
-t, --template TEMPLATE Use template TEMPLATE
-b, --header-blacklist Use header blacklist to automatically
remove common headers not needed
-h, --help Show this help
Available Templates:
--------------------
typhoeus.rb
It takes a raw request from stdin and parses it into JSON data structures for headers, body and the first line containing the HTTP verb and URL. If you supply a template name, it’ll just put the JSON data into the template where some placeholders are defined. Then it writes the result to stdout. Pretty simple, but it saves me a lot of time. You will still have to manually adapt the code though, it may not work right out of the box.
At the moment there’s only a typhoeus template, I plan on adding them as I need / write them.