如果说黑群晖的难度是1,黑苹果的难度是5,黑威联通大概是3这样吧。
威联通使用的是QTS系统,黑威联通关键的地方,除了需要了解嵌入式linux逆向工程之外,还需要针对不同的硬件设备或者不同的虚拟化平台做出Model文件里面的硬件定义内容。
由于Model的资料比较少,把自行记录的笔记整理一下,本文为黑威联通QTS Model硬件定义笔记(不完整版)。
本文案例设备:PVE宿主机、创建Q35虚拟机用作黑威联通系统,直通两个sata控制器(每控制器分别接入2个物理硬盘共4个硬盘)和一个物理网卡,引导盘使用虚拟硬盘
进入tc系统,使用lspci -vtnn查询PCI设备,提取硬盘控制器、引导、网卡等设备IO号
tc@box:~$ lspci -vtnn -[0000:00]-+-00.0 Intel Corporation 82G33/G31/P35/P31 Express DRAM Controller [8086:29c0] +-01.0 Device [1234:1111] +-1a.0 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #4 [8086:2937] +-1a.1 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #5 [8086:2938] +-1a.2 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #6 [8086:2939] +-1a.7 Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #2 [8086:293c] +-1b.0 Intel Corporation 82801I (ICH9 Family) HD Audio Controller [8086:293e] +-1c.0-[01]----00.0 Intel Corporation Device [8086:31e3] +-1c.1-[02]----00.0 ASMedia Technology Inc. ASM1062 Serial ATA Controller [1b21:0612] +-1c.2-[03]----00.0 Realtek Semiconductor Co., Ltd. Device [10ec:8125] +-1c.3-[04]-- +-1d.0 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #1 [8086:2934] +-1d.1 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #2 [8086:2935] +-1d.2 Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #3 [8086:2936] +-1d.7 Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #1 [8086:293a] +-1e.0-[05-09]--+-01.0-[06]--+-03.0 Red Hat, Inc Virtio memory balloon [1af4:1002] | | +-07.0 Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922] | | \-12.0 Red Hat, Inc Virtio network device [1af4:1000] | +-02.0-[07]-- | +-03.0-[08]-- | \-04.0-[09]-- +-1f.0 Intel Corporation 82801IB (ICH9) LPC Interface Controller [8086:2918] +-1f.2 Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922] \-1f.3 Intel Corporation 82801I (ICH9 Family) SMBus Controller [8086:2930] tc@box:~$
经过上述信息可得出以下信息:
#以上信息均补全硬件定义的开头 -[0000:00]- #硬盘控制器有三个,01是主板板载sata控制器,02是ASM1062 sata控制器(个别主板可能是板载,也可能是扩展卡),第三个是虚拟sata控制器(注意最后的设备ID,lspci内出现了两次) #前两个是物理控制器、第三个是虚拟控制器 -[0000:00]-+-1c.0-[01]----00.0 Intel Corporation Device [8086:31e3] -[0000:00]-+-1c.1-[02]----00.0 ASMedia Technology Inc. ASM1062 Serial ATA Controller [1b21:0612] -[0000:00]-+-1f.2 Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922] #网卡有两个,第一个是物理网卡,第二个是Virtio虚拟网卡(类似的虚拟网卡还有常见的E1000、E1000e、RTL8139、vmxnet3等等) -[0000:00]-+-1c.2-[03]----00.0 Realtek Semiconductor Co., Ltd. Device [10ec:8125] -[0000:00]-+-1e.0-[05-09]--+-01.0-[06]--\-12.0 Red Hat, Inc Virtio network device [1af4:1000] #启动盘,这里要根据实际的情况来提取,启动盘有USB、SATA硬盘等,本文的案例是虚拟硬盘作为引导,所以这里提取的虚拟硬盘控制器地址 -[0000:00]-+-1f.2 Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922]
重点来了,把提取出来的硬盘控制器、网卡、启动盘的IO地址转换为QTS可识别的地址
#硬盘控制器,每控制器最大可接入6个硬盘,本文的案例是每个物理控制器只接入2个硬盘共4个硬盘 #第一个控制器-板载sata控制器的硬盘定义,根据上述提取的“-[0000:00]-+-1c.0-[01]----00.0”转换而来,这里面要拆成两个信息 总线地址:[0000:00]-+-1c.0 子地址:[01]----00.0 #进制转换(16进制 -> 10进制),定义QTS能识别的地址 00.1c.0 -> B00:D28:F0 01.00.0 -> B01:D00:F0 #最终,注意个别序号从0/1开始,别搞混 [System Disk 1] #该sata控制器接入两个硬盘,这里是物理机的第一个硬盘 DEV_BUS=B00:D28:F0 #总线地址 DEV_PORT = 0 #每sata有0-5号,0是该控制器的第一个硬盘,最大支持6个硬盘 DEV_BRIDGE_BUS = B01:D00:F0 #子地址 [System Disk 2] #该sata控制器的第二个硬盘,这里是物理机的第二个硬盘 DEV_BUS=B00:D28:F0 #总线地址,由于同一个sata控制器故和上述一致 DEV_PORT = 1 #注意这里是1,因为从0开始计算 DEV_BRIDGE_BUS = B01:D00:F0 #子地址,由于同一个sata控制器故和上述一致 #后续的控制器、网卡、启动盘等定义方法,均参考上述第一个控制器的硬盘定义即可,不再啰嗦 #第二个控制器-ASM1062 sata控制器的硬盘定义,根据上述提取的“-[0000:00]-+-1c.1-[02]----00.0”转换而来 [System Disk 3] DEV_BUS=B00:D28:F1 DEV_PORT = 0 DEV_BRIDGE_BUS = B02:D00:F0 [System Disk 4] DEV_BUS=B00:D28:F1 DEV_PORT = 1 DEV_BRIDGE_BUS = B02:D00:F0 #网卡定义,,根据上述提取的“-[0000:00]-+-1c.2-[03]----00.0”转换而来 [System Network 1] DEV_BUS=B00:D28:F2 DEV_PORT = 0 DEV_BRIDGE_BUS = B03:D00:F0 #启动盘定义,根据上述提取的“-[0000:00]-+-1f.2”转换而来 #进制转换(16进制 -> 10进制) 00.1f.2 -> B00:D31:F2 [Boot Disk 1] 第一个启动盘 DISK_DRV_TYPE = ATA #定义启动盘为sata引导的类型 DEV_BUS = B00:D31:F2 DEV_PORT = 0
题外话,新手可忽略这段:总线地址、子地址只有两层,还有子子地址这种三层的PCI设备
-[0000:00]-+-1f.2 Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] [8086:2922] -[0000:00]-+-1c.2-[03]----00.0 Realtek Semiconductor Co., Ltd. Device [10ec:8125] -[0000:00]-+-1e.0-[05-09]--+-01.0-[06]--\-12.0 Red Hat, Inc Virtio network device [1af4:1000] #第一行:总线地址 #第二行:总线地址-子地址 #第三行:总线地址-子地址-子子地址(为了便于理解……你也可以理解为:爷爷-父亲-孙子……) #前两个,在上一段已经给出定义方法,但是带有孙子……额……口误,带有子子地址这种的定义方法还未知如何定义 #第三行这种情况,出现在amd个别设备或者pve分配pci设备时不含“pcie=1”时会出现,pve可通过给pcie设备增加“pcie=1”参数解决,其余平台自行研究
完整版model.conf - 已移除LED、FAN等参数
[System Enclosure] VENDOR = QNAP MODEL = TS-653B CAP=0x161cdb9c MAX_DISK_NUM = 6 MAX_TEMP_NUM = 2 MAX_NET_PORT_NUM = 10 INTERNAL_NET_PORT_NUM = 3 MAX_PCIE_SLOT = 1 CPU_TEMP_UNIT = DTS:1 SYSTEM_TEMP_UNIT=EC SIO_DEVICE = IT8528 PWR_RECOVERY_UNIT = EC PWR_RECOVERY_CMOS_STORE = 0x70,0x61 BUZZER_CMOS_STORE = 0x70,0x63 BOARD_SN_DEVICE = VPD:BP ETH_MAC_DEVICE = NET DISK_DRV_TYPE = ATA DISK_DEFAULT_MAX_LINK_SPEED = PD_SATA_SAS_6G SYSTEM_DISK_CACHEABLE_BITMAP = 0x7E SS_MAX_CHANNELS = 40 SS_FREE_CHANNELS = 4 EUP_STATUS = EC QA_PORT_SUPPORT = 1 LCM_BAUDRATE = 115200 HEAT_SOURCE = SYS, CPU, DISK [System I2C] DEV_BUS = B00:D31:F1 DEV_PORT = 0 [System EDID 1] DEV_BUS = B00:D02:F0 DEV_PORT = 1 [System EDID 2] DEV_BUS = B00:D02:F0 DEV_PORT = 0 [System IO] RESET_BUTTON = EC USB_COPY_BUTTON = EC VPD_MB = EC VPD_BP = EC EDID_COUNT=2 VOICE_ALERT_SUPPORT = 1 [System Disk 1] DEV_BUS=B00:D28:F0 DEV_PORT = 0 DEV_BRIDGE_BUS = B01:D00:F0 [System Disk 2] DEV_BUS=B00:D28:F0 DEV_PORT = 1 DEV_BRIDGE_BUS = B01:D00:F0 [System Disk 3] DEV_BUS=B00:D28:F1 DEV_PORT = 0 DEV_BRIDGE_BUS = B02:D00:F0 [System Disk 4] DEV_BUS=B00:D28:F1 DEV_PORT = 1 DEV_BRIDGE_BUS = B02:D00:F0 [System Network 1] DEV_BUS = B00:D19:F2 PCI_SWITCH_PORT = 7 DEV_PORT = 0 [System Network 2] DEV_BUS = B00:D19:F2 PCI_SWITCH_PORT = 3 DEV_PORT = 0 [System Network 3] DEV_BUS = B00:D19:F3 DEV_PORT = 0 QA_PORT = YES [System PCIE SLOT 1] DEV_BUS = B00:D20:F0 MAX_PCIE_LINK_WIDTH = 2 [Usb Enclosure] VENDOR = QNAP MODEL = USB MAX_PORT_NUM = 7 USB3_PORT_BITMAP = 0xFE EXT_PORT_NUM = 2 [Usb Port 1] DEV_BUS = B00:D21:F0 DEV_PORT = 1 [Usb Port 2] DEV_BUS = B00:D21:F0 IN_HUB = 1 DEV_PORT = 4 HUB_PORT = 2 [Usb Port 3] DEV_BUS = B00:D21:F0 IN_HUB = 1 DEV_PORT = 3 HUB_PORT = 2 [Usb Port 4] DEV_BUS = B00:D21:F0 IN_HUB = 1 DEV_PORT = 2 HUB_PORT = 2 [Usb Port 5] DEV_BUS = B00:D21:F0 IN_HUB = 1 DEV_PORT = 1 HUB_PORT = 2 [Usb Port 6] DEV_BUS = B00:D20:F0 DEV_PORT_SS = 2 [Usb Port 7] DEV_BUS = B00:D20:F0 DEV_PORT_SS = 1 [MMC Port 1] DEV_BUS = B00:D27:F0 [Boot Enclosure] VENDOR = QNAP MODEL = BOOT MAX_DISK_NUM = 1 [Boot Disk 1] DISK_DRV_TYPE = MMC DEV_BUS = B00:D28:F0 [System Memory] MAX_CHANNEL_NUM = 2 MAX_SLOT_NUM = 2 SLOT1_ADDR = 1, 0x50 SLOT2_ADDR = 2, 0x52
精简版model.conf - 只提取我们需要的部分和修正部分关键硬件IO号:系统定义、磁盘定义、网络定义、启动盘定义
[System Enclosure] VENDOR = QNAP MODEL = TS-653B CAP=0x161cdb9c MAX_DISK_NUM = 6 MAX_TEMP_NUM = 2 DISK_DRV_TYPE = ATA [System Disk 1] DEV_BUS=B00:D28:F0 DEV_PORT = 0 DEV_BRIDGE_BUS = B01:D00:F0 [System Disk 2] DEV_BUS=B00:D28:F0 DEV_PORT = 1 DEV_BRIDGE_BUS = B01:D00:F0 [System Disk 3] DEV_BUS=B00:D28:F1 DEV_PORT = 0 DEV_BRIDGE_BUS = B02:D00:F0 [System Disk 4] DEV_BUS=B00:D28:F1 DEV_PORT = 1 DEV_BRIDGE_BUS = B02:D00:F0 [System Network 1] DEV_BUS=B00:D28:F2 DEV_PORT = 0 DEV_BRIDGE_BUS = B03:D00:F0 [Boot Enclosure] VENDOR = QNAP MODEL = BOOT MAX_DISK_NUM = 1 [Boot Disk 1] DISK_DRV_TYPE = ATA DEV_BUS = B00:D31:F2 DEV_PORT = 0
把制作好的model.conf文件上传至tc内的mymodel目录覆盖后,执行命令重新编译后重启进入查看即可
sudo cp -f ./mymodel/* ./initrd/etc/ && sudo ./re_packing && sudo reboot
本文只解决QTS的Model硬件定义部分,其余可参考老骥伏枥的黑威联通帖子
【老骥伏枥-狗年大礼包】嵌入式linux逆向工程,手把手教你作黑Q:http://www.nasyun.com/thread-39736-1-1.html