Running Solaris 2.6 (sparc) on qemu-system-sparc in Linux x86

Next chapter in our Computer Archeology articles. This time it will be about emulating the legendary Sun Solaris 2.6 that dates back to July 1997 and which included Kerberos 5, PAM, TrueType fonts, WebNFS, large file support and enhanced procfs. It was also known as SunOS 5.6

Qemu can emulate many CPU architectures, we will be concerned only with Sparc (qemu-system-sparc). I usually build qemu from source ( https://github.com/qemu/qemu.git ) so with this exercise Im using the below qemu version compiled on Linux Mint 19 :

QEMU emulator version 3.0.50 (v3.0.0-614-g19b599f766-dirty)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

The compilation is pretty straightforward and takes some time if we decide to compile all the emulation platforms supported by Qemu.

Also what I found very handy is the Linux build for RealVNC viewer from here ( https://www.realvnc.com/en/connect/download/viewer/ ) and use it as a VNCviewer with Qemu since the SDL support seems flaky sometimes and breaks some character display in Solaris 2.6 in Qemu.

Next we need to get our hands on the Installer CD ISO for Sun Solaris 2.6 and the ss5.bin (SUN Station 5 PROM ) I have uploaded the gzipped tarball of the ISO and the bin here

https://drop.me/omV3jb

Once we download the archive we extract it to a working directory where we will hold our Solaris 2.6 environment

user@panasonic ~/SOLARIS $ gunzip sol26.tar.gz 
user@panasonic ~/SOLARIS $ tar -xvf sol26.tar 
Sun-Solaris-2.6-sparc/
Sun-Solaris-2.6-sparc/solaris-2.6-sparc.iso
Sun-Solaris-2.6-sparc/ss5.bin
user@panasonic ~/SOLARIS $ cd Sun-Solaris-2.6-sparc/
user@panasonic ~/SOLARIS/Sun-Solaris-2.6-sparc $ ls -la
total 552868
drwxr-xr-x 2 user user 4096 Sep 21 10:51 .
drwxr-xr-x 3 user user 4096 Sep 21 23:52 ..
-rw-r--r-- 1 user user 565862400 Sep 21 10:51 solaris-2.6-sparc.iso
-rw-r--r-- 1 user user 262144 Sep 21 10:51 ss5.bin

So we end up with 2 files in Sun-Solaris-2.6-sparc directory (Installation ISO and PROM image) Next we will create a QCOW image for the HDD and setup some networking per-requisites. Following will create a 36GB QCOW image v3

$ qemu-img create -f qcow2 disk.img 36G
Formatting 'disk.img', fmt=qcow2 size=38654705664 cluster_size=65536 lazy_refcounts=off refcount_bits=16
$ file disk.img 
disk.img: QEMU QCOW Image (v3), 38654705664 bytes

Next we will configure the networking and the /etc/qemu-ifup script. Networking script can be saved in the emulation directory and needs to be executed with root privileges prior running qemu (you should adjust to your needs here -> enp0s25 is eth0 and wlp9s0 is wlan0 ) lets call this network.sh

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl addif br0 enp0s25 vboxnet0 
brctl setfd br0 0
ifconfig enp0s25 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface enp0s25 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlp9s0 -j MASQUERADE

Next we replace the /etc/qemu-ifup script with the below

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)

if [ -n "$ip" ]; then
ip link set "$1" up
else
brctl=$(which brctl)
if [ ! "$ip" -o ! "$brctl" ]; then
echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
exit 0
fi
ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls |
awk '/^default / {
for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
}'
)

switch=br0

# only add the interface to default-route bridge if we
# have such interface (with default route) and if that
# interface is actually a bridge.
# It is possible to have several default routes too
for br in $switch; do
if [ -d /sys/class/net/$br/bridge/. ]; then
if [ -n "$ip" ]; then
ip link set "$1" master "$br"
else
brctl addif $br "$1"
fi
exit # exit with status of the previous command
fi
done

echo "W: $0: no bridge for guest interface found" >&2

So once we are ready we will launch the network.sh and move on to prepare the newly created disk.img to be ready for Solaris 2.6 installation. We will be running a simulated Sparc machine with 128 MB RAM and and disguise as SPARCstation5

You need to run this as root

# qemu-system-sparc -L . -m 128 -M SS-5 -bios ss5.bin -drive file=disk.img,bus=0,unit=0,media=disk -drive file=solaris-2.6-sparc.iso,bus=0,unit=6,media=cdrom -net nic -net tap -display vnc=:1

Next we must load the TightVNC viewer to connect to the console ( 127.0.0.1:5901 or :1)

We add the boot cdrom:d -vs (boot in single user mode from the ISO )

Next we need to load the disk labeling/formatting by entering format in the root shell

Next we select 16 Other

We enter the 24620 as number of cylinders

Enter 27 as number of heads

Number of data sectors/track 107

Hit default values on the rest until you reach the disk name Qemu36GB

Next we get thrown to format prompt we finally run label on it

Once we see the below message about the corrupt label we run l

Now we are finally done, we can quit and reboot

So once we are in the SPARC boot prompt again we issue boot cdrom:d

Next the installer X11 screen should pop up

So we choose whatever suites us – this part is pretty straightforward

!!! Selet Manual Reboot option here since we need to make some changes to the system before we reboot it !!!

Finally the installation will start; it will take some time to finish so we can grab a cup of coffee

After the installer finishes we are left with a root shell in which we need to do a few things

We need to edit /a/etc/system and add to the end of it value as seen in the screenshot below set scsi_options=0x58

Add default route to the network config file in /a/etc/defaultrouter 10.0.2.2

Add the following to /a/etc/nsswitch.conf hosts: file dns via vi

We define nameserver (google) in /a/etc/resolv.conf nameserver 8.8.8.8

Finally we add the aliases to /a/etc/hosts

Now we are ready to reboot the installer so just type reboot in the root shell

Yet again we are back at the SPARC boot prompt, however this time we boot the disk with Solaris

Next we define the root password

We will be given a choice to run either CDE or OpenDesktop environment next. I choose CDE (I love the design, but hate the insecurity of it )

So by now we should have a fully working, networked Sun Solaris 2.6 environment. Reachable by 10.0.2.10 from the Linux Mint system (thanks to the br0 and tun0) and able to communicate with the internet via the HotJava browser (very limited nowadays)

And finally an Nmap scan of the default Sun Solaris 2.6 installation

# nmap -sS -sV -vv 10.0.2.10

Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-09-21 22:45 CEST
NSE: Loaded 44 scripts for scanning.
Initiating ARP Ping Scan at 22:45
Scanning 10.0.2.10 [1 port]
Completed ARP Ping Scan at 22:45, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:45
Completed Parallel DNS resolution of 1 host. at 22:45, 0.02s elapsed
Initiating SYN Stealth Scan at 22:45
Scanning 10.0.2.10 [1000 ports]
Discovered open port 25/tcp on 10.0.2.10
Discovered open port 111/tcp on 10.0.2.10
Discovered open port 21/tcp on 10.0.2.10
Discovered open port 23/tcp on 10.0.2.10
Discovered open port 13/tcp on 10.0.2.10
Discovered open port 512/tcp on 10.0.2.10
Discovered open port 514/tcp on 10.0.2.10
Discovered open port 79/tcp on 10.0.2.10
Discovered open port 32775/tcp on 10.0.2.10
Discovered open port 32773/tcp on 10.0.2.10
Discovered open port 515/tcp on 10.0.2.10
Discovered open port 6000/tcp on 10.0.2.10
Discovered open port 32772/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 0 to 5 due to 144 out of 479 dropped probes since last increase.
Discovered open port 32777/tcp on 10.0.2.10
Discovered open port 6112/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 5 to 10 due to 30 out of 99 dropped probes since last increase.
Increasing send delay for 10.0.2.10 from 10 to 20 due to 13 out of 41 dropped probes since last increase.
Discovered open port 32774/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 20 to 40 due to 11 out of 33 dropped probes since last increase.
Discovered open port 4045/tcp on 10.0.2.10
Increasing send delay for 10.0.2.10 from 40 to 80 due to 11 out of 33 dropped probes since last increase.
Discovered open port 32771/tcp on 10.0.2.10
Discovered open port 9/tcp on 10.0.2.10
Discovered open port 1099/tcp on 10.0.2.10
Discovered open port 7100/tcp on 10.0.2.10
Discovered open port 19/tcp on 10.0.2.10
Discovered open port 37/tcp on 10.0.2.10
Discovered open port 32776/tcp on 10.0.2.10
Discovered open port 513/tcp on 10.0.2.10
Discovered open port 7/tcp on 10.0.2.10
Discovered open port 32779/tcp on 10.0.2.10
Discovered open port 32778/tcp on 10.0.2.10
Completed SYN Stealth Scan at 22:46, 57.78s elapsed (1000 total ports)
Initiating Service scan at 22:46
Scanning 28 services on 10.0.2.10
Completed Service scan at 22:49, 151.13s elapsed (28 services on 1 host)
NSE: Script scanning 10.0.2.10.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 22:49
Completed NSE at 22:49, 1.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 22:49
Completed NSE at 22:49, 1.07s elapsed
Nmap scan report for 10.0.2.10
Host is up, received arp-response (0.00031s latency).
Scanned at 2018-09-21 22:45:33 CEST for 211s
Not shown: 972 closed ports
Reason: 972 resets
PORT      STATE SERVICE          REASON          VERSION
7/tcp     open  echo             syn-ack ttl 255
9/tcp     open  discard?         syn-ack ttl 255
13/tcp    open  daytime          syn-ack ttl 255 Sun Solaris daytime
19/tcp    open  chargen          syn-ack ttl 255
21/tcp    open  ftp              syn-ack ttl 255 Sun SunOS ftpd 5.6
23/tcp    open  telnet           syn-ack ttl 255 Sun Solaris telnetd
25/tcp    open  smtp             syn-ack ttl 255 Sendmail SMI-8.6/SMI-SVR4
37/tcp    open  time             syn-ack ttl 255 (32 bits)
79/tcp    open  finger           syn-ack ttl 255 Sun Solaris fingerd
111/tcp   open  rpcbind          syn-ack ttl 255 2-4 (RPC #100000)
512/tcp   open  exec             syn-ack ttl 255
513/tcp   open  login            syn-ack ttl 255
514/tcp   open  tcpwrapped       syn-ack ttl 255
515/tcp   open  printer          syn-ack ttl 255 Sun Solaris lpd
1099/tcp  open  rmiregistry      syn-ack ttl 255 Java RMI
4045/tcp  open  nlockmgr         syn-ack ttl 255 1-4 (RPC #100021)
6000/tcp  open  X11              syn-ack ttl 255 (access denied)
6112/tcp  open  dtspc?           syn-ack ttl 255
7100/tcp  open  font-service     syn-ack ttl 255 Sun Solaris fs.auto
32771/tcp open  rpcbind          syn-ack ttl 255
32772/tcp open  kcms_server      syn-ack ttl 255 1 (RPC #100221)
32773/tcp open  cachefsd         syn-ack ttl 255 1 (RPC #100235)
32774/tcp open  status           syn-ack ttl 255 1 (RPC #100024)
32775/tcp open  ttdbserverd      syn-ack ttl 255 1 (RPC #100083)
32776/tcp open  sometimes-rpc15? syn-ack ttl 255
32777/tcp open  dmispd           syn-ack ttl 255 1 (RPC #300598)
32778/tcp open  snmpXdmid        syn-ack ttl 255 1 (RPC #100249)
32779/tcp open  ttsession        syn-ack ttl 255 1-4 (RPC #1342177279)
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Service Info: Hosts: solaris, solaris.; OSs: Solaris, Unix; CPE: cpe:/o:sun:sunos, cpe:/o:sun:sunos:5.6

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 211.79 seconds
           Raw packets sent: 1984 (87.280KB) | Rcvd: 1320 (52.932KB)

Solaris is pretty much dead now it seems … and I leave it as it is (its dead ass by the road …)