Customizing a Chromebook Image

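This document is aimed at developers and describes our method of creating a custom Kali Linux Samsung Chromebook ARM image. If you would rather install a pre-built Kali image, see our article on installing Kali on a Samsung Chromebook.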

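In this guide we create a single image containing two boot partitions: one holds a kernel hard-coded to boot from the SD card, the other a kernel hard-coded to boot from USB. Depending on your USB storage media type, make sure to mark the relevant boot partition with the higher priority after you dd the image to your USB device (the commands at the end of this guide).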

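01. Create a Kali rootfs

Start by building a Kali rootfs for the armhf architecture as described in our documentation. By the end of that process, you should have a populated rootfs directory in ~/arm-stuff/rootfs/kali-armhf.

02. Create the Image File

Next, we create the physical image file that will hold our Chromebook rootfs and boot images.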

apt-get install kpartx xz-utils gdisk uboot-mkimage u-boot-tools vboot-kernel-utils vboot-utils cgpt
cd ~
mkdir -p arm-stuff
cd arm-stuff/
mkdir -p images
cd images
dd if=/dev/zero of=kali-custom-chrome.img bs=1MB count=5000

03. Partition and Mount the Image File

parted kali-custom-chrome.img --script -- mklabel msdos
parted kali-custom-chrome.img --script -- mktable gpt
gdisk kali-custom-chrome.img << EOF
x
l
8192
m
n
1

+16M
7f00
n
2

+16M
7f00
n
3

w
y
EOF
loopdevice=`losetup -f --show kali-custom-chrome.img`
device=`kpartx -va $loopdevice | sed -E 's/.*(loop[0-9]+)p.*/\1/g' | head -1`
device="/dev/mapper/${device}"
bootp1=${device}p1
bootp2=${device}p2
rootp=${device}p3

mkfs.ext4 $rootp
mkdir -p root
mount $rootp root

04. Copy and Modify the Kali rootfs

Use rsync to recursively copy the Kali rootfs you built earlier into the mounted image.

cd ~/arm-stuff/images/
rsync -HPavz ~/arm-stuff/rootfs/kali-armhf/ root

echo nameserver 8.8.8.8 > root/etc/resolv.conf

mkdir -p root/etc/X11/xorg.conf.d/
cat << EOF > root/etc/X11/xorg.conf.d/50-touchpad.conf
Section "InputClass"
  Identifier "touchpad"
  MatchIsTouchpad "on"
  Option "FingerHigh" "5"
  Option "FingerLow" "5"
EndSection
EOF

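05. Compile the Samsung Chromium Kernel and Modules

If you are not using ARM hardware as your development environment, you first need to set up an ARM cross-compilation environment in order to build an ARM kernel and modules. Once that is done, continue with the commands below.

Fetch the Chromium kernel sources and place them in our development tree structure: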

cd ~/arm-stuff
mkdir -p kernel
cd kernel
git clone http://git.chromium.org/chromiumos/third_party/kernel.git -b chromeos-3.4 chromeos
cd chromeos
cat << EOF > kernel.its
/dts-v1/;

/ {
    description = "Chrome OS kernel image with one or more FDT blobs";
    #address-cells = <1>;
    images {
        kernel@1{
            description = "kernel";
            data = /incbin/("arch/arm/boot/zImage");
            type = "kernel_noload";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0>;
            entry = <0>;
        };
        fdt@1{
            description = "exynos5250-snow.dtb";
            data = /incbin/("arch/arm/boot/exynos5250-snow.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash@1{
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1{
            kernel = "kernel@1";
            fdt = "fdt@1";
        };
    };
};
EOF

Patch the kernel; as an example, we apply the wireless injection patches.

mkdir -p ../patches
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch -O ../patches/mac80211.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch -O ../patches/negative.patch
patch -p1 < ../patches/negative.patch
patch -p1 < ../patches/mac80211.patch

Configure, then cross-compile the Chromium kernel as shown below.

export ARCH=arm
export CROSS_COMPILE=~/arm-stuff/kernel/toolchains/arm-eabi-linaro-4.6.2/bin/arm-eabi-

./chromeos/scripts/prepareconfig chromeos-exynos5
# Disable LSM
sed -i 's/CONFIG_SECURITY_CHROMIUMOS=y/# CONFIG_SECURITY_CHROMIUMOS is not set/g' .config 
# If cross compiling, do this once:
sed -i 's/if defined(__linux__)/if defined(__linux__) ||defined(__KERNEL__) /g' include/drm/drm.h

make menuconfig
make -j$(cat /proc/cpuinfo|grep processor|wc -l)
make dtbs
cp ./scripts/dtc/dtc /usr/bin/
mkimage -f kernel.its kernel.itb
make modules_install INSTALL_MOD_PATH=~/arm-stuff/images/root/

# copy over firmware. Ideally use the original firmware (/lib/firmware) from the Chromebook.
git clone git://git.kernel.org/pub/scm/linux/kernel/git/dwmw2/linux-firmware.git 
cp -rf linux-firmware/* ~/arm-stuff/images/root/lib/firmware/
rm -rf linux-firmware
echo "console=tty1 debug verbose root=/dev/mmcblk1p3 rootwait rw rootfstype=ext4" > /tmp/config-sd
echo "console=tty1 debug verbose root=/dev/sda3 rootwait rw rootfstype=ext4" > /tmp/config-usb

vbutil_kernel --pack /tmp/newkern-sd --keyblock /usr/share/vboot/devkeys/kernel.keyblock --version 1 --signprivate /usr/share/vboot/devkeys/kernel_data_key.vbprivk --config=/tmp/config-sd --vmlinuz kernel.itb --arch arm
vbutil_kernel --pack /tmp/newkern-usb --keyblock /usr/share/vboot/devkeys/kernel.keyblock --version 1 --signprivate /usr/share/vboot/devkeys/kernel_data_key.vbprivk --config=/tmp/config-usb --vmlinuz kernel.itb --arch arm

06. Prepare the Boot Partitions

dd if=/tmp/newkern-sd of=$bootp1 # first boot partition for SD
dd if=/tmp/newkern-usb of=$bootp2 # second boot partition for USB

umount $rootp

kpartx -dv $loopdevice
losetup -d $loopdevice

07. dd the Image and Mark the USB Drive Bootable

dd if=kali-custom-chrome.img of=/dev/sdb bs=512k
cgpt repair /dev/sdb

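At this point, you need to mark either partition 1 or partition 2 with the higher priority. The larger number has the higher priority. The example below sets the priority of the first partition (selected with the -i parameter) to 10, because we want to boot from the SD card.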

cgpt add -i 1 -S 1 -T 5 -P 10 -l KERN-A /dev/sdb
cgpt add -i 2 -S 1 -T 5 -P 5 -l KERN-B  /dev/sdb

Use the cgpt show command to view the partition list and boot order.

root@kali:~# cgpt show /dev/sdb
       start        size    part  contents
           0           1          PMBR
           1           1          Pri GPT header
           2          32          Pri GPT table
        8192       32768       1  Label: "KERN-A"
                                  Type: ChromeOS kernel
                                  UUID: 63AD6EC9-AD94-4B42-80E4-798BBE6BE46C
                                  Attr: priority=10 tries=5 successful=1
       40960       32768       2  Label: "KERN-B"
                                  Type: ChromeOS kernel
                                  UUID: 37CE46C9-0A7A-4994-80FC-9C0FFCB4FDC1
                                  Attr: priority=5 tries=5 successful=1
       73728     3832490       3  Label: "Linux filesystem"
                                  Type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
                                  UUID: E9E67EE1-C02E-481C-BA3F-18E721515DBB
   125045391          32          Sec GPT table
   125045423           1          Sec GPT header
root@kali:~#
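
The following check is an added example, not part of the original guide: it reads cgpt show output and reports which kernel partition will be tried first, so a wrong priority is caught before the device is booted. The function names (boot_order, first_boot_label, sample_cgpt_show) are hypothetical, and the candidate rule in the comment is an assumption about how the firmware uses the priority, tries and successful attributes.

```shell
#!/bin/sh
# Added example (not from the original guide): report which ChromeOS kernel
# partition will be tried first, given `cgpt show` output on stdin.
# Assumed rule: a kernel partition is a boot candidate when priority > 0 and
# (tries > 0 or successful = 1); the highest priority candidate goes first.

# Print "<partition> <label> <priority>" per candidate, highest priority first.
boot_order() {
    awk '
        /Label:/ { part = $3; split($0, q, "\""); label = q[2]; kern = 0 }
        /Type: ChromeOS kernel/ { kern = 1 }
        /Attr:/ && kern {
            prio = 0; tries = 0; ok = 0
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "priority")   prio  = kv[2] + 0
                if (kv[1] == "tries")      tries = kv[2] + 0
                if (kv[1] == "successful") ok    = kv[2] + 0
            }
            if (prio > 0 && (tries > 0 || ok == 1))
                printf "%d %s %d\n", part, label, prio
        }
    ' | sort -k3,3nr
}

# Label of the partition that would be tried first (empty if none qualifies).
first_boot_label() {
    boot_order | head -n 1 | cut -d' ' -f2
}

# Sample input: the partition entries from the cgpt show listing in this guide.
sample_cgpt_show() {
    cat << 'EOF'
        8192       32768       1  Label: "KERN-A"
                                  Type: ChromeOS kernel
                                  Attr: priority=10 tries=5 successful=1
       40960       32768       2  Label: "KERN-B"
                                  Type: ChromeOS kernel
                                  Attr: priority=5 tries=5 successful=1
       73728     3832490       3  Label: "Linux filesystem"
                                  Type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF
}

# On a real device: cgpt show /dev/sdb | boot_order
sample_cgpt_show | boot_order
```

With the priorities set as in this guide, KERN-A (the SD card kernel) is listed first; if you boot from USB instead, KERN-B should be at the top.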

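Once this operation is complete, boot the Chromebook with the SD card / USB stick plugged in (NOT in the blue USB port!). At the developer boot prompt, press CTRL + ALT + U to boot into Kali Linux. Log in to Kali (root / toor) and run startx.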