Yukimasa Sugizaki Terminus-IMRC

## add-arch-2-new-sources.sh
# To prevent unsuppoorted architecture error messages from apt on Ubuntu 24.04 (Noble Numbat)
# with the new apt sources format

# Example error messages on `apt update` after a fresh install:
# N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://packages.microsoft.com/repos/edge stable InRelease' doesn't support architecture 'i386'
# N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'

#################################################
### SINGLE-ARCH (i.e. fix arch-related error) ###
#################################################

## hashes.txt
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'

## xz-backdoor.md

      
              1 file
            
          
              62 forks
            
          
              568 comments
            
          
              1323 stars
            
          
                thesamesam
                / xz-backdoor.md
            
            
              Last active
              July 21, 2024 05:59
            
              
                xz-utils backdoor situation (CVE-2024-3094)
              
          
    FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good
faith of being accurate, but like I just said; we don't yet know everything
about what's going on.
Background

On March 29th, 2024, a backdoor was discovered in
xz-utils, a suite of software that

  
## mul53.c
#if 0
Apple A11 (H10) introduces 2 propietary instructions called mul53lo.2d and mul53hi.2d. All of which belongs to Mul53 extensions.

Defintions:
- mul53lo.2d Vd, Vm: Multiplies 2 53-bit doublewords in the Vn vector with 2 53-bit doublewords in Vm vector and store 53 lowest bits in the Vn vector.
- mul53hi.2d Vd, Vm: Multiplies 2 53-bit doublewords in the Vn vector with 2 53-bit doublewords in Vm vector and store the result shifted 53 bits in the Vn vector.

Encodings:
- mul53lo.2d Vd, Vm: 0x00200000 | (m << 5) | (d << 0)
- mul53hi.2d Vd, Vm: 0x00200400 | (m << 5) | (d << 0)

## m1cat.c
/*
 * m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
 *
 * This program implements a covert channel that can be used to transmit data
 * between two processes when run on the Apple Silicon "M1" CPUs.
 *
 * The channel is slightly lossy due to (presumably) the scheduler sometimes
 * scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
 * together with some metadata/framing bits, which is usually good enough.
 * A better approach would be to use proper FEC or something like that.

## m1racles-poc.c
/*
 * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
 *
 * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
 *
 * Please visit m1racles.com for more information.
 *
 * Licensed under the MIT license.
 */

## aarch64_amx.py
# IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX
#
# WIP research. (This was edited to add more info after someone posted it to
# Hacker News. Click "Revisions" to see full changes.)
#
# Copyright (c) 2020 dougallj


# Based on Python port of VMX intrinsics plugin:
# Copyright (c) 2019 w4kfu - Synacktiv

## float-commutativity.c
#include <stdio.h>
#include <math.h>
#include <inttypes.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

## pallas.sh
#!/usr/bin/env zsh

set -e;
set +m; # Job control would've been nice, but manual round robin it is, sigh.

if [ -z "${ZSH_VERSION+x}" ]; then
    echo 'Try again with zsh.';
    exit 1;
fi;

## make_current_arm64_rpi_kernel_debs.sh
#!/bin/bash -x
# make_arm64_rpi_kernel_debs.sh
# Builds arm64 debian packages from the CURRENT rpi firmware repository kernel which is installed by:
# sudo rpi-update
# This runs on an arm64 host with arm64 compilation tools...
# or with some sort of cross-compilation setup.
# Debs are put in $workdir/build
#
# This will NOT work in Raspbian unless you have an arm64 compilation
# environment setup. Appears to work on
	# To prevent unsuppoorted architecture error messages from apt on Ubuntu 24.04 (Noble Numbat)
	# with the new apt sources format

	# Example error messages on `apt update` after a fresh install:
	# N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://packages.microsoft.com/repos/edge stable InRelease' doesn't support architecture 'i386'
	# N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'

	#################################################
	### SINGLE-ARCH (i.e. fix arch-related error) ###
	#################################################
	0810 b' from '
	0678 b' ssh2'
	00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
	0708 b'%s'
	0108 b'/usr/sbin/sshd\x00'
	0870 b'Accepted password for '
	01a0 b'Accepted publickey for '
	0c40 b'BN_bin2bn\x00'
	06d0 b'BN_bn2bin\x00'
	0958 b'BN_dup\x00'
	#if 0
	Apple A11 (H10) introduces 2 propietary instructions called mul53lo.2d and mul53hi.2d. All of which belongs to Mul53 extensions.

	Defintions:
	- mul53lo.2d Vd, Vm: Multiplies 2 53-bit doublewords in the Vn vector with 2 53-bit doublewords in Vm vector and store 53 lowest bits in the Vn vector.
	- mul53hi.2d Vd, Vm: Multiplies 2 53-bit doublewords in the Vn vector with 2 53-bit doublewords in Vm vector and store the result shifted 53 bits in the Vn vector.

	Encodings:
	- mul53lo.2d Vd, Vm: 0x00200000 \| (m << 5) \| (d << 0)
	- mul53hi.2d Vd, Vm: 0x00200400 \| (m << 5) \| (d << 0)
	/*
	* m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
	*
	* This program implements a covert channel that can be used to transmit data
	* between two processes when run on the Apple Silicon "M1" CPUs.
	*
	* The channel is slightly lossy due to (presumably) the scheduler sometimes
	* scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
	* together with some metadata/framing bits, which is usually good enough.
	* A better approach would be to use proper FEC or something like that.
	/*
	* m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
	*
	* This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
	*
	* Please visit m1racles.com for more information.
	*
	* Licensed under the MIT license.
	*/
	# IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX
	#
	# WIP research. (This was edited to add more info after someone posted it to
	# Hacker News. Click "Revisions" to see full changes.)
	#
	# Copyright (c) 2020 dougallj


	# Based on Python port of VMX intrinsics plugin:
	# Copyright (c) 2019 w4kfu - Synacktiv
	#include <stdio.h>
	#include <math.h>
	#include <inttypes.h>

	#if defined(__GNUC__)
	#define NOINLINE __attribute__((noinline))
	#else
	#define NOINLINE
	#endif
	#!/usr/bin/env zsh

	set -e;
	set +m; # Job control would've been nice, but manual round robin it is, sigh.

	if [ -z "${ZSH_VERSION+x}" ]; then
	echo 'Try again with zsh.';
	exit 1;
	fi;
	#!/bin/bash -x
	# make_arm64_rpi_kernel_debs.sh
	# Builds arm64 debian packages from the CURRENT rpi firmware repository kernel which is installed by:
	# sudo rpi-update
	# This runs on an arm64 host with arm64 compilation tools...
	# or with some sort of cross-compilation setup.
	# Debs are put in $workdir/build
	#
	# This will NOT work in Raspbian unless you have an arm64 compilation
	# environment setup. Appears to work on