Skip to content

Instantly share code, notes, and snippets.

View marcan's full-sized avatar

Hector Martin marcan

View GitHub Profile
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 6.6.0 Kernel Configuration
CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)"
import struct, time
## This experiment demonstrates that the claimed "hash" (that is not a hash) used
## by the L2 cache ECC debug feature used by Operation Triangulation is not secure,
## and can be trivially reverse engineered by anyone who owns one of the machines
## with the hardware (such as any M1 Mac), in seconds to days. Therefore, this proves
## that no "insider" access or leak is necessary to obtain this table, and that the
## attackers most likely did exactly the same thing.
## This is the "black box", i.e. the hardware: The table is not exposed to the caller.
class BlackBox:
marcan /
Created September 10, 2023 11:35
Apple TSO

ARM defines ACTLR_EL[321] as implementation defined.

Apple adds an IMPDEF ACTLR_EL12 as s3_6_c15_c14_6 and effectively implements VHE semantics. This does not seem to violate the architecture, since the register contents are IMPDEF anyway so nothing says they can't alias ACTLR_EL1 and ACTLR_EL2 together in EL2.

ACTLR_EL1 is trapped by HCR_EL2.TACR. It is also trapped by HACR_EL2<0> (which has all the controls for fine-grained Apple IMPDEF stuff).

In addition, AIDR_EL1 contains feature bits for Apple IMPDEF functionality. It is identical in EL1 and EL2 and is trapped by HCR_EL2.TID1 and HACR_EL2<4>.


0x000 1 isTiled
0x001 1 isTearingAllowed
0x002 1 isPremultiplied
0x003 4 planeCount
0x007 4 planeCount2
0x00b 4 pixelFormat
0x00f 4 YCbCrMatrix
0x013 1 transferFunctionIndex
13 == SDR
16 == HDR


Tested with 10-bit mode on KDE on an M1 Pro.

  • 12:
    • 10-bit mode: 0..1023
    • 8-bit mode: 0..255
    • Likely native primaries
      • Actually seems to be P3?
import tweepy, json, time, sys
auth = tweepy.OAuth1UserHandler(
<api keys here>
api = tweepy.API(auth)
d = json.loads(open(sys.argv[1]).read().split("=", 1)[1])
marcan /
Last active October 24, 2022 12:25
Asahi Linux patch stats
set -e
for i in $(git for-each-ref --format="%(refname:short)" refs/$ROOT/bits/); do
if git rev-parse --verify "$ROOT/bases/$name" &>/dev/null; then
marcan /
Last active August 21, 2022 11:17
Using systemd-boot with asahi

This is all preliminary and for experimentation only. You're on your own.

Make sure you're on asahi-dev and have your packages updated.

umount /boot/efi
mv /boot /boot.old
sed -i 's,/boot/efi,/boot,g' /etc/fstab
systemctl daemon-reload
mount /boot
marcan / CRCH35U31CIS_FP
Last active July 31, 2022 14:54
CRCH35U31CIS_FP HDD cage logs

Topology: VL822 hub + 4x ASM235CM (?) USB Gen2 - SATA bridges.

Tested with 4x WDC WD80EAZZ-00BKLB0 on an AMD X399 chipset.

~200MB/s from a single drive (this is about what the drive can do).

On a Gen1 port, I get ~400MB/s across all 4 drives. On a Gen2 port, ~800MB/s, give or take.

Power buttons power cycle the individual ASMedia controllers.

var katescript = {
"author": "Hector Martin <>",
"license": "BSD",
"revision": 1,
"kate-version": "5.1",
"functions": ["furiTool"],
"actions": [
{ "function": "furiTool",
"name": "Insert Furigana",
"category": "Quick Coding",