Hector Martin (marcan)
marcan /
Last active February 19, 2024 13:35
Canon EF protocol notes

Testing done using a Canon EOS 600D and a Canon EF-S18-55mm f/3.5-5.6 IS II.
  1. VBAT
  2. DET (common with P-GND on lens side)
  3. P-GND
  4. VDD
  5. DCL
  6. DLC

import struct, time
## This experiment demonstrates that the claimed "hash" (that is not a hash) used
## by the L2 cache ECC debug feature used by Operation Triangulation is not secure,
## and can be trivially reverse engineered by anyone who owns one of the machines
## with the hardware (such as any M1 Mac), in seconds to days. Therefore, this proves
## that no "insider" access or leak is necessary to obtain this table, and that the
## attackers most likely did exactly the same thing.
## This is the "black box", i.e. the hardware: The table is not exposed to the caller.
class BlackBox:

marcan / wiipointer.c
Last active February 11, 2024 14:43
Wiimote sensor bar tracking and pointer control algorithm
* Algorithm to process Wiimote IR tracking data into a usable pointer position
* by tracking the sensor bar.
* Copyright (c) 2008-2011 Hector Martin "marcan" <>
* All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:

marcan / config-20240112
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 6.6.0 Kernel Configuration
CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)"

marcan /
Last active December 10, 2023 22:06
Two images in one using the PNG gamma header trick.
# PNG Gamma trick (by @marcan42 /
# This script implements an improved version of the gamma trick used to make
# thumbnail images on reddit/4chan look different from the full-size image.
# Sample output (SFW; images by @Miluda):
# (click for fullsize)

marcan /
Created September 10, 2023 11:35
Apple TSO

ARM defines ACTLR_EL[321] as implementation defined.

Apple adds an IMPDEF ACTLR_EL12 as s3_6_c15_c14_6 and effectively implements VHE semantics. This does not seem to violate the architecture, since the register contents are IMPDEF anyway so nothing says they can't alias ACTLR_EL1 and ACTLR_EL2 together in EL2.

ACTLR_EL1 is trapped by HCR_EL2.TACR. It is also trapped by HACR_EL2<0> (which has all the controls for fine-grained Apple IMPDEF stuff).

In addition, AIDR_EL1 contains feature bits for Apple IMPDEF functionality. It is identical in EL1 and EL2 and is trapped by HCR_EL2.TID1 and HACR_EL2<4>.
marcan /
Last active December 1, 2023 15:18
Linux kernel initialization, translated to bash
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name

marcan / m1cat.c
Last active October 26, 2023 15:42
m1cat: a PoC for the M1RACLES covert channel vulnerability in the Apple M1
* m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
* This program implements a covert channel that can be used to transmit data
* between two processes when run on the Apple Silicon "M1" CPUs.
* The channel is slightly lossy due to (presumably) the scheduler sometimes
* scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
* together with some metadata/framing bits, which is usually good enough.
* A better approach would be to use proper FEC or something like that.

import mido, sys
mid = mido.MidiFile(sys.argv[1])
new_track = mido.MidiTrack()
sustain = 0
last = 0
t = 0
for ev in mido.merge_tracks(mid.tracks):

marcan /
Last active August 21, 2023 03:27
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <>
# Licensed under the terms of the MIT license
# Written to be used with the Have I been pwned? password list:
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):