Skip to content

Instantly share code, notes, and snippets.


Hector Martin marcan

View GitHub Profile
marcan /
Last active Aug 3, 2022
Two images in one using the PNG gamma header trick.
# PNG Gamma trick (by @marcan42 /
# This script implements an improved version of the gamma trick used to make
# thumbnail images on reddit/4chan look different from the full-size image.
# Sample output (SFW; images by @Miluda):
# (click for fullsize)
marcan /
Last active Aug 1, 2022
Linux kernel initialization, translated to bash
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name
marcan / CRCH35U31CIS_FP
Last active Jul 31, 2022
CRCH35U31CIS_FP HDD cage logs

Topology: VL822 hub + 4x ASM235CM (?) USB Gen2 - SATA bridges.

Tested with 4x WDC WD80EAZZ-00BKLB0 on an AMD X399 chipset.

~200MB/s from a single drive (this is about what the drive can do).

On a Gen1 port, I get ~400MB/s across all 4 drives. On a Gen2 port, ~800MB/s, give or take.

Power buttons power cycle the individual ASMedia controllers.

View m1racles-poc.c
* m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
* This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
* Please visit for more information.
* Licensed under the MIT license.
marcan /
Last active Jul 1, 2022
Canon EF protocol notes

Testing done using a Canon EOS 600D and a Canon EF-S18-55mm f/3.5-5.6 IS II.


  1. VBAT
  2. DET (common with P-GND on lens side)
  3. P-GND
  4. VDD
  5. DCL
  6. DLC
marcan /
Last active Jun 20, 2022
Non-obfuscated version of the ROCA Infineon RSA key test
import sys
# Credit:
generators = [
(2, 11), (6, 13), (8, 17), (9, 19), (3, 37), (26, 53), (20, 61), (35, 71),
(24, 73), (13, 79), (6, 97), (51, 103), (53, 107), (54, 109), (42, 127),
(50, 151), (78, 157),
marcan / m1cat.c
Last active Jun 1, 2022
m1cat: a PoC for the M1RACLES covert channel vulnerability in the Apple M1
View m1cat.c
* m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
* This program implements a covert channel that can be used to transmit data
* between two processes when run on the Apple Silicon "M1" CPUs.
* The channel is slightly lossy due to (presumably) the scheduler sometimes
* scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
* together with some metadata/framing bits, which is usually good enough.
* A better approach would be to use proper FEC or something like that.
View furitool.js
var katescript = {
"author": "Hector Martin <>",
"license": "BSD",
"revision": 1,
"kate-version": "5.1",
"functions": ["furiTool"],
"actions": [
{ "function": "furiTool",
"name": "Insert Furigana",
"category": "Quick Coding",
marcan /
Created Dec 22, 2018
Python module to assemble snippets of code
#!/usr/bin/env python
import os, tempfile, shutil, subprocess
class AsmException(Exception):
class BaseAsm(object):
def __init__(self, source, addr = 0):
self.source = source
self._tmp = tempfile.mkdtemp() + os.sep
marcan /
Last active Mar 11, 2022
Image to xterm-256 Unicode block art converter
#!/usr/bin/env python3
from __future__ import print_function
import sys, argparse, codecs
from PIL import Image, ImagePalette
xterm256colors = [ #
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x80, 0x00,
0x00, 0x00, 0x80, 0x80, 0x00, 0x80, 0x00, 0x80, 0x80, 0xc0, 0xc0, 0xc0,
0x80, 0x80, 0x80, 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0xff, 0x00,
0x00, 0x00, 0xff, 0xff, 0x00, 0xff, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,