Skip to content

Instantly share code, notes, and snippets.

View marcan's full-sized avatar

Hector Martin marcan

View GitHub Profile
@marcan
marcan / canon-ef-protocol-notes.md
Last active February 19, 2024 13:35
Canon EF protocol notes
View canon-ef-protocol-notes.md

Testing done using a Canon EOS 600D and a Canon EF-S18-55mm f/3.5-5.6 IS II.

Pinout

  1. VBAT
  2. DET (common with P-GND on lens side)
  3. P-GND
  4. VDD
  5. DCL
  6. DLC
View ecc_crack.py
import struct, time
## This experiment demonstrates that the claimed "hash" (that is not a hash) used
## by the L2 cache ECC debug feature used by Operation Triangulation is not secure,
## and can be trivially reverse engineered by anyone who owns one of the machines
## with the hardware (such as any M1 Mac), in seconds to days. Therefore, this proves
## that no "insider" access or leak is necessary to obtain this table, and that the
## attackers most likely did exactly the same thing.
## This is the "black box", i.e. the hardware: The table is not exposed to the caller.
class BlackBox:
@marcan
marcan / wiipointer.c
Last active February 11, 2024 14:43
Wiimote sensor bar tracking and pointer control algorithm
View wiipointer.c
/*
* Algorithm to process Wiimote IR tracking data into a usable pointer position
* by tracking the sensor bar.
*
* Copyright (c) 2008-2011 Hector Martin "marcan" <marcan@marcan.st>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
View config-20240112
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 6.6.0 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=130201
CONFIG_CLANG_VERSION=0
CONFIG_AS_IS_GNU=y
CONFIG_AS_VERSION=23900
@marcan
marcan / gamma_trick.sh
Last active December 10, 2023 22:06
Two images in one using the PNG gamma header trick.
View gamma_trick.sh
#!/bin/sh
# PNG Gamma trick (by @marcan42 / marcan@marcan.st)
#
# This script implements an improved version of the gamma trick used to make
# thumbnail images on reddit/4chan look different from the full-size image.
#
# Sample output (SFW; images by @Miluda):
# https://mrcn.st/t/homura_gamma_trick.png
# https://www.reddit.com/r/test/comments/6edthw/ (click for fullsize)
# https://twitter.com/marcan42/status/869855956842143744
@marcan
marcan / tso.md
Created September 10, 2023 11:35
Apple TSO
View tso.md

ARM defines ACTLR_EL[321] as implementation defined.

Apple adds an IMPDEF ACTLR_EL12 as s3_6_c15_c14_6 and effectively implements VHE semantics. This does not seem to violate the architecture, since the register contents are IMPDEF anyway so nothing says they can't alias ACTLR_EL1 and ACTLR_EL2 together in EL2.

ACTLR_EL1 is trapped by HCR_EL2.TACR. It is also trapped by HACR_EL2<0> (which has all the controls for fine-grained Apple IMPDEF stuff).

In addition, AIDR_EL1 contains feature bits for Apple IMPDEF functionality. It is identical in EL1 and EL2 and is trapped by HCR_EL2.TID1 and HACR_EL2<4>.

TSO

@marcan
marcan / linux.sh
Last active December 1, 2023 15:18
Linux kernel initialization, translated to bash
View linux.sh
#!/boot/bzImage
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <marcan@marcan.st>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name
@marcan
marcan / m1cat.c
Last active October 26, 2023 15:42
m1cat: a PoC for the M1RACLES covert channel vulnerability in the Apple M1
View m1cat.c
/*
* m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
*
* This program implements a covert channel that can be used to transmit data
* between two processes when run on the Apple Silicon "M1" CPUs.
*
* The channel is slightly lossy due to (presumably) the scheduler sometimes
* scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
* together with some metadata/framing bits, which is usually good enough.
* A better approach would be to use proper FEC or something like that.
View grandpianist_convert.py
#!/usr/bin/python3
import mido, sys
mid = mido.MidiFile(sys.argv[1])
new_track = mido.MidiTrack()
sustain = 0
last = 0
t = 0
for ev in mido.merge_tracks(mid.tracks):
@marcan
marcan / bloom.py
Last active August 21, 2023 03:27
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
View bloom.py
#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
# https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):