Testing done using a Canon EOS 600D and a Canon EF-S18-55mm f/3.5-5.6 IS II.
- VBAT
- DET (common with P-GND on lens side)
- P-GND
- VDD
- DCL
- DLC
/*
 * Algorithm to process Wiimote IR tracking data into a usable pointer position
 * by tracking the sensor bar.
 *
 * Copyright (c) 2008-2011 Hector Martin "marcan" <marcan@marcan.st>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
import struct, time
## This experiment demonstrates that the claimed "hash" (that is not a hash) used
## by the L2 cache ECC debug feature used by Operation Triangulation is not secure,
## and can be trivially reverse engineered by anyone who owns one of the machines
## with the hardware (such as any M1 Mac), in seconds to days. Therefore, this proves
## that no "insider" access or leak is necessary to obtain this table, and that the
## attackers most likely did exactly the same thing.
## This is the "black box", i.e. the hardware: The table is not exposed to the caller.
class BlackBox:
#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
# https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 6.6.0 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=130201
CONFIG_CLANG_VERSION=0
CONFIG_AS_IS_GNU=y
CONFIG_AS_VERSION=23900
#!/bin/sh
# PNG Gamma trick (by @marcan42 / marcan@marcan.st)
#
# This script implements an improved version of the gamma trick used to make
# thumbnail images on reddit/4chan look different from the full-size image.
#
# Sample output (SFW; images by @Miluda):
# https://mrcn.st/t/homura_gamma_trick.png
# https://www.reddit.com/r/test/comments/6edthw/ (click for fullsize)
# https://twitter.com/marcan42/status/869855956842143744
ARM defines ACTLR_EL[321] as implementation defined. Apple adds an IMPDEF ACTLR_EL12 as s3_6_c15_c14_6 and effectively implements VHE semantics. This does not seem to violate the architecture, since the register contents are IMPDEF anyway, so nothing says they can't alias ACTLR_EL1 and ACTLR_EL2 together in EL2.

ACTLR_EL1 is trapped by HCR_EL2.TACR. It is also trapped by HACR_EL2<0> (which has all the controls for fine-grained Apple IMPDEF stuff).

In addition, AIDR_EL1 contains feature bits for Apple IMPDEF functionality. It is identical in EL1 and EL2 and is trapped by HCR_EL2.TID1 and HACR_EL2<4>.
#!/boot/bzImage
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <marcan@marcan.st>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name
/*
 * m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
 *
 * This program implements a covert channel that can be used to transmit data
 * between two processes when run on the Apple Silicon "M1" CPUs.
 *
 * The channel is slightly lossy due to (presumably) the scheduler sometimes
 * scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
 * together with some metadata/framing bits, which is usually good enough.
 * A better approach would be to use proper FEC or something like that.
#!/usr/bin/python3
import mido, sys
mid = mido.MidiFile(sys.argv[1])
new_track = mido.MidiTrack()
sustain = 0
last = 0
t = 0
for ev in mido.merge_tracks(mid.tracks):