Skip to content

Instantly share code, notes, and snippets.


Hector Martin marcan

View GitHub Profile
marcan /
Last active June 1, 2023 00:07
Canon EF protocol notes

Testing done using a Canon EOS 600D and a Canon EF-S18-55mm f/3.5-5.6 IS II.


  1. VBAT
  2. DET (common with P-GND on lens side)
  3. P-GND
  4. VDD
  5. DCL
  6. DLC
marcan /
Last active May 6, 2023 04:33
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <>
# Licensed under the terms of the MIT license
# Written to be used with the Have I been pwned? password list:
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):
View dcp_surfaces.txt
0x000 1 isTiled
0x001 1 isTearingAllowed
0x002 1 isPremultiplied
0x003 4 planeCount
0x007 4 planeCount2
0x00b 4 pixelFormat
0x00f 4 YCbCrMatrix
0x013 1 transferFunctionIndex
13 == SDR
16 == HDR
marcan /
Last active May 3, 2023 02:19
Two images in one using the PNG gamma header trick.
# PNG Gamma trick (by @marcan42 /
# This script implements an improved version of the gamma trick used to make
# thumbnail images on reddit/4chan look different from the full-size image.
# Sample output (SFW; images by @Miluda):
# (click for fullsize)
View m1racles-poc.c
* m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
* This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
* Please visit for more information.
* Licensed under the MIT license.
marcan /
Created December 22, 2018 10:09
Alesis Vortex Wireless 2 patch to send MIDI messages when pressing the ribbon bank buttons
from asm import *
blob = open("image.bin", "rb").read()
start_addr = 0x08003000
patch_start = start_addr + len(blob)
assert patch_start % 4 == 0
marcan /
Last active April 19, 2023 02:12
Linux kernel initialization, translated to bash
# Linux kernel userspace initialization code, translated to bash
# (Minus floppy disk handling, because seriously, it's 2017.)
# Not 100% accurate, but gives you a good idea of how kernel init works
# GPLv2, Copyright 2017 Hector Martin <>
# Based on Linux 4.10-rc2.
# Note: pretend chroot is a builtin and affects the current process
# Note: kernel actually uses major/minor device numbers instead of device name
marcan / m1cat.c
Last active March 26, 2023 05:45
m1cat: a PoC for the M1RACLES covert channel vulnerability in the Apple M1
View m1cat.c
* m1cat: a proof of concept for the M1RACLES vulnerability in the Apple M1.
* This program implements a covert channel that can be used to transmit data
* between two processes when run on the Apple Silicon "M1" CPUs.
* The channel is slightly lossy due to (presumably) the scheduler sometimes
* scheduling us on the wrong CPU cluster, so this PoC sends every byte twice
* together with some metadata/framing bits, which is usually good enough.
* A better approach would be to use proper FEC or something like that.


Tested with 10-bit mode on KDE on an M1 Pro.

  • 12:
    • 10-bit mode: 0..1023
    • 8-bit mode: 0..255
    • Likely native primaries
      • Actually seems to be P3?
import tweepy, json, time, sys
auth = tweepy.OAuth1UserHandler(
<api keys here>
api = tweepy.API(auth)
d = json.loads(open(sys.argv[1]).read().split("=", 1)[1])