<azonenberg_work>
Ok, done with work-work for the day
<azonenberg_work>
Down in the lab with the fried coolrunner in the FIB
<azonenberg_work>
waiting for pumpdown
<balrog>
nice :D
digshadow has joined ##openfpga
<rqou>
hey, you know what's dumb? utf-16
<balrog>
rqou: and the fact that MS decided to use it and not utf-8
<azonenberg_work>
lol
<azonenberg_work>
yes utf-16 is stupid
<azonenberg_work>
adding null bytes between all of your ascii characters
<azonenberg_work>
it doubles the size of text in any language using the roman character set
<jn__>
UTF-16 made sense when Unicode chars were 16-bit long
<jn__>
(some sense)
<rqou>
<insert grapheme!=codepoint rant here>
<balrog>
jn__: now so?
<balrog>
how*
<jn__>
ok, i meant code points when i said chars
<jn__>
balrog: put every code point of the Unicode stream into one 16-bit location, done.
<jn__>
(ok, then you still have endianness which can bite you)
<rqou>
alright, opinions
<rqou>
given a Certain broken ABI with 16-bit wchar_t
<rqou>
what do you expect printf %ls to do given unpaired surrogates?
<rqou>
what do you expect printf %lc to do?
<rqou>
*what do you expect printf %lc to do given a surrogate?
<rqou>
my personal opinion: for %ls, output WTF-8
<rqou>
and for %lc output CESU-8
<rqou>
cr1901_modern: i know you're a fan of this particular platform with the broken ABI; what do you think?
<cr1901_modern>
rqou: Dunno, I pretend UTF doesn't exist b/c I don't need it ;)
<cr1901_modern>
rqou: (Btw, I'm well aware that this is a really shitty stance to take, so my real answer is: I don't know, I never looked it up)
<rqou>
egg|egg: how about you? opinions
amclain has quit [Quit: Leaving]
digshadow has quit [Ping timeout: 246 seconds]
<rqou>
offtopic: i just discovered the best (/s) way to handle filenames
<rqou>
"LHA stores a Windows code page with each filename."
pie_ has quit [Ping timeout: 240 seconds]
promach has quit [Ping timeout: 240 seconds]
promach has joined ##openfpga
<m_w>
12
fpgacraft1 has quit [Quit: ZNC 1.7.x-git-709-1bb0199 - http://znc.in]
fpgacraft1 has joined ##openfpga
azonenberg_work has quit [Ping timeout: 260 seconds]
<rqou>
hey strange question: does anybody know if wine does something strange with character encodings depending on if stdout is a tty?
m_w has quit [Quit: leaving]
Jarth has joined ##openfpga
<cyrozap>
JTAG Puzzle: I have 5 test points with signals TMS, TCK, TDO, TDI, and TRST. Two of those test points have 33-ohm resistors in series on them. How do I figure out which pins are which?
<cyrozap>
Actually I guess it's more of a riddle than a puzzle...
<cyrozap>
Also, all the pins output approximately 3V3 with nothing connected.
<cyrozap>
lain: Yup, that's partly what makes it such an interesting riddle :P
<lain>
I'm going to guess the two series-terminated lines are TCK and TDO, but I can't be sure
Jarth has quit [Ping timeout: 240 seconds]
Jarth has joined ##openfpga
SpaceCoaster has quit [Ping timeout: 248 seconds]
SpaceCoaster has joined ##openfpga
_whitelogger has joined ##openfpga
digshadow has joined ##openfpga
eduardo__ has joined ##openfpga
eduardo_ has quit [Ping timeout: 260 seconds]
<cyrozap>
It appears I was mistaken about some of the MiniProg3 stuff I found out yesterday: it looks like the FX2 firmware is _not_ auto-loaded at boot, and needs to be loaded each time you connect it to the PC. This makes more sense, because IIRC it doesn't have an internal EEPROM, and it didn't look like there was any on the board.
<cyrozap>
Also, I'm still looking for JTAG-pinout-RE help if anyone's interested :)
<cyrozap>
This device is ~$60 so I'd really like to not burn it out with a bad JTAG connection.
<rqou>
hmm, two resistors is unusual
<azonenberg>
yes it is
<azonenberg>
TDO being terminated makes sense
<cyrozap>
I KNOW
<azonenberg>
but not the other one...
<rqou>
take an intermediate-value resistor and see if you can drag any of them low?
<rqou>
that shouldn't burn out the chip i hope?
<azonenberg>
cyrozap: first off, all but TDO are inputs
<azonenberg>
so if you can identify TDO
<azonenberg>
it should be safe to spam gibberish into the rest
<rqou>
random guess: tck and trst have the resistors because *mumble* *mumble* signal integrity *mumble* *mumble*
<rqou>
totally a legit EE here :P
<lain>
rqou: trst is a slow line
<rqou>
but something something rise time?
<cyrozap>
(btw that "I KNOW" before was in reference to everyone saying "two resistors is odd" :P )
<cr1901_modern>
And is JTAG really fast enough for the transmission line BS to kick in?
<azonenberg>
So that was for going from the probe to the scope
<azonenberg>
i'm still using RG-316 for that
<azonenberg>
and just taping it down to avoid stress on the probe
<awygle>
ah
m_w has quit [Ping timeout: 260 seconds]
scrts has joined ##openfpga
m_w has joined ##openfpga
scrts has quit [Ping timeout: 255 seconds]
scrts has joined ##openfpga
azonenberg_work has joined ##openfpga
m_w has quit [Quit: leaving]
mifune has joined ##openfpga
scrts has quit [Ping timeout: 248 seconds]
scrts has joined ##openfpga
scrts has quit [Ping timeout: 255 seconds]
scrts has joined ##openfpga
scrts has quit [Ping timeout: 240 seconds]
scrts has joined ##openfpga
digshadow has joined ##openfpga
m_w has joined ##openfpga
<pie_>
whats starshipraider
<qu1j0t3>
use your imagination, gosh!
scrts has quit [Ping timeout: 246 seconds]
<azonenberg>
pie_: "mode of transportation" + "thief" + "future"
<azonenberg>
aka next-gen bus pirate replacement
<pie_>
:C
<pie_>
oh
<azonenberg>
I'm doing a small scale prototype that has less ram and io channels etc
<pie_>
cool
scrts has joined ##openfpga
<pie_>
azonenberg doing too much cool shit
<azonenberg>
Full version will be four io modules (each capable of up to 8 digital IOs, or a bunch of analog and other stuff, depending on what card you load)
<azonenberg>
then 4GB of 64-bit DDR3
<azonenberg>
gigabit and 10gbit ethernet
<azonenberg>
the prototype has 32 MB of 32-bit HyperRAM, 1gbit ethernet, and one io module
<pie_>
other people should be so prolific :P
<rqou>
meanwhile i have a completely different idea how to do the firmware for such a thing, so we'll see what happens with that
<rqou>
my original name was "bus armada" - tries to defeat the bus pirate, but like the spanish armada, actually ends up losing
<pie_>
lol
<azonenberg>
My problem now is that most of my upcoming projects will need the version 3 NoC to be finished
<pie_>
NoC?
<azonenberg>
And i havent had the time or motivation to work on it
<azonenberg>
network on chip
<pie_>
ahhhha....
<azonenberg>
in particular the antikernel v3 NoC
<pie_>
is this that one thing from back when
<azonenberg>
Which changes topology from a quadtree to a grid of stars, and supports variable bus width etc
<azonenberg>
What i may do in the shorter term, as it'd be more useful
<rqou>
meanwhile i don't care about NoCs, so my (does not exist yet) implementation is probably going to be a "traditional" big hairball of a shared bus
<rqou>
:P
<azonenberg>
is take my chipscope-esque LA tool
<azonenberg>
and make a NoC-independent wrapper for it
<azonenberg>
something i can access over raw JTAG
<pie_>
rqou, dumb idea: wyrmholediver
<azonenberg>
For either non-NoC projects or NoC debug
<rqou>
btw on a different topic, i've successfully ripped out musl libc's printf/scanf
<rqou>
it's now not dependent on locale or other stupid global settings
<pie_>
lol
<azonenberg>
incidentally this is one of the nice things about binary file formats
<azonenberg>
as long as you hton*() every multi-byte field you serialize
<azonenberg>
no locale or os/arch issues
<rqou>
<troll>just use json!</troll>
<rqou>
azonenberg: non-ieee754 systems? :P
<azonenberg>
rqou: a) eew
<azonenberg>
b) Do any of those exist these days?
<rqou>
yes, as optimizations
<azonenberg>
i've seen no-float, hard ieee754, and soft ieee754
<azonenberg>
and x87 but that's dying :p
<azonenberg>
i meant using the ieee754 encoding
<rqou>
arm (at least cortex-m) has an option for "no denormals but 1 more mantissa bit"
<azonenberg>
not necessarily strictly compliant to the letter as far as rounding etc goes
<rqou>
cortex-m has an option for a noncompliant half-float
<rqou>
but this is just a storage format
<rqou>
it gets unpacked when you load it
<azonenberg>
honestly the fractional representation i use most in embedded systems these days
<azonenberg>
is fixed point 16.16
<rqou>
but if you ignore silly optimizations and rounding/denormal issues, afaik systems that differ appreciably from ieee754 no longer really exist
<azonenberg>
or 24.8, depending on how much resolution i need
<rqou>
you're obviously not a DSP guy :P
<rqou>
not enough 1.<bits> fixed point
<azonenberg>
lol
<azonenberg>
well i've studied enough numerical computing to prefer fixed point for anything critical
<azonenberg>
b/c it's a lot easier to reason about the behavior
<azonenberg>
most, if not all, operations are commutative and associative
<azonenberg>
The precision is well defined
<azonenberg>
etc
<rqou>
wait, you mean you don't like to do things like 1 / (2^(-1074)) ? :P
<awygle>
fixed point is much easier and often much faster, but i see people screw up what format they're in fairly regularly
<rqou>
get a better type system :P
<awygle>
e.g. doing 16.16 + 24.8
<azonenberg>
awygle: yes that can end badly
<azonenberg>
but normally i use one representation for an entire project
<awygle>
(other people of course... definitely not me... nope...)
<egg|egg>
it's also quite nice to have things that are scale-free, where multiplication is well-behaved etc.
<azonenberg>
egg|egg: yes, exactly
<rqou>
awygle: i mean, just look at how many programmers who _didn't_ take cs61c don't even understand how floating point works at all :P
<azonenberg>
I actually should try and create a verilog fixed point library that takes a parameter to specify the format
<egg|egg>
azonenberg: um
<rqou>
azonenberg: vhdl has one
<awygle>
rqou: true
<egg|egg>
azonenberg: I'm talking about properties of floating point here
<rqou>
in the standard library
<azonenberg>
egg|egg: ? fixed point multiplication is pretty well defined
<rqou>
idk if it's supposed to be synthesizable or not
<egg|egg>
being scale-free, having low errors on multiplication, is a floating point thing
<azonenberg>
multiply then shift off the excess fractional bits
<awygle>
floating point is one of the two things that i've had people ask me really detailed questions about in interviews, and when challenged they admit they don't really understand it or haven't used it in real life
<azonenberg>
and i'm in no way saying fixed has *lower* errors than floating
<pie_>
yeah but we (rqou) all know vhdl is insane
<azonenberg>
I'm saying, it's a lot easier to *reason* about the errors
<rqou>
awygle: if the interviewer also went to berkeley, just say "i passed 61c" :P
<egg|egg>
if you have a well-defined model for the rounding though, you don't have a nice standard
<awygle>
rqou: usually i can get away with just saying the words "exponent" and "mantissa" and they back off :P
<rqou>
and then they come to you with a bug involving denormals :P
<awygle>
rqou: *after* i have the job
<rqou>
sure
<egg|egg>
azonenberg: and yeah, unfortunately dealing with floating point properly gets taught to mathematicians who don't care more than to programmers who go on to misuse it :D
<azonenberg>
egg|egg: lol
<azonenberg>
also do any of you folks know what the legal set of characters in an ext* filesystem label are?
<egg|egg>
azonenberg: I mean, literally, I did my BS and MSc in math, I got mandatory 2 semesters of numerics, and then took some additional stuff on eigenvalue problems of sparse matrices because I needed more courses in applied math for the degree
<azonenberg>
more specifically, what is the charset that e2label can print?
<rqou>
probably arbitrary bytes not including 0x00
<rqou>
traditional unix answer :P
Marex has joined ##openfpga
<azonenberg>
That was my thought, was wondering if anyone knew of a doc that specified for sure
<rqou>
try it and see? :P
<azonenberg>
i guess i could fire up a vm and test...
<awygle>
azonenberg: technically, NULL and '/' aren't allowed
<azonenberg>
awygle: / is not allowed?
<rqou>
in the label?
<rqou>
might be allowed :P
<awygle>
some production systems do (or did) allow it, but it's not supposed to be. let me dig up a reference
<qu1j0t3>
awygle was probably thinking of filenames.
<awygle>
ohohohohoh
<awygle>
yes
<awygle>
my bad
<qu1j0t3>
:)
<awygle>
thanks qu1j0t3
<azonenberg>
also keep in mind, i can hex edit the filesystem if needed
<azonenberg>
i care about what e2label will print
<qu1j0t3>
azonenberg: as in you really want to know the charset encoding?
<qu1j0t3>
azonenberg: or allowed characters?
<qu1j0t3>
seems like you asked for the former
<azonenberg>
qu1j0t3: i'm wondering if it's possible to create an ext* filesystem
<azonenberg>
s.t. when you call e2label on it
<azonenberg>
it prints something like '); foo --
<azonenberg>
or ../etc/passwd
<qu1j0t3>
bobbytablesfs
<azonenberg>
or other things that can mess with auto-mounter apps
<qu1j0t3>
ok, so allowed characters
<azonenberg>
i know there's a 16 char cap but you can probably do a useful attack in that
<rqou>
!"#$%&'()*+,-./ are all allowed
<rqou>
$ /sbin/e2label testtest.img
<rqou>
!"#$%&'()*+,-./
<azonenberg>
Oooh
<rqou>
get rekt :P
<azonenberg>
Ok, dis gon b gud
<azonenberg>
Time to fuzz some automounters :)
<rqou>
also allowed: $ /sbin/e2label testtest.img
<rqou>
:;<=>?[\]^_{|}~
<qu1j0t3>
there are actually NO restrictions at all, afaics
<awygle>
this has me curious - is there an actual spec for ext* filesystems?
<rqou>
so go and XSS some stuff too :P
<qu1j0t3>
the argument to the command is written directly to the superblock...
<azonenberg>
It looks like $CLIENT's app is probably not exploitable this way based on the way they construct some other stuff
<qu1j0t3>
if you can get it into argv, then NUL is ok
<rqou>
hmm yeah
<azonenberg>
but still worth looking at for other stuff
<rqou>
strncpy
<qu1j0t3>
hard to do from shell i suppose.
<qu1j0t3>
rqou: yes.
<rqou>
wait
<azonenberg>
So you have to execve() yourself by hand
<azonenberg>
?
<rqou>
strncpy stops on null
<qu1j0t3>
oh well, right, so no NULs.
<qu1j0t3>
yep.
<azonenberg>
ah
<qu1j0t3>
but everything else is fair game.
<azonenberg>
ok so null is the only disallowed value
<rqou>
so afaics the superblock can contain anything, but e2label might not print it
* azonenberg
wonders
<azonenberg>
yeah the scenario was mounting a doctored FS
<qu1j0t3>
printing is the same, it prints verbatim
<azonenberg>
so you can hexedit illegal chars into it
<qu1j0t3>
it'll print up to NUL
<rqou>
i mean, nothing is illegal, so do whatever you want :P
<qu1j0t3>
azonenberg: i see where you're going :)
<rqou>
here's a fun one though: $ /sbin/e2label testtest.img
<rqou>
💩
<azonenberg>
qu1j0t3: the intended bug was something like
<rqou>
astral planes! (cc: egg|egg)
<azonenberg>
mount /dev/sda1 /mnt/../usr/bin/
<azonenberg>
where the second arg was /mnt/$LABEL
<azonenberg>
But yeah it won't work here
<egg|egg>
rqou: \o/
<rqou>
oh btw azonenberg do you guys have a script yet to auto-flag "mysql uses charset utf8 rather than utf8mb4?" :P
<azonenberg>
It would have been so nice to just stick an arbitrary filesystem over /usr/bin in $CLIENT
<azonenberg>
$CLIENTAPP*
<rqou>
i love utf8mb4 :P
<azonenberg>
and idk, i dont do much database/web stuff
<azonenberg>
the db i see most on the job is sqlite
<rqou>
which iirc doesn't have this problem
<azonenberg>
on boxen that run like busybox and a custom app
<azonenberg>
or something
<rqou>
azonenberg: have you tried mounting a corrupt hfs legacy filesystem with a malformed volume label :P :P
<rqou>
(this was an ios kernel bug a while back)
<rqou>
wait wait
<rqou>
azonenberg: this box can mount filesystems? over usb?
<rqou>
just fuzz the usb stack; basically guaranteed free 0-days there :P
<azonenberg>
rqou: Yes, it seems to support most of the standard linux-supported filesystems
<azonenberg>
at least fat*, ext*, and hfs
<azonenberg>
i didnt look for ntfs
<rqou>
usb stacks are universally pretty "great"
<azonenberg>
the last couple days i've been looking at everything that touches usb
<rqou>
have you at least tried a trivial symlink traversal?
<azonenberg>
there is a lot of code, today's focus was the mass storage
<azonenberg>
Not yet, the actual hardware is pretty locked down
<azonenberg>
i dont even have a shell yet
<rqou>
ah so you can't pull arbitrary files off?
<azonenberg>
i'm doing static analysis to find potential attack points now
<rqou>
"grep -r nodev" :P
<azonenberg>
Static analysis of cleartext firmware b/c the real firmware is encrypted :p
<azonenberg>
So cheating a bit
<rqou>
or did they remember nodev,nosuid?
<azonenberg>
I dont remember seeing nosuid in the mount flags, will double check... that might be an attack point, if i can figure out how to exec something
<azonenberg>
it would only be useful as a privesc
<azonenberg>
i have to get code exec first
<rqou>
how secure is this box? presumably no "press enter now to interrupt boot?"
<azonenberg>
SCADA HMI type application, doesnt even have a keyboard - only a touchscreen running their proprietary UI
<rqou>
ah so it's not a router :P
<azonenberg>
there's a bunch of physical buttons and such then a touchscreen
<azonenberg>
and a usb port that i think is mostly used for factory f/w updates?
<rqou>
i thought this was a consumer router+nas thingy :P
<azonenberg>
Nope, lol
<rqou>
idea: try plugging in a keyboard and using magic sysrq to kill the UI
<rqou>
i wonder if it restarts, drops to a shell, or drops to something useless
<azonenberg>
Good call, i saw distro boilerplate for both X and Wayland and not sure which it's actually running
<rqou>
unfortunately modern distros have turned off a lot of the really "fun" sysrq commands
<azonenberg>
I havent even tried ctrl-alt-Fn yet
<rqou>
lolol
<rqou>
i'll laugh if that works
<azonenberg>
But just jumping to a VT is useless as none of the Linux user accounts have passwords enabled
<azonenberg>
they're all auto login
<azonenberg>
So if i get to a login prompt i'm screwed
<rqou>
hmm, this reminds me of my pet project to use <super sekrit tricks> to fuzz the linux usb stack a bunch
<rqou>
i wonder how many 0-days i can get?
<azonenberg>
lol
<azonenberg>
On topic... i respun the greenpak thermal characterization board
<rqou>
hey, usb was used to pwn the ps3 and the chromecast
<azonenberg>
Should have them by end of month
<azonenberg>
I have the level shifter boards sitting in my garage soldered on one side
<azonenberg>
got distracted and havent finished :p
<balrog>
yeah in this case it was used to pull the firmware out of the wacom tablet MCU
<rqou>
nah, i just want to fuzz the linux desktop usb driver stack
<balrog>
ahh okay
<rqou>
"boring" traditional software stuff
<pie_>
oh god re: filesystems, i used a gui tool to mount an external drive that had its mount point set
<pie_>
....mounted right over root...
<indy>
marex-cloud, ping hi, what happened to git.bfuser.eu typhoon repo?
<pie_>
you can probably do a lot of shenanigans...
<Marex>
indy: vserver was doomed, should be back up
tinyurl_comSLASH has joined ##openfpga
<Marex>
indy: why ?
cr1901 has joined ##openfpga
tinyurl_comSLASH has left ##openfpga [##openfpga]
<indy>
Marex, updating fpga related clones - git remote update said server not available
<Marex>
indy: should be fixed now ... I hope
<indy>
Marex, ok, thanks
<Marex>
indy: np, I'm kinda happy to have my box back too
scrts has quit [Ping timeout: 268 seconds]
scrts has joined ##openfpga
digshadow has quit [Remote host closed the connection]
<rqou>
ugh i haven't done anything useful today
* rqou
goes to acquire noms
scrts has quit [Ping timeout: 255 seconds]
<cr1901>
I successfully relocated myself for petsitting, so there's that
scrts has joined ##openfpga
digshadow has joined ##openfpga
<rqou>
question: of the <foo>printf and <foo>scanf functions, which variants do you actually ever use?
<mtp>
snprintf, sscanf
<rqou>
heh, that's what i figured
<qu1j0t3>
fprintf
<awygle>
printf, snprintf, sprintf if i'm feeling lazy and it's not a "real" project
<rqou>
right, but nobody uses e.g. vdprintf
<awygle>
not me no. but i don't ever deal with text, basically.
<awygle>
sidebar, this is what confused me for a long time about people's Rust complaints. "str and String are confusing!" "ok but like how often do you really deal with strings? what? all the time every day? weird."
<rqou>
now imagine dealing with filenames
<rqou>
linux: all bytes except 0x00 and 0x2f. encoding? that's your problem
<rqou>
windows: 16-bit units. illegal values vary depending on if you use the \\.\ trick or not
<rqou>
macos: utf-8 (iirc?) except with broken NFD applied
<awygle>
boost::filesystem? :P i don't share your anti-dependency views
<rqou>
eww, a) c++ b) boost
<awygle>
yeah i agree with b) actually. tbh anytime i have to touch the filesystem i've usually already jumped up to python.
<rqou>
also, no library can reliably fix the impedance mismatch
<rqou>
consider: i need to write some kind of "project file"
<rqou>
and then this project file needs to move between OSs
<rqou>
afaik the actual answer is "you're screwed"
<balrog>
rqou: they're fixing that in macOS 10.13 / iOS 11
<rqou>
fixing which part?
<balrog>
unicode normalization
<balrog>
also the FS uses utf-16 iirc
<balrog>
err, hfsplus
<rqou>
are they fixing it by removing normalization or by unbreaking their NFD?
<balrog>
"APFS accepts only valid UTF-8 encoded filenames for creation, and preserves both case and normalization of the filename on disk in all variants"
<rqou>
ooh nice
<rqou>
unfortunately that doesn't make hfs+ stop existing
<rqou>
oh and i just remembered that ntfs case insensitivity is borked too
<rqou>
that part of ntfs a) only works on UCS-2 and b) has different casing rules depending on when the partition was formatted
<rqou>
because the "up-case table" is stored on the disk
<rqou>
i wonder how it works for turkish?
<rqou>
or if you just have a totally f*cked up up-case table like a->B