<rqou> i was reading through the L4T documentation and also found "something"
<rqou> but i have no idea if it really exists or is exploitable or not
<G33KatWork> using RCM you can write into ram. that ram contains two funny things
<G33KatWork> even if the signature isn't correct on the message, you still overwrite these structures
<balrog> fwiw I think at this point with as many people knowing about it as do, continued secrecy is somewhat silly
<G33KatWork> that's a) some debugging code
<G33KatWork> well not code. data for that code
<balrog> I think the fear is that Xecuter will grab it, commercialize it, and sell a warez solution
<balrog> since that's what they do :/
<rqou> i personally just don't care if people make warez solutions
<rqou> people who want to pirate are going to figure out how to pirate
<awygle> rqou: do you have something lined up for after graduating?
<balrog> I think it's more about enabling groups that profit from piracy
<G33KatWork> a magic value, a string table etc. relatively uninteresting from what we can tell
<G33KatWork> and b) some data for another boot path. apparently the tegra can boot from uart
<rqou> yes
<rqou> hmm
<G33KatWork> and you can overwrite some state variables for that boot path
<rqou> wtf
<rqou> that sounds like it might be it
<G33KatWork> but as far as I checked, all that data is initialized after reset
<rqou> hmm nvm then
<G33KatWork> should you be able to control two values there, we have an arbitrary memcpy
<rqou> also, keep in mind that maybe the switch ipatches disable that
<G33KatWork> oh yeah, I totally ignored these patches for now
<balrog> apparently this dump doesn't contain the ipatches
<G33KatWork> looks like it's public now
<G33KatWork> ¯\_(ツ)_/¯
<G33KatWork> no, it doesn't
<rqou> the rom or the sploit?
<rqou> is public?
<G33KatWork> the rom and the symbols from our IDB
<rqou> ok
<rqou> anyways, i was reading the L4T documentation
<rqou> and i'm really suspicious of the "Secure PMC Scratch Register Configurations for BootROM" stuff
<rqou> but i can't tell how much of it actually exists in the bootrom
<rqou> or even how to use it, since the documentation is incomplete
<rqou> there's some mechanism of encoding data for poking the PMIC on reset/warmboot/etc.
<rqou> the documentation claims "Commands can be either MMIO or I2C."
<rqou> the i2c path definitely exists in the bootrom
<rqou> idk about MMIO
<rqou> or whether MMIO is properly boundschecked
<rqou> however, afaict this isn't exploitable in a coldboot path
<implr> rqou: the bootrom pokes at tens of those secure_scratch registers
<rqou> G33KatWork, q3k: want to investigate this lead?
<implr> sometimes it stores totally random shit
<implr> sometimes crypto stuff
<rqou> yeah i know
<q3k> rqou: -ENOTIME, as I mentioned
<rqou> if these mysterious commands can do arbitrary MMIO writes though, you win
<rqou> there is definitely code that does I2C
<q3k> haven't looked at that at all
<rqou> assuming this isn't yet another red herring, it fits the publicly-dropped hints so far
<q3k> but if it's the PMIC doing that, then is it not received in hardware, and you have to be able to send i2c commands to do anything?
<q3k> i don't really get what you mean
<rqou> afaik the bootrom sends i2c commands to the PMIC to configure it
<pie___> warm boot? <G33KatWork> but as far as I checked, all that data is initialized after reset
<pie___> (i mean i have no fuckin clue what im talkin about)
<rqou> but the docs claim that the bootrom can also poke some MMIO
<G33KatWork> warmboot is a completely separate path where it doesn't load code from storage devices
<rqou> this isn't about loading code
<rqou> but "restoring PMIC state"
<G33KatWork> and that uart boot path would treat the uart as a storage device
<G33KatWork> rqou: sorry, I meant pie___
<rqou> this fits the description of "a future OS update can potentially make exploitation much more difficult"
<awygle> does zero day mean anything anymore? anything found in the Tegra at this point is definitionally an N-day, no?
<awygle> (for N>0)
<q3k> awygle: I think the counter starts ticking at public disclosure of vulnerability
<q3k> so vuln + sploit == 0day
<rqou> except reswitched already f*cking disclosed the exploit
<q3k> vuln then sploit = Nday
* awygle grumbles and subsides
<sorear> how is anti-tivoization research not an unalloyed good
<rqou> ^
<rqou> good question
<rqou> ask ktemkin
<rqou> this is actually a huge reason why i feel no ethical problems disclosing secure-boot-related vulns
<rqou> i would be much more careful around e.g. "measured boot" related vulns
<q3k> sorear: because anti-tivoization does not really work with DRM, no?
<sorear> why her
<rqou> because i have much fewer issues with "measured boot"
feuerrot has joined ##openfpga
<q3k> ie I cannot imagine having full code exec on a machine yet code executing there being able to apply DRM measures
<q3k> unless you implement something like SGX...
<rqou> q3k: which afaik you can defeat if you pwn ME
<rqou> q3k: want to help extract the SGX attestation keys?
<q3k> if I had infinite time OR infinite money
<rqou> heh
<q3k> ie find someone who will sponsor this and I can invoice them :)
<rqou> anyways, i strongly oppose secure boot and DRM, so i totally support dropping any 0days related to these
<q3k> well yeah, I don't like the idea of DRM either
<q3k> but game studios do
<rqou> whereas i would be much more hesitant to drop 0days in something like TPMs that help people secure their own data
<rqou> overall though i see a lot of whinging about "responsible disclosure"
<rqou> i guess i really just don't "get" "infosec culture"
<rqou> (not just in the case of the tegra but in general)
<q3k> i don't think there is a culture
<q3k> just do whatever you want as long as you stand for it
<q3k> people will disagree with whatever you do
<cr1901_modern> it's srs bsns?
<q3k> always
<balrog> rqou: does any phone use this sort of tegra?
<balrog> I believe yes since these exploits affect the Ouya
<rqou> ktemkin said a zune?
<q3k> yes, a few obscure ones
<rqou> and the surface rt
<rqou> and the tesla (car) instrument cluster and center console
<rqou> none of these are phones :P
<q3k> fuck tesla
<q3k> they can afford to patch
<rqou> i would just say fuck secure boot in general
<q3k> no, secure boot is cool
<rqou> meh, i disagree
<q3k> just let end users disable it, even if that means losing decryption keys
<rqou> ah, in that case yes
<q3k> ie. let them replace the root of trust with their own and live with the consequences
<rqou> yes
<pie___> fuck lock in, fuck user lock out, proven systems and proof carrying code for everyone
<pie___> kthxbai
<G33KatWork> google does a pretty good job at secure boot with the chromebooks
<q3k> yes
<rqou> yeah that's true
<rqou> i think chromebooks are _almost_ a perfect example
<rqou> except afaik you still can't reflash their coreboot without hax?
<rqou> but overall imo the chromebook policy is good
<G33KatWork> I think you can reflash everything
<G33KatWork> bootguard is not enabled
<rqou> oh nice
<G33KatWork> you might have to replace the SPI flash maybe
<rqou> then imo that's the perfect policy
<G33KatWork> because a region might be permanently write locked. but I'm not sure
<rqou> meh
<G33KatWork> but afaik, they never used bootguard
<rqou> great
<G33KatWork> I'd fact check first though :D
<rqou> i know i did reflash coreboot on a "stumpy" chromebox that i had access to
<rqou> since in general i don't care about attacks that require physical access
<rqou> it just has to be hard enough that you can't be trivially evil-maid-ed
<rqou> the only exception being HSMs/smartcards
<sorear> Yes
Lord_Nightmare has quit [Ping timeout: 264 seconds]
Lord_Nightmare has joined ##openfpga
<rqou> now i want glasses just so i can do this: https://twitter.com/profanegeometry/status/988225092747345925
pie___ has quit [Ping timeout: 264 seconds]
rohitksingh_work has joined ##openfpga
scrts has quit [Ping timeout: 248 seconds]
diadatp has quit [Ping timeout: 240 seconds]
diadatp has joined ##openfpga
scrts has joined ##openfpga
<rqou> (drama) wow, Vice really are total scum: https://twitter.com/monica_vv/status/987734406080102400
<rqou> heh, somebody really did implement the trick of loading an old vulnerable driver and exploiting it in order to bypass the silly windows driver signing enforcement: https://github.com/hfiref0x/TDL/blob/master/README.md
scrts has quit [Ping timeout: 264 seconds]
Bike has quit [Quit: Lost terminal]
<awygle> azonenberg: you keep saying 802.3ad and I keep reading 802.11ad
<azonenberg> yeah i'm talking about channel bonding
<azonenberg> At some point i want to play with PoE
<azonenberg> Then i can get a T-shirt made
<azonenberg> saying "I'm 802.3 AF"
<azonenberg> :D
* azonenberg hides
<awygle> but we're on to at now
<awygle> 802.11ad is way more interesting than lacp
<azonenberg> yeah but that doesnt make jokes quite as silly
<awygle> just saying
<azonenberg> i dont need a lot of bells and whistles in my switching
<awygle> everyone's switch needs 60GHz wifi
<azonenberg> i just want a buttload of bandwidth, reliability, security, and the ability to add stuff if i need it
<azonenberg> i don't plan to have any wifi at all in my new lab, except for the DMZ for $wife/guests
<awygle> if it was possible as an individual to buy a WiGig chipset that would be a good SFP module
<azonenberg> Yes, although i wouldn't personally use it
eduardo_ has joined ##openfpga
<awygle> wires are so 1988
<awygle> ima build a lab with 802.11ad and all wireless power
<azonenberg> lol
* azonenberg is sticking with fibers for as much as he can and using cat5 for the rest
eduardo__ has quit [Ping timeout: 264 seconds]
<awygle> free space optical everything
<awygle> in researching my current troll I found this:
<awygle> which is cool
<sorear> nah, ultrasonics everything
<awygle> obvious idea many people have certainly had before but cool that somebody actually built it and made it work
<awygle> (allegedly)
<sorear> > Wi-Charge products are approved by the US FDA.
<awygle> "certified organic, will not boil your flesh"
<sorear> this is approximately the last agency i would expect to have an opinion on the matter
<sorear> what's next, the USDA? MSHA?
<sorear> maybe FRA, they're cool
<awygle> ADA
<awygle> MRA
<awygle> DSA
<awygle> ill stop
bitd has joined ##openfpga
<eduardo_> rqou: how is the status of the ice40 die imaging?
Lord_Nightmare has quit [Excess Flood]
Lord_Nightmare has joined ##openfpga
scrts has joined ##openfpga
ondrej2 has joined ##openfpga
<shuffle2> chromebooks use flash chips which support configuring write protection based on a value stored in the flash itself, and then that configuration value is locked by a pin of the flash chip
<shuffle2> that's how they're able to write protect a sub region of the flash, while still allowing you to remove the protection - they allow you to remove a screw which would normally be connected to the WP pin
<shuffle2> but you can't own it from software unless you find a bug in the flash itself
<azonenberg> shuffle2: yeah, my ethernet switch is going to do something similar
<azonenberg> the management engine is going to be a CPU that kinda lives off in its own little world
<azonenberg> physically separate ethernet interface, etc
<azonenberg> just has a uart to the fpga
<azonenberg> And the CPU will boot off a WP'd flash chip
<azonenberg> To update the flash, the FPGA will disconnect the CPU from the flash via some kind of mux
<azonenberg> then load the new image
<azonenberg> then reconnect the CPU
<azonenberg> or maybe it'll just hold the CPU in reset? not sure
<azonenberg> in any case, the FPGA will have a separate subsystem for doing firmware updates that's separate from the datapath and the management stuff
<azonenberg> and of course check signatures before it allows anything to be installed
<azonenberg> If you're the actual owner you can jtag whatever you want
<azonenberg> but over the LAN you can only install signed updates
pie_ has joined ##openfpga
eduardo_ has quit [Ping timeout: 276 seconds]
<whitequark> awygle: hell yea PCBs shipped
<whitequark> should get them tomorrow or the next day
<azonenberg> whitequark: glasgow prototypes inbound?
<pie_> y'all fast
<azonenberg> I should probably sleep but got a bit more work done
<azonenberg> May have to increase the height of the board slightly, i'm not sure i can fan out all of the LED signals in the available space without damaging the power/ground planes under the ethernet pairs
<azonenberg> But assuming I have say 380 mm of usable front panel space in a 19" chassis, I can bump this board from 82 up to 90 mm and still have plenty of space
<azonenberg> 90 mm * 3 line cards is 270 mm, which would leave me 100 mm for the brain board and 10mm for gaps between the boards, mounting tolerances, etc
rohitksingh_work has quit [Read error: Connection reset by peer]
<whitequark> azonenberg: yep
<azonenberg> anyway, yeah... it looks like i am basically going to have three 90mm wide line cards and one 100mm wide fpga/soc/optic card
<azonenberg> Which add up to 370mm of width
<azonenberg> also hmm seems i misremembered how big a rackmount case is
<azonenberg> i actually have closer to 410mm of usable space to work with
<azonenberg> Which would let me make the brain board a much more comfortable 130mm wide
pie_ has quit [Ping timeout: 240 seconds]
pie_ has joined ##openfpga
eduardo_ has joined ##openfpga
pie_ has quit [Ping timeout: 260 seconds]
pie_ has joined ##openfpga
rohitksingh_work has joined ##openfpga
pie_ has quit [Ping timeout: 260 seconds]
pie_ has joined ##openfpga
bitd has quit [Ping timeout: 265 seconds]
pie_ has quit [Ping timeout: 248 seconds]
rohitksingh_work has quit [Ping timeout: 256 seconds]
rohitksingh_work has joined ##openfpga
rohitksingh_work has quit [Read error: Connection reset by peer]
pie_ has joined ##openfpga
rohitksingh has joined ##openfpga
Bike has joined ##openfpga
bitd has joined ##openfpga
pie_ has quit [Ping timeout: 260 seconds]
rohitksingh has quit [Quit: Leaving.]
rohitksingh has joined ##openfpga
rohitksingh has quit [Client Quit]
rohitksingh has joined ##openfpga
<whitequark> azonenberg: so let's say I need to reflow Glasgow
<whitequark> right now I don't have a hot air gun or an oven or a hot plate or anything
<whitequark> what would you recommend I get?
indefini has quit [Disconnected by services]
indefini has joined ##openfpga
indefini has quit [Disconnected by services]
M59NAAH1D1 has joined ##openfpga
renze has quit [Remote host closed the connection]
renze has joined ##openfpga
<Ultrasauce> as far as hot air goes, a cheapo 858D clone works just fine
RaivisR has joined ##openfpga
<awygle> Hell yeah PCBs
<Ultrasauce> why is everyone involved in console RE a shitbird
<q3k> am I a shitbird? :(
<Ultrasauce> like everyone, you are subject to my broad generalizations
<awygle> Yeah I've been amazed and appalled while following this from a distance
<shuffle2> i haven't been paying attention to any switch stuff for a while. but, it may amuse you to know the bug embargo was set to end the 25th. something whoever posted that may or may not have known
ym has quit [Ping timeout: 256 seconds]
rohitksingh has quit [Ping timeout: 240 seconds]
rohitksingh has joined ##openfpga
diadatp has quit [Ping timeout: 240 seconds]
dfgg has joined ##openfpga
ym has joined ##openfpga
<whitequark> awygle: do you have an understanding of how to handle i2c error conditions?
<whitequark> what if I get a P or Sr while shifting the address?
pie_ has joined ##openfpga
rohitksingh has quit [Quit: Leaving.]
ym has quit [Ping timeout: 248 seconds]
<rqou> q3k: tested this?
<rqou> also, congrats
<rqou> i swear i fuzzed RCM and got nothing
<balrog> also http://memecpy.com
<jn__> memecpy ( ͡° ͜ʖ ͡°)
<q3k> rqou: yep, works
<rqou> wtf
<rqou> i definitely fuzzed RCM, how did i not get this?
<rqou> so how does persistence work?
<q3k> how did you fuzz it
<q3k> this is not in the RCM layer
<q3k> this is in the USB layer
<rqou> i was fuzzing random control transfers
<shuffle2> it would be hard to notice unless you inspected response data
<q3k> oh, you fuzzed it on the device
<rqou> i got basically no responses to most control transfers
<q3k> I thought you were talking about emulation
<rqou> so how does this become persistent?
<rqou> burning pkc_disable like i suggested?
<q3k> dunno, you apparently can't just burn random fuses willy-nilly
<pie_> what did q3k crack it or something?
<q3k> no no no
<q3k> please
<q3k> I'm too lame for that
<pie_> awh :P
<q3k> rqou: maybe via fuse FAEC if you can burn that, dunno
<q3k> really no time to do any work on this now
<rqou> you can't burn fuses even in bootrom context?
ym has joined ##openfpga
<awygle> whitequark: I think you just let go of sda
rohitksingh has joined ##openfpga
<pie_> #BurninFusesLikeIBurnBridges
user10032 has joined ##openfpga
<awygle> pie_ is now a hit country artist
<awygle> CyberCountry
<pie_> omg
<balrog> rqou: FUSE_PRODUCTION_MODE apparently
futarisIRCcloud has joined ##openfpga
<pie_> there needs to be a cyberpunk novel with that in it. if it doesn't exist we have to make it x'D
<balrog> rqou: did you read the writeup?
diadatp has joined ##openfpga
<awygle> whitequark: oh i misunderstood. i would handle a STOP as an abort (state machine return to IDLE) and a repeated START as a new START (state machine returns to STARTED or whatever you call it). but i don't see anything about that in the spec or anything unfortunately
RaivisR has quit [Quit: Leaving]
<whitequark> that's amazing
<Ultrasauce> I've seen an implementation that dealt with misbehaving slaves by just holding sda low and strobing the clock a bunch
<rqou> q3k: so what was the hint about future updates making this much more difficult to exploit?
<rqou> just a red herring?
<awygle> Ultrasauce: that's exactly what you should do, but whitequark's writing a slave
<awygle> where "a bunch" == 9 times
<balrog> rqou: future updates make shorting the joycon pins mandatory and possibly on each boot
<balrog> (and possibly tethered)
<G33KatWork> rqou: on older fw versions you have kernel code exec. so you can set the PMC scratch register bit to jump into RCM on reset
<G33KatWork> if you can't do that, short the joycon pin and hold volume up on boot
<G33KatWork> but there will be modchips anyway, I guess
<balrog> so who will be the first to unbrick an Ouya (perhaps other than ktemkin) :)
<G33KatWork> they will do all of this for you
<shuffle2> you can also corrupt bct/bldr or disconnect emmc to force rcm
<shuffle2> the fact that BUTTON_HOME is routed (to joycon of all places) was actually found by yellows8 and myself
<rqou> balrog: wait wait, so you can burn fuse_production_mode but you can't burn pkc_disable?!
<balrog> hmm, the doc says it's ODM_PRODUCTION
<balrog> okay, they're the same
<rqou> that fuse is already burned?
<G33KatWork> what about these weird undocumented fuse bits that are security related?
<rqou> that's not how you get an untether?
<G33KatWork> FAEC[2] for example
<G33KatWork> q3k had a theory this makes it a devboard again
<rqou> hmm wat
<rqou> so you think i cannot burn pkc_disable?
<rqou> but i can somehow burn FAEC?
<q3k> that brings you back to ODM mode but not to DEV mode
<q3k> *ODM_OPEN mode
<rqou> isn't a jetson still in ODM_OPEN mode?
<q3k> also dunno about which fuses can be and which cannot be burned, especially after PRODUCTION is burned
<G33KatWork> yeah, maybe it's locked. dunno
<rqou> so what's the untether?
<G33KatWork> build modchip
<rqou> wtf
<rqou> that's not a real untether
<G33KatWork> why not? wiggle pins, launch usb stack smashing, go to sleep
<shuffle2> you need to use another bug at resume
<rqou> so it doesn't involve burning fuses?
Lord_Nightmare has quit [Excess Flood]
<shuffle2> ofc there are a few, but .. :p
Lord_Nightmare has joined ##openfpga
<rqou> does the hardware enforce not burning any more fuses?
<balrog> rqou: do you have the "Jetson Platform Fuse Burning and Secure Boot Documentation and Tools" package?
<rqou> yes of course
<balrog> I guess the question is whether this is hardware or bootrom enforced
<rqou> anyways, this is going to be a huge breakthrough for Tesla hackers
<balrog> the writeup indicates this may be fixed in X2
<G33KatWork> yeah, heard that as well
<G33KatWork> I originally wanted to play around with denver
<G33KatWork> using this bug
<shuffle2> i think it would be cooler tbh
<G33KatWork> because on the TX2 there is the MB1 which is coming from flash
<G33KatWork> that is encrypted and I suspect that this thing sets up the memory carveout and loads the code for the binary translation
<G33KatWork> > This is UNPUBLISHED PROPRIETARY SOURCE CODE of NVIDIA Corp.;
<G33KatWork> gg
<balrog> "DO NOT EDIT - generated by simspec"
<shuffle2> if you know where to look there is copypasta'd bootrom code on github
<G33KatWork> wtf
<G33KatWork> I searched so much
<G33KatWork> for RCM etc.
<pie_> shuffle2, hook a brotha up^
<G33KatWork> had to reverse the host binaries in the end
<shuffle2> github online search is kinda wack
<shuffle2> code *very* similar to this is used in rom
<rqou> wtf
<rqou> anyways, it really does seem to imply the hardware disables fuse programming if secured
<rqou> idk about FAEC though
m_w has quit [Ping timeout: 240 seconds]
Lord_Nightmare has quit [Ping timeout: 248 seconds]
<rqou> alright, now that we have this, is it time for a warezloader or for linux? :P
<shuffle2> linux!
<pie_> linux is a warezloader
<rqou> yeah that would be really cool
<pie_> alternatively, linux is warez
<rqou> wait, so shuffle2: are you willing to state how your untether works?
<awygle> huh, i just realized that kicad draws transparent layers with "overstroke", where if something's drawn twice (intersecting tracks, or even just a corner) it gets darker
<awygle> wonder if that was a choice or just a derp
Lord_Nightmare has joined ##openfpga
<shuffle2> rqou: sorry but i have none (apart from just putting the system to sleep and using a different bug on the resume path)
<shuffle2> it's not something i looked into
<rqou> and this was what was used to make the demo?
m_w has joined ##openfpga
<shuffle2> yes, the rcm bug was used for that
rohitksingh has quit [Quit: Leaving.]
<shuffle2> at the time i made the demo i was unaware of the home button actually existing
<shuffle2> so i've actually entered rcm by disconnecting emmc, exploiting, then smacking emmc in so the demo could patch switchos as it booted (it was all in-memory) :)
<rqou> ah
digshadow has quit [Ping timeout: 256 seconds]
<rqou> i still can't believe i didn't find this after explicitly fuzzing for this
<pie_> fuckin sucks when that happens
<rqou> yup
<rqou> we should all collaborate on the next hax
<rqou> team not-really-open-fpgas
<pie_> #NormalGrammarNeedsParens
<awygle> oh wow whether it does that doublestroke thing or not depends on opengl-vs-cairo
<rqou> lolol
<rqou> look at awygle being actually productive today :P
* awygle is at work which definitely doesn't involve playing with kicad
<pie_> dont ruin it :P
<awygle> compiling!
<sorear> aren't symbiflow and openfpga basically already homebrew sdks
<awygle> better than swordfighting
* pie_ gets out the foam swords
<pie_> damn inb4d
<G33KatWork> I hate replicating hacks of other people because of missing public information. always feels like so much wasted time that could have been spent on cooler stuff
<sorear> symbiflow/icestorm
<rqou> q3k, G33KatWork, others: we really need to do a collaboration on a hax
* pie_ just thought of a totally cool and not cheesy name
<pie_> Master Boot Wreckers
<G33KatWork> need to teach my siglent scope how to receive ADC samples in my own bitstream :3
<G33KatWork> this thing
<q3k> yeah, I'm also going back to siglenthax
<rqou> ah neat
<shuffle2> well like i said, it was going to be public in 2 days anyways
<shuffle2> people just really like sniping me
<awygle> hm i wonder how much of that would transfer to the spectrum analyzer
<rqou> so shuffle2: when i saw you at 34C3 you didn't have this yet?
<shuffle2> you saw me at ccc?
<rqou> yeah i think so?
<awygle> the way that's phrased really puts my back up
<rqou> you said to me at that time that you were "failing to hack the switch"
<rqou> after i asked about your Jetson
<shuffle2> i found it a few days after ccc iirc
<shuffle2> ok, ccc is a blur :)
<rqou> ok, that's what I thought
<rqou> so why the long delay?
<rqou> also, f*ck being stuck in school
<shuffle2> well, there'll be a blog post about it soon
<rqou> but why did you wait until now rather than releasing in January?
<rqou> I'm just curious about your thoughts/motivations
<rqou> since ktemkin has stated that her motivations are about "ethics"
<balrog> > This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.
<rqou> meh, I've already stated my thoughts about that yesterday or so
<rqou> i _want_ locked down devices to get pwned
<balrog> even if it's your phone and the lock down is to protect storage encryption keys?
<balrog> (because this sort of a bug breaks chain of trust, which (unfortunately) we rely on)
<sorear> that's called a "hostage situation"
<Ultrasauce> wait is there an x1-based phone?
<balrog> Ultrasauce: this affects previous tegras as well
<rqou> first of all, I don't really consider phones secure (esp. since i have a Huawei)
<sorear> apple et al are holding your storage encryption keys up as a meat shield for their appstore cash cow
mumptai has joined ##openfpga
<rqou> and second, i believe relying on secure boot like this is wrong
<rqou> like I said, i support the use of measured boot (e.g. TPMs) because that allows people to protect their own data
<rqou> not secure boot that locks people out of their devices
<awygle> ... How about "even if it's your car, and someone can drive you into a center divider, or a bus full of children"?
<implr> 19:31 < awygle> hm i wonder how much of that would transfer to the spectrum analyzer | there's a r&s SA with a zynq, thesignalpath reviewed it recently
<rqou> i acknowledge the reality that that's not the world we currently live in, which is why i support pwning secure boot as much as possible
<implr> waaay more expensive though, so hacking would be.. exciting?
<awygle> implr: i have a siglent SA, is why i asked
<rqou> hoping that enough pwns encourage people to move to measured boot
<awygle> i get your point but find it naive, personally. but my general policy of security bankruptcy and being too poor to own a tesla means i don't have a ton of skin in the game
digshadow has joined ##openfpga
<balrog> rqou: how will that end up working for people who just want a user-friendly secure device out of the box and aren't interested in tinkering with it?
<rqou> balrog: i don't have a great solution to that, but the cop-out is to pop-up a warning screen like how Android currently works
<balrog> rqou: people are conditioned to ignore that shit
<balrog> (warning screens)
digshadow has left ##openfpga [##openfpga]
<rqou> yeah, i know it's a cop-out
<implr> awygle: probably much different
<pie_> they probably don't understand the popups to begin with
<awygle> hm well, i won't be taking mine apart anytime soon, but maybe when it's out of cal anyway
<pie_> ask yourself if your senile dad could use something
<balrog> or if they do, they will treat it as an inconvenience and ignore it
* pie_ has bad experiences with old father and computer lol
<implr> awygle: I reversed most of the software for siglenthax (userspace, G33KatWork did the bootloader and hardware), there *is* support for a few different models, one of which is *not* zynq based
<implr> but that architecture would make little sense for a SA
<awygle> sure
<Ultrasauce> I think the notion that actual malicious actors aren't going to find exploits without other security researchers publicly releasing them is also a cop-out
digshadow has joined ##openfpga
<implr> so if they came out with a zynq-based sa they would probably rewrite half of it anyway
<pie_> Ultrasauce, certainly makes it cheaper tho ;D
<Ultrasauce> and also puts pressure on the vendor to do a better job
<rqou> awygle: maybe "hax encouraging use of measured boot" is naive, but imo giving people control of their devices is still worth it
<awygle> looks like there's a spartan 6 and an AM3352 in the siglent sa that i have
<awygle> rqou: i don't have a problem with hacks (i have an aesthetic problem with "hax"), but i don't think "eh screw it" is a good solution to the admittedly difficult problem of defining "responsible disclosure".
<rqou> i don't care about "responsible disclosure"
<G33KatWork> the zynq was cool because it's so easy to reverse
<awygle> i know you don't, that's my entire point of disagreement
<G33KatWork> dump fsbl, carve out register pokes, fiddle in vivado until they kind of match
<rqou> G33KatWork: extract zynq bootrom when? :P
<G33KatWork> done. linux boots
<G33KatWork> rqou: haha. that's on my list :>
<G33KatWork> PL pinout reversing is a bit more work, but doable in a few evenings with jtag boundary scan and a programmable power supply
<G33KatWork> just wiggle pins every second, probe the shit out of every IC on the board and note what pin is switching every second
<G33KatWork> might involve desoldering ddr3, ethernet phys you can't make shut up because of hard-wired reset etc.
<G33KatWork> but still easy
<G33KatWork> I even put 3.3V into the LVDS lanes of the ADC
<G33KatWork> accidentally
<G33KatWork> the clamping diodes did their work. nothing broke
<G33KatWork> and then I dropped a scope ground lead into one of the rf cages on my 2 channel version. that channel is toast now :(
<pie_> imho the bottom line is that by disclosing, you are putting the information out there at no cost to whoever. i still dont like the idea of *NOT* disclosing
<G33KatWork> the thing survived everything. and then the ground lead finishes the channel -_-
Sellerie has joined ##openfpga
<rqou> G33KatWork: :(
<rqou> pour one out for the dead channel?
<pie_> new cybercountry song right there
<awygle> "i love this bus bar"
<pie_> im sitting in a restaurant and now im making a really idiotic grin.
<pie_> thanks.
m_w has quit [Quit: leaving]
<azonenberg> whitequark: hot air is good for rework but for new assembly, a toaster oven is soooo much better and more flexible
<azonenberg> you can do 2 side reflow with it, unlike a hot plate
<azonenberg> it doesnt blow parts around, unlike hot air
<azonenberg> If you are willing to pay a bit more on the oven, you can get one with a convection fan that provides some air circulation but it's far more gentle than a hot air gun
<azonenberg> I highly recommend doing so
<azonenberg> mine was somewhere around 50-60 USD
<gruetzkopf> i like the deep-fry vapor-phase process far better
<azonenberg> Vapor phase is nice if you have the gear but i dont
<azonenberg> a lot more expensive re consumables
<azonenberg> Convection reflow is the best i have now, i plan to add a nitrogen purge at the new lab
<gruetzkopf> literally 30€ deep-fryer
<gruetzkopf> (externally heated)
<azonenberg> yeah i mean the liquid
<azonenberg> not the fryer
<gruetzkopf> yeah you have to find someone who'll sell you small quantities
<whitequark> oh yeah i actually have the vapor phase liquid already
<azonenberg> that may be a good option then
futarisIRCcloud has quit [Quit: Connection closed for inactivity]
<whitequark> gruetzkopf: got any recommendation for the deep fryer?
<gruetzkopf> i got mine in a group buy when this idea was circulated in a german electronics forum
<gruetzkopf> sorry, i went the "dig around in the attic" route
<gruetzkopf> (and actually added a thermal limiter)
<whitequark> i mean which sort of construction should i look for
<gruetzkopf> get one without coils inside
<gruetzkopf> those need far too much liquid
<whitequark> hmm okay
<gruetzkopf> use "too much" liquid rather than too little, you DO NOT want all of it to go into vapor phase
<whitequark> i have like two liters
<gruetzkopf> and if you're slightly patient and let all of it recondense before removing the lid, you'll waste far less
<gruetzkopf> haha
<awygle> oo interesting, i've never heard of this option before
<awygle> i mean i've heard of vapor-phase processes but not a DIY version
<pie_> vapor phase. wat.
<pie_> sounds deeeeengerous
<pie_> "dont breathe this"
<awygle> iiuc the stuff is like, liquid teflon? it's super inert
<awygle> it is of course hot as hell so don't breath the vapor lol
<pie_> we're talking about soldering right?
<gruetzkopf> i think i have like 60ml in my fryer
<awygle> the solder is not what goes into vapor phase, you use the vapor to heat the board (again, iiuc, i haven't actually done it)
<gruetzkopf> for the german-speakers: https://www.mikrocontroller.net/topic/307715 this thread inspired me
<awygle> gruetzkopf: were there modifications required or do you just pour the stuff in and turn it on?
<gruetzkopf> if the thermal controller doesn't go high enough you get rid of it.
<gruetzkopf> if you're extremely cautious (you DO NOT want overheated PTFEs decomposing anywhere near yourself) you can add a cooling loop around the thing near the middle to force condensation
<pie_> oh
<gruetzkopf> you always keep some liquid at the bottom so it can't overheat
<awygle> right
<awygle> that sounds really easy/convenient
<awygle> $$$ fluid notwithstanding
<whitequark> awygle: correct
<awygle> someone good at chemistry should homebrew up an acceptable fluid replacement
<whitequark> ugh cant wait to get the boards
<whitequark> awygle: don't think you can easily do it
<whitequark> fluorinert is *awesome*
<awygle> it does look cool
<awygle> despite my deep and fundamental ignorance
<pie_> juits got (NANANANANANANANANANANANANANANANANANANA) FLUORINE
<awygle> ... Katamari?
<pie_> *its got
bitd has quit [Remote host closed the connection]
bitd has joined ##openfpga
ym has quit [Remote host closed the connection]
ym has joined ##openfpga
Lord_Nightmare has quit [Ping timeout: 248 seconds]
bitd has quit [Remote host closed the connection]
bitd has joined ##openfpga
Lord_Nightmare has joined ##openfpga
m_w has joined ##openfpga
Lord_Nightmare has quit [Ping timeout: 248 seconds]
Lord_Nightmare has joined ##openfpga
<gruetzkopf> yeah, PFPEs are fun stuff
<gruetzkopf> you could make them, but stuff that's good for soldering has a very uniform boiling point
<pie_> will it decompose into atomic/molecular fluorine and react with atmospheric hydrogen?
<whitequark> no
<whitequark> it decomposes into fluorophosgene in air
<whitequark> that shit makes HF look like water
<pie_> aww
<Bike> whitequark: i saw the ultra low power datasheet on twoot and was excited to see what a femtoamp system could look like until
<pie_> [suspense noises]
<whitequark> lol
<sorear> femtoamps? you touch it once and it runs for a week on the triboelectric charging?
<pie_> lol, charges from contact with air
<Bike> wikipedia's "orders of magnitude: current" goes zepto (one electron) - pico (ion channel) - micro. need more work down there clearly
<Bike> and the smallest micro level one is "minimum current necessary to cause death". cool
<awygle> "femtoamp" analog circuits use air wires >1cm above the PCB
<awygle> i don't think it's a literal thing though
<Bike> the data sheet i'm referring to was a joke, being for a silicon die. i was fooled. japed.
<awygle> i know lol, i saw that too
<whitequark> 3 fA input bias amplifier
<awygle> holy wow
<Bike> now we're cooking with gas
<awygle> 3 fA input bias, 17 MHz GBW, 0.0007% THD, 1.3 mA
pie_ has quit [Ping timeout: 248 seconds]
<Bike> draws less current than a neuron trying to remember what magnitude "femto" is
<whitequark> lol
<awygle> and it's only 2.25$ in quantity
<qu1j0t3> what a time to be alive
<awygle> and 5.25$ on mouser
<qu1j0t3> Bob pease used to talk about femtoampere measurements.
<qu1j0t3> his EDN videos are online
<cr1901_modern> "What's All This Femtoampere Stuff, Anyhow?"
<whitequark> "With precautions such as these, 51/2-digit femtoammeters offer ranges down to 1.00000 pA (resolution of 0.01 fA or 10 attoamps)."
<whitequark> 10 attoamps
<whitequark> what the fuck
<whitequark> awygle: how about LTC6268-10
<whitequark> that has 4 GHz of GBP
<whitequark> that's giga
<awygle> wow
<awygle> on 16.5 mA
<awygle> 1500V per microsecond lol
<cr1901_modern> https://www.youtube.com/watch?v=B4G3YPlO6Wg Oh for fuck's sake
<cr1901_modern> I was just joking
<sorear> resolution of 100 e^-/s
<gruetzkopf> NationalSemi best company
m_w has quit [Quit: Leaving]
<awygle> lol when parasitics are in the "typical application" circuit you know you're having fun
<rqou> huh everybody on birdsite seems to be freaking out at the demo of faking a cell tower with those vga dongles
<gruetzkopf> heh
<gruetzkopf> just recently found a NationalSemiconductor Geode board (complete with NS SuperIO (TM) and NS Ethernet)
<rqou> btw, do we have f/oss code for implementing the tower side of LTE yet?
<awygle> my understanding is we're generally still on 2G but it's been a while since i've paid close attention
<whitequark> I think osmocom has LTE?
diadatp has quit [Ping timeout: 265 seconds]
<whitequark> ah no
<Ultrasauce> "novel sdr platform can spoof gps" is the new "3d printer can make a rifle receiver"
<balrog> yatebts does I think
<rqou> spoofing gps doesn't count until you can steal a Predator :P
<qu1j0t3> steal all of them and fly them into a volcano
<rqou> er, apparently it was a Sentinel drone
<rqou> we have too many gadgets for freedomizing other countries
<rqou> lolol: "On 17 January 2012, an Iranian company said it would send miniature, pink, toy versions of the captured drone to President Obama as a response to the request for sending the drone back."
diadatp has joined ##openfpga
<qu1j0t3> rqou: not to mention "Reaper"
m_w has joined ##openfpga
<balrog> > lmao, the dsi bootcode exploit was just released as well
pie_ has joined ##openfpga
<awygle> somebody yelled "olly olly oxen-free"
<rqou> balrog: link?
<balrog> don't have one yet
<rqou> how the heck does this work?
<balrog> idk
<balrog> someone's gonna have to disassemble it
<rqou> i know people dropped hints about fucky crypto, but idk if those were supposed to be exploitable
<rqou> i assume they turned out to be?
<rqou> oh what the fuck: "The flaw in stage2 is a buffer overflow involving Launcher's TMD file. If you provide a larger than normal TMD file, it will attempt to load the TMD into ram anyways (this occurs before it does the RSA check). This causes it to overwrite some code in arm9 ram causing arm9 to execute the custom payload. The full details are found in the info menus in the installer."
<pie_> The full details are found in the info menus in the installer.
<pie_> wat
<balrog> run it in an emulator and screencap it?
<pie_> > butwhy.jpg <
<rqou> why can't i find these fucking exploits
<rqou> E_TOO_MUCH_SCHOOL
<pie_> youre doing it wrong
<awygle> you're basically finished right?
<pie_> you already have the exploits
<awygle> graduating in May sometime?
<balrog> "Bootstage 2 is loading the launcher's title.tmd file to memory. That's done without any filesize>limit check (it's only checking filesize>filesize).
<balrog> "That is allowing to load about 80KBytes of useful code. And to overwrite a task switching structure. Causing ARM9 to execute the loaded code. Which can then tweak ARM7 to execute custom code by remapping some portions of shared WRAM."
<balrog> "Yup. It's actually that simple. The bigger problem has been to find this exploit within the 400,000 lines of code that bootstages 2 and 3 consist of."
<balrog> rqou: chances there's an ntrboot method in the dsi?
<rqou> maybe, but you can just use a 3ds :P
<balrog> psh
<rqou> azonenberg: work? don't you mean messing with your house?
<azonenberg> work of all kinds :p
<azonenberg> But yes i would love to decap one
<azonenberg> gonna have to try and get time on a laser engraver
<azonenberg> i want to blacktop a dip and laser etch the signetics logo etc into it
<rqou> i have a laser engraver
<azonenberg> rqou: yeah i just mean, actually getting a chip on it
<azonenberg> tweaking settings
<azonenberg> etc
<azonenberg> the "time" is the hard part, not the laser cutter :p
<rqou> oh yeah haven't done much of that
<rqou> when will your friggin house be done?
<azonenberg> Also, blacktopping a pdip in a way that i can laser it and get good results
<rqou> let's have a race: me graduating vs you renovating
<azonenberg> i'm actually considering just seeing if i can use diamond lapping paste to polish off the old markings
<azonenberg> and get a smooth surface i can laser
<azonenberg> Rather than trying to paint over the top
<sorear> *reads datasheet* how do you run 150kV through a BGA without arcing?
<azonenberg> sorear: well if all of the pins are tied to the same potential
<azonenberg> you just have clearance around it to your ground :p
<azonenberg> rqou: re finishing the house, i have NFC how long it will take :p
<azonenberg> I'm taking it one day at a time doing what i can
<sorear> ah, Amtrak qualified
<rqou> > let's have a race: me graduating vs you renovating
<pie_> sorear, fukkin wut
<sorear> pie_: rqou's last link
<pie_> ahaaa
<pie_> ill need to add this to my boards when it becomes available
<rqou> thanks Ellied!
<rqou> (who actually lurks here)
<sorear> oh neat
<pie_> can we crowdfund this
<rqou> yes please
<sorear> revolutionary 0nm process
<rqou> azonenberg: what's the manufacturing process like for "advanced packaging"/WLCSP?
<azonenberg> rqou: i think you just cover the die with kapton, cut openings, electroplate (?) copper over the bond pads, then reflow solder balls onto them
<azonenberg> Depending on the design there may be wiring in the kapton to rearrange bond pads into a grid
<rqou> hmm
<rqou> but that won't work for a blank die
<azonenberg> in those designs it's basically a flex pcb fanning out
<azonenberg> Yes
<azonenberg> I'm not sure how you'd do it on a bare die
<azonenberg> the signetics chip was a dip right?
<rqou> so we do need to do some very basic BEOL
<rqou> can we just sputter a wafer with Al?
<azonenberg> no
<whitequark> why wouldn't it work with a bare die?
<azonenberg> you'd have to do chrome first
<whitequark> just have some traces in kapton
<azonenberg> al wont stick
<rqou> wait what
<rqou> but metal layers stick to the ILD just fine?
<rqou> even back when metal was Al and ILD was SiO2?
<rqou> hmm or just do what whitequark said :P
<rqou> but then the balls aren't actually connected to the substrate like the datasheet claims :P
bitd has quit [Quit: Leaving]
<pie_> you could have physically maintained contact and just have spark gaps :D
<whitequark> lol
<awygle> that just explained the bottom of these chips, so thanks for that
<awygle> "why does this look like a tiny off-blue circuit board?"
<pie_> ???
<azonenberg> rqou: Al normally doesnt stick to Si
<azonenberg> i think even for ILD, you normally have a chrome adhesion promotor layer
<whitequark> chrome?
<whitequark> like actual chromium?
<rqou> our "for class" chips just used evaporated Al
<pie_> this atmosphere can be used as a daily supplement of minerals
<rqou> ooh wait, you have bare Si
<rqou> not SiO2
<pie_> only breathe small amounts of this
<rqou> pie_: wat
<azonenberg> Yes, actual chromium
<azonenberg> rqou: yeah the native oxide isnt thick enough to stick to usefully
<rqou> worked for us
<pie_> i finally switched my desktop theme to a dark theme. it was way overdue. so good.
<pie_> well, kind of bad actually, but still, not searing my eyes.
<pie_> little productivity things
<balrog> > It is actually amazing this wasn’t found by red-teams before it made it into the bootROM— and that less people found it.
<balrog> > I teach a USB-hacking training course, and one of the example scripts I’ve used for a _while_ finds the vulnerability.
user10032 has quit [Quit: Leaving]
<rqou> yeah, i guess i'm not familiar with how people normally implement/mess up USB
<rqou> i was mostly fuzzing wValue/wIndex
<rqou> oh, i see shuffle2/fail0verflow also does the "responsible disclosure" thing
<rqou> i see
<rqou> azonenberg: we should make a hardware thing to fuzz the hell out of usb devices (faster than you can with pyusb :P )
<jn__> why does noone say "coordinated disclosure"? that's such a nice moral-free term
<sorear> good plan, i will ongoin
<rqou> either way i don't believe in responsible/coordinated disclosure
<lain> wait so what is this bootROM thing about
<whitequark> awygle: wanna crunch some i2c today?
<whitequark> i wrote uh the write half i think
<rqou> lain: tegra bootroms have a silly exploit to get arbitrary code execution
<rqou> a whole bunch of people all found it (not me unfortunately)
<lain> rqou: lol
<awygle> whitequark: i can do something yeah
<rqou> but ktemkin/reswitched keeps showing a ton of sanctimony about "ethics" that just really irks me
<rqou> i really really need to be not stuck in school
<rqou> lain: anyways, somebody finally released it today so all the whinging about "ethics" can go away now
<lain> lol
<lain> fun times
<rqou> now we can make actually-fun hax/linux/homebrew/etc.
<lain> I just want mplayer
<balrog> I want bluetooth audio
<rqou> i want Horizon OS on Jetson :P
<balrog> I don't get why Nintendo doesn't care for bluetooth audio
<lain> if my Switch could play videos I wouldn't also need a media pc
<rqou> just for lulz
<lain> balrog: yeah that one is weird.
<balrog> I have AirPods and they work with everything except for Nintendo devices
<balrog> (inb4 "airpods suck" -- I can't stand in-ear, and headphones are bulky)
m_w has quit [Quit: Leaving]
<whitequark> balrog: try bone conduction
<rqou> q3k: i'm pretty sure i saw this when it was originally posted
<Bike> can you like... just buy bone conduction things?
<rqou> q3k: you should join me+azonenberg in our attempts to make yosys do a lot of this
<Bike> Neat
<balrog> q3k: that blog post makes me think of Robert Baruch's polychip https://github.com/RobertBaruch/polychip
<balrog> but that's being used for a different purpose
<rqou> i think polychip should _also_ dump data into yosys
Bike has quit [Ping timeout: 260 seconds]
<rqou> but maybe that's just me (and azonenberg?)
Xark has quit [Ping timeout: 256 seconds]
<balrog> which parts of this would yosys do?
<azonenberg> everything once you have a cell level netlist
Xark has joined ##openfpga
<pie_> give it a lisp shell
<pie_> man i need to stop shitposting and actually make something cool already.
<rqou> pie_: give it a sneklang shell and make azonenberg sad
<pie_> i like sneklang but it doesnt have parenthesis and it doesnt have types, why would i want to do that
<rqou> but it has kitchen sinks
<pie_> import haskell
noobineer has joined ##openfpga
<pie_> man, proof assistants are pretty cool
<whitequark> import kitchen.sink
<awygle> sneklang is good for intense (insane?) metaprogramming
<whitequark> ew
<awygle> when around lisp-fearers
<rqou> i just love to say "in what other ecosystem can you mix a computer algebra system, a gui, a network service, and serial ports all in one environment?"
<whitequark> sneklang's metaprogramming *sucks*
<whitequark> it doesn't even have hygiene
<awygle> well it depends what you mean
<pie_> well there are python lisps
<awygle> but yes, it doesn't have hygiene
<rqou> whitequark: what about sagemath's metaprogramming?
<pie_> or lispy pythons rather
<pie_> but i havent tried them yet
<pie_> i suppose lack of libraries can be frustrating
<pie_> but thats probably because i scheme and not lisp
<awygle> it's really easy to do mixins and terrible things with environments and dynamically generated modules and whatnot
<whitequark> rqou: havent seen sagemath
<rqou> i don't understand how it works
<pie_> then again, i dont do anything because i keep jumping from language to language. now its Coq, which is cool. but inb4 Agda
<rqou> other than "it's broken on my system right now"
<rqou> something about how six interacts with its metaclasses
<pie_> awygle, is that the one with the weird algebra variables
<whitequark> Coq has the stupidest name of all programming languages
<whitequark> if you know how to pronounce it correctly anyway
<pie_> no wait i think im thinking of sympy
<awygle> is it supposed to be "coke" or "cock"
<whitequark> "cock"
<pie_> whitequark, i dont speak french
* whitequark is 13
<awygle> freudian
<whitequark> pie_: well youre programming in cock now
<whitequark> congrats
<pie_> ...well how else would you pronounce it
<pie_> coque?
<pie_> coqueue
<pie_> whitequark, thats the joke ive been making for days but noone laughed :'(
<sorear> coke i think
mumptai has quit [Quit: Verlassend]
<sorear> oh that was mentioned already
<whitequark> "The word coq means "rooster" in French, and stems from a local tradition of naming French research development tools with animal names."
<pie_> it means cock (as in chicken, i dont think the french use that for penis, but i wouldnt know), among various other things apparently, like sounding like the acronym for Calculus of Constructions and stuff
<sorear> is there any truth to thierry coquand naming it after himself
<awygle> i think sneklang is a good fit for "i have a complex GUI and also a console for scripting". aka many CAD/CAM tools.
<pie_> and the dudes friends wifes name or something
<awygle> i think ruby and js are probably _also_ good fits for that but i don't know them
<pie_> if only more principled languages would take off
<pie_> *enough to get MOAR LIBS
<q3k> balrog: I don't think polychip existed back when I was doing this ^^
noobineer has quit [Read error: Connection reset by peer]
<balrog> q3k: yeah it's fairly new
<pie_> then again i guess there really seems to be something about the c++ design space?
<balrog> Robert Baruch was already taking apart chips though :)
<pie_> so, what kind of salsa do you guys use
<awygle> none
<awygle> tomatos == bad
<Ellied> :0 a ping in openfpga
<pie_> otoh, repl in java anyone
<awygle> i would love a good rust repl but *sigh*
<pie_> s/in/
<rqou> o/ Ellied
<pie_> need ~maximum~ interactivity
<rqou> some of us actually want to make your fancy new proposed chip :P
<Ellied> o/ rqou
<Ellied> lol
<pie_> everyone loves a high effort shitpost
<rqou> but WLCSP BEOL is hard
<Ellied> I'd imagine so :P
<pie_> shitpost @ actually making it
<pie_> rqou, you think we could sell them to the chinese
<rqou> the chinese will sell anything :P
<pie_> oh dude
<rqou> idk about them buying it though
<pie_> duuuuude
<pie_> what we gotta do
<pie_> is convince the chinese to make counterfeit versions
<awygle> where's pie_'s car
<Ellied> bah
<pie_> without actually ever making anything ourselves
<pie_> awygle, are you trying to assassinate me with those tegra exploits
<rqou> lolol
<awygle> no i'm just referencing a terrible movie
<pie_> aw, the joke
<pie_> my head
<pie_> whitequark, please dont let the SJWs take my proof assistants from me
<pie_> ok maybe a few more proofs then sleep....
<whitequark> pie_: what
<pie_> well because cock
<pie_> its obviously promoting cis white male dominance in mathematical whatever :P
<jn__> i tabbed in and saw "well because cock"
<jn__> i was confused for a moment
<Ellied> same
<Ellied> except I'm still confused
<awygle> Coq
<pie_> we were talking about how to pronounce the name of the Coq theorem prover
<pie_> *proof assistant
<sorear> whitequark was complaining ten minutes ago that coq is a stupid name, and i agree
<sorear> there are far worse, but still
<jn__> pie_: what *other* way is there to pronounce it?
<balrog> "cock" or "coke"?
<pie_> jn__, i. dont. know.
<balrog> "cock" obviously, based on the logo
<qu1j0t3> sorear: it's not necessarily a stupid name if you're French.
<pie_> well, maybe its not actually hard to come up with variations. english spelling can probably make some fun things
<balrog> ah maybe not -- french :P
<pie_> if ghoti is fish i guess you could call it "Kick"
<jn__> my Google translate -> received german spelling process tells me: kök
<sorear> wasn't he on star trek
<pie_> who, ghoti?
<jn__> that ghoti thing is terrible
<pie_> so uh, you guys were talking about polychip
<pie_> on note of which, anyone know any principled image processing textbooks
Bike has joined ##openfpga
<qu1j0t3> "principled"?
<pie_> i guess thats just my made up thing for "not a collection of miscellaneous things"
<pie_> i.e., has some kind of framework that makes sense?
<pie_> not that ive read any image processing textbooks or have any idea how that could possible be done.
<whitequark> pie_: where the fuck did you find "SJWs"
<whitequark> i think it's stupid because calling your language something that resembles an obscenity in english just means that will be the one thing everyone remembers
<pie_> maybe it was on purpose
* pie_ checks the date
<pie_> wow 1989
<whitequark> no the french are just like that
<balrog> 1984 apparently
<balrog> > It started in 1984 from an implementation of the Calculus of Constructions at INRIA-Rocquencourt by Thierry Coquand and Gérard Huet.
<pie_> ah i just looked at "initial release"
<balrog> there's your likely name origin :)
<pie_> i think they actually have a faq page on it
<pie_> if anyone wants to give it a poke this started at a basic enough level for me https://softwarefoundations.cis.upenn.edu/
<pie_> (all the material is there)
<rqou> i stepped away for a moment and wtf just happened?
<rqou> pie_: please don't use the term "SJW" anymore
<balrog> agreed with rqou on that :<
<whitequark> yeah
<balrog> and whitequark
<rqou> I'll admit that i also used to use the term back in the more-innocent pre-Tr*mp era
<pie_> i was using it ironically if that counts for anything but ok
<awygle> it's just not a funny joke
<awygle> for like, many reasons
<pie_> point taken
<Bike> so wait does "coq" mean penis in french or just a rooster
<whitequark> rooster
<Bike> civilized
<pie_> thats something i specifically mentioned my doubts about earlier :P
<whitequark> lol
<awygle> somehow, when i was younger, i internalized "the french are the one culture it's okay to mock", and i've been trying to get over it ever since
<awygle> keeping quiet during this discussion has been... challenging
<balrog> I believe the name of Coq comes from "Calculus of Constructions"
<pie_> ok fine ill go find that one faq page i cant find
<balrog> I linked one above
<balrog> is there others?
<Bike> INRIA does cool stuff but mainly doesn't seem very fun
<pie_> i dont think that was the one
<whitequark> Bike: why not
<whitequark> i considered working for INRIA
<Bike> they even made a scheme implementation that's not named after a crime or a murderer or anything
<Bike> whitequark: "fun" in the sense of "would name something scatologically"
<whitequark> oh
<awygle> wat
<whitequark> awygle: there's the Stalin Scheme
<whitequark> and I guess crime refers to Racket?
<Bike> racket, gambit, larceny
<awygle> ahhhhh yes
<Bike> i guess guile is halfway there
<whitequark> wait how is gambit a crime
<q3k> #openfpga, more like #openlytalkingaboutcoqs
<q3k> what is even going on here
<balrog> q3k: no idea :|
<Bike> it's adjacent
<awygle> inefficiency
<whitequark> "Petit Larceny" and "Common Larceny"
<whitequark> they really went all the way
<awygle> wait when did we get R7RS
<q3k> whitequark: for a second I saw 'IA64' there
<whitequark> maaaany years ago
<q3k> alas
<q3k> no love for itanium
<whitequark> itanic
<balrog> itanium is dead
<balrog> :/
<azonenberg> q3k: you should have seen lockpickinglawyer's april fools special
<q3k> hackerspace.pl used to be hosted on a gentoo/ia64 box for years
<whitequark> >Development of Larceny has been supported by NSF, Sun Microsystems, and Microsoft.
<balrog> q3k: lol
<q3k> then it got an in-place rebuild to target amd64
<balrog> when was that phased out?
<q3k> good times
<q3k> 5 years ago or so
<balrog> in place rebuild
<balrog> sounds like fun
<q3k> I think two years ago I still found an itanium library somewhere in /usr/local/lib
<pie_> whitequark, haha
<azonenberg> lain and monochroma have a fairly large sgi itanium cluster at their place iirc
<q3k> balrog: but that's not all. three years ago we ran an Itanium CTF challenge
<azonenberg> i forget how many racks
<q3k> balrog: the title of the task was '64-bit intel'
<whitequark> q3k: cruel
<balrog> LOL
<balrog> q3k: one of these days I'm going to get my ppc32 mac mini back up
<balrog> I have at least one working one
<balrog> I was running most of my server stuff on an ARM box for a while
<rqou> fruit imac ftw :P
<balrog> now it's all on a (mostly boring) atom d525 box
<q3k> the thing you were supposed to sploit was a software 3d renderer serving over VNC https://www.youtube.com/watch?v=jEBntO_obVE
<rqou> unfortunately my cf card died
<balrog> aren't CF cards dirt cheap?
<rqou> apparently cf-as-ide-hdd really does flake out
<q3k> nobody solved it :((((
<balrog> were you running swap on it?
<rqou> yeah, i just need to get around to getting another one
<balrog> q3k: :/
<rqou> no swap
<q3k> also
<balrog> was it widely publicized?
<q3k> r2 was very useful when it loaded the ELF
<q3k> 'oh, it's a 64-bit intel elf'
<q3k> 'I KNOW I'LL LOAD IT AS AMD64 :---D'
<rqou> wait azonenberg: lain and monochroma are living together?
<balrog> q3k: is r2 really that stupid?
<q3k> i think they fixed it now
<rqou> PNW FPGA hacker dorm? :P
<q3k> i think that task became a r2 regression test actually
<balrog> LOL
<rqou> lolol
<q3k> balrog: the task was for an on-site CTF in cracow, so not really that publicized
<balrog> q3k: ahhhhh
<balrog> no wonder :D
<q3k> these machines were super useful
<q3k> for another CTF (belluminar/WCTF) every team was supposed to bring 2x tasks for other teams to solve
<q3k> (weird format)
<q3k> and one of the tasks was supposed to be a 'Windows executable'
<q3k> ... guess what windows runs on :P
<rqou> SH4? :P :P :P
<rqou> trololololo
<rqou> you didn't specify what kind of windows :P
<q3k> that's wince, no?
<rqou> yes
<q3k> right, that's the point
* whitequark winces
<q3k> the organizers wanted a windows exe
<q3k> so they got one for itanium ^^
<implr> I think we (me and another guy from hswaw) spent almost a week
<implr> trying to install server2k8 on that box
<awygle> rqou: now go the other way, windows syscalls from cygwin
<rqou> that's much harder
<q3k> yeah, you could only install that windows via a headless installer
<rqou> windows syscall numbers aren't stable
<pie_> rqou, deer god you actually did it
<rqou> did what?
<rqou> ooh wait i'm an idiot
<pie_> well not that its hard
<rqou> awygle: yeah you can do that
<rqou> the trick is to poke around the TEB->PEB and the loaded module list
<rqou> and then you can find kernel32/ntdll and start calling into it
<pie_> ^
<rqou> btw, this (used to at least) works to make an EXE that has zero imports
<awygle> lulz
<awygle> what's going on with midipix
<rqou> idk
<rqou> weird secrecy
<awygle> it feels very cliqueish
<rqou> yeah
<awygle> somebody should dump their bootrom
<rqou> also a weird gplv2 or gplv3
<rqou> awygle: oh i have access
<rqou> i asked them for it a while back
<awygle> leak it on pastebin :p
<awygle> i'm just trolling
<awygle> i haven't even bothered to ask
<awygle> but i'm against the weird secrecy
<pie_> so, there was that shell script for making c calls
<pie_> yes
<rqou> yeah i have no idea what midipix is really doing
<rqou> they seem to be wasting time yak shaving with replacing libtool or doing a whole bunch of "build a distro"-type work
<whitequark> fuck libtool
<rqou> yeah
<rqou> i have no idea what the point of libtool is
<whitequark> it's twofold
<whitequark> first, dependencies between static libraries (but pkgconfig does that already)
<whitequark> second, building shared objects on ancient shit like irix or whatever
<rqou> ah ok
<rqou> either way, i personally would prioritize getting APIs working but apparently the midipix people disagree
<awygle> yeah, because of How Linux Is this should just involve emulating the syscall table, basically
<awygle> i.e. "do the thing the BSDs did a long time ago"
<rqou> they've been working on that too
<awygle> rqou: okay, flip the script - windows syscalls from WSL
<rqou> but apparently a _huge_ amount of complexity lives in weird global/kernel state such as job control and signals
<rqou> so they are somehow making a daemon to store all of that state
<rqou> but also trying to "do it right" so that two independent pieces of software shipped by two noncooperating entities can still have this global state working
<rqou> unlike multiple copies of cygwin somehow stepping over each other
<rqou> apparently they've also been making some weird loader thing to give elf-like semantics
<awygle> isn't this exactly what WSL does?
<rqou> i thought WSL also does a whole lot more
<rqou> e.g. you no longer have access to win32k
<rqou> but you do in midipix
X-Scale has quit [Ping timeout: 256 seconds]
<rqou> if it weren't for the strange licensing and if it were more complete i would advocate for only supporting midipix
<awygle> my understanding is WSL is just missing the bent pipe to do windows syscalls from an elf or linux syscalls from a PE
<rqou> no more weird mysterious bugs caused by windowsisms
<rqou> e.g. the thing whitequark mentioned the other day where "just shove whatever bytes are in my argv into open()" doesn't actually work on windows
<rqou> even though this works fine on most *nix's
<whitequark> "works"
<rqou> yeah it works?
<whitequark> solvespace asserts at startup if LANG doesn't indicate UTF-8
<whitequark> but even that doesn't actually mean that paths *will* be in UTF-8
<rqou> yes
<whitequark> it just makes that somewhat more likely
<rqou> but "just shoving bytes around" should always work?
<whitequark> UTF-8 is not closed under concatenation
<rqou> how so?
<sorear> …? do you mean NFC?
<rqou> also, why does that matter?
<whitequark> er, yes, sorear is correct of course, I mean NFC
<rqou> yes, but that doesn't affect filenames at all
<whitequark> sure it does if you ever try to concatenate them
<rqou> filenames don't care about NFC or utf-8 or anything? they're just bytes? (at least on linux)
<rqou> can you give an example?
<jn__> what is NFC?
<whitequark> let's say you have "A" and "B" which are in NFC but "A"+"B" isn't in NFC
<rqou> yes
<rqou> you can still open that as a filename
<whitequark> if you typed "AB" into a file save dialog then it will be normalized
<pie_> idk but my friend has like 5 different user directories on windows due to applications fucking up character encoding stuff in various ways
<rqou> but that's your file save dialog's problem
<whitequark> if your CLI tool concatenates "A" and "B" but doesn't normalize it won't find that file
<whitequark> no
<rqou> why not?
<whitequark> that's your CLI tool problem
<rqou> the file save dialog should return bytes
<rqou> it shouldn't canonicalize
<whitequark> the de facto standard names on *nix today is NFC, except on MacOS where it's NFD
<rqou> but you don't have to be NFC
<sorear> i think that can't happen if either A or B is ASCII
<rqou> you can have any bytes other than 0x2F and 0x00
<sorear> which means that most cases where a CLI tool smashes names together will work
<whitequark> you do realize most of the world isn't in ASCII right
<rqou> yes
<whitequark> sorear I mean
<sorear> (leaving aside the case where B starts with a floating diacritic)
<whitequark> you do lol
<sorear> whitequark: yes, but "/" is ASCII and that's 95% of what matters for path concatenation
<sorear> the other 5% is stuff like ".doc" which is also ASCII
<sorear> unless MS has decided to internationalize file extensions now?
<rqou> i mean, file extensions aren't anything special in *nix systems
<rqou> you can have any sequence of bytes except 0x00, and 0x2F separates path elements
<rqou> if file save dialogs run NFC, then they are borked for certain filenames
<rqou> e.g. if i purposely constructed a filename with a non-canonical sequence of codepoints
<rqou> and then i want to open this file
<whitequark> if they don't run NFC then behavior is far more surprising
<rqou> why?
<whitequark> e.g. you save a file with a title that has an Ä originally written on macOS
<whitequark> and then you save another that has an Ä you typed yourself
<whitequark> and they are different files
<whitequark> which is dumb
<rqou> but it's not any more dumb than the mysterious behaviors you can get moving between windows and linux
<rqou> or between windows and macos
<whitequark> you can't get this behavior on macos
<whitequark> since it normalizes everything to NFD
<rqou> iirc a while back somebody either here or in a different channel found that ntfs-3g would use wtf-8 but samba would do something different
<rqou> whitequark: yeah, but then that's also how you cause git and mercurial to each get a CVE
<sorear> i'm pretty sure name equivalence is a hard problem and "use NFC everywhere" helps a bit but we shouldn't pretend it's the final solution
<rqou> i think i can get behind "canonicalize by default if creating a new file, but return existing byte sequences if opening an existing file"
<whitequark> um
<whitequark> not canonicalizing results in CVEs too
<rqou> how?
<awygle> whitequark: did you push your i2c stuff to the glasgow repo? or someplace else?
<rqou> the linux rules are explicitly clear
<whitequark> if something else canonicalizes
<rqou> that only 0x00 and 0x2f are special
<sorear> canonicalizing differently from other tools on the same platform is a CVE issue
<whitequark> ^
<sorear> you need to do this consistently
<whitequark> awygle: will push in a bit
<awygle> whitequark: cool, no rush (i'm not even home yet)
<rqou> right, but the typical linux behavior (at least the behavior that i always encounter) is to not canonicalize at all on linux
<rqou> so applying NFC is also different
<sorear> the Apple approach of "our filesystems are always NFKD and case insensitive" is pretty good for the current state of the art, but I still think there's room for improvement
<whitequark> they're not case insensitive anymore
<whitequark> the new Apple FS is case-sensitive
<whitequark> rqou: all Linux GUIs canonicalize text input to NFC
<whitequark> regardless of where you put it
<whitequark> well, maybe tk or something doesn't
<rqou> i've never observed that behavior
<whitequark> Qt and GTK do it since forever
<rqou> does it do this at "inputting data" time or does it end up munging your data afterwards?
<rqou> e.g.
<rqou> if you have a text box and load some non-canonicalized text into it
<rqou> and later ask for the text back
<rqou> will your text be changed?
<whitequark> that's a good question
<whitequark> I don't know the precise answer for it
<rqou> I know i've definitely succeeded in picking files in the file picker that had names that weren't valid utf-8 at all
<sorear> whitequark: if I buy a Mac today and open a terminal, I'll be able to create README and readme in ~/Desktop ?
<whitequark> rqou: no, picking files is fine
<whitequark> it's about input
<whitequark> sorear: I think so yes
<whitequark> with the latest macos
<rqou> hmm, so i'm still not sure exactly what kind of scenario you would end up in where you are concatenating and might want to explicitly canonicalize
<rqou> i can see some very contrived scenarios
<rqou> e.g. if you auto-name files something like ${PROJECT}${SUBPROJECT}
<rqou> and then PROJECT ends with an 'A' and SUBPROJECT starts with a combining accent
<rqou> or something like that
<rqou> but i would say that "that's your own damn fault"
<whitequark> there's no reason that shouldn't work
<rqou> i mean, it works
<rqou> and you'll just end up with a not-NFC filename
<rqou> but those can still be opened and selected and otherwise interacted with