<rqou>
heh, somebody really did implement the trick of loading an old vulnerable driver and exploiting it in order to bypass the silly windows driver signing enforcement: https://github.com/hfiref0x/TDL/blob/master/README.md
scrts has quit [Ping timeout: 264 seconds]
Bike has quit [Quit: Lost terminal]
<awygle>
azonenberg: you keep saying 802.3ad and I keep reading 802.11ad
<azonenberg>
yeah i'm talking about channel bonding
<azonenberg>
At some point i want to play with PoE
<azonenberg>
Then i can get a T-shirt made
<azonenberg>
saying "I'm 802.3 AF"
<azonenberg>
:D
* azonenberg
hides
<awygle>
but we're on to at now
<awygle>
802.11ad is way more interesting than lacp
<azonenberg>
yeah but that doesnt make jokes quite as silly
<awygle>
just saying
<azonenberg>
i dont need a lot of bells and whistles in my switching
<awygle>
everyone's switch needs 60GHz wifi
<azonenberg>
i just want a buttload of bandwidth, reliability, security, and the ability to add stuff if i need it
<azonenberg>
i don't plan to have any wifi at all in my new lab, except for the DMZ for $wife/guests
<awygle>
if it was possible as an individual to buy a WiGig chipset that would be a good SFP module
<azonenberg>
Yes, although i wouldn't personally use it
eduardo_ has joined ##openfpga
<awygle>
wires are so 1988
<awygle>
ima build a lab with 802.11ad and all wireless power
<azonenberg>
lol
* azonenberg
is sticking with fibers for as much as he can and using cat5 for the rest
eduardo__ has quit [Ping timeout: 264 seconds]
<awygle>
free space optical everything
<awygle>
in researching my current troll I found this:
<eduardo_>
rqou: how is the status of the ice40 die imaging?
<shuffle2>
chromebooks use flash chips which support configuring write protection based on a value stored in the flash itself, and then that configuration value is locked by a pin of the flash chip
<shuffle2>
that's how they're able to write protect a sub region of the flash, while still allowing you to remove the protection - they allow you to remove a screw which would normally be connected to the WP pin
<shuffle2>
but you can't own it from software unless you find a bug in the flash itself
<azonenberg>
shuffle2: yeah, my ethernet switch is going to do something similar
<azonenberg>
the management engine is going to be a CPU that kinda lives off in its own little world
<azonenberg>
physically separate ethernet interface, etc
<azonenberg>
just has a uart to the fpga
<azonenberg>
And the CPU will boot off a WP'd flash chip
<azonenberg>
To update the flash, the FPGA will disconnect the CPU from the flash via some kind of mux
<azonenberg>
then load the new image
<azonenberg>
then reconnect the CPU
<azonenberg>
or maybe it'll just hold the CPU in reset? not sure
<azonenberg>
in any case, the FPGA will have a separate subsystem for doing firmware updates that's separate from the datapath and the management stuff
<azonenberg>
and of course check signatures before it allows anything to be installed
<azonenberg>
If you're the actual owner you can jtag whatever you want
<azonenberg>
but over the LAN you can only install signed updates
pie_ has joined ##openfpga
eduardo_ has quit [Ping timeout: 276 seconds]
<whitequark>
awygle: hell yea PCBs shipped
<whitequark>
should get them tomorrow or the next day
<azonenberg>
I should probably sleep but got a bit more work done
<azonenberg>
May have to increase the height of the board slightly, i'm not sure i can fan out all of the LED signals in the available space without damaging the power/ground planes under the ethernet pairs
<azonenberg>
But assuming I have say 380 mm of usable front panel space in a 19" chassis, I can bump this board from 82 up to 90 mm and still have plenty of space
<azonenberg>
90 mm * 3 line cards is 270 mm, which would leave me 100 mm for the brain board and 10mm for gaps between the boards, mounting tolerances, etc
rohitksingh_work has quit [Read error: Connection reset by peer]
<whitequark>
azonenberg: yep
<azonenberg>
anyway, yeah... it looks like i am basically going to have three 90mm wide line cards and one 100mm wide fpga/soc/optic card
<azonenberg>
Which add up to 370mm of width
<azonenberg>
also hmm seems i misremembered how big a rackmount case is
<azonenberg>
i actually have closer to 410mm of usable space to work with
<azonenberg>
Which would let me make the brain board a much more comfortable 130mm wide
<whitequark>
azonenberg: so let's say I need to reflow Glasgow
<whitequark>
right now I don't have a hot air gun or an oven or a hot plate or anything
<whitequark>
what would you recommend I get?
<Ultrasauce>
as far as hot air goes, a cheapo 858D clone works just fine
<awygle>
Yeah I've been amazed and appalled while following this from a distance
<shuffle2>
i haven't been paying attention to any switch stuff for a while. but, it may amuse you to know the bug embargo was set to end the 25th. something whoever posted that may or may not have known
<whitequark>
awygle: do you have an understanding of how to handle i2c error conditions?
<whitequark>
what if I get a P or Sr while shifting the address?
<rqou>
i definitely fuzzed RCM, how did i not get this?
<rqou>
so how does persistence work?
<q3k>
how did you fuzz it
<q3k>
this is not in the RCM layer
<q3k>
this is in the USB layer
<rqou>
i was fuzzing random control transfers
<shuffle2>
it would be hard to notice unless you inspected response data
<q3k>
oh, you fuzzed it on the device
<rqou>
i got basically no responses to most control transfers
<q3k>
I thought you were talking about emulation
<rqou>
so how does this become persistent?
<rqou>
burning pkc_disable like i suggested?
<q3k>
dunno, you apparently can't just burn random fuses willy-nilly
<pie_>
what did q3k crack it or something?
<q3k>
no no no
<q3k>
please
<q3k>
I'm too lame for that
<pie_>
awh :P
<q3k>
rqou: maybe via fuse FAEC if you can burn that, dunno
<q3k>
really no time to do any work on this now
<rqou>
you can't burn fuses even in bootrom context?
ym has joined ##openfpga
<awygle>
whitequark: I think you just let go of sda
rohitksingh has joined ##openfpga
<pie_>
#BurninFusesLikeIBurnBridges
user10032 has joined ##openfpga
<awygle>
pie_ is now a hit country artist
<awygle>
CyberCountry
<pie_>
omg
<balrog>
rqou: FUSE_PRODUCTION_MODE apparently
futarisIRCcloud has joined ##openfpga
<pie_>
there needs to be a cyberpunk novel with that in it. if it doesnt exist we have to make it x'D
<balrog>
rqou: did you read the writeup?
diadatp has joined ##openfpga
<awygle>
whitequark: oh i misunderstood. i would handle a STOP as an abort (state machine return to IDLE) and a repeated START as a new START (state machine returns to STARTED or whatever you call it). but i don't see anything about that in the spec or anything unfortunately
RaivisR has quit [Quit: Leaving]
<whitequark>
that's amazing
<Ultrasauce>
I've seen an implementation that dealt with misbehaving slaves by just holding sda low and strobing the clock a bunch
<rqou>
q3k: so what was the hint about future updates making this much more difficult to exploit?
<rqou>
just a red herring?
<awygle>
Ultrasauce: that's exactly what you should do, but whitequark's writing a slave
<awygle>
where "a bunch" == 9 times
<balrog>
rqou: future updates make shorting the joycon pins mandatory and possibly on each boot
<balrog>
(and possibly tethered)
<G33KatWork>
rqou: on older fw versions you have kernel code exec. so you can set the PMC scratch register bit to jump into RCM on reset
<G33KatWork>
if you can't do that, short the joycon pin and hold volume up on boot
<G33KatWork>
but there will be modchips anyway, I guess
<balrog>
so who will be the first to unbrick an Ouya (perhaps other than ktemkin) :)
<G33KatWork>
they will do all of this for you
<shuffle2>
you can also corrupt bct/bldr or disconnect emmc to force rcm
<shuffle2>
the fact that BUTTON_HOME is routed (to joycon of all places) was actually found by yellows8 and myself
<rqou>
balrog: wait wait, so you can burn fuse_production_mode but you can't burn pkc_disable?!
<balrog>
hmm, the doc says it's ODM_PRODUCTION
<balrog>
okay, they're the same
<rqou>
that fuse is already burned?
<G33KatWork>
what about these weird undocumented fuse bits that are security related?
<rqou>
that's not how you get an untether?
<G33KatWork>
FAEC[2] for example
<G33KatWork>
q3k had theory this makes it a devboard again
<rqou>
hmm wat
<rqou>
so you think i cannot burn pkc_disable?
<rqou>
but i can somehow burn FAEC?
<q3k>
that brings you back to ODM mode but not to DEV mode
<q3k>
*ODM_OPEN mode
<rqou>
isn't a jetson still in ODM_OPEN mode?
<q3k>
also dunno about which fuses can be and which cannot be burned, especially after PRODUCTION is burned
<G33KatWork>
yeah, maybe it's locked. dunno
<rqou>
so what's the untether?
<G33KatWork>
build modchip
<rqou>
wtf
<rqou>
that's not a real untether
<G33KatWork>
why not? wiggle pins, launch usb stack smashing, go to sleep
<shuffle2>
you need to use another bug at resume
<rqou>
so it doesn't involve burning fuses?
Lord_Nightmare has quit [Excess Flood]
<shuffle2>
ofc there are a few, but .. :p
Lord_Nightmare has joined ##openfpga
<rqou>
does the hardware enforce not burning any more fuses?
<balrog>
rqou: do you have the "Jetson Platform Fuse Burning and Secure Boot Documentation and Tools" package?
<rqou>
yes of course
<balrog>
I guess the question is whether this is hardware or bootrom enforced
<rqou>
anyways, this is going to be a huge breakthrough for Tesla hackers
<balrog>
the writeup indicates this may be fixed in X2
Lord_Nightmare has quit [Ping timeout: 248 seconds]
<rqou>
alright, now that we have this, is it time for a warezloader or for linux? :P
<shuffle2>
linux!
<pie_>
linux is a warezloader
<rqou>
yeah that would be really cool
<pie_>
alternatively, linux is warez
<rqou>
wait, so shuffle2: are you willing to state how your untether works?
<awygle>
huh, i just realized that kicad draws transparent layers with "overstroke", where if something's drawn twice (intersecting tracks, or even just a corner) it gets darker
<awygle>
wonder if that was a choice or just a derp
Lord_Nightmare has joined ##openfpga
<shuffle2>
rqou: sorry but i have none (apart from just putting the system to sleep and using a different bug on the resume path)
<shuffle2>
it's not something i looked into
<rqou>
and this was what was used to make the demo?
m_w has joined ##openfpga
<shuffle2>
yes, the rcm bug was used for that
rohitksingh has quit [Quit: Leaving.]
<shuffle2>
at the time i made the demo i was unaware of the home button actually existing
<shuffle2>
so i've actually entered rcm by disconnecting emmc, exploiting, then smacking emmc in so the demo could patch switchos as it booted (it was all in-memory) :)
<rqou>
ah
digshadow has quit [Ping timeout: 256 seconds]
<rqou>
i still can't believe i didn't find this after explicitly fuzzing for this
<pie_>
fuckin sucks when that happens
<rqou>
yup
<rqou>
we should all collaborate on the next hax
<rqou>
team not-really-open-fpgas
<pie_>
#NormalGrammarNeedsParens
<awygle>
oh wow whether it does that doublestroke thing or not depends on opengl-vs-cairos
<rqou>
lolol
<rqou>
look at awygle being actually productive today :P
* awygle
is at work which definitely doesn't involve playing with kicad
<pie_>
dont ruin it :P
<awygle>
compiling!
<sorear>
aren't symbiflow and openfpga basically already homebrew sdks
<awygle>
better than swordfighting
* pie_
gets out the foam swords
<pie_>
damn inb4d
<G33KatWork>
I hate replicating hacks of other people because of missing public information. always feels like so much wasted time that could have been spent on cooler stuff
<sorear>
symbiflow/icestorm
<rqou>
q3k, G33KatWork, others: we really need to do a collaboration on a hax
* pie_
just thought of a totally cool and not cheesy name
<pie_>
Master Boot Wreckers
<G33KatWork>
need to teach my siglent scope how to receive ADC samples in my own bitstream :3
<shuffle2>
well like i said, it was going to be public in 2 days anyways
<shuffle2>
people just really like sniping me
<awygle>
hm i wonder how much of that would transfer to the spectrum analyzer
<rqou>
so shuffle2: when i saw you at 34C3 you didn't have this yet?
<shuffle2>
you saw me at ccc?
<rqou>
yeah i think so?
<awygle>
the way that's phrased really puts my back up
<rqou>
you said to me at that time that you were "failing to hack the switch"
<rqou>
after i asked about your Jetson
<shuffle2>
i found it a few days after ccc iirc
<shuffle2>
ok, ccc is a blur :)
<rqou>
ok, that's what I thought
<rqou>
so why the long delay?
<rqou>
also, f*ck being stuck in school
<shuffle2>
well, there'll be a blog post about it soon
<rqou>
but why did you wait until now rather than releasing in January?
<rqou>
I'm just curious about your thoughts/motivations
<rqou>
since ktemkin has stated that her motivations are about "ethics"
<balrog>
> This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.
<rqou>
meh, I've already stated my thoughts about that yesterday or so
<rqou>
i _want_ locked down devices to get pwned
<balrog>
even if it's your phone and the lock down is to protect storage encryption keys?
<balrog>
(because this sort of a bug breaks chain of trust, which (unfortunately) we rely on)
<sorear>
that's called a "hostage situation"
<Ultrasauce>
wait is there an x1-based phone?
<balrog>
Ultrasauce: this affects previous tegras as well
<rqou>
first of all, I don't really consider phones secure (esp. since i have a Huawei)
<sorear>
apple et al are holding your storage encryption keys up as a meat shield for their appstore cash cow
mumptai has joined ##openfpga
<rqou>
and second, i believe relying on secure boot like this is wrong
<rqou>
like I said, i support the use of measured boot (e.g. TPMs) because that allows people to protect their own data
<rqou>
not secure boot that locks people out of their devices
<awygle>
... How about "even if it's your car, and someone can drive you into a center divider, or a bus full of children"?
<implr>
19:31 < awygle> hm i wonder how much of that would transfer to the spectrum analyzer | there's a r&s SA with a zynq, thesignalpath reviewed it recently
<rqou>
i acknowledge the reality that that's not the world we currently live in, which is why i support pwning secure boot as much as possible
<implr>
waaay more expensive though, so hacking would be.. exciting?
<awygle>
implr: i have a siglent SA, is why i asked
<rqou>
hoping that enough pwns encourage people to move to measured boot
<awygle>
i get your point but find it naive, personally. but my general policy of security bankruptcy and being too poor to own a tesla means i don't have a ton of skin in the game
digshadow has joined ##openfpga
<balrog>
rqou: how will that end up working for people who just want a user-friendly secure device out of the box and aren't interested in tinkering with it?
<rqou>
balrog: i don't have a great solution to that, but the cop-out is to pop-up a warning screen like how Android currently works
<balrog>
rqou: people are conditioned to ignore that shit
<balrog>
(warning screens)
digshadow has left ##openfpga [##openfpga]
<rqou>
yeah, i know it's a cop-out
<implr>
awygle: probably much different
<pie_>
they probably dont understand the popups to begin with
<awygle>
hm well, i won't be taking mine apart anytime soon, but maybe when it's out of cal anyway
<pie_>
ask yourself if your senile dad could use something
<balrog>
or if they do, they will treat it as an inconvenience and ignore it
* pie_
has bad experiences with old father and computer lol
<implr>
awygle: I reversed most of the software for siglenthax (userspace, G33KatWork did the bootloader and hardware), there *is* support for a few different models, one of which is *not* zynq based
<implr>
but that architecture would make little sense for a SA
<awygle>
sure
<Ultrasauce>
I think the notion that actual malicious actors aren't going to find exploits without other security researchers publicly releasing them is also a cop-out
digshadow has joined ##openfpga
<implr>
so if they came out with a zynq-based sa they would probably rewrite half of it anyway
<pie_>
Ultrasauce, certainly makes it cheaper tho ;D
<Ultrasauce>
and also puts pressure on the vendor to do a better job
<rqou>
awygle: maybe "hax encouraging use of measured boot" is naive, but imo giving people control of their devices is still worth it
<awygle>
looks like there's a spartan 6 and an AM3352 in the siglent sa that i have
<awygle>
rqou: i don't have a problem with hacks (i have an aesthetic problem with "hax"), but i don't think "eh screw it" is a good solution to the admittedly difficult problem of defining "responsible disclosure".
<rqou>
i don't care about "responsible disclosure"
<G33KatWork>
the zynq was cool because it's so easy to reverse
<awygle>
i know you don't, that's my entire point of disagreement
<G33KatWork>
dump fsbl, carve out register pokes, fiddle in vivado until they kind of match
<rqou>
G33KatWork: extract zynq bootrom when? :P
<G33KatWork>
done. linux boots
<G33KatWork>
rqou: haha. that's on my list :>
<G33KatWork>
PL pinout reversing is a bit more work, but doable in a few evenings with jtag boundary scan and a programmable power supply
<G33KatWork>
just wiggle pins every second, probe the shit out of every IC on the board and note what pin is switching every second
<G33KatWork>
might involve desoldering ddr3, ethernet phys you can't make shut up because of hard-wired reset etc.
<G33KatWork>
but still easy
<G33KatWork>
I even put 3.3V into the LVDS lanes of the ADC
<G33KatWork>
accidentally
<G33KatWork>
the clamping diodes did their work. nothing broke
<G33KatWork>
and then I dropped a scope ground lead into one of the rf cages on my 2 channel version. that channel is toast now :(
<pie_>
imho the bottom line is that by disclosing, you are putting the information out there at no cost to whoever. i still dont like the idea of *NOT* disclosing
<G33KatWork>
the thing survived everything. and the ground lead finishes the channel -_-
Sellerie has joined ##openfpga
<rqou>
G33KatWork: :(
<rqou>
pour one out for the dead channel?
<pie_>
new cybercountry song right there
<awygle>
"i love this bus bar"
<pie_>
im sitting in a restaurant and now im making a really idiotic grin.
<pie_>
thanks.
m_w has quit [Quit: leaving]
<azonenberg>
whitequark: hot air is good for rework but for new assembly, a toaster oven is soooo much better and more flexible
<azonenberg>
you can do 2 side reflow with it, unlike a hot plate
<azonenberg>
it doesnt blow parts around, unlike hot air
<azonenberg>
If you are willing to pay a bit more on the oven, you can get one with a convection fan that provides some air circulation but it's far more gentle than a hot air gun
<azonenberg>
I highly recommend doing so
<azonenberg>
mine was somewhere around 50-60 USD
<gruetzkopf>
i like the deep-fry vapor-phase process far better
<azonenberg>
Vapor phase is nice if you have the gear but i dont
<azonenberg>
a lot more expensive re consumables
<azonenberg>
Convection reflow is the best i have now, i plan to add a nitrogen purge at the new lab
<gruetzkopf>
literally 30€ deep-fryer
<gruetzkopf>
(externally heated)
<azonenberg>
yeah i mean the liquid
<azonenberg>
not the fryer
<gruetzkopf>
yeah you have to find someone who'll sell you small quantities
<whitequark>
oh yeah i actually have the vapor phase liquid already
<azonenberg>
that may be a good option then
futarisIRCcloud has quit [Quit: Connection closed for inactivity]
<whitequark>
gruetzkopf: got any recommendation for the deep fryer?
<gruetzkopf>
i got mine in a group buy when this idea was circulated in a german electronics forum
<gruetzkopf>
sorry, i went the "dig around in the attic" route
<gruetzkopf>
(and actually added a thermal limiter)
<whitequark>
i mean which sort of construction should i look for
<gruetzkopf>
get one without coils inside
<gruetzkopf>
those need far too much liquid
<whitequark>
hmm okay
<gruetzkopf>
use "too much" liquid rather than too little, you DO NOT want all of it to go into vapor phase
<whitequark>
i have like two liters
<gruetzkopf>
and if you're slightly patient and let all of it recondense before removing the lid, you'll waste far less
<gruetzkopf>
haha
<awygle>
oo interesting, i've never heard of this option before
<awygle>
i mean i've heard of vapor-phase processes but not a DIY version
<pie_>
vapor phase. wat.
<pie_>
sounds deeeeengerous
<pie_>
"dont breathe this"
<awygle>
iiuc the stuff is like, liquid teflon? it's super inert
<awygle>
it is of course hot as hell so don't breathe the vapor lol
<pie_>
we're talking about soldering right?
<gruetzkopf>
i think i have like 60ml in my fryer
<awygle>
the solder is not what goes into vapor phase, you use the vapor to heat the board (again, iiuc, i haven't actually done it)
<awygle>
gruetzkopf: were there modifications required or do you just pour the stuff in and turn it on?
<gruetzkopf>
if the thermal controller doesn't go high enough you get rid of it.
<gruetzkopf>
if you're extremely cautious (you DO NOT want overheated PTFEs decomposing anywhere near yourself) you can add a cooling loop around the thing near the middle to force condensation
<pie_>
oh
<gruetzkopf>
you always keep some liquid at the bottom so it can't overheat
<awygle>
right
<awygle>
that sounds really easy/convenient
<awygle>
$$$ fluid notwithstanding
<whitequark>
awygle: correct
<awygle>
someone good at chemistry should homebrew up an acceptable fluid replacement
<whitequark>
ugh cant wait to get the boards
<whitequark>
awygle: don't think you can easily do it
<whitequark>
fluorinert is *awesome*
<awygle>
it does look cool
<awygle>
despite my deep and fundamental ignorance
<awygle>
lol when parasitics are in the "typical application" circuit you know you're having fun
<rqou>
huh everybody on birdsite seems to be freaking out at the demo of faking a cell tower with those vga dongles
<gruetzkopf>
heh
<gruetzkopf>
just recently found a NationalSemiconductor Geode board (complete with NS SuperIO (TM) and NS Ethernet)
<rqou>
btw, do we have f/oss code for implementing the tower side of LTE yet?
<awygle>
my understanding is we're generally still on 2G but it's been a while since i've paid close attention
<whitequark>
I think osmocom has LTE?
diadatp has quit [Ping timeout: 265 seconds]
<whitequark>
ah no
<Ultrasauce>
"novel sdr platform can spoof gps" is the new "3d printer can make a rifle receiver"
<balrog>
yatebts does I think
<rqou>
spoofing gps doesn't count until you can steal a Predator :P
<qu1j0t3>
steal all of them and fly them into a volcano
<rqou>
er, apparently it was a Sentinel drone
<rqou>
we have too many gadgets for freedomizing other countries
<rqou>
lolol: "On 17 January 2012, an Iranian company said it would send miniature, pink, toy versions of the captured drone to President Obama as a response to the request for sending the drone back."
diadatp has joined ##openfpga
<qu1j0t3>
rqou: not to mention "Reaper"
m_w has joined ##openfpga
<balrog>
> lmao, the dsi bootcode exploit was just released as well
<rqou>
i know people dropped hints about fucky crypto, but idk if those were supposed to be exploitable
<rqou>
i assume they turned out to be?
<rqou>
oh what the fuck: "The flaw in stage2 is a buffer overflow involving Launcher's TMD file. If you provide a larger than normal TMD file, it will attempt to load the TMD into ram anyways (this occurs before it does the RSA check) This causes it to overwrite some code in arm9 ram causing arm9 to execute the custom payload. The full details are found in the info menus in the installer."
<pie_>
The full details are found in the info menus in the installer.
<pie_>
wat
<balrog>
run it in an emulator and screencap it?
<pie_>
> butwhy.jpg <
<rqou>
why can't i find these fucking exploits
<rqou>
E_TOO_MUCH_SCHOOL
<pie_>
youre doing it wrong
<awygle>
you're basically finished right?
<pie_>
you already have the exploits
<awygle>
graduating in May sometime?
<balrog>
"Bootstage 2 is loading the launcher's title.tmd file to memory. That's done without any filesize>limit check (it's only checking filesize>filesize).
<balrog>
"That is allowing to load about 80KBytes of useful code. And to overwrite a task switching structure. Causing ARM9 to execute the loaded code. Which can then tweak ARM7 to execute custom code by remapping some portions of shared WRAM."
<balrog>
"Yup. It's actually that simple. The bigger problem has been to find this exploit within the 400,000 lines of code that bootstages 2 and 3 consist of."
<balrog>
rqou: chances there's an ntrboot method in the dsi?
<pie_>
ill need to add this to my boards when it becomes available
<rqou>
thanks Ellied!
<rqou>
(who actually lurks here)
<sorear>
oh neat
<pie_>
can we crowdfund this
<rqou>
yes please
<sorear>
revolutionary 0nm process
<rqou>
azonenberg: what's the manufacturing process like for "advanced packaging"/WLCSP?
<azonenberg>
rqou: i think you just cover the die with kapton, cut openings, electroplate (?) copper over the bond pads, then reflow solder balls onto them
<azonenberg>
Depending on the design there may be wiring in the kapton to rearrange bond pads into a grid
<rqou>
hmm
<rqou>
but that won't work for a blank die
<azonenberg>
in those designs it's basically a flex pcb fanning out
<azonenberg>
Yes
<azonenberg>
I'm not sure how you'd do it on a bare die
<azonenberg>
the signetics chip was a dip right?
<rqou>
so we do need to do some very basic BEOL
<rqou>
can we just sputter a wafer with Al?
<azonenberg>
no
<whitequark>
why wouldn't it work with a bare die?
<azonenberg>
you'd have to do chrome first
<whitequark>
just have some traces in kapton
<azonenberg>
al wont stick
<rqou>
wait what
<rqou>
but metal layers stick to the ILD just fine?
<rqou>
even back when metal was Al and ILD was SiO2?
<rqou>
hmm or just do what whitequark said :P
<rqou>
but then the balls aren't actually connected to the substrate like the datasheet claims :P
bitd has quit [Quit: Leaving]
<pie_>
you could have physically maintained contact and just have spark gaps :D
<whitequark>
lol
<awygle>
that just explained the bottom of these chips, so thanks for that
<awygle>
"why does this look like a tiny off-blue circuit board?"
<pie_>
???
<azonenberg>
rqou: Al normally doesnt stick to Si
<azonenberg>
i think even for ILD, you normally have a chrome adhesion promotor layer
<whitequark>
chrome?
<whitequark>
like actual chromium?
<rqou>
our "for class" chips just used evaporated Al
<pie_>
this atmosphere can be used as a daily supplement of minerals
<rqou>
ooh wait, you have bare Si
<rqou>
not SiO2
<pie_>
only breathe small amounts of this
<rqou>
pie_: wat
<azonenberg>
Yes, actual chromium
<azonenberg>
rqou: yeah the native oxide isnt thick enough to stick to usefully
<rqou>
worked for us
<pie_>
i finally switched my desktop theme to a dark theme. it was way overdue. so good.
<pie_>
well, kind of bad actually, but still, not searing my eyes.
<balrog>
but that's being used for a different purpose
<rqou>
i think polychip should _also_ dump data into yosys
Bike has quit [Ping timeout: 260 seconds]
<rqou>
but maybe that's just me (and azonenberg?)
Xark has quit [Ping timeout: 256 seconds]
<balrog>
which parts of this would yosys do?
<azonenberg>
everything once you have a cell level netlist
Xark has joined ##openfpga
<pie_>
give it a lisp shell
<pie_>
man i need to stop shitposting and actually make something cool already.
<rqou>
pie_: give it a sneklang shell and make azonenberg sad
<pie_>
i like sneklang but it doesnt have parentheses and it doesnt have types, why would i want to do that
<rqou>
but it has kitchen sinks
<pie_>
import haskell
noobineer has joined ##openfpga
<pie_>
man, proof assistants are pretty cool
<whitequark>
import kitchen.sink
<awygle>
sneklang is good for intense (insane?) metaprogramming
<whitequark>
ew
<awygle>
when around lisp-fearers
<rqou>
i just love to say "in what other ecosystem can you mix a computer algebra system, a gui, a network service, and serial ports all in one environment?"
<whitequark>
sneklang's metaprogramming *sucks*
<whitequark>
it doesn't even have hygiene
<awygle>
well it depends what you mean
<pie_>
well there are python lisps
<awygle>
but yes, it doesn't have hygiene
<rqou>
whitequark: what about sagemath's metaprogramming?
<pie_>
or lispy pythons rather
<pie_>
but i havent tried them yet
<pie_>
i suppose lack of libraries can be frustrating
<pie_>
but thats probably because i scheme and not lisp
<awygle>
it's really easy to do mixins and terrible things with environments and dynamically generated modules and whatnot
<whitequark>
rqou: havent seen sagemath
<rqou>
i don't understand how it works
<pie_>
then again, i dont do anything because i keep jumping from language to language. now its Coq, which is cool. but inb4 Agda
<rqou>
other than "it's broken on my system right now"
<rqou>
something about how six interacts with its metaclasses
<pie_>
awygle, is that the one with the weird algebra variables
<whitequark>
Coq has the stupidest name of all programming languages
<whitequark>
if you know how to pronounce it correctly anyway
<pie_>
no wait i think im thinking of sympy
<awygle>
is it supposed to be "coke" or "cock"
<whitequark>
"cock"
<pie_>
whitequark, i dont speak french
* whitequark
is 13
<awygle>
freudian
<whitequark>
pie_: well youre programming in cock now
<whitequark>
congrats
<pie_>
...well how else would you pronounce it
<pie_>
coque?
<pie_>
coqueue
<pie_>
whitequark, thats the joke ive been making for days but noone laughed :'(
<sorear>
coke i think
mumptai has quit [Quit: Verlassend]
<sorear>
oh that was mentioned already
<whitequark>
"The word coq means "rooster" in French, and stems from a local tradition of naming French research development tools with animal names."
<pie_>
it means cock (as in chicken, i dont think the french use that for penis, but i wouldnt know), among various other things apparently, like sounding like the acronym for Calculus of Constructions and stuff
<sorear>
is there any truth to thierry coquand naming it after himself
<awygle>
i think sneklang is a good fit for "i have a complex GUI and also a console for scripting". aka many CAD/CAM tools.
<pie_>
and the dudes friends wifes name or something
<awygle>
i think ruby and js are probably _also_ good fits for that but i don't know them
<pie_>
if only more principled languages would take off
<pie_>
*enough to get MOAR LIBS
<q3k>
balrog: I don't think polychip existed back when I was doing this ^^
noobineer has quit [Read error: Connection reset by peer]
<balrog>
q3k: yeah it's fairly new
<pie_>
then again i guess there really seems to be something about the c++ design space?
<balrog>
Robert Baruch was already taking apart chips though :)
<pie_>
so, what kind of salsa do you guys use
<awygle>
none
<awygle>
tomatoes == bad
<Ellied>
:0 a ping in openfpga
<pie_>
otoh, repl in java anyone
<awygle>
i would love a good rust repl but *sigh*
<pie_>
s/in/
<rqou>
o/ Ellied
<pie_>
need ~maximum~ interactivity
<rqou>
some of us actually want to make your fancy new proposed chip :P
<Ellied>
o/ rqou
<Ellied>
lol
<pie_>
everyone loves a high effort shitpost
<rqou>
but WLCSP BEOL is hard
<Ellied>
I'd imagine so :P
<pie_>
shitpost @ actually making it
<pie_>
rqou, you think we could sell them to the chinese
<rqou>
the chinese will sell anything :P
<pie_>
oh dude
<rqou>
idk about them buying it though
<pie_>
duuuuude
<pie_>
what we gotta do
<pie_>
is convince the chinese to make counterfeit versions
<awygle>
where's pie_'s car
<Ellied>
bah
<pie_>
without actually ever making anything ourselves
<pie_>
awygle, are you trying to assassinate me with those tegra exploits
<rqou>
lolol
<awygle>
no i'm just referencing a terrible movie
<pie_>
aw, the joke
<pie_>
my head
<pie_>
whitequark, please dont let the SJWs take my proof assistants from me
<pie_>
ok maybe a few more proofs then sleep....
<whitequark>
pie_: what
<pie_>
well because cock
<pie_>
its obviously promoting cis white male dominance in mathematical whatever :P
<jn__>
i tabbed in and saw "well because cock"
<jn__>
i was confused for a moment
<Ellied>
same
<Ellied>
except I'm still confused
<awygle>
Coq
<pie_>
we were talking about how to pronounce the name of the Coq theorem prover
<pie_>
*proof assistant
<sorear>
whitequark was complaining ten minutes ago that coq is a stupid name, and i agree
<sorear>
there are far worse, but still
<jn__>
pie_: what *other* way is there to pronounce it?
<balrog>
"cock" or "coke"?
<pie_>
jn__, i. dont. know.
<balrog>
"cock" obviously, based on the logo
<qu1j0t3>
sorear: it's not necessarily a stupid name if you're French.
<pie_>
well, maybe it's not actually hard to come up with variations. english spelling can probably make some fun things
<pie_>
so uh, you guys were talking about polychip
<pie_>
on note of which, anyone know any principled image processing textbooks
Bike has joined ##openfpga
<qu1j0t3>
"principled"?
<pie_>
i guess thats just my made up thing for "not a collection of miscellaneous things"
<pie_>
i.e., has some kind of framework that makes sense?
<pie_>
not that i've read any image processing textbooks or have any idea how that could possibly be done.
<whitequark>
pie_: where the fuck did you find "SJWs"
<whitequark>
i think it's stupid because calling your language something that resembles an obscenity in english just means that will be the one thing everyone remembers
<pie_>
maybe it was on purpose
* pie_
checks the date
<pie_>
wow 1989
<whitequark>
no the french are just like that
<balrog>
1984 apparently
<balrog>
> It started in 1984 from an implementation of the Calculus of Constructions at INRIA-Rocquencourt by Thierry Coquand and Gérard Huet.
<pie_>
ah i just looked at "initial release"
<balrog>
there's your likely name origin :)
<pie_>
i think they actually have a faq page on it
<rqou>
i stepped away for a moment and wtf just happened?
<rqou>
pie_: please don't use the term "SJW" anymore
<balrog>
agreed with rqou on that :<
<whitequark>
yeah
<balrog>
and whitequark
<rqou>
I'll admit that i also used to use the term back in the more-innocent pre-Tr*mp era
<pie_>
i was using it ironically if that counts for anything but ok
<awygle>
it's just not a funny joke
<awygle>
for like, many reasons
<pie_>
point taken
<Bike>
so wait does "coq" mean penis in french or just a rooster
<whitequark>
rooster
<Bike>
civilized
<pie_>
that's something i specifically mentioned my doubts about earlier :P
<whitequark>
lol
<awygle>
somehow, when i was younger, i internalized "the french are the one culture it's okay to mock", and i've been trying to get over it ever since
<awygle>
keeping quiet during this discussion has been... challenging
<balrog>
I believe the name of Coq comes from "Calculus of Constructions"
<pie_>
ok fine ill go find that one faq page i cant find
<balrog>
I linked one above
<balrog>
is there others?
<Bike>
INRIA does cool stuff but mainly doesn't seem very fun
<pie_>
i don't think that was the one
<whitequark>
Bike: why not
<whitequark>
i considered working for INRIA
<Bike>
they even made a scheme implementation that's not named after a crime or a murderer or anything
<Bike>
whitequark: "fun" in the sense of "would name something scatologically"
<rqou>
yeah i have no idea what midipix is really doing
<rqou>
they seem to be wasting time yak shaving with replacing libtool or doing a whole bunch of "build a distro"-type work
<whitequark>
fuck libtool
<rqou>
yeah
<rqou>
i have no idea what the point of libtool is
<whitequark>
it's twofold
<whitequark>
first, dependencies between static libraries (but pkgconfig does that already)
<whitequark>
second, building shared objects on ancient shit like irix or whatever
<rqou>
ah ok
<rqou>
either way, i personally would prioritize getting APIs working but apparently the midipix people disagree
<awygle>
yeah, because of How Linux Is this should just involve emulating the syscall table, basically
<awygle>
i.e. "do the thing the BSDs did a long time ago"
<rqou>
they've been working on that too
<awygle>
rqou: okay, flip the script - windows syscalls from WSL
<rqou>
but apparently a _huge_ amount of complexity lives in weird global/kernel state such as job control and signals
<rqou>
so they are somehow making a daemon to store all of that state
<rqou>
but also trying to "do it right" so that two independent pieces of software shipped by two noncooperating entities can still have this global state working
<rqou>
unlike multiple copies of cygwin somehow stepping over each other
<rqou>
apparently they've also been making some weird loader thing to give elf-like semantics
<awygle>
isn't this exactly what WSL does?
<rqou>
i thought WSL also does a whole lot more
<rqou>
e.g. you no longer have access to win32k
<rqou>
but you do in midipix
X-Scale has quit [Ping timeout: 256 seconds]
<rqou>
if it weren't for the strange licensing and if it were more complete i would advocate for only supporting midipix
<awygle>
my understanding is WSL is just missing the bent pipe to do windows syscalls from an elf or linux syscalls from a PE
<rqou>
no more weird mysterious bugs caused by windowsisms
<rqou>
e.g. the thing whitequark mentioned the other day where "just shove whatever bytes are in my argv into open()" doesn't actually work on windows
<rqou>
even though this works fine on most *nix's
<whitequark>
"works"
<rqou>
yeah it works?
<whitequark>
solvespace asserts at startup if LANG doesn't indicate UTF-8
<whitequark>
but even that doesn't actually mean that paths *will* be in UTF-8
<rqou>
yes
<whitequark>
it just makes that somewhat more likely
<rqou>
but "just shoving bytes around" should always work?
<whitequark>
UTF-8 is not closed under concatenation
<rqou>
how so?
<sorear>
…? do you mean NFC?
<rqou>
also, why does that matter?
<whitequark>
er, yes, sorear is correct of course, I mean NFC
<rqou>
yes, but that doesn't affect filenames at all
<whitequark>
sure it does if you ever try to concatenate them
<rqou>
filenames don't care about NFC or utf-8 or anything? they're just bytes? (at least on linux)
<rqou>
can you give an example?
<jn__>
what is NFC?
<whitequark>
let's say you have "A" and "B" which are in NFC but "A"+"B" isn't in NFC
<rqou>
yes
<rqou>
you can still open that as a filename
<whitequark>
if you typed "AB" into a file save dialog then it will be normalized
<pie_>
idk but my friend has like 5 different user directories on windows due to applications fucking up character encoding stuff in various ways
<rqou>
but that's your file save dialog's problem
<whitequark>
if your CLI tool concatenates "A" and "B" but doesn't normalize it won't find that file
<whitequark>
no
<rqou>
why not?
<whitequark>
that's your CLI tool problem
<rqou>
the file save dialog should return bytes
<rqou>
it shouldn't canonicalize
<whitequark>
the de facto standard names on *nix today is NFC, except on MacOS where it's NFD
<rqou>
but you don't have to be NFC
<sorear>
i think that can't happen if either A or B is ASCII
<rqou>
you can have any bytes other than 0x2F and 0x00
<sorear>
which means that most cases where a CLI tool smashes names together will work
<whitequark>
you do realize most of the world isn't in ASCII right
<rqou>
yes
<whitequark>
sorear I mean
<sorear>
(leaving aside the case where B starts with a floating diacritic)
<whitequark>
you do lol
<sorear>
whitequark: yes, but "/" is ASCII and that's 95% of what matters for path concatenation
<sorear>
the other 5% is stuff like ".doc" which is also ASCII
<sorear>
unless MS has decided to internationalize file extensions now?
<rqou>
i mean, file extensions aren't anything special in *nix systems
<rqou>
you can have any sequence of bytes except 0x00, and 0x2F separates path elements
<rqou>
if file save dialogs run NFC, then they are borked for certain filenames
<rqou>
e.g. if i purposely constructed a filename with a non-canonical sequence of codepoints
<rqou>
and then i want to open this file
<whitequark>
if they don't run NFC then behavior is far more surprising
<rqou>
why?
<whitequark>
e.g. you save a file with a title that has an Ä originally written on macOS
<whitequark>
and then you save another that has an Ä you typed yourself
<whitequark>
and they are different files
<whitequark>
which is dumb
<rqou>
but it's not any more dumb than the mysterious behaviors you can get moving between windows and linux
<rqou>
or between windows and macos
<whitequark>
you can't get this behavior on macos
<whitequark>
since it normalizes everything to NFD
<rqou>
iirc a while back somebody either here or in a different channel found that ntfs-3g would use wtf-8 but samba would do something different
<rqou>
whitequark: yeah, but then that's also how you cause git and mercurial to each get a CVE
<sorear>
i'm pretty sure name equivalence is a hard problem and "use NFC everywhere" helps a bit but we shouldn't pretend it's the final solution
<rqou>
i think i can get behind "canonicalize by default if creating a new file, but return existing byte sequences if opening an existing file"
<whitequark>
um
<whitequark>
not canonicalizing results in CVEs too
<rqou>
how?
<awygle>
whitequark: did you push your i2c stuff to the glasgow repo? or someplace else?
<rqou>
the linux rules are explicitly clear
<whitequark>
if something else canonicalizes
<rqou>
that only 0x00 and 0x2f are special
<sorear>
canonicalizing differently from other tools on the same platform is a CVE issue
<whitequark>
^
<sorear>
you need to do this consistently
<whitequark>
awygle: will push in a bit
<awygle>
whitequark: cool, no rush (i'm not even home yet)
<rqou>
right, but the typical linux behavior (at least the behavior that i always encounter) is to not canonicalize at all on linux
<rqou>
so applying NFC is also different
<sorear>
the Apple approach of "our filesystems are always NFKD and case insensitive" is pretty good for the current state of the art, but I still think there's room for improvement
<whitequark>
they're not case insensitive anymore
<whitequark>
the new Apple FS is case-sensitive
<whitequark>
rqou: all Linux GUIs canonicalize text input to NFC
<whitequark>
regardless of where you put it
<whitequark>
well, maybe tk or something doesn't
<rqou>
i've never observed that behavior
<whitequark>
Qt and GTK do it since forever
<rqou>
does it do this at "inputting data" time or does it end up munging your data afterwards?
<rqou>
e.g.
<rqou>
if you have a text box and load some non-canonicalized text into it
<rqou>
and later ask for the text back
<rqou>
will your text be changed?
<whitequark>
that's a good question
<whitequark>
I don't know the precise answer for it
<rqou>
I know i've definitely succeeded in picking files in the file picker that had names that weren't valid utf-8 at all
<sorear>
whitequark: if I buy a Mac today and open a terminal, I'll be able to create README and readme in ~/Desktop ?
<whitequark>
rqou: no, picking files is fine
<whitequark>
it's about input
<whitequark>
sorear: I think so yes
<whitequark>
with the latest macos
<rqou>
hmm, so i'm still not sure exactly what kind of scenario you would end up in where you are concatenating and might want to explicitly canonicalize
<rqou>
i can see some very contrived scenarios
<rqou>
e.g. if you auto-name files something like ${PROJECT}${SUBPROJECT}
<rqou>
and then PROJECT ends with an 'A' and SUBPROJECT starts with a combining accent
<rqou>
or something like that
<rqou>
but i would say that "that's your own damn fault"
<whitequark>
there's no reason that shouldn't work
<rqou>
i mean, it works
<rqou>
and you'll just end up with a not-NFC filename
<rqou>
but those can still be opened and selected and otherwise interacted with