Posts

May 2026 update

This post was written at a time of significant turmoil in my life, when multiple correlated events happened in quick succession. What I wrote in the post below is true, but a lot was left unsaid, as some things were still being investigated.

At the time when I wrote the post, despite resigning from my leadership position, I had hoped to eventually recover from my burnout and resume contributing to Asahi Linux and the Linux community at large at some point in the future.

Preface

I’m a big fan of Prometheus and Grafana. As a former SRE at Google I’ve learned to appreciate good monitoring, and this combination has been a winner for me over the past year. I’m using them for monitoring my personal servers (both black-box and white-box monitoring), for the Euskal Encounter external and internal event infra, for work I do professionally for clients, and more. Prometheus makes it very easy to write custom exporters to monitor your own data, and there’s a good chance you’ll find an exporter that already works for you out of the box. For example, we use sql_exporter to make a pretty dashboard of attendee metrics for the Encounter events.

The Korg Kronos is an interesting beast. Korg’s flagship synth, it’s marketed as a music workstation, but under the hood it’s actually built on a commodity x86 motherboard and some custom I/O hardware. And it runs Linux.

That’s just asking to be hacked, isn’t it? :-)

I’ve owned one of these for a few years, and at one point did some investigation into the software, but got bored and never really did anything interesting with it (to be fair, it’s already complicated enough with the stock software!). Recently, though, I decided to take a look at it again, and I ended up stumbling upon a year-old blog called kronoshacker.

I own a Fujitsu Primergy server (hosted at a secret location ;-) ) that I use for offsite backups and a few misc things (and for which it’s, incidentally, grossly overpowered). It came with a Fujitsu D2607 RAID controller, which is based on the LSI SAS2008 (“Falcon”) chipset. Unfortunately, its firmware is old and only barely supports drives in JBOD mode with some issues (I want to use software RAID 5), and also does not support drives larger than 2TB.

A lot has been written about the Apple vs. FBI saga. However, the truth about exactly what it all means from a technical standpoint is scattered among many sources, amidst quite a bit of misinformation. This post is my attempt to provide, in a question and answer format, what I consider to be the current knowledge of the state of affairs, from the perspective of a security researcher.

Very little of this is my own research. Rather, consider this a collection of information based on publicly available sources, filtered by my knowledge as a security engineer of how secure systems work. It represents the true state of iOS PIN code security to the best of my knowledge, and what is and isn’t possible. I do not guarantee that everything stated here is 100% accurate, but rather, it is my understanding of the status quo.

Yesterday, early morning, I was working on a friend’s Windows PC. The plan was simple: migrate the Windows install from an HDD partition to a smaller SSD by freeing up space, running ntfsresize to shrink the partition down to something that fits on the SSD, and then dd-ing it over. I figured ntfsresize would be pretty safe and well-tested, since it’s used by pretty much every Linux distro installer to resize Windows partitions.

To say that my blog was gathering dust would be a bit of an understatement; the post before this one was written over 2 years ago.

Part of the reason for the lack of updates has undoubtedly been laziness, but part of it was also that I’m not a huge fan of WordPress. Over the past few years I have been using static site generators like Hyde on other sites, and in particular I much prefer to write anything longer than a tweet in a text editor rather than web UI, and commit it to git instead of a database. So, with a rather long article coming up, I finally decided to pull the trigger and rewrite the site using Hugo.

Jeffrey Nelson just let me know about an awesome project that he put together: LaserShark! Instead of using OpenLase with the hacky sound card output, he put together a proper open DAC board based around an LPC1343 Cortex-M3 microcontroller. I haven’t had a chance to see it in action yet, but considering that the systems I’ve seen so far either use proprietary DACs (that tend to suck) or sound card DACs (with all their problems), I think this is easily the best DAC solution for using OpenLase today.

I apologize for taking this long to post this! I’ve been busy non-stop since 27c3 and never got a chance to get around to it. Finally, though, here it is: the description of the Mark 1 laser projector that I use with OpenLase.

But wait, there’s more! If you don’t have the hardware and don’t want to build it, or you want to try out OpenLase, or you want to be able to mess around with it on the go, you can now do that. There’s a new OpenGL-based simulator in the OpenLase tree. It works off of the JACK data (so you still need JACK) and it tries to simulate the dynamics of my laser scanner, including brightness effects and some of the physical limitations of the galvos. Here’s a comparison of the simulator vs. the real thing:

Ah, the world of computers. Thanks to the wonderful world of bits and bytes, we can experiment with any application, file, driver, or even the core operating system. Rip them apart, change things, put them together, and if it doesn’t work, just try again. At worst, you’ll have to wipe your hard drive and start over. If you somehow manage to destroy a computer purely through bad software, that’s considered a design problem and a true feat to pull off. Just think about it: what other profession or hobby lets you experiment as much as you want and make as many mistakes as you want without having to spend a cent if you do something wrong?

As you probably already know, libgpod has included support for Apple’s iOS 2.x hash for a while now. With their new devices, Apple changed the hash again, but for some reason the change only applies to new devices – old devices running iOS 4.x still work. However, if you have a new device (iPad, iPhone 4, or iPod touch 4G), music sync does not work.

If your device is not jailbroken, you’ll have to wait until the new hash is reverse engineered. However, if your device is jailbroken, you’re in luck. As it turns out, the old DBVersion trick once again works to convince those devices to use the previous hash method.

First of all, as I’m sure everyone knows by now, I’ve been working on hacking the Kinect and writing open drivers for it. There’s a website for the community and a Git repo with the code, and it’s working fairly nicely by now.

With that out of the way, here’s a project that I’ve been working on on-and-off for the past year or so. I’ve been interested in laser scanning and DIY laser projectors, but I couldn’t find any good open source software to drive them. Specifically, I was interested in the realtime aspect: rendering and showing dynamically generated images and responding to events, not just making and preprocessing laser shows. So I set out to write my own set of software to do real-time rendering. This was the result:

As most of you will probably already know, I’ve been working on a project recently which aims to run Linux on the PS3 (including the PS3 Slim) using the PSJailbreak exploit, effectively replacing GameOS on the fly. I think it’s gotten to the point where it’s useful enough for other people to be interested, so here’s something resembling an official announcement.

Obligatory demo video:

AsbestOS (a mineral, and meaning “inextinguishable” in Greek) is a bootloader to run PS3 Linux without OtherOS. It runs using the USB GameOS exploit (on PS3 version 3.41) from any compatible device, and any reprogrammable devices currently running the PS3 exploit can be used as long as they have enough free internal or external storage (40kB or so) to hold the loader. It is general enough that it should be useful to boot Linux given any other GameOS exploit in the future. It has been tested to work on the PS3 Slim too.

Linux has a tweakable knob called laptop_mode which is meant as an energy saving tool for laptop users on battery: it basically says “try not to touch the disk for X minutes at a time, unless you really need to, and once you do, do everything that you’ve been piling up all at once”. It’s great for laptop users, and doubly so for things like my huge laptop with two 7200RPM HDDs. Seriously.

Last post was more along the lines of an announcement, so here’s a more concrete guide. There have been new releases of most parts of the software stack in the past few days, so now is the time to grab them if you’re interested. Libgpod is the exception, since it’s still being worked on to get proper support for the iPhone OS 3.x database. That said, if you’re interested in being an early adopter of iPhone sync support and helping us test it, here’s how. If you are a new or inexperienced user, or you are not used to compiling things from source, editing configuration files, and doing some basic troubleshooting, stop here. This isn’t ready for you. In the not too distant future, distros will package this, it will be delivered with your usual dose of healthy and working open source software, and it will all work automagically as soon as you plug in your device. A few notes:

Those who watch my git repos may have noticed that I’ve been working on this for a while now. iPhones and iPod Touches have never been properly supported under Linux (especially non-jailbroken devices) because they are just so different from all the previous iPod models. There was a lot of new code to write and Apple hasn’t exactly made it easy either:

With the new OS version, Apple totally changed up the database format. Now it’s based on a whole bunch of SQLite files and there are also a few files in a format similar to the old proprietary one. There are more than likely still hashes in the critical files, and there’s also a suspicious pair of files that appear to be entirely encrypted. The SQLite format is open and certainly better than the old one, but someone still needs to interface a media player to it.

After a few days of reading very, very weird disassembled code and poking registers, the odd 2D hardware finally works (for the most part). It can draw lines, so I threw in a software 3D transform. Here’s the Stanford Bunny in a glorious 448 vertices and 1416 lines of jaggy wireframe awesomeness.



The chip has hardware line styling (stippling), and you can see 4 different settings (solid, “10″ dashed, “100″ dashed, “1000″ dashed) in sequence. At the higher setting it starts to look more like a point cloud with many more points than it has real vertices.

I’ve joined a bunch of friends in a quest to reverse engineer and write custom software for Sunplus SPMP305x chips. These chips are inside all sorts of chinese media players, particularly the fairly powerful kind with a camera, video playback, etc. The chip is based around an ARM926EJ-S core, but the peripherals around it are completely custom – check out the marketing blurb. Most current work is on reverse engineering the hardware interface so we can completely replace the default firmware.

I’ll eventually write a longer post about how different bits and pieces of this laptop’s hardware fare under Linux. For now, I’ve managed to strike one of the more annoying issues: proper audio. Scroll down if you’re impatient and want the code; read on if you want the full story.

This laptop is peculiar because it has built-in “5.1” audio. Yes, it does really have 6 speakers, though you’d be hard pressed to get much spatial separation out of them (and they aren’t even placed around symmetrically). However, the speakers do end up making a very decent multiway audio system, by laptop standards: the “rear” pair (which is actually between the keyboard and the screen; the mind boggles) is good with the high end, the “front” and center speakers (front edge of the laptop) are your average mediocre speakers that can handle mid-end, and the “Tuba” not-so-“sub” woofer fills in enough low-end to equal a decent overall speaker, although of course with zero stereo/spatial separation since there’s only one of it (actual subwoofers can pull off mono because the human ear can’t really hear spatial position at low frequencies, but the Tuba is more like the only non-sucky speaker in the entire laptop).

If you’ve ever worked with other people on some piece of code or program, particularly over IRC or IM or some other form of real-time or fast text communication, chances are you’ve used one of the many “paste” sites available (my personal favorite is pastie). These sites offer a convenient way of sending small to medium chunks of text to other people quickly, by simply copyng and pasting the text into a web form. This is a lot better than the old way of having to send an e-mail attachment, spam an IRC channel, or upload the text to some web host, but as I used pastie more and more often I started to realize that it could be made even faster.

And I wasn’t even watching protected content.

This is (one of the many reasons) why DRM needs to die.

With newer iPods and the iPhone 2.x firmware, Apple decided to implement a new hash scheme for iTunesDB to prevent third-party apps from managing the iPod database. Stupid. They decided to make it part of the FairPlay codebase, including its obfuscation. Very Stupid. But just in case that weren’t enough, then they went ahead and tried to take down the iPodHash project which was attempting to reverse engineer the (annoyingly obfuscated) algorithm. Completely Stupid.