
Rairii

@Rairii@haqueers.com

Reversing (malware and otherwise); appsec and websec; embedded security; exploit dev; software preservationist; knows how not to use cryptography.

Currently finding bugs in Windows bootloaders.

You may also know me from capcom.sys.

#nobot


Rairii, to random

due to the admin of this server being out of contact for a few months, and the various mastodon security issues, i'm about to move servers.

see you on the akkoma side :)

Rairii, to random

i just found by a google search some old internal apple documentation about the OF ROM of the blue&white powermac G3

...it defines "MacOS-X" as: UNIX-based MacOS; think of it as "Mac OS NT".

it also mentions putting the macio MMIO physical address at 0x80800000 "to boot NT just in case" haha

it also mentions that OF's little endian mode "actually works in OF"

looking at the disassembly of the B&W's init code i have, it actually should work!

basically, when little-endian is set, after setting MSR[LE] it will set bit 5 (LE_MODE bit, turns on little endian) to PICR1, by using CONFIG_ADDR/CONFIG_DATA writes, and only uses every second instruction to do that (with each other instruction being a nop mainly) because of how MSR_LE works

in fact it seems the bootrom of every ppc mac after this has the exact same code, even those that use a different memory controller, no WONDER little-endian? is notorious for bricking lol

Rairii, to random

decided to throw securebootai.dll (from latest germanium build) into IDA, was not disappointed

there's a list of systems where db/dbx updates aren't attempted, that being:

  • any (amd64) apple system (those with secure boot just hardcodes db/dbx, without the ability to update it, right?)
  • fujitsu FJNBB38
  • a big list of HP systems: 83D5, 83DA, 83DD, 83E7, 83E8, 83E9, 8401, 8460, 8461, 8462, 8463, 8464, 8584, 8589, 8617, 8618, 8619, 8620, 869B, 86A3, 86A5, 86A8, 870B, 870C, 870F, 8710, 8711, 8712, 8713, 8714, 8715, 8717, 8718, 8719, 871A, 871B, 871C, 8723, 8724, 8725, 872B, 872C, 872D, 872E, 8736, 874D, 874E, 874F, 8750, 8751, 8752, 8753, 8754, 8755, 8760, 876D, 8779, 877D, 8780, 8783, 87EC, 880F, 8810, 882C, 882D, 8830, 8835, 8836, 885C, 887E
  • and any HP system where its custom protection against performing db/dbx updates is enabled

also:

the file doesn't exist right now, but there's code (behind a registry(?) flag) to apply "dbxupdate2024.bin", and debug strings imply that would revoke the PCA 2011 cert entirely! (GetSecureBootUpdateFilePathPCA2011RevokeDBX)

i expected that to be done, but only on new systems, fun (given that it's behind a flag it may well happen only on new systems)

Rairii, to random

ok, this is going to be interesting

i obviously need to be able to map physmem at 0x80000000

but OF puts keylargo and the usb controllers there

Rairii, to random

current status: so the open firmware framebuffer is set to use a colour lookup table

I'M GOING TO NEED TO KNOW WHERE THAT TABLE IS IN MEMORY

Rairii, to random

if the flipper zero is so good where's the flipper one

Rairii, to random

current status: used all my remaining blank CDs on powerpc mac related things, everything classic mac or osx i've burned so far (and that includes the one already installed on the 20GB hd, which is ja-jp 9.2.2) reconfigures the framebuffer to 640x480

...i know the radeon 7500s in these ibook G3s are notorious for dying, but OF's setting up the initial 1024x768 framebuffer fine...

i would burn disc 1 of 10.2.4 for ibook g3, but as just said i'm out of blank CDs

oh well, if I port NT to this thing I'll only care about the OF framebuffer anyway

Rairii, to random

woo

i ordered an ibook G3 (with charger) from yahoo auctions

it just arrived

Rairii, to random

bootmgr in 26052 updated the revocation version to 2.0 (from 1.0) and also changed the checks for said revocation version (early in main() and when boot application loads bootmgr) to parse dbx (using a new GUID for that) instead of just checking a NV|BS variable
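The post above describes bootmgr reading revocation state out of dbx itself rather than a plain NV|BS variable, and the earlier posts talk about dbxupdate2024.bin / dbupdate2024.bin changing what db and dbx contain. The following is an added example (my code, not the poster's and not Microsoft's) of a defender-side parser for the EFI_SIGNATURE_LIST format that db and dbx are stored in, so you can inventory what a machine actually trusts or has revoked. The two signature-type GUIDs are the real values from the UEFI specification; the owner GUID, the hashes and the "certificate" bytes in the sample blob are constructed for this example (the x509 payload is a stand-in string, not real DER), and the efivarfs path handling is an assumption about where Linux exposes the variables, not something the post states. The name check is deliberately the same crude ASCII substring search as the common "is the 2023 CA in db yet" one-liner; a real inventory would decode the DER with an X.509 library.

```python
"""Parse UEFI Secure Boot db/dbx contents (arrays of EFI_SIGNATURE_LIST).

Added example, not code from the post. GUID constants and struct layout follow the
UEFI specification; the sample blob at the bottom is constructed, not captured.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification (real values).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
LIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob):
    """Return [(type_name, owner_guid, signature_bytes), ...] for a db/dbx blob.

    Variable contents come from firmware, so every length is checked and a
    malformed blob raises instead of being read past its end.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at %d" % (list_size, off))
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize %d leaves no signature data" % sig_size)
        body = blob[off + LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list at %d is not a whole number of entries" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:OWNER_GUID_LEN])
            entries.append((type_name, owner, entry[OWNER_GUID_LEN:]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Pack one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    if len({len(d) for d in datas}) != 1:
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in datas)
    hdr = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0,
                        OWNER_GUID_LEN + len(datas[0]))
    return hdr + body


def read_efivarfs(path):
    """Read a variable via Linux efivarfs (assumed layout: 4 attribute bytes, then data).

    Typical path (assumption, not from the post):
    /sys/firmware/efi/efivars/db-d719b2cb-3a4e-4ff8-ab21-3a99d6f3b0c3
    """
    with open(path, "rb") as f:
        return f.read()[4:]


def cert_entries_mentioning(entries, text):
    """Crude check: x509 entries whose bytes contain the ASCII subject text."""
    needle = text.encode("ascii")
    return [e for e in entries if e[0] == "x509" and needle in e[2]]


def summarize(entries):
    """Count entries per signature type, e.g. {'sha256': 2, 'x509': 1}."""
    counts = {}
    for type_name, _owner, _data in entries:
        counts[type_name] = counts.get(type_name, 0) + 1
    return counts


# Constructed sample standing in for a db variable: two SHA-256 image hashes and
# one "certificate" that is NOT real DER, just bytes carrying the subject text.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_HASHES = [hashlib.sha256(b"constructed image %d" % i).digest() for i in (1, 2)]
SAMPLE_FAKE_DER = b"CONSTRUCTED-NOT-DER CN=Windows UEFI CA 2023"
SAMPLE_DB_BLOB = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
                  + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_FAKE_DER]))

if __name__ == "__main__":
    parsed = parse_signature_lists(SAMPLE_DB_BLOB)
    for type_name, owner, data in parsed:
        shown = data.hex() if type_name == "sha256" else "%d bytes" % len(data)
        print(type_name, owner, shown)
    print(summarize(parsed))
    print("2023 CA present:", bool(cert_entries_mentioning(parsed, "Windows UEFI CA 2023")))
```

On a real machine, feed `parse_signature_lists(read_efivarfs(path))` for db and dbx and diff the summaries before and after an update; a dbx that gained X509 entries (rather than only hashes) is the sign the poster is describing, where a whole CA is being revoked rather than individual images.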

Rairii, to random

i hope the people talking about Bluesky mean the ELO song

Rairii, to random

v5 = (void ******************)*v5;

no, hex-rays, this is a singly linked list

Rairii, to random

current status: fixed the hal bug causing kd over usb gecko not to work, next issue:

>ppckd

Microsoft(R) Windows NT Kernel Debugger
Version 4.00
Copyright (C) Microsoft Corp. 1981-1996

Symbol search path is: D:\dolphin\SYMBOLS
KD: waiting to reconnect...
KD: Kernel Debugger connection established.
Kernel Version 1381 UP Free
Kernel base = 0x80439000 PsLoadedModuleList = 0x804b4490
[ppckd crashes]

Rairii, to random

dabian

Rairii, to random

dbupdate2024.bin

say hello to Windows UEFI CA 2023

Rairii, to random

eugen made sure nobody would ever want to hard fork mastodon when he chose to use ruby on rails

Rairii, to random

...huh

xbox alpha ii april 2001 recovery, build 3424.1, includes xboxkrnl private symbols

Rairii, to random

closed source? what's that? oh, you mean reversing skill issue?

Rairii, to random

lol

so after @dangoodin mentioned a certain website that tried to block right click

I noticed it was done by a wordpress plugin

long story short I noticed another wordpress plugin by the same publisher

and basically rediscovered CVE-2023-51484 lol (the paid pro version is also vuln)

Rairii, to random

oh, this is going to take a while

I decided to mirror the whole set of laoguangpan (chinese software preservation group)'s torrents on IA

because the canonical place they're stored on is baidupan, which is awkward to download from if you're not in china

what a great time to learn that IA will download torrents you upload to it

hopefully it'll EVENTUALLY FINISH downloading the entire set: 24.2 TB

Rairii, to random

how long will it take for eurostar to go supernova

Rairii, to random

https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf

"some OEMs have lost their PK private keys"

"some OEMs shipped broken db-update implementations, that in some cases cause an outright brick"

why am I not surprised

Rairii, to random

lol, kitboga's seraph secure thing

the list of "trusted domains" in the current defs include rapid7.com

Rairii, to random

"free vpn" windows application, listed as developed by the tanzanian government

sussy baka

Rairii, to random

so, if you had an .af domain, does that mean you just got tali-banned?

Rairii, to random

lol

looks like my experience low level debugging nt with just an emulator/hypervisor debugger is going to come in handy

now having to do it for modern nt using vmware's gdbserver stub.

found a possible bypass for CVE-2024-20666, exploitation has happened and derived keys are in memory, but smss is deadlocking somewhere!
