Thursday, June 07, 2012


This post is about Extended Display Identification Data.
It's the information your monitor or TV sends to your PC or media player to let it know what video/audio formats are supported. Most of the time it's correct and everything works like you want it to. There are several reasons to modify or override the EDID data coming from your TV/monitor via the DDC2B protocol (I2C address 0x50 and 0x30).
  • Get higher refreshrates than 60Hz.
  • Solve ghosting or other quirks in 3D interlaced/checkerboard mode.
  • Tell attached equipment to pass DTS audio. Your TV often does not know that your audio receiver can handle DTS.
First, some fiddling with OSX to retrieve EDID data from attached display:

ioreg -l | grep -5 IODisplayEDID

Returns some long number...

Save that to EDID.txt or something and look at the details with edid-decode.
cat EDID.txt | xxd -r -p | ./edid-decode

Now we want to tinker with it! There are some options to do that.

Phoenix EDID Designer (Windows, yuck)This program accepts only files in a special format, so we need to convert it somehow.

cat EDID.txt | xxd -r -p | (echo 'EDID BYTES:';\
echo '0x   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F';\
echo '    ------------------------------------------------';\
xxd -g 1 -c 16 | sed -E 's/00000(..): (.{47}).*/\1 | \2/g'\
) | tr abcdef ABCEDF | sed 's/$'"/`printf '\r'`/g" > conv.dat

Compare the exported raw data with original:
cat EDID.txt | xxd -r -p | ./edid-decode > left.txt
cat exported.raw | ./edid-decode > right.txt
diff left.txt right.txt

The new data will show:
EDID block does NOT conform to EDID 1.3!
Missing monitor ranges
That's too bad!

010 Editor

I made a template file for 010 Editor, which is a nifty binary editor.
Download the template here.
Somehow they did not put the CRC fixing script (.1sc extension) there, but it's quite short:

file.checksum = -Checksum(CHECKSUM_SUM8, startof(file), startof(file.checksum) - startof(file));
local int i;
for (i=0; exists(file.extensions[i]); i++) file.extensions[i].checksum = -Checksum(CHECKSUM_SUM8, startof(file.extensions[i]), 127);

That's pretty neat uh?

Create EDID override file for OS X (method 1)

Assuming you have saved the modified exported.raw, generate a hex dump like so:

xxd -ps exported.raw

Create a plist file (without extension) and open with XCode or Property List Editor.
The VID/PID in the directory/filename are in unpadded lowercase hexadecimal format.

DisplayProductName String "My modified display name"
DisplayProductID Number 1 (displayed in decimal)
DisplayVendorID Number 7789 (displayed in decimal)
IODisplayEDID Data <00ffffff...> (paste the data between brackets)

Create EDID override file for OS X (method 2)

Paste the result of
(echo -n '<data>'; (cat exported.raw | base64 | tr -d '\n'); echo '</data>')
into the override file (see method 1) where you can use the following as a base:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
    <string>My modified display name</string>


Somehow, the resolution went back to 960x540 (HiDPI) whenever I change the EDID and replug my video connector.
Also, I have to find out how to reprogram my LG TV with new EDID data. There is some option in the service menu, but haven't looked how to do it yet.
It's nice that I can override EDID data in OS X, but I cannot override it on my PS3 for example. Thus, I need the optical audio output if I want DTS.

Video timing calculator
EDID 1.3 data format

Sunday, October 23, 2011

PocketStation Google Authenticator

Do you have a Google account and want to be more secure? Own a Sony PocketStation? Now you can use this device as a security token to login with 2-factor authentication on the Google site and even use it for logging into your linux machine using a PAM module.
It supports one key using the 30-second Time-based One-time Password algorithm. It's hashing up a secret key together with the current time to come to a 6 digit number. The small program takes up one memory block.

I used to collect handheld game devices and other gadgets. The PocketStation once caught my eye but could not easily find it here. It's a PlayStation-memory-card device with a small display that can run mini-games. It was supposed to be better than the Dreamcast VMU, which I owned already. The PocketStation has infrared, better CPU, better battery life, better software support, bettter looks.
When I went to Japan for holiday some year or two ago, I finally bought a 2nd hand PocketStation. I'm not playing so many games anymore, so it was just waiting for me to get a good idea and get the tools set up.
The idea was to use this device instead of my iPhone doing the authenticator part. Of course, malware on a phone would not be good anyway, but getting the key out of the authenticator app is a lot easier than hijacking a browser session. Also, switching between the authenticator and browser can take some while and has a risk of apps being closed when running out of memory. That sums up the risks of jailbroken iPhone I guess.
Anyways, with one small PocketStation app made, I could try to find other applications. One idea I just came up with is using the infrared as a replacement for an Apple remote and lock my MacBook using the iAlertU application.

Anyways, what I currently have for you:
Emulator screenshot.

YouTube video of real device.

Pre-compiled zip. (only need to add your key.)
Source-only zip.
More info in the readme contained in the zip files.

For programming the PocketStation,
1) I used an official Sony PS3 memory adapter. It's normally used to transfer old savegames into the PS3. For this, I used a program called MCRWwin.
There are other ways to do it but I have not investigated them yet:
2) Using and old hacked PlayStation and some save game editor homebrew application.
3) Use a different interface device, such as a parallel port. Check out the PSXGameEdit or PSX Memory Card Manager pages for more information.

edit, created sf project:

Saturday, January 22, 2011

Tomato firmware configuration

I have the Tomato firmware loaded into my Linksys router (WRT54GL 1.1). I acquired a second router of the same type and thought it'd be nice to duplicate the configuration. (if it breaks down or for whatever reason)
When I tried restoring the configuration, I got the error: "You cannot restore settings to a different router".
So I first needed to check what I had to change in the cfg file...

Source device:
gunzip -c tomato_v128_mDA3159.cfg | tr "\0" "\n" | grep "addr=00:1"

Target device (to be overwritten):
gunzip -c tomato_v128_m4AF795.cfg | tr "\0" "\n" | grep "addr=00:1"

Ah! It might check the MAC address! Let's try changing that...
gunzip -c tomato_v128_mDA3159.cfg | perl -pi -e \
| gzip -9 > tomato_v128_copy.cfg
(NB: OS X didn't have a sed command that worked nicely with binary files.)

It restored the modified configuration file!
After resetting the modem and other connections that have the old MAC address in memory, I could connect to the internet again.


When upgrading to a different model router, the configuration files will not match. (it checks
boardtype, boardnum, boardflags and other settings).
In that case, you could also SSH to old router and export the configuration in an easier format:
nvram export --dump > 1.txt
scp 1.txt darkfader@

On the new router, you can them import the edited file.

Sunday, January 02, 2011

Snow Leopard theme for Windows 7 (by sagorpirbd)

Download and installation instructions here: Snow Leopard for Windows 7 theme by sagorpirbd
If you run into problems with the free-activator (just click the advertisement) or just want to see what's in there beforehand, you can extract the files yourself.
Extract "Snow Leopard for Win7 Setup.exe" using a RAR-extractor. The password is snhgqzsdhbktin7
Here's a batch file (put in "System Files") to help replacing the system files:

@echo off
if exist backup goto :SKIPBACKUP

mkdir backup
copy "%windir%\Explorer.exe" backup
copy "%windir%\System32\Shell32.dll" backup
copy "%windir%\System32\ExplorerFrame.dll" backup
copy "%windir%\System32\OobeFldr.dll" backup

call :REPLACE "explorer\64 BIT\explorer.exe" "%windir%\Explorer.exe"
call :REPLACE "shell32.dll\64 BIT\shell32.dll" "%windir%\System32\Shell32.dll"
call :REPLACE "ExplorerFrame.dll\64 BIT\ExplorerFrame.dll" "%windir%\System32\ExplorerFrame.dll"
call :REPLACE "Welcome Center\64 BIT\OobeFldr.dll" "%windir%\System32\OobeFldr.dll"
goto :EOF

echo --- From %~1 to %~2 ---
if not exist "%~1" goto :ERROR
takeown /F "%~2"
Icacls "%~2" /grant Administrators:F
rename "%~2" "%~nx2.old"
copy "%~1" "%~2"
sleep 5
fc /B "%~1" "%~2" || echo ------------- %~2 mismatch ---------------
exit /B

echo Could not find source file!

There is also a program called "leftsider" which puts the control icons of a window on the left side, just like on a real Mac.

Thursday, October 21, 2010

DataGridView virtual mode with custom control race condition fix

This is for when you have a DataGridView in virtual mode in which you have both unbound and bound columns which depend on each other. It went wrong when editing the cells.
I found out that I got a race condition. I then checked the stacktrace:

- MyGridView.OnCellValueNeeded(System.Windows.Forms.DataGridViewCellValueEventArgs e)
- System.Windows.Forms.DataGridView.OnCellValueNeeded(int columnIndex, int rowIndex)
- System.Windows.Forms.DataGridViewCell.GetValue(int rowIndex)
- DataGridViewControlCell.GetValue(int rowIndex)
- System.Windows.Forms.DataGridView.OnCellValidating(ref System.Windows.Forms.DataGridViewCell dataGridViewCell, int columnIndex, int rowIndex, System.Windows.Forms.DataGridViewDataErrorContexts context)
- System.Windows.Forms.DataGridView.CommitEdit(ref System.Windows.Forms.DataGridViewCell dataGridViewCurrentCell, System.Windows.Forms.DataGridViewDataErrorContexts context, System.Windows.Forms.DataGridView.DataGridViewValidateCellInternal validateCell, bool fireCellLeave, bool fireCellEnter, bool fireRowLeave, bool fireRowEnter, bool fireLeave)
- System.Windows.Forms.DataGridView.CommitEdit(System.Windows.Forms.DataGridViewDataErrorContexts context, bool forCurrentCellChange, bool forCurrentRowChange)

So it tried getting the value for the cell that was currently being edited !
I fixed it in MyGridView (called with base.OnCellValueNeeded):

        protected override void OnCellValueNeeded(DataGridViewCellValueEventArgs e)
            if (Columns[e.ColumnIndex] is DataGridViewControlColumn)
                 * Special check to prevent race condition. Call this method first like this:
                 *    base.OnCellValueNeeded(e);
                 *    if (e.Value != null) return;
                if (Rows[e.RowIndex].Cells[e.ColumnIndex].IsInEditMode)        // editing control present?
                    if ((EditingControl as TControl).EditingControlRowIndex == e.RowIndex)        // make sure it's the correct row
                        if ((EditingControl as TControl).EditingControlValueChanged)    // prevent re-use of old editing control
                            e.Value = (EditingControl as TControl).EditingControlFormattedValue;    // use value from editing control

 Hopefully, you find this a bit useful.

Wednesday, October 06, 2010

iPhone native internet tethering (4.0.1)

When I was on 3.1.2 I had native internet tethering working without much problems. Just use ultrasn0w or other unlock hack and install any carrier profile to make the switch visible.
There was no real need to patch the CommCenter executable.
The CommCenter patches were initially released as plain patchfiles that required entering shell commands, but later appeared in Cydia repositories too.
With 4.0.1, it is required to do it this way. So you don't need an unlock hack installed per say. The CommCenter patch can be found in some shady repository you might need to add. (Try searching on
The CommCenter patch makes it accept any non-matching signature in the carrier bundle.
Anyway, it is not that difficult and can be read about on other sites. I got all the handy tools on my iPhone already (ssh with changed passwords, vim), so here's what I did... (you should use FTP if you don't want to mess with SSH)

ssh root@yourphone
cd /var/mobile/Library/Carrier\ Bundle.bundle
plutil -convert xml1 carrier.plist
vim carrier.plist

Under <key>apn</key><string>mms</string>
I changed

Google for typemask.png to see what bits to toggle.
Don't forget to make a backup of the file if you are unsure.
Then, for some reason you need to reset the network settings. Perhaps it just updates /var/mobile/Library/Preferences/ I don't know exactly yet)
Perhaps you could try killall CommCenter SpringBoard too.
Btw, The directory is actually a symbolic link and the files in it gets updated occasionally by Apple. It will ask you however before doing that.
To recreate, use something like: ln -s /System/Library/Carrier Bundles/TMobile_nl.bundle /var/mobile/Library/Carrier\ Bundle.bundle

While MyWi (in Cydia) offers internet tethering too, it got it's limitations (but is being worked on). e.g. it cannot connect via bluetooth to a laptop. Also, it costs a bit of money.

NOTE: Your mobile provider probably does not accept free internet tethering.

Friday, July 23, 2010

sshdo, an alternative to sudo

With sudo, you can execute any or custom command as the root user, optionally asking for your password. That poses some risk if someone knows your password (e.g. by logging/tapping).
But you could replace sudo with something that can login locally via other means like SSH. You need to use SSH(-agent) forwarding to pass down your identity so you won't have to type in any password. You then can decide with -A or -a option for ssh whether to enable or disable SSH forwarding (and thus root access).
It's not very fine grained though and it won't ask for a password each time you 'sshdo' but you could probably set something up with PAM settings (multi-factor). I'll look into that later.
Anyway, for root: /root/.ssh/authorized_keys should contain the allowed key. You'll want root access only locally and only via passwordless-authentication. For that, add to /etc/sshd_config

PermitRootLogin no
Match Address
        PermitRootLogin without-password

In your normal user directory, you can add an easy-to-use alias similar to sudo to ~/.bashrc or ~/.bash_profile

alias sshdo='ssh -q -t root@localhost -- cd $PWD \&\& sudo'

Test it and then disable sudo.
Hopefully this gives some good ideas.

Tuesday, July 20, 2010

Static ARP script for OSX

For security reasons, you may wish to set a static ARP entry for your gateway. This script automates this step. Note that this doesn't prevent DHCP or MAC spoofing however.
The script runs whenever a network connection is made or broken by using the launchd feature to check a path for changes. In this case, I used resolv.conf.
The scripts determines the default gateway IP address and then keep trying to find the corresponding MAC address in the ARP table. Then it sets up the static ARP entry.
Two files are needed: one launchd configuration file and a shell script file. You need to give execute rights on the shell script with chmod +x. Copy the files in place and rename/edit the filenames. You need to restart to make the configuration active.

The contents of /Users/darkfader/

# if the resolv.conf file was deleted, create an empty one to enable file watch again
touch /var/run/resolv.conf
while true; do
        IP=$(netstat -rn | grep -m 1 default | tr -s ' ' | cut -d' ' -f 2)
        if [ "$IP" == "" ]; then
                exit 0
        MAC=$(arp -an | grep -m 1 $IP | tr -s ' ' | cut -d' ' -f 4)
        if [ "$MAC" == "" ]; then
                sleep 1
        arp -S $IP $MAC
        exit 0

The contents of /Library/LaunchDaemons/net.darkfader.static-arp.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Wednesday, April 28, 2010

Windows on Intel Mac and AHCI mode

My configuration:
single internal hard drive in iMac with a single NTFS partition. This is BIOS identifier (hd0,1). In linux, this will be SATA device /dev/sda. The SATA controller is from ICH8M and has PCI identifier 8086:2828. Please change these references to your system configuration.
Don't worry, I still have OS X on an external FW800 drive but that's not relevant here.

First of all, I tried loading Windows 7 on my Intel Mac and then came to a few conclusions:
  • BIOS mode boot has the negative side-effect that it disables AHCI mode in the SATA controller. This leads to degraded performance of hard drive access.
  • EFI mode boot of Windows 7 requires EFI 2.0 which isn't included in the firmware.
  • Macs don't like to boot from external devices. Windows doesn't like to be installed on external drives.
So I swapped my OS X drive with Windows drive in the process of undusting my iMac. It now can boot both OSes.
This post is all about getting the SATA controller back into AHCI mode after the compatibility layer in the intel Mac changed it. AHCI gives NCQ and might be somewhat faster so I really wanted to try that after my younger brother nagged me about it during our dayly Mac-vs-PC argues.

I can talk about what I did wrong during those attempts but I will try to keep it short:
  • Start regedit and locate the following key: HKLM\System\CurrentControlSet\Services\msahci
    Change the "Start" value to "0". This will make Windows attempt to load the AHCI driver stack when it boots.
  • Download a Linux live-CD with GRUB 1.98. (others might indicate 0.xx as grub and 1.xx as grub2). I decided on the latest Ubuntu live-CD. Older versions just won't do unless you want ugly patches. You want to have the setpci grub module.
  • Download the "Rapid Storage Technology" manager software (includes the driver) and the "RST Driver Files for F6 Install" from the Intel website.
    In my case the latest version for x64 Windows was iata96enu.exe and
    The manager software will not install yet but you have to install at least the driver by unpacking it and force a device installation:
    Go to Device Manager, select Serial ATA Storage Controller, Update driver software, Browse, Pick from list, Have disk, Ignore the warning. This should be ok since the next time you'll boot Windows, the device will be different anyway.
  • Boot the Linux CD :-)
    Hold option key when booting the Mac to see it as a boot option. Load the System until you can start a terminal. Get root access:
    sudo -i
  • Because it booted from CD, it doesn't know much about the hard drive. Therefore create a device map file that maps (hd0) to /dev/sda.
    vi /boot/grub/
    If you know some linux, you know what I mean.
  • Mount your Windows partition in Linux.
    mkdir /mnt/win
    ntfs-3g /dev/sda1 /mnt/win
  • Install grub to the MBR and copy the data files too.
    grub-install --no-floppy --modules=ntfs --root-directory=/mnt/win /dev/sda
    This should report no error.
  • If you already had a Boot directory on your Windows partition (most likely), you'll now have two boot directories (-.-); Fix it by moving the contents.
    mv /mnt/win/boot/grub /mnt/win/Boot

    rmdir /mnt/win/boot
  • reboot
    reboot (duh)
  • At the grub prompt you should now be able to try some commands.
    setpci -d 8086:2828 90.b=40
    lspci (should now show 2829 instead of 2828)
    root (hd0,1)
    chainloader +1
  • If Windows now boots, it should be in AHCI mode and hopefully go ask for the drivers.
    You can install the RST manager or just check the Device Manager to see if it's working as intended.
  • You can create a C:\Boot\grub\grub.cfg file to automate the booting process. (Note: 'Manual editing of /boot/grub/grub.cfg is not encouraged')
    set timeout=10
    set default=0
    menuentry "Windows 7 with AHCI" {
    setpci -d 8086:2828 90.b=40
    set root=(hd0,1)
    chainloader +1
  • PS: If somehow Windows booting was not working in the first place or you don't want any of this anymore, you can use the Windows 7 DVD. Some recovery commands you then can use:
    bootrec /FixBoot

    bootrec /RebuildBcd

    bootrec /FixMbr
    (should erase grub again but I don't know why you would want that)
I this I have all my notes into this post and hope that besides me remembering how to do it, also will help you and other Mac fans :P

Wednesday, January 13, 2010

Atmel production file

Atmel has implemented a so called 'production file' in its programmer software. It's a simple ELF file containing sections for Flash, EEprom and fuses. You can create these sections from your C code too.
The board I developed for contains an Atmega128 attached to an ethernet controller. Also, it contains a bootloader that can program and dump the flash and eeprom memory.
What I wanted is a complete snapshot of a working board for production use (special bootloader/firmware version without final encryption keys). It will also have the default MAC and IP address and checksum information in EEprom.

So, first I prepare a complete working board and start dumping the program memory in encrypted format by using a special bootloader function. The tool automatically writes out a special format complete with checksums etc.
bootload -m 00-01-23-45-67-89 -d -i dump.img -b
Then I call the encryption/decryption tool to turn it into a plain binary.
imgtool -d -b dump.bin -i dump.img

I do the same with the bootloader that is located at 0x1E000.
bootload -m 00-01-23-45-67-89 -d -i bldump.img -s 0x1E000 -b
And decrypt that as well:
imgtool -d -b bldump.bin -i bldump.img -s 0x1E000

Then comes the EEprom dump which is already in plain binary form:
bootload -m 00-01-23-45-67-89 -e -b
You might want to crop it down to a reasonable working size since programming the EEprom is terribly slow.
srec_cat eeprom.bin -binary -crop 0x0 0x80 -o eeprom.bin -binary

We also need small files containing the (lock-)fuses and the CPU signature that needs to match before programming. The order of bytes need to be reversed.
You could also compile this data with your project.
signature.bin (3 bytes): 02 97 1E for atmega128.
fuse.bin (3 bytes): BF D8 FF
lock.bin (1 byte): DC blocks programming cable and user-mode reads of bootloader area. The lock is written last and will activate the bootloader boot process.

There are various ways to combine it all together. I chose to combined the flash sections first:
srec_cat dump.bin -binary bldump.bin -binary -offset 0x1E000 -o combined_dump.hex -intel
and then add the extra sections:
avr-objcopy -O elf32-avr -I ihex combined_dump.hex --gap-fill 0xFF --add-section .eeprom=eeprom.bin --add-section .fuse=fuse.bin --add-section .lock=lock.bin --add-section .signature=signature.bin --rename-section .sec1=.text --rename-section .sec2=.text --set-section-flags=.eeprom="alloc,load" --set-section-flags=.fuse="alloc,load" --set-section-flags=.lock="alloc,load" --set-section-flags=.signature="alloc,load" temp.elf
The final step is assigning the section addresses and turning the file into executable ELF format.
avr-ld -s -mavr5 -o ProductionFile.elf temp.elf --section-start .eeprom=0x810000 --section-start .fuse=0x820000 --section-start .lock=0x830000 --section-start .signature=0x840000
The section offsets don't mean very much but the programming tool might check for them.
After this, you can delete all other intermediate files.

Ready to test to production file...
Stk500 -cUSB -datmega128 -ipProductionFile.elf -e -pafeb
And there you have it.
I hope you stumbled upon this post and found it useful.