Update: For a much more in-depth analysis of the problem, head over to Naked Security where Paul Ducklin explains the bug in much more detail.

Gizmodo recently published an article about OS X Mountain Lion crashing when the text File:/// is typed into TextEdit, Spotlight, Mail or some other OS X apps. It’s also reported that Safari and Chrome also crash though I haven’t personally tested them.

I did some sniffing around with gdb and the problem seems to come down to an Apple framework called DataDetector. A bit of Googling shows that this private framework is responsible for looking in text for text that might be ‘special’ such as dates and giving them special options.

It seems that the data detector for URLs is broken and will crash when called upon. The workaround is to remove it from being run. Open Finder, open the Go menu, click Go to Folder and put in /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/ then rename the file called com.apple.datadetectorscore.cache.urlifier.system to com.apple.datadetectorscore.cache.urlifier.system.backup

You can also do all of this in one handy terminal command:

sudo mv -v /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/com.apple.datadetectorscore.cache.urlifier.system /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/com.apple.datadetectorscore.cache.urlifier.system.backup

You may need to reboot afterwards. This was tested to be working on OS X 10.8.1.

Status updates are now available from the wiki entry on Hackspire.

I’ve completed a boot loader that loads Linux and ramdisks and replaces that TI-Nspire operating system in-place.

This should have multiple improvements over the old one and values are not hard coded as much as possible.

Github source

I’ve just begun a port of Linux to the TI-Nspire CX and I’m happy to say I have a minimal kernel booting successfully on the calculator!

Here’s the UART bootlog and you can see we actually make it to userland without crashing!

The minimal port has support for the interrupt controller and the timer. UART support is on its way (at the moment, it’s just using the early printk console) and I’m hoping to get the framebuffer working soon so I don’t have to rely on the dodgy serial adapter I made.

I’ll also be needing a lot of help so if you’re familiar with Linux kernel development, I’d appreciate your help immensely. Contact me if you’re interested.

Edit: For updates and downloads, visit the Omnimaga thread here.

I found my old GameBoy Advance consoles and found that I’ve never done any development work on it and decided to play around with it.

Unfortunately, I don’t have a flashcart and it’s difficult to find decent ones to buy on the internet anymore. The only option to actually upload code was to use the multiboot protocol in the GBA BIOS to run the code.

If you don’t know, the GBA has a feature where it’s possible to multiplayer link multiple consoles even if the other consoles did not have the game cartridges. The master console can download 256K worth of game code to each of the slave units so they can each run a copy of the game without a game cartridge.

The first obstacle to bypass was to actually able to communicate with the console. There are actually many ways to communicate with the GBA. With a bit of searching around and debugging, I found that the GBA can actually use 3 different serial protocols to download code. There’s the normal serial mode that is really just 32bit SPI. Then you have your proprietary Joybus mode and 16bit multiplayer serial interface.

After reading through a lot of diagrams and code, I managed to set up a Teensy AVR to bitbang the multiplayer serial protocol and bridge it to USB serial. (Hint: don’t ever use digitalWrite for bitbanging. It’s too slow!).

Second obstacle is actually working out the protocol. I had to read through lots of reverse engineered code to work it out. It seems the GBA uses this weird as encryption and checksumming scheme which I cannot work out. I have managed to complete all the handshaking except encryption and checksum verification though.

I will post source code and documentation once I finish it completely. In the meantime, here’s a video.

One of the most heavily used application I have is nspire_emu. I use it for testing my programs and debugging. Up until today, I used a VM to run the program.

I decided that ~1GB of RAM to run a small emulator was a little too much – not to mention other overheads. I decided to install Wine and get the emulator to run on OS X without a VM.

Unfortunately, there were some minor issues to getting it to run.

• Wine buffers stdout. This means messages from the serial port weren’t being showed on the screen until the buffer was full.
• The easiest way to fix it was to modify the sources to output on stderr instead.
• The binary the mingw cross compiler produced on my Mac kept crashing. Yet the original binary from the same source worked fine.
• The binary also had garbage titles and menu options.

Turns out the crashing was caused by a dodgy hack for quickly dumping an array. The array was casted to a va_list which worked for the original compiler but not for my mingw compiler. This was fixed easily.

The garbage in the titles and menu options was caused by the resources file being incorrectly compiled by my cross compiler. I fired up my VM, installed a native mingw system, compiled it from there and brought the (now correct) object file across and plugged it into the Makefile.

And of course, I changed every printf, putc call to a fprintf(stderr, etc..) call so Wine doesn’t buffer output.

I put everything together nicely into a Applescript bundle which launches Wine which launches the patched emulator. I’ve made this available for others who want to use it and included a README too.

nspire_emu_mac

One of the biggest show-stoppers in writing a bFLT file loader for Ndless was the lack of documentation with the bFLT file format. Information was scattered everywhere and it was hard to find how to implement some specific feature. I decided to write a simple description of all the features in bFLT and how to implement them.

The first thing I should mention is that there are two versions of bFLT out there. I will be describing the simpler, version 4 format.

First, we have the file header structure:

#define	FLAT_VERSION			0x00000004L

struct flat_hdr {
	char magic[4];
	unsigned long rev;          /* version (as above) */
	unsigned long entry;        /* Offset of first executable instruction
	                               with text segment from beginning of file */
	unsigned long data_start;   /* Offset of data segment from beginning of
	                               file */
	unsigned long data_end;     /* Offset of end of data segment
	                               from beginning of file */
	unsigned long bss_end;      /* Offset of end of bss segment from beginning
	                               of file */

	/* (It is assumed that data_end through bss_end forms the bss segment.) */

	unsigned long stack_size;   /* Size of stack, in bytes */
	unsigned long reloc_start;  /* Offset of relocation records from
	                               beginning of file */
	unsigned long reloc_count;  /* Number of relocation records */
	unsigned long flags;
	unsigned long build_date;   /* When the program/library was built */
	unsigned long filler[5];    /* Reservered, set to zero */
};

#define FLAT_FLAG_RAM    0x0001 /* load program entirely into RAM */
#define FLAT_FLAG_GOTPIC 0x0002 /* program is PIC with GOT */
#define FLAT_FLAG_GZIP   0x0004 /* all but the header is compressed */
#define FLAT_FLAG_GZDATA 0x0008 /* only data/relocs are compressed (for XIP) */
#define FLAT_FLAG_KTRACE 0x0010 /* output useful kernel trace for debugging */

For simplicity, all fields are in network byte order (i.e. big endian) and are 32 bits wide. When you write your loader, make sure you correctly convert the endian appropriate for your machine.

Loading Executables

The magic field should be the bytes “bFLT”. The rev field should be set to FLAT_VERSION. It’s advisable to check these fields before loading the binary.

The next 3 fields are all file offsets. If your system doesn’t differentiate between code and data, you can load the text and data sections all in one reading since the sections are one after the other in the file. It is assumed that text_start = entry, text_end = data_start, data_end = bss_start.

Although the bss_end field implies that a bss section exists in a file, it actually doesn’t. You need to make sure that (bss_end – data_end) bytes are available and zero’d at the end of the executable image.

The total executable image size can be calculated by (bss_end – entry).

The stack_size field is pretty much self-explanatory.

The flags field is a bitfield of flags. The FLAT_FLAG_* definition comments describe the meaning of the flags.

Relocations

There are two kinds of relocation you may need to do. The first is relocating global and static pointers and the other being fixing up the GOT.

Relocating global and static pointers

If reloc_count is more than 0, it means that there are pointers that needs to be fixed up.

The reloc_start field is a file offset to a list of pointers (note, they are still big endian!). These pointers point to pointers in the executable image. These pointers are zero-based offsets into the executable image (exceptions being shared library references – explained later).

If you’re implementing XIP and you’re keeping code and data separate, you can work out which section the offsets are pointing to by taking the pointer and comparing it to the sizes of each section. I.e.

if (offset < (data_start - entry)) {
    //pointing to code section
} else if (offset < (data_end - entry)) {
    //pointing to data section
} else if (offset < (bss_end - entry)) {
    //pointing to bss section
}

In most cases, you can derive the real address of the offsets by adding the executable image base address to the offset (obviously a little more work is required for XIP executables).

Deference the pointer and you get another offset (this time, it’s the native endian for the target). This is an offset you need to fix up. In most cases you can add the executable image base image to it and store it back. With XIP, you will need to work out how you can get the absolute address for the offset (not very difficult).

After you’ve gone through all reloc_count offsets, you’re done for this part.

GOT relocation

If your flags indicate that your program is PIC with GOT, you need to do some additional fixups.

At the start of your data section is a list of pointers terminated by a pointer value of -1. They need to be fixed up in the same way you fixed up relocation above.

Entry point

After all the relocation has taken place, you can simply jump to the base of the code section to run the executable.

Shared libraries

Shared libraries are equivalent to executables in bFLT. The executable linkage to the shared library is determined at compile-time rather than runtime.

Shared libraries are identified by numbers between 0-255. 0 and 255 are reserved.

During relocation, the high byte of the offset determines the library needed to complete the linkage.

For example, if the offset needed fixing during relocation was 0x030003a0, the fix up for that offset would be a pointer pointing to the offset 0x03a0 into the library identified by the number 0×03.

You would find the library associated with the number in the high byte, load it into memory, find the absolute address of the offset into the library and replace the fixup with that.

Using the same example, if I had a executable loaded into memory at 0×1000 and a library with an ID of 3, loaded into memory at 0×2000, the fix up for 0x030003a0 would be 0x23a0.

When a shared library is loaded, I believe you also need to enter its entry point to initialize the library before the main binary runs.

Shared libraries are, otherwise, loaded and treated exactly the same as a normal executable.

I’ve been struggling for quite a while now on the best way to implement a movie player for the NSpire calculator. nPlayer was also born around the same time and I realised there were other’s trying to do the same thing as I. I had to gain an edge over them. I immediately identified a few things I could improve in nPlayer. First, nPlayer was closed source and secondly, it didn’t have decent video compression. From there, I set out on my journey to create a good movie player for the NSpire.

The first version I made was a failure. It worked but took way too much storage. I recall it was in the tens of megabytes for just over a minute.

Since then, I have been looking for ways to reduce the amount of storage needed for a video file. I looked at using run length encoding but I realised that if the video didn’t have simply the same data repeated all the time (which is basically all the time), run length encoding would actually take more storage than if I hadn’t used it.

At one point, I looked at porting libmpeg to the NSpire. After several failed attempts, I finally had something that ‘probably’ works. But I realised the converting process is too complicated. The library needs a pure mpeg2 stream and thats not so easy to produce. Eventually I gave up on that.

Next, I took a look at using zLib to compress the frames. This, however, only reduced sizes by around 10 percent maximum and that’s still not good enough.

After a long break, I realised that with videos, a lossy compression was needed or else the size wouldn’t reduce by much. And so, I decided to look at motion jpeg. However, I wasn’t successful to get it working on the NSpire.

Finally, I compromised. I decided to give up on porting a real video codec while still using lossy compression. I remembered that jpeg files compress extremely well and I decided I could concatenate a whole series of jpeg files together into a single file and have them uncompress on the spot as it was being played.

All that’s left was to find a library that would decode jpeg files. I found a one-shot C library that did exactly that. I would feed it jpeg data and it would spit out a decoded frame.

All that’s left is to process the buffer and convert the colors and draw them out.

And voila, that is how Nspire Movie Player was born!

I was working on an ELF loader for Ndless and I kept wondering why my test suites kept crashing while the main program loader worked – even though they were loading the exact same files.

Yup, after an hour almost going insane, I found the problem. I was using fp = fopen("file", "r"); instead of fp = fopen("file", "rb");

Ouch,

So, a few weeks ago, I posted something about using C++ with the Ndless framework. Unfortunately, while the compiler worked, the end binary kept crashing. I figured that it was because of the C++ vtables having invalid function pointers. The linker wasn’t updating them correctly.

This was the same problem when doing static declarations to pointers. The following code crashes on Ndless.

void foo() {}
int main() {
    static void (*var)() = foo;
    var();
    return 0;
}

The reason is because of the way Ndless links and loads your programs. When you link it on your development machine, it sets a load address and everything is calculated on that. But with Ndless, you can’t load it to a static load address because you don’t know what address you’re going to get from malloc. So, we solve this by relocating.

The startup file that is compiled into Ndless binaries looks up at the Global Offset Table and fills in the correct data at run time. What is run first is PIC which gets its current location and the location of the GOT and patches it so our executable can run correctly.

Unfortunately, when we have statically allocated pointers, they are stored on the .data section of the executable. When it’s turned into a memory image for running on Ndless, all the symbol information telling the linker where each section starts and stops and where all the variables are gone. So, while the GOT may get updated with correct pointers, our statically allocated pointers don’t.

This is a fundamental problem with Ndless’s way of loading things. With this, I started working on a ELF loader a few days ago. An ELF file still contains all the required symbol definitions and the whole lot. That means, our ELF loader can patch everything completely for our program to run.

The code is still in it’s disgusting stage and is in need of a lot of polishing. If you would like to take a look, the code is hosted on Github https://github.com/tangrs/ndless-elfloader