File:/// crash in Mountain Lion workaround

Update: For a much more in-depth analysis of the problem, head over to Naked Security where Paul Ducklin explains the bug in much more detail.

Gizmodo recently published an article about OS X Mountain Lion crashing when the text File:/// is typed into TextEdit, Spotlight, Mail or some other OS X apps. It’s also reported that Safari and Chrome also crash though I haven’t personally tested them.

I did some sniffing around with gdb and the problem seems to come down to an Apple framework called DataDetector. A bit of Googling shows that this private framework is responsible for looking in text for text that might be ‘special’ such as dates and giving them special options.

It seems that the data detector for URLs is broken and will crash when called upon. The workaround is to remove it from being run. Open Finder, open the Go menu, click Go to Folder and put in /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/ then rename the file called to

You can also do all of this in one handy terminal command:

sudo mv -v /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/ /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/Resources/

You may need to reboot afterwards. This was tested to be working on OS X 10.8.1.

Linux Kernel port to TI-Nspire CX

I’ve just begun a port of Linux to the TI-Nspire CX and I’m happy to say I have a minimal kernel booting successfully on the calculator!

Here’s the UART bootlog and you can see we actually make it to userland without crashing!

The minimal port has support for the interrupt controller and the timer. UART support is on its way (at the moment, it’s just using the early printk console) and I’m hoping to get the framebuffer working soon so I don’t have to rely on the dodgy serial adapter I made.

I’ll also be needing a lot of help so if you’re familiar with Linux kernel development, I’d appreciate your help immensely. Contact me if you’re interested.

Edit: For updates and downloads, visit the Omnimaga thread here.

GameBoy Advance development

I found my old GameBoy Advance consoles and found that I’ve never done any development work on it and decided to play around with it.

Unfortunately, I don’t have a flashcart and it’s difficult to find decent ones to buy on the internet anymore. The only option to actually upload code was to use the multiboot protocol in the GBA BIOS to run the code.

If you don’t know, the GBA has a feature where it’s possible to multiplayer link multiple consoles even if the other consoles did not have the game cartridges. The master console can download 256K worth of game code to each of the slave units so they can each run a copy of the game without a game cartridge.

The first obstacle to bypass was to actually able to communicate with the console. There are actually many ways to communicate with the GBA. With a bit of searching around and debugging, I found that the GBA can actually use 3 different serial protocols to download code. There’s the normal serial mode that is really just 32bit SPI. Then you have your proprietary Joybus mode and 16bit multiplayer serial interface.

After reading through a lot of diagrams and code, I managed to set up a Teensy AVR to bitbang the multiplayer serial protocol and bridge it to USB serial. (Hint: don’t ever use digitalWrite for bitbanging. It’s too slow!).

Second obstacle is actually working out the protocol. I had to read through lots of reverse engineered code to work it out. It seems the GBA uses this weird as encryption and checksumming scheme which I cannot work out. I have managed to complete all the handshaking except encryption and checksum verification though.

I will post source code and documentation once I finish it completely. In the meantime, here’s a video.

bFLT format – implementation notes

One of the biggest show-stoppers in writing a bFLT file loader for Ndless was the lack of documentation with the bFLT file format. Information was scattered everywhere and it was hard to find how to implement some specific feature. I decided to write a simple description of all the features in bFLT and how to implement them.

The first thing I should mention is that there are two versions of bFLT out there. I will be describing the simpler, version 4 format.

First, we have the file header structure:

#define	FLAT_VERSION			0x00000004L

struct flat_hdr {
	char magic[4];
	unsigned long rev;          /* version (as above) */
	unsigned long entry;        /* Offset of first executable instruction
	                               with text segment from beginning of file */
	unsigned long data_start;   /* Offset of data segment from beginning of
	                               file */
	unsigned long data_end;     /* Offset of end of data segment
	                               from beginning of file */
	unsigned long bss_end;      /* Offset of end of bss segment from beginning
	                               of file */

	/* (It is assumed that data_end through bss_end forms the bss segment.) */

	unsigned long stack_size;   /* Size of stack, in bytes */
	unsigned long reloc_start;  /* Offset of relocation records from
	                               beginning of file */
	unsigned long reloc_count;  /* Number of relocation records */
	unsigned long flags;
	unsigned long build_date;   /* When the program/library was built */
	unsigned long filler[5];    /* Reservered, set to zero */

#define FLAT_FLAG_RAM    0x0001 /* load program entirely into RAM */
#define FLAT_FLAG_GOTPIC 0x0002 /* program is PIC with GOT */
#define FLAT_FLAG_GZIP   0x0004 /* all but the header is compressed */
#define FLAT_FLAG_GZDATA 0x0008 /* only data/relocs are compressed (for XIP) */
#define FLAT_FLAG_KTRACE 0x0010 /* output useful kernel trace for debugging */

For simplicity, all fields are in network byte order (i.e. big endian) and are 32 bits wide. When you write your loader, make sure you correctly convert the endian appropriate for your machine.

Loading Executables

The magic field should be the bytes “bFLT”. The rev field should be set to FLAT_VERSION. It’s advisable to check these fields before loading the binary.

The next 3 fields are all file offsets. If your system doesn’t differentiate between code and data, you can load the text and data sections all in one reading since the sections are one after the other in the file. It is assumed that text_start = entry, text_end = data_start, data_end = bss_start.

Although the bss_end field implies that a bss section exists in a file, it actually doesn’t. You need to make sure that (bss_end – data_end) bytes are available and zero’d at the end of the executable image.

The total executable image size can be calculated by (bss_end – entry).

The stack_size field is pretty much self-explanatory.

The flags field is a bitfield of flags. The FLAT_FLAG_* definition comments describe the meaning of the flags.


There are two kinds of relocation you may need to do. The first is relocating global and static pointers and the other being fixing up the GOT.

Relocating global and static pointers

If reloc_count is more than 0, it means that there are pointers that needs to be fixed up.

The reloc_start field is a file offset to a list of pointers (note, they are still big endian!). These pointers point to pointers in the executable image. These pointers are zero-based offsets into the executable image (exceptions being shared library references – explained later).

If you’re implementing XIP and you’re keeping code and data separate, you can work out which section the offsets are pointing to by taking the pointer and comparing it to the sizes of each section. I.e.

if (offset < (data_start - entry)) {
    //pointing to code section
} else if (offset < (data_end - entry)) {
    //pointing to data section
} else if (offset < (bss_end - entry)) {
    //pointing to bss section

In most cases, you can derive the real address of the offsets by adding the executable image base address to the offset (obviously a little more work is required for XIP executables).

Deference the pointer and you get another offset (this time, it’s the native endian for the target). This is an offset you need to fix up. In most cases you can add the executable image base image to it and store it back. With XIP, you will need to work out how you can get the absolute address for the offset (not very difficult).

After you’ve gone through all reloc_count offsets, you’re done for this part.

GOT relocation

If your flags indicate that your program is PIC with GOT, you need to do some additional fixups.

At the start of your data section is a list of pointers terminated by a pointer value of -1. They need to be fixed up in the same way you fixed up relocation above.

Entry point

After all the relocation has taken place, you can simply jump to the base of the code section to run the executable.

Shared libraries

Shared libraries are equivalent to executables in bFLT. The executable linkage to the shared library is determined at compile-time rather than runtime.

Shared libraries are identified by numbers between 0-255. 0 and 255 are reserved.

During relocation, the high byte of the offset determines the library needed to complete the linkage.

For example, if the offset needed fixing during relocation was 0x030003a0, the fix up for that offset would be a pointer pointing to the offset 0x03a0 into the library identified by the number 0x03.

You would find the library associated with the number in the high byte, load it into memory, find the absolute address of the offset into the library and replace the fixup with that.

Using the same example, if I had a executable loaded into memory at 0x1000 and a library with an ID of 3, loaded into memory at 0x2000, the fix up for 0x030003a0 would be 0x23a0.

When a shared library is loaded, I believe you also need to enter its entry point to initialize the library before the main binary runs.

Shared libraries are, otherwise, loaded and treated exactly the same as a normal executable.

A movie player for NSpire. Finally.

I’ve been struggling for quite a while now on the best way to implement a movie player for the NSpire calculator. nPlayer was also born around the same time and I realised there were other’s trying to do the same thing as I. I had to gain an edge over them. I immediately identified a few things I could improve in nPlayer. First, nPlayer was closed source and secondly, it didn’t have decent video compression. From there, I set out on my journey to create a good movie player for the NSpire.

The first version I made was a failure. It worked but took way too much storage. I recall it was in the tens of megabytes for just over a minute.

Since then, I have been looking for ways to reduce the amount of storage needed for a video file. I looked at using run length encoding but I realised that if the video didn’t have simply the same data repeated all the time (which is basically all the time), run length encoding would actually take more storage than if I hadn’t used it.

At one point, I looked at porting libmpeg to the NSpire. After several failed attempts, I finally had something that ‘probably’ works. But I realised the converting process is too complicated. The library needs a pure mpeg2 stream and thats not so easy to produce. Eventually I gave up on that.

Next, I took a look at using zLib to compress the frames. This, however, only reduced sizes by around 10 percent maximum and that’s still not good enough.

After a long break, I realised that with videos, a lossy compression was needed or else the size wouldn’t reduce by much. And so, I decided to look at motion jpeg. However, I wasn’t successful to get it working on the NSpire.

Finally, I compromised. I decided to give up on porting a real video codec while still using lossy compression. I remembered that jpeg files compress extremely well and I decided I could concatenate a whole series of jpeg files together into a single file and have them uncompress on the spot as it was being played.

All that’s left was to find a library that would decode jpeg files. I found a one-shot C library that did exactly that. I would feed it jpeg data and it would spit out a decoded frame.

All that’s left is to process the buffer and convert the colors and draw them out.

And voila, that is how Nspire Movie Player was born!

ELF loader for Ndless

So, a few weeks ago, I posted something about using C++ with the Ndless framework. Unfortunately, while the compiler worked, the end binary kept crashing. I figured that it was because of the C++ vtables having invalid function pointers. The linker wasn’t updating them correctly.

This was the same problem when doing static declarations to pointers. The following code crashes on Ndless.

void foo() {}
int main() {
    static void (*var)() = foo;
    return 0;

The reason is because of the way Ndless links and loads your programs. When you link it on your development machine, it sets a load address and everything is calculated on that. But with Ndless, you can’t load it to a static load address because you don’t know what address you’re going to get from malloc. So, we solve this by relocating.

The startup file that is compiled into Ndless binaries looks up at the Global Offset Table and fills in the correct data at run time. What is run first is PIC which gets its current location and the location of the GOT and patches it so our executable can run correctly.

Unfortunately, when we have statically allocated pointers, they are stored on the .data section of the executable. When it’s turned into a memory image for running on Ndless, all the symbol information telling the linker where each section starts and stops and where all the variables are gone. So, while the GOT may get updated with correct pointers, our statically allocated pointers don’t.

This is a fundamental problem with Ndless’s way of loading things. With this, I started working on a ELF loader a few days ago. An ELF file still contains all the required symbol definitions and the whole lot. That means, our ELF loader can patch everything completely for our program to run.

The code is still in it’s disgusting stage and is in need of a lot of polishing. If you would like to take a look, the code is hosted on Github

Getting a C++ compiler for Ndless

The more I work on nspire-gamekit, the more I think a object orientated programming language would be more suitable for the task. I’m currently playing around with C++ and getting it to work with the ndless SDK (which doesn’t natively support C++).

It is very likely I will consider making the whole project object orientated since it models the problem of game development much better. Overall it can produce cleaner looking code (the current example game has loads of static variables it’s not even funny).

So, if there are people who want to use C++ on ndless code, here is how you can get g++ working alongside the ndless SDK.

First, (if you haven’t already), install newlib for the arm architecture. Download it or check it out from CVS, cd into the directory and configure it with ./configure --target=arm-none-eabi then the usual make and make install.

Next, we’ll need to compile g++ and have it work with ndless.

I configured my GCC installation with ../gcc-4.6.1/configure --target=arm-none-eabi --disable-libssp --disable-multilib --disable-nls --disable-threads --disable-shared --enable-languages=c,c++ --with-newlib --disable-newlib-supplied-syscalls. Again, make and make install.

If you have trouble with redefinitions of “signal.h” like I did, simply delete the signal.h file in /usr/local/arm-none-eabi/include and replace it with an empty file.

Now, you need to go into your ndless/bin folder and copy nspire-gcc to nspire-g++. In the new file, change the last few lines so they look like this:

GCC=`(which arm-elf-g++ arm-none-eabi-g++ arm-linux-gnueabi-g++ | head -1) 2>/dev/null`
# -fno-builtin: We prefer to use syscalls. And GCC's builtins expansion (
# is incompatible with the inline definition of most syscalls.
"$GCC" -mcpu=arm926ej-s -I "$DIRNAME/../include" -fno-exceptions -nostdlib -fpic -fno-builtin "$@"

Pay special attention to adding -fno-exceptions -nostdlib to the list of flags. We will be disabling built in functions and sacrificing being able to use exceptions since the ndless SDK doesn’t implement the required functions.

We also need to change the linker from GCC to G++ so the linker is capable of linking both C++ and C files. It also needs to insert some initialization logic for C++ into the final binary before main() is called.

Change your nspire-ld file so the last few lines look like this:

# some newlib symbols are not found if ld is used...
GCC=`(which arm-elf-g++ arm-none-eabi-g++ arm-linux-gnueabi-g++ | head -1) 2>/dev/null`
# lazy system build: must be built with the same toolchain
(cd "$DIRNAME/../system" && make -s all)
if [ $ret -ne 0 ]; then
exit $ret
if [ $nostartup = false ]; then
[ $lightstartup = true ] && startupobj=crt0light.o || startupobj=crt0.o
args=("$DIRNAME/../system/$startupobj" "${args[@]}")
# -nostartfiles: avoids newlib startup which would be added before ours
"$GCC" -nostartfiles -T "$DIRNAME/../system/ldscript" -e _nspire_start -L "$DIRNAME/../lib" -static "$DIRNAME/../system/crt0sym.o" "${args[@]}" -lndls -mcpu=arm9

Lastly, in your code, you have to implement the new and delete operators using the ndless malloc() and free(). The built in functions uses the stubs in newlib I think so we can’t use that.

Somewhere in your code, implement this code:

void *operator new(size_t size)
    return malloc(size);
void *operator new[](size_t size)
    return malloc(size);
void operator delete(void *p)
void operator delete[](void *p)

After all of the above modifications, your SDK should still work perfectly as before. You also now have a working C++ compiler!

Remember, you cannot use exceptions with this SDK since they require the use of unimplemented functions.

Samsung Galaxy SII USB Jig

I had spare time (read: was bored) and I decided to make a USB Jig for my Galaxy to reset its custom binary count.

What is this?

When you root a Galaxy S2, the bootloader keeps a record of how many custom firmwares you flash. I’ve flashed a couple of ROMs already so my phone’s “custom binary count” was 4. Basically, once you’ve rooted your phone or flashed a custom ROM, you’ve voided the warranty.

Samsung knows if you’ve voided the warranty by checking your “custom binary count”. If it isn’t 0, then they presume you’ve voided the warranty and can refuse to service your device. It doesn’t matter if you go back to stock firmware because your “custom binary count” won’t go down. Simply put, once you flash a custom ROM, your warranty is bye bye.

If you run a custom ROM, you also get this huge yellow triangle with an exclamation mark on it to signify you’re not running an official firmware.

Back to the point, this USB Jig will reset the “custom binary count” to zero and get rid of that yellow triangle. The Jig is basically an imitation of Samsung’s tool to kick the device into recovery mode. In short, the Jig will make your phone look like it’s never been rooted before.

The Jig can also save you if you screw up flashing your bootloader and your Android won’t boot into Download mode.

How to make one?

There are numerous guides on the internet but in short, you need to make 301Kohms of resistance between pin 4 and 5 of the USB plug that goes into the phone. You’ll actually have to unsheath the plug since normally pin 4 isn’t connected to anything.

Personally, I just got a plastic one and cracked it open (since it can be put back easily with a bit of super glue while rubber ones can’t be replaced – apart from that, no difference).

How to use?

I had problems with it not working at the start.

What I had to do was first take out the battery from the phone once you’ve powered it off. Plug in the jig, then place the battery back in. It should automatically boot into a special Download mode that says “Erasing download information succeeded”.

You can now unplug the jig and reboot your phone. Voila! “Custom binary count” is zero. No more yellow exclamation mark. Yet the phone is still rooted. Win!


I kept the cable intact in this picture because I wanted to be able to reuse the cable but it’s totally optional.