Yosemite and the missing ACPI Tables property

Up until OS X 10.10 (Yosemite) the ACPI table data could be extracted from the ioreg, but that doesn’t work anymore. This sucks if you need to debug say stuff for power management, and that is why I like to propose a possible fix for it. One that hopefully will be implemented in all boot loaders, otherwise it won’t help us much. And here is what I did for RevoBoot:

I changed function addConfigurationTable() in fake_efi.h a little:

+if (strcmp(tableAlias, "ACPI_20") == 0)
+	Node *acpiTablesNode = DT__AddChild(tableNode, "ACPI Tables");
+	gPlatform.EFI.Nodes.ACPI_Tables = acpiTablesNode;

This adds a new child note called “ACPI Tables” to:


To me that was the most logical place to add it. Here’s how it looks:
New EFI ACPI Table node

And at the bottom of efi.c I added some lines to add the actual data. That’s all. The next thing that I plan on doing is to check a boot argument, perhaps debug, so that the data will only be there when you need it.

What do you think?


LZVN take II

In June 2014 I published a blog post about OS X 10.10 Yosemite DP1 kernel(cache) like how you can change the default/preferred compression from LZVN to LZSS and published a disassembled copy of the lzvn_decode routine. I also published a link to the opcode tables that I made available via dropbox. Then I said:

Anyone willing to have a go with it? Yes. You will need to convert it and figure out how to get it going, but we are hackers. Right?

Then someone with the nickname ‘coercion’ said: That looks pretty straightforward. I’ll give it a shot this evening if no one else has gotten around to it.

My thoughts exactly. Pretty straightforward, but he somehow never delivered. Which I’m glad he didn’t, because after this a well known company contacted me and said:

Pike. We know that you are a busy man, but what about making a quick extra 5K for your home? We are open to suggestions. Contact me…

Right. I could not say NO so that was basically when I stepped in, but I had to sign a NDA agreement, and thus you, the community, won’t ever get to see it. In other words; I had to wait for someone else to publish something that I could use/refer to, and Andy Vandijck was that person. That is, almost, because he did not publish source code that could be used – lzvn_decode was still the same assembler code.

Some weeks later a person using the nick name ‘MinusZwei’ published a flat-conversion of the disassembled code that I published here, but this would have been something that I could use. Unfortenately not, because he slammed a copyright on it. Even on main.c written and published by Andy Vancijcke. But that wasn’t it. Nope. He also went on putting a claim of ownership (copyright) on something that clearly doesn’t belong to him, but Apple’s copyright portfolio. Next to that; there is no word of thanks for my work. I guess thanks but no thanks. Hmm. I wonder when people will start to be nice.

Edit: I should have asked ‘MinusZwei’ per PM why he did it, but it turns out that there was no wrong doing. The copyright string was generated by Xcode. He just forgot to remove it. Not only that. Andy was totally fine with it. Cased closed.

Anyway. I still want to help out where I can, but with the remark that I will not claim overship (copyright) of something that is not mine. That is why you will find this on top on the file that I am about to publish:

* Copyright (c) 2014 Apple Computer, Inc. All rights reserved.
* Portions Copyright (c) 2003 Apple Computer, Inc. All Rights
* Reserved. This file contains Original Code and/or Modifications of
* Original Code as defined in and that are subject to the Apple Public
* Source License Version 2.0 (the "License"). You may not use this file
* except in compliance with the License. Please obtain a copy of the
* License at http://www.apple.com/publicsource and read it before using
* this file.
* The Original Code and all software distributed under the License are
* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* License for the specific language governing rights and limitations
* under the License.
* The lzvn_decode function was first located and disassembled by Pike R.
* Alpha and later converted to flat C code by someone using the handle
* 'MinusZwei' over at insanelymac.com. This after Andy Vandijcke published
* a working version at the for mentioned website.
* Thanks to Andy Vandijcke and 'MinusZwei' for their work, but I (Pike
* R. Alpha) will not claim ownership of this work, other than the work
* that I have done, for educational purpose, to improve the readability
* so that it is understandable for everyone.

So Pike. Where is the source code/file you talked about? Ok. Hold on. I am writing this during my tea break, and we want to have something that works. Right? Also. The minute you see what I did, you definitely understand that this – my work – is not only ‘quite different’ but it will also show you why I said this.


Edit I am currently waiting for approval, but we should be good to go some time later today.

Edit-2 Nope. They want me to make three more changes and then it’s fine, but I am getting some sleep first of course 😉

Edit-3 And nope again! One of their software engineers discovered a huge flaw in the software that Andy and ‘MinusZwei’ released and they don’t want me to publish ‘my’ source code until they fixed their code.

Note to Andy: I know that you asked for my help, but now you know that I am in a difficult spot and thus this is also why I didn’t reply to your request. I hope that you can understand this and I am sure that you guys will figure out what is missing. Without my help of course 😉

Edit-4 I made some changes and now I can publish the polished source code. Finally. I must admit. It sucks to have to wait just because someone says that you cannot do that what needs to be done. Deliver!

Patch for Shellshock vulnerability

Apple has yet to patch the Shellshock vulnerability (Bash specially-crafted environment variables code injection attack) found by Stephane Chazelas (see also http://seclists.org/oss-sec/2014/q3/650)


Apple released patches for Lion, Mountain Lion and Mavericks:

OS X bash Update 1.0 – OS X Lion
OS X bash Update 1.0 – OS X Mountain Lion
OS X bash Update 1.0 – OS X Mavericks

You should soon see the update for your OS (not yet for Yosemite) in the App Store!

People who don’t like to wait… here is what you can do:

1.) download the bash-92 tarball here.
2.) unpack it (double click on it).
3.) cd into the bash-92 directory
4.) launch: patch -p1 < ../bash_52.patch

And that should end with:

patching file bash-3.2/builtins/common.h
patching file bash-3.2/builtins/evalstring.c
patching file bash-3.2/patchlevel.h
patching file bash-3.2/variables.c

5.) compile bash/sh (launch Xcode)

6.) replace: /bin/bash and /bin/sh with the compiled files from:


7.) verify version info with the info at the bottom of this article.

The patch to remedy this specific vulnerability can be found below, and can be downloaded from GNU project archive.

diff -uwr bash-92/bash-3.2/builtins/common.h bash-93/bash-3.2/builtins/common.h
--- bash-92/bash-3.2/builtins/common.h	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/builtins/common.h	2014-09-25 01:52:13.000000000 +0200
@@ -33,6 +33,8 @@
 #define SEVAL_RESETLINE	0x010
 /* Flags for describe_command, shared between type.def and command.def */
+#define SEVAL_FUNCDEF		0x080	/* only allow function definitions */
+#define SEVAL_ONECMD		0x100	/* only allow a single command */
 #define CDESC_ALL		0x001	/* type -a */
 #define CDESC_SHORTDESC		0x002	/* command -V */
 #define CDESC_REUSABLE		0x004	/* command -v */
diff -uwr bash-92/bash-3.2/builtins/evalstring.c bash-93/bash-3.2/builtins/evalstring.c
--- bash-92/bash-3.2/builtins/evalstring.c	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/builtins/evalstring.c	2014-09-25 01:58:33.000000000 +0200
@@ -234,6 +234,14 @@
 	      struct fd_bitmap *bitmap;
+ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+		{
+ 			  internal_warning ("%s: ignoring function definition attempt", from_file);
+ 		  should_jump_to_top_level = 0;
+ 		  last_result = last_command_exit_value = EX_BADUSAGE;
+ 		  break;
+ 		}
 	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
 	      begin_unwind_frame ("pe_dispose");
 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
@@ -291,6 +299,9 @@
 	      dispose_command (command);
 	      dispose_fd_bitmap (bitmap);
 	      discard_unwind_frame ("pe_dispose");
+ 	      if (flags & SEVAL_ONECMD)
+ 		break;
diff -uwr bash-92/bash-3.2/patchlevel.h bash-93/bash-3.2/patchlevel.h
--- bash-92/bash-3.2/patchlevel.h	2013-01-22 02:37:34.000000000 +0100
+++ bash-93/bash-3.2/patchlevel.h	2014-09-25 01:51:19.000000000 +0200
@@ -25,6 +25,6 @@
    regexp `^#define[ 	]*PATCHLEVEL', since that's what support/mkversion.sh
    looks for to find the patch level (for the sccs version string). */
-#define PATCHLEVEL 51
+#define PATCHLEVEL 52
 #endif /* _PATCHLEVEL_H_ */
diff -uwr bash-92/bash-3.2/variables.c bash-93/bash-3.2/variables.c
--- bash-92/bash-3.2/variables.c	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/variables.c	2014-09-25 02:03:54.000000000 +0200
@@ -318,12 +318,10 @@
 	  temp_string[char_index] = ' ';
 	  strcpy (temp_string + char_index + 1, string);
-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-	  /* Ancient backwards compatibility.  Old versions of bash exported
-	     functions like name()=() {...} */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-	    name[char_index - 2] = '\0';
+ 	  /* Don't import function names that are invalid identifiers from the
+ 	     environment. */
+ 	  if (legal_identifier (name))
+ 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 	  if (temp_var = find_function (name))
@@ -332,10 +330,6 @@
 	    report_error (_("error importing function definition for `%s'"), name);
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
 #if defined (ARRAY_VARS)
 #  if 0

Is my version of bash/sh Vulnerable?

Most likely yes. You can verify this in two ways.

1.) run this terminal command:

bash -version

If that reports something like this (Mountain Lion, OS X 10.8.5)

GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

Or this with Mavericks (10.9.5 Build 13F34):

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

And this with Yosemite (10.10 Build 14A343f):

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin14)
Copyright (C) 2007 Free Software Foundation, Inc.

Then your version of OS X is vulnerable! After you have applied the patch you should see this:

GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin1[2/3/4])
Copyright (C) 2007 Free Software Foundation, Inc.

Note the new patch level (52) in the above lines.

2.) The second test is to run code in a shell by entering:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks like this:

this is a test

Then your version of bash/sh is vulnerable, but this is what you should see with the patched version of bash/sh:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

Which is fine!

ssdtPRGen.sh version 13.9 released

A new version of ssdtPRGen (v13.9) is now available from my Github repository. This update includes the data for the new Intel® Xeon® E5-1600 and X5-2600 Processor Series aka Haswell EP with up to 18 cores and 36 threads and cool new features like:

Per Core P-States

Good news. Intel introduced a new Per Core P-States (PCPS) feature. Something I personally have been waiting for, for several years already. Note though that new power management features are not always a blessing, because they tend to add a new layer of complexity. And PCPS certainly does.

AVX2 Turbo Frequencies

The new Haswell EP processors also come with an new extended instruction set, including AVX2, and ditto maximum Turbo Frequency. This because AVX2 instructions require more power, and thus the processor will run hotter, so Intel decided to throttle it down a little more than the usual turbo frequency.

Intel PCPS

Integrated Memory Controller

There are SKUs with one and two Integrated Memory Controllers (IMC) and SKUs with a single IMC supports four DDR3 or DDR4 channels – configurable via registers – and SKUs with two IMC’s support two channels each. The first memory controller (IMC 0) is accessible via registers on Device 19-21 and the second memory controller (IMC 1) via registers on Device 22-23 – though for SKUs with one memory controller, Device 22-23 (IMC 1) is not used and should be ignored.


You can get this update by running the following terminal command:

curl -o ~/ssdtPRGen.sh https://raw.githubusercontent.com/Piker-Alpha/ssdtPRGen.sh/master/ssdtPRGen.sh


Questions and bug reports (so called ‘issues’) should be filed at:


Please do not use my blog for this.

Thank you!

New repository for acpiTableExtract.pl

I have updated acpi-extract.pl and renamed it to acpiTableExtract.pl and pushed it to its own Github repository (version on Dropbox will no longer be maintained). This makes it much easier to find with Google and here is how to get it:

sudo curl -o ~/acpiTableExtract.pl https://raw.githubusercontent.com/Piker-Alpha/acpiTableExtract.pl/master/acpiTableExtract.pl

This command will download the file to your user directory and the next step is to change the file mode (+x) with:

chmod +x ~/acpiTableExtract.pl




Questions and bug reports (so called ‘issues’) should be filed at:


Please do not use my blog for this.

Thank you!

VoLTE to boost revenues and attract new customers

Here you have it:

The Alcatel-Lucent End-to-End Voice over LTE (E2E VoLTE) solution helps you deliver voice that enriches the LTE experience. This solution enables you to use voice to boost data revenues and attract new customers

A double win. Then we add this fact:

4G LTE subscribers consume 168% more data than 3G

Good for a triple victory to get your money. Good thinking!

Source: http://www.alcatel-lucent.com/solutions/volte

iPhone 6 (Plus) reviews

Is it me or all iPhone 6 (Plus) reviews the same? Oh wait. Reviewers are not allowed to talk about benchmark results. No. Heaven forbid. Someone could be disappointed (example: memory in the iPhone 6 is slower than that in the iPhone 6 Plus) and not order the new iPhone. Me? Well. I won’t get one. Not until Apple cart me out in a nice limo to the Apple store. LOL

So Pike. Are you using an Android phone? No. I’m not. In fact. I no longer use “a mobile phone”. What? Yeah man. This phone stuff is out dated. Watch my words!

p.s. I am also not going to use an Apple Watch. Not until it matches a Breitling or Tag Heuer.


I like to add that Apple did an amazing job with the Apple Watch. It’s much better than what they had in mind for us with the first iPhone, but the battery life is still one of the biggest problems. I mean. Having to charge a mobile phone, or watch, each and every day is just not working for me. And Apple could have solved this problem, because the technology is there already, but that would have made the new devices much more expensive. The problem is that Apple refuses to give in on making such a high profit margin… and that is why the new iPhone isn’t using the latest battery technology. Probably not until companies like Samsung push Apple into a corner again. And again yes, because that is exactly what Samsung did with having bigger screen sizes and contact less charging. Which is still unavailable to iPhones users. I wonder how long this is going to take. Another two years maybe?

iPhone 6 (Plus) serials ending in GXXX

The links to the Technical Specifications of the new iPhone 6 (Plus) went up live and here they are:

iPhone 6

G5MG – iPhone 6
G5MD – iPhone 6
G5MF – iPhone 6
G5MJ – iPhone 6
G5MK – iPhone 6
G5MH – iPhone 6
G5MC – iPhone 6
G5MN – iPhone 6
G5ML – iPhone 6
G5MP – iPhone 6
G5MM – iPhone 6
G5N0 – iPhone 6
G5MW – iPhone 6
G5MV – iPhone 6
G5MQ – iPhone 6
G5MY – iPhone 6
G5MT – iPhone 6
G5MR – iPhone 6

iPhone 6 Plus

G5QP – iPhone 6 Plus
G5QG – iPhone 6 Plus
G5QH – iPhone 6 Plus
G5QK – iPhone 6 Plus
G5QR – iPhone 6 Plus
G5QL – iPhone 6 Plus
G5QQ – iPhone 6 Plus
G5QF – iPhone 6 Plus
G5QJ – iPhone 6 Plus
G5QN – iPhone 6 Plus
G5QM – iPhone 6 Plus
G5QW – iPhone 6 Plus
G5QY – iPhone 6 Plus
G5QV – iPhone 6 Plus
G5QT – iPhone 6 Plus
G5R2 – iPhone 6 Plus
G5R0 – iPhone 6 Plus
G5R1 – iPhone 6 Plus


I have updated Apple Serial Numbers Ending With G000-GZZZ to include the latest data.

AppleIntelFramebufferAzul.sh v3.0 Beta

The preview of AppleIntelFramebufferAzul.sh v3.0 (updated earlier today) showed off the features that I was working on, and later today (after work) I will share my latest work (DONE).

Please note that this commit will not be the official v3.0 release, but a Beta version for people who want to help me get v3.0 released (earlier). It will however include this sub menu:

What I did was that I renamed Change the connector type to Change port layout/configuration and added a new sub-menu, which will only show the port specific data. Well. That and the new menu of course.

Editable Data

One other big improvement is that the frame buffer data is saved in editable data files (example: Azul-0x0d220003.dat) instead of one long string, so that you can open them in nano for a quick free form edit. One major drawback is that the files are now incompatible with older versions, and thus you must remove/move the old data files/to a new directory!


1.) The cursor byte feature isn’t working for AppleIntelFramebufferCapri.kext
2.) Capri support is untested and most likely broken (will be fixed a.s.a.p)


I may have missed bugs/issues so I’d like to ask people here to provide feedback via Github issues. Use “v3.0B” in the title to prevent confusion with future updates. Thanks!

Experimental bin-patch for HD4600 (mobile GT2)

Apple won’t update AppleIntelHD5000Graphics.kext anymore (GM state I believe) so it is time for us to figure out what is going on with the Mobile GT2 SKU’s that somehow don’t have QE/CI enabled so let’s give it a first go…


First you go to the directory by entering:

cd /System/Library/Extensions/AppleIntelHD5000Graphics.kext/Contents/MacOS

Then you add the missing device-id (0x04168086) to the plist with:

sudo nano Info.plist

This is what it should look like:

<string>0x04168086 0x0d268086 0x0a268086 0x0a2e8086 0x0d228086 0x04128086 0x0a168086</string>

Now use Ctrl+O to save your changes and Ctrl+X to exit nano. The next logical step is to refresh the kernel cache with:

sudo kextcache -Boot -U /

Note: Clover users can inject the missing device-id from their config file.


Patch the AppleIntelHD5000Graphics binary with one of the following terminal commands:

Then you run this terminal command:

sudo /usr/bin/perl -pi -e 's|\x3d\x86\x80\x12\x04\x74\x10\xeb\x5d|\x3d\x86\x80\x16\x04\x74\x10\xeb\x5d|g' AppleIntelHD5000Graphics

Note: This can be changed to a shorter variant when it works, and Clover users can use find and replace from their config file.

If the first one didn’t work (it should mind you) then try this one:

sudo /usr/bin/perl -pi -e 's|\x3d\x86\x80\x12\x04\x74\x10\xeb\x5d|\x3d\x86\x80\x12\x04\x74\x10\xeb\x4d|g' AppleIntelHD5000Graphics

The first bin-patch will change the desktop device-id (0x04128086) to that of your mobile device-id (0x04168086). The second bin-patch will change a jump address, to that of the Apple/Intel supported GT3 one.

Make sure to have a backup of the vanilla binary handy (make a backup) and do not run both commands without restoring the vanilla binary. And in case you need to patch the frame buffer data, please try version 2.9 of AppleIntelFramebufferAzul.sh The changes to the binary should get detected and trigger a rebuild of the kernel cache, but in case that fails for you, you enter:
sudo touch /System/Library/Extensions

Not working?

This is a first experimental bin-patch so yeah it may not work, but make sure to check the bottom of Intel HD4600 with full resolution. There’s a tip that may help you 😉


The patch works (see comments) so let’s take it one step further. Like I said earlier, you can use a shorter variant because all you need to change is this:

-3d86801204 cmpl $0x4128086, %eax
+3d86801204 cmpl $0x4168086, %eax

Clover users can add some lines to their config to patch AppleIntelFramebufferAzul so that they don’t have to worry about it anymore. They could use this data:

Find pattern—:PYaAEgQ=
Replace patter-:PYaAFgQ=

But since I don’t use Clover… someone with Clover will have to verify and confirm this to be actually working first.