Yosemite and the missing ACPI Tables property

Up until OS X 10.10 (Yosemite) the ACPI table data could be extracted from the ioreg, but that doesn’t work anymore. This sucks if you need to debug, say, power management, and that is why I would like to propose a possible fix for it. One that hopefully will be implemented in all boot loaders, otherwise it won’t help us much. And here is what I did for RevoBoot:

I changed function addConfigurationTable() in fake_efi.h a little:

+if (strcmp(tableAlias, "ACPI_20") == 0)
+	Node *acpiTablesNode = DT__AddChild(tableNode, "ACPI Tables");
+	gPlatform.EFI.Nodes.ACPI_Tables = acpiTablesNode;
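
Review bot: the `if (strcmp(tableAlias, "ACPI_20") == 0)` has no braces in the lines shown, so at most the `DT__AddChild` line is guarded and `gPlatform.EFI.Nodes.ACPI_Tables` is assigned for every table alias; a declaration as the sole body of an `if` also does not compile as C. Wrap both lines in a block and declare `acpiTablesNode` inside it.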

This adds a new child node called “ACPI Tables” to:


To me that was the most logical place to add it. Here’s how it looks:
New EFI ACPI Table node

And at the bottom of efi.c I added some lines to add the actual data. That’s all. The next thing that I plan on doing is to check a boot argument, perhaps debug, so that the data will only be there when you need it.

What do you think?

LZVN take II

In June 2014 I published a blog post about the OS X 10.10 Yosemite DP1 kernel(cache), covering how you can change the default/preferred compression from LZVN to LZSS, and published a disassembled copy of the lzvn_decode routine. I also published a link to the opcode tables that I made available via Dropbox. Then I said:

Anyone willing to have a go with it? Yes. You will need to convert it and figure out how to get it going, but we are hackers. Right?

Then someone with the nickname ‘coercion’ said: That looks pretty straightforward. I’ll give it a shot this evening if no one else has gotten around to it.

My thoughts exactly. Pretty straightforward, but he somehow never delivered. Which I’m glad he didn’t, because after this a well known company contacted me and said:

Pike. We know that you are a busy man, but what about making a quick extra 5K for your home? We are open to suggestions. Contact me…

Right. I could not say NO so that was basically when I stepped in, but I had to sign an NDA, and thus you, the community, won’t ever get to see it. In other words, I had to wait for someone else to publish something that I could use/refer to, and Andy Vandijck was that person. That is, almost, because he did not publish source code that could be used – lzvn_decode was still the same assembler code.

Some weeks later a person using the nickname ‘MinusZwei’ published a flat-conversion of the disassembled code that I published here, and this would have been something that I could use. Unfortunately not, because he slammed a copyright on it. Even on main.c written and published by Andy Vandijck. But that wasn’t it. Nope. He also went on putting a claim of ownership (copyright) on something that clearly doesn’t belong to him, but to Apple’s copyright portfolio. Next to that, there is no word of thanks for my work. I guess thanks but no thanks. Hmm. I wonder when people will start to be nice.

Edit: I should have asked ‘MinusZwei’ per PM why he did it, but it turns out that there was no wrongdoing. The copyright string was generated by Xcode. He just forgot to remove it. Not only that. Andy was totally fine with it. Case closed.

Anyway. I still want to help out where I can, but with the remark that I will not claim ownership (copyright) of something that is not mine. That is why you will find this at the top of the file that I am about to publish:

* Copyright (c) 2014 Apple Computer, Inc. All rights reserved.
* Portions Copyright (c) 2003 Apple Computer, Inc. All Rights
* Reserved. This file contains Original Code and/or Modifications of
* Original Code as defined in and that are subject to the Apple Public
* Source License Version 2.0 (the "License"). You may not use this file
* except in compliance with the License. Please obtain a copy of the
* License at http://www.apple.com/publicsource and read it before using
* this file.
* The Original Code and all software distributed under the License are
* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* License for the specific language governing rights and limitations
* under the License.
* The lzvn_decode function was first located and disassembled by Pike R.
* Alpha and later converted to flat C code by someone using the handle
* 'MinusZwei' over at insanelymac.com. This after Andy Vandijcke published
* a working version at the for mentioned website.
* Thanks to Andy Vandijcke and 'MinusZwei' for their work, but I (Pike
* R. Alpha) will not claim ownership of this work, other than the work
* that I have done, for educational purpose, to improve the readability
* so that it is understandable for everyone.

So Pike. Where is the source code/file you talked about? Ok. Hold on. I am writing this during my tea break, and we want to have something that works. Right? Also. The minute you see what I did, you definitely understand that this – my work – is not only ‘quite different’ but it will also show you why I said this.


Edit I am currently waiting for approval, but we should be good to go some time later today.

Edit-2 Nope. They want me to make three more changes and then it’s fine, but I am getting some sleep first of course 😉

Edit-3 And nope again! One of their software engineers discovered a huge flaw in the software that Andy and ‘MinusZwei’ released and they don’t want me to publish ‘my’ source code until they fixed their code.

Note to Andy: I know that you asked for my help, but now you know that I am in a difficult spot and thus this is also why I didn’t reply to your request. I hope that you can understand this and I am sure that you guys will figure out what is missing. Without my help of course 😉

Edit-4 I made some changes and now I can publish the polished source code. Finally. I must admit. It sucks to have to wait just because someone says that you cannot do that what needs to be done. Deliver!

Patch for Shellshock vulnerability

Apple has yet to patch the Shellshock vulnerability (Bash specially-crafted environment variables code injection attack) found by Stephane Chazelas (see also http://seclists.org/oss-sec/2014/q3/650).


Apple released patches for Lion, Mountain Lion and Mavericks:

OS X bash Update 1.0 – OS X Lion
OS X bash Update 1.0 – OS X Mountain Lion
OS X bash Update 1.0 – OS X Mavericks

You should soon see the update for your OS (not yet for Yosemite) in the App Store!

People who don’t like to wait… here is what you can do:

1.) download the bash-92 tarball here.
2.) unpack it (double click on it).
3.) cd into the bash-92 directory
4.) launch: patch -p1 < ../bash_52.patch

And that should end with:

patching file bash-3.2/builtins/common.h
patching file bash-3.2/builtins/evalstring.c
patching file bash-3.2/patchlevel.h
patching file bash-3.2/variables.c

5.) compile bash/sh (launch Xcode)

6.) replace: /bin/bash and /bin/sh with the compiled files from:


7.) verify version info with the info at the bottom of this article.

The patch to remedy this specific vulnerability can be found below, and can be downloaded from the GNU project archive.

diff -uwr bash-92/bash-3.2/builtins/common.h bash-93/bash-3.2/builtins/common.h
--- bash-92/bash-3.2/builtins/common.h	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/builtins/common.h	2014-09-25 01:52:13.000000000 +0200
@@ -33,6 +33,8 @@
 #define SEVAL_RESETLINE	0x010
 /* Flags for describe_command, shared between type.def and command.def */
+#define SEVAL_FUNCDEF		0x080	/* only allow function definitions */
+#define SEVAL_ONECMD		0x100	/* only allow a single command */
 #define CDESC_ALL		0x001	/* type -a */
 #define CDESC_SHORTDESC		0x002	/* command -V */
 #define CDESC_REUSABLE		0x004	/* command -v */
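
Review bot: in common.h the two new `SEVAL_FUNCDEF` / `SEVAL_ONECMD` defines land below the "Flags for describe_command" comment as shown here, so they read as part of the `CDESC_` group. Move them up next to `SEVAL_RESETLINE` so the flag families stay separate.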
diff -uwr bash-92/bash-3.2/builtins/evalstring.c bash-93/bash-3.2/builtins/evalstring.c
--- bash-92/bash-3.2/builtins/evalstring.c	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/builtins/evalstring.c	2014-09-25 01:58:33.000000000 +0200
@@ -234,6 +234,14 @@
 	      struct fd_bitmap *bitmap;
+ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+		{
+ 			  internal_warning ("%s: ignoring function definition attempt", from_file);
+ 		  should_jump_to_top_level = 0;
+ 		  last_result = last_command_exit_value = EX_BADUSAGE;
+ 		  break;
+ 		}
 	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
 	      begin_unwind_frame ("pe_dispose");
 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
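
Review bot: the early `break` in the new `SEVAL_FUNCDEF` branch leaves the loop before the `dispose_command (command)` call that the next hunk shows as context, so if that is the only place the command is freed, the rejected command is leaked on this path; dispose of it before the `break`. The added lines also start with a space before the tab, unlike the surrounding context lines.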
@@ -291,6 +299,9 @@
 	      dispose_command (command);
 	      dispose_fd_bitmap (bitmap);
 	      discard_unwind_frame ("pe_dispose");
+ 	      if (flags & SEVAL_ONECMD)
+ 		break;
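
Review bot: the `if (flags & SEVAL_ONECMD) break;` after `discard_unwind_frame` has no comment saying why parsing stops after one command. Add one stating that it keeps any text following an imported function definition from being executed, since that is the whole point of the flag.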
diff -uwr bash-92/bash-3.2/patchlevel.h bash-93/bash-3.2/patchlevel.h
--- bash-92/bash-3.2/patchlevel.h	2013-01-22 02:37:34.000000000 +0100
+++ bash-93/bash-3.2/patchlevel.h	2014-09-25 01:51:19.000000000 +0200
@@ -25,6 +25,6 @@
    regexp `^#define[ 	]*PATCHLEVEL', since that's what support/mkversion.sh
    looks for to find the patch level (for the sccs version string). */
-#define PATCHLEVEL 51
+#define PATCHLEVEL 52
 #endif /* _PATCHLEVEL_H_ */
diff -uwr bash-92/bash-3.2/variables.c bash-93/bash-3.2/variables.c
--- bash-92/bash-3.2/variables.c	2009-06-12 01:29:43.000000000 +0200
+++ bash-93/bash-3.2/variables.c	2014-09-25 02:03:54.000000000 +0200
@@ -318,12 +318,10 @@
 	  temp_string[char_index] = ' ';
 	  strcpy (temp_string + char_index + 1, string);
-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-	  /* Ancient backwards compatibility.  Old versions of bash exported
-	     functions like name()=() {...} */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-	    name[char_index - 2] = '\0';
+ 	  /* Don't import function names that are invalid identifiers from the
+ 	     environment. */
+ 	  if (legal_identifier (name))
+ 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 	  if (temp_var = find_function (name))
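
Review bot: the `legal_identifier (name)` check in variables.c skips the import without any message of its own, and the removed lines were the ones that trimmed a trailing `()` from names exported by old versions of bash, so such names are now rejected as invalid identifiers. Say so in the comment above the check, since this is a behaviour change and not only a hardening.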
@@ -332,10 +330,6 @@
 	    report_error (_("error importing function definition for `%s'"), name);
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
 #if defined (ARRAY_VARS)
 #  if 0

Is my version of bash/sh Vulnerable?

Most likely yes. You can verify this in two ways.

1.) run this terminal command:

bash -version

If that reports something like this (Mountain Lion, OS X 10.8.5)

GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

Or this with Mavericks (10.9.5 Build 13F34):

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

And this with Yosemite (10.10 Build 14A343f):

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin14)
Copyright (C) 2007 Free Software Foundation, Inc.

Then your version of OS X is vulnerable! After you have applied the patch you should see this:

GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin1[2/3/4])
Copyright (C) 2007 Free Software Foundation, Inc.

Note the new patch level (52) in the above lines.

2.) The second test is to run code in a shell by entering:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks like this:

vulnerable
this is a test

Then your version of bash/sh is vulnerable, but this is what you should see with the patched version of bash/sh:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Which is fine!
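
The two checks above, combined into one script as an added example (not part of the original post; the function names are made up for illustration). It reads the patch level from the version banner and runs the same env probe against /bin/bash and /bin/sh, the two binaries that step 6 replaces.

```sh
#!/bin/sh
# Added example: Shellshock self-check built from the two tests in this post.
# bash_patchlevel, classify_probe and check_shell are illustrative names.

# Pull the patch level out of a "GNU bash, version 3.2.51(1)-release" banner.
bash_patchlevel() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p' |
        head -n 1
}

# Classify the probe output: a line reading exactly "vulnerable" means the
# text after the function body was executed while importing the variable.
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# Run the version check and the env probe against one shell binary.
check_shell() {
    shell=${1:-/bin/bash}
    [ -x "$shell" ] || { echo "$shell: not found"; return 2; }
    version=$("$shell" --version 2>/dev/null | head -n 1)
    level=$(bash_patchlevel "$version")
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>&1)
    verdict=$(classify_probe "$out")
    echo "$shell: $verdict (patch level ${level:-n/a})"
    [ "$verdict" = patched ]
}

# Both files have to be replaced, so both are checked.
for s in /bin/bash /bin/sh; do
    check_shell "$s" || true
done
```

check_shell returns non-zero for anything other than "patched", so it can be used in a login or deployment script to flag machines that still need the update.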

ssdtPRGen.sh version 13.9 released

A new version of ssdtPRGen (v13.9) is now available from my Github repository. This update includes the data for the new Intel® Xeon® E5-1600 and E5-2600 Processor Series aka Haswell EP with up to 18 cores and 36 threads and cool new features like:

Per Core P-States

Good news. Intel introduced a new Per Core P-States (PCPS) feature. Something I personally have been waiting for, for several years already. Note though that new power management features are not always a blessing, because they tend to add a new layer of complexity. And PCPS certainly does.

AVX2 Turbo Frequencies

The new Haswell EP processors also come with a new extended instruction set, including AVX2, and ditto maximum Turbo Frequency. This is because AVX2 instructions require more power, and thus the processor will run hotter, so Intel decided to throttle it down a little more than the usual turbo frequency.

Intel PCPS

Integrated Memory Controller

There are SKUs with one and two Integrated Memory Controllers (IMC). SKUs with a single IMC support four DDR3 or DDR4 channels – configurable via registers – and SKUs with two IMCs support two channels each. The first memory controller (IMC 0) is accessible via registers on Device 19-21 and the second memory controller (IMC 1) via registers on Device 22-23 – though for SKUs with one memory controller, Device 22-23 (IMC 1) is not used and should be ignored.


You can get this update by running the following terminal command:

curl -o ~/ssdtPRGen.sh https://raw.githubusercontent.com/Piker-Alpha/ssdtPRGen.sh/master/ssdtPRGen.sh


Questions and bug reports (so called ‘issues’) should be filed at:


Please do not use my blog for this.

Thank you!

New repository for acpiTableExtract.pl

I have updated acpi-extract.pl and renamed it to acpiTableExtract.pl and pushed it to its own Github repository (version on Dropbox will no longer be maintained). This makes it much easier to find with Google and here is how to get it:

curl -o ~/acpiTableExtract.pl https://raw.githubusercontent.com/Piker-Alpha/acpiTableExtract.pl/master/acpiTableExtract.pl

This command will download the file to your user directory and the next step is to change the file mode (+x) with:

chmod +x ~/acpiTableExtract.pl




Questions and bug reports (so called ‘issues’) should be filed at:


Please do not use my blog for this.

Thank you!

VoLTE to boost revenues and attract new customers

Here you have it:

The Alcatel-Lucent End-to-End Voice over LTE (E2E VoLTE) solution helps you deliver voice that enriches the LTE experience. This solution enables you to use voice to boost data revenues and attract new customers

A double win. Then we add this fact:

4G LTE subscribers consume 168% more data than 3G

Good for a triple victory to get your money. Good thinking!

Source: http://www.alcatel-lucent.com/solutions/volte

iPhone 6 (Plus) reviews

Is it me or are all iPhone 6 (Plus) reviews the same? Oh wait. Reviewers are not allowed to talk about benchmark results. No. Heaven forbid. Someone could be disappointed (example: memory in the iPhone 6 is slower than that in the iPhone 6 Plus) and not order the new iPhone. Me? Well. I won’t get one. Not until Apple carts me out in a nice limo to the Apple store. LOL

So Pike. Are you using an Android phone? No. I’m not. In fact. I no longer use “a mobile phone”. What? Yeah man. This phone stuff is outdated. Watch my words!

p.s. I am also not going to use an Apple Watch. Not until it matches a Breitling or Tag Heuer.


I would like to add that Apple did an amazing job with the Apple Watch. It’s much better than what they had in mind for us with the first iPhone, but the battery life is still one of the biggest problems. I mean. Having to charge a mobile phone, or watch, each and every day is just not working for me. And Apple could have solved this problem, because the technology is there already, but that would have made the new devices much more expensive. The problem is that Apple refuses to give in on making such a high profit margin… and that is why the new iPhone isn’t using the latest battery technology. Probably not until companies like Samsung push Apple into a corner again. And again yes, because that is exactly what Samsung did with having bigger screen sizes and contactless charging. Which is still unavailable to iPhone users. I wonder how long this is going to take. Another two years maybe?