Okay, that was kind of a lie. But let me explain.

I don't have anything against AI tools. On this blog, I occasionally use tools such as Apple's proofread feature, and other tools such as Kagi Doc (which is in a private preview as of the writing of this post), to help polish an already-written post. I've also used AI to help create some of the features and elements on bomberfish.ca. Most recently, I used AI to create the animated interactive background (based on a set of guidelines that I set out), and the Google Photo Sphere viewer component used in the Google Glass post (although, that actually wraps an existing library). It's also really useful for menial tasks such as cleaning up stylesheets and migrating library versions.

But, I would like to make some commitments here.

I will never fully AI-generate any text or image on my blog. If I refine a post using AI tools, I will commit both the unedited and edited versions to the git repository. You can see an example of such a diff here. If an image is enhanced with AI-powered tools (such as Topaz Photo for upscaling), I will disclose it as such in the image caption.

I'm not going to outsource my creativity to a robot. This blog is a place for me to express myself, and I intend on keeping it that way. It has been, and will remain, a slop-free zone.

I really want to start posting on this blog more often. I have a slightly longer post in the works right now, and a whole pile of discards that I couldn't get to be the length I wanted.

But then again, I could just start writing more short posts so I don't have to keep to that high standard.

It's 2026, and it's time I redesigned this website for the 4th time since last fall. Let's take a look at what's new.

I've decided to start doing update logs on the website now. Stay tuned for future updates!

New layout

In 9.0, I opted for a much cleaner and more compact layout, with a centered content box. On mobile, the box occupies the entire screen for visual neatness. It also adapts well to smaller displays and older browsers.

Refined visual language

Since 9.0 is mainly a layout overhaul, the general visual language of 8.x has been mostly left intact, with tweaks to how elevated surface colors are used. More iconography is present throughout the site, and the appearance of things like borders has been consolidated.

Adjusted colour palette

The palette from 8.x has been tweaked a considerable amount, being somewhat darkened and with the hue shifted to match that of my new profile picture. Additionally, I've refractored how certain colors are computed, adding more flexibility to the palette. You can even temporarily hue-rotate the palette using the slider in the "About This Website" page. Note that it does not persist on a full reload.

Updated background

Gone is the slow-to-load dithered background from 7.x and 8.x. In 9.1 (which was released the day after 9.0), it's been replaced with the grid from late 6.x, which in it of itself it a modified version of the dot grid of 5.x. A couple of the parameters were tweaked to match the vibe of version 9, but it remains largely unchanged from its 6.2 incarnation.

Overhauled projects page

Keeping with the theme of bringing back older design decisions, the projects page's grid layout from 6.x and 7.x has been brought back in 9.2 (released 2 days after 9.0). Additionally, support has been added for the finalized version of CSS masonry, meaning an even more beautiful layout will be coming soon to a modern browser near you!

Performance and compatibility

I've been hard at work improving performance. That's why I'm glad to announce that bomberfish.ca has achieved a perfect score across all categories in Lighthouse desktop performance! Font loading was optimized to lazily load web fonts, with the page using the system's installed version of the regular Helvetica font and swapping Helvetica Now in when it loads. I've also removed various unused assets, and while the CSS bundle size has risen since last time, I was able to increase browser compatibility. I can now confirm that the site functions with a near-perfect layout on Firefox 10!

This post originally started as something where I talked about my experience using BlackBerry's software keyboard on Android, but soon morphed into a discussion about reclaiming your attention span in a world where everything seems to be hand over fist in trying to take a slice of it.

I have a pretty weird hobby: collecting old BlackBerry phones. All my friends call me crazy, but on the other hand I've talked to many former RIM employees who've assured me otherwise. Nonetheless, there's been one thing that's stuck with me: those keyboards were goddamn excellent.

My experiences

In the past few months, I've personally been trying to fix my attention span somewhat by segmenting my digital life. I usually carry a mobile phone for communication, a camcorder for taking photos and video, an iPod for listening to music, and a PSP for playing video games. This makes it so moving between digital tasks requires you to take your attention off the current device, physically swap devices, and then finally refocus on the new task. This is unlike the current paradigm, where everything you do is an app on your phone, and you end up doing multiple things at once and keeping multiple tasks on your mind at once (which does get rather fatiguing!)

I did attempt to daily drive a BlackBerry Q10 from my collection for about a week, but dealing with the sheer pile of workarounds needed to make modern messengers usable quickly got tedious. I have since decided to concede that part of my life and switch back to a mainstream vertical phone, but I do have a pre-order placed for the Zinwa Technologies Q25 (a BlackBerry Classic retrofitted with a modern budget Android mainboard) and it should be arriving in late January of 2026. Earlier backers have already received their units, and they seem to be going pretty well quality-wise, so expect a full review on this blog when my unit arrives.

Now, let's get to where it all ties in with the physical form factor of the keyboard phone.

Form factor is everything

This is a BlackBerry Q10, released in 2013. It has a 3.1 inch 720p AMOLED, 2GB of RAM, 16GB of storage, and a 35-key QWERTY keyboard.

The first thing that you'll notice is that the aspect ratio is extremely inconvenient for things like short-form vertical video, but very useful for doing things like writing emails. The Q10 specifically has a square screen, but the majority of devices of this form factor used horizontal screens typically at a 4:3 aspect ratio.

Usually on a mainstream, vertically-oriented phone, you get the same usable amount of screen space when composing text as on a keyboard phone. The key part is when you're composing text. Due to, well, consumer wants, modern phones are content consumption machines first and foremost. You scroll X, TikTok, and Instagram vertically, and you occasionally rotate the phone sideways to watch traditional horizontal video. The originally-intended purpose of the device, to make phone calls and send messages to people, is demoted to a secondary function.

Apart from the attention span bit, physical keyboards on phones have other benefits. One example I've heard is that it's much easier to type while busy doing something like driving (for legal reasons I don't condone this bla bla bla). Additionally, a hallmark feature of some phones of that era (especially BlackBerry devices) is the ability to navigate the operating system through a set of hardware navigation buttons in addition to a trackball, optical trackpad, or rotary encoder. This enables the use of the device with gloves, an absolute godsend in my home country of Canada, where in the winter your hands will get cold and numb after a minute of typing on a touchscreen phone.

Conclusion

Maybe it is time to make a returnal to how we used to do it. Maybe we will be better off doing it. But there's only one way to find out.

Before I moved onto my current 16" MacBook Pro with an M4 Pro, I used to daily drive the 4-port variant of the 2020 13" MacBook Pro. Being the last model of Intel Mac ever produced, it obviously became a hot mess (literally! the idle temperature was 80ºC) which is why I made the move. One thing I did miss however, was the Touch Bar.

For the uninitiated, from 2016 to 2020, certain Mac notebooks ditched the standard function row for a small touchscreen OLED, which could change its software buttons and controls based on the context of the current app. This choice quickly became a controversial one with many power users complaining that it ruined muscle memory. This concern was actually addressed in the Touch Bar's original implementation, with an always-present software escape key (which was later replaced with a physical one in the 2019 and 2020 models to create a very nice hybrid approach) and the ability to display the classic function keys instead of the app-dependent controls.

Now, I actually used the app-dependent mode, and I actually quite liked it! It was really useful in apps that supported it, and didn't really get in the way when I didn't need it. There was an option to change the mode on a per-app basis, so when I used an app that didn't support the Touch Bar and made heavy use of the function keys, I could force it to display those keys all the time.

In the end, I did end up adjusting to the return to hardware keys on my new MacBook. But something inside me still yearns for that, even if unorthodox, cool little differentiating feature.

I'd like to preface this by saying that I am by no means qualified or deeply knowledgeable in the topic at hand. If you came here expecting a nuanced and well-researched take on the current pace of AI development, it's best you turn back now. I'm just a moody teenager with a strong opinion and nowhere to voice it.

And if you were wondering, this post was never touched by clanker hands (tool calls? shoggoth tentacles?)
What you're reading is 100% human-created.

With all of that out of the way, let's get started.

Some background

The year is (late) 2025. "Attention Is All You Need" was published 8 years ago, OpenAI released gpt-3.5-turbo 3 years ago (despite a year earlier refusing to release GPT-3 due to concerns around misinformation!), and we currently live in an absolute hellscape of an AI race. We're continually getting the new "best model ever" on a weekly basis. Billions are being poured into anything with "AI" in the pitch deck, and if it all goes south, we get a second Great Depression. Not to mention, everyone's racing to build hyperscale datacenters and GPU farms to train these models and do inference with them, which has definitely had quite a few consequences.

And you're telling me we haven't stopped to think for just a minute? Let's just go over a few of the adverse effects:

• Layoffs: No, this doesn't mean that LLMs can replace people's jobs. It means that managers think that they can.
• Environmental Impact: You've heard this one before, but it's still true. Those aforementioned hyperscalers use lots of electricity, and all of that has to come from somewhere. Let's just say, renewables aren't quite our main power source yet, and the noise made from their cooling systems is an absolute nuisance they are to the towns they're built near.
• Everyone forgets how to think for themselves: Studies show that making the machine think for you does in fact make you think less.
• Misalignment: If we don't stop and make sure the machine is aligned with human values, we'll end up building Skynet.
• Misuse out the wazoo: ...wait. That deserves an entire section of its own!

How other people are using AI to make the world a worse place

Alright. First of all, let's pick off the easiest thing: fabricated information. As I mentioned before, OpenAI themselves were worried about the proliferation of fake news when GPT-3 was created (that didn't stop them from releasing it anyways!).

The obvious things are fake news stories, backed up by AI-generated images, video, and audio. But that only scratches the surface. Take, for example, scams. Now, a random fella in Nigeria can fake the voice and face of one of your relatives and demand a ransom. Do you really want that future? Your grandparents– hell, even your parents don't stand a chance!

Now, for something a bit more serious. Various private companies (e.g. Palantir, Flock Safety) are using AI-based solutions to enhance their (rather creepy!) surveillance platforms. It's only a matter of time before we slip into the Watch Dogs timeline, and it probably won't be as cool as the games.

Anyway, now that I'm getting a bit tired of writing, let's go over a few common arguments against the slowing of AI development in rapid-fire succession.

"If we stopped, China would beat us!"

Bullshit. If humanity was able to work out nuclear nonproliferation in the 60s, I can guarantee we can agree to put down the H100s for a few years and work out the ethics of this Pandora's box we've opened and maybe regulate it a bit.

Also, the Cold War is over, ya damn boomer.

"You're just a luddite!"

For crying out loud, I'm not calling for some kind of Butlerian Jihad against all autocorrect. I said I just wanted to take a short break.

"Regulation stifles innovation!"

Yeah, apply the same logic to something like cars. Would it really be a great idea to have every road be an Autobahn with no traffic lights or signs? Hopefully then you can understand why putting regulations on AI is a good idea.

Conclusion

All in all, I really think we should just take a breather, y'know? Figure out if it's really worthwhile to go all in on the tech, and maybe put some rules and regulations in place to tame the beast we've created.

But of course, that'll never happen, because number must go up now.

Note: I do plan on posting on this blog more often now. I'm not exactly good at it right now, but it'll get better over time.

I was recently working on adding an RSS feed to this newly-moved blog, and I couldn't help but notice that less and less sites had RSS feeds as time went on. Now, I personally grew up mostly in a post-RSS world, but I do remember the tail end of its popularity.

Origins

The early internet was very sparse, as search engines were far less advanced as they are today. I mean, think back to the last time you actually used a bookmark instead of either using Google or letting your browser's history autocomplete do most of the work. RSS was created so you could keep a tab on your favourite blog, and its ability to attach files even gave birth to podcasting! (Whether that was a good or bad thing is up to you.) Nonetheless, RSS was popular enough that most blogs used it and most blogging software supported it.

Decline

Social media has been around for around as long as RSS has been. In fact, many social media platforms offered RSS feeds, so you could check up on what your friends or the people you followed were up to. This all changed with the advent of the algorithmic timeline, shifting the focus from connecting with others to consuming content. Many social media platforms quietly removed their RSS feeds in the early 2010s.

The decline can also be attributed to people starting to get their news exclusively from social media platforms and other algorithmic news feeds such as Flipboard or Google News. This meant that people no longer needed to subscribe to individual blogs or news sites, as they had all their information fed to them by the machine.

Rebirth?

From the late 2010s, and especially in the mid 2020s, there's been a resurgence in desire for a return to a simpler web. To put it simply, people are tired of the current meta. With the advent of LLMs skewing the share of human to nonhuman content on social media, people yearn for a time when the web was a place for humans to connect with each other, not slop farms. RSS perfectly fits into this vision, because it allows users to curate their own experience on the net without relying on algorithms dictating what they should see.

So, who knows? Maybe we'll all be using RSS again in a couple years.

I recently came across an interesting listing on eBay. At first I thought it was a Dev Alpha B, a device sent out to developers before the release of the BlackBerry 10 platform. But upon closer inspection, I realized it more closely resembled a retail Z10, albeit with markings denoting its status as a non-consumer unit. So, I ordered it.

Initial impressions

The device arrived after a few weeks (as to be expected with international shipping), and the first thing I noticed is that when powering it on, it first showed the initial boot splash, but the screen went dark immediately after with no signs of life afterwards. After a little bit, I decided to press a few buttons, and to my surprise, I accidentally activated the screen reader. This means that the phone booted fine, but some kind of bug prevented it from initializing the display. I then connected it to an older computer and started up BlackBerry Link, and the software recognized the device.

Update (2025-11-31): It turns out that the display backlight was off. Oops.

Update (2026-01-03): I managed to figure out that running displayctl power_off; displayctl power_on through the exposed telnet root shell brought the display up manually. I might do a quick follow up post later about all the interesting internal goodies and whatnot I was able to find.

The software version however didn't seem right. Instead of starting with "10.x.x", the version number was "127.0.1.7295". I decided to ask around in the Lunar Project Discord server, and one member suggested running RIM's Command-Line Programmer, also known as cfp.exe. I did so, and some of the output was interesting:

Bootrom Version:       5.35.0.33
    Hardware ID:       0x8500240A RIM BlackBerry Device
    HW ID Override:    0x8500240A (OSTypes: 0x00000010)
    Hardware OS ID:    0x051D0001
    BR ID:             0xFF009000
    Supported Bands:   0xFFFF                    ***** WARNING *****
    Metrics Version:   6.43
    Build Date:        Feb  7 2013
    Build Time:        13:29:07
    Build User:        ec_agent
    Security:          Disabled

OS Version:            127.0.1.7295 DEV
    Hardware ID:       0x051D0001 RIM BlackBerry Device
    Metrics Version:   3.18
    FS Code Version:   0.0.0.0
    Package Version:   ""
    Build Date:        Sep 30 2013
    Build Time:        13:07:49
    Build User:        ec_agent

Note the "Security: Disabled" and the "DEV" suffix on the OS version. This meant that it was an internal OS version that had many security features disabled. Someone else suggested trying to connect to the device through the RNDIS network device exposed over the USB connection, which worked. There was a shell exposed over telnet with the credentials root/root, and a separate developer console on HTTP port 8080.

I then inserted a microSD card and used dd to extract various partitions. Finally, I uploaded the created images to the Internet Archive, where you can download them right now.

Note: This article is primarily an embedded frame. This may cause problems with assistive software.

I've recently been working on Transcribe, a tool which transfers playlists between music streaming services directly inside your browser (Demo video). To add support for Apple Music, I had to reverse-engineer its API. Now, you may be wondering:

Why not just use MusicKit?

For anyone who doesn't know, MusicKit (JS) is Apple Music's official API. The issue with MusicKit is that using it requires an active Apple Developer Program membership. This would require me to pay Apple almost $150 every year, which is money I do not have. So, I had to resort to a more legally dubious method.

Now without any further ado, let's get into the cool stuff!

Please note that this is far from complete and should not be considered complete documentation. It might be updated in the future. Also, please hire me Apple :3

How I did it

This is very simple. I simply opened Apple Music's web client in my browser, opened the Network tab in Chrome's DevTools, and watched any fetch requests it made.

The base URL for all requests is https://amp-api.music.apple.com.

Authentication

The API seems to need two pieces of information to accept requests: a user token (via the Authentication header) and some cookies.

As for the cookies, I haven't looked into what parts of the cookie the API actually requires to be there, but pasting everything sent in the Cookie header works fine.

Common data types

Here are a selection of TypeScript types from Transcribe. I'll refer to them later in example responses.

/**
 * Represents a generic reference to an Apple Music resource.
 */
interface AMResourceReference {
  id: string;
  type: AMResourceType;
  href: string;
}

/**
 * Represents a relationship link to other resources.
 */
interface AMRelationship<T extends AMResourceReference> {
  href: string;
  data: T[];
  meta?: { // Optional meta information, seen for tracks
    total: number;
  };
}

/**
 * Container for included resource objects, keyed by type, then ID.
 */
interface AMResourcesContainer {
  'library-playlists'?: { [id: string]: AMLibraryPlaylist };
  'playlists'?: { [id: string]: AMCatalogPlaylist };
  'library-songs'?: { [id: string]: AMLibrarySong };
  'songs'?: { [id: string]: AMCatalogSong };
  'apple-curators'?: { [id: string]: AMAppleCurator };
  'artists'?: { [id: string]: AMArtist };
  'albums'?: { [id: string]: AMAlbum };
  'music-videos'?: { [id: string]: AMMusicVideo };
  'stations'?: { [id: string]: AMStation };
  'uploaded-videos'?: { [id: string]: AMUploadedVideo };\
}

Getting stuff from your Library

Recently Added

Endpoint: GET /v1/me/library/recently-added

All Playlists

Endpoint: GET /v1/me/library/playlists

You can limit the number of playlists returned with the limit parameter. What the response would look like:

[
  {
	tracks: AMRelationship<AMResourceReference>,
	catalog?: AMRelationship<AMResourceReference>,
  }
]

Songs in a specific playlist

Endpoint: GET /v1/me/library/playlists/:id

What the response would look like:

[
  {
	data: AMResourceReference[],
	resources?: AMResourcesContainer,
  }
]

Managing your Library

Creating a Playlist

Endpoint: POST /v1/me/playlists What your body should look like:

{
  attributes: {
    name: string;
	description: string;
	isPublic: boolean;
  },
  relationships: {
  	tracks: {
	  data: [
	  	id: string,
		type: "songs"|"library-songs"|"music-videos",
	  ]
	}
  }
}

What the response would look like:

[
  {
  	id: string;
  	type: "library-playlists",
  	attributes: any,
  }
]

Other

Search

Endpoint: GET /v1/catalog/ca/search This one's a bit tricky. I haven't quite cracked how it handles parameters, but here's what parameters I use in Transcribe to search for only songs:

let params = {
    "art[music-videos:url]": "c",
    "art[url]": "f",
    extend: "artistUrl",
    "fields[albums]":
        "artistName,artistUrl,artwork,contentRating,editorialArtwork,editorialNotes,name,playParams,releaseDate,url,trackCount",
    "fields[artists]": "url,name,artwork",
    "format[resources]": "map",
    "include[albums]": "artists",
    "include[songs]": "artists",
    l: "en-CA",
    limit: limit,
    "omit[resource]": "autos",
    platform: "web",
    "relate[albums]": "artists",
    "relate[songs]": "albums",
    term: query,
    types: "songs",
    with: "lyricHighlights,lyrics,serverBubbles,subtitles",
};

Relevant types for the response:

/**
 * The top-level structure of the Apple Music API search response.
 */
interface AMSearchResponse {
    results: AMSearchResults;
    resources?: AMResourcesContainer; // Included full resources (optional based on request/results)
    meta?: AMSearchMeta; // Optional meta information
}

/**
 * Represents the 'results' part of the search response, containing different groups.
 * Keys are typically the `groupId` values.
 */
interface AMSearchResults {
    top?: AMTopSearchResultGroup;
    artist?: AMSearchResultGroup<AMResourceReference>;
    album?: AMSearchResultGroup<AMResourceReference>;
    song?: AMSearchResultGroup<AMResourceReference>;
    playlist?: AMSearchResultGroup<AMResourceReference>;
    'radio_episode'?: AMSearchResultGroup<AMResourceReference>; // Note: uses station type reference
    station?: AMSearchResultGroup<AMResourceReference>;
    'music_video'?: AMSearchResultGroup<AMResourceReference>;
    'video_extra'?: AMSearchResultGroup<AMResourceReference>; // Note: uses uploaded-video type reference
    [key: string]: AMTopSearchResultGroup | AMSearchResultGroup<any> | undefined; // Index signature for flexibility
}

/**
 * Represents the 'top' results group which contains mixed types.
 */
interface AMTopSearchResultGroup {
    // No href/next at this level
    data: AMResourceReference[];
    name: string; // e.g., "Top Results"
    groupId: 'top';
}

/**
 * Represents a group of search results for a specific type (e.g., artists, albums).
 */
interface AMSearchResultGroup<T extends AMResourceReference> {
    href?: string; // Link to refine search for this type
    next?: string; // Link to next page of results for this type
    data: T[]; // Array of references for this type
    name: string; // Display name (e.g., "Artists")
    groupId: string; // Internal group ID (e.g., "artist")
}

/**
 * Represents the 'meta' part of the search response.
 */
interface AMSearchMeta {
    results: {
        order: string[]; // Array of groupIds in display order
        rawOrder: string[]; // Array of groupIds potentially including types with no results
    };
    metrics?: { // Optional metrics data
        dataSetId: string;
    };
}

macOS is a nice operating system, but is very lacking in good functionality out of the box. Thankfully, lots of solutions exist for minor nitpicks and issues.

All apps are free unless indicated otherwise, and I am not affiliated with any of the developers. Expect this list to be updated over time.

Productivity

Raycast

Raycast is a Spotlight Search replacement for macOS.

yabai

yabai is a tiling window manager for macOS, similar to Hyprland, sway, or i3 on Linux.

Bartender 5

Bartender ($30, but free trial can be reset by clearing app data) is an app that can hide excess menu bar items until you expand them. As mentioned earlier, if you clear the app data (e.g. using AppCleaner), the free trial can be extended by another 30 days.

Development

Warp

Warp is an excellent terminal application for macOS, Linux and Windows that has a modern user interface. They also gave me a free shirt once.

Hex Fiend

Hex Fiend is a fast, native hex editor for macOS.

Maintenance

OnyX

OnyX is a comprehensive utility for maintaining your Mac. It lets you perform maintainance tasks such as rebuilding indexes and clearing system caches, in addition to other useful features such as various inaccessible system settings.

OmniDiskSweeper

OmniDiskSweeper shows you a map of the files on any storage device sorted by size, and lets you easily free up space.

AppCleaner

AppCleaner lets you completely and thoroughly uninstall apps on macOS. It's pretty useful for clearing the data of apps that download a lot of miscellaneous files.

Hello! In this article, I’d like to go over how I was able to make an Arc Browse For Me result link which could display whatever content I wanted.

In this article, I’ll refer to The Browser Company of New York as “BCNY”, and Browse For Me as “BFM”.

Update (2025-03-04)

BCNY seems to have resolved this issue... by disabling the sharing of BFM pages. The API endpoint seems to be down as well. Existing links however, still work.

The goal

Make a shared BFM link display whatever content I want.

What is Arc Search?

Arc Search is the mobile companion app to BCNY’s popular desktop browser, Arc. Arc Search’s claim to fame is Browse For Me, an AI-powered search engine, similar to Perplexity or SearchGPT. In the Arc Search app, you can press the share button in a BFM page, which generates a link you can share with your friends (i.e. https://search.arc.net/UYwUAKlR1Qm5fWDYuzPO).

Backstory

Recently while I was using BFM on Arc Search, I began to wonder why sharing the page took a long time (~5-10 seconds). So, I fired up Proxyman on my iPhone to intercept the HTTP traffic going to and from my phone, and what I found was surprising.

How sharing a Browse For Me result works

When you press the Share button on a BFM page in Arc Search, it fires a POST request to https://search.arc.net/api/share. However, in the body of request, I found that the entire contents of the search page were sent as well. Here’s how a typical request looks:

POST /api/share HTTP/1.1
Content-Type: text/plain; charset=utf-8
Host: search.arc.net
Connection: close
Content-Length: 142321

{
  "stream": [],
  "raw": "",
  "shouldRetain": false,
  "finished": true
}

The raw key can be ignored, as the server also seems to ignore it. The real magic is in the stream key, which is an array of JSON objects. This contains everything that is displayed on the frontend.

All objects in stream have the following keys in common:

• title: string
• type: string, can be one of the following:
  • emojiList - A list with emoji as bullet points
  • sectionTitle - A subheading
  • userFeedback - Asks for user feedback
  • citation - A citation. This will show a “Verified” tag next to the url, regardless if it was fake.
  • pageTitle - The title at the top of the page
• isFinished: boolean
• isPlaceholder: boolean There are also other values in objects which differ depending on the type.

Any value in the body can be changed without the server caring, which means you can easily falsify results.

Once a link is created, the server sends a response like the following:

HTTP/1.1 200 OK
Cache-Control: public, max-age=0, must-revalidate
Content-Type: text/plain;charset=UTF-8
Date: Mon, 28 Oct 2024 20:30:45 GMT
Server: Vercel
Strict-Transport-Security: max-age=63072000
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url
X-Matched-Path: /api/share
X-Vercel-Cache: MISS
X-Vercel-Id: cle1::iad1::wd6z4-1730147445251-0db83fb9f76c
Connection: close
Transfer-Encoding: chunked

{"shareID":"PNmICgV7lW4zJxmVDr71"}

shareID seems to be the link’s ID. I navigated to https://search.arc.net/<id>, and lo and behold, my content was there!

It even works on the Arc Search app, when visiting the shared link:

What are the risks?

The ability to create custom search results brings with it dire consequences, most alarmingly the ability to falsify search results and pass them off as legitimate. For example, my hijacked page includes a fake quote from https://arc.net, which displays a “Verified” tag next to it.

This creates a risk of misinformation being spread through Arc Search, while it appears to be a legitimate search result. For example, a search for “Who won the 2020 US election?” could be modified to state the winner was Kermit the Frog. The link could then be shared online, and convince some people of the fabricated result.

Demo

You can see a live version of a fake search page here, and an archived version is available here in case BCNY takes it down or they go out of business (VC money doesn’t last forever). For research purposes, the exact request body I used to generate it can be found here.

Fix and Conclusion

BCNY can fix this issue by generating a fixed link when a result is first generated and keep the process completely opaque from the client, similar to what competing services do already. But for now, this has been BomberFish, and I do declare; end broadcast.

Hello, friends! Today, I'd like to go over how I got root shell access to the Jadoo3, an obscure set-top box from 2013.

What is the Jadoo3?

As you can extrapolate from the name, the Jadoo3 is the third set-top box by JadooTV. The device aims to provide on-demand content from South Asia and the Middle East, with the name originating from the Hindi word for "magic".

I've had the device for a while, but haven't found anything to do with it until now. As such, it's been collecting dust in a half-disassembled state for some time.

Internals

Opening up the device, we can see the heart of the machine.

In the center, we can see some sort of SoC, with a model number of VSI1871A-CBE3. Searching for this online returns very few results, with no datasheet available.

NOTE: Just off screen to the bottom left of the image, there seems to be a 10-pin header, which could be a debugging interface such as JTAG. However, this was not needed, as will be discussed later in the article.

However, in the front-left corner of the PCB, we can see some identifying information. The device seems to be based on the Syabas Popbox V8, another set-top box which is powered by the SMP8670, a MIPS CPU created by Sigma Designs.

Getting in

Booting the device up and getting it connected to a network, we can run nmap to reveal an open telnet service on port 23. This can't be good.

That's right, a root shell was exposed on an open, unauthenticated channel. From there, it was as simple as connecting with nc <ip> 23.

What's very interesting is that the box seems to run on a flavor of Linux. Running uname -a gives us the following output:

Linux JADOO 2.6.29.6-22-sigma #263 PREEMPT Thu Feb 12 17:19:10 MYT 2015 mips GNU/Linux

This seems to confirm this is a MIPS processor by Sigma Designs, as discussed earlier. The contents of /proc/cpuinfo gives us more insight:

system type             : Sigma Designs TangoX
processor               : 0
cpu model               : MIPS 24Kc V7.12  FPU V0.0
BogoMIPS                : 466.94
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

SMP8XXX Chip ID         : 8671
SMP8XXX Rev ID          : 2
System bus frequency    : 351000000 Hz
CPU frequency           : 702000000 Hz
DSP frequency           : 351000000 Hz

Specifically, it seems to be a revised version of the SMP8670, called the SMP8671.

Checking /proc/meminfo indicates the device comes with ~128MB of RAM.

What now?

The device's interface is apparently Flash-based, so it might be possible to replace some of the included apps with arbitrary swf files. Additionally, the standard Linux framebuffer is exposed, which could open up the possibility of running non-flash programs (DOOM anyone?).

I will most likely make one or more follow-up posts if I manage to get my own programs running on the device.

For now, this has been BomberFish, and I do declare; end broadcast.

Note: Scroll to the bottom of the article for a TL;DR.

Updates

Recently, Apple has added the capability to install apps directly from a developer's website. However, the review requirements discussed below still apply.

Access control

NEW: iOS appears to use a new daemon, countryd, to determine eligibility. It checks various device factors, such as Wi-Fi region, SIM card, and more.

In iOS 17.3, a new MobileGestalt key called DeviceSupportsEUCapabilities was added, which may have something to do with sideloading. If somehow a sandbox escape is released for 17.4, it might be possible to enable this even if you don't live in the EU. However, it may not be worth it. Let's find out.

Becoming a Marketplace

All quotes in this section come from this article.

First of all, the changes aren't "sideloading" per se. Instead, Apple is allowing registered developers (the ones who pay a $100 fee yearly) to create an "alternative app marketplace". I'll let Apple themselves explain how someone can do that.

If you’re interested in becoming a marketplace developer in the EU, the Account Holder of your Apple Developer Program membership will first need to agree to the Alternative Terms Addendum for Apps in the EU. Once they’ve agreed, they can submit a request for the entitlement.

Additionally, you must "provide Apple a stand-by letter of credit from an A-rated financial Institution of €1,000,000". This makes it impossible for smaller companies (let alone individuals) to open their own app stores, and essentially crushes any hopes of true sideloading by the end user.

Codesigning

All quotes in this section come from this article.

As you may know, all binaries that run on iOS require a valid code signature. Let's see how this works for the new sideloading mechanism.

Developers can submit a single binary and will be able to choose alternative distribution options in App Store Connect.

Apple will encrypt and sign all iOS apps intended for alternative distribution to help protect developers’ intellectual property and ensure that users get apps from known parties.

These two quotes from Apple signify that you will still have to submit apps to Apple for signing if you want them to run on iOS.

Functionality — Binaries must be reviewable, free of serious bugs or crashes, and compatible with the current version of iOS. They cannot manipulate software or hardware in ways that negatively impact the user experience.

Security — Apps cannot enable distribution of malware or of suspicious or unwanted software. They cannot download executable code, read outside of the container, or direct users to lower the security on their system or device. Also, apps must provide transparency and allow user consent to enable any party to access the system or device, or reconfigure the system or other software.

These two points mean that it will be impossible to install jailbreaks (or jailed tools) through this new "sideloading" mechanism.

Conclusion

Apple's recent announcement of allowing third-party app stores for customers in the EU is not much more than a case of malicious compliance. They did the bare minimum to comply with the law, and it shows. If you want a better explanation, I highly recommend this video.

TL;DR

• The new "sideloading" in iOS 17.4 sucks.
• Developers have to pay Apple not only $99 a year for the Dev Program, but also €1,000,000 so Apple can "trust" them.
• All apps still need to be reviewed by Apple.
• It will be impossible to install jailbreaks/jailed tools with this new sideloading mechanism.

Updates

• 2024-01-26 (shortly after initial publish)
  • Add conclusion
• 2024-04-23
  • Fix wording, clarify web installation and countryd

Recently, I made a proof-of-concept edge proxy called Superposition. It was very unpolished, and served only as a proof-of-concept.

Infrared

In my last post on this topic, I mentioned I was working on a new proxy called Infrared. I am proud to announce that I have officially released it, and you can visit it at infrared.bomberfish.ca. This post will explain the challenges behind creating a proxy like this.

TompHTTP

Since my last proxy was so unpolished, I made sure Infrared conformed to a popular proxy standard. Thankfully, the TompHTTP standard proved popular enough.

bare-server-worker

It turned out that work was already done for porting the TompHTTP bare-server to the Workers runtime, called bare-server-worker. However, this implementation was not maintained, so it only supported the older V2 standard.

Adding V3

Adding support for the newer V3 standard was trivial, as the only major change was merging the old URL segment headers into a new header, named x-bare-url.

Frontend

I opted to use Ultraviolet as my bare client, as it was well-maintained and had a large userbase. For the webpage, I used a heavily-modified version of Ultraviolet-Static, as it was written in vanilla HTML.

Hosting

For hosting the website, I decided to use Cloudflare Pages, as hosting both backend and frontend on Cloudflare's edge network would reduce the chance of the frontend being blocked via IP address (versus GitHub Pages, which was my host of choice)

What next?

I plan on adding search suggestions and overall improving user experience.

Windows 11

• Used tiny11 b1 iso
• Got to winPE, trackpad did not work. USB mouse did though.
• Couldn't start installation, complained about missing disk drivers

Windows 10

• Worked fine, needed to install EC drivers from CoolStar.
• Make sure to use a dedicated Windows USB installer such as WoeUSB on Linux.

Fedora 38 Workstation

• Booted and installed fine
• All devices seem to work well (trackpad, kb, wifi, bt)
• Best to install to stateful partition. Storage size is good enough™, also allows you to go back to crOS via recovery usb.
• Stable enough to daily drive

This post is a part of an ongoing series on running web proxies using Cloudflare Workers.

Recently, I made a proxy called Superposition, running on Cloudflare's Workers serverless platform.

You can check out its source code here.

How?

It turns out there's already a project for proxying requests using CF Workers, called Workers-Proxy. It works by making a request to a fixed URL, then returning the response to the user. The only issue is that it only works with a single domain, which is hard-coded into the program.

Superposition fixes this issue by checking for a ?url= parameter in the requested URL. If the parameter is present, it proxies the provided URL. If not, it returns a landing page for you to input a URL.

Another feature of Superposition is that when it proxies a website, it also injects a button fixed to the top-left of the screen to go back to the landing page.

Why?

The idea was simple: Since existing proxy websites rely on a central server which may or may not be close to the user, why not use an established global network such as Cloudflare to proxy the requests?

What next?

I am currently working on a new proxy, dubbed Infrared, which is completely compliant with the TompHTTP specifications. Infrared aims to be more stable than Superposition, and includes more advanced features such as WebSocket proxying.

Wait. What exactly is MacDirtyCow?

MacDirtyCow, often abbreviated as MDC, is a security vunerability that exploits a race condition in XNU's virtual memory system to overwrite the cached version of any given file. Because of its versatility, it has been used in a number of recent iOS customization apps such as Cowabunga.

I'm saying this like I'm some mega-nerd who knows how everything works, but in reality I don't even know how copy-on-write works 😭

Now with that out of the way, let's get into how you can make your own app that leverages the MacDirtyCow exploit.

Prerequisites

• A Mac with Xcode 14+ installed
• An iOS device with an iOS version of 16.1.2 or below. I recommend anywhere from 15.0 to 16.1.2.

Getting Started with your Xcode Project

Open Xcode. You should be presented with a screen similar to this:

Click "Create a new Xcode project" to create a new project. Select "App" under the "iOS" tab. Click Next and you will be prompted to choose options for the project. Set it up similar to the image below, but make sure to change the Product Name to what you want your app to be called, and the Organization Identifier to whatever you want. Make sure Interface is set to SwiftUI and Language is set to Swift.

Click next and save the directory wherever you want.

Congratulations! You've made your first Xcode project.

Adding MDC

Now here comes the fun part: adding the MacDirtyCow exploit.

Option 1: Using DirtyCowKit

Step 1: In Xcode, under the file menu, click "Add Packages..."

Step 2: In the search bar, enter https://github.com/BomberFish/DirtyCowKit. Click "Add Package" and then "Add Package" (again) and it should add the package to your project.

OPTIONAL: Add the AbsoluteSolver package from the following link: https://github.com/BomberFish/AbsoluteSolver-iOS. Absolute Solver will automatically toggle between regular file operations using Swift's FileManager and an MDC-based operation.

Option 2 (advanced, not recommended): Manually adding the exploit files

Step 1: Get the exploit files. You can easily find these from somewhere like the Cowabunga GitHub repository.

Step 2: Add the files to your Xcode project, making sure to include them in your bridging header. If you don't know what that is or are confused, you're best off using option 1. The steps below are for option 1 only.

Unsandboxing

At the top of your <Project name>App.swift file, type import DirtyCowKit. Then, under ContentView(), add the following code:

.onAppear {
    if #available(iOS 16.2, *) {
        print("Throwing not supported error (mdc patched)")
        DispatchQueue.main.async {
            let alert = UIAlertController(title: "Not Supported", message: "This version of iOS is not supported.", preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
            UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil)
        }
    } else {
        // grant r/w access
        if #available(iOS 15, *) {
            print("Escaping Sandbox...")
            DispatchQueue.main.asyncAfter(deadline: .now() + 0.15) {
                do {
                    try MacDirtyCow.unsandbox()
                } catch {
                    let alert = UIAlertController(title: "Unsandboxing Error", message: "\(error.localizedDescription)\nPlease close the app and retry. If the problem persists, reboot your device.", preferredStyle: .alert)
                    UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil)
                }
            }
        }
    }
} 

Your file should look something like this:

import MacDirtyCow
import SwiftUI

@main
struct DirtyCowExampleApp: App {
    var body: some Scene {
        WindowGroup {
            ContentView()
                .onAppear {
                    if #available(iOS 16.2, *) {
                        print("Throwing not supported error (mdc patched)")
                        DispatchQueue.main.async {
                            let alert = UIAlertController(title: "Not Supported", message: "This version of iOS is not supported.", preferredStyle: .alert)
                            alert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
                            UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil)
                        }
                    } else {
                        // grant r/w access
                        if #available(iOS 15, *) {
                            print("Escaping Sandbox...")
                            DispatchQueue.main.asyncAfter(deadline: .now() + 0.15) {
                                do {
                                    try MacDirtyCow.unsandbox()
                                } catch {
                                    let alert = UIAlertController(title: "Unsandboxing Error", message: "\(error.localizedDescription)\nPlease close the app and retry. If the problem persists, reboot your device.", preferredStyle: .alert)
                                    UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil)
                                }
                            }
                        }
                    }
                }
        }
    }
}

Using MDC

Here are some examples of using MDC in your app.

How to replace a file

import MacDirtyCow
MacDirtyCow.overwriteFileWithDataImpl(originPath: String, replacementData: Data)

If you opted to add AbsoluteSolver earlier

import AbsoluteSolver
AbsoluteSolver.replace(at: URL, with: NSData)

What now?

I recommend using websites like Hacking With Swift to up your Swift knowledge. Also make sure to look at the source code of other MDC applications like Cowabunga, ControlConfig or AppCommander for more advanced usage.

Otherwise, happy hacking!

Revisions

• 2023-05-12: Minor updates
• 2023-09-26: Fix formatting