Here is a list of projects that I have involved myself in at one point or another. This list is incomplete (indeed, you might find that a recurring theme on this site), but you might find it useful for getting an idea of things that I'm interested in. This is roughly sorted from most recent to most ancient; at the very top are recent actions I've taken on GitHub, which might give a better view of what I've been spending my time on lately.

see also: my local Gitweb setup, on which truly ancient projects are stored, my GitHub page, an old revision of this page.

Recent GitHub activity

All projects

  • ndfslave - reverse engineering a damaged SD card's controller for data recovery (June 2012 - December 2012; Verilog, C, hardware, NAND flash, reverse-engineering, ~300 LOC Verilog, ~4100 LOC C)

    At some point, I accidentally dropped my laptop with an SD card sticking out the side of it, and snapped the SD card in half. Being as I don't believe in losing data, this resulted in a six-month effort of desoldering the NAND flash part and reverse-engineering the controller from it -- and evntually the device management algorithm, too. All of the pictures and videos from the flash medium were eventually recovered.

    on this site: writeup of algorithms and process
    on the web:
    on the web: photos

  • Dali Pebble - a port of Jamie Zawinski's xdaliclock to Pebble (March 2014; Pebble, C, embedded, ~500 LOC)

    on the web:
    on the web: video 1; video 2

  • HoRNDIS - USB tethering driver for Mac OS X (November 2012; Mac OS X, C, kernel-mode, USB, ~1350 LOC)

    on this site: main page for HoRNDIS
    on the web: github/jwise/horndis

  • SSTC mk.II - solid state tesla coil (November 2011 -; electronics, hardware)

    built in collaboration with Jacob Potter and Chris Lu
    on this site: main page for SSTC2

  • rust - various improvements on the Rust programming language (October 2011 -; Rust, C, Linux)

    on the web: github/graydon/rust
    on the web: my commits to Rust

  • naim - Lua and OSCAR support for an ncurses AIM client (late 2008; August 2011; Lua, OSCAR, naim, Linux)

  • e3fsck - a Lua implementation of an ext3 filesystem checker, for 18-746 (March 2011; Lua, Ext3, Linux)

    Sort of like e3lua, except with write support, and for a class. Based on no e3lua code, but based on many of the same design ideas. A little bit more refined this time, for sure... Source eventually, maybe.

  • virtexsquared - a system-on-chip on a Xilinx Virtex-5 (September 2010 - December 2010; Verilog, C, ARM, CPU, SoC, XUPV5, 18-545, ~10000 LOC RTL, ~5300 LOC C)

    For 18-545, my senior capstone design class at Carnegie Mellon, I worked with two others -- Josiah Boning, and Bradley Yoo -- to build a functional system-on-chip on top of the Digilent XUPV5 FPGA development board. Almost every line of RTL in this project was designed and written by us -- the only major component that we didn't write was the DDR2 PHY. (The core was based off of the FireARM core that Chris Lu and I wrote.) The SoC was functional enough to run a small rhythm game (also written entirely by us) that demonstrated real time audio playback, program-controlled CompactFlash access, and real time graphics display.

    There is truly no magic in this system -- everything from the gates to the high-level program code is ours. By the end of these short 3.5 months, we had a SoC, a working demo, and a writeup that, although not perfect, represented the magnitude of the project that we took on. I am immensely proud of this; I think it's the coolest thing I've done to date.

    on the web: final project report (PDF)
    on the web: 545wiki
    on the web: github/teamdragonforce/virtexsquared

  • Precise Power Characterization of Modern Android Devices - what it sounds like (September 2010 - December 2010; electronics, Android, EVO 4G, C, power, 18-743, energy)

    Wei Lin and I collaborated for 18-743 (Energy Aware Computing) at Carnegie Mellon to precisely characterize what, exactly, is drawing so much power on my HTC EVO 4G -- hopefully, answering the question, "where is all the battery going?". This work was only possible from the freedom obtained from unrevoked. This inspired some conversations with Matthew Garrett that as of yet I haven't had a chance to write up, but were certainly interesting.

    on the web: final project report (PDF)
    on the web: 743wiki
    on the web: a close-up of the measurement hardware

  • USB3317 breakout board - evaluation board for a USB3317 ULPI PHY to interface with a DNV6F6PCIe card (August 2010; electronics, work, board design, hardware, USB, FPGA, surface mount, TQFN)

    At work, we purchased a Dini DNV6F6PCIe FPGA board to prototype our next-generation ASIC with. We wanted to test the USB/ULPI functionality of the chip (that was one of the main goals of the FPGA effort), but it turned out that Dini hadn't built the USB board yet, and that it was still a few weeks out on the horizon. I decided to take it upon myself to design, etch, and assemble a USB board that would plug into the .1"-pitch header on the board. I did two spins of the board; the second spin came up pretty much on the first try.

    I got a chance to really hone my board design skills (hopefully to be used again in 18-545), a chance to develop a very effective process for etching a board, and a chance to learn how to do surface-mount assembly (especially with really tiny parts like QFNs). I'm very proud of how the board came out; I look forward to the next time I get to do this.

    on the web: photos of the board during assembly
    on the web: board layout, as shown in EAGLE

  • dumload - an scp client for Android, aimed at easily uploading photos (August 2010; Android, Java, I hate Java, I hate Android, ssh, actually useful, ~650 LOC)

    After four days of blood, sweat, and tears, I finally wrestled Android into running code in a straight line. (For those of you out there who are Android developers, you know how hard this can be.) The fruits of my labor are Dumload, which is a silly scp photo uploader for Android. It is so named because of the techniques that were required to get Android to relinquish control flow to me, but still allow me to prompt the user on occasion.

    Dumload registers for notifications from the 'Share' intent in Android, and uploads the sent file to a (currently hardcoded) ssh server. Once the upload is complete, it runs a script on the remote end called 'pscale', which resizes the image to 1024x768.

    on the web and disgustingly ugly:
    on the web: YouTube video demonstrating dumload

  • snipe for BlargCPU - retargeting of my snipe compiler to BlargCPU (July 2010 - August 2010; SML, compiler, blargcpu, toy, fun, ~1450 LOC)

    At some point, for unrevoked, we needed a good way to pack binaries to keep HTC from reverse-engineering our hacks. We decided that VMprotect seemed like a good idea, but was 1) expensive, 2) too common, and 3) not for ARM, so I went and retargetted my "snipe" L5 compiler to a modified BlargCPU. Without regard to using it as a packer / binary obfuscation mechanism, it was a fun thing to revisit; I'm glad I got to look at that codebase again. One of these days, I might functorialize everything such that both the x86 backend and the BlargCPU backend can live in the same tree.

    Source lives in git; right now, the binutils port is still only on my laptop.

    on the web:

  • unrevoked - set your phone free (June 2010 - ...; Android, Linux, root, security, reverse engineer, EVO 4G, Incredible, C, ARM)

    unrevoked is the name for a project encompassing many subprojects, all of which with the end goal of rooting (and keeping root on) Android devices that you own. Details are scant on the techniques that we used, but we wrote tools to exploit the userspace on Android phones, to exploit the kernel, to exploit the bootloader, and to exploit the radio (all for the goal of allowing the owner to run code in ring 0, and to allow the owner to reflash the ROM on his own device).

    I never though I would be involved in security, and I can't decide whether I like it or not. I long for the day when this arms race doesn't have to exist.

    on the web:

  • granada - proof of concept Linux kernel exploit for CVE-2010-1084 (June 2010; Linux, security, exploit, C, ~350 LOC)

    Over the course of the unrevoked project, we considered many different avenues for rooting the Droid Incredible. One of the methods that we considered, but that didn't pan out, was an attack against the Linux kernel. This ultimately developed into a successful exploit on x86 (but not on ARM), and subsequently, a talk at DEF CON 18.

    I decided not to release source code for this exploit (it was done, and the lessons were learned), since I didn't want to aid skr1pt k1dd13s who would use it maliciously. So, only slides from my talk are available. Brad Spengler IMed me at some point after the talk and posed some questions as to the feasibility of doing it with some GRsecurity features enabled (specifically, PAX_UDEREF and PAX_KERNEXEC). I think I have a mechanism by which I could make this work, but it would be a lot hairier. I need to give it more thought.

    on the web: DEF CON 18 talk listing
    on the web: slides from DEF CON 18 talk

  • patchfork - fork of the excellent Pitchfork MPD client (January 2010; Linux, MPD, PHP, webdev, hate myself)

    When the original author of Pitchfork, Roger Bystrøm, disappeared from the Internet, I took over maintaining Pitchfork, since I absolutely love it. It was starting to bit rot, and was not compatible with newer versions of MPD. It now lives in my git repositories.

    Also, I hate PHP, JavaScript, and most everything about webdev.

    on the web:

  • monitor wall - a 3x3 grid of monitors running Xdmx (October 2009; hardware, wood, Linux, X11, hack)

    Around when the 15-412 lab moved to the new Gates Building at CMU, the lab also acquird about 12 machines from the Wean 5207 cluster that was being upgraded. Along with the machines came their monitors, which connected by DVI, and curiously, could be detached from their mounts.

    Obviously, the correct course of action was to arrange nine of them in a 3x3 array, and run Xdmx on them.

    built in collaboration with Jacob Potter and Chris Lu
    images: xeyes, glxgears.

  • e3lua - an Ext3 filesystem framework written in Lua (July 2009 - September 2009; Lua, Ext3, RAID, Linux; ~700 LOC)

    At some point during the e3tools effort, I discovered that I was going to have to write a lot of datastructure code, which is a task that I despise doing in C. I realized that I was going to keep a lot of tables around, and that I was going to need to do a lot of string manipulation if I wanted to write a small command line interface for my toolset. What better language for the task than Lua? I used the Lunary serialization toolkit to reformat the data that I read from disk. In the end, the library was capable of reading directories using customized "alternate read" parameters; it also provided a simple command line interface using readline to allow a user to explore the filesystem and determine how intact directory structures are.

    on the web: github/jwise/e3lua

  • ambien - kernel extension for Mac OS X to prevent sleeping when clamshell is closed (June 2009; C++, kernel, OS X, ~100 LOC)

    When I bought my MacBook Pro 13", one of the problems that I found was that the system went to sleep automatically when I closed the lid (and there was nothing I could do to disable that behavior). This is probably fine for most use cases, but I usually keep multiple SSH sessions alive with substantial amounts of state while I carry around my laptop, and sleeping the laptop could result in my sessions timing out (or worse, my IP changing when I reobtain my lease!).

    You may be curious at the name; those knowledgeable in pharmaceuticals might note that Ambien actually is for helping one sleep. The name was derived from the original anti-sleep kext, "Insomnia"; Insomnia was unmaintained, closed-source, and would not allow the Mac to sleep even on requests from the Apple menu. Ambien, then, was written to resolve one's problems with Insomnia. (I know. The pun does kill.)

    on the web: Disk image with installer; compatible with both Leopard and Snow Leopard
    on the web:

  • exncall - call/cc implemented in C by copying the stack (May 2009; C, PL, setjmp, insane, hack, ~250 LOC)
  • e3tools - an Ext3 filesystem framework specializing in "no-assumptions" recovery (May 2009 - August 2009; C, Ext3, RAID, Linux, ~2500 LOC)

    In mid-May, there was a gigantic data loss incident on a system that I administrate (mostly brought on by a series of mistakes). Since the machine contained a fair bit of data that I cared about, I decided to write some tools to determine how much of the filesystem was salvageable (the basic method was to determine what "looked bad", and try to look in alternate spots for the data). A significant amount of investigation was done with this toolset; it would be adaptable for other uses, but such adaptation would require writing a nontrivial amount of code. This project was superceded by e3lua.

    on the web: github/jwise/e3tools

  • peblin - Pebbles compatibility layer for Linux completed to about 15-410 Checkpoint 2 (March 2009; C, insane, hack, Pebbles, 15-410, Linux, ~700LOC)

  • FireARM - a first attempt at a pipelined ARM-like core on a FPGA (December 2008 - March 2009; Verilog, CPU, ARM, ~2700 LOC)

    Really needs to be burned to the ground and redone using the knowledge gained in 18-447. A collaboration with Christopher Lu.

  • snipe - C-like compiler written in SML from when I actually did know squat about compilers (written with Chris Lu) (September 2008 - December 2008; SML, compiler, x86, 15-411, ~4500 LOC)
  • NetWatch - a "lights-on lights-out box" running in system management mode, including a VNC server (September 2008 - December 2008; C, SMM, x86, lwIP, ~6000 LOC)

    NetWatch is a System Management Mode (SMM) monitor for off-the-shelf x86 hardware. The project was written for 15-412 class credit in collaboration with Jacob Potter. As a continuation from my work at Google on smash!, we ported the 3c905 network driver from the Linux kernel, wrote a framework for running code in system management mode, wrote a keyboard emulator, wrote a VNC server, and countless other tidbits to make it all work together. The neat thing about NetWatch is that it works while the host operating system is running, even if the host doesn't have its network interface running.

    This project was a spiritual successor to smash!, which was a similar project that I worked on at Google. Thanks to Tim Hockin for helping to get me permission from Google to continue along the lines of the work I started there.

    on the web: github/jwise/netwatch
    on the web:
    on the web: NetWatch project blog
    on the web: presentation slides

  • MandelFPGA - a fully pipelined realtime Mandelbrot set renderer on a Xilinx FPGA (December 2008 - March 2009; Verilog, math, ~500 LOC)

    Although the code style isn't great, I'm proud of this. This worked really well, and shows off the power of what an FPGA can do compared to a general purpose processor. A collaboration with Christopher Lu.

    on the web: Chris's writeup of the project. Well worth a read.

  • xvmouse - small application to get "nice" mousekeys behavior on X11 (June 2008; C, X11, Linux, ~150 LOC)

    on the web:

  • s3load - reverse-engineered USB driver for Digilent NEXYS-2 (May 2008-ish; C, USB, FPGA, reverse engineering, Linux, ~1250 LOC)

    on the web:

  • sb16 driver for Pebbles - Sound Blaster 16 driver for my 15-410 Pebbles kernel (December 2007; C, systems, kernel, sound, ~400 LOC)

    This project was done when I was taking a break from work on the Project 4 that I was supposed to be writing (a memory-mapped filesystem). Ironically, it actually became a Project 4 for one semester when I started TAing.

    on the web: the presentation I gave introducing the project
    on the web: the handout I wrote documenting the card and project (I'm pretty proud of having written that; it was at least correct and clear enough for the majority of our students to successfully implement a Sound Blaster driver.)

  • jwcc - small C-like compiler written in Lua targetting BlargCPU from when I didn't know squat about compilers (August 2007; Lua, compiler, BlargCPU, ~1200 LOC)

    It never worked very well; I ran into issues with register allocation that I never resolved. I maintain that Lua was probably a good language for hacking that out in, though. Maybe I'll come back to it some day.

    on the web:

  • smash! - system management mode post mortem debugger (written for Google, Inc.). Precursor to NetWatch. (July 2007 - August 2007; C, SMM, x86, Linux, debugger, Google)
  • maildir-archive - small utility to archive a Maildir INBOX by date (December 2006; C, Linux, Maildir, Dovecot, ~275 LOC)

    on the web:

  • photon - a silly photon-mapping forward ray tracer (in collaboration with Christopher Lu and Matthew Maurer) (May 2006; C, graphics, ray-tracing, hack, ~1200 LOC)

    on the web: a representative sample rendering

  • blargcpu - small RISC CPU designed to be implementable in hardware (with binutils port) (2005 - 2006; C, CPU, BlargCPU, ~1200 LOC)
  • makepong - silly little trick to play pong on an oscilloscope using X-Y mode mapped to the red and green channels of a VGA port (late 2005; oscilloscope, C, Linux, SDL, ~350 LOC)
  • glPresent - OpenGL presentation/slideshow rendering engine (December 2004; Linux, C++, OpenGL, GLUT, ~2000 LOC except it's C++ so it's inflated from class definitions)

    I had to give a presentation for some class (I think World History in high school), and doing online research in class was boring and frustrating since the high school's computers at the time were incredibly slow (and ran Netscape 4.51 or some such). So, I spent the time in class for working on the presentation writing a presentation layout engine. (It actually produced some nice looking output, rendered by OpenGL -- the only major issue was that the fonts were pretty bad.) The presentations were hardcoded into the source; there was no runtime configurability.

    on the web: glpresent.tar.gz
    screenshot: the only presentation I ever used it for. My presentation skills appeared not to be as strong back then.

  • softfan - a small PWM controller for fans attached to the parallel port (...yeah) (October 2004; Linux, hardware, bit-banging, parallel port, ~150 LOC and a transistor)

    on the web:

  • debrick/hamcop - reverse engineered JTAG interface for HAMCOP companion chip (NAND controller) on iPAQ h2210 (September 2004; Linux, PXA250, iPAQ, JTAG, ARM, reverse-engineering, hardware, ~3000 LOC)

    on the web: CVS, module debrick/hamcop

  • clang - Forth-like language intended for TI-83+. has functional interpreter, incomplete JIT for x86, incomplete TI-83+ port (mid-late 2004; Z80, assembly, C, clang, language, JIT, ~2000 LOC)
  • fastjtag - Mechanism to reprogram the flash on a dead PXA250-based device in a novel fashion (January 2004; Linux, PXA250, ARM, JTAG, hardware, ~2200 LOC)

    The neat thing about this, anyway, was that it loaded the smallest possible stub on the PXA250 using boundary scan -- just enough to have the PXA wait for further instructions to be directly loaded into its instruction cache over JTAG. (Later versions didn't even need the boundary scanned bit, but were rather timing sensitive as to when the chip was reset.) This 'first stage' allowed for up to about 4K of code to be loaded in, which was enough to use the PXA250's debug registers to allow arbitrary memory reads and writes, and "burst" reads and writes to contiguous addresses. I can't remember the exact performance figures, but I seem to remember that it was at least an order of magnitude, if not two, better than boundary scanning an entire image in to flash.

    on the web: CVS, module debrick/fastjtag -- dead link

  • DYCP - Proof-of-concept dynamic Y-coordinate positioning (DYCP) for monochrome GameBoys. (2005?; Gameboy, hardware, Z80)
  • monstertruck - Mini-ITX powered R/C car. Built at camp one year. (2004; hardware, mini-ITX, Linux)
  • iPAQ h2200 Linux - developer on Linux port to iPAQ h2200 (2004; C, ARM, assembly, Linux, NAND,

    Wrote code to load system from NAND flash. Debugged NAND flash I/O code. Added support to LAB to bootstrap system.

  • X-Plane Linux port - port of Laminar Research's X-Plane flight simulator to Linux (2003 - 2007; C, C++, CVS, OpenGL, X11, Linux, Laminar Research)

    Ported Macintosh-specific and Windows-specific code to Linux, including window management using the X Window System, OpenGL interfacing, and sound interfacing using OpenAL. Designed build system. Set up source control in CVS. Tested on various platforms. Provided technical support to users.

    on the web: the X-Plane web site

  • iPAQ h1910 Linux - project leader and lead developer for Linux port to HP iPAQ h1910 (2003; C, ARM, assembly, Linux, iPAQ,

    Wrote BSP supporting LCD, LEDs, USB, battery charging, power management. Coordinated development and integrated submissions from other developers. Provided support.

    on the web: page (dead link)

  • LAB - project leader and lead architect for Linux As Bootloader (2002 - 2005; C, ARM, assembly, Linux, bootloader, iPAQ,

    Linux As Bootloader ("LAB") was the next-generation bootloader for the Linux kernel on embedded devices such as hp's iPAQ product series, leveraging the kernel itself to bring up the board. Designed architecture behind LAB, and implemented LAB to the point of booting an iPAQ h1910 and loading a kernel. Modified kernel Makefiles, linkscripts, and initialization code to support a first-stage loader at the beginning of the binary.

  • ...and more...