Dissecting an asthma inhaler with a dose counter

Back in the 90s, before Le Chiffre made asthma inhalers cool, my mother taught me how to tell if my Proventil canister was empty. If there was any of that sweet sweet albuterol left, it would float vertically in water, but if it went horizontal it was empty.

Apparently, in the years since I was a wheezyboy, inhaler technology has advanced a bit. Modern ones have clockwork contrivances to tell you how much is left, which I have to admit is convenient.

Photo of part of a Symbicort inhaler, showing the dose counter

I got curious about its inner workings, so I pried the whole thing apart and took pictures. Click through to see!

System76 Darter Pro 6: power supply, case screws

I like this laptop a lot! It comes with a Chicony power supply, 19V 3.42A 65W. Those are easy to find, but you have to get the right barrel connector. The nominal outer diameter of the barrel is 5.5mm, the nominal inside is 2.5mm. The tip is positive. I ordered this power adapter from amazon, and the brick part is exactly what I got from System76. The barrel fits correctly except it’s a couple mm too long, which I don’t mind. If that link is dead, try searching for “chicony toshiba satellite 19v 65w.” I like supporting System76, but not quite enough to buy replacement AC adaptors from them.

My case screws keep slowly working out somehow, which is annoying. The screws are M2 by 5 mm long if you need to order them. This screw assortment included them.

Delights of a Minnesotan Gigabit Switch (part 3, good hax!)

Welcome back! I’m rehabilitating and taking control of a Waters Network Systems GSM-2112-POE 12-port managed Ethernet switch. You can check out part 1 or part 2 if you feel like it.

In case you don’t feel like it, I’ll sum up where we are in the story: my current Ethernet switch has no character and isn’t rack-mounted so much as rack-zip-tied:

My old switch held onto a rack shelf by ignominious zip ties

I expect to need more than its four power-over-ethernet ports. I’ve bought a high-quality but decade-old switch from eBay for pretty cheap. The people who sold me the switch did not do a factory reset, and I don’t have the admin password. My attempts to hack the thing over the network have failed up to this point. They could possibly be successful eventually, but they seem like an annoying amount of work. I have bought the cable to go from my USB port to this Serial console on the back of the box:

Photo of the serial port on the back of the ethernet switch

Okay, I hook the new cable up between the Serial port and my laptop. How do I actually talk to it?

In my youth, my daddy taught me to use a program called Kermit to dial into some computer at his work so that I could read rec.pets. Fond memories, and Kermit is furthermore a great name for a program, but alas: I now find it 100% incomprehensible. GNU Screen seems to be the actual thing to use.[1]

The baud[2] rate 57600 comes from the manual. Here’s the command line to connect and start interacting:

sudo screen /dev/ttyUSB0 57600

And rebooting the switch gives:

Read system parameters from IIC EEPROM...Done!

BIOS v1.07 

BIOS(0)> ................................................
............Now booting image...

Followed by the normal login prompt - the login isn’t any different from what I see on telnet. But hey, the BIOS(0)>. The > looks like a command prompt? Yes actually! Apparently you have to be quite speedy, there’s only a few seconds grace period, but after a few tries:

BIOS(0)> help
        BIOS Command line interface HELP     
 help       :  Help for bios command. 
 ls         :  Display the bios command list. 
 sysconf    :  System parameter configuration. 
 flash      :  Flash Device Utility. 
 load(r)    :  Excutable image download[load] & run[loadr] at free memory area. 
 boot       :  vLinux Boot Loader can be selected. 
 dump       :  Memory Dump Command. 
 sys        :  Usage : sys {model|mac{0|1}|prod|ser|hard|mech|ram|flash|show} value . 
 look       :  look ext 0 , 1 ,2 . 
 fill       :  fill memory (4 byte) . 
 sdram      :  SDRAM test . 
 p1         :  p1 {0|1} GBIO Port 1. 
 rd         :  rd block sublock reg 


Huh, sysconf looks vaguely interesting, let’s look:

BIOS(1)> sysconf view

Read system parameters from IIC EEPROM...Done!

|           System Configuration Table             |
|  Configuration Parameter valid !!!               |
|               Boot Configuration                 |
|  BOOT Method : manual                            |
|  Boot File Name :                                |
|  TFTP Server IP Address :          |
|             Ethernet Configuration               |
|  Host Name : RubyTech                            |
|  Ethernet IP Address :               |
|  Ethernet Default Gateway :        |
|  Ethernet Default Subnet Mask :    |
|  Ethernet H/W Address : 00:40:c7:d0:00:00        |

Cool! You love to see the text-based tables, for one thing. But more pertinently, it looks like if I created a bootable firmware image, the BIOS would let me load it onto the switch using TFTP and boot into it! So how do I do that?! Actually, it’s not super easy.[3] So I put this possibility in my back pocket for now. Another interesting thing we can see here is the name RubyTech. I asked Jeeves, and RubyTech is apparently a Taiwanese supplier of private label network equipment. Presumably it’s where Waters bought the hardware?

I poked around the menu a while longer, which I’ll spare you. The most useful thing turned out to be the memory dump command:

BIOS(4)> dump 0x0
00000000:0000000f   18 f0 9f e5 18 f0 9f e5  -  18 f0 9f e5 18 f0 9f e5 
00000010:0000001f   18 f0 9f e5 18 f0 9f e5  -  18 f0 9f e5 18 f0 9f e5 
00000020:0000002f   01 18 a0 e3 01 24 a0 e3  -  04 30 90 e4 04 30 82 e4 
00000030:0000003f   04 10 51 e2 fb ff ff 1a  -  58 23 5e 00 ff 10 a0 e3 
00000040:0000004f   00 10 80 e5 14 01 9f e5  -  20 10 a0 e3 00 10 80 e5 
00000050:0000005f   f8 00 9f e5 f8 10 9f e5  -  00 10 80 e5 5c 00 8f e2 
00000060:0000006f   fe 1f 90 e8 ec 00 9f e5  -  fe 1f 80 e8 f0 00 9f e5 
00000070:0000007f   01 18 a0 e3 5e 28 a0 e3  -  04 30 90 e4 04 30 82 e4 
00000080:0000008f   04 10 51 e2 fb ff ff 1a  -  5e f8 a0 e3 00 00 00 00 
00000090:0000009f   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25 
000000a0:000000af   00 00 00 00 00 00 00 00  -  00 00 00 00 80 03 04 20 
000000b0:000000bf   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c 
000000c0:000000cf   f8 3f 50 05 60 00 04 14  -  50 00 08 24 4c 00 09 25 
000000d0:000000df   00 00 00 00 00 00 00 00  -  00 00 00 00 80 03 00 10 
000000e0:000000ef   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c 
000000f0:000000ff   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25 

=   1. Next Memory Address View![Any Key] =
=   2. New Address Input![N]              =
=   3. Exit [Q]                           =

Well, cool - we can see the memory in hexadecimal format. That page doesn’t actually mean anything to me yet, but there’s got to be good stuff in there if we look through everything! At last, a clear direction - time to start hackin’, baby! That’s what real hackers say, right?

Here’s a script using pexpect to start the serial communication and interact with the BIOS menu to record everything to a file, memory_dump.txt.

Assuming you’ve got a Python 3 virtualenv env with pexpect installed, and the script is dump_memory.py, you’d invoke it as sudo env/bin/python dump_memory.py. Once the script is started, you would Reset the switch.

import pexpect
import time

# Start communicating with the switch
child = pexpect.spawn('screen /dev/ttyUSB0 57600')
# Tell pexpect to record one side of the conversation -
# everything the switch sends to the laptop - to a file
child.logfile_read = open('memory_dump.txt', 'wb')

# This means to ignore everything the switch sends to us,
# UNTIL we get the '> ' - the BIOS command prompt.
child.expect('> ')
# Start the memory dump at address 0
child.send('dump 0\r\n')

# Keep sending Space every time it's done printing
# a block of memory
while True:
    child.expect('Next Memory Address View')
    child.send(' ')

I run it for a while - maybe an hourish? At some point, I notice that it only seems to be reading f8 3f 50 05 over and over and over again. This pattern seems to start at the 20 megabyte boundary (0140 0000 hex). There are a few other bytes thrown in, but this seems boring, so I stop the process.

I don’t want to deal with this as hex, I want to make it a binary file so that I can unzip it if it’s zipped, search for strings, and so on. So I write another small python3 script, to separate the lines with hex data from the lines with BIOS(0), the instructions, and so on, and then convert the hex to the binary characters it represents:

# Example lines this will deal with:
#
# 000000e0:000000ef   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c
# 000000f0:000000ff   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25
#
# =   1. Next Memory Address View![Any Key] =
# =   2. New Address Input![N]              =
# =   3. Exit [Q]                           =
# 00000100:0000010f   00 00 00 00 00 00 00 00  -  00 00 00 00 13 02 04 a0
# 00000110:0000011f   00 00 00 00 00 00 00 00  -  00 00 00 00 60 83 21 9c

out = open('memory_dump.bin', 'wb')

# errors='replace' keeps stray non-text bytes in the log from
# stopping the read.
for line in open('memory_dump.txt', 'r', errors='replace'):
    # Exclude lines with only instructions & stuff.
    # There's also all kinds of control codes and junk
    # in there, but I ignored it and it didn't
    # seem to matter?
    if line and line[0] in '0123456789abcdef':
        line = line.strip()
        # The sections of the line are separated by double spaces.
        # We don't care about the address or the dash, just the
        # first and second sections of data.
        addr, first, dash, second = line.split('  ')
        # Turn the hex digits into the bytes they represent
        # and append them to the binary file.
        out.write(bytes.fromhex(first + ' ' + second))

out.close()


So I’ve got a 20+ megabyte binary file - what is in there? I have seen people do pretty wild stuff to firmware images with a program called binwalk, so I install that and set it loose. Unfortunately, it misidentifies basically everything. Nope, that’s not a stuffit file, and that other thing isn’t 7zip. I don’t know. It doesn’t do it for me.

Presumably there must be a kernel in there, and possibly file data, but I don’t get as far as figuring that out, because strings turns out to be the only analysis tool I need. strings is a basic Unix tool that looks inside a binary file for parts that look like text. I spend a bit of time paging through the results, but eventually I get bored, and search for admin, the administrator username from the documentation. Boom!


There it is! Very likely the password![4]

I had been expecting a normal Linux /etc/passwd or shadow file entry like admin:$1$YjOzcqrf$Zqx4sx5CQRuEIFCdOLAJV0:0:0:admin:... but no, it seems to be sitting there in plain text, no password cracking required! Sure enough:

L2 Managed Switch - GEPoEL2-SW12

Login: admin


If you’re doing this on your system and the memory layout is identical, then you should just have to dump one block, starting at 0x011b0400. This switch has the concept of two independent configurations, one that’s used when rebooting and another that can be made active by a command. So that you can really screw up the temporary config, and when everything goes to hell, reboot the switch and everything should be peachy again. Anyway, I did see another copy of the user/pass data at 0x013b0400, two megabytes after the first copy, so maybe that’s how this double config thing works.
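An added example, not the author's script: a stricter take on the conversion step that checks every row's address, so rows lost on the serial line show up as gaps instead of silently shifting everything after them, and then lists printable strings with their memory addresses so that repeated copies of a config block can be located. The transcript in SAMPLE is constructed, and the function names are hypothetical.

```python
import re

# One dump row: "start:end   8 bytes  -  8 bytes". search() is used so that
# terminal control codes in front of the address do not hide the row.
ROW = re.compile(
    r"([0-9a-f]{8}):([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+){8})-\s+((?:[0-9a-f]{2}\s*){8})$",
    re.I,
)


def parse_dump(text):
    """Return (base_address, image_bytes, gaps) from a logged dump session."""
    base, image, gaps = None, bytearray(), []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue                      # prompt, menu text, blank or damaged line
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end - start != 15:
            continue                      # corrupted address field
        if base is None:
            base = start
        expected = base + len(image)
        if start < expected:
            continue                      # row repeated in the log; keep the first
        if start > expected:              # rows lost on the serial line
            gaps.append((expected, start))
            image.extend(b"\x00" * (start - expected))
        image.extend(bytes.fromhex(m.group(3) + m.group(4)))
    return base, bytes(image), gaps


def find_strings(image, base=0, min_len=4):
    """Like `strings -t x`: (address, text) for each printable-ASCII run."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(image)]


def find_all(image, needle, base=0):
    """Addresses of every occurrence of needle in the image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed transcript (not real switch memory). Row 0x30 is missing on
# purpose, and the last row has a terminal control code in front of it.
SAMPLE = "\r\n".join([
    "BIOS(4)> dump 0x0",
    "00000000:0000000f   18 f0 9f e5 18 f0 9f e5  -  18 f0 9f e5 18 f0 9f e5 ",
    "00000010:0000001f   52 75 62 79 54 65 63 68  -  00 61 64 6d 69 6e 00 00 ",
    "00000020:0000002f   f8 3f 50 05 60 00 00 04  -  50 00 08 24 4c 00 09 25 ",
    "",
    "=   1. Next Memory Address View![Any Key] =",
    "\x1b[K00000040:0000004f   52 75 62 79 54 65 63 68  -  00 61 64 6d 69 6e 00 00 ",
])

if __name__ == "__main__":
    base, image, gaps = parse_dump(SAMPLE)
    for lo, hi in gaps:
        print(f"missing rows: {lo:#010x}-{hi:#010x} (zero-filled)")
    for addr, text in find_strings(image, base):
        print(f"{addr:#010x}  {text}")
    print("copies of 'admin':", [hex(a) for a in find_all(image, b"admin", base)])
```

A reported gap means the zero-filled range was never captured, so that part of the dump should be read again before drawing conclusions from it.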

Anyhow! Yay! The switch is mine now! My naming scheme for computers is names of fictional musicians (e.g. Jake and Elwood Blues), plus fanciful stage names of real musicians (e.g. Tank Slagknuckle and Stellar Tellar).[5] So, I’m pleased to introduce Mr. Fabulous:

Beauty shot of the switch installed in a network rack

Wider shot of the network rack

Mr. Fabulous has been doing strong work for a month or two now, and I’m very pleased. I set up a VLAN for some of my Internet of Shit devices, and the switch’s port mirroring capability made that very easy to debug. The switch’s extremely beefy-looking internal power supply has had zero trouble taking care of the four powered devices on my network - I’ve never noticed the switch get perceptibly warmer than ambient temperature.

relaxen und watschen der blinkenlichten

Given the one to two decade old network security of the switch’s web interface, I’ve placed that off in an inaccessible subnet, and I do all my admin through the serial console. Just because I’m too lazy and simpleminded to hack this thing over the network, that doesn’t mean everyone is.

Thanks for reading!

  1. Why is Screen a serial communication console as well as a window manager and a bad process supervisor? IDK, I slightly resent Screen. Give me Tilix any day! Except the day I need to talk to a crusty ol’ serial console. Humph. 

  2. Re: data transmission, check these videos out if you want to be fascinated, or this paper if you want to be both fascinated and bored! 

  3. According to an article from hackaday,

    There is no uniform way that ARM processors are booted and there’s no uniform or even standardized boot software for ARM-based chips.

  4. It’s not the real one, since I told you too much about the institution the box came from. The real password had an air of sadness though. 

  5. I made an exception for this switch’s predecessor. I thought that since it was a Power over Ethernet (PoE) switch, it should be called Edgar Allan. But I bet everyone with a PoE switch thinks the same thing :-/ 

Delights of a Minnesotan Gigabit Switch (part 2, good fans and bad hax)

My charming blue piece of history arrived with two problems:

  1. Its fans were noisy
  2. Its management interface was locked and I didn’t know the password

Good Fans

For problem 1, the solution was obvious: new fans. It needs two of these:

Photo of the fan

The OEM parts only seem to exist in odd places now, but the concept is universal and cheap: 5 Volt 40x40x10mm fans. PCs use 12 Volt versions, you have to be careful to get 5V. And match or go under the watts of the existing item. I bought Noctua NF-A4x10 5V fans, with 3-pin connections. This worked fine, except that the original fans’ power connectors appeared to be wired backwards from the new ones. WTF wat. I checked with a voltmeter and yeah.


The helpful Austrians at Noctua anticipated this kind of problem, and sent some solderless, insulation displacement connectors and plenty of adaptors and extension cables. This let me fix the wiring without destroying anything actually connected to the fan. The connectors, the transparent orange thingies flopping around below, work great, but only if you squash them COMPLETELY. My fingies, my hands, and even I’m ashamed to say my teeth, were not sufficient to close them and make a good connection - pliers are a must.

Screengrab of the fan wiring

The fans are quiet! One reason they’re quiet is that they’re lower power than the old ones, but with only three Powered Devices attached, I’ve never noticed the switch get hotter than ambient.

A weird thing is that I’m 80% sure the fans blow in opposite directions. The one you can see well in the video is an exhaust fan, but I think the other one blows on the “lee side” of the PoE power supply, so that it isn’t becalmed.

Bad Hax

Anyway, that accomplished, it was time to attempt to gain control. The switch’s model number is Waters Network Systems GSM-2112-POE. Here is its manual. As it arrived, I did not even know its IP address - I tried pinging its factory default, but no dice.

To find what it thought of as its address, I connected to it with an ethernet cable and ran sudo tcpdump -i enp38s0f1 (the latter being the name of my wired ethernet device apparently). This worked, it considered itself I set my laptop up as its neighbor, .209, added a route, and sure enough I could ping it now. Time to telnet!

Screenshot from the manual (GSM2112_poe_manual.pdf)

That’s from their manual - it looks so easy! But the default admin/admin login was not in place. I dejectedly tried passwords like admin, nimda, root, toor, wizard, 12345, qwerty, asdf, zxcv, xyzzy, hunter2, and so on, but alas: nuthin.

I poked around for a telnet password brute-force program, and found Hydra plus a list of the 10k most common passwords. I set it going, but it turned out that the telnet service on the box was not actually reliable enough to brute force very well. Apart from actual failed logins, it would also just disconnect pretty often.

I had noticed that if you fail to login, it will eventually provide you help:

Please keep the serial number and contact the sales representative !


L2 Managed Switch - GEPoEL2-SW12


This implies that there’s some way to reset the password over the network, maybe over telnet or maybe with a magic packet of some kind, computed from the serial number? Without anything more specific to go on, I didn’t feel like investigating further. I did try actually contacting sales, but Waters Network Systems’ sales staff did not get back to me despite my polite and complimentary e-mail. All the phone numbers I tried from the web site were disconnected. I tried hard in google and found a current office for the company in a town called Hayfield: it does seem to exist still, but I was making progress on other fronts so I never did manage to get in touch.

Inside the case are two jumper switches, and on the outside is a Reset button. I thought maybe it would do a factory reset if you cross your eyes, remove one jumper, hold Reset for 22 seconds, and pray to Saint Dunstan (patron saint of locksmiths)? I tried every combination of the jumpers and the button I could think of, but no joy.

The switch runs its management web site on thttpd 2.04, which was released in 1998.

HTTP/1.1 200 OK
Server: thttpd/2.04 10aug98

And sure enough, it has a 1998-style security hole: a buffer overflow when parsing the If-Modified-Since header, discovered by DJB (who has the coolest domain name, cr.yp.to). Unfortunately, I was not able to find a pre-made exploit for this two decade old vulnerability. And in terms of actual development of exploits, I know just nothing at all. Smashing the Stack for Fun and Profit passed me right by…

But there could still be web app vulnerabilities! Command injection! Arbitrary file reads! That would also be right in style for 1-2 decade old software! Even before I logged in, some of the pages would load skeleton versions with no data. But I was having a heck of a time guessing more than a couple page names, and the manual frustratingly did not show the URL bar on the screen caps. One feeble exception:


At this point, I ordered a USB -> db9 serial cable. I hoped that the console port on the back would give me more privileged access.

Screenshot of the eBay listing: Waters Network Systems GSM-2112-POE 12-port ProSwitch PoE Gigabit Switch

Spoilers, YES it did! I recommend that you get excited for PART THREE in which I… PWN! THAT! SWITCH!

Delights of a Minnesotan Gigabit Switch (part 1, background)

My old Asus wireless router was done. Dropped connections, Drawfee constantly interrupted, the black box physically hot all the time. Hardware fault? Crypto miner? Unauthorized host of copyrighted videos and malware? Who could say? I felt the pain, but an excitement was also brewing: A chance to Do It Right, read, obsess, crawl on my belly like a reptile (under the house with Ethernet cable). Yes. r/HomeNetworking shot up the ranking on my new tab screen. (I poked my head briefly into r/homelab before deciding that honestly I do have limits). After a discernment process, I bought a lightly used UniFi ensemble, and the calm blue glow cheered my heart.


I made what I felt were elegant loopies going up to my patch panel.

Photo of the network on the wall

But what is someone who buys the fanciest system and then… stops? The boring kind of nerd. They have no ambition, only purchasing power from a good job in IT related fields. I thirsted for something more. Something rack-mounted, yeah, and old. Something inscrutable. But something supplying power over Ethernet, because a separate PoE injector is inelegant. And not 100 megabit, hey, even our Comcast is faster than that.

Many fresh faces stared at me from eBay. But too fresh.

eBay listing screenshot: BV-Tech 5 Port Gigabit PoE Switch. BVTech, gadish!

eBay listing screenshot: Netgear Prosafe FS728TP 24 Port 10/100 POE Smart Switch. Netgear, at least it’s metal

eBay listing screenshot: TRENDnet 10-Port Gigabit PoE Switch. TRENDnet, entertaining that the status LEDs’ arrangement has no relationship at all to the row of ports

The Cisco Catalyst and HP ProCurve stirred me a little more.

eBay listing screenshots: Cisco Catalyst 3560 WS-C3560-48PS-S 48 Port Fast PoE Ethernet Switch; HP ProCurve 2520-8 8 Port PoE 10/100 Rack Mountable Network Switch J9137A

Gigabit is cheap, actually, in the used market, and so is PoE. But the combination is both expensive and bulky. I realized that almost all of the charming ones were a few inches too deep for the tiny network rack I’d bought from a German roboticist in a police station parking lot outside Indianapolis.

Frustrated and increasingly frantic, I returned to the very, very end of my eBay watch list, to a box that had caught my eye a week earlier. Waters Network Systems, you say? Who the heck is that?

Screenshot of the Waters Network Systems website

A website ©2011, featuring case studies of jelly bean iMacs!

Google Maps screenshot

A sheet metal office in a Minnesota town literally called Hayfield!

Screenshot of the eBay listing: Waters Network Systems GSM-2112-POE 12-port ProSwitch PoE Gigabit Switch

A blue metal case with noisy fans, for $50 OBO. Pulled from a school in Boca Ratón but currently living in Brooklyn. Yes. This is the level of mystery I want in my life. Gigabit, PoE, AND it fit the rack with whole inches to spare. I bought it for $45 plus shipping, and it arrived strong and blue, four days later.

The fans had the shottest bearings I ever did hear.

And the management interface was still password protected. The Reset button wasn’t that kind of reset button. Por favor, get excited to hear how I beat down these obstacles! You can now read part two, in which I fix the fans and don’t quite own the switch, and part three in which I break in!

Doctests in Octave

Hey nice, ten years later my goofy hack of prefixing all the variables with DOCTEST__ still lives on in the octave-doctest package! I love to see it.

Blog renewal / sorry for RSS spam

Hey, I’m switching around my blog hosting. Hopefully if it’s easy to post, I will post more than once every 6 years. And, just in case there’s somehow still someone using Atom to follow this blog, sorry for reposting all that stuff from 2014.

Wait, is that William Carlos Williams?

3-part PSA:

  1. Don’t run the disposal if there is glass in it.

  2. Remove glass from the disposal if it ends up there, or at least let people know.

  3. The disposal is broken because it is full of glass.

– Paul Stewart, a former housemate.


JSON Web Token (JWT) Authorization for Python's Requests

JSON Web Tokens are “a compact URL-safe means of representing claims to be transferred between two parties.” The “claims” are assertions about what’s going on, and they’re cryptographically signed, either with a shared secret between client and server or using public key cryptography.

One place they’re being used is in Mozilla’s BadgeKit API. There, clients of the API have a shared secret with the server. That secret is used to sign a statement of the HTTP path, method, and request body (for POST and PUT requests). Assuming nothing important happens in the other HTTP headers, this means that an eavesdropper can only replay the exact HTTP request that the real client made. This makes it better than simply including unchanging credentials, because once the credentials are sniffed from the network, they can be reused to make any request to the server.

Unfortunately, JSON Web Tokens are fiddly to assemble. There is a good implementation for Python called PyJWT (PyPI). However, to use it with Kenneth Reitz’s immortal work, requests, one must write a custom authentication plugin. Well, I’ve done that! Yay! The code is on GitHub, and on PyPI as requests-jwt. The documentation is on Read the Docs.

import requests
from requests_jwt import JWTAuth, payload_method

auth = JWTAuth('superSekr3t')
# ... other claims/payloads
resp = requests.get('http://auth-required.example.com/', auth=auth)
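What the receiving server has to check for the replay property described above to hold, as an added example using only the standard library (it is not code from requests-jwt, PyJWT or BadgeKit). The claim names `method`, `path`, `body` and `exp` and both function names are assumptions made for the illustration; the `exp` claim goes one step beyond the text by also limiting how long an exact replay stays valid.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_request(secret, method, path, body=b"", ttl=60, now=None):
    """Client side: HS256 token whose claims describe this one request."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"method": method, "path": path,
              "body": hashlib.sha256(body).hexdigest(), "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + b64url(_mac(secret, signing_input))


def verify_request(secret, token, method, path, body=b"", now=None):
    """Server side: accept only if the token was made for exactly this request."""
    now = int(time.time() if now is None else now)
    try:
        head64, claims64, sig64 = token.split(".")
        header = json.loads(b64url_decode(head64))
        claims = json.loads(b64url_decode(claims64))
        signature = b64url_decode(sig64)
    except ValueError:                     # wrong part count, bad base64, bad JSON
        return False
    # Pin the algorithm: never let the token choose "none" or anything else.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    # Constant-time comparison of the MAC over the first two segments.
    if not hmac.compare_digest(signature, _mac(secret, head64 + "." + claims64)):
        return False
    if not isinstance(claims, dict):
        return False
    exp = claims.get("exp")
    return (isinstance(exp, int) and exp > now
            and claims.get("method") == method
            and claims.get("path") == path
            and claims.get("body") == hashlib.sha256(body).hexdigest())


if __name__ == "__main__":
    secret = b"superSekr3t"                # same sample secret as the snippet above
    body = b'{"name": "Example badge"}'    # constructed request body
    token = sign_request(secret, "POST", "/badges", body, now=1000)
    print("exact replay:   ", verify_request(secret, token, "POST", "/badges", body, now=1010))
    print("different path: ", verify_request(secret, token, "POST", "/other", body, now=1010))
    print("different body: ", verify_request(secret, token, "POST", "/badges", b"{}", now=1010))
    print("after expiry:   ", verify_request(secret, token, "POST", "/badges", body, now=2000))
```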

This is part of my current work with Dr. Daniel Hickey, bringing digital badges (which are more interesting than they sound) to online courses hosted with Open edX.

Matlab xUnit DocTest transfers ownership

At a previous job, I worked a lot with Matlab. This was in 2010, before Matlab had any testing tools included, and the best testing tool was Steve Eddins’ Matlab xUnit package.

I loved (and love) the Python doctest module: it’s both a clever hack and a very useful tool. I decided to make a version of it for Matlab.

Matlab isn’t the kind of language that lets you really control the namespace of the code that is running. Python, for instance, has a nearly empty namespace by default when you run code in a separate file. R has similar capabilities, although (for me) they are clunkier to use. But, unless you explicitly make some code a function, Matlab runs it more like a script, sharing the namespace of whatever code calls it. This makes ‘doctest’ a tricky concept to implement - either you have to manipulate the documentation strings into functions, or else control the available variables very carefully.

I chose the latter route, ending up with this hilarious test-running method. I wrote it normally, and then renamed all the variables, from example_var to DOCTEST__example_var. So, the test code isn’t actually isolated, but at least it should never modify the test-running function’s state accidentally. I think, given the limitations of the language, that’s the best I could do. And it was useful. And check out the doctest on that method! Heheheh.

Anyway, the reason this comes up today is that I haven’t worked at a job with a Matlab license for several years. And GNU Octave, while probably useful for number crunching, lacks a lot of Matlab’s finer points, including its classdef classes. So I basically haven’t worked on it at all for 3 years.

But hey good news, Open Source! Mr Paul Sexton has offered to take over maintainership! I accept. That’s nice. He’s already made some changes that make the code runnable on modern Matlab versions, showing the value of having a maintainer who can at least run the code. I’m glad, and excited to see where he takes the project! Even if it’s just keeping it runnable, I expect that a few people will benefit. Good!

As an aside, I’m on the lookout for my next numeric language. I’ve had success with NumPy and Pandas, but I’ve also heard nice things about Julia. I was thinking about making doctests my first practice project in Julia, but actually, Julia doesn’t even support docstrings. Its builtins have text that’s associated with them, that shows up in help("blah"), but there’s currently no way to do that for your own code. That seems really important to me. I’ll probably stick with Python for my next vectorized-math project, though I continue to follow Julia now and then.