ChanServ changed the topic of #asahi-re to: Asahi Linux: porting Linux to Apple Silicon macs | Hardware / boot process / firmware interface reverse engineering | WARNING: this channel (only) may contain binary reverse engineering discussion | RE policy: https://alx.sh/re (MANDATORY READ) | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Logs: https://alx.sh/l/asahi-re
<nickchan> previous stage is pongoOS and the security and seprom stuff is typical jailbreak patches nothing special there
<nickchan> now xnu uses ttbr1 so restoring m1n1 context is not a big problem in general... just like dealing with yet another userland thread... problem is of course before xnu rebases its pc to high address
<nickchan> so on boot do not apply tracing patches till xnu rebases its pc when branching into shellcode from a hooked ret
<nickchan> note some nop only patches like kernel lockdown patches are still applied on boot
<nickchan> another problem is that when xnu is switching into EL0 xnu unmaps basically all of kernel memory by increasing t1sz in tcr, this is unacceptable for tracing, though just skipping the t1sz modification is enough
<nickchan> i think this is a meltdown mitigation?
<nickchan> due to lack of wfi retention the cpu actually comes out of reset a lot and this one is tricky because unlike during bootup the kernel is *already* patched with undefined instructions
<sven> so i still wonder if we'll have to resort to patching xnu for tracing m4+ or if it's easier to virtualize GL2, etc.
<nickchan> this one is kind of hacked around by writing magic values to x2 and patching how the kernel sets up its stack after a cpu reset
<sven> if we do the tracing all this work you've been doing sounds like a good base to start from though
<sven> *if we do the tracing via patching xnu
<nickchan> so the m1n1 stack remains usable (m1n1 is sandwidthed between xnu and top of kernel data so xnu's init pagetables will have m1n1 mapped)
<nickchan> sandwiched
<nickchan> and to reenter m1n1 context from kernel's vbar in high addr it goes like this:
<nickchan> 1. set pan, spsel 2. save gpr to kernel stack 3. save ttbr0_el1 tcr_el1 mair_el1 to kernel stack 4. recover m1n1's ttbr0 5. recover m1n1's mair 6. barrier instructions 7. branch into m1n1 8. set sp to m1n1's stack
<nickchan> now it is possible to call any m1n1 functions
<nickchan> this is on a10x. a11 has more APRR stuff to care about but a10 already has the basics, don't think that would be a problem
<nickchan> and a7-a9 have el3 but since the monitor has a grand total of two smc can just implement in m1n1
<nickchan> one to set where to eret into after the cpu comes out of reset and one that locks down the kernel (this one is just going to be implemented as no op)