ChanServ changed the topic of #asahi-re to: Asahi Linux: porting Linux to Apple Silicon macs | Hardware / boot process / firmware interface reverse engineering | WARNING: this channel (only) may contain binary reverse engineering discussion | RE policy: https://alx.sh/re (MANDATORY READ) | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Logs: https://alx.sh/l/asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<rqou_> ugh, the scalers are such a huge pain to RE
<rqou_> a bajillion different settings covering basically everything iosurface supports
<rqou_> and the driver is implemented as a giant chain of classes inheriting from each other, one for each hardware version
<rqou_> also each tiny group of registers is managed by its own set of classes
<chadmed> millenialhacker: you can write a tracer for the hypervisor to snoop memory accesses to the camera's MMIO. see the tracers in proxyclient/hv/ for examples
user982492 has joined #asahi-re
<chadmed> generating those mmio traces will probably be more useful than trying to decipher the censored XNU boot logs and decompiled kext since we know what interfaces it talks over
<rqou_> anybody happen to know what a "ASE" might be? or what a "DPE" might be?
<chadmed> in what context? the scalers?
<rqou_> yeah, scalers
<chadmed> my first guess would be apple scaling engine or something to that effect
<chadmed> as for DPE, no clue
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
phiologe has joined #asahi-re
PhilippvK has quit [Ping timeout: 480 seconds]
user982492 has joined #asahi-re
ntino^ has joined #asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
<chadmed> huh so the unmapped iova is apparently at 0x2?
<chadmed> and the 0x18 endpoint of mesa only ever tries to touch that when you put your finger on it?
<chadmed> obviously trying to map that fails because it's not real or properly aligned
<chadmed> i dont _think_ the offsets im reading out of the iova block are wrong since size always returns 0x7200 when you put your finger down
jakebot has quit [Quit: The Lounge - https://thelounge.chat]
jakebot has joined #asahi-re
jakebot has quit []
<chadmed> hmm so the sio dart seems to map the memory range with the fingerprint data in it _only_ while youre actively touching the sensor. if i break into the hypervisor while touching, i can add that range to RegMonitor, poll it, and get a huge dump of data
<chadmed> but if i try to do that after removing my finger, the pages are unmapped
<chadmed> i still dont know where this 0x2 is coming from and what that endpoint is trying to do with it, but this is progress i guess
jakebot has joined #asahi-re
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<robinp> millenialhacker: where did you get those cam debug strings from ?
alexsv has joined #asahi-re
user982492 has joined #asahi-re
millenialhacker has joined #asahi-re
ntino^ has quit [Ping timeout: 480 seconds]
millenialhacker has quit [Ping timeout: 480 seconds]
nicolas17 has quit [Quit: Konversation terminated!]
AdityaJS[m] has joined #asahi-re
millenialhacker has joined #asahi-re
<marcan> robinp: that "security switch" is just the thing that turns off the mic/camera when the lid is closed
<marcan> there is no control line from the SEP on M1 Pro/Max and a good chance the one GPIO from the SEP on M1 doesn't do anything
<marcan> absolutely no reason to believe the SEP has anything to do with the camera on these platforms until proven otherwise
millenialhacker has quit [Ping timeout: 480 seconds]
<marcan> millenialhacker: everything should be controlled via ISP over the RTKit interface. RTKit fundamentally uses 64-bit messages and shared memory for everything.
<marcan> you don't care about how the camera works, you only care about what interface ISP exposes for it over the mailbox
<marcan> oh, they're gone...
<marcan> I never got an ack on
<marcan> 20:41:06 < marcan> millenialhacker: reminder to read https://asahilinux.org/copyright/
<marcan> 20:41:29 < marcan> this falls under the section "Referencing other open source code" and in particular the caution about Apple-specific stuff
<marcan> can someone tell them to stick around next time they show up? Or otherwise check logs.
millenialhacker has joined #asahi-re
<jannau> millenialhacker: marcan> can someone tell them to stick around next time they show up? Or otherwise check logs.
<millenialhacker> What do you mean?
<jannau> millenialhacker: marcan was speaking to you after you were disconnected
<millenialhacker> Sorry, I just closed the laptop (it was 2am) and of course it got disconnected
<j`ey> millenialhacker: have you read https://asahilinux.org/copyright ?
<jannau> this was 1 hour ago (07:00 UTC)
<millenialhacker> Are logs falling under "Referencing other open source project" ? or marcan was referring to some bits I got from strings dumped?
<millenialhacker> I have read it a couple of days ago
<marcan> I meant the facetimehd driver
<millenialhacker> Oh, marcan I only pasted the link for the sake of research but I haven't dived into it.
<millenialhacker> The boot-args I found were by REing the init process in Apple's Facetime KEXT
<millenialhacker> Apple's Camera KEXT*
<marcan> same thing; keep in mind that if you're reverse engineering the kext then you can't contribute to the Linux driver a priori
<millenialhacker> I know, the clean room stuff
<marcan> then we're good :)
<millenialhacker> (but nothing prevents me from writing my own driver as long as I do not share it, right?)
<millenialhacker> That was a rhetorical question :)
<marcan> I mean you can share it too, that's your own choice; that policy is about the project as a whole
<marcan> the point is we're trying to keep everything developed as part of the Asahi Linux project legally in the clear
<marcan> obviously I can't stop people from going off and doing whatever they want outside the project
MajorBiscuit has joined #asahi-re
millenia_ has joined #asahi-re
millenia_ has quit [Remote host closed the connection]
millenia_ has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
millenia_ has quit []
millenialhacker has joined #asahi-re
MajorBiscuit has quit [Ping timeout: 480 seconds]
alexsv has quit [Ping timeout: 480 seconds]
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
millenialhacker has joined #asahi-re
millenia_ has joined #asahi-re
millenialhacker has quit [Read error: Connection reset by peer]
millenia_ has quit [Remote host closed the connection]
MajorBiscuit has joined #asahi-re
millenialhacker has joined #asahi-re
<chadmed> oh the command buffer for the fingerprint sensor is encrypted in both directions after the power on sequence
<sven> yeah, that’s what I’d expect
<chadmed> yeah i was just confused as to why there was no discernible pattern in any of the data at all beyond the addresses it accesses and got gaslit into going on a wild goose chase
<chadmed> well at least i kind of understand the format and the power on sequence but i think decrypting the command buffer and getting any useful data out of it is probably beyond me :(
<sven> the command buffer probably directly comes from SEP
<sven> if I were to design this the xnu driver would just be a dumb shin that forwards messages between SEP and the sensor
<sven> *shim
<chadmed> it's interesting because there's actually two drivers for xnu, one does in fact just look like a shim for the SEP but the other is quite large and kind of does what i've been trying to do in my crappy little tracer and seems to handle the low level operation of the device
<chadmed> the SEP shim seems to do the actual encryption etc and this bigger one actually sends/receives the data i think
<chadmed> also handles power gating, command synchronisation, etc
<chadmed> oh well good to know i was (kind of) on the right track but there's probably no point in going any further without the SEP to talk to
<sven> http://f.svpe.de/d48b3719f56e413e94ca40a6e9cbc8636577695c66054ef44093270998999449_trace_sep.py or maybe use that to start trace the SEP side as well ;)
<sven> it's mostly about that sks endpoint but you should at least get the data buffers for sbio as well
<chadmed> ooh yes the fun continues :D
<sven> :>
<sven> last time i used it was a year ago or so, so it might also need some changes
pg12 has quit [Quit: pg12]
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
pg12 has joined #asahi-re
MajorBiscuit has quit [Ping timeout: 480 seconds]
MajorBiscuit has joined #asahi-re
MajorBiscuit has quit [Ping timeout: 480 seconds]
akemin_dayo has quit [Ping timeout: 480 seconds]
millenia_ has joined #asahi-re
the_lanetly_052__ has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
the_lanetly_052___ has quit [Ping timeout: 480 seconds]
millenia_ has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
millenia_ has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
millenia_ has quit []
AurlienBidon[m] has joined #asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit []
millenialhacker has joined #asahi-re
millenialhacker has quit []
m42uko has quit [Remote host closed the connection]
m42uko has joined #asahi-re
m42uko has quit [Quit: Leaving.]
m42uko has joined #asahi-re
m42uko has quit []
m42uko has joined #asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
m42uko has quit [Quit: Leaving.]
m42uko has joined #asahi-re
m42uko has quit []
m42uko has joined #asahi-re
m42uko has quit []
m42uko has joined #asahi-re
m42uko has quit []
m42uko has joined #asahi-re
m42uko has quit []
m42uko has joined #asahi-re
herbas has joined #asahi-re
herbas has quit []
millenialhacker has quit [Ping timeout: 480 seconds]
millenialhacker has joined #asahi-re
m42uko has quit [Quit: Leaving.]
m42uko has joined #asahi-re
MajorBiscuit has joined #asahi-re
MajorBiscuit has quit [Ping timeout: 480 seconds]
MajorBiscuit has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
MajorBiscuit has quit [Ping timeout: 480 seconds]
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
alexsv has joined #asahi-re
herbas_ has joined #asahi-re
user982492 has joined #asahi-re
nicolas17 has joined #asahi-re
herbas_ has quit [Quit: herbas_]
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
user982492 has joined #asahi-re
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
user982492 has joined #asahi-re
user982492 has quit []
bpye has quit [Read error: No route to host]
bpye has joined #asahi-re
MajorBiscuit has joined #asahi-re
MajorBiscuit has quit [Quit: WeeChat 3.4]
yrlf has quit [Quit: The Lounge - https://thelounge.chat]
yrlf has joined #asahi-re
user982492 has joined #asahi-re
kelito has joined #asahi-re
kelito has quit []
millenialhacker has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
alexsv has quit [Ping timeout: 480 seconds]
millenialhacker has quit [Ping timeout: 480 seconds]
Retr0id8 has joined #asahi-re
m5zs7k has quit []
Retr0id has quit [Ping timeout: 480 seconds]
Retr0id8 is now known as Retr0id