<Jamie[m]>
by firmware properties you mean the things set with command 6?
<Jamie[m]>
oh yeah i see
<Jamie[m]>
alright, i'm going to do something awful
<Jamie[m]>
on the assumption that it's sane to try doing AVD just with direct register poking and maybe a little custom firmware, I'm gonna see if I can get the firmware running in an emulated cortex-m3, proxying peripheral read/writes back to the hardware
<Jamie[m]>
and interrupts from the hardware
<Jamie[m]>
so we can treat all of macos PLUS the firmware as a single black box
<Jamie[m]>
and feed video in -> watch register accesses come out
<sven>
i think you mean s/aweful/amazing/
<Jamie[m]>
i think the awful/amazing verdict will probably be decided by whether i do this in c in m1n1 or as a proxyclient script
<rqou_>
Jamie[m]: i'm literally trying that right this moment
<rqou_>
except Unicorn Engine is behaving like the flaky pile of hacks it is
<rqou_>
Jamie[m]: got any good cortex-m3 emulators?
<chadmed[m]>
doesnt qemu?
<rqou_>
well, Unicorn Engine wraps qemu
<rqou_>
but it's flaking out in a way that doesn't make sense
<rqou_>
my hook for emulating MMIO triggers only once, but only for one of the address ranges
<rqou_>
a different address range works correctly
<rqou_>
wtf, of course
<rqou_>
Unicorn Engine is working fine on my x86_64 laptop
<rqou_>
so something is just broken in Unicorn on some combination of macOS/aarch64/m1
<rqou_>
epic fail time
<chadmed[m]>
there is no disappointment quite like "oh, it just doesnt work on my machine... ok then" except maybe being served a cold pizza
<Jamie[m]>
rqou_: awesome haha
<Jamie[m]>
m3 is tiny enough that I was thinking of emulating the peripherals used (basically nothing) myself
<Jamie[m]>
(basically just the nvic i think?)
<Jamie[m]>
but wasn't sure what to use for actually running the code, unicorn is probably what i would have begrudgingly settled on
<rqou_>
well, i've just hooked up the firmware in unicorn engine and i can successfully send the start session command and get its reply
<Jamie[m]>
>:3
<rqou_>
with a hack-tastic fake NVIC
<Jamie[m]>
hey matrix turned my > : 3 into a :3
<Jamie[m]>
that does not convey the evilness of my :3
<Jamie[m]>
are you forwarding peripheral register access to the real peripherals?
<Jamie[m]>
yeah you must be if mailbox is working right?
<Jamie[m]>
+ use hv to override writes to the firmware region, instead writing a firmware where all the exception vectors just go to a while(true) {} that doesn't touch memory*
<Jamie[m]>
+ hook it up so that the sram region is backed by the actual real sram region, as are the decoder/dma/etc peripherals
<Jamie[m]>
+ double-check that there's memory barrier stuff to ensure all the sram region accesses are immediately reflected (if necessary?)
<Jamie[m]>
+ run the whole thing under hv'd macos, watching using hooks on the peripherals etc
<Jamie[m]>
**todo: figure out how to make the real-device exception handlers not interfere with the sram by putting stuff on the stack
<rqou_>
oh right now i'm doing something slightly different of "feed captured commands into an emulated firmware and see what it spits out"
<rqou_>
the emulated firmware gets all the way to trying to poke the PIODMA peripheral now
<Jamie[m]>
i guess that is easier than REing the firmware with all the dynamic variables that actually just point to 0x10000000 haha :P:P
<Jamie[m]>
(part of my reason for doing this was to isolate and understand the behaviour of the DMA peripherals, but I get the impression that you already understand them much more than I do)
<rqou_>
the "PIODMA" block itself is used only in the dumbest possible way by the firmware
<rqou_>
no idea about any of the other actually-video-related DMA
<rqou_>
but yeah, PIODMA has been pushed for a few days now
<Jamie[m]>
btw have i got my offsets wrong or is DMACFGMEMSRC serving a dual purpose where it seems to be read from as a "is the dma currently busy" register?
<rqou_>
i think you have it wrong
<Jamie[m]>
hmm yep i sure do
<Jamie[m]>
oh i think i typed all these peripheral names from tunables into binaryninja by hand lmao
<Jamie[m]>
that would explain some mistakes :P
<Jamie[m]>
yeah i just put MEMSRC at +4 directly after CFG instead of leaving a gap haha
<Jamie[m]>
if this works out we can outdo lina by writing not just the kernel module in rust but also the firmware :P
<rqou_>
maybe
<rqou_>
might be less confusing than apple's
<chadmed[m]>
surely it will be possible to come up with something with a simpler interface than what apple have done
<chadmed[m]>
like do we even need to worry about fairplay at all?
<Jamie[m]>
if it lets us do fairplay then fairplay is broken
<rqou_>
i was going to ignore anything related to fairplay for now
<rqou_>
although we _might_ be able to play SD trailers etc. that don't require a secure boot chain
<amarioguy>
alright perfect, i'll start working on this
<sven>
I have reversed the Gigalocker file as well
<sven>
(The xART thing)
<sven>
it’s essentially just a key value store with constant size blocks
<sven>
each block is a key/val and protected with a common crc
<sven>
i can paste that later as well
<amarioguy>
please do, that'd be helpful
<sven>
the hard part is the sks ipc anyway
<sven>
I’d recommend loading the kext symbols into the hv and then using bt() inside the tracer
<sven>
that’s how I found that sks ipc hash fwiw
<nicolas17>
hash? :|
<nicolas17>
oh like a packet checksum?
<amarioguy>
sven: yep - should get a full KDK setup rolling
<sven>
kdk doesn’t help
<sven>
the regular kexts have enough symbols usually because they export everything
<sven>
nicolas17: something like that, dunno why it’s there tbh
<sven>
it’s sha256 iirc
<sven>
which is a bit overkill for a simple checksum
<amarioguy>
gotcha
<sven>
I think it stuffs some identifier of the userspace client that called the function in there
<sven>
so maybe to protect against evil userspace something something?
<sven>
very weird either way
<amarioguy>
might be to protect against attacks from a malicious mailbox request?
<sven>
if you have access to those regs you can just compute the hash yourself
<sven>
which is why it doesn’t really make sense
<nicolas17>
sven: there's a Continuity protocol that uses something like "s=sha512(payload); hash = s[0..15] xor s[16..31] xor ..."
<nicolas17>
I don't know why they went for sha512 instead of 256 and why they didn't just truncate it instead of xoring pieces of it to make it fit in the BTLE packet
<sven>
lol
<nicolas17>
(also I think it's actually more than 16 bits, I don't remember exactly)
<nicolas17>
oh right, it's 8 bytes
<genhack[m]>
Hi everyone! I have a question about this beautiful project, through uboot is it possible to read the syscfg and write it back?
<sven>
assuming you mean the syscfg stored on the NOR flash, no
<sven>
you'd need to boot a linux kernel with SPI support and the NOR node enabled in the device tree and then be brave enough to actually write your modifications back
<genhack[m]>
thanks sven for the reply, the rom should be the soc eep. (on schematics) if I understood correctly the W25Q64. My question was instead addressed to nand, that is, if they contain a Syscfg partition (like ios).
<sven>
syscfg is on the NOR flash on these machines
<genhack[m]>
this is strange, no sn is inside of the nor
<sven>
sn?
<genhack[m]>
serial
<genhack[m]>
sn bt or wifi
<genhack[m]>
so if i change the nand bga110 the apple configurator will restore the nand without any mod?
<sven>
why are you trying to do that?
<sven>
i have no idea what apple configurator will do in that case
<genhack[m]>
256gb to 1tb nand