#asahi-re on 2022-12-03 — irc logs at oftc.irclog.whitequark.org

2022-08-14 19:46 ChanServ changed the topic of #asahi-re to: Asahi Linux: porting Linux to Apple Silicon macs | Hardware / boot process / firmware interface reverse engineering | WARNING: this channel (only) may contain binary reverse engineering discussion | RE policy: https://alx.sh/re (MANDATORY READ) | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Logs: https://alx.sh/l/asahi-re

00:00 <sven> there’s dart.ioread or something like that

00:01 <sven> that one just walks the pagetable to find the physical address and then just reads that

00:01 chengsun_ has joined #asahi-re

00:02 <amarioguy> ah i see

00:02 <amarioguy> rn i'm just trying to figure out how SEP knows where the gigalocker is because i'm not seeing any shared writes

00:02 <amarioguy> strings on apple sep manager talk about "OOL buffers"

00:02 chengsun has quit [Ping timeout: 480 seconds]

00:02 <amarioguy> perhaps those have smth to do with it

00:03 <amarioguy> or maybe i have this all wrong and AP just queries the locker on demand whenever it needs to decrypt it

00:22 roxfan has quit [Remote host closed the connection]

00:24 roxfan has joined #asahi-re

00:28 <amarioguy> okay so the CRCs that XNU is saying the lockers have don't match up at all with the gigalocker CRCs...

00:48 chengsun_ has quit [Ping timeout: 480 seconds]

01:19 <amarioguy> also apparently single user mode data accesses do not trigger SEP - likely because of how it's decrypted on the fly through the storage controller ephemeral key

01:26 <amarioguy> LOL setting a breakpoint while the framebuffer comes on causes snow effects like old TVs

01:26 <amarioguy> (or rather right after SEP changes the lock state)

01:36 <amarioguy> okay so one of the absolute most verbose sep operations is pfk_data_unwrap and it's associated reply in the tracer

01:36 <amarioguy> (yes i am just dumping what i find as i find it how did you know :) )

01:37 * amarioguy sure hopes i'm doing this mmio tracing thing right

01:49 <amarioguy> huh so during the unlock sequence after the first unlock, XNU logs the replies on the AP side with 0xffff in the upper two bytes

01:50 <amarioguy> then it logs as "saving" the xart with a 2 byte crc

01:50 <amarioguy> on the tracer side though, the actual mailbox message has that two byte CRC at the start

01:50 <amarioguy> (the upper two bytes i mean)

01:53 <amarioguy> think i'll want to look at the gigalocker file i have very closely tomorrow

01:54 <amarioguy> to match up the xnu "crc" with the GL CRC

02:20 Emantor_ has quit []

02:20 Emantor has joined #asahi-re

02:38 user982492 has joined #asahi-re

02:57 ma has joined #asahi-re

03:03 ma4 has quit [Ping timeout: 480 seconds]

03:37 user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]

03:41 mini0n has joined #asahi-re

04:01 <marcan> eiln: also you may know this already, but ane1/ane3 are fused off on Max/Ultra devices

04:01 <marcan> I don't know why, but iBoot filters them out

04:01 <marcan> they seem to be hard shut down

04:02 <marcan> my theory is it's either broken silicon or they decided not to implement it due to power envelope reasons

04:03 <marcan> concurrency *should* be used on M1 Ultra for the ANE across each die

04:03 <marcan> macOS has some kind of balancer/dispatcher kext for this

04:04 <marcan> it was probably intended for M1 Max too, I don't think the reason they ditched the second ANE is because it wasn't ready in time, though it could be

04:06 <marcan> and yes, geohot's "research" is, well... yeah what you said tracks

04:31 mini0n has quit []

04:39 nicolas17 has quit [Ping timeout: 480 seconds]

05:03 eiln has joined #asahi-re

06:09 SSJ_GZ has joined #asahi-re

06:39 <eiln> ohh I thought max/pros had ane1 enabled

06:39 <eiln> so "device with two neural processor circuits" == just ultra

06:39 <eiln> that makes a lot more sense

06:39 <eiln> marketing speak says "32-core Neural Engine" for ultra

06:39 <eiln> and "16-core Neural Engine" for all else

06:39 <eiln> assuming core == ne*8, that checks out

06:39 <eiln> seems they are pretty set on that decision

06:39 <eiln> my question is why they'd add more cores to ultra if 3 max models had issues with exactly that?

06:40 <eiln> i guess m2+ lines would give the definite answer

06:40 <eiln> h14 firmware is definitely different tho if that signals anything

06:40 <eiln> also what exactly is meant by "iBoot filters them out"?

06:40 <eiln> associated clock/power node doesn't go through?

07:30 mattgirv has quit [Server closed connection]

07:30 mattgirv_ has joined #asahi-re

07:38 eiln has quit [Quit: Page closed]

07:49 arekm has quit [Server closed connection]

07:49 arekm has joined #asahi-re

08:37 n1c has quit [Server closed connection]

08:37 n1c has joined #asahi-re

08:41 robinp has joined #asahi-re

09:29 nuup has quit [Server closed connection]

09:29 nuup has joined #asahi-re

09:38 <sven> Iboot removes them from the template device tree iirc

09:39 <sven> and I think marcan tried turning them on in pmgr and that just didn’t work

10:45 chengsun has joined #asahi-re

10:52 corion has joined #asahi-re

10:58 vup has joined #asahi-re

11:18 Dcow has quit [Ping timeout: 480 seconds]

11:22 Dcow has joined #asahi-re

12:27 corion has quit [Quit: Page closed]

12:52 goldsoultheory has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]

13:20 chadmed_ has joined #asahi-re

13:25 yamii has joined #asahi-re

13:28 goldsoultheory has joined #asahi-re

14:14 <marcan> eiln: it's 16 cores per neural engine

14:14 <marcan> everything has one functional one per die, Ultra has two dies

14:14 <marcan> ultra is just two max dies

14:14 <marcan> if ane0 works on max then ane2 will work on ultra since it's just two of the same thing

14:15 <marcan> ane1 is the broken one, which means also ane3 on ultra

14:15 <marcan> pro does not have ane1 at all

14:15 <marcan> pro only has one ane

14:15 <marcan> so there is only one die, max, with two anes, and one is always disabled

14:15 <marcan> hence my theory about silicon bug or power delivery issues

14:34 goldsoultheory has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]

14:54 chadmed_ has quit [Remote host closed the connection]

15:34 goldsoultheory has joined #asahi-re

15:41 goldsoultheory has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]

16:14 SSJ_GZ has quit [Ping timeout: 480 seconds]

16:18 SSJ_GZ has joined #asahi-re

16:49 corion has joined #asahi-re

16:52 user982492 has joined #asahi-re

16:56 corion has quit [Quit: Page closed]

17:01 Dcow has quit [Remote host closed the connection]

17:02 Dcow has joined #asahi-re

17:22 os has quit [Server closed connection]

17:22 os has joined #asahi-re

17:30 paddatrapper_ has quit [Server closed connection]

17:30 paddatrapper_ has joined #asahi-re

20:07 nicolas17 has joined #asahi-re

20:57 goldsoultheory has joined #asahi-re

21:30 ChaosPrincess has quit [Quit: WeeChat 3.7.1]

21:32 ChaosPrincess has joined #asahi-re

22:25 Tom__ has quit [Read error: Connection reset by peer]

23:21 SSJ_GZ has quit [Ping timeout: 480 seconds]

23:37 Dcow has quit [Remote host closed the connection]