571 replies to this topic

[rcork]

dmazar, on 17 February 2012 - 10:50 PM, said:

You can start with MachOView http://sourceforge.n...ects/machoview/ if you want.

For example, on Lion 10.7.3 AICPUPM flAked's patcher will give you:

Searching for wrmsr #0: a11a
Searching for wrmsr #1: a1e2
Searching for wrmsr #2: a260
Searching for wrmsr #3: a2a9
Searching for wrmsr #4: ab64
Searching for wrmsr #5: ac16
...
a11a, a1e2 .. are addresses that are patched.

You can open AICPUPM.kext/Contents/MacOS/AICPUPM in MAchOView and then select
Fat Binary/Kernel Extension (X86_64)/Section64 (__TEXT,__text)/Assembly
and check what's in there.
Open the original one and patched one in the same way and compare them at addresses that are patched. Make sure RAW option is checked - MachOView will give you positions/offsets of instructions inside the file.
You are looking for something like:
B9E2000000 movl $0x000000e2, %ecx
(possible instructions in between)
0F30 wrmsr

You can also open each file in some hex editor and check each patch address in there in parallel with MachOView.

That's good to do to get the feeling of what flAked is doing.

For patching, MachOView will not be enough. Saving and searching disassembled code does not work. But you can use otool:
otool -tV -arch x86_64 AICPUPM.kext/Contents/MacOS/AICPUPM > tmp.asm
and then search through tmp.asm in text editor.
One note: addresses here are, hm ... do not know how to say it simply and still be correct ... maybe it's easiest to compare them with MachOView offsets - so just add some constant to them (in above example for 10.7.3 it is hex 0x1000) to get positions of each instruction in the file.

Once you know what wrmsr you want to patch, you just need to open the file in hex editor and replace your 0F30 (wrmsr) with 9090 (2 nops).

But before patching, it would probably be good to go through all above with some other version of AIPCUPM (getting addresses from flAked's patcher, comparing original with patched AICPUMP on each address).
And, probably, double check every wrmsr (around 50 of them) if %ecx register is set to 0xe2 (just 10 of them in 10.7.3).

This saved me a lot of time researching. I can easily see now each of the places that need to be patched and verified against the 10.7.3 patched version. Shouldn't be too difficult to manually do this when a new version is released. However, coming up with a dynamic method is a different story.

[jazzyguy]

Well if dynamic were to be possible, that'd be amazing, but I (don't really) get how complicated this is.

Want to test out this new ability on the Mountain Lion version?

[oSxFr33k]

@dmazar


Thanks for that information I am going to try this on my own since I have used debuggers and dissemblers in the past to try and make well I won't say but I am sure you got the picture.  What is otool is that part of xcode utils?

I use IDA Pro and since Current MAcs are Intel x86, I have to assume I can use it with IDA Pro or is that overkill?

Thanks again!!

[rcork]

jazzyguy, on 17 February 2012 - 11:50 PM, said:

Well if dynamic were to be possible, that'd be amazing, but I (don't really) get how complicated this is.

Want to test out this new ability on the Mountain Lion version?

Send me the AICPM kext from Mountain Lion and i'll take a shot

[ricola]

rcork, on 18 February 2012 - 12:31 AM, said:

Send me the AICPM kext from Mountain Lion and i'll take a shot

Here ..  AppleIntelCPUPowerManagement.kext.zip   147.05K   75 downloads

[oldnapalm]

@dmazar, thanks, great guide.

dmazar, on 17 February 2012 - 10:50 PM, said:

For patching, MachOView will not be enough. Saving and searching disassembled code does not work.

I used "print", saved as PDF and searched for $0x000000e2, then for 0F30 after it. Found these in 10.8 AICPUPM, if anyone else is looking into this we can compare

0003BF13 0F30 wrmsr
0003C7A5 0F30 wrmsr
0003C830 0F30 wrmsr
0003C87D 0F30 wrmsr
0003C9AD 0F30 wrmsr
0003CCC8 0F30 wrmsr
0003D71A 0F30 wrmsr
0003DA0D 0F30 wrmsr
00043B49 0F30 wrmsr
00044FB4 0F30 wrmsr

Unfortunately I can't test this (don't have a system that needs it), so if someone wants...
 AppleIntelCPUPowerManagement.kext.zip   147.06K   14 downloads

[rcork]

ricola, on 18 February 2012 - 01:13 AM, said:

Here .. AppleIntelCPUPowerManagement.kext.zip

Try this.....
 AppleIntelCPUPowerManagement.kext-PATCHED.zip 153.55K 170 downloads

I found 10 locations that needed to be patched

0000000000008f0e movl $0x000000e2,%ecx
0000000000008f13 wrmsr

000000000000979d movl $0x000000e2,%ecx
00000000000097a2 movq %rsi,%rdx
00000000000097a5 wrmsr

0000000000009828 movl $0x000000e2,%ecx
000000000000982d movq %rsi,%rdx
0000000000009830 wrmsr

0000000000009875 movl $0x000000e2,%ecx
000000000000987a movq %rsi,%rdx
000000000000987d wrmsr

00000000000099a8 movl $0x000000e2,%ecx
00000000000099ad wrmsr

0000000000009cc3 movl $0x000000e2,%ecx
0000000000009cc8 wrmsr

000000000000a715 movl $0x000000e2,%ecx
000000000000a71a wrmsr

000000000000aa08 movl $0x000000e2,%ecx
000000000000aa0d wrmsr

0000000000010b44 movl $0x000000e2,%ecx
0000000000010b49 wrmsr

0000000000011faf movl $0x000000e2,%ecx
0000000000011fb4 wrmsr

I only patched the 64bit code so make sure you are running in 64-bit mode, not 32-bit

Attached Files

•  AppleIntelCPUPowerManagement.kext-PATCHED.zip   153.55K   170 downloads

Edited by rcork, 18 February 2012 - 03:21 AM.

[jazzyguy]

rcork, on 18 February 2012 - 02:28 AM, said:

Try this.....


I found 10 locations that needed to be patched

0000000000008f0e movl $0x000000e2,%ecx
0000000000008f13 wrmsr

000000000000979d movl $0x000000e2,%ecx
00000000000097a2 movq %rsi,%rdx
00000000000097a5 wrmsr0000000000009828 movl $0x000000e2,%ecx

000000000000982d movq %rsi,%rdx
0000000000009830 wrmsr

0000000000009875 movl $0x000000e2,%ecx
000000000000987a movq %rsi,%rdx
000000000000987d wrmsr

00000000000099a8 movl $0x000000e2,%ecx
00000000000099ad wrmsr

0000000000009cc3 movl $0x000000e2,%ecx
0000000000009cc8 wrmsr

000000000000a715 movl $0x000000e2,%ecx
000000000000a71a wrmsr

000000000000aa08 movl $0x000000e2,%ecx
000000000000aa0d wrmsr

0000000000010b44 movl $0x000000e2,%ecx
0000000000010b49 wrmsr

0000000000011faf movl $0x000000e2,%ecx
0000000000011fb4 wrmsr

I'll test momentarily.

What are the ones where there are three rows?

And in case I want to do this, when you find one, how do you know what to replace it with?

[rcork]

Those just had instructions between populating ECX and calling WRMSR. When looking for which locations to patch, we need to look at all the WRMSR operations and then find those where ECX had been set to 0xe2 before the call. Make sense?

[jazzyguy]

It does work, thanks guys!

Rcork, I see what oldnapalms numbers are, the offset for easy finding, but then what are your numbers? I want to compare to see what the three line things look like, but I don't see what your numbers reference.

edit- I now see the thing with the command in the middle. But still. what are your numbers?

Quote

For patching, MachOView will not be enough.

Saving

and searching disassembled code does not work. But you can use otool:

otool -tV -arch x86_64 AICPUPM.kext/Contents/MacOS/AICPUPM > tmp.asm

and then search through tmp.asm in text editor.

One note: addresses here are, hm ... do not know how to say it simply and still be correct ... maybe it's easiest to compare them with MachOView offsets - so just add some constant to them (in above example for 10.7.3 it is hex 0x1000) to get positions of each instruction in the file.

And then last question: how do I actually patch? I see how to save to tmp.asm, but how does that get back inside the kext then?

Also, what is he talking about with the 0x1000? Sorry for the easy questions, but I appreciate it, now I can just about do this on my own if the need ever arises.

[rcork]

They are the RVA (virtual offset). I edited the file directly in MachOView so i didn't need to load up the file in a hex editor (therefore, not needing the file offset).

[jazzyguy]

Alright thanks.

But I thought dmazar said you couldn't edit it in that application?

Actually I see how to change the 0f30, but not how to add a whole new line for another 90

[rcork]

Just replace 0F 30 with 90 90 (two NOP instructions). When you save and then reopen the file, it will then list the NOP instructions on separate lines.

[jazzyguy]

Gotcha. Thanks. I really appreciate the help.

[slave-zeo]

I'll be the first to admit I don't understand about 75% of what you folks are saying BUT what I can say is that I tried the above linked kext (AppleIntelCPUPowerManagement.kext-PATCHED.zip) and my Mt. Lion 10.8 system booted without the need for the NullCPU kext.

Upon booting into the OS I loaded MSRDumper and opened up the console and let the system run for about 15 minuets. Saddly, all I got was one state and it was 16. I would asume my cpu was running at the bare minimum. Still, this is very promising. Thanks for the patched kext!

[oSxFr33k]

slave-zeo, on 18 February 2012 - 07:05 AM, said:

I'll be the first to admit I don't understand about 75% of what you folks are saying BUT what I can say is that I tried the above linked kext (AppleIntelCPUPowerManagement.kext-PATCHED.zip) and my Mt. Lion 10.8 system booted without the need for the NullCPU kext.

Upon booting into the OS I loaded MSRDumper and opened up the console and let the system run for about 15 minuets. Saddly, all I got was one state and it was 16. I would asume my cpu was running at the bare minimum. Still, this is very promising. Thanks for the patched kext!

If you do not get a kernel panic it means the patching was successful!!!  It's main purpose is to patch the AICPUPM to prevent the kernel from panic.  I think the speedstep part is separate and has nothing to do with this patch.  Its your machine's profile, someone correct me if I am wrong?

[oSxFr33k]

@dmazar,

Thanks for your great guide which sparked others for alternate ways to accomplish this.

@oldnapalm,

Thanks for sharing your method.  A perfect and quick way to search.

@rcork,

Thanks for the clarifying how this can all be done in MachOView.  No need for a separate Hex editor.  

I compared my patched 10.7.3 with the one that was patched by flAked and they are 100% the same.

Thanks to the rest of you who motivated others to help us out!!

[slave-zeo]

oSxFr33k, on 18 February 2012 - 07:22 AM, said:

If you do not get a kernel panic it means the patching was successful!!!  It's main purpose is to patch the AICPUPM to prevent the kernel from panic.  I think the speedstep part is separate and has nothing to do with this patch.  Its your machine's profile, someone correct me if I am wrong?

Good deal, then it's a go on the patch I'll have a look at the imac12_2.plist and see whats going on inside it.

Thanks a bunch for the speedy work and replies.

[jazzyguy]

Yeah guys thanks for the works, I was afraid we might struggle with this, and I wouldn't be able to upgrade, but now not only do I know others can do it, I can as well.

Thanks a ton!

[dmazar]

Hi guys, that was fast.  
Did not know it's possible to edit file in MachoView - know now.

OsXFr33k - I never worked with IDA Pro, so not sure, but since it's one of the best disassemblers and more then that, I guess you can do all of it in there also.

Here is a tool equivalent to flAked's patcher, but in Perl. Can be easily edited and modified. Replaces wrmsr's with nop. Handles different versions of AICPUPM by different specification files.

Usage:
> perl patch_aicpupm.pl <AICPUPM_executable> <spec_file>
if permissions are problem, then
> sudo perl patch_aicpupm.pl <AICPUPM_executable> <spec_file>

For example, if you put in the same folder:
- patch_aicpupm.pl
- AppleIntelCPUPowerManagement.kext (ML version)
- Spec-ML-10.8.0-12A128p.txt (patch spec for ML version)

Then you can patch AICPUPM with:

perl patch_aicpupm.pl AppleIntelCPUPowerManagement.kext/Contents/MacOS/AppleIntelCPUPowerManagement Spec-ML-10.8.0-12A128p.txt

Patching of different AICPUPM version can be done by specifying appropriate Spec file. Spec file is just a list of addresses/positions (in hex, one per line) of target wrmsr's in AICPUPM. This does not save us from manually finding places for patch when new AICPUPM arrives - somebody would still need to do that - but if he makes new spec file and share it, anybody could execute that patch. Specially if kext uploading becomes a problem.

Initial files are here - perl file and specs for 10.7.0, 10.7.3 and 10.8.0 (12A128p) .... feel free to test it, fix it, change it, improve it, add new specs ...
I've done some limited tests - seems to work fine, but I'm not 100% sure. Last time doing some perl coding long time ago.

Method: by flAked
Addresses in spec for Lion: from flAked's patcher
Addresses in spec for ML: from oldnapalm and rcork from above posts

Update: there's a universal patcher from el coniglio and oldnapalm here

Attached Files

•  patch_aicpupm-v1.0.zip   5.38K   127 downloads