Ozmosis

[WinstonAce]

Now we just need dsdt find and replace

Thanks.

 

Sent from my ONEPLUS A5000 using Tapatalk

[MakAsus]

I have not tested these driver with Ozmosis. All code based on Clover sources which can be found here.

All properties (in "\EFI\Oz\Defaults.plist") should be same as Clover "KextsToPatch", except its key (changed to: "Defaults:99665243-5AED-4D57-92AF-8C785FBC7558"). "MatchOS" & "MatchBuild" will not work at this time.

 

 

<key>Defaults:99665243-5AED-4D57-92AF-8C785FBC7558</key>
<array>
  <dict>
    ...
  </dict>
  <dict>
    <key>Comment</key>
    <string>ALC892 (1 of 2)</string>
    <key>Disabled</key>
    <true/>
    <key>Find</key>
    <data>
    ixnUEQ==
    </data>
    <key>Name</key>
    <string>com.apple.driver.AppleHDA</string>
    <key>Replace</key>
    <data>
    kgjsEA==
    </data>
  </dict>
  <dict>
    ...
  </dict>
<array>

 

 

 

Where should I place the KextPatcher.efi? Thank you!

[Kynyo]

It should be placed in ROM (Inside BIOS).

[WinstonAce]

I have not tested these driver with Ozmosis. All code based on Clover sources which can be found here.

All properties (in "\EFI\Oz\Defaults.plist") should be same as Clover "KextsToPatch", except its key (changed to: "Defaults:99665243-5AED-4D57-92AF-8C785FBC7558"). "MatchOS" & "MatchBuild" will not work at this time.

 

 

<key>Defaults:99665243-5AED-4D57-92AF-8C785FBC7558</key>
<array>
  <dict>
    ...
  </dict>
  <dict>
    <key>Comment</key>
    <string>ALC892 (1 of 2)</string>
    <key>Disabled</key>
    <true/>
    <key>Find</key>
    <data>
    ixnUEQ==
    </data>
    <key>Name</key>
    <string>com.apple.driver.AppleHDA</string>
    <key>Replace</key>
    <data>
    kgjsEA==
    </data>
  </dict>
  <dict>
    ...
  </dict>
<array>

 

 

 

Thank you

I tried but it doesn't seem to work for me

am I using it right?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>Comment</key>
		<string>Wi-Fi Region to 0x64</string>
		<key>Disabled</key>
		<false/>
		<key>Find</key>
		<data>D7eH3AQAAA==</data>
		<key>Name</key>
		<string>com.apple.driver.AirPort.Atheros40</string>
		<key>Replace</key>
		<data>uGQAAACQkA==</data>
	</dict>
	<dict>
		<key>Comment</key>
		<string>Remove USB limit MacOS Sierra</string>
		<key>Disabled</key>
		<false/>
		<key>Find</key>
		<data>g710////EA==</data>
		<key>Name</key>
		<string>com.apple.driver.usb.AppleUSBXHCIPCI</string>
		<key>Replace</key>
		<data>g710////Fg==</data>
	</dict>
	<dict>
		<key>Comment</key>
		<string>Remove USB limit MacOS Sierra</string>
		<key>Disabled</key>
		<false/>
		<key>Find</key>
		<data>g32EEA==</data>
		<key>Name</key>
		<string>com.apple.driver.usb.AppleUSBXHCIPCI</string>
		<key>Replace</key>
		<data>g32EFg==</data>
	</dict>
</array>
</plist>

[ammoune78]

 

Thank you

I tried but it doesn't seem to work for me

 

 

AFAIK it should be in Defaults.plist here: /Efi/Oz/Defaults.plist, like that:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Defaults:1F8E0C02-58A9-4E34-AE22-2B63745FA101</key>
	<dict>
		<key>AAPL,ig-platform-id</key>
		<integer>220332035</integer>
	</dict>
	<key>Defaults:4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102</key>
	<dict>
		<key>BaseBoardAssetTag</key>
		<string>Base Board Asset Tag#</string>
	</dict>
	<key>Defaults:7C436110-AB2A-4BBB-A880-FE41995C9F82</key>
	<dict>
		<key>boot-args</key>
		<string>-lilubeta -alcbeta nvda_drv=1</string>
		<key>csr-active-config</key>
		<integer>127</integer>
	</dict>
	<key>Defaults:99665243-5AED-4D57-92AF-8C785FBC7558</key>
	<dict>
		<key>Comment</key>
		<string>Wi-Fi Region to 0x64</string>
		<key>Disabled</key>
		<false/>
		<key>Find</key>
		<data>
		D7eH3AQAAA==
		</data>
		<key>Name</key>
		<string>com.apple.driver.AirPort.Atheros40</string>
		<key>Replace</key>
		<data>
		uGQAAACQkA==
		</data>
	</dict>
	<key>Timestamp</key>
	<integer>0</integer>
	<key>Version</key>
	<string>1.0.1</string>
</dict>
</plist>

As it will read Defaults.plist and it will search this:

	<key>Defaults:99665243-5AED-4D57-92AF-8C785FBC7558</key>
	<dict>
	</dict>

So you can boot to shell and:

- load kextpatcher.efi (each boot) .. or

- with bcfg (semi permanent)

[cecekpawon]

No man, just create new "Defaults:99665243-5AED-4D57-92AF-8C785FBC7558" dict in EFI\Oz\Defaults.plist and append your array of patches there (sample included).

I extended to be able to patches kernel as well. Boot into shell add the driver (ex: fs0:\EFI\driver.efi):

fs0:
cd EFI
bcfg driver dump
bcfg driver add #num driver.efi "driver"

*** Im not sure about *.ffs, try at your own risk

 

Edited June 30, 2017 by cecekpawon

[ammoune78]

No man, just create new "Defaults:99665243-5AED-4D57-92AF-8C785FBC7558" dict in EFI\Oz\Defaults.plist and append your array of patches there (sample included).

I extended to be able to patches kernel as well. Boot into shell add the driver (ex: fs0:\EFI\driver.efi):

fs0:
cd EFI
bcfg driver dump
bcfg driver add #num driver.efi "driver"

*** Im not sure about *.ffs, try at your own risk

 

This is what I did by creating new Defaults:99665243-5AED-4D57-92AF-8C785FBC7558 dictionary in Defaults.plist as i posted before, My MAN 

 

I just forgot to said that the KextPatcher.efi must be actually in /Efi/Oz/KextPatcher.efi   

[WinstonAce]

I tried KextPatcher as ffs in bios...

[TypeThree]

First of all, thanks for the great work this is amazing!!!

I added Kernextpatcher.efi with the shell (bcfg) which worked great, no issues there. Then I tried it out with just some KextPatch, in my case the PortLimitPatch (which I'm not trying to use, it's just a tryout object  ) but I can't get it to work. My Defaults.plist-section looks like this:

...
	<key>Defaults:99665243-5AED-4D57-92AF-8C785FBC7558</key>
	<dict>
		<key>KernelToPatch</key>
		<array/>
		<key>KextsToPatch</key>
		<array>
			<dict>
				<key>Comment</key>
				<string>PortLimitPatch</string>
				<key>Disabled</key>
				<false/>
				<key>Find</key>
				<data>
				g710////EA== (=83BD74FF FFFF10)
                                </data>
				</data>
				<key>Name</key>
				<string>com.apple.driver.usb.AppleUSBXHCIPCI</string>
				<key>Replace</key>
				<data>
				g710////Fg== (=83BD74FF FFFF16)
				</data>
			</dict>
		</array>
	</dict>
 ...

When I boot I get the debug message "KextsToPatch: 1 requested" and so on, but unfortunately nothing changes. I checked XHC in IOReg and the KEXT itself with a Hex Editor but theres no difference. 

2 general questions: Does the name have to be the Package-ID or is the kext-name enough? And does the patcher grab data out of the Defaults on every single boot or is a nvram reset necessary if changes are made? Thanks to cecekpawon and everybody involved again and keep up the great work!

[cecekpawon]

<data>g710////Fg== (=83BD74FF FFFF16)</data>

-- or --

<data>g710////Fg==</data>

?

My plist lib should support self close tag like:

<key>KernelToPatch</key>
<array/>

I checked XHC in IOReg and the KEXT itself with a Hex Editor but theres no difference

 

This will only patch prelinkedkernel,

 

2 general questions: Does the name have to be the Package-ID or is the kext-name enough? And does the patcher grab data out of the Defaults on every single boot or is a nvram reset necessary if changes are made? Thanks to cecekpawon and everybody involved again and keep up the great work!

 

Preferred BundleIdentifier (like "com.apple.driver.usb.AppleUSBXHCIPCI"), but kext filename should work too.

Kernextpatcher will always try to read "EFI\Oz\Defaults.plist" as long its exists, so nothing to do with Oz or NVRAM.

Edited June 30, 2017 by cecekpawon

[TypeThree]

It's

<data>g710////Fg==</data>

I just added 83BD74FF FFFF16 to the code above to illustrate the connection to the screenshot from the hex editor. But as your patcher patches the prelinkedkernel (which I really like), the kext as hex thingy is irrelevant. The changes made in the prelinkedkernel should be visible in behaviour of XHC in IOReg though and unfortunately they're not. Your plist lib does seem like it supports self close tag since KernelToPatch doesnt appear in debug screen when Defaults.plist is configurated as above.

Thanks for your clarification of the patchers behaviour!

[crusher]

something like this

[mhaeuser]

so nothing to do with Oz or NVRAM.

Why do you use Defaults.plist then?

[cecekpawon]

@WinstonAce @ammoune78 @TypeThree I finally test this driver with Oz & it doesnt work (failed to catch ExitBootServices, also test with DumpUefiCalls & its failed too). So yeah, I decide to throw this project into a microwave, xDEADx. Sorry & thanks for testing.

 

Why do you use Defaults.plist then?

 

Just a bad answer from my unjailbroken iphone 5s, sorry man.

[mhaeuser]

@WinstonAce @ammoune78 @TypeThree I finally test this driver with Oz & it doesnt work (failed to catch ExitBootServices, also test with DumpUefiCalls & its failed too). So yeah, I decide to throw this project into a microwave, xDEADx. Sorry & thanks for testing.

How can you fail to catch it? Did you use an event or an override? Both should work.

[ammoune78]

@WinstonAce @ammoune78 @TypeThree I finally test this driver with Oz & it doesnt work (failed to catch ExitBootServices, also test with DumpUefiCalls & its failed too). So yeah, I decide to throw this project into a microwave, xDEADx. Sorry & thanks for testing.

 

 

Just a bad answer from my unjailbroken iphone 5s, sorry man.

 

My MAN, for this "So yeah, I decide to throw this project into a microwave, xDEADx", it sounds like you have to take some rest instead of throwing it! I know who you are cecek, but as i've seen today, you're not the one that i know, keep relaxed MAN! 

 

I"ll push the like for what you do, not for going to throw this project! Always respect you BRO, you're THE MAN     

[davidm71]

Speaking of not giving up I tried to install HS again and this time I waited a little bit longer to view the post verbose messages. Interestingly enough the USB installer posted something like 'ACPI_Platform_Plugin:: wait for service(resourcematching(AppleIntelCPUPowerManagement)) Timed out' and 'IOPlatformPluginUtil: Getcpuidinfo - this is an unknown cpu model 0x3c' and it still was able to load the installer despite those messages!

 

However after the install was finished and I rebooted twice I got the same 'Invalid Firewire GUID 000000000000' message again and this time I let it run a little longer to get 'Kext Stall: AppleACPICPU'

 

Thanks

[ammoune78]

Speaking of not giving up I tried to install HS again and this time I waited a little bit longer to view the post verbose messages. Interestingly enough the USB installer posted something like 'ACPI_Platform_Plugin:: wait for service(resourcematching(AppleIntelCPUPowerManagement)) Timed out' and 'IOPlatformPluginUtil: Getcpuidinfo - this is an unknown cpu model 0x3c' and it still was able to load the installer despite those messages!

 

However after the install was finished and I rebooted twice I got the same 'Invalid Firewire GUID 000000000000' message again and this time I let it run a little longer to get 'Kext Stall: AppleACPICPU'

 

Thanks

 

 

David, the first message appear if you don't use "SSDT for PowerManagement"! 

[davidm71]

David, the first message appear if you don't use "SSDT for PowerManagement"! 

 

I once created an SSDT using ssDTPRGN script and merged it into my DSDT. Maybe I should start over and create new separate DSDT and SSDT like was suggested. Still using Clover to drop the MATS table so relying on Clover until I can update my Amiboardinfo file. The strange thing is my bios got corrupted again after a failed boot of high sierra. Is that possible in that can these powermangement apple kexts mess with my bios files and corrupt it?

 

Thanks

[ammoune78]

I once created an SSDT using ssDTPRGN script and merged it into my DSDT. Maybe I should start over and create new separate DSDT and SSDT like was suggested. Still using Clover to drop the MATS table so relying on Clover until I can update my Amiboardinfo file. The strange thing is my bios got corrupted again after a failed boot of high sierra. Is that possible in that can these powermangement apple kexts mess with my bios files and corrupt it?

 

Thanks

 

No it has nothing to do on your bios file and can't corrupt it, but I suggest you to use SSDT right for your board from RampagDev website, instead of waiting your DSDT get patched!

[cecekpawon]

How can you fail to catch it? Did you use an event or an override? Both should work.

 

I use StartImage override like Aptiofix, do filtering LoadedImage FilePath contain "boot.efi"/"bootbase.efi" and then register OnExitBootServices event.

 

Heres some snippets:

 

 

 

STATIC
VOID
EFIAPI
OnExitBootServices (
  IN EFI_EVENT  Event,
  IN VOID       *Context
) {
  //LOADER_ENTRY   *Entry = (LOADER_ENTRY *)Context;

  DBG ("**** ExitBootServices called\n");
  DBG_PAUSE (2);

  gKernelInfo = AllocateZeroPool (sizeof (KERNEL_INFO));

  // Scan BootArgs & locate prelinkedkernel
  if (KernelAndKextPatcherInit ()) {
    // Check allowed patches & apply
    FilterKernelPatches ();
    FilterKextPatches ();
  }
}


---


STATIC
EFI_STATUS
EventsInitialize () {
  EFI_STATUS    Status;
  VOID          *Registration = NULL;

  //
  // Register notify for exit boot services
  //
  Status = gBS->CreateEvent (
                  EVT_SIGNAL_EXIT_BOOT_SERVICES,
                  TPL_CALLBACK,
                  OnExitBootServices,
                  NULL,
                  &gExitBootServiceEvent
                );

  if (!EFI_ERROR (Status)) {
    gBS->RegisterProtocolNotify (
                         &gEfiStatusCodeRuntimeProtocolGuid,
                         gExitBootServiceEvent,
                         &Registration
                       );
  }

  return EFI_SUCCESS;
}


---


STATIC
EFI_STATUS
EFIAPI
KPStartImage (
  IN  EFI_HANDLE  ImageHandle,
  OUT UINTN       *ExitDataSize,
  OUT CHAR16      **ExitData  OPTIONAL
) {
  EFI_STATUS                  Status;
  EFI_LOADED_IMAGE_PROTOCOL   *Image;
  CHAR16                      *FilePathText = NULL;
  BOOLEAN                     StartFlag;

  DBG ("StartImage (%lx)\n", ImageHandle);

  // find out image name from EfiLoadedImageProtocol
  Status = gBS->OpenProtocol (
                  ImageHandle,
                  &gEfiLoadedImageProtocolGuid,
                  (VOID **)&Image,
                  gImageHandle,
                  NULL,
                  EFI_OPEN_PROTOCOL_GET_PROTOCOL
                );

  FilePathText = DevicePathToStr (Image->FilePath);

  StartFlag = (
                (StriStr (FilePathText, L"boot.efi") != NULL) ||
                (StriStr (FilePathText, L"bootbase.efi") != NULL)
              );

  if (StartFlag) {
    //DBG ("**** boot.efi\n");
    //DBG_PAUSE (5);
    EventsInitialize (); // Register OnExitBootServices event
  }

  Status = gKPStartImage (ImageHandle, ExitDataSize, ExitData);


---


EFI_STATUS
EFIAPI
KernextPatcherEntrypoint (
  IN EFI_HANDLE         ImageHandle,
  IN EFI_SYSTEM_TABLE   *SystemTable
) {
  EFI_STATUS              Status;

  // Get SelfRoot path, parsing plist
  Status = InitRefitLib (ImageHandle);

  if (EFI_ERROR (Status)) {
    // Find 1st ESP, parsing plist
    Status = ScanVolumes ();
  }

  if (!EFI_ERROR (Status)) {
    // Plist parsed, install StartImage override
    gKPStartImage = gBS->StartImage;
    gBS->StartImage = KPStartImage;
    gBS->Hdr.CRC32 = 0;
    gBS->CalculateCrc32 (gBS, gBS->Hdr.HeaderSize, &gBS->Hdr.CRC32);
  }

 

 

 

[mhaeuser]

Heres some snippets:

Why is DBG_PAUSE() commented out? Was the code enabled when you tried with Oz? It could be that the verbose stuff is not shown because of a switch to graphics mode via ConsoleControl, did you try log-to-file or block the switch?

[cecekpawon]

DBG_PAUSE(n) is actually only gBS->Stall(n * 1000000) for easy reading while debugging on screen. Yes, I use same binary to test both with Oz & Clover. I have not tried to block the switch, but with "-v" booter commandline Oz should automatically switch to Textmode isnt it? To log-to-file Clover need Memlog lib (too complex right now) which Im also have not tried it out, but I will.

 

Things I have tried:
  - Verbosing & DBG_PAUSE() on KPStartImage (StartImage override) its never been called.
  - ExitBootServices Hooking from https://wikileaks.org/ciav7p1/cms/page_36896783.html
  - Load DumpUefiCalls (which also catch ExitBootServices) with Oz, it will also fail to load / create a log-file.

 

I published the sources here: https://github.com/cecekpawon/CloverPkg/tree/master/Module/KernextPatcher
  ** Its roughly copy paste, too lazy to create libs for this / or Clover other purposes
To build add "-D BUILD_KERNEXTPATCHER=1" in compile.cmd / compile.sh.

[MakAsus]

I use StartImage override like Aptiofix, do filtering LoadedImage FilePath contain "boot.efi"/"bootbase.efi" and then register OnExitBootServices event.

 

 

First of all, thanks for the great work you have done. In the second, I would like to ask you to do the same, for the DDTT patch,  because I can’t replace DSDT in my Bios, and PatchVBios for native resolution ATI Radeon at boot time. Thank you!

[cecekpawon]

Why you dont just drop your "fixed" DSDT.aml into "EFI\Oz\Acpi\Load" & not to touch any OEM value in firmware? You can flash your ATI card to get GOP support & full UEFI booting. Without @Pene PatchVBios is just a myth IMHO >>>