Jump to content

Broadcom bcm57781 - how do I patch the kext for ML 10.8.5?


  • Please log in to reply
56 replies to this topic

#1
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Hello,

 

can someone be so kind and explain how I can patch the original IONetworkingFamily.kext for Broadcom bcm57781 to get it work under ML 10.8.5? The one in the database from osx86 doesn't work.

 

Thanks in advance

Huberer



#2
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Although the BCM57781 which can be found on some of Asrock's 7 series boards is fully compatible to the BCM57765 in recent iMacs or Mac minis (with the exception that the BCM57781 lacks the integrated card reader), Apple's driver refuses to work with this chip but the driver can be easily patched in order to add support for the BCM57781. Unfortunately adding the BCM57781's ID to the drivers match list in Info.plist is not enough because it checks the NIC's device-id, subsystem-id and subsystem-vendor-id reading the corresponding registers in it's PCI configuration space in order to verify that the chip is one of the officially supported ones.

 

In principle this method should work with all members of the BCM57785 family:

  • BCM57781 = 0x16B1
  • BCM57785 = 0x16B5 
  • BCM57785X  = 0x16B5 
  • BCM57761  = 0x16B0
  • BCM57791  = 0x16B2
  • BCM57795  = 0x16B6
  • BCM57795X  = 0x16B6 ​​

 

The basic idea of this patch is to make the driver believe it's got a BCM57765 instead of a BCM57781 so that it will work with this NIC too. In order to read the registers in PCI configuration space the driver calls a subroutine which does the actual work and return the values in a certain CPU register. Therefore I located the subroutine calls in the drivers binary and replaced them with instructions that return the corresponding values of the BCM57765. That's the reason why your BCM57781 will show up as BCM57765 in System profiler.

 

Let's start with the trivial part. We have to add the BCM57781's ID ("pci14e4,16b1") to the kext's match list in it's Info.plist file in order make the driver load. Locate the following text and add the line "<string>pci14e4,16b1</string>" as shown in the code below.

<key>IONameMatch</key>
<array>
    <string>pci14e4,1684</string>
    <string>pci14e4,16b0</string>
    <string>pci14e4,16b4</string>
    <string>pci14e4,1682</string>
    <string>pci14e4,1686</string>
    <string>pci14e4,16b1</string>
</array>

Now comes the tricky part. You'll have to locate 3 instructions which call the subroutine to read the NIC's subsystem-vendor-id, subsystem-id and device-id registers in PCI configuration space and replace them with instructions that return the required values making the driver believe it's working on a BCM57765 instead of a BCM57781. Use your favorite binary editor to apply the patch. It's also possible to create a script for Clover letting the boot loader do the hard work for you. As the locations and the opcodes of the instructions to replace will probably change with every new build of the driver it virtually impossible to create a binary patch that works for different versions of the driver but with a basic understanding of x86 assembler it should be quite easy to find these 3 instructions to patch in coming releases of the driver an adapt the patch to them. The instructions below are for 10.8.3. In case you are looking for the instructions to patch the 10.8.5 driver please see post #15 (http://www.insanelym...1085/?p=1952049) of this thread. Of course don't forget to repair permissions after you applied the patch. Modified instructions for the latest Mavericks beta will follow soon.

 

  1. Change 
       7a8b:	ba 2c 00 00 00       	mov    $0x2c,%edx
       7a90:	e8 bb 90 ff ff       		callq  b50 <kmod_info-0x36138>
       7a95:	66 89 83 92 04 00 00 	mov    %ax,0x492(%rbx)
    

    into 

       7a8b:	ba 2c 00 00 00       	mov    $0x2c,%edx
       7a90:	b8 e4 14 00 00       	mov    $0x14e4,%eax    <--- Move the subsystem-vendor-id into AX
       7a95:	66 89 83 92 04 00 00 	mov    %ax,0x492(%rbx)
    
  2. and 
       7aa6:	ba 2e 00 00 00       	mov    $0x2e,%edx
       7aab:	e8 a0 90 ff ff       		callq  b50 <kmod_info-0x36138>
       7ab0:	66 89 83 94 04 00 00 	mov    %ax,0x494(%rbx)
    

    into 

       7aa6:	ba 2e 00 00 00       	mov    $0x2e,%edx
       7aab:	b8 b4 16 00 00       	mov    $0x16b4,%eax    <--- Move the subsystem-id into AX
       7ab0:	66 89 83 94 04 00 00 	mov    %ax,0x494(%rbx)
    
  3. as well as 
       7b24:	ba 02 00 00 00       	mov    $0x2,%edx
       7b29:	e8 22 90 ff ff       		callq  b50 <kmod_info-0x36138>
       7b2e:	66 89 83 90 04 00 00 	mov    %ax,0x490(%rbx)
    

    into 

       7b24:	ba 02 00 00 00       	mov    $0x2,%edx
       7b29:	b8 b4 16 00 00       	mov    $0x16b4,%eax    <--- Move the device-id into AX
       7b2e:	66 89 83 90 04 00 00 	mov    %ax,0x490(%rbx)
    

Edited by Mieze, 11 November 2013 - 01:36 AM.


#3
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Here are the instructions for patching the latest 10.9 beta. They are slightly different but you'll recognize soon that the overall structure remains the same. Modifications of the driver's Info.plist are identical.

 

  1. First change 
    613b:	ba 2c 00 00 00       	mov    $0x2c,%edx
    6140:	e8 89 ad ff ff       	callq  ece <__ZN11BCM5701Enet10superClassE-0x1f20a>
    6145:	66 89 83 d2 04 00 00 	mov    %ax,0x4d2(%rbx)
    

    into 

    613b:	ba 2c 00 00 00       	mov    $0x2c,%edx
    6140:	b8 e4 14 00 00       	mov    $0x14e4,%eax
    6145:	66 89 83 d2 04 00 00 	mov    %ax,0x4d2(%rbx)
    
  2. and 
    6156:	ba 2e 00 00 00       	mov    $0x2e,%edx
    615b:	e8 6e ad ff ff       	callq  ece <__ZN11BCM5701Enet10superClassE-0x1f20a>
    6160:	66 89 83 d4 04 00 00 	mov    %ax,0x4d4(%rbx)
    

    into 

    6156:	ba 2e 00 00 00       	mov    $0x2e,%edx
    615b:	b8 b4 16 00 00       	mov    $0x16b4,%eax
    6160:	66 89 83 d4 04 00 00 	mov    %ax,0x4d4(%rbx)
    
  3. Finally change 
    605f:	ba 02 00 00 00       	mov    $0x2,%edx
    6064:	e8 65 ae ff ff       	callq  ece <__ZN11BCM5701Enet10superClassE-0x1f20a>
    6069:	66 89 83 d0 04 00 00 	mov    %ax,0x4d0(%rbx)
    

    into 

    605f:	ba 02 00 00 00       	mov    $0x2,%edx
    6064:	b8 b4 16 00 00       	mov    $0x16b4,%eax
    6069:	66 89 83 d0 04 00 00 	mov    %ax,0x4d0(%rbx)
    


#4
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Thanks for posting. Will patch and test the kext in the next days.



#5
kind3rgarten

kind3rgarten

    InsanelyMac Protégé

  • Members
  • Pip
  • 7 posts

Did you ever get this file patched? I am in need of this too



#6
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Hello Mieze,

 

today I finally found the time to try to do your patches but I stuck at the "tricky part". You say that ii's necessary to patch the pci configuration space. But this is the problem. Where can I find it. It tried to hexedit IONetworkingFamily and IOPCIFamiliy.kext but I can't find the correct place to edit.

Would you be so kind to show me the way to find this "pci configuration space"

 

Thanks in advance

Huberer



#7
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Hello Mieze,

 

today I finally found the time to try to do your patches but I stuck at the "tricky part". You say that ii's necessary to patch the pci configuration space. But this is the problem. Where can I find it. It tried to hexedit IONetworkingFamily and IOPCIFamiliy.kext but I can't find the correct place to edit.

Would you be so kind to show me the way to find this "pci configuration space"

 

Thanks in advance

Huberer

 

No, you don't need to patch any other kexts. What you have to do is to patch the instructions where the driver calls the functions which read the configuration registers.

 

Mieze



#8
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Sorry, but this is too high for me. Where do I find these instructions? I think I've opened every single data file within the IONetworkingFamily.kext with hexedit but can't find the right place to patch



#9
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Sorry, but this is too high for me. Where do I find these instructions? I think I've opened every single data file within the IONetworkingFamily.kext with hexedit but can't find the right place to patch

You only have to patch these two files:

 

/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleBCM5701Ethernet.kext/Contents/Info.plist

 

and

 

/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleBCM5701Ethernet.kext/Contents/MacOS/AppleBCM5701Ethernet

 

 

Mieze



#10
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Thanks, I thought that these are the files to edit. But the next problem is that I don't find the strings. Either with hexfind nor with hexedit. They only show me 8 figures instead of 10 you posted above. Which binary editor do you use?



#11
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Thanks, I thought that these are the files to edit. But the next problem is that I don't find the strings. Either with hexfind nor with hexedit. They only show me 8 figures instead of 10 you posted above. Which binary editor do you use?

I use 0xED but any other hex editor should work too. By the way, which version of the driver do you try to patch?

 

Mieze



#12
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

Thanks for the info. I try to patch the driver from ML 10.8.5 (before the supplemental update was released).


Just a quick feed back before I leave. I just could find the string from the third point: e8 22 90 ff ff but it's in A5A8.

The others (1st and second patch) aren't there.

Which version did you use Mieze? (OT: I have to leave - will check here again tomorrow)



#13
Huberer

Huberer

    InsanelyMac Protégé

  • Members
  • Pip
  • 10 posts

@Mieze:

 

Do you have any news? I think your above mentioned describtion is not compatible with the 10.8.5 kext. See my post above.



#14
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

@Mieze:

 

Do you have any news? I think your above mentioned describtion is not compatible with the 10.8.5 kext. See my post above.

 

The patch has been confirmed to work with 10.8.3. Before I stated that it should work with 10.8.5 too I only check the version of the kext. Maybe they have changed something without increasing the version number. I will disassemble the 10.8.5 kext from my iMac in order to verify my instructions. In case I find something new I will post an update.

 

Mieze



#15
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

I'm sorry but I have to correct one of my former posts. It's true that Apple changed the Broadcom driver in 10.8.5, at least they included a new build which requires new patch instructions. Therefore you'll have to follow these instructions in order to patch 10.8.5's Broadcom driver:

 

Change

    78db:	ba 2c 00 00 00       	mov    $0x2c,%edx
    78e0:	e8 5b 92 ff ff       	callq  b40 <_kmod_info-0x363e8>
    78e5:	66 89 83 92 04 00 00 	mov    %ax,0x492(%rbx)

into

    78db:	ba 2c 00 00 00       	mov    $0x2c,%edx
    78e0:	b8 e4 14 00 00       	mov    $0x14e4,%eax
    78e5:	66 89 83 92 04 00 00 	mov    %ax,0x492(%rbx) 

and

    78f6:	ba 2e 00 00 00       	mov    $0x2e,%edx
    78fb:	e8 40 92 ff ff       	callq  b40 <_kmod_info-0x363e8>
    7900:	66 89 83 94 04 00 00 	mov    %ax,0x494(%rbx) 

into

    78f6:	ba 2e 00 00 00       	mov    $0x2e,%edx
    78fb:	b8 b4 16 00 00       	mov    $0x16b4,%eax
    7900:	66 89 83 94 04 00 00 	mov    %ax,0x494(%rbx) 

Finally change

    7974:	ba 02 00 00 00       	mov    $0x2,%edx
    7979:	e8 c2 91 ff ff       	callq  b40 <_kmod_info-0x363e8>
    797e:	66 89 83 90 04 00 00 	mov    %ax,0x490(%rbx)

into

    7974:	ba 02 00 00 00       	mov    $0x2,%edx
    7979:	b8 b4 16 00 00       	mov    $0x16b4,%eax
    797e:	66 89 83 90 04 00 00 	mov    %ax,0x490(%rbx)


#16
Col. Steve Austin

Col. Steve Austin

    InsanelyMac Protégé

  • Members
  • Pip
  • 7 posts
  • Gender:Male

Hi Mieze, I have a BCM57781 on my Asrock 77E-ITX which worked fine with 10.8.   I had already gathered that the locations would be different for 10.8.5 & I'm using 0xED too.  your correction above is actually identical to the original patch since in both cases, it's the middle 5 bytes that are being replaced with (mov $0x14e4,%eax) and (mov $0x16b4,%eax) twice, is that right?  Anyway applying the patch to info.plist + AppleBCM5701Ethernet binary of a virgin 10.8.5 IONetworkingFamily.kext still refuses to work.  in fact it's not even recognised in SystemInfo which is strange.  I have triple checked the files with 0xED and both addresses and contents match your last post.  Is there anything else that needs to be done?

 

Thanks for your help

Serge



#17
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Hi Mieze, I have a BCM57781 on my Asrock 77E-ITX which worked fine with 10.8.   I had already gathered that the locations would be different for 10.8.5 & I'm using 0xED too.  your correction above is actually identical to the original patch since in both cases, it's the middle 5 bytes that are being replaced with (mov $0x14e4,%eax) and (mov $0x16b4,%eax) twice, is that right?  Anyway applying the patch to info.plist + AppleBCM5701Ethernet binary of a virgin 10.8.5 IONetworkingFamily.kext still refuses to work.  in fact it's not even recognised in SystemInfo which is strange.  I have triple checked the files with 0xED and both addresses and contents match your last post.  Is there anything else that needs to be done?

 

Thanks for your help

Serge

 

If the kext doesn't load at all the Info.plist is not correct. Use "kextstat" in Terminal to verify it has been loaded. If it loads but refuses to work you'll find the reason why in your kernel logs.

 

Mieze



#18
Col. Steve Austin

Col. Steve Austin

    InsanelyMac Protégé

  • Members
  • Pip
  • 7 posts
  • Gender:Male

Thanks for the quick reply. I had switch to the old non functioning 10.8 version (169.254.xxx.xxx) which at least loads.  

 

kextstat | grep BCM

 

confirmed it, so I switched back to the 10.8.5 patched version and the same command shows that it's not loaded.  I edited a new info.plist using nano this time.  still not loading.  I'm at a loss as to why??

 

I've attached a patched copy, if it's ok.  I'd appreciate if you could have a look, to check that I'm not going blind or crazy.

Thanks in advance

 

Serge

Attached Files



#19
Mieze

Mieze

    Giant Cat

  • Coders
  • 519 posts
  • Gender:Female
  • Location:Germany
  • Interests:Cats

Thanks for the quick reply. I had switch to the old non functioning 10.8 version (169.254.xxx.xxx) which at least loads.  

 

kextstat | grep BCM

 

confirmed it, so I switched back to the 10.8.5 patched version and the same command shows that it's not loaded.  I edited a new info.plist using nano this time.  still not loading.  I'm at a loss as to why??

 

I've attached a patched copy, if it's ok.  I'd appreciate if you could have a look, to check that I'm not going blind or crazy.

Thanks in advance

 

Serge

Please also post a dump of IOReg and your kernel logs.

 

Mieze



#20
Col. Steve Austin

Col. Steve Austin

    InsanelyMac Protégé

  • Members
  • Pip
  • 7 posts
  • Gender:Male

Hi Mieze

 

I'll get those together, meanwhile this may be significant:  I was trying to install my Audio drivers and a certain MB was failing the solution to which was:

 

sudo kextcache -update-volume /

 

this was failing with:

 

AppleBCM5701Ethernet.kext - no dependency found for com.apple.iokit.IOEthernetAVBController.

AppleBCM5701Ethernet.kext is missing dependencies (including anyway; dependencies may be available from elsewhere) etc.

 

quick swap to old kext fixed that, but a quick look at system logs (narrowed with ionetworking) shows the kext not loading because some files need to be 644 but are 755 also this:

 

08/10/2013 16:13:11.589 com.apple.kextd[12] Can't load /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleBCM5701Ethernet.kext - failed to resolve dependencies.
08/10/2013 17:07:19.000 kernel[0] Refusing new kext com.apple.iokit.IONetworkingFamily, v3.0: a loaded copy with a different executable UUID is already present.
 
Shall I still send the full logs & ioreg dump?
Cheers
Serge






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

© 2014 InsanelyMac  |   News  |   Forum  |   Downloads  |   OSx86 Wiki  |   Mac Netbook  |   PHP hosting by CatN  |   Designed by Ed Gain  |   Logo by irfan  |   Privacy Policy