Meowthra Posted August 22, 2015 Share Posted August 22, 2015 Method 1 : Binary Patch ================================= A. XCPM Patch ================================= 10.9.5 Opcode Analysis find _xcpm_init INTO addr: ffffff80002fa0dc call sub_ffffff80002fa340 _xcpm_init: ffffff80002fa040 55 push rbp ffffff80002fa041 4889E5 mov rbp, rsp ffffff80002fa044 4156 push r14 ffffff80002fa046 53 push rbx ffffff80002fa047 4189FE mov r14d, edi ffffff80002fa04a 658B1C251C000000 mov ebx, dword [gs:0x1c] ffffff80002fa052 833DB72B5E0000 cmp dword [ds:_xcpm_mode], 0x0 ffffff80002fa059 0F8489000000 je 0xffffff80002fa0e8 ffffff80002fa05f 833D9A2B5E0000 cmp dword [ds:_xcpm_assert_enable], 0x0 ffffff80002fa066 0F85FA000000 jne 0xffffff80002fa166 ffffff80002fa06c 8D4301 lea eax, qword [ds:rbx+0x1] ffffff80002fa06f 8B0DAB2B5E00 mov ecx, dword [ds:_xcpm_ncpus] ffffff80002fa075 39C1 cmp ecx, eax ffffff80002fa077 0F47C1 cmova eax, ecx ffffff80002fa07a 8905A02B5E00 mov dword [ds:_xcpm_ncpus], eax ffffff80002fa080 4869C340030000 imul rax, rbx, 0x340 ffffff80002fa087 488D0DB22B5E00 lea rcx, qword [ds:_xcpm_cpus] ffffff80002fa08e FF840888000000 inc dword [ds:rax+rcx+0x88] ffffff80002fa095 BF40597307 mov edi, 0x7735940 ffffff80002fa09a 833D5F2B5E0000 cmp dword [ds:_xcpm_assert_enable], 0x0 ffffff80002fa0a1 7405 je 0xffffff80002fa0a8 ffffff80002fa0a3 BF50D6DC01 mov edi, 0x1dcd650 ffffff80002fa0a8 48893D99935E00 mov qword [ds:_xcpm_lock_timeout], rdi ffffff80002fa0af 488D0572AC5D00 lea rax, qword [ds:_tscFCvtn2t] ffffff80002fa0b6 488B30 mov rsi, qword [ds:rax] ffffff80002fa0b9 E8A2D4FDFF call _tmrCvt ffffff80002fa0be 4889058B935E00 mov qword [ds:_xcpm_lock_timeout_tsc], rax ffffff80002fa0c5 833D7419530000 cmp dword [ds:_xcpm_SMT_platform], 0x0 ffffff80002fa0cc 488D3D5D1A5300 lea rdi, qword [ds:_xcpm_pkg_scope_msrs] ffffff80002fa0d3 BE07000000 mov esi, 0x7 ffffff80002fa0d8 7413 je 0xffffff80002fa0ed ffffff80002fa0da 31D2 xor edx, edx ffffff80002fa0dc E85F020000 call 0xffffff80002fa340 <<<< Into 
here ffffff80002fa0e1 F6C301 test bl, 0x1 ffffff80002fa0e4 7521 jne 0xffffff80002fa107 sub_ffffff80002fa340: ffffff80002fa340 55 push rbp ffffff80002fa341 4889E5 mov rbp, rsp ffffff80002fa344 4189D0 mov r8d, edx ffffff80002fa347 85F6 test esi, esi ffffff80002fa349 746C je 0xffffff80002fa3b7 ffffff80002fa34b 4883C728 add rdi, 0x28 ffffff80002fa34f 90 nop ffffff80002fa350 8B05C6285E00 mov eax, dword [ds:_xcpm_cpu_model] ffffff80002fa356 8547DC test dword [ds:rdi+0xffffffffffffffdc], eax ffffff80002fa359 7454 je 0xffffff80002fa3af ffffff80002fa35b 8B4FD8 mov ecx, dword [ds:rdi+0xffffffffffffffd8] ffffff80002fa35e 4585C0 test r8d, r8d ffffff80002fa361 7408 je 0xffffff80002fa36b ffffff80002fa363 4439C1 cmp ecx, r8d ffffff80002fa366 4489C1 mov ecx, r8d ffffff80002fa369 7544 jne 0xffffff80002fa3af ffffff80002fa36b 0F32 rdmsr ffffff80002fa36d 89C0 mov eax, eax ffffff80002fa36f 48C1E220 shl rdx, 0x20 ffffff80002fa373 4809C2 or rdx, rax ffffff80002fa376 488957F8 mov qword [ds:rdi+0xfffffffffffffff8], rdx ffffff80002fa37a 488B47E8 mov rax, qword [ds:rdi+0xffffffffffffffe8] ffffff80002fa37e 4885C0 test rax, rax ffffff80002fa381 7406 je 0xffffff80002fa389 ffffff80002fa383 48F7D0 not rax ffffff80002fa386 4821C2 and rdx, rax ffffff80002fa389 480B57F0 or rdx, qword [ds:rdi+0xfffffffffffffff0] ffffff80002fa38d 4989D1 mov r9, rdx ffffff80002fa390 49C1E920 shr r9, 0x20 ffffff80002fa394 89D0 mov eax, edx ffffff80002fa396 8B4FD8 mov ecx, dword [ds:rdi+0xffffffffffffffd8] ffffff80002fa399 4C89CA mov rdx, r9 ffffff80002fa39c 0F30 wrmsr <<<< here NOP ffffff80002fa39e 8B4FD8 mov ecx, dword [ds:rdi+0xffffffffffffffd8] <<<< here NOP ffffff80002fa3a1 0F32 rdmsr <<<< here NOP ffffff80002fa3a3 89C0 mov eax, eax <<<< here NOP ffffff80002fa3a5 48C1E220 shl rdx, 0x20 ffffff80002fa3a9 4809C2 or rdx, rax ffffff80002fa3ac 488917 mov qword [ds:rdi], rdx ffffff80002fa3af 4883C730 add rdi, 0x30 ffffff80002fa3b3 FFCE dec esi ffffff80002fa3b5 7599 jne 0xffffff80002fa350 ffffff80002fa3b7 5D pop rbp 
ffffff80002fa3b8 C3 ret Find 0F308B4FD80F3289C0 Replace 909090909090909090 10.9.5 XCPM Patch sudo perl -pi -e 's|\x0F\x30\x8B\x4F\xD8\x0F\x32\x89\xC0|\x90\x90\x90\x90\x90\x90\x90\x90\x90|g' /mach_kernel (Reviewer note: the nine bytes replaced are `wrmsr`, the reload of ecx from the table entry, `rdmsr` and `mov eax, eax`, so the function keeps its length and the table loop — `add rdi, 0x30` / `dec esi` / `jne` — still runs; what is removed is the MSR write itself and the readback that followed it. Because eax and rdx still hold the computed value when the surviving `shl rdx, 0x20` / `or rdx, rax` execute, the slot stored at [rdi] afterwards holds the value the kernel intended to write, not what the MSR actually contains. `perl -pi` rewrites /mach_kernel in place with no backup; keep a copy, or use `-pi.bak`, so the original kernel can be restored if the patched one does not boot.) 10.10.5 Opcode Analysis find _xcpm_init INTO addr: ffffff800043c53f call sub_ffffff800043cb90 ffffff800043c490 55 push rbp ffffff800043c491 4889E5 mov rbp, rsp ffffff800043c494 4157 push r15 ffffff800043c496 4156 push r14 ffffff800043c498 4154 push r12 ffffff800043c49a 53 push rbx ffffff800043c49b 4189FE mov r14d, edi ffffff800043c49e 65448B3C251C000000 mov r15d, dword [gs:0x1c] ffffff800043c4a7 833DE2E76A0000 cmp dword [ds:_xcpm_mode], 0x0 ffffff800043c4ae 0F84F2000000 je 0xffffff800043c5a6 ffffff800043c4b4 833DBDE76A0000 cmp dword [ds:_xcpm_assert_enable], 0x0 ffffff800043c4bb 0F8533010000 jne 0xffffff800043c5f4 ffffff800043c4c1 8B05D9E76A00 mov eax, dword [ds:_xcpm_ncpus] ffffff800043c4c7 418D4F01 lea ecx, qword [ds:r15+0x1] ffffff800043c4cb 39C8 cmp eax, ecx ffffff800043c4cd 0F47C8 cmova ecx, eax ffffff800043c4d0 890DCAE76A00 mov dword [ds:_xcpm_ncpus], ecx ffffff800043c4d6 4969C780030000 imul rax, r15, 0x380 ffffff800043c4dd 488D0DDCE76A00 lea rcx, qword [ds:_xcpm_cpus] ffffff800043c4e4 FF840888000000 inc dword [ds:rax+rcx+0x88] ffffff800043c4eb BF40597307 mov edi, 0x7735940 ffffff800043c4f0 833D81E76A0000 cmp dword [ds:_xcpm_assert_enable], 0x0 ffffff800043c4f7 7405 je 0xffffff800043c4fe ffffff800043c4f9 BF50D6DC01 mov edi, 0x1dcd650 ffffff800043c4fe 48893D03586B00 mov qword [ds:_xcpm_lock_timeout], rdi ffffff800043c505 488B3524806A00 mov rsi, qword [ds:_tscFCvtn2t] ffffff800043c50c E82F51FDFF call _tmrCvt ffffff800043c511 488905F8576B00 mov qword [ds:_xcpm_lock_timeout_tsc], rax ffffff800043c518 8B1D12996100 mov ebx, dword [ds:_xcpm_SMT_platform] ffffff800043c51e 83FB00 cmp ebx, 0x0 ffffff800043c521 410F94C4 sete r12b ffffff800043c525 0F20E0 mov rax, cr4 ffffff800043c528 480D00010000 or rax, 0x100 ffffff800043c52e 0F22E0 mov cr4, rax ffffff800043c531
488D3DE8996100 lea rdi, qword [ds:_xcpm_pkg_scope_msrs] ffffff800043c538 BE07000000 mov esi, 0x7 ffffff800043c53d 31D2 xor edx, edx ffffff800043c53f E84C060000 call sub_ffffff800043cb90 <<<< Into here ffffff800043c544 83FB00 cmp ebx, 0x0 ffffff800043c547 740B je 0xffffff800043c554 sub_ffffff800043cb90: ffffff800043cb90 55 push rbp ffffff800043cb91 4889E5 mov rbp, rsp ffffff800043cb94 4157 push r15 ffffff800043cb96 4156 push r14 ffffff800043cb98 4155 push r13 ffffff800043cb9a 4154 push r12 ffffff800043cb9c 53 push rbx ffffff800043cb9d 50 push rax ffffff800043cb9e 4189D6 mov r14d, edx ffffff800043cba1 4189F7 mov r15d, esi ffffff800043cba4 4889FB mov rbx, rdi ffffff800043cba7 4585FF test r15d, r15d ffffff800043cbaa 0F849B000000 je 0xffffff800043cc4b ffffff800043cbb0 4883C328 add rbx, 0x28 ffffff800043cbb4 4C8D25C6D95400 lea r12, qword [ds:0xffffff800098a581] ; "%s: programming MSR 0x%x\\n" ffffff800043cbbb 4C8D2DD9D95400 lea r13, qword [ds:0xffffff800098a59b] ; "xcpm_program_msrs" ffffff800043cbc2 66666666662E0F1F840000000000 nop qword [cs:rax+rax+0x0] ffffff800043cbd0 8B05C6E06A00 mov eax, dword [ds:_xcpm_cpu_model] ffffff800043cbd6 8543DC test dword [ds:rbx+0xffffffffffffffdc], eax ffffff800043cbd9 7467 je 0xffffff800043cc42 ffffff800043cbdb 4585F6 test r14d, r14d ffffff800043cbde 7406 je 0xffffff800043cbe6 ffffff800043cbe0 443973D8 cmp dword [ds:rbx+0xffffffffffffffd8], r14d ffffff800043cbe4 755C jne 0xffffff800043cc42 ffffff800043cbe6 833D1B91610000 cmp dword [ds:0xffffff8000a55d08], 0x0 ffffff800043cbed 7410 je 0xffffff800043cbff ffffff800043cbef 8B53D8 mov edx, dword [ds:rbx+0xffffffffffffffd8] ffffff800043cbf2 31C0 xor eax, eax ffffff800043cbf4 4C89E7 mov rdi, r12 ffffff800043cbf7 4C89EE mov rsi, r13 ffffff800043cbfa E8B1D54E00 call _kprintf ffffff800043cbff 8B4BD8 mov ecx, dword [ds:rbx+0xffffffffffffffd8] ffffff800043cc02 0F32 rdmsr ffffff800043cc04 89D1 mov ecx, edx ffffff800043cc06 48C1E120 shl rcx, 0x20 ffffff800043cc0a 89C2 mov edx, eax ffffff800043cc0c 
4809CA or rdx, rcx ffffff800043cc0f 488953F8 mov qword [ds:rbx+0xfffffffffffffff8], rdx ffffff800043cc13 488B43E8 mov rax, qword [ds:rbx+0xffffffffffffffe8] ffffff800043cc17 4885C0 test rax, rax ffffff800043cc1a 7406 je 0xffffff800043cc22 ffffff800043cc1c 48F7D0 not rax ffffff800043cc1f 4821C2 and rdx, rax ffffff800043cc22 480B53F0 or rdx, qword [ds:rbx+0xfffffffffffffff0] ffffff800043cc26 8B4BD8 mov ecx, dword [ds:rbx+0xffffffffffffffd8] ffffff800043cc29 89D0 mov eax, edx ffffff800043cc2b 48C1EA20 shr rdx, 0x20 ffffff800043cc2f 0F30 wrmsr <<<< here NOP ffffff800043cc31 8B4BD8 mov ecx, dword [ds:rbx+0xffffffffffffffd8] <<<< here NOP ffffff800043cc34 0F32 rdmsr <<<< here NOP ffffff800043cc36 48C1E220 shl rdx, 0x20 ffffff800043cc3a 89C0 mov eax, eax <<<< here NOP ffffff800043cc3c 4809D0 or rax, rdx ffffff800043cc3f 488903 mov qword [ds:rbx], rax ffffff800043cc42 4883C330 add rbx, 0x30 ffffff800043cc46 41FFCF dec r15d ffffff800043cc49 7585 jne 0xffffff800043cbd0 ffffff800043cc4b 4883C408 add rsp, 0x8 ffffff800043cc4f 5B pop rbx ffffff800043cc50 415C pop r12 ffffff800043cc52 415D pop r13 ffffff800043cc54 415E pop r14 ffffff800043cc56 415F pop r15 ffffff800043cc58 5D pop rbp ffffff800043cc59 C3 ret Find 0F308B4BD80F3248C1E22089C0 Replace 9090909090909048C1E2209090 10.10.5 XCPM Patch sudo perl -pi -e 's|\x0F\x30\x8B\x4B\xD8\x0F\x32\x48\xC1\xE2\x20\x89\xC0|\x90\x90\x90\x90\x90\x90\x90\x48\xC1\xE2\x20\x90\x90|g' /kernel (Reviewer note: the "xcpm_program_msrs" string loaded earlier in this listing identifies the function being patched. The 13-byte replacement keeps `shl rdx, 0x20` (48C1E220) in place and NOPs only `wrmsr`, the ecx reload, `rdmsr` and `mov eax, eax`, so the length is unchanged and the loop over the table still advances; only the MSR write and its readback are removed. Since eax/rdx still hold the computed value, the slot stored at [rbx] afterwards is that value rather than the MSR's real contents. The substitution is global (/g), so confirm the pattern occurs exactly once before applying it: `sudo perl -0777 -ne 'print scalar(() = /\x0F\x30\x8B\x4B\xD8\x0F\x32\x48\xC1\xE2\x20\x89\xC0/g), "\n"' /kernel` should print 1. `perl -pi` makes no backup — keep a copy of /kernel first.) ================================= B.
Fake CPUFAMILY To IVYBRIDGE Patch ================================= HASWELL TO IVYBRIDGE (0x10b282dc is the CPUFAMILY_INTEL_HASWELL constant and 0x1f65e835 the CPUFAMILY_INTEL_IVYBRIDGE constant, so this is the binary equivalent of the one-line source change under Method 2) 10.9.5 Find: mov ebx, 0x10b282dc Replace: mov ebx, 0x1f65e835 10.10.5 Find: mov ebx, 0x10b282dc Replace: mov ebx, 0x1f65e835 Find BBDC82B210 Replace BB35E8651F 10.9.5 sudo perl -pi -e 's|\xbb\xdc\x82\xb2\x10|\xbb\x35\xe8\x65\x1f|g' /mach_kernel 10.10.5 sudo perl -pi -e 's|\xbb\xdc\x82\xb2\x10|\xbb\x35\xe8\x65\x1f|g' /kernel (Reviewer note: the search pattern in both one-liners originally ended in `\xdc`, i.e. BB DC 82 B2 DC, which does not match the BBDC82B210 bytes given just above — `mov ebx, 0x10b282dc` encodes its immediate little-endian as DC 82 B2 10 — so the command as first posted silently changed nothing; the last byte has been corrected to `\x10`. Because the substitution is global (/g) and a 5-byte immediate can plausibly occur elsewhere in the kernel, count the matches first — `sudo perl -0777 -ne 'print scalar(() = /\xbb\xdc\x82\xb2\x10/g), "\n"' /kernel` — and inspect any hit beyond the expected one before patching. `perl -pi` edits the kernel in place with no backup; copy /kernel (/mach_kernel on 10.9.5) aside, or use `-pi.bak`, so the original can be restored.) Method 2 : Modify XNU Source Rebuild Kernel ================================= Fake CPUFAMILY To IVYBRIDGE ================================= xnu/osfmk/i386/cpuid.c static uint32_t cpuid_set_cpufamily(i386_cpu_info_t *info_p) { uint32_t cpufamily = CPUFAMILY_UNKNOWN; switch (info_p->cpuid_family) { case 6: switch (info_p->cpuid_model) { case 15: cpufamily = CPUFAMILY_INTEL_MEROM; break; case 23: cpufamily = CPUFAMILY_INTEL_PENRYN; break; case CPUID_MODEL_NEHALEM: case CPUID_MODEL_FIELDS: case CPUID_MODEL_DALES: case CPUID_MODEL_NEHALEM_EX: cpufamily = CPUFAMILY_INTEL_NEHALEM; break; case CPUID_MODEL_DALES_32NM: case CPUID_MODEL_WESTMERE: case CPUID_MODEL_WESTMERE_EX: cpufamily = CPUFAMILY_INTEL_WESTMERE; break; case CPUID_MODEL_SANDYBRIDGE: case CPUID_MODEL_JAKETOWN: cpufamily = CPUFAMILY_INTEL_SANDYBRIDGE; break; case CPUID_MODEL_IVYBRIDGE: case CPUID_MODEL_IVYBRIDGE_EP: cpufamily = CPUFAMILY_INTEL_IVYBRIDGE; break; case CPUID_MODEL_HASWELL: case CPUID_MODEL_HASWELL_ULT: case CPUID_MODEL_CRYSTALWELL: //cpufamily = CPUFAMILY_INTEL_HASWELL; <<<<< Here cpufamily = CPUFAMILY_INTEL_IVYBRIDGE; [excerpt ends here; the remainder of cpuid_set_cpufamily is not shown and is left as in the original source] org.chameleon.Boot.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>GraphicsEnabler</key> <string>Yes</string> <key>InjectIntel-ig</key> <string>0000260a</string> <key>Kernel</key> <string>/kernel</string> <key>Kernel Flags</key> <string>-v -f</string> </dict> </plist> kernel-10105-Haswell.zip mach_kernel-1095-Haswell.zip (Reviewer note: these are prebuilt patched kernel binaries. As with any kernel taken from a forum attachment, prefer applying the patches above to your own copy of the kernel and checking that the result matches the attachment — e.g. `cmp` the two files — rather than booting a binary you have not verified.)
spakk Posted August 22, 2015: Tora Chi Yo, you're awesome!
gils83 Posted August 22, 2015: thanks Tora Chi Yo
oswaldini Posted August 23, 2015: Why not simply use Fake CPUID in Clover? http://www.insanelymac.com/forum/topic/282787-clover-v2-instructions/?p=2036384
Pike R. Alpha Posted August 23, 2015: I'm confused. First, Apple never released the source code for XCPM, and I blogged about this on 13 October 2013 for the first time, and a couple of times later. So how does this work... without having the source code? I also blogged about adding support for HASWELL(ULT) processors since 10.9, so what's up with all this?
RehabMan Posted August 23, 2015: Quoting Pike R. Alpha — "I'm confused. First, Apple never released the source code for XCPM, and I blogged about this on 13 October 2013 for the first time, and a couple of times later. So how does this work... without having the source code? I also blogged about adding support for HASWELL(ULT) processors since 10.9, so what's up with all this?" — Just for curiosity's sake, I googled 'static uint32_t cpuid_set_cpufamily(i386_cpu_info_t *info_p)'. The first result was: http://www.opensource.apple.com/source/xnu/xnu-2422.1.72/osfmk/i386/cpuid.c
Meowthra (Author) Posted August 31, 2015: Quoting oswaldini — "Why not simply use Fake CPUID in Clover? http://www.insanelymac.com/forum/topic/282787-clover-v2-instructions/?p=2036384" — The Fake CPUFAMILY To IVYBRIDGE binary patch is intended for Chameleon users; Clover users can use Clover's Fake CPUID option as linked.