Iris Xe iGPU on Tiger Lake successfully loaded ICLLP Frambuffer and VRAM also recognizes 1536MB! + However, some issues.

[jalavoui]

it's the biggest patch in nblue how did u miss it ?
 

tgl

 

icl as comments but tgl as same patch logic

 

 

it works with lots of mods - the 0x1800 flags idk as some won't work

but yeah maybe some combo will unlock this issues

 

problem of messing with this is that this code and others might need patches 

 

this code also as condition

Edited October 23, 2024 by jalavoui

[benmacfreak]

6 hours ago, jalavoui said:

it's the biggest patch in nblue how did u miss it ?
 

tgl

 

icl as comments but tgl as same patch logic

 

 

it works with lots of mods - the 0x1800 flags idk as some won't work

but yeah maybe some combo will unlock this issues

 

problem of messing with this is that this code and others might need patches 

 

this code also as condition

why was there no updated src zip file for nblue jala? just wondering.

[jalavoui]

i'm pushing nblue src as i change it

this1 defaults to tgl for testing

btw blt3d panic is patched

 

 

 

i just exausted my upload space in insanly...

 

here the latest files

 

 

 

 

 

 

 

 

 

what i found out is that tgl logs shows less failures during display setup

still on nblue you guys can change the default framebuffer

 

btw this tgl bad patch (cause of wrong register readings)

its all Visual fault because he doesn't have a working intel laptop to help us.

 

Masta maybe you can help by searching the entire DTK for this functions ?

they must be defined somewhere as the dtk works fine

 

tgl might work for non DSB hardware with some hacks

Edited October 30, 2024 by jalavoui

[benmacfreak]

1 hour ago, jalavoui said:

i'm pushing nblue src as i change it

this1 defaults to tgl for testing

btw blt3d panic is patched

 

NootedBlue-master.zip 418.56 kB · 2 downloads

 

i just exausted my upload space in insanly...

 

here the latest files

 

 

sle_Internal.zip 43.07 MB · 0 downloads

 

HookCase-master.zip 191.12 kB · 0 downloads

 

 

 

what i found out is that tgl logs shows less failures during display setup

still on nblue you guys can change the default framebuffer

 

btw this tgl bad patch (cause of wrong register readings)

its all Visual fault because he doesn't have a working intel laptop to help us.

 

Masta maybe you can help by searching the entire DTK for this functions ?

they must be defined somewhere as the dtk works fine

 

tgl might work for non DSB hardware with some hacks

i have recently aquired a 10th gen xps laptop along side my 11th gen laptop jala, given visual hasnt a intel laptop, what do you need help wise? i've not done much with xcode or kext development BUT i can donate some time if you need.

[jalavoui]

hmm i think you should join the asus thread because probably you will have same issues for setup os x 

or skip it if you managed to load nblue and get logs

 

any os version is fine cause we're testing DTK files

Edited October 24, 2024 by jalavoui

[benmacfreak]

16 minutes ago, jalavoui said:

hmm i think you should join the asus thread because probably you will have same issues for setup os x 

or skip it if you managed to load nblue and get logs

yeah i have only arch linux on my 11th gen rn, i have sonoma 14.7 on a usb rn with my 11th gen EFI, is sonoma ok for this or should i use ventura? doesn't matter to me. alright ill put sonoma on then.

Edited October 24, 2024 by benmacfreak

[Mastachief]

I figure its one of these, I'm checking with Ghidra.

 

AppleIntelTGLGraphics.kext
AppleIntelTGLGraphicsFramebuffer.kext
AppleIntelGraphicsPowerManagement.kext
AppleIntelGraphicsGLDriver.bundle
AppleIntelTGLGraphicsVADriver.bundle

 

okay,

 

checking.

Edited October 24, 2024 by Mastachief

[jalavoui]

they're called from AppleIntelTGLGraphicsFramebuffer.kext. but there must be a file in the DTK with the original functions

 

in theory they should be in one of this files

 

 

can you guys check yours linux logs for this ?

Edited October 25, 2024 by jalavoui

[Visual Ehrmanntraut]

13 hours ago, jalavoui said:

they must be defined somewhere as the dtk works fine

◎ rg --binary "AppleIntelBaseController15WriteRegister32" ~/Developer/.AppleInternal/GoldenGateSpike/System/Library/Extensions/                                                                                ⌂ 09:22
/Users/visual/Developer/.AppleInternal/GoldenGateSpike/System/Library/Extensions/AppleIntelICLLPGraphicsFramebuffer.kext/Contents/MacOS/AppleIntelICLLPGraphicsFramebuffer_kasan: binary file matches (found "\0" byte around offset 5)


◎ rg --binary "AppleIntelBaseController14ReadRegister32" ~/Developer/.AppleInternal/GoldenGateSpike/System/Library/Extensions/                                                                                 ⌂ 09:23
/Users/visual/Developer/.AppleInternal/GoldenGateSpike/System/Library/Extensions/AppleIntelICLLPGraphicsFramebuffer.kext/Contents/MacOS/AppleIntelICLLPGraphicsFramebuffer_kasan: binary file matches (found "\0" byte around offset 5)

 

[jalavoui]

brew install rg

 

but the match is misleading as it can be found on other framebuffers

 

 

i'm thinking on getting the code using lldb with a breakpoint

better ask this guy

 

looking at this code refs from bninja the calls are almost mmio address but there are exceptions

using mmio address or base class (this) to read/write made no diferrence so far. maybe cause the code is never called (camelliatcon, banksiatcon)

 

now this ones are important. if the code of hookcase is wrong we got a problem

 

 

i'll focus on this 64 readings as they do matter

 

Visual can you show a decent decompile of void AppleIntelBaseController::FBMemMgr_Init(void) , AppleIntelBaseController::FBMemMgr_DumpGTTPage() and AppleIntelBaseController::FBMemMgr_AllocSysMem(void) from TGL

my bninja is not configured to show dependencies like yours.

Edited October 25, 2024 by jalavoui

[Mastachief]

I searched through the functions and found some dsb functions, but it's not the one one we are looking for, it might be stripped....I used ghidra and even ida pro to analyze.

[Visual Ehrmanntraut]

On 10/25/2024 at 3:07 PM, jalavoui said:

looking at this code refs from bninja the calls are almost mmio address but there are exceptions

that's just a flaw with Binary Ninja, the type system doesn't influence the integer display system, so it may display numbers as addresses in the binary

[jalavoui]

allright i'll w8 for someone with the forbidden mac read this thread and post some logs / ioreg

 

meanwhile

#define SFUSE_STRAP _MMIO(0xc2014)

 

 

i wonder if this work with sys.kc from the dtk image

might point to icl frame so better test for hwSetupDSBMemory() also

 

Edited October 27, 2024 by jalavoui

[dosdude1]

On 10/26/2024 at 2:33 PM, jalavoui said:

allright i'll w8 for someone with the forbidden mac read this thread and post some logs / ioreg

 

meanwhile

#define SFUSE_STRAP _MMIO(0xc2014)

 

 

i wonder if this work with sys.kc from the dtk image

might point to icl frame so better test for hwSetupDSBMemory() also

 

Let me know what you need; the DTK dump you all got these files from is from one of my DTKs. I can boot it and do whatever you need. I also have the full dump for that one, and one from another prototype DTK with an even earlier build of Big Sur.

[jalavoui]

great news !

 

The dtk boot log and ioreg would be great. maybe acpi tables

 

2nd big issue we have is the missing functions that we ported to hookcase.kext

 

here they are. externall calls used by AppleIntelTGLGraphicsFramebuffer

 

i think hopper or binary ninja might help get the pseudo code.

 

maybe loading the dtk /System/Library/KernelCollections/SystemKernelExtensions.kc on bninja

or using hopper to load the dyld cache (probably no AppleIntelTGLGraphicsFramebuffer in cache)

 

i'm still not sure on best way to find the code inside those external functions.

 

hope you can give it a try

 

tks

Edited October 28, 2024 by jalavoui

[dosdude1]

2 hours ago, jalavoui said:

great news !

 

The dtk boot log and ioreg would be great. maybe acpi tables

 

2nd big issue we have is the missing functions that we ported to hookcase.kext

 

here they are. externall calls used by AppleIntelTGLGraphicsFramebuffer

 

i think hopper or binary ninja might help get the pseudo code.

 

maybe loading the dtk /System/Library/KernelCollections/SystemKernelExtensions.kc on bninja

or using hopper to load the dyld cache (probably no AppleIntelTGLGraphicsFramebuffer in cache)

 

i'm still not sure on best way to find the code inside those external functions.

 

hope you can give it a try

 

tks

 

IOReg I don't think would show anything, as the DTK of course does not have any Intel hardware, so there would be nothing of the sort in the device tree, and as such no respective kext loaded. Also, the DTK does not have or utilize ACPI in any way, all it has is the signed device tree image stored on NAND. It is an A12Z-based device, and is much more similar to an iPad or iPhone than it is to an Intel-based Mac.

 

I'm not really sure the best way to find the binary containing those functions either, but I have sent you a DM with links to those two internal builds I mentioned earlier. So feel free to take a look at those.

[jalavoui]

right it's arm arch so no acpi table and ioreg won't show much. loading sys.kc from boot will show arm version of the kext

 

hmmm i need to think on something that works for x64

 

reading https://theapplewiki.com/wiki/GoldenGate_20A2261g

 

there is a command that allows collect lots of info from mac os

dosdude can you try run sudo sysdiagnose -f ~/Desktop/

maybe this helps

 

i forgot the main question

does dosdude mac actualy uses AppleIntelTGLGraphicsFramebuffer.kext ?

we're testing the debug version that supports boot arg IGLogLevel=8 but i think dtk doesnt use it to boot

 

Edited October 28, 2024 by jalavoui

[Mastachief]

Hi dosdude, is it possible for you to do a system dump using the latest version of darwin dumper v3.1.1? I know that A12Z Bionic is a 64-bit ARM-based SOc

 

You can enable the "Make Dumps Private" option, by enabling the privacy option it will mask all the sensitive data like the IOPlatformSerialNumber, IOPlatformUUID, IOMACAddress(s), USB Serial Number(s), SystemSerialNumber, serial-number, fmm-mobileme-token-FMM, MLB and ROM efi vars and CustomUUID in the dumped files and report.

 

 

Jala, do you use Kernel Address Sanitizer or any other tool for detecting memory errors? This would help tremendously....https://github.com/google/sanitizers/wiki/AddressSanitizer

Edited October 28, 2024 by Mastachief

[dosdude1]

5 hours ago, Mastachief said:

Hi dosdude, is it possible for you to do a system dump using the latest version of darwin dumper v3.1.1? I know that A12Z Bionic is a 64-bit ARM-based SOc

 

You can enable the "Make Dumps Private" option, by enabling the privacy option it will mask all the sensitive data like the IOPlatformSerialNumber, IOPlatformUUID, IOMACAddress(s), USB Serial Number(s), SystemSerialNumber, serial-number, fmm-mobileme-token-FMM, MLB and ROM efi vars and CustomUUID in the dumped files and report.

 

 

Jala, do you use Kernel Address Sanitizer or any other tool for detecting memory errors? This would help tremendously....https://github.com/google/sanitizers/wiki/AddressSanitizer

 

Here is the Darwin Dumper output from the DTK.

DarwinDumper_3.1.1_1969.12.31_17.06.38_eperm-d995af6e2ef02770_Unknown_WhoKnows_Unknown_20A2314a_hablamossf.zip

[jalavoui]

darwin dumper is very old tool and provides almost no info of the system. can you try sudo sysdiagnose -f ~/Desktop/ ?

 

 

masta there is a old 386_backtrace from NRed https://github.com/NyanCatTW1/NootedRed/blob/da5a3695118ef8ade79d7317abebf008c14f3f6f/NootedRed/kern_nred.cpp#L202

i think visual as something related to this in some nred release. better ask him?

 

currently tgl frame as an error related with register reading. this is the code of a "read"

ofc current hacks of readreg32 don't solve this and the driver fails to setup planes/scaler, etc

this is related to port reading as the register is ivar6+ 0x7008

when this is fixed and parts of DG1 code are disabled tgl can be usefull for other cards

 

mmio field is defined here and passed to  AppleIntelRegisterAccessManager

 

then this call

is probably same as old NRed code

same logic

 

this must be an easy fix, but i just can't see it

Edited October 28, 2024 by jalavoui

[Visual Ehrmanntraut]

Getting information from the DTK obviously will not help, it's an iPad put in a Mac Mini case, it has no Intel iGPU.

If you want to look for implementation of the undefined functions, look at SKL.

[Visual Ehrmanntraut]

AppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister16Em.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister16Emj.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32EPVvm.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32Em.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32EPVvmj.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister64EPVvmy.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32Emj.txt

[Visual Ehrmanntraut]

AppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController9getPMTNowEv.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister64EPVvmy.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32Emj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32EPVvmj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32Em.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32EPVvm.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister16Emj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister16Em.txtAppleIntelICLLPGraphicsFramebuffer.__ZN17AppleIntelPortHAL13probePortModeEv.txt

[Visual Ehrmanntraut]

and with comments
AppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister64EPVvmy.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32Emj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister32EPVvmj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32Em.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister32EPVvm.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController15WriteRegister16Emj.txtAppleIntelICLLPGraphicsFramebuffer.__ZN31AppleIntelFramebufferController14ReadRegister16Em.txtAppleIntelICLLPGraphicsFramebuffer.__ZN17AppleIntelPortHAL13probePortModeEv.txtAppleIntelSKLGraphicsFramebuffer.__ZN31AppleIntelFramebufferController9getPMTNowEv.txt

and the data_.... += 1; {censored} is LLVM performance counters, just ignore them

[Visual Ehrmanntraut]

relevant Linux definitions for probePortMode
 

// i915_reg_defs.h
#define _PICK_EVEN(__index, __a, __b) ((__a) + (__index) * ((__b) - (__a)))
  
#define _PICK_EVEN_2RANGES(__index, __c_index, __a, __b, __c, __d)		\
	(BUILD_BUG_ON_ZERO(!__is_constexpr(__c_index)) +			\
	 ((__index) < (__c_index) ? _PICK_EVEN(__index, __a, __b) :		\
				   _PICK_EVEN((__index) - (__c_index), __c, __d)))
  
#define _MMIO(r) ((const i915_reg_t){ .reg = (r) })

// intel_mg_phy_regs.h
#define FIA1_BASE			0x163000
#define FIA2_BASE			0x16E000
#define FIA3_BASE			0x16F000
#define _FIA(fia)			_PICK_EVEN_2RANGES((fia), 1,		\
							   FIA1_BASE, FIA1_BASE,\
							   FIA2_BASE, FIA3_BASE)
#define _MMIO_FIA(fia, off)		_MMIO(_FIA(fia) + (off))

// i915_reg.h
#define PORT_TX_DFLEXDPSP(fia)			_MMIO_FIA((fia), 0x008A0)
#define   MODULAR_FIA_MASK			(1 << 4)
#define   TC_LIVE_STATE_TBT(idx)		(1 << ((idx) * 8 + 6))
#define   TC_LIVE_STATE_TC(idx)			(1 << ((idx) * 8 + 5))
#define   DP_LANE_ASSIGNMENT_SHIFT(idx)		((idx) * 8)
#define   DP_LANE_ASSIGNMENT_MASK(idx)		(0xf << ((idx) * 8))
#define   DP_LANE_ASSIGNMENT(idx, x)		((x) << ((idx) * 8))