advance KernelPM for Catalina

Signed-off-by: SergeySlice <sergey.slice@gmail.com>
This commit is contained in:
SergeySlice 2020-05-09 07:59:38 +03:00
parent 533136a0ad
commit 4ed54a19cd

View File

@ -658,6 +658,7 @@ const UINT8 CataSearchModel[] = {0x44, 0x89, 0xE0, 0xC0, 0xE8, 0x04};
const UINT8 CataSearchExt[] = {0x44, 0x89, 0xE0, 0xC1, 0xE8, 0x10};
const UINT8 CataReplaceMovEax[] = {0xB8, 0x00, 0x00, 0x00, 0x00, 0x90}; // mov eax, val || nop
BOOLEAN LOADER_ENTRY::PatchCPUID(UINT8* bytes, const UINT8* Location, INT32 LenLoc,
const UINT8* Search4, const UINT8* Search10, const UINT8* ReplaceModel,
const UINT8* ReplaceExt, INT32 Len)
@ -773,7 +774,7 @@ BOOLEAN LOADER_ENTRY::KernelPatchPm(VOID *kernelData)
INTN Num = SearchAndReplace(&Kernel[procLocation], 0x400, findJmp, sizeof(findJmp), patchJmp, 0);
DBG_RT("==> found %lld patterns\n", Num);
//2. procedure xcpm_init
// indirect call to _xcpm_core_scope_msrs
// indirect call to _xcpm_core_scope_msrs and to _xcpm_SMT_scope_msrs
// 488D3DDA317600 lea rdi, qword [ds:_xcpm_core_scope_msrs]
// BE0B000000 mov esi, 0xb => replace to eb0a
// 31D2 xor edx, edx
@ -787,18 +788,30 @@ BOOLEAN LOADER_ENTRY::KernelPatchPm(VOID *kernelData)
DBG_RT("=> xcpm_core_scope_msrs found at %llx\n", patchLocation1);
if (Kernel[patchLocation1 + 7] == 0xE8) {
DBG_RT("=> patch applied\n");
for (int i=0; i < 0x10; ++i) {
DBG_RT("%02x", Kernel[patchLocation1 + i]);
}
DBG_RT("\n");
// for (int i=0; i < 0x10; ++i) {
// DBG_RT("%02x", Kernel[patchLocation1 + i]);
// }
// DBG_RT("\n");
Kernel[patchLocation1] = 0xEB;
Kernel[patchLocation1 + 1] = 0x0A;
} else {
DBG_RT("=> pattern not good\n");
// for (int i=0; i < 0x10; ++i) {
// DBG_RT("%02x", Kernel[patchLocation1 + i]);
// }
// DBG_RT("\n");
}
}
UINTN symbol2 = searchProc(Kernel, "xcpm_SMT_scope_msrs");
patchLocation1 = FindRelative32(Kernel, procLocation, 0x200, symbol2);
if (patchLocation1 != 0) {
DBG_RT("=> xcpm_SMT_scope_msrs found at %llx\n", patchLocation1);
if (Kernel[patchLocation1 + 7] == 0xE8) {
DBG_RT("=> SMT patch applied\n");
Kernel[patchLocation1] = 0xEB;
Kernel[patchLocation1 + 1] = 0x0A;
} else {
DBG_RT("=> pattern not good\n");
for (int i=0; i < 0x10; ++i) {
DBG_RT("%02x", Kernel[patchLocation1 + i]);
}
DBG_RT("\n");
}
}
@ -1293,6 +1306,11 @@ BOOLEAN LOADER_ENTRY::BroadwellEPM(VOID *kernelData, BOOLEAN use_xcpm_idle)
KernelCPUIDPatch(kern);
DBG("Searching _xcpm_pkg_scope_msr ...\n");
// proc: _xcpm_init
// ffffff8000468825 488D3D54527F00 lea rdi, qword [ds:_xcpm_pkg_scope_msrs]
// ffffff800046882c BE07000000 mov esi, 0x7
// ffffff8000468831 31D2 xor edx, edx
// ffffff8000468833 E838FDFFFF call sub_ffffff8000468570
if (os_version >= AsciiOSVersionToUint64("10.12")) {
// 10.12+
patchLocation = 0; // clean out the value just in case
@ -1349,15 +1367,15 @@ BOOLEAN LOADER_ENTRY::HaswellLowEndXCPM(VOID *kernelData, BOOLEAN use_xcpm_idle)
return TRUE;
}
// _xcpm_idle
if (use_xcpm_idle) {
// _xcpm_idle //this is a part of KernelPM
/* if (use_xcpm_idle) {
DBG("HWPEnable - ON.\n");
comment = "_xcpm_idle";
const UINT8 find[] = { 0xB9, 0xE2, 0x00, 0x00, 0x00, 0x0F, 0x30 };
const UINT8 repl[] = { 0xB9, 0xE2, 0x00, 0x00, 0x00, 0x90, 0x90 };
applyKernPatch(kern, find, sizeof(find), repl, comment);
}
*/
comment = "_xcpm_bootstrap";
if (os_version <= AsciiOSVersionToUint64("10.12.5")) {
// 10.12 - 10.12.5