mirror of
https://github.com/CloverHackyColor/CloverBootloader.git
synced 2024-12-24 16:27:42 +01:00
1225 lines
49 KiB
C++
1225 lines
49 KiB
C++
#include "Platform.h"
|
|
#include "kext_inject.h"
|
|
#include "DataHubCpu.h"
|
|
|
|
#ifndef DEBUG_ALL
|
|
#define KEXT_INJECT_DEBUG 1
|
|
#else
|
|
#define KEXT_INJECT_DEBUG DEBUG_ALL
|
|
#endif
|
|
|
|
#if KEXT_INJECT_DEBUG == 2
|
|
#define DBG(...) printf(__VA_ARGS__);
|
|
#elif KEXT_INJECT_DEBUG == 1
|
|
#define DBG(...) DebugLog(KEXT_INJECT_DEBUG, __VA_ARGS__)
|
|
#else
|
|
#define DBG(...)
|
|
#endif
|
|
|
|
// runtime debug
|
|
//
|
|
#define OLD_EXTRA_KEXT_PATCH 0
|
|
|
|
////////////////////
|
|
// globals
|
|
////////////////////
|
|
LIST_ENTRY gKextList = INITIALIZE_LIST_HEAD_VARIABLE (gKextList);
|
|
|
|
|
|
////////////////////
|
|
// before booting
|
|
////////////////////
|
|
EFI_STATUS EFIAPI ThinFatFile(IN OUT UINT8 **binary, IN OUT UINTN *length, IN cpu_type_t archCpuType)
|
|
{
|
|
UINT32 nfat, swapped, size = 0;
|
|
FAT_HEADER *fhp = (FAT_HEADER *)*binary;
|
|
FAT_ARCH *fap = (FAT_ARCH *)(*binary + sizeof(FAT_HEADER));
|
|
cpu_type_t fapcputype;
|
|
UINT32 fapoffset;
|
|
UINT32 fapsize;
|
|
|
|
swapped = 0;
|
|
if (fhp->magic == FAT_MAGIC) {
|
|
nfat = fhp->nfat_arch;
|
|
} else if (fhp->magic == FAT_CIGAM) {
|
|
nfat = SwapBytes32(fhp->nfat_arch);
|
|
swapped = 1;
|
|
//already thin
|
|
} else if (fhp->magic == THIN_X64){
|
|
if (archCpuType == CPU_TYPE_X86_64) {
|
|
return EFI_SUCCESS;
|
|
}
|
|
return EFI_NOT_FOUND;
|
|
} else if (fhp->magic == THIN_IA32){
|
|
if (archCpuType == CPU_TYPE_I386) {
|
|
return EFI_SUCCESS;
|
|
}
|
|
return EFI_NOT_FOUND;
|
|
} else {
|
|
MsgLog("Thinning fails\n");
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
|
|
for (; nfat > 0; nfat--, fap++) {
|
|
if (swapped) {
|
|
fapcputype = SwapBytes32(fap->cputype);
|
|
fapoffset = SwapBytes32(fap->offset);
|
|
fapsize = SwapBytes32(fap->size);
|
|
} else {
|
|
fapcputype = fap->cputype;
|
|
fapoffset = fap->offset;
|
|
fapsize = fap->size;
|
|
}
|
|
if (fapcputype == archCpuType) {
|
|
*binary = (*binary + fapoffset);
|
|
size = fapsize;
|
|
break;
|
|
}
|
|
}
|
|
if (length != 0) *length = size;
|
|
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
void toLowerStr(CHAR8 *tstr, IN CONST CHAR8 *str) {
|
|
UINT16 cnt = 0;
|
|
|
|
for (cnt = 0; *str != '\0' && cnt <= 0xFF; cnt++, str++, tstr++) {
|
|
if (*str >= 'A' && *str <= 'Z')
|
|
*tstr = 'a' + (*str - 'A');
|
|
else
|
|
*tstr = *str;
|
|
}
|
|
*tstr = '\0';
|
|
}
|
|
|
|
BOOLEAN checkOSBundleRequired(UINT8 loaderType, TagPtr dict)
|
|
{
|
|
BOOLEAN inject = TRUE;
|
|
TagPtr osBundleRequiredTag;
|
|
XString8 osbundlerequired;
|
|
|
|
osBundleRequiredTag = GetProperty(dict,"OSBundleRequired");
|
|
if (osBundleRequiredTag) {
|
|
osbundlerequired = osBundleRequiredTag->string;
|
|
osbundlerequired.lowerAscii();
|
|
}
|
|
|
|
if (OSTYPE_IS_OSX_RECOVERY(loaderType) ||
|
|
OSTYPE_IS_OSX_INSTALLER(loaderType)) {
|
|
if ( osbundlerequired != "root"_XS8 &&
|
|
osbundlerequired != "local"_XS8 &&
|
|
osbundlerequired != "console"_XS8 &&
|
|
osbundlerequired != "network-root"_XS8 ) {
|
|
inject = FALSE;
|
|
}
|
|
}
|
|
|
|
return inject;
|
|
}
|
|
|
|
//extern VOID KernelAndKextPatcherInit(IN LOADER_ENTRY *Entry);
|
|
//extern VOID AnyKextPatch(UINT8 *Driver, UINT32 DriverSize, CHAR8 *InfoPlist, UINT32 InfoPlistSize, INT32 N, LOADER_ENTRY *Entry);
|
|
|
|
EFI_STATUS LOADER_ENTRY::LoadKext(IN EFI_FILE *RootDir, IN CONST CHAR16 *FileName, IN cpu_type_t archCpuType, IN OUT VOID *kext_v)
|
|
{
|
|
EFI_STATUS Status;
|
|
UINT8* infoDictBuffer = NULL;
|
|
UINTN infoDictBufferLength = 0;
|
|
UINT8* executableFatBuffer = NULL;
|
|
UINT8* executableBuffer = NULL;
|
|
UINTN executableBufferLength = 0;
|
|
CHAR8* bundlePathBuffer = NULL;
|
|
UINTN bundlePathBufferLength = 0;
|
|
XStringW TempName;
|
|
XStringW Executable;
|
|
TagPtr dict = NULL;
|
|
TagPtr prop = NULL;
|
|
BOOLEAN NoContents = FALSE;
|
|
BOOLEAN inject = FALSE;
|
|
_BooterKextFileInfo *infoAddr = NULL;
|
|
_DeviceTreeBuffer *kext = (_DeviceTreeBuffer *)kext_v;
|
|
|
|
TempName = SWPrintf("%ls\\%ls", FileName, L"Contents\\Info.plist");
|
|
// snwprintf(TempName, 512, L"%s\\%s", FileName, "Contents\\Info.plist");
|
|
Status = egLoadFile(RootDir, TempName.wc_str(), &infoDictBuffer, &infoDictBufferLength);
|
|
if (EFI_ERROR(Status)) {
|
|
//try to find a planar kext, without Contents
|
|
TempName = SWPrintf("%ls\\%ls", FileName, L"Info.plist");
|
|
// snwprintf(TempName, 512, L"%s\\%s", FileName, "Info.plist");
|
|
infoDictBufferLength = 0;
|
|
Status = egLoadFile(RootDir, TempName.wc_str(), &infoDictBuffer, &infoDictBufferLength);
|
|
if (EFI_ERROR(Status)) {
|
|
MsgLog("Failed to load extra kext : %ls status=%s\n", TempName.wc_str(), strerror(Status));
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
NoContents = TRUE;
|
|
}
|
|
if(ParseXML((CHAR8*)infoDictBuffer,&dict,(UINT32)infoDictBufferLength)!=0) {
|
|
FreePool(infoDictBuffer);
|
|
MsgLog("Failed to load extra kext (failed to parse Info.plist): %ls\n", FileName);
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
|
|
inject = checkOSBundleRequired(LoaderType, dict);
|
|
if(!inject) {
|
|
MsgLog("Skipping kext injection by OSBundleRequired : %ls\n", FileName);
|
|
return EFI_UNSUPPORTED;
|
|
}
|
|
|
|
prop = GetProperty(dict,"CFBundleExecutable");
|
|
if(prop!=0) {
|
|
Executable.takeValueFrom(prop->string);
|
|
// AsciiStrToUnicodeStrS(prop->string, Executable, 256);
|
|
if (NoContents) {
|
|
TempName = SWPrintf("%ls\\%ls", FileName, Executable.wc_str());
|
|
// snwprintf(TempName, 512, "%s\\%s", FileName, Executable);
|
|
} else {
|
|
TempName = SWPrintf("%ls\\%ls\\%ls", FileName, L"Contents\\MacOS", Executable.wc_str());
|
|
// snwprintf(TempName, 512, L"%s\\%s\\%s", FileName, "Contents\\MacOS",Executable);
|
|
}
|
|
Status = egLoadFile(RootDir, TempName.wc_str(), &executableFatBuffer, &executableBufferLength);
|
|
if (EFI_ERROR(Status)) {
|
|
FreePool(infoDictBuffer);
|
|
MsgLog("Failed to load extra kext (executable not found): %ls\n", FileName);
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
executableBuffer = executableFatBuffer;
|
|
if (ThinFatFile(&executableBuffer, &executableBufferLength, archCpuType)) {
|
|
FreePool(infoDictBuffer);
|
|
FreePool(executableBuffer);
|
|
MsgLog("Thinning failed: %ls\n", FileName);
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
}
|
|
bundlePathBufferLength = StrLen(FileName) + 1;
|
|
bundlePathBuffer = (__typeof__(bundlePathBuffer))AllocateZeroPool(bundlePathBufferLength);
|
|
UnicodeStrToAsciiStrS(FileName, bundlePathBuffer, bundlePathBufferLength);
|
|
|
|
kext->length = (UINT32)(sizeof(_BooterKextFileInfo) + infoDictBufferLength + executableBufferLength + bundlePathBufferLength);
|
|
infoAddr = (_BooterKextFileInfo *)AllocatePool(kext->length);
|
|
infoAddr->infoDictPhysAddr = sizeof(_BooterKextFileInfo);
|
|
infoAddr->infoDictLength = (UINT32)infoDictBufferLength;
|
|
infoAddr->executablePhysAddr = (UINT32)(sizeof(_BooterKextFileInfo) + infoDictBufferLength);
|
|
infoAddr->executableLength = (UINT32)executableBufferLength;
|
|
infoAddr->bundlePathPhysAddr = (UINT32)(sizeof(_BooterKextFileInfo) + infoDictBufferLength + executableBufferLength);
|
|
infoAddr->bundlePathLength = (UINT32)bundlePathBufferLength;
|
|
kext->paddr = (UINT32)(UINTN)infoAddr; // Note that we cannot free infoAddr because of this
|
|
CopyMem((CHAR8 *)infoAddr + sizeof(_BooterKextFileInfo), infoDictBuffer, infoDictBufferLength);
|
|
CopyMem((CHAR8 *)infoAddr + sizeof(_BooterKextFileInfo) + infoDictBufferLength, executableBuffer, executableBufferLength);
|
|
CopyMem((CHAR8 *)infoAddr + sizeof(_BooterKextFileInfo) + infoDictBufferLength + executableBufferLength, bundlePathBuffer, bundlePathBufferLength);
|
|
FreePool(infoDictBuffer);
|
|
FreePool(executableFatBuffer);
|
|
FreePool(bundlePathBuffer);
|
|
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
EFI_STATUS LOADER_ENTRY::AddKext(IN EFI_FILE *RootDir, IN CONST CHAR16 *FileName, IN cpu_type_t archCpuType)
|
|
{
|
|
EFI_STATUS Status;
|
|
KEXT_ENTRY *KextEntry;
|
|
|
|
KextEntry = (__typeof__(KextEntry))AllocatePool (sizeof(KEXT_ENTRY));
|
|
KextEntry->Signature = KEXT_SIGNATURE;
|
|
Status = LoadKext(RootDir, FileName, archCpuType, &KextEntry->kext);
|
|
if(EFI_ERROR(Status)) {
|
|
FreePool(KextEntry);
|
|
} else {
|
|
InsertTailList (&gKextList, &KextEntry->Link);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
UINT32 GetListCount(LIST_ENTRY const* List)
|
|
{
|
|
LIST_ENTRY *Link;
|
|
UINT32 Count=0;
|
|
|
|
if(!IsListEmpty(List)) {
|
|
for (Link = List->ForwardLink; Link != List; Link = Link->ForwardLink)
|
|
Count++;
|
|
}
|
|
|
|
return Count;
|
|
}
|
|
|
|
UINT32 GetKextCount()
|
|
{
|
|
return (UINT32)GetListCount(&gKextList);
|
|
}
|
|
|
|
UINT32 GetKextsSize()
|
|
{
|
|
LIST_ENTRY *Link;
|
|
KEXT_ENTRY *KextEntry;
|
|
UINT32 kextsSize=0;
|
|
|
|
if(!IsListEmpty(&gKextList)) {
|
|
for (Link = gKextList.ForwardLink; Link != &gKextList; Link = Link->ForwardLink) {
|
|
KextEntry = CR(Link, KEXT_ENTRY, Link, KEXT_SIGNATURE);
|
|
kextsSize += RoundPage(KextEntry->kext.length);
|
|
}
|
|
}
|
|
return kextsSize;
|
|
}
|
|
|
|
VOID LOADER_ENTRY::LoadPlugInKexts(IN EFI_FILE *RootDir, IN CONST CHAR16 *DirName, IN cpu_type_t archCpuType, IN BOOLEAN Force)
|
|
{
|
|
REFIT_DIR_ITER PlugInIter;
|
|
EFI_FILE_INFO *PlugInFile;
|
|
XStringW FileName;
|
|
if ((RootDir == NULL) || (DirName == NULL)) {
|
|
return;
|
|
}
|
|
DirIterOpen(RootDir, DirName, &PlugInIter);
|
|
while (DirIterNext(&PlugInIter, 1, L"*.kext", &PlugInFile)) {
|
|
if (PlugInFile->FileName[0] == '.' || StrStr(PlugInFile->FileName, L".kext") == NULL)
|
|
continue; // skip this
|
|
FileName = SWPrintf("%ls\\%ls", DirName, PlugInFile->FileName);
|
|
// snwprintf(FileName, 512, "%s\\%s", DirName, PlugInFile->FileName);
|
|
MsgLog(" %ls PlugIn kext: %ls\n", Force ? L"Force" : L"Extra", FileName.wc_str());
|
|
AddKext( RootDir, FileName.wc_str(), archCpuType);
|
|
}
|
|
DirIterClose(&PlugInIter);
|
|
}
|
|
|
|
VOID LOADER_ENTRY::AddKexts(const XStringW& SrcDir, const XStringW& Path, cpu_type_t archCpuType)
|
|
{
|
|
XStringW FileName;
|
|
XStringW PlugInName;
|
|
SIDELOAD_KEXT *CurrentKext;
|
|
SIDELOAD_KEXT *CurrentPlugInKext;
|
|
EFI_STATUS Status;
|
|
|
|
MsgLog("Preparing kexts injection from %ls\n", SrcDir.wc_str());
|
|
CurrentKext = InjectKextList;
|
|
while (CurrentKext) {
|
|
// DBG(" current kext name=%ls path=%ls, match against=%ls\n", CurrentKext->FileName, CurrentKext->KextDirNameUnderOEMPath, Path);
|
|
if ( CurrentKext->KextDirNameUnderOEMPath == Path ) {
|
|
FileName = SWPrintf("%ls\\%ls", SrcDir.wc_str(), CurrentKext->FileName.wc_str());
|
|
// snwprintf(FileName, 512, "%s\\%s", SrcDir, CurrentKext->FileName);
|
|
if (!(CurrentKext->MenuItem.BValue)) {
|
|
// inject require
|
|
MsgLog("->Extra kext: %ls (v.%ls)\n", FileName.wc_str(), CurrentKext->Version.wc_str());
|
|
Status = AddKext(SelfVolume->RootDir, FileName.wc_str(), archCpuType);
|
|
if(!EFI_ERROR(Status)) {
|
|
// decide which plugins to inject
|
|
CurrentPlugInKext = CurrentKext->PlugInList;
|
|
while (CurrentPlugInKext) {
|
|
PlugInName = SWPrintf("%ls\\%ls\\%ls", FileName.wc_str(), L"Contents\\PlugIns", CurrentPlugInKext->FileName.wc_str());
|
|
// snwprintf(PlugInName, 512, L"%s\\%s\\%s", FileName, "Contents\\PlugIns", CurrentPlugInKext->FileName);
|
|
if (!(CurrentPlugInKext->MenuItem.BValue)) {
|
|
// inject PlugIn require
|
|
MsgLog(" |-- PlugIn kext: %ls (v.%ls)\n", PlugInName.wc_str(), CurrentPlugInKext->Version.wc_str());
|
|
AddKext(SelfVolume->RootDir, PlugInName.wc_str(), archCpuType);
|
|
} else {
|
|
MsgLog(" |-- Disabled plug-in kext: %ls (v.%ls)\n", PlugInName.wc_str(), CurrentPlugInKext->Version.wc_str());
|
|
}
|
|
CurrentPlugInKext = CurrentPlugInKext->Next;
|
|
} // end of plug-in kext injection
|
|
}
|
|
} else {
|
|
// disable current kext injection
|
|
if ( SrcDir.containsIC(L"Off") ) {
|
|
MsgLog("Disabled kext: %ls (v.%ls)\n", FileName.wc_str(), CurrentKext->Version.wc_str());
|
|
}
|
|
}
|
|
}
|
|
CurrentKext = CurrentKext->Next;
|
|
} // end of kext injection
|
|
|
|
}
|
|
|
|
EFI_STATUS LOADER_ENTRY::LoadKexts()
|
|
{
|
|
XStringW SrcDir;
|
|
REFIT_DIR_ITER PlugInIter;
|
|
EFI_FILE_INFO *PlugInFile;
|
|
XStringW FileName;
|
|
XStringW PlugIns;
|
|
// CONST CHAR16 *Arch = NULL;
|
|
// CONST CHAR16 *Ptr = NULL;
|
|
#if defined(MDE_CPU_X64)
|
|
cpu_type_t archCpuType=CPU_TYPE_X86_64;
|
|
#else
|
|
cpu_type_t archCpuType=CPU_TYPE_I386;
|
|
#endif
|
|
UINTN mm_extra_size;
|
|
VOID *mm_extra;
|
|
UINTN extra_size;
|
|
VOID *extra;
|
|
|
|
|
|
// Make Arch point to the last appearance of "arch=" in LoadOptions (which is what boot.efi will use).
|
|
// if (LoadOptions.notEmpty()) {
|
|
// for (Ptr = StrStr(LoadOptions, L"arch="); Ptr != NULL; Arch = Ptr + StrLen(L"arch="), Ptr = StrStr(Arch, L"arch="));
|
|
// }
|
|
|
|
// if (Arch != NULL && StrnCmp(Arch,L"x86_64",StrLen(L"x86_64")) == 0) {
|
|
if (LoadOptions.contains("arch=x86_64")) {
|
|
archCpuType = CPU_TYPE_X86_64;
|
|
// } else if (Arch != NULL && StrnCmp(Arch,L"i386",StrLen(L"i386")) == 0) {
|
|
} else if (LoadOptions.contains("arch=i386")) {
|
|
archCpuType = CPU_TYPE_I386;
|
|
} else if (OSVersion.notEmpty()) {
|
|
UINT64 os_version = AsciiOSVersionToUint64(OSVersion);
|
|
if (os_version >= AsciiOSVersionToUint64("10.8"_XS8)) {
|
|
archCpuType = CPU_TYPE_X86_64; // For OSVersion >= 10.8, only x86_64 exists
|
|
} else if (os_version < AsciiOSVersionToUint64("10.7"_XS8)) {
|
|
archCpuType = CPU_TYPE_I386; // For OSVersion < 10.7, use default of i386
|
|
}
|
|
}
|
|
|
|
// Force kexts to load
|
|
if ( KernelAndKextPatches.ForceKexts.notEmpty() ) {
|
|
for (size_t i = 0; i < KernelAndKextPatches.ForceKexts.size(); ++i) {
|
|
MsgLog(" Force kext: %ls\n", KernelAndKextPatches.ForceKexts[i].wc_str());
|
|
if (Volume && Volume->RootDir) {
|
|
// Check if the entry is a directory
|
|
if (StrStr(KernelAndKextPatches.ForceKexts[i].wc_str(), L".kext") == NULL) {
|
|
DirIterOpen(Volume->RootDir, KernelAndKextPatches.ForceKexts[i].wc_str(), &PlugInIter);
|
|
while (DirIterNext(&PlugInIter, 1, L"*.kext", &PlugInFile)) {
|
|
if (PlugInFile->FileName[0] == '.' || StrStr(PlugInFile->FileName, L".kext") == NULL)
|
|
continue; // skip this
|
|
FileName = SWPrintf("%ls\\%ls", KernelAndKextPatches.ForceKexts[i].wc_str(), PlugInFile->FileName);
|
|
// snwprintf(FileName, 512, "%s\\%s", KernelAndKextPatches.ForceKexts[i], PlugInFile->FileName);
|
|
MsgLog(" Force kext: %ls\n", FileName.wc_str());
|
|
AddKext( Volume->RootDir, FileName.wc_str(), archCpuType);
|
|
PlugIns = SWPrintf("%ls\\Contents\\PlugIns", FileName.wc_str());
|
|
// snwprintf(PlugIns, 512, "%s\\Contents\\PlugIns", FileName);
|
|
LoadPlugInKexts(Volume->RootDir, PlugIns.wc_str(), archCpuType, TRUE);
|
|
}
|
|
DirIterClose(&PlugInIter);
|
|
} else {
|
|
AddKext( Volume->RootDir, KernelAndKextPatches.ForceKexts[i].wc_str(), archCpuType);
|
|
PlugIns = SWPrintf("%ls\\Contents\\PlugIns", KernelAndKextPatches.ForceKexts[i].wc_str());
|
|
// snwprintf(PlugIns, 512, "%s\\Contents\\PlugIns", KernelAndKextPatches.ForceKexts[i]);
|
|
LoadPlugInKexts(Volume->RootDir, PlugIns.wc_str(), archCpuType, TRUE);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
XStringW UniOSVersion;
|
|
UniOSVersion = OSVersion;
|
|
DBG("UniOSVersion == %ls\n", UniOSVersion.wc_str());
|
|
|
|
XStringW UniShortOSVersion;
|
|
// XString8 ShortOSVersion;
|
|
if (AsciiOSVersionToUint64(OSVersion) < AsciiOSVersionToUint64("10.10"_XS8)) {
|
|
// OSVersion that are earlier than 10.10(form: 10.x.y)
|
|
// ShortOSVersion.strncpy(OSVersion.c_str(), 4);
|
|
UniShortOSVersion.strncpy(OSVersion.c_str(), 4);
|
|
} else {
|
|
// ShortOSVersion.strncpy(OSVersion.c_str(), 5);
|
|
UniShortOSVersion.strncpy(OSVersion.c_str(), 5);
|
|
}
|
|
// DBG("ShortOSVersion == %s\n", ShortOSVersion.c_str());
|
|
DBG("UniShortOSVersion == %ls\n", UniShortOSVersion.wc_str());
|
|
|
|
// syscl - allow specific load inject kext
|
|
// Clover/Kexts/Other is for general injection thus we need to scan both Other and OSVersion folder
|
|
SrcDir = GetOtherKextsDir(TRUE);
|
|
if ( SrcDir.notEmpty() ) {
|
|
AddKexts(SrcDir, L"Other"_XSW, archCpuType);
|
|
} else {
|
|
DBG("GetOtherKextsDir(TRUE) return NULL\n");
|
|
}
|
|
// slice: CLOVER/kexts/Off keep disabled kext which can be allowed
|
|
SrcDir = GetOtherKextsDir(FALSE);
|
|
if ( SrcDir.notEmpty() ) {
|
|
AddKexts(SrcDir, L"Off"_XSW, archCpuType);
|
|
} else {
|
|
DBG("GetOtherKextsDir(FALSE) return NULL\n");
|
|
}
|
|
|
|
// Add kext from 10
|
|
{
|
|
XStringW OSAllVersionKextsDir;
|
|
XStringW OSShortVersionKextsDir;
|
|
XStringW OSVersionKextsDirName;
|
|
XStringW DirName;
|
|
XStringW DirPath;
|
|
OSAllVersionKextsDir = SWPrintf("%ls\\kexts\\10", OEMPath.wc_str());
|
|
// snwprintf(OSAllVersionKextsDir, sizeof(OSAllVersionKextsDir), "%s\\kexts\\10", OEMPath);
|
|
AddKexts(OSAllVersionKextsDir, L"10"_XSW, archCpuType);
|
|
|
|
if (OSTYPE_IS_OSX_INSTALLER(LoaderType)) {
|
|
DirName = SWPrintf("10_install");
|
|
// snwprintf(DirName, sizeof(DirName), "10_install");
|
|
} else if (OSTYPE_IS_OSX_RECOVERY(LoaderType)) {
|
|
DirName = SWPrintf("10_recovery");
|
|
// snwprintf(DirName, sizeof(DirName), "10_recovery");
|
|
} else {
|
|
DirName = SWPrintf("10_normal");
|
|
// snwprintf(DirName, sizeof(DirName), "10_normal");
|
|
}
|
|
DirPath = SWPrintf("%ls\\kexts\\%ls", OEMPath.wc_str(), DirName.wc_str());
|
|
// snwprintf(DirPath, sizeof(DirPath), "%s\\kexts\\%s", OEMPath, DirName);
|
|
AddKexts(DirPath, DirName, archCpuType);
|
|
|
|
|
|
// Add kext from 10.{version}
|
|
|
|
OSShortVersionKextsDir = SWPrintf("%ls\\kexts\\%ls", OEMPath.wc_str(), UniShortOSVersion.wc_str());
|
|
// snwprintf(OSShortVersionKextsDir, sizeof(OSShortVersionKextsDir), "%s\\kexts\\%s", OEMPath, UniShortOSVersion);
|
|
AddKexts( OSShortVersionKextsDir, UniShortOSVersion, archCpuType);
|
|
|
|
if (OSTYPE_IS_OSX_INSTALLER(LoaderType)) {
|
|
DirName = SWPrintf("%ls_install", UniShortOSVersion.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_install", UniShortOSVersion);
|
|
} else if (OSTYPE_IS_OSX_RECOVERY(LoaderType)) {
|
|
DirName = SWPrintf("%ls_recovery", UniShortOSVersion.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_recovery", UniShortOSVersion);
|
|
} else {
|
|
DirName = SWPrintf("%ls_normal", UniShortOSVersion.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_normal", UniShortOSVersion);
|
|
}
|
|
DirPath = SWPrintf("%ls\\kexts\\%ls", OEMPath.wc_str(), DirName.wc_str());
|
|
// snwprintf(DirPath, sizeof(DirPath), "%s\\kexts\\%s", OEMPath, DirName);
|
|
AddKexts(DirPath, DirName, archCpuType);
|
|
|
|
|
|
// Add kext from :
|
|
// 10.{version}.0 if NO minor version
|
|
// 10.{version}.{minor version} if minor version is > 0
|
|
|
|
if ( UniShortOSVersion == OSVersion ) {
|
|
OSVersionKextsDirName = SWPrintf("%s.0", OSVersion.c_str());
|
|
// snwprintf(OSVersionKextsDirName, sizeof(OSVersionKextsDirName), "%a.0", OSVersion);
|
|
} else {
|
|
OSVersionKextsDirName = SWPrintf("%s", OSVersion.c_str());
|
|
// snwprintf(OSVersionKextsDirName, sizeof(OSVersionKextsDirName), "%a", OSVersion);
|
|
}
|
|
|
|
DirPath = SWPrintf("%ls\\kexts\\%ls", OEMPath.wc_str(), OSVersionKextsDirName.wc_str());
|
|
// snwprintf(DirPath, sizeof(DirPath), "%s\\kexts\\%s", OEMPath, OSVersionKextsDirName);
|
|
AddKexts(DirPath, OSVersionKextsDirName, archCpuType);
|
|
|
|
if ( OSTYPE_IS_OSX_INSTALLER(LoaderType)) {
|
|
DirName = SWPrintf("%ls_install", OSVersionKextsDirName.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_install", OSVersionKextsDirName);
|
|
} else if (OSTYPE_IS_OSX_RECOVERY(LoaderType)) {
|
|
DirName = SWPrintf("%ls_recovery", OSVersionKextsDirName.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_recovery", OSVersionKextsDirName);
|
|
} else {
|
|
DirName = SWPrintf("%ls_normal", OSVersionKextsDirName.wc_str());
|
|
// snwprintf(DirName, sizeof(DirName), "%s_normal", OSVersionKextsDirName);
|
|
}
|
|
DirPath = SWPrintf("%ls\\kexts\\%ls", OEMPath.wc_str(), DirName.wc_str());
|
|
// snwprintf(DirPath, sizeof(DirPath), "%s\\kexts\\%s", OEMPath, DirName);
|
|
AddKexts(DirPath, DirName, archCpuType);
|
|
}
|
|
|
|
|
|
// reserve space in the device tree
|
|
if (GetKextCount() > 0) {
|
|
mm_extra_size = GetKextCount() * (sizeof(DeviceTreeNodeProperty) + sizeof(_DeviceTreeBuffer));
|
|
mm_extra = (__typeof__(mm_extra))AllocateZeroPool(mm_extra_size - sizeof(DeviceTreeNodeProperty));
|
|
/*Status = */LogDataHub(&gEfiMiscSubClassGuid, L"mm_extra", mm_extra, (UINT32)(mm_extra_size - sizeof(DeviceTreeNodeProperty)));
|
|
extra_size = GetKextsSize();
|
|
extra = (__typeof__(extra))AllocateZeroPool(extra_size - sizeof(DeviceTreeNodeProperty) + EFI_PAGE_SIZE);
|
|
/*Status = */LogDataHub(&gEfiMiscSubClassGuid, L"extra", extra, (UINT32)(extra_size - sizeof(DeviceTreeNodeProperty) + EFI_PAGE_SIZE));
|
|
// MsgLog("count: %d \n", GetKextCount());
|
|
// MsgLog("mm_extra_size: %d \n", mm_extra_size);
|
|
// MsgLog("extra_size: %d \n", extra_size);
|
|
// MsgLog("offset: %d \n", extra_size - sizeof(DeviceTreeNodeProperty) + EFI_PAGE_SIZE);
|
|
//no more needed
|
|
FreePool(mm_extra);
|
|
FreePool(extra);
|
|
}
|
|
|
|
// SIDELOAD_KEXT *CurrentKext = NULL;
|
|
// SIDELOAD_KEXT *CurrentPlugInKext = NULL;
|
|
// SIDELOAD_KEXT *Next = NULL;
|
|
// //No more InjectKextList needed. Will free the list
|
|
// while (InjectKextList) {
|
|
// CurrentKext = InjectKextList->Next;
|
|
// CurrentPlugInKext = InjectKextList->PlugInList;
|
|
// while (CurrentPlugInKext) {
|
|
// Next = CurrentPlugInKext->Next;
|
|
// FreePool(CurrentPlugInKext->FileName);
|
|
// FreePool(CurrentPlugInKext->KextDirNameUnderOEMPath);
|
|
// FreePool(CurrentPlugInKext->Version);
|
|
// FreePool(CurrentPlugInKext);
|
|
// CurrentPlugInKext = Next;
|
|
// }
|
|
// FreePool(InjectKextList->FileName);
|
|
// FreePool(InjectKextList->KextDirNameUnderOEMPath);
|
|
// FreePool(InjectKextList->Version);
|
|
// FreePool(InjectKextList);
|
|
// InjectKextList = CurrentKext;
|
|
// }
|
|
delete InjectKextList;
|
|
InjectKextList = NULL;
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
* Adler32 from Chameleon, not used
|
|
*/
|
|
#define BASE 65521L /* largest prime smaller than 65536 */
|
|
#define NMAX 5000
|
|
// NMAX (was 5521) the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1
|
|
|
|
#define DO1(buf,i) {s1 += buf[i]; s2 += s1;}
|
|
#define DO2(buf,i) DO1(buf,i); DO1(buf,i+1);
|
|
#define DO4(buf,i) DO2(buf,i); DO2(buf,i+2);
|
|
#define DO8(buf,i) DO4(buf,i); DO4(buf,i+4);
|
|
#define DO16(buf) DO8(buf,0); DO8(buf,8);
|
|
#if 0
|
|
static UINT32 Adler32(unsigned char *buf, long len)
|
|
{
|
|
unsigned long s1 = 1; // adler & 0xffff;
|
|
unsigned long s2 = 0; // (adler >> 16) & 0xffff;
|
|
unsigned long result;
|
|
long k;
|
|
|
|
while (len > 0) {
|
|
k = len < NMAX ? len : NMAX;
|
|
len -= k;
|
|
while (k >= 16) {
|
|
DO16(buf);
|
|
buf += 16;
|
|
k -= 16;
|
|
}
|
|
if (k != 0) do {
|
|
s1 += *buf++;
|
|
s2 += s1;
|
|
} while (--k);
|
|
s1 %= BASE;
|
|
s2 %= BASE;
|
|
}
|
|
result = (s2 << 16) | s1;
|
|
// result is in big endian
|
|
return (UINT32)result;
|
|
}
|
|
|
|
typedef struct {
|
|
UINT32 Magic;
|
|
UINT32 Signature;
|
|
UINT32 Length;
|
|
UINT32 Adler32;
|
|
UINT32 Version;
|
|
UINT32 NumKexts;
|
|
UINT32 CpuType;
|
|
UINT32 CpuSubtype;
|
|
} MKextHeader;
|
|
|
|
typedef struct {
|
|
UINT32 PlistOffset;
|
|
UINT32 PlistCompressedSize;
|
|
UINT32 PlistFullSize;
|
|
UINT32 PlistModifiedSeconds;
|
|
UINT32 BinaryOffset;
|
|
UINT32 BinaryCompressedSize;
|
|
UINT32 BinaryFullSize;
|
|
UINT32 BinaryModifiedSeconds;
|
|
} MKextFile;
|
|
|
|
#define MKEXT_MAGIC 0x54584b4d
|
|
#define MKEXT_SIGNATURE 0x58534f4d
|
|
#define MKEXT_VERSION_1 0x00800001
|
|
|
|
int LOADER_ENTRY::is_mkext_v1(UINT8* drvPtr)
|
|
{
|
|
_DeviceTreeBuffer *dtb = (_DeviceTreeBuffer*) (((UINT8*)drvPtr) + sizeof(DeviceTreeNodeProperty));
|
|
MKextHeader* mkext_ptr = (MKextHeader*)(UINTN)(dtb->paddr);
|
|
|
|
if (mkext_ptr->Magic == MKEXT_MAGIC
|
|
&& mkext_ptr->Signature == MKEXT_SIGNATURE
|
|
&& mkext_ptr->Version == MKEXT_VERSION_1) {
|
|
DBG_RT("MKext_v1 found at paddr=0x%08x, length=0x%08x\n", dtb->paddr, dtb->length);
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void LOADER_ENTRY::patch_mkext_v1(UINT8 *drvPtr)
|
|
{
|
|
_DeviceTreeBuffer *dtb = (_DeviceTreeBuffer*) (((UINT8*)drvPtr) + sizeof(DeviceTreeNodeProperty));
|
|
MKextHeader* mkext_ptr = (MKextHeader*)(UINTN)dtb->paddr;
|
|
|
|
UINT32 mkext_len = SwapBytes32(mkext_ptr->Length);
|
|
UINT32 mkext_numKexts = SwapBytes32(mkext_ptr->NumKexts);
|
|
|
|
LIST_ENTRY *Link;
|
|
KEXT_ENTRY *KextEntry;
|
|
if(!IsListEmpty(&gKextList)) {
|
|
for (Link = gKextList.ForwardLink; Link != &gKextList; Link = Link->ForwardLink) {
|
|
KextEntry = CR(Link, KEXT_ENTRY, Link, KEXT_SIGNATURE);
|
|
MKextFile *mkext_insert = (MKextFile*)((UINT8*)mkext_ptr + sizeof(MKextHeader) + mkext_numKexts * sizeof(MKextFile));
|
|
|
|
// free some space
|
|
CopyMem((UINT8*)mkext_insert + sizeof(MKextFile),
|
|
(UINT8*)mkext_insert,
|
|
mkext_len - (sizeof(MKextHeader) + mkext_numKexts * sizeof(MKextFile)));
|
|
mkext_len += sizeof(MKextFile);
|
|
|
|
// update the offsets to reflect 0x20 bytes moved above
|
|
for (UINT32 i = 0; i < mkext_numKexts; i++) {
|
|
MKextFile *kext_base = (MKextFile*)((UINT8*)mkext_ptr + sizeof(MKextHeader) + i * sizeof(MKextFile));
|
|
UINT32 plist_offset = SwapBytes32(kext_base->PlistOffset) + sizeof(MKextFile);
|
|
UINT32 binary_offset = SwapBytes32(kext_base->BinaryOffset) + sizeof(MKextFile);
|
|
kext_base->PlistOffset = SwapBytes32(plist_offset);
|
|
kext_base->BinaryOffset = SwapBytes32(binary_offset);
|
|
}
|
|
|
|
// copy kext data (plist+binary)
|
|
CopyMem((UINT8*)mkext_ptr + mkext_len,
|
|
(UINT8*)(KextEntry->kext.paddr + sizeof(_BooterKextFileInfo)),
|
|
(UINT32)((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->infoDictLength
|
|
+ (UINT32)((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->executableLength);
|
|
|
|
// insert kext offsets
|
|
mkext_insert->PlistOffset = SwapBytes32(mkext_len);
|
|
mkext_len += ((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->infoDictLength;
|
|
mkext_insert->PlistCompressedSize = 0;
|
|
mkext_insert->PlistFullSize = SwapBytes32((UINT32)((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->infoDictLength);
|
|
mkext_insert->PlistModifiedSeconds = 0;
|
|
mkext_insert->BinaryOffset = SwapBytes32(mkext_len);
|
|
mkext_len += ((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->executableLength;
|
|
mkext_insert->BinaryCompressedSize = 0;
|
|
mkext_insert->BinaryFullSize = SwapBytes32((UINT32)((_BooterKextFileInfo*)(UINTN)(KextEntry->kext.paddr))->executableLength);
|
|
mkext_insert->BinaryModifiedSeconds = 0;
|
|
mkext_numKexts ++;
|
|
|
|
// update the header
|
|
mkext_ptr->Length = SwapBytes32(mkext_len);
|
|
mkext_ptr->NumKexts = SwapBytes32(mkext_numKexts);
|
|
|
|
// update the checksum
|
|
mkext_ptr->Adler32 = SwapBytes32(Adler32((UINT8*)mkext_ptr + 0x10, mkext_len - 0x10));
|
|
|
|
// update the memory-map reference
|
|
dtb->length = mkext_len;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
////////////////////
|
|
// OnExitBootServices
|
|
////////////////////
|
|
EFI_STATUS LOADER_ENTRY::InjectKexts(IN UINT32 deviceTreeP, IN UINT32* deviceTreeLength)
|
|
{
|
|
UINT8 *dtEntry = (UINT8*)(UINTN) deviceTreeP;
|
|
UINTN dtLen = (UINTN) *deviceTreeLength;
|
|
|
|
DTEntry platformEntry;
|
|
DTEntry memmapEntry;
|
|
CHAR8 *ptr;
|
|
OpaqueDTPropertyIterator OPropIter;
|
|
DTPropertyIterator iter = &OPropIter;
|
|
DeviceTreeNodeProperty *prop = NULL;
|
|
|
|
UINT8 *infoPtr = 0;
|
|
UINT8 *extraPtr = 0;
|
|
UINT8 *drvPtr = 0;
|
|
UINTN offset = 0;
|
|
|
|
LIST_ENTRY *Link;
|
|
KEXT_ENTRY *KextEntry;
|
|
UINTN KextBase = 0;
|
|
_DeviceTreeBuffer *mm;
|
|
_BooterKextFileInfo *drvinfo;
|
|
|
|
UINT32 KextCount;
|
|
UINTN Index;
|
|
|
|
|
|
DBG_RT("\nInjectKexts: ");
|
|
DBG("\nInjectKexts: ");
|
|
KextCount = GetKextCount();
|
|
if (KextCount == 0) {
|
|
DBG_RT("no kexts to inject.\nPausing 5 secs ...\n");
|
|
if (KernelAndKextPatches.KPDebug) {
|
|
gBS->Stall(5000000);
|
|
}
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
DBG_RT("%d kexts ...\n", KextCount);
|
|
|
|
// kextsBase = Desc->PhysicalStart + (((UINTN) Desc->NumberOfPages) * EFI_PAGE_SIZE);
|
|
// kextsPages = EFI_SIZE_TO_PAGES(kext.length);
|
|
// Status = gBS->AllocatePages(AllocateAddress, EfiLoaderData, kextsPages, &kextsBase);
|
|
// if (EFI_ERROR(Status)) { MsgLog("Kext inject: could not allocate memory\n"); return Status; }
|
|
// Desc->NumberOfPages += kextsPages;
|
|
// CopyMem((VOID*)kextsBase, (VOID*)(UINTN)kext.paddr, kext.length);
|
|
// drvinfo = (_BooterKextFileInfo*) kextsBase;
|
|
// drvinfo->infoDictPhysAddr += (UINT32)kextsBase;
|
|
// drvinfo->executablePhysAddr += (UINT32)kextsBase;
|
|
// drvinfo->bundlePathPhysAddr += (UINT32)kextsBase;
|
|
|
|
DTInit(dtEntry, deviceTreeLength);
|
|
if(!EFI_ERROR(DTLookupEntry(NULL,"/chosen/memory-map", &memmapEntry))) {
|
|
if(!EFI_ERROR(DTCreatePropertyIterator(memmapEntry, iter))) {
|
|
while(!EFI_ERROR(DTIterateProperties(iter, &ptr))) {
|
|
prop = iter->CurrentProperty;
|
|
drvPtr = (UINT8*) prop;
|
|
if(strncmp(prop->Name, "Driver-", 7)==0 || strncmp(prop->Name, "DriversPackage-", 15)==0) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if(!EFI_ERROR(DTLookupEntry(NULL, "/efi/platform", &platformEntry))) {
|
|
if(!EFI_ERROR(DTCreatePropertyIterator(platformEntry, iter))) {
|
|
while(!EFI_ERROR(DTIterateProperties(iter, &ptr))) {
|
|
prop = iter->CurrentProperty;
|
|
if(strncmp(prop->Name, "mm_extra", 8)==0) {
|
|
infoPtr = (UINT8*)prop;
|
|
}
|
|
if(strncmp(prop->Name, "extra", 5)==0) {
|
|
extraPtr = (UINT8*)prop;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (drvPtr == 0 || infoPtr == 0 || extraPtr == 0 || drvPtr > infoPtr || drvPtr > extraPtr || infoPtr > extraPtr) {
|
|
printf("\nInvalid device tree for kext injection\n");
|
|
gBS->Stall(5000000);
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
// make space for memory map entries
|
|
platformEntry->NumProperties -= 2;
|
|
offset = sizeof(DeviceTreeNodeProperty) + ((DeviceTreeNodeProperty*) infoPtr)->Length;
|
|
CopyMem(drvPtr+offset, drvPtr, infoPtr-drvPtr);
|
|
|
|
// make space behind device tree
|
|
// platformEntry->nProperties--;
|
|
offset = sizeof(DeviceTreeNodeProperty)+((DeviceTreeNodeProperty*) extraPtr)->Length;
|
|
CopyMem(extraPtr, extraPtr+offset, dtLen-(UINTN)(extraPtr-dtEntry)-offset);
|
|
*deviceTreeLength -= (UINT32)offset;
|
|
|
|
KextBase = RoundPage(dtEntry + *deviceTreeLength);
|
|
if(!IsListEmpty(&gKextList)) {
|
|
Index = 1;
|
|
for (Link = gKextList.ForwardLink; Link != &gKextList; Link = Link->ForwardLink) {
|
|
KextEntry = CR(Link, KEXT_ENTRY, Link, KEXT_SIGNATURE);
|
|
|
|
CopyMem((VOID*) KextBase, (VOID*)(UINTN) KextEntry->kext.paddr, KextEntry->kext.length);
|
|
drvinfo = (_BooterKextFileInfo*) KextBase;
|
|
drvinfo->infoDictPhysAddr += (UINT32) KextBase;
|
|
drvinfo->executablePhysAddr += (UINT32) KextBase;
|
|
drvinfo->bundlePathPhysAddr += (UINT32) KextBase;
|
|
|
|
memmapEntry->NumProperties++;
|
|
prop = ((DeviceTreeNodeProperty*) drvPtr);
|
|
prop->Length = sizeof(_DeviceTreeBuffer);
|
|
mm = (_DeviceTreeBuffer*) (((UINT8*)prop) + sizeof(DeviceTreeNodeProperty));
|
|
mm->paddr = (UINT32)KextBase;
|
|
mm->length = KextEntry->kext.length;
|
|
snprintf(prop->Name, 31, "Driver-%X", (UINT32)KextBase);
|
|
|
|
drvPtr += sizeof(DeviceTreeNodeProperty) + sizeof(_DeviceTreeBuffer);
|
|
KextBase = RoundPage(KextBase + KextEntry->kext.length);
|
|
DBG_RT(" %llu - %s\n", Index, (CHAR8 *)(UINTN)drvinfo->bundlePathPhysAddr);
|
|
DBG(" %llu - %s\n", Index, (CHAR8 *)(UINTN)drvinfo->bundlePathPhysAddr);
|
|
if (gSettings.KextPatchesAllowed) {
|
|
CHAR8 SavedValue;
|
|
CHAR8 *InfoPlist = (CHAR8*)(UINTN)drvinfo->infoDictPhysAddr;
|
|
SavedValue = InfoPlist[drvinfo->infoDictLength];
|
|
InfoPlist[drvinfo->infoDictLength] = '\0';
|
|
// KernelAndKextPatcherInit();
|
|
for (size_t i = 0; i < KernelAndKextPatches.KextPatches.size(); i++) {
|
|
if ((KernelAndKextPatches.KextPatches[i].Data.size() > 0) &&
|
|
(AsciiStrStr(InfoPlist, KernelAndKextPatches.KextPatches[i].Name.c_str()) != NULL)) {
|
|
AnyKextPatch(
|
|
(UINT8*)(UINTN)drvinfo->executablePhysAddr,
|
|
drvinfo->executableLength,
|
|
InfoPlist,
|
|
drvinfo->infoDictLength,
|
|
i
|
|
);
|
|
}
|
|
}
|
|
InfoPlist[drvinfo->infoDictLength] = SavedValue;
|
|
}
|
|
Index++;
|
|
}
|
|
}
|
|
|
|
DBG_RT("Done.\n");
|
|
Stall(5000000);
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
|
|
////////////////////////////////////
|
|
//
|
|
// KernelBooterExtensionsPatch to load extra kexts besides kernelcache
|
|
//
|
|
//
|
|
|
|
// Snow Leopard i386
|
|
const UINT8 KBESnowSearchEXT_i386[] = { 0xE8, 0xED, 0xF9, 0xFF, 0xFF, 0xEB, 0x08, 0x89, 0x1C, 0x24 };
|
|
const UINT8 KBESnowReplaceEXT_i386[] = { 0xE8, 0xED, 0xF9, 0xFF, 0xFF, 0x90, 0x90, 0x89, 0x1C, 0x24 };
|
|
|
|
// Snow Leopard X64
|
|
const UINT8 KBESnowSearchEXT_X64[] = { 0xE8, 0x5A, 0xFB, 0xFF, 0xFF, 0xEB, 0x08, 0x48, 0x89, 0xDF };
|
|
const UINT8 KBESnowReplaceEXT_X64[] = { 0xE8, 0x5A, 0xFB, 0xFF, 0xFF, 0x90, 0x90, 0x48, 0x89, 0xDF };
|
|
|
|
// Lion i386
|
|
const UINT8 KBELionSearchEXT_i386[] = { 0xE8, 0xAA, 0xFB, 0xFF, 0xFF, 0xEB, 0x08, 0x89, 0x34, 0x24 };
|
|
const UINT8 KBELionReplaceEXT_i386[] = { 0xE8, 0xAA, 0xFB, 0xFF, 0xFF, 0x90, 0x90, 0x89, 0x34, 0x24 };
|
|
|
|
// Lion X64
|
|
const UINT8 KBELionSearchEXT_X64[] = { 0xE8, 0x0C, 0xFD, 0xFF, 0xFF, 0xEB, 0x08, 0x48, 0x89, 0xDF };
|
|
const UINT8 KBELionReplaceEXT_X64[] = { 0xE8, 0x0C, 0xFD, 0xFF, 0xFF, 0x90, 0x90, 0x48, 0x89, 0xDF };
|
|
|
|
|
|
//
|
|
// We can not rely on OSVersion global variable for OS version detection,
|
|
// since in some cases it is not correct (install of ML from Lion, for example).
|
|
// So, we'll use "brute-force" method - just try to patch.
|
|
// Actually, we'll at least check that if we can find only one instance of code that
|
|
// we are planning to patch.
|
|
//
|
|
// Fully reworked by Sherlocks. 2019.06.23
|
|
//
|
|
|
|
|
|
VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch()
|
|
{
|
|
// UINTN Num = 0;
|
|
UINTN NumSnow_i386_EXT = 0;
|
|
UINTN NumSnow_X64_EXT = 0;
|
|
UINTN NumLion_i386_EXT = 0;
|
|
UINTN NumLion_X64_EXT = 0;
|
|
UINTN patchLocation2 = 0, patchLocation3 = 0;
|
|
|
|
|
|
DBG_RT("\nPatching kernel for injected kexts...\n");
|
|
|
|
if (is64BitKernel) {
|
|
NumSnow_X64_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64));
|
|
NumLion_X64_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64));
|
|
} else {
|
|
NumSnow_i386_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386));
|
|
NumLion_i386_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386));
|
|
}
|
|
|
|
if (NumSnow_i386_EXT + NumSnow_X64_EXT + NumLion_i386_EXT + NumLion_X64_EXT > 1) {
|
|
// more then one pattern found - we do not know what to do with it
|
|
// and we'll skipp it
|
|
// DBG_RT("\nERROR patching kernel for injected kexts:\nmultiple patterns found (Snowi386: %llu, SnowX64: %llu, Lioni386: %llu, LionX64: %llu) - skipping patching!\n", NumSnow_i386_EXT, NumSnow_X64_EXT, NumLion_i386_EXT, NumLion_X64_EXT);
|
|
// Stall(10000000);
|
|
return;
|
|
}
|
|
|
|
// X64
|
|
if (is64BitKernel) {
|
|
if (NumSnow_X64_EXT == 1) {
|
|
/*Num=*/ SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64), KBESnowReplaceEXT_X64, 1);
|
|
// DBG_RT("==> kernel Snow Leopard X64: %llu replaces done.\n", Num);
|
|
} else if (NumLion_X64_EXT == 1) {
|
|
/*Num=*/ SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64), KBELionReplaceEXT_X64, 1);
|
|
// DBG_RT("==> kernel Lion X64: %llu replaces done.\n", Num);
|
|
} else {
|
|
// EXT - load extra kexts besides kernelcache.
|
|
#if OLD_EXTRA_KEXT_PATCH
|
|
UINT32 patchLocation1 = 0;
|
|
for (UINT32 i = 0; i < 0x1000000; i++) {
|
|
// 01 00 31 FF BE 14 00 05
|
|
if (Kernel[i+0] == 0x01 && Kernel[i+1] == 0x00 && Kernel[i+2] == 0x31 &&
|
|
Kernel[i+3] == 0xFF && Kernel[i+4] == 0xBE && Kernel[i+5] == 0x14 &&
|
|
Kernel[i+6] == 0x00 && Kernel[i+7] == 0x05) {
|
|
DBG_RT("==> found EXT Base (10.8 - recent macOS)\n");
|
|
for (UINT32 y = i; y < 0x1000000; y++) {
|
|
// E8 XX 00 00 00 EB XX XX
|
|
if (Kernel[y+0] == 0xE8 && Kernel[y+2] == 0x00 && Kernel[y+3] == 0x00 &&
|
|
Kernel[y+4] == 0x00 && Kernel[y+5] == 0xEB) {
|
|
//(Kernel[y+7] == 0x48 || Kernel[y+7] == 0xE8)) { // 48:10.8-10.9/E8:10.10+
|
|
patchLocation1 = y;
|
|
DBG_RT("==> found EXT (10.8 - recent macOS) at 0x%08x\n", patchLocation1);
|
|
break;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!patchLocation1) {
|
|
DBG_RT("==> can't find EXT (10.8 - recent macOS), kernel patch aborted.\n");
|
|
gBS->Stall(3000000);
|
|
}
|
|
|
|
if (patchLocation1) {
|
|
DBG_RT("==> patched EXT (10.8 - recent macOS) location=%x\n", patchLocation1);
|
|
for (i = 5; i < 7; i++) {
|
|
// E8 XX 00 00 00 EB XX XX
|
|
// E8 XX 00 00 00 90 90 XX
|
|
Kernel[patchLocation1 + i] = 0x90;
|
|
}
|
|
}
|
|
#else
|
|
//Capitan
|
|
// procedure at 950950, len = fffffffffffff3f0
|
|
// proclen=256, end=256 startLen=0
|
|
// found start at 0x950950
|
|
// found pattern: 1
|
|
// address: 0095098b
|
|
// bytes:eb05
|
|
|
|
// BS
|
|
// E8 ?? 00 00 00 EB 05 E8 -->
|
|
// E8 ?? 00 00 00 90 90 E8.
|
|
|
|
UINTN procLocation = searchProc("readStartupExtensions"_XS8);
|
|
const UINT8 findJmp[] = {0xEB, 0x05};
|
|
const UINT8 patchJmp[] = {0x90, 0x90};
|
|
DBG("==> readStartupExtensions at %llx\n", procLocation);
|
|
if (!SearchAndReplace(&KernelData[procLocation], 0x100, findJmp, 2, patchJmp, 1)) {
|
|
DBG("load kexts not patched\n");
|
|
for (UINTN j=procLocation+0x2b; j<procLocation+0x4b; ++j) {
|
|
DBG("%02x ", KernelData[j]);
|
|
}
|
|
DBG("\n");
|
|
// Stall(10000000);
|
|
//second attempt brute force for 10.16
|
|
// const UINT8 findJmp2[] = {0xEB, 0x05, 0xE8, 0x7D, 0x03};
|
|
// const UINT8 patchJmp2[] = {0x90, 0x90, 0xE8, 0x7D, 0x03};
|
|
// if (!SearchAndReplace(&KernelData[0], KERNEL_MAX_SIZE, findJmp2, 5, patchJmp2, 1)) {
|
|
// DBG("load kexts 2 not patched\n");
|
|
// } else {
|
|
// DBG("load kexts 2 patched !!!\n");
|
|
// }
|
|
} else {
|
|
DBG("load kexts patched \n");
|
|
// for (UINTN j=procLocation+0x3b; j<procLocation+0x5b; ++j) {
|
|
// DBG_RT("%02x", Kernel[j]);
|
|
// }
|
|
// DBG_RT("\n");
|
|
}
|
|
Stall(12000000);
|
|
#endif
|
|
// SIP - bypass kext check by System Integrity Protection.
|
|
//the pattern found in __ZN6OSKext14loadExecutableEv: // OSKext::loadExecutable()
|
|
// iMac2017:Catalina sergey$ ./FindMask kernel -p loadExecutable -e 1000 -f 488500740048000048,FFFF00FF00FF0000FF
|
|
// descending
|
|
// procedure at 7a1ed0, len = ffffffffffff4b50
|
|
// proclen=4096, end=4096 startLen=0
|
|
// found start at 0x7a1ed0
|
|
// found pattern: 1
|
|
// address: 007a29b7
|
|
// bytes:4885c074224889c348
|
|
|
|
|
|
//Capitan
|
|
// ffffff800084897b 4885DB test rbx, rbx
|
|
// ffffff800084897e 7470 je 0xffffff80008489f0 -> patch to not jump
|
|
// 7412 jmp ffffff8000848992
|
|
// ; Basic Block Input Regs: rbx - Killed Regs: rax rdi
|
|
// ffffff8000848980 488B03 mov rax, qword [ds:rbx]
|
|
// ffffff8000848983 4889DF mov rdi, rbx
|
|
// ffffff8000848986 FF5028 call qword [ds:rax+0x28]
|
|
// ffffff8000848989 483B1DE04F2B00 cmp rbx, qword [ds:0xffffff8000afd970]
|
|
// ffffff8000848990 745E je 0xffffff80008489f0 -> patch to not jump
|
|
// ; Basic Block Input Regs: r13 - Killed Regs: rax rbx rdi
|
|
// ffffff8000848992 498B4500 mov rax, qword [ds:r13+0x0]
|
|
// procedure at 6487f0, len = 7250
|
|
// proclen=512, end=512 startLen=0
|
|
// found start at 0x6487f0
|
|
// found pattern: 1
|
|
// address: 0064897b
|
|
// bytes:4885db7470
|
|
|
|
#if OLD_EXTRA_KEXT_PATCH
|
|
for (UINT32 i = 0; i < 0x1000000; i++) {
|
|
// 45 31 FF 41 XX 01 00 00 DC 48
|
|
if (Kernel[i+0] == 0x45 && Kernel[i+1] == 0x31 && Kernel[i+3] == 0x41 &&
|
|
//(Kernel[i+4] == 0xBF || Kernel[i+4] == 0xBE) && // BF:10.11/BE:10.12+
|
|
Kernel[i+5] == 0x01 && Kernel[i+6] == 0x00 && Kernel[i+7] == 0x00 &&
|
|
Kernel[i+8] == 0xDC && Kernel[i+9] == 0x48) {
|
|
|
|
DBG_RT("==> found loadExecutable (10.11 - recent macOS) at %x\n", i);
|
|
for (UINT32 y = i; y < 0x100000; y++) {
|
|
// 48 85 XX 74 XX 48 XX XX 48
|
|
if (Kernel[y+0] == 0x48 && Kernel[y+1] == 0x85 && Kernel[y+3] == 0x74 &&
|
|
Kernel[y+5] == 0x48 && Kernel[y+8] == 0x48) {
|
|
patchLocation2 = y;
|
|
DBG_RT("==> found SIP (10.11 - 10.14) at 0x%08x\n", patchLocation2);
|
|
break;
|
|
// 00 85 C0 0F 84 XX 00 00 00 49 //???? - not found in Catalina
|
|
} else if (Kernel[y+0] == 0x00 && Kernel[y+1] == 0x85 && Kernel[y+2] == 0xC0 &&
|
|
Kernel[y+3] == 0x0F && Kernel[y+4] == 0x84 && Kernel[y+9] == 0x49) {
|
|
patchLocation2 = y;
|
|
DBG_RT("==> found SIP (10.15 - recent macOS) at 0x%08x\n", patchLocation2);
|
|
break;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
#else
|
|
// BS
|
|
// E8 ?? ?? ?? 00 85 C0 0F 84 ?? 00 00 00 49 8B 45 -->
|
|
// E8 ?? ?? ?? 00 85 C0 90 90 90 90 90 90 49 8B 45.
|
|
|
|
const UINT8 find3[] = {0x48, 0x85, 00, 0x74, 00, 0x48, 00, 00, 0x48 };
|
|
const UINT8 mask3[] = {0xFF, 0xFF, 00, 0xFF, 00, 0xFF, 00, 00, 0xFF };
|
|
#endif
|
|
|
|
//ffffff80009a2267 488D35970D2400 lea rsi, qword [ds:0xffffff8000be3005] ; "com.apple.private.security.kext-management"
|
|
//ffffff80009a226e E89D780D00 call _IOTaskHasEntitlement
|
|
//ffffff80009a2273 85C0 test eax, eax =>change to eb06 -> jmp .+6
|
|
//ffffff80009a2275 0F843C010000 je 0xffffff80009a23b7
|
|
//ffffff80009a227b
|
|
UINTN taskLocation = searchProc("IOTaskHasEntitlement"_XS8);
|
|
procLocation = searchProc("loadExecutable"_XS8);
|
|
patchLocation2 = FindMemMask(&KernelData[procLocation], 0x500, find3, sizeof(find3), mask3, sizeof(mask3));
|
|
DBG("IOTaskHasEntitlement at 0x%llx, loadExecutable at 0x%llx\n", taskLocation, procLocation);
|
|
DBG("find3 at 0x%llx\n", patchLocation2);
|
|
if (patchLocation2 != KERNEL_MAX_SIZE) {
|
|
DBG_RT("=> patch SIP applied\n");
|
|
patchLocation2 += procLocation;
|
|
KernelData[patchLocation2 + 3] = 0xEB;
|
|
if (KernelData[patchLocation2 + 4] == 0x6C) {
|
|
KernelData[patchLocation2 + 4] = 0x15;
|
|
} else {
|
|
KernelData[patchLocation2 + 4] = 0x12;
|
|
}
|
|
} else {
|
|
patchLocation2 = FindRelative32(KernelData, procLocation, 0x700, taskLocation);
|
|
DBG("else search relative at 0x%llx\n", patchLocation2);
|
|
if (patchLocation2 != 0) {
|
|
DBG_RT("=> patch2 SIP applied\n");
|
|
KernelData[patchLocation2] = 0xEB;
|
|
KernelData[patchLocation2 + 1] = 0x06;
|
|
} else {
|
|
DBG_RT("=> patch2 SIP not applied\n");
|
|
const UINT8 find7[] = {0xE8, 0x00, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84, 0xFF, 0x00, 0x00, 0x00, 0x49, 0x8B, 0x45 };
|
|
const UINT8 mask7[] = {0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
|
|
patchLocation2 = FindMemMask(&KernelData[0], KERNEL_MAX_SIZE, find7, sizeof(find7), mask7, sizeof(mask7));
|
|
DBG("found call to TE at 0x%llx\n", patchLocation2);
|
|
KernelData[0 + patchLocation2 + 7] = 0xEB;
|
|
KernelData[0 + patchLocation2 + 8] = 0x04;
|
|
|
|
}
|
|
}
|
|
Stall(10000000);
|
|
|
|
/*
|
|
//Capitan: 48 85 db 74 70 48 8b 03 48
|
|
if (patchLocation2) {
|
|
if (taskFound) {
|
|
UINT8 jmp = Kernel[patchLocation2 + 4];
|
|
const UINT8 repl4[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB};
|
|
CopyMem(&Kernel[patchLocation2], repl4, sizeof(repl4));
|
|
Kernel[patchLocation2 + 6] = jmp;
|
|
DBG_RT("=> mojave SIP applyed\n");
|
|
} else
|
|
if (Kernel[patchLocation2 + 0] == 0x48 && Kernel[patchLocation2 + 1] == 0x85) {
|
|
|
|
Kernel[patchLocation2 + 3] = 0xEB;
|
|
DBG_RT("==> patched SIP (10.11 - 10.14)\n");
|
|
if (Kernel[patchLocation2 + 4] == 0x6C) {
|
|
// 48 85 XX 74 6C 48 XX XX 48
|
|
// 48 85 XX EB 15 48 XX XX 48
|
|
Kernel[patchLocation2 + 4] = 0x15; // 10.14.4-10.14.6
|
|
} else {
|
|
// 48 85 XX 74 XX 48 XX XX 48
|
|
// 48 85 XX EB 12 48 XX XX 48
|
|
Kernel[patchLocation2 + 4] = 0x12; // 10.11-10.14.3
|
|
}
|
|
// PMheart
|
|
} else if (Kernel[patchLocation2 + 0] == 0x00 && Kernel[patchLocation2 + 1] == 0x85) {
|
|
DBG_RT("==> patched SIP (10.15 - recent macOS)\n");
|
|
for (i = 3; i < 9; i++) {
|
|
// 00 85 C0 0F 84 XX 00 00 00 49
|
|
// 00 85 C0 90 90 90 90 90 90 49
|
|
Kernel[patchLocation2 + i] = 0x90;
|
|
}
|
|
}
|
|
}
|
|
Stall(9000000);
|
|
*/
|
|
//Slice - hope this patch useful for some system that I have no.
|
|
// KxldUnmap by vit9696
|
|
// Avoid race condition in OSKext::removeKextBootstrap when using booter kexts without keepsyms=1.
|
|
procLocation = searchProc("removeKextBootstrap"_XS8);
|
|
const UINT8 find5[] = {0x00, 0x0F, 0x85, 00, 00, 0x00, 0x00, 0x48 };
|
|
const UINT8 mask5[] = {0xFF, 0xFF, 0xFF, 00, 00, 0xFF, 0xFF, 0xFF };
|
|
patchLocation3 = FindMemMask(&KernelData[procLocation], 0x300, find5, sizeof(find5), mask5, sizeof(mask5));
|
|
DBG("removeKextBootstrap at 0x%llx\n", patchLocation3);
|
|
|
|
/*
|
|
for (UINT32 i = 0; i < 0x1000000; i++) {
|
|
// 55 48 89 E5 41 57 41 56 41 54 53 //10
|
|
// 48 83 EC 30 48 C7 45 B8 XX XX XX //21
|
|
// XX XX XX XX XX XX XX XX XX XX XX //32
|
|
// XX XX XX XX XX XX XX XX XX XX XX //43
|
|
// XX XX XX XX XX XX XX XX XX FF XX //54
|
|
// XX XX XX XX XX XX XX XX XX FF FF //65
|
|
if (Kernel[i+0] == 0x55 && Kernel[i+1] == 0x48 && Kernel[i+2] == 0x89 &&
|
|
Kernel[i+3] == 0xE5 && Kernel[i+4] == 0x41 && Kernel[i+5] == 0x57 &&
|
|
Kernel[i+6] == 0x41 && Kernel[i+7] == 0x56 && Kernel[i+8] == 0x41 &&
|
|
Kernel[i+9] == 0x54 && Kernel[i+10] == 0x53 && Kernel[i+11] == 0x48 &&
|
|
Kernel[i+12] == 0x83 && Kernel[i+13] == 0xEC && Kernel[i+14] == 0x30 &&
|
|
Kernel[i+15] == 0x48 && Kernel[i+16] == 0xC7 && Kernel[i+17] == 0x45 &&
|
|
Kernel[i+18] == 0xB8 && Kernel[i+53] == 0xFF && Kernel[i+64] == 0xFF && Kernel[i+65] == 0xFF) {
|
|
DBG_RT("==> found KxldUnmap Base (10.14 - recent macOS)\n");
|
|
for (UINT32 y = i; y < 0x1000000; y++) {
|
|
// 00 0F 85 XX XX 00 00 48
|
|
if (Kernel[y+0] == 0x00 && Kernel[y+1] == 0x0F && Kernel[y+2] == 0x85 &&
|
|
Kernel[y+5] == 0x00 && Kernel[y+6] == 0x00 && Kernel[y+7] == 0x48) {
|
|
patchLocation3 = y;
|
|
DBG_RT("==> found KxldUnmap (10.14 - recent macOS) at 0x%08x\n", patchLocation3);
|
|
break;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
*/
|
|
//BS
|
|
//FF 80 3D ?? ?? ?? 00 00 0F 85 ?? 01 00 00 41 -->
|
|
//FF 80 3D ?? ?? ?? 00 00 90 E9 ?? 01 00 00 41.
|
|
/*
|
|
if (patchLocation3 == KERNEL_MAX_SIZE) {
|
|
DBG_RT("==> can't find KxldUnmap (10.14 - 10.15)\n");
|
|
Stall(3000000);
|
|
const UINT8 find6[] = {0xFF, 0x80, 0x3D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x85, 0x00, 0x01, 0x00, 0x00, 0x41 };
|
|
const UINT8 mask6[] = {0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
|
|
patchLocation3 = FindMemMask(&KernelData[0], KERNEL_MAX_SIZE, find6, sizeof(find6), mask6, sizeof(mask6));
|
|
DBG("find mask 6 at 0x%llx\n", patchLocation3);
|
|
if (patchLocation3 != KERNEL_MAX_SIZE) {
|
|
KernelData[0 + patchLocation3 + 8] = 0x90;
|
|
KernelData[0 + patchLocation3 + 9] = 0xE9;
|
|
}
|
|
} else {
|
|
*/
|
|
//The patch is not needed for bigsur
|
|
if (patchLocation3 != KERNEL_MAX_SIZE) {
|
|
DBG("==> patched KxldUnmap (10.14 - 10.15)\n");
|
|
// 00 0F 85 XX XX 00 00 48
|
|
// 00 90 E9 XX XX 00 00 48
|
|
KernelData[procLocation + patchLocation3 + 1] = 0x90;
|
|
KernelData[procLocation + patchLocation3 + 2] = 0xE9;
|
|
}
|
|
}
|
|
} else {
|
|
// i386
|
|
if (NumSnow_i386_EXT == 1) {
|
|
/*Num=*/ SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386), KBESnowReplaceEXT_i386, 1);
|
|
// DBG_RT("==> kernel Snow Leopard i386: %llu replaces done.\n", Num);
|
|
} else if (NumLion_i386_EXT == 1) {
|
|
/*Num=*/ SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386), KBELionReplaceEXT_i386, 1);
|
|
// DBG_RT("==> kernel Lion i386: %llu replaces done.\n", Num);
|
|
} else {
|
|
DBG_RT("==> ERROR: NOT patched - unknown kernel.\n");
|
|
}
|
|
}
|
|
|
|
DBG_RT("Pausing 5 secs ...\n");
|
|
Stall(5000000);
|
|
}
|