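#!/usr/bin/env python3
# SPDX-License-Identifier: MIT
"""Load a Mach-O or raw payload onto the target through the m1n1 proxy and jump to it.

The script stages one contiguous region in target memory that holds, in
order: the payload image, a copy of SEPFW, a copy of the preoslog buffer and
a 0x4000-byte boot-args block.  A short copy stub is written right after that
region and is then entered with ``p.call`` (``--call``) or ``p.reload``.

The payload bytes are uploaded and executed as given; nothing in this script
checks a signature or hash on them.
"""
import sys, pathlib
sys.path.append(str(pathlib.Path(__file__).resolve().parents[1]))

import argparse, pathlib, time

parser = argparse.ArgumentParser(description='Mach-O loader for m1n1')
parser.add_argument('-q', '--quiet', action="store_true", help="Disable framebuffer")
parser.add_argument('-n', '--no-sepfw', action="store_true", help="Do not preserve SEPFW")
parser.add_argument('-c', '--call', action="store_true", help="Use call mode")
parser.add_argument('-r', '--raw', action="store_true", help="Image is raw")
parser.add_argument('-E', '--entry-point', action="store", type=int, help="Entry point for the raw image", default=0x800)
parser.add_argument('-x', '--xnu', action="store_true", help="Set up for chainloading XNU")
parser.add_argument('payload', type=pathlib.Path)
parser.add_argument('boot_args', default=[], nargs="*")
args = parser.parse_args()

# Imported only after argument parsing.  u, p, iface, align, IODEV and
# ProxyCommandError are not defined in this file and presumably arrive through
# the star import below.
from m1n1.setup import *
from m1n1.tgtypes import BootArgs
from m1n1.macho import MachO
from m1n1 import asm

# Address the staged region is finally copied to; every address handed to the
# next stage is expressed relative to it.
new_base = u.base

if args.raw:
    image = args.payload.read_bytes()
    # The stub branches to new_base + entry_point unconditionally.  Refuse an
    # offset that is not a 4-byte-aligned position inside the payload before
    # the image is uploaded, instead of jumping into padding or the data that
    # is staged after the image.
    if not 0 <= args.entry_point < len(image) or args.entry_point % 4:
        parser.error(
            f"--entry-point 0x{args.entry_point:x} is not a 4-byte-aligned "
            f"offset inside the 0x{len(image):x}-byte raw image")
    image += b"\x00\x00\x00\x00"
    entry = new_base + args.entry_point
else:
    macho = MachO(args.payload.read_bytes())
    image = macho.prepare_image()
    image += b"\x00\x00\x00\x00"
    # Rebase the Mach-O entry point from its own lowest address onto new_base.
    entry = macho.entry - macho.vmin + new_base

if args.quiet:
    # --quiet: set the framebuffer I/O device usage to 0.
    p.iodev_set_usage(IODEV.FB, 0)

# With --no-sepfw both regions keep length 0, so they take no space below.
sepfw_start, sepfw_length = 0, 0
preoslog_start, preoslog_size = 0, 0

if not args.no_sepfw:
    sepfw_start, sepfw_length = u.adt["chosen"]["memory-map"].SEPFW
    if hasattr(u.adt["chosen"]["memory-map"], "preoslog"):
        preoslog_start, preoslog_size = u.adt["chosen"]["memory-map"].preoslog

# Layout of the staged region: image | SEPFW | preoslog | boot args.
image_size = align(len(image))
sepfw_off = image_size
image_size += align(sepfw_length)
preoslog_off = image_size
image_size += align(preoslog_size)
bootargs_off = image_size
bootargs_size = 0x4000
image_size += bootargs_size

print(f"Total region size: 0x{image_size:x} bytes")
image_addr = u.malloc(image_size)

print(f"Loading kernel image (0x{len(image):x} bytes)...")
u.compressed_writemem(image_addr, image, True)
p.dc_cvau(image_addr, len(image))

# NOTE(review): this listing was recovered from a view that had lost its
# indentation.  Which of the statements up to u.push_adt() sit under this
# condition was reconstructed from syntax and data flow - confirm against the
# repository copy.
if not args.no_sepfw:
    print(f"Copying SEPFW (0x{sepfw_length:x} bytes)...")
    p.memcpy8(image_addr + sepfw_off, sepfw_start, sepfw_length)
    print("Adjusting addresses in ADT...")
    # The ADT entries are rewritten to the post-relocation addresses
    # (new_base + offset), not to the staging addresses under image_addr.
    u.adt["chosen"]["memory-map"].SEPFW = (new_base + sepfw_off, sepfw_length)
    u.adt["chosen"]["memory-map"].BootArgs = (new_base + bootargs_off, bootargs_size)
    if hasattr(u.adt["chosen"]["memory-map"], "preoslog"):
        p.memcpy8(image_addr + preoslog_off, preoslog_start, preoslog_size)
        u.adt["chosen"]["memory-map"].preoslog = (new_base + preoslog_off, preoslog_size)

    for name in ("mtp", "aop"):
        if name in u.adt["/arm-io"]:
            iop = u.adt[f"/arm-io/{name}"]
            nub = u.adt[f"/arm-io/{name}/iop-{name}-nub"]
            if iop.segment_names.endswith(";__OS_LOG"):
                # ";__OS_LOG" is 9 characters; the 32 items cut from
                # segment_ranges are presumably that segment's range record.
                iop.segment_names = iop.segment_names[:-9]
                nub.segment_names = nub.segment_names[:-9]
                iop.segment_ranges = iop.segment_ranges[:-32]
                nub.segment_ranges = nub.segment_ranges[:-32]

    print("Setting secondary CPU RVBARs...")

    # The value written is the entry address with its low 12 bits cleared.
    rvbar = entry & ~0xfff
    for cpu in u.adt["cpus"]:
        if cpu.state == "running":
            continue
        addr, _size = cpu.cpu_impl_reg
        print(f" {cpu.name}: [0x{addr:x}] = 0x{rvbar:x}")
        p.write64(addr, rvbar)

    u.push_adt()

print("Setting up bootargs...")
tba = u.ba.copy()

tba.top_of_kernel_data = new_base + image_size

if args.boot_args:
    boot_args = " ".join(args.boot_args)
    # A standalone "-v" word in the command line selects display = 0.
    tba.video.display = 0 if "-v" in boot_args.split() else 1
    print(f"Setting boot arguments to {boot_args!r}")
    tba.cmdline = boot_args

if args.xnu:
    # Fix virt_base, since we often install m1n1 with it set to 0 which xnu does not like
    tba.virt_base = 0xfffffe0010000000 + (tba.phys_base & (32 * 1024 * 1024 - 1))
    tba.devtree = u.ba.devtree - u.ba.virt_base + tba.virt_base

iface.writemem(image_addr + bootargs_off, BootArgs.build(tba))

print("Copying stub...")

# The stub copies 16 bytes per iteration from [x1] to [x2], cleaning the data
# cache and invalidating the instruction cache for each destination address,
# until x3 reaches zero, then branches to the entry point.  x1/x2/x3 line up
# with the image_addr, new_base and image_size arguments passed to
# p.call/p.reload below (presumably delivered in x0-x3).
# The loop only terminates if image_size is a multiple of 16; it is a sum of
# align()ed sizes plus 0x4000 - assumes align() rounds to at least 16, confirm.
# NOTE(review): the stub is assembled at image_addr + image_size, directly
# after the region returned by u.malloc(image_size); nothing visible here
# reserves that space - confirm the allocator leaves it free.
stub = asm.ARMAsm(f"""
1:
    ldp x4, x5, [x1], #16
    stp x4, x5, [x2]
    dc cvau, x2
    ic ivau, x2
    add x2, x2, #16
    sub x3, x3, #16
    cbnz x3, 1b

    ldr x1, ={entry}
    br x1
""", image_addr + image_size)

iface.writemem(stub.addr, stub.data)
p.dc_cvau(stub.addr, stub.len)
p.ic_ivau(stub.addr, stub.len)

print(f"Entry point: 0x{entry:x}")

if args.xnu and p.display_is_external():
    if p.display_start_dcp() >= 0:
        p.display_shutdown(0)

if args.call:
    print("Shutting down MMU...")
    try:
        p.mmu_shutdown()
    except ProxyCommandError:
        # NOTE(review): a failed MMU shutdown is ignored and the jump still
        # happens; presumably deliberate best-effort - confirm.
        pass
    print(f"Jumping to stub at 0x{stub.addr:x}")
    p.call(stub.addr, new_base + bootargs_off, image_addr, new_base, image_size, reboot=True)
else:
    print(f"Reloading into stub at 0x{stub.addr:x}")
    p.reload(stub.addr, new_base + bootargs_off, image_addr, new_base, image_size)

# Round-trip a no-op to confirm the proxy answers again after the jump.
iface.nop()
print("Proxy is alive again")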