Chameleon Commit Details - 646 - Chameleon open source boot loader project.

Date:

2010-11-22 05:32:53 (13 years 5 months ago)

Author:

Evan Lojewski

Commit:

646

Parents:

645

Message:

cpuid_set_info cpuid_model location is no read from binary. Fixes previously broken kernel patching on 10.6.2+

Changes:

M	/branches/meklort/i386/modules/KernelPatcher/kernel_patcher.c

File differences

-401
402 402
403 403
404
404 405
405 
406 406
407 407
408 408
... ...
424 424
425 425
426 426
427 
427
428 428
429 429
430 430
... ...
464 464
465 465
466 466
467 
467
468
468 469
469 470
470 
471 
472 
473 
471
472
473
474
474 475
475 
476 
476
477
477 478
478 479
479 480
... ...
491 492
492 493
493 494
494 
495 
496 
497 
498 495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
499 519
500 520
501 521
502 522
503 523
504 
505 
524
506 525
507 526
508 527
... ...
552 571
553 572
554 573
555 
574
556 575
557 
576
558 577
559 578
560 579
+␊
␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊
␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
␉UInt32 addrLocation = patchLocation;␊
␉␊
␉␊
␊
␉UInt32 jumpLocation = 0;␊
␉␊

␉panicAddr -= (UInt32)kernelData;␊
␊
␉␊
␉␊
␊
␉//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)␊
␉while(  ␊
␉␉  (bytes[patchLocation -1] != 0xE8) ||␊

␉␉/* ␊
␉␉ * Inpersonate the specified CPU FAMILY and CPU Model␊
␉␉ */␊
␉␉␊
␉␉//␉␉␉␉␉␉␉␉␉cpuid_cpufamily_addr, impersonateFamily␉␉␉␉␉␉␉␉␉cpuid_model_addr␉  impersonateModel␊
␉␉//char new_bytes[] = {0xC7, 0x05, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x90, 0x90, 0xC7, 0x05, 0x__, 0x__, 0x__, 0x__, 0x__, 0x01, 0x00, 0x02};␊
␉␉// bytes[patchLocation - 17] = 0xC7;␉// already here... not needed to be done␊
␉␉// bytes[patchLocation - 16] = 0x05;␉// see above␊
␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0  |␊
␉␉bytes[patchLocation - 14] << 8  |␊
␉␉bytes[patchLocation - 13] << 16 |␊
␉␉bytes[patchLocation - 12] << 24;␊
␉␉//UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0  |␊
␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 14] << 8  |␊
␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 16 |␊
␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 24;␊
␉␉␊
␉␉// NOTE: may change, determined based on cpuid_info struct␊
␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299; ␊
␉␉// NOTE: may change, determined based on cpuid_info struct: TODO: read from binary␊
␉␉//UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 295; ␊
␉␉␊
␉␉␊
␉␉// cpufamily␊

␉␉␊
␉␉bytes[patchLocation - 5] = 0xC7;␊
␉␉bytes[patchLocation - 4] = 0x05;␊
␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
␉␉␊
␉␉// Locate cpuid_addr_addr -> first four bytes after 8b 45 d8 25 f0 00 00 00 c1 e8 04 a2␊
␉␉while(bytes[addrLocation -12] != 0x8B ||␊
␉␉␉  bytes[addrLocation -11] != 0x45 ||␊
␉␉␉  bytes[addrLocation -10] != 0xD8 ||␊
␉␉␉  bytes[addrLocation -9] != 0x25 ||␊
␉␉␉  bytes[addrLocation -8] != 0xF0 ||␊
␉␉␉  bytes[addrLocation -7] != 0x00 ||␊
␉␉␉  bytes[addrLocation -6] != 0x00 ||␊
␉␉␉  bytes[addrLocation -5] != 0x00 ||␊
␉␉␉  bytes[addrLocation -4] != 0xC1 ||␊
␉␉␉  bytes[addrLocation -3] != 0xE8 ||␊
␉␉␉  bytes[addrLocation -2] != 0x04 ||␊
␉␉␉  bytes[addrLocation -1] != 0xA2)␊
␉␉{␊
␉␉␉// TODO: break if location is too large␊
␉␉␉addrLocation++;␊
␉␉}␉␉␊
␉␉␊
␉␉bytes[patchLocation - 3] = bytes[addrLocation];␊
␉␉bytes[patchLocation - 2] = bytes[addrLocation+1];␉␊
␉␉bytes[patchLocation - 1] = bytes[addrLocation+2];␊
␉␉bytes[patchLocation - 0] = bytes[addrLocation+3];␊
␉␉␊
␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
␉␉␊
␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␉␉␊
␉}␊
␉else if(impersonateFamily && impersonateModel)␊
␉{␊

␉␉␉␊
␉␉␉␊
␉␉␉␊
␉␉␉patchLocation = jumpLocation;␊
␉␉␉//patchLocation = jumpLocation;␊
␉␉␉// We now have 14 bytes available for a patch␊
␉␉␉␊
␊
␉␉}␊
␉␉else ␊
␉␉{␊
 ...
 ...
 ...
 ...
 ␊
 ␉UInt32 patchLocation = symbol ? symbol->addr - textAddress + textSection: 0; //␉(kernelSymbolAddresses[SYMBOL_CPUID_SET_INFO] - textAddress + textSection);␊
 ␉patchLocation -= (UInt32)kernelData;␉// Remove offset␊
+␉UInt32 addrLocation = patchLocation;␊
 ␉␊
-␉␊
 ␊
 ␉UInt32 jumpLocation = 0;␊
 ␉␊
 ␉panicAddr -= (UInt32)kernelData;␊
 ␊
 ␉␊
-␉␊
+␊
 ␉//TODO: don't assume it'll always work (Look for *next* function address in symtab and fail once it's been reached)␊
 ␉while(  ␊
 ␉␉  (bytes[patchLocation -1] != 0xE8) ||␊
 ␉␉/* ␊
 ␉␉ * Inpersonate the specified CPU FAMILY and CPU Model␊
 ␉␉ */␊
-␉␉␊
+␉␉//␉␉␉␉␉␉␉␉␉cpuid_cpufamily_addr, impersonateFamily␉␉␉␉␉␉␉␉␉cpuid_model_addr␉  impersonateModel␊
+␉␉//char new_bytes[] = {0xC7, 0x05, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x__, 0x90, 0x90, 0xC7, 0x05, 0x__, 0x__, 0x__, 0x__, 0x__, 0x01, 0x00, 0x02};␊
 ␉␉// bytes[patchLocation - 17] = 0xC7;␉// already here... not needed to be done␊
 ␉␉// bytes[patchLocation - 16] = 0x05;␉// see above␊
-␉␉UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0  |␊
-␉␉bytes[patchLocation - 14] << 8  |␊
-␉␉bytes[patchLocation - 13] << 16 |␊
-␉␉bytes[patchLocation - 12] << 24;␊
+␉␉//UInt32 cpuid_cpufamily_addr =␉bytes[patchLocation - 15] << 0  |␊
+␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 14] << 8  |␊
+␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 13] << 16 |␊
+␉␉//␉␉␉␉␉␉␉␉bytes[patchLocation - 12] << 24;␊
 ␉␉␊
-␉␉// NOTE: may change, determined based on cpuid_info struct␊
-␉␉UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 299; ␊
+␉␉// NOTE: may change, determined based on cpuid_info struct: TODO: read from binary␊
+␉␉//UInt32 cpuid_model_addr = cpuid_cpufamily_addr - 295; ␊
 ␉␉␊
 ␉␉␊
 ␉␉// cpufamily␊
 ␉␉␊
 ␉␉bytes[patchLocation - 5] = 0xC7;␊
 ␉␉bytes[patchLocation - 4] = 0x05;␊
-␉␉bytes[patchLocation - 3] = (cpuid_model_addr & 0x000000FF) >> 0;␊
-␉␉bytes[patchLocation - 2] = (cpuid_model_addr & 0x0000FF00) >> 8;␉␊
-␉␉bytes[patchLocation - 1] = (cpuid_model_addr & 0x00FF0000) >> 16;␊
-␉␉bytes[patchLocation - 0] = (cpuid_model_addr & 0xFF000000) >> 24;␊
 ␉␉␊
+␉␉// Locate cpuid_addr_addr -> first four bytes after 8b 45 d8 25 f0 00 00 00 c1 e8 04 a2␊
+␉␉while(bytes[addrLocation -12] != 0x8B ||␊
+␉␉␉  bytes[addrLocation -11] != 0x45 ||␊
+␉␉␉  bytes[addrLocation -10] != 0xD8 ||␊
+␉␉␉  bytes[addrLocation -9] != 0x25 ||␊
+␉␉␉  bytes[addrLocation -8] != 0xF0 ||␊
+␉␉␉  bytes[addrLocation -7] != 0x00 ||␊
+␉␉␉  bytes[addrLocation -6] != 0x00 ||␊
+␉␉␉  bytes[addrLocation -5] != 0x00 ||␊
+␉␉␉  bytes[addrLocation -4] != 0xC1 ||␊
+␉␉␉  bytes[addrLocation -3] != 0xE8 ||␊
+␉␉␉  bytes[addrLocation -2] != 0x04 ||␊
+␉␉␉  bytes[addrLocation -1] != 0xA2)␊
+␉␉{␊
+␉␉␉// TODO: break if location is too large␊
+␉␉␉addrLocation++;␊
+␉␉}␉␉␊
+␉␉␊
+␉␉bytes[patchLocation - 3] = bytes[addrLocation];␊
+␉␉bytes[patchLocation - 2] = bytes[addrLocation+1];␉␊
+␉␉bytes[patchLocation - 1] = bytes[addrLocation+2];␊
+␉␉bytes[patchLocation - 0] = bytes[addrLocation+3];␊
+␉␉␊
 ␉␉// Note: I could have just copied the 8bit cpuid_model in and saved about 4 bytes␊
 ␉␉// so if this function need a different patch it's still possible. Also, about ten bytes previous can be freed.␊
 ␉␉bytes[patchLocation + 1] = impersonateModel;␉// cpuid_model␊
 ␉␉bytes[patchLocation + 2] = 0x01;␉// cpuid_extmodel␊
 ␉␉bytes[patchLocation + 3] = 0x00;␉// cpuid_extfamily␊
-␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␊
-␉␉␊
+␉␉bytes[patchLocation + 4] = 0x02;␉// cpuid_stepping␉␉␊
 ␉}␊
 ␉else if(impersonateFamily && impersonateModel)␊
 ␉{␊
 ␉␉␉␊
 ␉␉␉␊
 ␉␉␉␊
-␉␉␉patchLocation = jumpLocation;␊
+␉␉␉//patchLocation = jumpLocation;␊
 ␉␉␉// We now have 14 bytes available for a patch␊
-␉␉␉␊
+␊
 ␉␉}␊
 ␉␉else ␊
 ␉␉{␊

Download the corresponding diff file