Chameleon

Chameleon Commit Details

Date:2010-11-22 07:51:11 (8 years 6 months ago)
Author:Evan Lojewski
Commit:647
Parents: 646
Message:Kext patcher update. Fixed bug with HDA patches, untested on 10.6.2 pre kexts. Fixed bug with gma 3150 kext, patch now works on all 10.6.x installs. I need to clean up the patcher / make an api still
Changes:
M/branches/meklort/i386/modules/KextPatcher/hex_editor.c
M/branches/meklort/i386/modules/KextPatcher/kext_patcher.c

File differences

branches/meklort/i386/modules/KextPatcher/kext_patcher.c
4747
4848
4949
50
51
5250
51
52
53
5354
5455
5556
......
137138
138139
139140
140
141141
142142
143
143144
144
145
145146
146147
147148
148
149149
150150
151151
......
372372
373373
374374
375
375
376376
377377
378378
......
383383
384384
385385
386
386
387387
388388
389
389
390390
391391
392392
393393
394394
395
395
396396
397397
398398
......
451451
452452
453453
454
454
455455
456456
457457
458
458
459459
460460
461461
......
472472
473473
474474
475
475
476476
477477
478478
......
486486
487487
488488
489
490489
491
492490
493491
494492
......
527525
528526
529527
530
531
528
532529
533530
534531
......
536533
537534
538535
539
536
540537
541538
542539
......
558555
559556
560557
561
558
562559
563560
564561
565562
566563
567
564
565
568566
569567
570568
......
575573
576574
577575
576
577
578
578579
579580
580581
......
667668
668669
669670
671
672
673
670674
671
672675
673676
677
678
679
674680
675681
682
683
684
685
686
676687
677
688
678689
690
691
692
679693
680694
681695
......
684698
685699
686700
701
702
703
704
687705
688
689
690
706
691707
708
709
710
692711
693712
694
695
696
697
698
699
700
701
702
703
704
705
706
713
714
715
707716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
708746
709
710747
711748
712749
......
736773
737774
738775
739
776
740777
741778
742779
......
752789
753790
754791
755
792
756793
757794
758795
uint16_t patch_gma_deviceid = 0;
uint16_t patch_bcm_deviceid = 0;
// TODO: add detection code / a method for users to enter the id
uint16_t patch_hda_codec = 0;
// TODO: add detection code
uint16_t patch_hda_codec = 0x00;
#define NEEDS_PATCHING(patch_bcm_deviceid || patch_gma_deviceid || patch_hda_codec)
typedef struct z_mem {
{
const char* hda_codec;
int len = 0;
if (getValueForKey(kHDACodec, &hda_codec, &len, &bootInfo->bootConfig))
{
patch_hda_codec = 0;
int index = 0;
while(len)
while(len--)
{
patch_hda_codec <<= 4;
patch_hda_codec |= chartohex(hda_codec[index]);
len--;
index++;
}
}
}
else
{
//return patch_gma_kexts(plist, plistbuffer, start);
}
}
}
else if(patch_hda_codec && strcmp(bundleID, "com.apple.driver.AppleHDA") == 0)
{
//return patch_hda_kext(plist, plistbuffer, start);
return patch_hda_kext(plist, plistbuffer, start);
}
/*
else if(patch_hda_codec && strcmp(bundleID, "com.apple.driver.AppleHDAController") == 0)
{
return patch_hda_controller(plist, plistbuffer, start);
}
*/
return false;
}
char* orig_string = "0x04020000&amp;0xFFFE0000"; //XMLCastString(match_class);
DBG("Attemting to replace '%s' with '%s'\n", orig_string, new_str);
printf("Attemting to replace '%s' with '%s'\n", orig_string, new_str);
// TODO: verify string doesn't exist first.
replace_string(orig_string, new_str, plistbuffer + XMLCastStringOffset(match_class), 10240);
replace_string(orig_string, new_str, plistbuffer + XMLCastStringOffset(match_class), 1024);
return true;
z_stream zstream;
bool zstream_inited = false;
switch(0xFF00 & patch_hda_codec)
switch(patch_hda_codec & 0xFF00)
{
case 0x0200:
find_codec = 0x0262;
find_codec = 0x0885;
break;
}
if(!find_codec) return false;// notify caller that we aren't patching the kext
executable_offset = XMLCastInteger(XMLGetProperty(plist, kMKEXTExecutableKey));
kext = (void*)((char*)start + executable_offset);
DBG("Inflated result is %d, in: %d bytes, out: %d bytes, full: %d\n", zlib_result, zstream.total_in, zstream.total_out, full_size);
replace_word(0x10EC | (find_codec << 16), 0xE10EC | (patch_hda_codec << 16), executable, zstream.total_out);
int times = replace_word(0x10EC0000 | (find_codec), 0x10EC0000 | (patch_hda_codec), executable, zstream.total_out);
if (zstream_inited) inflateEnd(&zstream);
zstream.next_out = (UInt8*)compressed_data;
zstream.avail_in = full_size;
zstream.avail_out = compressed_size;
zstream.avail_out = compressed_size<<1;
zstream.zalloc = Z_NULL;
zstream.zfree = Z_NULL;
zstream.opaque = Z_NULL;
if (zlib_result == Z_STREAM_END)
{
DBG("Deflated result is %d, in: %d bytes, out: %d bytes, full: %d\n", zlib_result, zstream.total_in, zstream.total_out, full_size);
DBG("Deflated result is %d, avail: %d bytes, out: %d bytes, full: %d\n", zlib_result, compressed_size, zstream.total_out, full_size);
}
else if (zlib_result == Z_OK)
{
/* deflate filled output buffer, meaning the data doesn't compress.
*/
DBG("Deflated result is %d, in: %d bytes, out: %d bytes, full: %d\n", zlib_result, zstream.total_in, zstream.total_out, full_size);
DBG("Buffer FULL: deflated result is %d, avail: %d bytes, out: %d bytes, full: %d\n", zlib_result, compressed_size, zstream.total_out, full_size);
printf("Unable to patch AppleHDA\n"
}
else if (zlib_result != Z_STREAM_ERROR)
if (zstream_inited) deflateEnd(&zstream);
if(zstream.total_out < compressed_size) kext->compressed_size = MKEXT_SWAP(zstream.total_out);
free(executable);
return true;
DBG("Inflated result is %d, in: %d bytes, out: %d bytes, full: %d\n", zlib_result, zstream.total_in, zstream.total_out, full_size);
char* newstring = malloc(strlen("0x00008086") + 1);
sprintf(newstring, "0x%04x", 0x8086 | (patch_gma_deviceid << 16));
if(XMLGetProperty(personality, (const char*)"Intel915"))
{
verbose("Patching AppleIntelGMA960.kext\n");
//getc();
personality =XMLGetProperty(personality, (const char*)"Intel915");
// IOAccelerator kext
offset =XMLCastStringOffset(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
replace_string("0x27A28086", newstring, plistbuffer + offset, 10240);
replace_word(0x27A28086, 0x8086 | (patch_gma_deviceid << 16), executable, zstream.total_out);
}
else
else if(XMLGetProperty(personality, (const char*)"AppleIntelIntegratedFramebuffer"))
{
verbose("Patching AppleIntelIntegratedFramebuffer\n");
//getc();
personality =XMLGetProperty(personality, (const char*)"AppleIntelIntegratedFramebuffer");
// Framebuffer Kext
// Cursor corruption fix.
// This patch changes the cursor address from
// a physical address (used in the gma950) to an offset (used in the gma3150).
//s{0x8b, 0x55, 0x08, 0x83, 0xba, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x7e, 0x36, 0x89, 0x04, 0x24, 0xe8, 0x6b, 0xbc, 0xff, 0xff};
char find_bytes[] = {0x8b, 0x55, 0x08, 0x83, 0xba, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x7e, 0x36, 0x89, 0x04, 0x24, 0xe8/*, 0x32, 0xbb, 0xff, 0xff*/};// getPhysicalAddress() and more
char new_bytes[] = {0xb8, 0x00, 0x00, 0x00, 0x02, 0xEB, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};// jump past getPhysicalAddress binding. NOTE: last six bytes are unusable
replace_bytes(find_bytes, sizeof(find_bytes), new_bytes, sizeof(new_bytes), executable, zstream.total_out);
char find_bytes[] = {0x8b, 0x55, 0x08, 0x83, 0xba, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x7e, 0x36, 0x89, 0x04, 0x24, 0xe8, 0x32, 0xbb, 0xff, 0xff};// getPhysicalAddress() and more
char new_bytes[] = {0xb8, 0x00, 0x00, 0x00, 0x02, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xEB, 0x04, 0x00, 0x00, 0x00, 0x00};// jump past getPhysicalAddress binding. NOTE: last six bytes are unusable
replace_bytes(find_bytes, sizeof(find_bytes), new_bytes, sizeof(new_bytes), executable, zstream.total_out);
}
offset =XMLCastStringOffset(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
replace_string("0x27A28086", newstring, plistbuffer + offset, 10240);
replace_word(0x27A28086, 0x8086 | (patch_gma_deviceid << 16), executable, zstream.total_out);
}
#if DEBUG_KEXT_PATCHER
char* pcimatch =XMLCastString(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
#endif
offset =XMLCastStringOffset(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
char* newstring = malloc(strlen("0x00008086") + 1);
sprintf(newstring, "0x%04x", 0x8086 | (patch_gma_deviceid << 16));
DBG("Replacing %s with %s\n", "0x00008086", newstring);
replace_string("0x27A28086", newstring, plistbuffer + offset, 10240);
replace_word(0x27A28086, 0x8086 | (patch_gma_deviceid << 16), executable, zstream.total_out);
else if(XMLGetProperty(personality, (const char*)"Intel965"))
{
verbose("Patching AppleIntelGMAX3100.kext\n");
personality =XMLGetProperty(personality, (const char*)"Intel965");
offset =XMLCastStringOffset(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
//printf("Intel965\n");
//printf("Replacing %c%c%c%c\n", (plistbuffer + offset)[0], (plistbuffer + offset)[1], (plistbuffer + offset)[2], (plistbuffer + offset)[3]);
//getc();
//return true;
replace_string("0x2a028086", newstring, plistbuffer + offset, 10240);
//replace_word(0x2A028086, 0x8086 | (patch_gma_deviceid << 16), executable, zstream.total_out);
}
else if(XMLGetProperty(personality, (const char*)"AppleIntelGMAX3100FB"))
{
verbose("Patching AppleIntelGMAX3100FB.kext\n");
//getc();
personality =XMLGetProperty(personality, (const char*)"AppleIntelGMAX3100FB");
offset =XMLCastStringOffset(XMLGetProperty(personality, (const char*)"IOPCIPrimaryMatch"));
replace_string("0x2A028086", newstring, plistbuffer + offset, 10240);
replace_word(0x2A028086, 0x8086 | (patch_gma_deviceid << 16), executable, zstream.total_out);
}
else
{
return false;
}
if (zstream_inited) inflateEnd(&zstream);
if (zlib_result == Z_STREAM_END)
{
DBG("Deflated result is %d, in: %d bytes, out: %d bytes, full: %d\n", zlib_result, zstream.total_in, zstream.total_out, full_size);
DBG("Deflated result is %d, avail: %d bytes, out: %d bytes, full: %d\n", zlib_result, compressed_size, zstream.total_out, full_size);
}
else if (zlib_result == Z_OK)
{
printf("ZLIB Deflate Error: %s\n", zstream.msg);
getc();
}
//kext->compressed_size = MKEXT_SWAP(zstream.total_out);
if(zstream.total_out < compressed_size) kext->compressed_size = MKEXT_SWAP(zstream.total_out);
branches/meklort/i386/modules/KextPatcher/hex_editor.c
9898
9999
100100
101
101
102
102103
103104
104105
!replace ||
!exec ||
!length ||
find_size != replace_size) return;
find_size > replace_size)// Allow find_size to be less than replace_size. Will overwrite bytes including and *after* located pattern
return;
char* search = exec;

Archive Download the corresponding diff file

Revision: 647