Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AirPlay to Mac with macOS 12.1 and iMac14,x #783

Open
khronokernel opened this issue Dec 9, 2021 · 4 comments
Open

AirPlay to Mac with macOS 12.1 and iMac14,x #783

khronokernel opened this issue Dec 9, 2021 · 4 comments
Labels
back-end Core functionality help wanted Extra attention is needed

Comments

@khronokernel
Copy link
Member

khronokernel commented Dec 9, 2021
edited
Loading

With the first beta of macOS 12.1, FeatureUnlock.kext started having patching issues with with regards to enabling AirPlay to Mac support on pre-Skylake machines.

Upon further inspection, we found the issue to be our iMac patch set:

static const uint8_t kSideCarAirPlayiMacOriginal[] = {
    // iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,3 iMac14,4 iMac15,1 iMac16,1 iMac16,2
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x34, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x35, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x36, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x36, 0x2C, 0x32, 0x00,
};

Specifically the early iMac14,x family:

    // iMac14,1 iMac14,2 iMac14,3 iMac14,4
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x34, 0x00,

The cause of this issue is due to the page size limitation of cs_validate_page, as patching data on the edge of the array can result in issues when sections of the dyld grow or shrink.

Work-Arounds

Currently with OCLP 0.3.2, I've added a new build of FeatureUnlock that splits the iMac patch set into 3 portions:

static const uint8_t kSideCarAirPlayiMacPart1Original[] = {
    // iMac13,1 iMac13,2 iMac13,3
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
};

static const uint8_t kSideCarAirPlayiMacPart2Original[] = {
    // iMac14,1 iMac14,2 iMac14,3 iMac14,4
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x34, 0x00,
};

static const uint8_t kSideCarAirPlayiMacPart3Original[] = {
    // iMac15,1 iMac16,1 iMac16,2
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x35, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x36, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x36, 0x2C, 0x32, 0x00,
};

This means that whenever we receive a patch failure for iMac14,x, only that model family is affected. Unfortunately this still means iMac14,x users will not have AirPlay to Mac on 12.1 and newer.

Additionally we have attempted to patch out the model check in AirPlaySupport.framework within the dyld, but have been unsuccessful.

Additional Testing

// Good 12.1 Beta 1 (21C5021h):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x34, 0x2C,

// Good 12.1 Beta 2 (21C5031d):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,3
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33,

// Good 12.1 Beta 3 (21C5039b):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C,

   
// Good 12.1 RC 1:
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C,

-----------------------------------------------------------

// Bad 12.1 Beta 1 (21C5021h):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4E, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32,

// Bad 12.1 Beta 2 (21C5031d):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,3 
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33, 0x00,

// Bad 12.1 Beta 3 (21C5039b):
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,3
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33,

// Bad 12.1 RC 1:
// iMac13,1 iMac13,2 iMac13,3 iMac14,1 iMac14,2 iMac14,3
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x33, 0x2C, 0x33, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x31, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x32, 0x00,
    0x69, 0x4D, 0x61, 0x63, 0x31, 0x34, 0x2C, 0x33,
@khronokernel khronokernel added help wanted Extra attention is needed back-end Core functionality labels Dec 9, 2021
@khronokernel khronokernel mentioned this issue Dec 9, 2021
Closed
@Monkiey Monkiey mentioned this issue Dec 16, 2021
Closed
@thierryrama

This comment has been minimized.

Sign in to view
@spida007

This comment has been minimized.

Sign in to view
@marcpbailey

This comment has been minimized.

Sign in to view
@dortania dortania locked as spam and limited conversation to collaborators Feb 1, 2022
@flagersgit
Copy link
Collaborator

It may be beneficial to work on the virtual memory level instead of pointers to individual pages.
XNU provides a vm_shared_region_vm_map function, which may be used to obtain a vm_map_t for a given shared region.

As, on Big Sur and newer, the shared cache is static and may not change (through Signed & Read-only System Volume and dylib binaries no longer on disk), every process will, in virtually all cases, use the same shared region.

XNU also provides a vm_shared_region_get function, which may be used to obtain a vm_shared_region_t for a given Mach task, for which we can use launchd after obtaining its task with its pid.

After all of this, vm_map_(write|read)_user may be used to scan the shared region for our find and replace.
However, my fear is that the shared region pager may prevent this. Specifically, the page-out handler.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
back-end Core functionality help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@thierryrama @marcpbailey @flagersgit @khronokernel @spida007