add lldb scripts to fix boot delay and bypass the secure root check

zhuowei · Jul 21, 2018 · 9512807 · 9512807
1 parent 3247770
commit 9512807
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/fixbootdelay_lldbscript_doc.txt b/fixbootdelay_lldbscript_doc.txt
@@ -0,0 +1,8 @@
+At boot, XNU waits 30 seconds for an RTC device, using IOService::resourceMatching("IORTC") and waitForService.
+
+We patch the two calls to waitForService - the first in IOKitInitializeTime and the second in AppleARMPE::getGMTTimeOfDay to wait for 1 second instead.
+
+XNU also waits to check if the root device is secure in IOSecureBSDRoot with a call to pe->callPlatformFunction. This call hangs,
+so the last breakpoint breaks just before the call, skips it, and pretend it returned true.
+
+The included offsets are for the iPhone X iOS 12 beta 4 kernelcache.
diff --git a/lldbit.sh b/lldbit.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+# from xnu's README.md
+exec lldb lz_comp2/kcache_out.bin -o "process connect --plugin gdb-remote connect://127.0.0.1:1234" -s lldbscript.lldb
diff --git a/lldbscript.lldb b/lldbscript.lldb
@@ -0,0 +1,17 @@
+b *0xFFFFFFF007433BE8
+breakpoint command add
+print $x1=1000000000
+c
+DONE
+b *0xFFFFFFF005FA5D84
+breakpoint command add
+print ((uint32_t*)0xFFFFFFF0058083A8)[0] = 1
+c
+DONE
+b *0xfffffff00743e434
+breakpoint command add
+print $pc=0xfffffff00743e438
+print $x0=1
+c
+DONE
+b *0xfffffff00743e834