Skip to content
Browse files

add lldb scripts to fix boot delay and bypass the secure root check

  • Loading branch information
zhuowei committed Jul 21, 2018
1 parent 3247770 commit 95128070a3482d9e8b8404966e6ad5ff138dd133
Showing with 28 additions and 0 deletions.
  1. +8 −0 fixbootdelay_lldbscript_doc.txt
  2. +3 −0
  3. +17 −0 lldbscript.lldb
@@ -0,0 +1,8 @@
At boot, XNU waits 30 seconds for an RTC device, using IOService::resourceMatching("IORTC") and waitForService.

We patch the two calls to waitForService - the first in IOKitInitializeTime and the second in AppleARMPE::getGMTTimeOfDay to wait for 1 second instead.

XNU also waits to check if the root device is secure in IOSecureBSDRoot with a call to pe->callPlatformFunction. This call hangs,
so the last breakpoint breaks just before the call, skips it, and pretend it returned true.

The included offsets are for the iPhone X iOS 12 beta 4 kernelcache.
@@ -0,0 +1,3 @@
# from xnu's
exec lldb lz_comp2/kcache_out.bin -o "process connect --plugin gdb-remote connect://" -s lldbscript.lldb
@@ -0,0 +1,17 @@
b *0xFFFFFFF007433BE8
breakpoint command add
print $x1=1000000000
b *0xFFFFFFF005FA5D84
breakpoint command add
print ((uint32_t*)0xFFFFFFF0058083A8)[0] = 1
b *0xfffffff00743e434
breakpoint command add
print $pc=0xfffffff00743e438
print $x0=1
b *0xfffffff00743e834

0 comments on commit 9512807

Please sign in to comment.