Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
add lldb scripts to fix boot delay and bypass the secure root check
- Loading branch information
Showing
with
28 additions
and 0 deletions.
- +8 −0 fixbootdelay_lldbscript_doc.txt
- +3 −0 lldbit.sh
- +17 −0 lldbscript.lldb
| @@ -0,0 +1,8 @@ | ||
| At boot, XNU waits 30 seconds for an RTC device, using IOService::resourceMatching("IORTC") and waitForService. | ||
|
|
||
| We patch the two calls to waitForService - the first in IOKitInitializeTime and the second in AppleARMPE::getGMTTimeOfDay to wait for 1 second instead. | ||
|
|
||
| XNU also waits to check if the root device is secure in IOSecureBSDRoot with a call to pe->callPlatformFunction. This call hangs, | ||
| so the last breakpoint breaks just before the call, skips it, and pretend it returned true. | ||
|
|
||
| The included offsets are for the iPhone X iOS 12 beta 4 kernelcache. |
| @@ -0,0 +1,3 @@ | ||
| #!/bin/sh | ||
| # from xnu's README.md | ||
| exec lldb lz_comp2/kcache_out.bin -o "process connect --plugin gdb-remote connect://127.0.0.1:1234" -s lldbscript.lldb |
| @@ -0,0 +1,17 @@ | ||
| b *0xFFFFFFF007433BE8 | ||
| breakpoint command add | ||
| print $x1=1000000000 | ||
| c | ||
| DONE | ||
| b *0xFFFFFFF005FA5D84 | ||
| breakpoint command add | ||
| print ((uint32_t*)0xFFFFFFF0058083A8)[0] = 1 | ||
| c | ||
| DONE | ||
| b *0xfffffff00743e434 | ||
| breakpoint command add | ||
| print $pc=0xfffffff00743e438 | ||
| print $x0=1 | ||
| c | ||
| DONE | ||
| b *0xfffffff00743e834 |