Add raw binary support to HV scripts

amarioguy · marcan · commit 0cf1f393ed14 · 2022-07-30T14:18:39.000+09:00
Signed-off-by: amarioguy &lt;arminders208@outlook.com&gt;
diff --git a/proxyclient/m1n1/hv/__init__.py b/proxyclient/m1n1/hv/__init__.py
@@ -1494,51 +1494,8 @@ def enable_time_stealing(self):
     def disable_time_stealing(self):
         self.p.hv_set_time_stealing(False)
 
-    def load_macho(self, data, symfile=None):
-        if isinstance(data, str):
-            data = open(data, "rb")
-
-        self.macho = macho = MachO(data)
-        if symfile is not None:
-            if isinstance(symfile, str):
-                symfile = open(symfile, "rb")
-            syms = MachO(symfile)
-            macho.add_symbols("com.apple.kernel", syms)
-            self.xnu_mode = True
-
-        self.symbol_dict = macho.symbols
-        self.symbols = [(v, k) for k, v in macho.symbols.items()]
-        self.symbols.sort()
-
-        def load_hook(data, segname, size, fileoff, dest):
-            if segname != "__TEXT_EXEC":
-                return data
-
-            print(f"Patching segment {segname}...")
 
-            a = array.array("I", data)
-
-            output = []
-
-            p = 0
-            while (p := data.find(b"\x20\x00", p)) != -1:
-                if (p & 3) != 2:
-                    p += 1
-                    continue
-
-                opcode = a[p // 4]
-                inst = self.hvc((opcode & 0xffff))
-                off = fileoff + (p & ~3)
-                if off >= 0xbfcfc0:
-                    print(f"  0x{off:x}: 0x{opcode:04x} -> hvc 0x{opcode:x} (0x{inst:x})")
-                    a[p // 4] = inst
-                p += 4
-
-            print("Done.")
-            return a.tobytes()
-
-        #image = macho.prepare_image(load_hook)
-        image = macho.prepare_image()
+    def load_raw(self, image, entryoffset=0x800):
         sepfw_start, sepfw_length = self.u.adt["chosen"]["memory-map"].SEPFW
         tc_start, tc_size = self.u.adt["chosen"]["memory-map"].TrustCache
         if hasattr(self.u.adt["chosen"]["memory-map"], "preoslog"):
@@ -1571,8 +1528,8 @@ def load_hook(data, segname, size, fileoff, dest):
 
         print(f"Physical memory: 0x{phys_base:x} .. 0x{mem_top:x}")
         print(f"Guest region start: 0x{guest_base:x}")
-
-        self.entry = macho.entry - macho.vmin + guest_base
+        
+        self.entry = guest_base + entryoffset
 
         print(f"Mapping guest physical memory...")
         self.add_tracer(irange(self.ram_base, self.u.ba.phys_base - self.ram_base), "RAM-LOW", TraceMode.OFF)
@@ -1610,8 +1567,6 @@ def load_hook(data, segname, size, fileoff, dest):
         self.tba.devtree = self.adt_base - phys_base + self.tba.virt_base
         self.tba.top_of_kernel_data = guest_base + image_size
 
-        self.sym_offset = macho.vmin - guest_base + self.tba.phys_base - self.tba.virt_base
-
         self.iface.writemem(guest_base + self.bootargs_off, BootArgs.build(self.tba))
 
         print("Setting secondary CPU RVBARs...")
@@ -1621,6 +1576,55 @@ def load_hook(data, segname, size, fileoff, dest):
             print(f"  {cpu.name}: [0x{addr:x}] = 0x{rvbar:x}")
             self.p.write64(addr, rvbar)
 
+
+    def load_macho(self, data, symfile=None):
+        if isinstance(data, str):
+            data = open(data, "rb")
+
+        self.macho = macho = MachO(data)
+        if symfile is not None:
+            if isinstance(symfile, str):
+                symfile = open(symfile, "rb")
+            syms = MachO(symfile)
+            macho.add_symbols("com.apple.kernel", syms)
+            self.xnu_mode = True
+
+        self.symbol_dict = macho.symbols
+        self.symbols = [(v, k) for k, v in macho.symbols.items()]
+        self.symbols.sort()
+
+        def load_hook(data, segname, size, fileoff, dest):
+            if segname != "__TEXT_EXEC":
+                return data
+
+            print(f"Patching segment {segname}...")
+
+            a = array.array("I", data)
+
+            output = []
+
+            p = 0
+            while (p := data.find(b"\x20\x00", p)) != -1:
+                if (p & 3) != 2:
+                    p += 1
+                    continue
+
+                opcode = a[p // 4]
+                inst = self.hvc((opcode & 0xffff))
+                off = fileoff + (p & ~3)
+                if off >= 0xbfcfc0:
+                    print(f"  0x{off:x}: 0x{opcode:04x} -> hvc 0x{opcode:x} (0x{inst:x})")
+                    a[p // 4] = inst
+                p += 4
+
+            print("Done.")
+            return a.tobytes()
+
+        #image = macho.prepare_image(load_hook)
+        image = macho.prepare_image()
+        self.load_raw(image, entryoffset=(macho.entry - macho.vmin))
+
+
     def update_pac_mask(self):
         tcr = TCR(self.u.mrs(TCR_EL12))
         valid_bits = (1 << (64 - tcr.T1SZ)) - 1
diff --git a/proxyclient/tools/run_guest.py b/proxyclient/tools/run_guest.py
@@ -14,6 +14,7 @@
 parser.add_argument('-d', '--debug-xnu', action="store_true")
 parser.add_argument('-l', '--logfile', type=pathlib.Path)
 parser.add_argument('-C', '--cpus', default=None)
+parser.add_argument('-r', '--raw', action="store_true")
 parser.add_argument('payload', type=pathlib.Path)
 parser.add_argument('boot_args', default=[], nargs="*")
 args = parser.parse_args()
@@ -61,7 +62,10 @@
 symfile = None
 if args.symbols:
     symfile = args.symbols.open("rb")
-hv.load_macho(args.payload.open("rb"), symfile=symfile)
+if args.raw:
+    hv.load_raw(args.payload.read_bytes())
+else:
+    hv.load_macho(args.payload.open("rb"), symfile=symfile)
 
 PMU(u).reset_panic_counter()
 
