Jump to content

Clover General discussion


ErmaC
30,171 posts in this topic

Recommended Posts

I have 2 systems with HD 3000 and my experience is that glitches and/or gfx artifacts (random black lines/spots etc) can be caused by an improper EDID - or conversely fixed by an alternate/proper EDID. without going into detail, besides EDID there are other causes of glitches and there are plenty of other threads that discuss this topic.

 

Been there, done that.

 

I extracted my EDID from linux and injected it in Clover and faked the display ID to match the Color LCD of the Macbook (610 9cf2) and love the Color profile. The default is too cool (bluish)  for my taste.

 

I still get some glitches with the EDID injection.

Link to comment
Share on other sites

I'm not sure it makes much sense. It alone is not going to protect from the vulnerability, because the problem is in the actual silicon of the chip, so the memory map can be side-channeled through speculation. The memory map needs to be separated from any other memory map if you want to not have this vulnerability.

 

So you would say patching the microcode alone is useless? I was under the impression that it would be better than nothing. At least its the code that runs directly on the CPU, so it should help at least a bit. Of course since  this bug is deeply rooted in the hardware and cannot be really fixed, the only solution is to redesign the chips itself. But that could take quite some time, so ANY mitigation in the meantime would be welcome. I think I understand at least a bit how the exploit works, and I would say it is one of the worst things I ever saw.

Link to comment
Share on other sites

So you would say patching the microcode alone is useless? I was under the impression that it would be better than nothing. At least its the code that runs directly on the CPU, so it should help at least a bit. Of course since  this bug is deeply rooted in the hardware and cannot be really fixed, the only solution is to redesign the chips itself. But that could take quite some time, so ANY mitigation in the meantime would be welcome. I think I understand at least a bit how the exploit works, and I would say it is one of the worst things I ever saw.

 

I would say that most likely it's just adding additional instructions to CPUs like PCIDs or something similar to make the performance hit less. The problem lies in the architecture, in the pipeline of the cpu, even the microcode has to be executed in the pipeline - everything does. The vulnerability is that the pipeline tries to make predictions based on speculation of previous instructions, it however does not verify the privilege domain and can be allowed to execute instructions from say the user domain in the kernel domain, etc. This even allows a virtual machine to attack the host machine.... Search google for "cache side-channel attack".

 

I really have enough now of High Sierra. So much software is buggy, laggy, unstable now. nvidia graphics driver behaviour is weird. Maybe I'll try the new security patch if the recent nvidia arrives. But I think that it will be the same. So going back to a solid and stable 10.12.6 pre-spectre.

 

I think it will stabilize out but truthfully why would you go back to a state that has a known vulnerability that could be exploited?

 

Usually got kernelcache erros with new aptiofix 2 using clover 4369. Had to boot twice at minimum for system to go forward.

 

Select a slide value.

Link to comment
Share on other sites

Been there, done that.

 

I extracted my EDID from linux and injected it in Clover and faked the display ID to match the Color LCD of the Macbook (610 9cf2) and love the Color profile. The default is too cool (bluish)  for my taste.

 

I still get some glitches with the EDID injection.

 

i did the same thing for the color profile. different topic.  but it sounds like means you injected/used the same built-in EDID from the LCD that macOS finds. i am talking about replacing the built-in EDID with a modified EDID. can be done with DSDT and/or Clover. That is a use a EDID with different timings, blanking time, spacing etc. the standard LCD edid glitches like crazy and eventually get total gfx freeze (BRSNC in log etc). my guide for Lenovo T420 has examples. I also use EDID with just RGB mode so now I don't get acid wash color flicker on certain apps - was getting that using LCD+External. (thanks vusun).

 

High Sierra does seem more prone to HD 3000 gfx issues -  as i ran artifact free fro about 3 or 4 years on 10.10, 10.11 and 10.12 without issue. but all of sudden High Sierra has issues?! For example, I was using EDID injection on my mini-mac5 hack for years now by adding AAPL00,override-no-connect "trick" for headless boot - but had to remove that otherwise i get wicked artifacts. oh well.

  • Like 1
Link to comment
Share on other sites

I would say that most likely it's just adding additional instructions to CPUs like PCIDs or something similar to make the performance hit less. The problem lies in the architecture, in the pipeline of the cpu, even the microcode has to be executed in the pipeline - everything does. The vulnerability is that the pipeline tries to make predictions based on speculation of previous instructions, it however does not verify the privilege domain and can be allowed to execute instructions from say the user domain in the kernel domain, etc. This even allows a virtual machine to attack the host machine.... Search google for "cache side-channel attack".

 

 

I think it will stabilize out but truthfully why would you go back to a state that has a known vulnerability that could be exploited?

 

 

Select a slide value.

Not working, same behaviour. Replaced osxaptiofix2drv from Clover r4334. All good!

Link to comment
Share on other sites

i did the same thing for the color profile. different topic.  but it sounds like means you injected/used the same built-in EDID from the LCD that macOS finds. i am talking about replacing the built-in EDID with a modified EDID. can be done with DSDT and/or Clover. That is a use a EDID with different timings, blanking time, spacing etc. the standard LCD edid glitches like crazy and eventually get total gfx freeze (BRSNC in log etc). my guide for Lenovo T420 has examples. I also use EDID with just RGB mode so now I don't get acid wash color flicker on certain apps - was getting that using LCD+External. (thanks vusun).

 

High Sierra does seem more prone to HD 3000 gfx issues -  as i ran artifact free fro about 3 or 4 years on 10.10, 10.11 and 10.12 without issue. but all of sudden High Sierra has issues?! For example, I was using EDID injection on my mini-mac5 hack for years now by adding AAPL00,override-no-connect "trick" for headless boot - but had to remove that otherwise i get wicked artifacts. oh well.

 

Where can I learn to make those edits? I made a dump from linux of my EDID but I don't know how to patch it. I know how to inject it with clover, tho.

Link to comment
Share on other sites

in my case if I use osxaptiofix2drv with slide=0 .. show does print work

without slide=0 .. boot normal and can reach the desktop

 

so the question is without slide=0 is no problem or we still use slide=XXX ?

 

edited: Sorry I can boot with slide=128

 

thanks all to dev You're fantastic :thumbsup_anim:

  • Like 1
Link to comment
Share on other sites

You must use old AptioFix or AptioFix2 pre r4369 for anything older than ML.

 

EDIT: Also just don't use AptioFix after r4369 at all. It will produce side effects.

 

i checked side effect.

new aptiofix has lang issue on osx. shown eng+kor combination.

now i return back old aptiofix to boot both SL and HS

 

thanks

Link to comment
Share on other sites

i wonder one.

if we set lang in config without emul, always shown lang set window.

 

 

SherlocksuiMBP2:~ sherlocks$ nvram -p

fakesmc-key-MSWr-ui8 %00

fakesmc-key-RPlt-ch8* j130%00%00%00%00

fakesmc-key-RBr -ch8* 2016mb%00%00

EFILoginHiDPI %00%00%00%00

fakesmc-key-#KEY-ui32 %00%00%00%11

SystemAudioVolumeDB %de

fakesmc-key-BATP-flag %00

fakesmc-key-MSTc-ui8 %00

fakesmc-key-BNum-ui8 %01

security-mode none

csr-active-config w%00%00%00

fakesmc-key-$Num-ui8 %01

fakesmc-key-MSFW-ui8 %01%00

fakesmc-key-REV -ch8* %026%0f%00%00%97

fakesmc-key-MSPS-ui16 %00%03

fmm-computer-name Sherlocks%ec%9d%98 MacBook Pro (2)

backlight-level i%05

bootercfg (%00

fakesmc-key-$Adr-ui32 %00%00%03%00

fakesmc-key-EPCI-ui32 %09 %f0%00

bluetoothActiveControllerInfo z%e0%89%04%00%00%00%000%14%ac%d1%b8%e2%a4%d0

fakesmc-key-MSAc-ui16 %00%00

boot-args

SystemAudioVolume (

fakesmc-key-RMde-char A

fakesmc-key-BBIN-ui8 %01

flagstate %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

specialbootdevice %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%00%17%03%12%0a%00%01%00%00%00%00%00%04%01*%00%02%00%00%00%00H%06%00%00%00%00%00%00(*%08%00%00%00%00%8f%0a5%8c%c6P%e6C%ad%a6^%16p%d2e%d9%02%02%04%03$%00%f7%fct%be|%0b%f3I%91G%01%f4%04.hB%bd%d2_[%80%18%0e6%8a%cd%f1%f1_%b8%9c%b7%7f%ff%04%00

 

fakesmc-key-BEMB-flag %01

 

 

i can't see prev-lang:kbd part. if i use emul, system set i want to lang.

 

because of this part?

https://sourceforge.net/p/cloverefiboot/code/HEAD/tree/rEFIt_UEFI/Platform/DataHubCpu.c#l212

 

can we consider it?

 

thanks in advance.

 

EDIT1

seems that it causes lang complex(kor+eng) like this.

post-980913-0-09787000-1515556560_thumb.png

i first see this issue since new aptiov2 without emul

 

EDIT2

new aptiov2 + emul

 

 

SherlocksuiMBP2:~ sherlocks$ nvram -p

fakesmc-key-BEMB-flag %01

fakesmc-key-RPlt-ch8* j130%00%00%00%00

fakesmc-key-RBr -ch8* 2016mb%00%00

EFILoginHiDPI %00%00%00%00

fakesmc-key-#KEY-ui32 %00%00%00%11

SystemAudioVolumeDB %de

fakesmc-key-BATP-flag %00

EmuVariableUefiPresent Yes

fakesmc-key-MSTc-ui8 %00

prev-lang:kbd ko:0

fakesmc-key-BNum-ui8 %01

security-mode none

csr-active-config w%00%00%00

fakesmc-key-$Num-ui8 %01

fakesmc-key-MSFW-ui8 %01%00

fakesmc-key-REV -ch8* %026%0f%00%00%97

fakesmc-key-MSPS-ui16 %00%03

fmm-computer-name Sherlocks%ec%9d%98 MacBook Pro (2)

backlight-level i%05

bootercfg (%00

fakesmc-key-$Adr-ui32 %00%00%03%00

fakesmc-key-EPCI-ui32 %09 %f0%00

bluetoothActiveControllerInfo z%e0%89%04%00%00%00%000%14%ac%d1%b8%e2%a4%d0

fakesmc-key-MSAc-ui16 %00%00

boot-args

SystemAudioVolume (

fakesmc-key-RMde-char A

fakesmc-key-BBIN-ui8 %01

specialbootdevice %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%00%17%03%12%0a%00%01%00%00%00%00%00%04%01*%00%02%00%00%00%00H%06%00%00%00%00%00%00(*%08%00%00%00%00%8f%0a5%8c%c6P%e6C%ad%a6^%16p%d2e%d9%02%02%04%03$%00%f7%fct%be|%0b%f3I%91G%01%f4%04.hB%bd%d2_[%80%18%0e6%8a%cd%f1%f1_%b8%9c%b7%7f%ff%04%00

flagstate %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

 

fakesmc-key-MSWr-ui8 %00

 

 

i see prev-lang:kbd ko:0 in nvram

but still

post-980913-0-60167100-1515557218_thumb.png

 

EDIT3

post-980913-0-36999600-1515558281_thumb.png

i have to lang reset from setting after update macos10.13.3 beta4 with aptiov2 except emul

1. go setting and lang

2. add english

3. select kor lang(already exist) and remove english lang.

4. reboot

5. get full kor lang on osx

 

there is no problem of lang on this combination before.

old aptiov2+osxemuvaribalesuefi.efi

 

i'm still suspecting this part.

https://sourceforge.net/p/cloverefiboot/code/HEAD/tree/rEFIt_UEFI/Platform/DataHubCpu.c#l212

Link to comment
Share on other sites

@stinga11

From clover bootmenu

Shell icon

Thanks for answering. I understand what needs to be done but I do not know how to enter to the clover shell.

Link to comment
Share on other sites

About spectre / meltdown slowdown:

https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

 

Properly benchmarked. It means that all syscalls will be drastically slower, so assumingly audio i/o, disk i/o, memory allocation?. The speed will be even more reduced with 10.13.3, since it contains more security mechanisms. I hope they will continue to trying to find faster ways, but i doubt that, because they already developed for the last 6 months or so.

 

I am still not entirely sure, why it seens to be not enough to simply patch the outside communicating apps like browser, email, etc.

 

Please notice that running geekbench is not an accurate measuring for this problem.

Link to comment
Share on other sites

Yeah, it's not persistent unless it's flashed with the firmware. ...

 

 

It alone is not going to protect from the vulnerability, because the problem is in the actual silicon of the chip, so the memory map can be side-channeled through speculation. The memory map needs to be separated from any other memory map if you want to not have this vulnerability.

"Cache me outside, how 'bout dat?"  :wink_anim: 

 

Thanks for all your great work Apianti, Slice, Vit, RM, RHM, DFritz, CCPW, et al.

 

Now, about plug and play Thunderbolt...?

  • Like 1
Link to comment
Share on other sites

Hey guys, is there a standard way to pass arguments to the binary of a macos kext? Or a standard section for that in the info.plist of the kext?

There are several ways. All of them "standard".

Constant parameters written into info.plist IOKitPersonality section. See hundreds macOS examples.

Tunable parameters can be passed through DeviceTree. This is the way TouchPad get options from PrefPane.

DynamicParameters can be passed changed by IOUserClient interface. (RadeonDump for example).

As well it can be shared memory access (VoodooHDA PrefPane).

Moreover it can be SMC exchange, Apple's way.

Or other methods...

 

Now, about plug and play Thunderbolt...?

IOPCIFamily.kext assumes fixed PCIe configuration while Thunderbolt devices assumed to be PCIe devices.

  • Like 1
Link to comment
Share on other sites

There are several ways. All of them "standard".

Constant parameters written into info.plist IOKitPersonality section. See hundreds macOS examples.

Tunable parameters can be passed through DeviceTree. This is the way TouchPad get options from PrefPane.

DynamicParameters can be passed changed by IOUserClient interface. (RadeonDump for example).

As well it can be shared memory access (VoodooHDA <-> PrefPane).

Moreover it can be SMC exchange, Apple's way.

Or other methods...

 

Thanks a lot for that info!  I was referring to these findings in NVDAResmanWeb.kext. What would you assume is the correct way to pass these arguments to that kext?

Link to comment
Share on other sites

 

Ha, I know why!

 

On your config.plist you have to set Scan > tool  to true:

<key>Scan</key>
		<dict>
			<key>Entries</key>
			<true/>
			<key>Legacy</key>
			<true/>
			<key>Linux</key>
			<false/>
			<key>Tool</key>
			<true/>
		</dict>
  • Like 1
Link to comment
Share on other sites

 

Ha, I know why!

 

On your config.plist you have to set Scan > tool  to true:

<key>Scan</key>
		<dict>
			<key>Entries</key>
			<true/>
			<key>Legacy</key>
			<true/>
			<key>Linux</key>
			<false/>
			<key>Tool</key>
			<true/>
		</dict>

Thank you, that was it. I never could have guessed.

 

EDIT : My available available region is: 0000000100000000 (00000000) I guess I do not need any slide value.

  • Like 1
Link to comment
Share on other sites

i wonder one.

if we set lang in config without emul, always shown lang set window.

 

 

SherlocksuiMBP2:~ sherlocks$ nvram -p

fakesmc-key-MSWr-ui8 %00

fakesmc-key-RPlt-ch8* j130%00%00%00%00

fakesmc-key-RBr -ch8* 2016mb%00%00

EFILoginHiDPI %00%00%00%00

fakesmc-key-#KEY-ui32 %00%00%00%11

SystemAudioVolumeDB %de

fakesmc-key-BATP-flag %00

fakesmc-key-MSTc-ui8 %00

fakesmc-key-BNum-ui8 %01

security-mode none

csr-active-config w%00%00%00

fakesmc-key-$Num-ui8 %01

fakesmc-key-MSFW-ui8 %01%00

fakesmc-key-REV -ch8* %026%0f%00%00%97

fakesmc-key-MSPS-ui16 %00%03

fmm-computer-name Sherlocks%ec%9d%98 MacBook Pro (2)

backlight-level i%05

bootercfg (%00

fakesmc-key-$Adr-ui32 %00%00%03%00

fakesmc-key-EPCI-ui32 %09 %f0%00

bluetoothActiveControllerInfo z%e0%89%04%00%00%00%000%14%ac%d1%b8%e2%a4%d0

fakesmc-key-MSAc-ui16 %00%00

boot-args

SystemAudioVolume (

fakesmc-key-RMde-char A

fakesmc-key-BBIN-ui8 %01

flagstate %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

specialbootdevice %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%00%17%03%12%0a%00%01%00%00%00%00%00%04%01*%00%02%00%00%00%00H%06%00%00%00%00%00%00(*%08%00%00%00%00%8f%0a5%8c%c6P%e6C%ad%a6^%16p%d2e%d9%02%02%04%03$%00%f7%fct%be|%0b%f3I%91G%01%f4%04.hB%bd%d2_[%80%18%0e6%8a%cd%f1%f1_%b8%9c%b7%7f%ff%04%00

 

fakesmc-key-BEMB-flag %01

 

 

i can't see prev-lang:kbd part. if i use emul, system set i want to lang.

 

because of this part?

https://sourceforge.net/p/cloverefiboot/code/HEAD/tree/rEFIt_UEFI/Platform/DataHubCpu.c#l212

 

can we consider it?

 

thanks in advance.

 

EDIT1

seems that it causes lang complex(kor+eng) like this.

i first see this issue since new aptiov2 without emul

 

EDIT2

new aptiov2 + emul

 

 

SherlocksuiMBP2:~ sherlocks$ nvram -p

fakesmc-key-BEMB-flag %01

fakesmc-key-RPlt-ch8* j130%00%00%00%00

fakesmc-key-RBr -ch8* 2016mb%00%00

EFILoginHiDPI %00%00%00%00

fakesmc-key-#KEY-ui32 %00%00%00%11

SystemAudioVolumeDB %de

fakesmc-key-BATP-flag %00

EmuVariableUefiPresent Yes

fakesmc-key-MSTc-ui8 %00

prev-lang:kbd ko:0

fakesmc-key-BNum-ui8 %01

security-mode none

csr-active-config w%00%00%00

fakesmc-key-$Num-ui8 %01

fakesmc-key-MSFW-ui8 %01%00

fakesmc-key-REV -ch8* %026%0f%00%00%97

fakesmc-key-MSPS-ui16 %00%03

fmm-computer-name Sherlocks%ec%9d%98 MacBook Pro (2)

backlight-level i%05

bootercfg (%00

fakesmc-key-$Adr-ui32 %00%00%03%00

fakesmc-key-EPCI-ui32 %09 %f0%00

bluetoothActiveControllerInfo z%e0%89%04%00%00%00%000%14%ac%d1%b8%e2%a4%d0

fakesmc-key-MSAc-ui16 %00%00

boot-args

SystemAudioVolume (

fakesmc-key-RMde-char A

fakesmc-key-BBIN-ui8 %01

specialbootdevice %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%00%17%03%12%0a%00%01%00%00%00%00%00%04%01*%00%02%00%00%00%00H%06%00%00%00%00%00%00(*%08%00%00%00%00%8f%0a5%8c%c6P%e6C%ad%a6^%16p%d2e%d9%02%02%04%03$%00%f7%fct%be|%0b%f3I%91G%01%f4%04.hB%bd%d2_[%80%18%0e6%8a%cd%f1%f1_%b8%9c%b7%7f%ff%04%00

flagstate %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00

 

fakesmc-key-MSWr-ui8 %00

 

 

i see prev-lang:kbd ko:0 in nvram

but still

 

EDIT3

i have to lang reset from setting after update macos10.13.3 beta4 with aptiov2 except emul

1. go setting and lang

2. add english

3. select kor lang(already exist) and remove english lang.

4. reboot

5. get full kor lang on osx

 

there is no problem of lang on this combination before.

old aptiov2+osxemuvaribalesuefi.efi

 

i'm still suspecting this part.

https://sourceforge.net/p/cloverefiboot/code/HEAD/tree/rEFIt_UEFI/Platform/DataHubCpu.c#l212

 

Well, when you installed and had emulated NVRAM you selected some value, remember? When you stopped emulating NVRAM that value was left in nvram.plist somewhere, different value was written from clover if you set language key, and if you set ":0" after that means US ANSI keyboard, I believe. So it makes sense you would need to go in and set the correct language and keyboard settings again, since they were kinda removed from your NVRAM by side effect of the switch back to native from emulated. Read like three lines below where you linked in the source.

 

About spectre / meltdown slowdown:

https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

 

Properly benchmarked. It means that all syscalls will be drastically slower, so assumingly audio i/o, disk i/o, memory allocation?. The speed will be even more reduced with 10.13.3, since it contains more security mechanisms. I hope they will continue to trying to find faster ways, but i doubt that, because they already developed for the last 6 months or so.

 

I am still not entirely sure, why it seens to be not enough to simply patch the outside communicating apps like browser, email, etc.

 

Please notice that running geekbench is not an accurate measuring for this problem.

 

Because what app doesn't communicate with icloud now or some other apple service? Their newest FIRMWARE for the iMacPro will require internet... I think that the entirety of the operating systems developer community and the chip engineers who have discussed the best way to solve this have probably come up with the best solution, separating the memory spaces so that they cannot be attacked. They will develop ways to make system calls less frequently and overall you are probably not even really going to notice anything once it settles down. Don't forget that software has a life cycle and macOS is currently going through a redesign phase anyway so it is kinda good that it happens during now, their next release will most likely be very excellent.

 

"Cache me outside, how 'bout dat?"  :wink_anim:

 

So dumb... lol.  :no:

 

Thanks for all your great work Apianti, Slice, Vit, RM, RHM, DFritz, CCPW, et al.

 

Now, about plug and play Thunderbolt...?

 

What about it? I mean like is it a thing? Or does it work? Or what? I mean that's not very specific....

 

Thank you, that was it. I never could have guessed.

 

What did you think the tool scan did then?

 

EDIT : My available available region is: 0000000100000000 (00000000) I guess I do not need any slide value.

 

That is not a valid region because it is above the 4GB barrier that a 32bit address can represent. You need to find a region in the range 0x100000 to 0x20200000.

  • Like 2
Link to comment
Share on other sites

Well, when you installed and had emulated NVRAM you selected some value, remember? When you stopped emulating NVRAM that value was left in nvram.plist somewhere, different value was written from clover if you set language key, and if you set ":0" after that means US ANSI keyboard, I believe. So it makes sense you would need to go in and set the correct language and keyboard settings again, since they were kinda removed from your NVRAM by side effect of the switch back to native from emulated. Read like three lines below where you linked in the source.

 

you are right.
i just confirmed it. if i remove EmuVariableUefi-64.efi
there is no prev-lang:kbd key in nvram.
before i update beta4, i removed EmuVariableUefi-64.efi and nvram.plist to surely check where is problem.
 
and default kor lang before update beta4. when updating beta4, i saw english word example "install 14 minutes left".
after finished beta4, then booted, i just saw eng+kor combination of system part. example reboot dialog above pic.
 
when used EmuVariableUefi-64.efi, always correct lang shown example "설치 14분 남았습니다"
after finished beta4, then booted, i saw correct kor lang of system part without eng.
 
i used this combination of EmuVariableUefi-64.efi+old aptioV2 long time.
now, i returned old aptioV2 to avoid this issue after update lang issue. also i didn't notice keyboard problem that you mentioned keyboard. i just checked lang part.

<key>Language</key>

<string>ko:0</string>

 
thanks
 
EDIT1
this issue happen new aptiov1 and aptiv2.
i tested skylake laptop and sandy laptop.
Link to comment
Share on other sites

×
×
  • Create New...