[80% Solved] Iris Xe iGPU on Tiger Lake successfully loaded ICLLP Frambuffer and VRAM also recognizes 1536MB! + However, some issues.

[Visual Ehrmanntraut]

we want devs not testers

[benmacfreak]

4 minutes ago, Visual Ehrmanntraut said:

we want devs not testers

well that's not me visual sorry, i can only test sorry bud..

[Visual Ehrmanntraut]

@jalavoui This is what I have so far for hwSetupDSBMemory.

Still working on finding out what I need to do afterwards (likely write this to a bunch of registers)

[Visual Ehrmanntraut]

Actually no, I think this is likely wrong. 

Edited September 11 by Visual Ehrmanntraut

[jalavoui]

uint32_t AppleIntelBaseController::hwSetupDSBMemory(class AppleIntelBaseController* this)
{
  
    //intel_dsb_prepare(state, crtc, INTEL_DSB_0, 1024);
    unsigned int size=DSB_BUF_SIZE;
    
    IOOptionBits options =
         kIODirectionInOut | kIOMemoryPhysicallyContiguous | kIOMapInhibitCache;
    
    mach_vm_address_t fDSBOffset = getMember<mach_vm_address_t>(this,  0xc50);//0x4180000
    
    IOMemoryDescriptor* ioMemory = IOMemoryDescriptor::withAddressRange(fDSBOffset, size, kIODirectionIn, NULL);
    
     IODMACommand *cmd = IODMACommand::withSpecification(
         kIODMACommandOutputHost64, 64, 0, IODMACommand::kMapped, 0, 1);
     cmd->setMemoryDescriptor(ioMemory);
     cmd->prepare();

     IODMACommand::Segment64 seg;
     UInt64 ofs = 0;
     UInt32 numSegs = 1;

     if (cmd->gen64IOVMSegments(&ofs, &seg, &numSegs) != kIOReturnSuccess) {
       cmd->complete();
       cmd->release();
       cmd = NULL;
         ioMemory->complete();
         ioMemory->release();
         ioMemory = NULL;
       return 1;
     }

 
    return 0;
}

i can't follow linux code but isnt this supposed tobe some dma allocation ?

this wont crash but doesnt seem todo nothing usefull. #define DSB_BUF_SIZE    (2 * PAGE_SIZE) so its someting small

Edited September 11 by jalavoui

[Visual Ehrmanntraut]

42 minutes ago, jalavoui said:

uint32_t AppleIntelBaseController::hwSetupDSBMemory(class AppleIntelBaseController* this)
{
  
    //intel_dsb_prepare(state, crtc, INTEL_DSB_0, 1024);
    unsigned int size=DSB_BUF_SIZE;
    
    IOOptionBits options =
         kIODirectionInOut | kIOMemoryPhysicallyContiguous | kIOMapInhibitCache;
    
    mach_vm_address_t fDSBOffset = getMember<mach_vm_address_t>(this,  0xc50);//0x4180000
    
    IOMemoryDescriptor* ioMemory = IOMemoryDescriptor::withAddressRange(fDSBOffset, size, kIODirectionIn, NULL);
    
     IODMACommand *cmd = IODMACommand::withSpecification(
         kIODMACommandOutputHost64, 64, 0, IODMACommand::kMapped, 0, 1);
     cmd->setMemoryDescriptor(ioMemory);
     cmd->prepare();

     IODMACommand::Segment64 seg;
     UInt64 ofs = 0;
     UInt32 numSegs = 1;

     if (cmd->gen64IOVMSegments(&ofs, &seg, &numSegs) != kIOReturnSuccess) {
       cmd->complete();
       cmd->release();
       cmd = NULL;
         ioMemory->complete();
         ioMemory->release();
         ioMemory = NULL;
       return 1;
     }

 
    return 0;
}

i can't follow linux code but isnt this supposed tobe some dma allocation ?

this wont crash but doesnt seem todo nothing usefull. #define DSB_BUF_SIZE    (2 * PAGE_SIZE) so its someting small

This ain't it chief

[jalavoui]

yeah i was having bad dreams

[Visual Ehrmanntraut]

#define DSB_SL_BASE(pipe, id) (0x70B00 + (pipe) * 0x1000 + (id) * 0x100)
#define REG_DSB_CHICKEN(pipe, id) (DSB_SL_BASE(pipe, id) + 0xF0)
#define DSB_CHICKEN_SKIP_WAITS_EN (1U << 23)
#define DSB_CHICKEN_CTRL_WAIT_SAFE_WINDOW (1U << 15)
#define DSB_CHICKEN_CTRL_NO_WAIT_VBLANK (1U << 14)
#define DSB_CHICKEN_INST_WAIT_SAFE_WINDOW (1U << 7)
#define DSB_CHICKEN_INST_NO_WAIT_VBLANK (1U << 6)

#define PIPE_COUNT 3
#define DSB_MAX 3

// Previous definition was uint64_t. This is insufficient storage, memory
// corruption was happening.
uint32_t[DSB_MAX] AppleIntelDisplayPath::DSBEngineBusyStatus = {0};

IOReturn AppleIntelFramebufferController::hwSetupDSBMemory() {
  bool fVRRSupport = getMember<bool>(this, 0x1B5A);

  uint32_t chickenBits = fVRRSupport ? DSB_CHICKEN_SKIP_WAITS_EN |
                                           DSB_CHICKEN_CTRL_WAIT_SAFE_WINDOW |
                                           DSB_CHICKEN_CTRL_NO_WAIT_VBLANK |
                                           DSB_CHICKEN_INST_WAIT_SAFE_WINDOW |
                                           DSB_CHICKEN_INST_NO_WAIT_VBLANK
                                     : DSB_CHICKEN_SKIP_WAITS_EN;

  for (uint32_t pipe = 0; pipe < PIPE_COUNT; pipe++) {
    for (uint32_t dsb = 0; dsb < DSB_MAX; dsb++) {
      WriteRegister32(REG_DSB_CHICKEN(pipe, dsb), chickenBits);
    }
  }

  return kIOReturnSuccess;
}

Maybe

Wait, typo

 

Now it should be fine @jalavoui

Edited September 11 by Visual Ehrmanntraut

[BitBass]

2 hours ago, Visual Ehrmanntraut said:

we want devs not testers

Alrighty then...go pound sand it is...

[Visual Ehrmanntraut]

The rest of the logic is already here. The DSB region is carved out from GTT by FBMemMgr_Init, the HEAD, TAIL and CONTROL is set by fireTxDSB and fireSDPDSB, etc.

[jalavoui]

allright so all can go test the code and report back

[Visual Ehrmanntraut]

Not 100% sure yet. Mostly because this is stuck in my head.

[Visual Ehrmanntraut]

@jalavoui
 

#define DSB_SL_BASE(pipe, id) (0x70B00 + (pipe) * 0x1000 + (id) * 0x100)
#define REG_DSB_CHICKEN(pipe, id) (DSB_SL_BASE(pipe, id) + 0xF0)
#define DSB_CHICKEN_SKIP_WAITS_EN (1U << 23)
#define DSB_CHICKEN_CTRL_WAIT_SAFE_WINDOW (1U << 15)
#define DSB_CHICKEN_CTRL_NO_WAIT_VBLANK (1U << 14)
#define DSB_CHICKEN_INST_WAIT_SAFE_WINDOW (1U << 7)
#define DSB_CHICKEN_INST_NO_WAIT_VBLANK (1U << 6)

#define PIPE_COUNT 3
#define DSB_MAX 3

// Previous definition was uint64_t. This is insufficient storage, memory
// corruption was happening.
uint32_t[DSB_MAX] AppleIntelDisplayPath::DSBEngineBusyStatus = {0};

IOReturn AppleIntelFramebufferController::hwSetupDSBMemory() {
  // Allocate DSB DMA buffer
  IOBufferMemoryDescriptor *&fDSBMemBuf =
      getMember<IOBufferMemoryDescriptor *>(this, 0xCD8);
  if (fDSBMemBuf != nullptr) {
    return kIOReturnSuccess;
  }

  uint32_t fDSBSize = getMember<uint32_t>(this, 0xDCC);
  fDSBMemBuf = IOBufferMemoryDescriptor::withOptions(
      kIOMemoryPhysicallyContiguous | kIOMemoryHostPhysicallyContiguous,
      fDSBSize, page_size);
  if (fDSBMemBuf == nullptr) {
    return kIOReturnNoMemory;
  }

  // Program GTT entries
  if (fDSBSize != 0) {
    uint32_t fIOMemOptions = getMember<uint32_t>(this, 0xCF0);
    uint64_t dsbPhysAddr =
        fDSBMemBuf->getPhysicalSegment(0, nullptr, fIOMemOptions);

    uint64_t fDSBOff = getMember<uint64_t>(this, 0xC50);
    void volatile *fGttMmio = getMember<void volatile *>(this, 0xCA0);

    for (uint64_t offset = 0; offset < fDSBSize; offset += page_size) {
      WriteRegister64(fGttMmio, (offset + fDSBOff) >> 9ULL,
                      ((dsbPhysAddr + offset) & 0x7ffffff000) | 7);
    }
  }

  // Program chicken bits
  bool fVRRSupport = getMember<bool>(this, 0x1B5A);
  uint32_t chickenBits = fVRRSupport ? DSB_CHICKEN_SKIP_WAITS_EN |
                                           DSB_CHICKEN_CTRL_WAIT_SAFE_WINDOW |
                                           DSB_CHICKEN_CTRL_NO_WAIT_VBLANK |
                                           DSB_CHICKEN_INST_WAIT_SAFE_WINDOW |
                                           DSB_CHICKEN_INST_NO_WAIT_VBLANK
                                     : DSB_CHICKEN_SKIP_WAITS_EN;

  for (uint32_t pipe = 0; pipe < PIPE_COUNT; pipe++) {
    for (uint32_t dsb = 0; dsb < DSB_MAX; dsb++) {
      WriteRegister32(REG_DSB_CHICKEN(pipe, dsb), chickenBits);
    }
  }

  return kIOReturnSuccess;
}

 

Edited September 11 by Visual Ehrmanntraut

[jalavoui]

looks a bit more in logic with linux gtt pin map but idk and i hated that linux code 

 

disabling almost all except my portprobe patch gave a kp at usual spot. but that was b4 your gtt pin patch

this is internal tgl frameb not production

 

 

in ghidra a bit easier to check next allocation

 

 

here the offsets - but theyre wrong in ghidra pseudocode

 

 

i can't find the offset youre using for

IOBufferMemoryDescriptor *&fDSBMemBuf = getMember<IOBufferMemoryDescriptor *>(this, 0xCD8);

 

 

Edited September 11 by jalavoui

[Visual Ehrmanntraut]

Please just add the new code into the working code

[Visual Ehrmanntraut]

and remove those cursed bounds checks because the panic is likely coming from there

Edited September 11 by Visual Ehrmanntraut

[jalavoui]

right nvm for the offsets can check later. i've added

extern "C" uint32_t AppleIntelDisplayPath::DSBEngineBusyStatus[DSB_MAX]={0};

 

cause

uint32_t[DSB_MAX] AppleIntelDisplayPath::DSBEngineBusyStatus = {0};

trows a error

 

rest of the code is similiar

 

i think this part of code might be overwritten 

 

uint32_t fDSBSize = getMember<uint32_t>(this, 0xDCC);

      fDSBMemBuf = IOBufferMemoryDescriptor::withOptions(

          kIOMemoryPhysicallyContiguous | kIOMemoryHostPhysicallyContiguous,

          fDSBSize, page_size);

      if (fDSBMemBuf == nullptr) {

        return kIOReturnNoMemory;

      }

 

by this

dam pseudo code ghidra offsets. here are the correct

not the same you used so should be fine (maybe)

 

Edited September 11 by jalavoui

[Visual Ehrmanntraut]

Obviously I checked everything I wrote here. I just put the array syntax in the wrong place because I get confused with other languages like Rust sometimes.

[jalavoui]

panic during start. do you have a opinion for icl code ?

 

undefined4 __thiscall
AppleIntelBaseController::ReadRegister32(AppleIntelBaseController *this,ulong param_1)

{
  char cVar1;
  undefined8 uVar2;
  undefined8 uVar3;
  char *pcVar4;
  undefined8 in_stack_ffffffffffffffd8;
  undefined4 uVar5;
  
  uVar5 = (undefined4)((ulong)in_stack_ffffffffffffffd8 >> 0x20);
  _DAT_001934b8 = _DAT_001934b8 + 1;
  if ((*(byte *)(*(long *)&(this->m_AppleIntelBaseController).field_0xce0 + 0xb2) & 1) != 0) {
    _DAT_001934c8 = _DAT_001934c8 + 1;
    if (param_1 < 0x2000) {
      _DAT_001934d0 = _DAT_001934d0 + 1;
    }
    else {
      _DAT_001934d8 = _DAT_001934d8 + 1;
      if ((param_1 < 0x40000) ||
         ((_DAT_001934d0 = _DAT_001934d0 + 1, 0x1bffff < param_1 &&
          (_DAT_001934e0 = _DAT_001934e0 + 1, param_1 < 0x240000)))) {
        _DAT_001934c0 = _DAT_001934c0 + 1;
        cVar1 = _IntelLogEnabled(2,0xf);
        if (cVar1 == '\0') {
          return 0;
        }
        _DAT_001934f0 = _DAT_001934f0 + 1;
        pcVar4 = "0x%lx MMIO dropped for 2D only part\n";
        uVar2 = 0x4c3;
        uVar3 = 2;
        goto LAB_0006ab99;
      }
    }
  }
  if (param_1 < *(int *)&(this->m_AppleIntelBaseController).field_0xc20 - 4) {
    _DAT_001934b0 = _DAT_001934b0 + 1;
    return *(undefined4 *)(*(long *)&(this->m_AppleIntelBaseController).field_0x9b0 + param_1);
  }
  _DAT_001934f8 = _DAT_001934f8 + 1;
  cVar1 = _IntelLogEnabled(1,0xf);
  if (cVar1 == '\0') {
    return 0;
  }
  _DAT_00193508 = _DAT_00193508 + 1;
  param_1 = CONCAT44(uVar5,(int)param_1);
  pcVar4 = "Invalid register access at offset = %x. Returning without register access\n";
  uVar2 = 0x4ce;
  uVar3 = 1;
LAB_0006ab99:
  _IntelLog(uVar3,0xf,
            "/Library/Caches/com.apple.xbs/Sources/GPUDriversIntel/GPUDriversIntel-16.0.32/IONDRV/IC LLP/AppleIntelFramebuffer/AppleIntelController.cpp"
            ,uVar2,"ReadRegister32",pcVar4,param_1);
  return 0;
}

this doesnt exist in hookcase.

 

gonna check the new panic i got at star()

 

fixed by reverteding code tobe close to your sources but the same kp as posted above at depthfromattribute().

gonna upload sources as nblue is using only 3 patches

 

 

 

and the bins

 

 

 

this is funny if i use nblue patch for depthfromattribute() i end up where i started b4 reverting previous code

here's the kp

 

 

not that i wanna do a tutorial on bypassing kp but if you guys grab the source code and build nblue with this line enabled

{"__ZN31AppleIntelRegisterAccessManager14ReadRegister32Em",raReadRegister32,this->oraReadRegister32}

you pass previous kp will get a kp here

 

 

allright time to let others think about it

this is the way to make the driver produce something we can use to fix it

Edited September 12 by jalavoui

[Craig Hazan]

This is fascinating to follow guys, thanks for sharing your love of code.

[Visual Ehrmanntraut]

11 minutes ago, Craig Hazan said:

This is fascinating to follow guys, thanks for sharing your love of code.

Programming is life!
but also death.

[jalavoui]

hmmm theory

 

[Visual Ehrmanntraut]

5 minutes ago, jalavoui said:

hmmm theory

 

[ArtikDiamond]

6 hours ago, BitBass said:

Alrighty then...go pound sand it is...

Wait a second! Me and some other people managed to boot, install and use macOS normally, you should try too

[jkbuha]

Latest kext hangs just before second boot, as expected I guess...

 

 

Another suggestion: I'm not sure if it's helpful to the devs. With Whatevergreen, I run my Alderlake Ventura setup through an eGPU with an external monitor connected (with full acceleration, etc.), and the LVDS just remains static on the first boot screen or deactivated via FN+F8 on pre-boot. Through this setup, is it possible to include the necessary functionality in the TGL driver to boot the iGPU in basic/vesa (or even text) mode so all the debugging/dumping of the driver can be run off the eGPU device?

 

Edited September 12 by jkbuha