Remap tfp0 #6
Labels
enhancement
New feature or request
Milestone
Comments
|
Also, on why exactly is this needed and why we can't just use kernel_task directly -- see Siguza/hsp4 |
|
I have mapped tfp0 to hsp4 as of 5c4fdda, but it's not fully remapped |
|
@brycebearchell async_wake has "find_port" included :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
"safe" TFP0 isn't full, and only mach_vm APIs work on it.
Try calling mach_ports_lookup on it, for example. Device will panic.
Either make a proper copy, or better: remap it.
See hsp4/v0rtex by Siguza.
The problem with vm_remap APIs is that they don't recurse into submaps properly.
So you have to find zone_map which is a submap of kernel_map for remapping.
kernel_map can be found in kernel_task->vm_map. zone_map can be theoretically detected by walking maps from kernel_map and looking for map where, for example, previously leaked ports/tasks are. However, it's pretty trivial to find in kernel binary.
Also, you can't really call vm_remap -- only mach_vm_remap.
So, you have to create fake tasks with vm_map set to zone_map on first and zone_map or kernel_map on second, make fake ports for them, and call mach_vm_remap.
See coolstar/electra#22 for example.
The text was updated successfully, but these errors were encountered: