amw has joined #asahi-re
<amw> roxfan: Thanks - uninstalling the Debian python3-construct and using pip3 install construct worked
<amw> Now the machodump.py script runs fine... - the standard Debian packages don't work and the git clone didn't seem to either...
Tokamak has joined #asahi-re
<amw> marcan: Just added some documentation to the RE page on extracting from the kernel.release.t8020 file - please check if ok
<amw> I just guessed the offset into the file used based on how you choose your offset :-)
amw has quit [Ping timeout: 240 seconds]
PhilippvK_ has joined #asahi-re
PhilippvK has quit [Ping timeout: 264 seconds]
<davidrysk[m]> amw: note that t8020 is for the DTK and t8101 is for the M1 Mac. Also you can use otool -xV if you have the Apple cctools
amw has joined #asahi-re
Tokamak_ has joined #asahi-re
Tokamak has quit [Ping timeout: 246 seconds]
<amw> davidrysk: Thanks - that's much easier and allows me to verify my decode
<amw> I presume that dtk means "development transition kit" binary - I didn't even know they shipped multiple kernels on the MacBookAir
<amw> Jan: I guess that's the hardware davidrysk was saying the .t8020 is, which I used in my example on the wiki
<Jan[m]1> it may be not for MBA but mini A12
<Jan[m]1> don't know if that makes a difference though
<davidrysk[m]> DTK does mean developer transition kit (since it's A12)
<davidrysk[m]> (t8020 is A12)
<davidrysk[m]> (t8101 is A14, t8103 is M1)
<amw> That's interesting as my MacBookAir has only t8101 and t8020 files in /System/Library/Kernels
<amw> But my MBA is an M1 based one?
<davidrysk[m]> t8101 and t8103 are similar enough
<davidrysk[m]> so they just call the kernel .t8101 for M1
<davidrysk[m]> t8020 is definitely not M1
<amw> davidrysk: ok - There is a third file 16M long called plain "kernel" ?
<amw> I don't know how to tell which file is actually running on a Mac - no /proc on Macs :-(
<davidrysk[m]> that's probably intel
<marcan> the kernel supports both t8101 and t8103
<davidrysk[m]> `file` command says that the plain kernel file is intel
Tokamak_ has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<amw> Yep - you're right and otool shows Intel instructions
TheJollyRoger has joined #asahi-re
kit_ty_kate has quit [Ping timeout: 272 seconds]
amw has quit [Ping timeout: 240 seconds]
amw has joined #asahi-re
amw has quit [Ping timeout: 246 seconds]
<roxfan2> iirc there's kmutil(?) which can show some info about currently used kernel
roxfan2 is now known as roxfan
Tokamak has joined #asahi-re
Tokamak has quit [Ping timeout: 264 seconds]
Tokamak has joined #asahi-re
Tokamak has quit [Ping timeout: 246 seconds]
<davidrysk[m]> marcan: looking at the symbols in these binaries it boggles me that they're doing this
<davidrysk[m]> what's in here: start.o, pinst.o, pmap.o, pcb.o, locore.o, gxf_exceptions.o, machine_routines_asm.o, machine_routines_apple.o, machine_routines_sprr.o, sart.o, t8020dart.o, nvmeppl.o, uat.o, uat_ppl_handoff.o, IOUnifiedAddressTranslator.cpo
<marcan> yeah, I know
<marcan> it's crazy
<davidrysk[m]> someone should file a rdar
TheJollyRoger has quit [Ping timeout: 268 seconds]
TheJollyRoger has joined #asahi-re
<Bluerise> marcan: hm, where's that xnu dump?
<Bluerise> ah, tarball, nice, thanks
<davidrysk[m]> also huh. sicily and tonga. sicily is A14 and tonga is M1?
<davidrysk[m]> also they didn't redact everything from the source
<davidrysk[m]> so it's likely that REing the blob will uncover what certain defines mean
taziden has quit [Ping timeout: 265 seconds]
taziden has joined #asahi-re
amw has joined #asahi-re
irl25519 has joined #asahi-re
amw has quit [Ping timeout: 240 seconds]
irl25519 has quit [Quit: irl25519]
amw has joined #asahi-re
yrlf has joined #asahi-re
taziden has quit [Ping timeout: 240 seconds]
taziden has joined #asahi-re