Load m1n1 at top of kernel data

asdfugil · Siguza · Siguza · commit bb492b004265 · 2025-02-25T02:10:02.000+01:00
m1n1 expects itself to be loaded below top of kernel data, so load it
right at top of kernel data and then update top of kernel so that it is
below top of kernel data.

In particular, its memory allocator start at topOfKernelData and assumes
all memory between that and physBase + memSize is free. More severely,
the chainloading scripts will derive new topOfKernelData from the
current m1n1, so the current approach of loading would actually cause
chainloading to set topOfKernelData to near the end of memory, causing
problems.m1n1 expects itself to be loaded below top of kernel data, so
do it.

Co-authored-by: Siguza &lt;siguza@siguza.net&gt;
Signed-off-by: Nick Chan &lt;towinchenmi@gmail.com&gt;
diff --git a/src/drivers/xnu/xnu.c b/src/drivers/xnu/xnu.c
@@ -1127,7 +1127,6 @@ void xnu_boot(void)
     {
         panic("Cannot boot XNU with TZ0 unlocked");
     }*/
-    gBootArgs->topOfKernelData = gTopOfKernelData;
 }
 
 void xnu_init(void)
diff --git a/src/kernel/entry.c b/src/kernel/entry.c
@@ -284,6 +284,8 @@ __attribute__((noinline)) void pongo_entry_cached(void)
         screen_fill_basecolor();
 }
 
+extern uint64_t gM1N1Base;
+
 /*
 
     Name: pongo_entry
@@ -309,25 +311,28 @@ _Noreturn void pongo_entry(uint64_t *kernel_args, void *entryp, void (*exit_to_e
     set_exception_stack_core0();
     gFramebuffer = (uint32_t*)gBootArgs->Video.v_baseAddr;
     lowlevel_cleanup();
+    gBootArgs->topOfKernelData = gTopOfKernelData;
 
     // Unused space above kernel static area
     void *boot_tramp = (void*)((gTopOfKernelData + 0x3fffULL) & ~0x3fffULL);
     if(gBootFlag == BOOT_FLAG_RAW || gBootFlag == BOOT_FLAG_M1N1)
     {
+        uint64_t entry;
         // We're in EL1 here, but we might need to go back to EL3
         if((__builtin_arm_rsr64("id_aa64pfr0_el1") & 0xf000) != 0)
         {
             __asm__ volatile("smc 0"); // elevate to EL3
         }
-        uint64_t entryOff = 0x800;
         if(gBootFlag == BOOT_FLAG_RAW)
         {
+            entry = (uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000;
             boot_tramp = NULL;
-            entryOff = 0;
         }
-        // XXX: We should really replace loader_xfer_recv_data with something dedicated here.
-        void *image = (void*)((uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000 + entryOff);
-        jump_to_image_extended(image, gBootArgs, boot_tramp, gEntryPoint);
+        else
+        {
+            entry = gM1N1Base + 0x800;
+        }
+        jump_to_image_extended((void*)entry, gBootArgs, boot_tramp, gEntryPoint);
     }
     else
     {
diff --git a/src/shell/main.c b/src/shell/main.c
@@ -46,17 +46,22 @@ void pongo_boot_raw(const char *cmd, char *args) {
     task_yield();
 }
 
+uint64_t gM1N1Base;
 extern char gFWVersion[256];
 void pongo_boot_m1n1(const char *cmd, char *args) {
     if (!loader_xfer_recv_count) {
         iprintf("please upload a raw m1n1.bin before issuing this command\n");
         return;
     }
 
-    loader_xfer_recv_count = 0;
     char *fwversion = dt_get_prop("/chosen", "firmware-version", NULL);
     strlcpy(fwversion, gFWVersion, 256);
 
+    void *m1n1 = alloc_static(loader_xfer_recv_count);
+    memmove(m1n1, loader_xfer_recv_data, loader_xfer_recv_count);
+    loader_xfer_recv_count = 0;
+    gM1N1Base = vatophys_static(m1n1);
+
     gBootFlag = BOOT_FLAG_M1N1;
     task_yield();
 }

Original file line number	Diff line number	Diff line change
`@@ -1127,7 +1127,6 @@ void xnu_boot(void)`
`1127`	`1127`	`{`
`1128`	`1128`	`panic("Cannot boot XNU with TZ0 unlocked");`
`1129`	`1129`	`}*/`
`1130`		`- gBootArgs->topOfKernelData = gTopOfKernelData;`
`1131`	`1130`	`}`
`1132`	`1131`
`1133`	`1132`	`void xnu_init(void)`
Original file line number	Diff line number	Diff line change
`@@ -284,6 +284,8 @@ __attribute__((noinline)) void pongo_entry_cached(void)`
`284`	`284`	`screen_fill_basecolor();`
`285`	`285`	`}`
`286`	`286`
	`287`	`+extern uint64_t gM1N1Base;`
	`288`	`+`
`287`	`289`	`/*`
`288`	`290`
`289`	`291`	`Name: pongo_entry`
`@@ -309,25 +311,28 @@ _Noreturn void pongo_entry(uint64_t kernel_args, void entryp, void (*exit_to_e`
`309`	`311`	`set_exception_stack_core0();`
`310`	`312`	`gFramebuffer = (uint32_t*)gBootArgs->Video.v_baseAddr;`
`311`	`313`	`lowlevel_cleanup();`
	`314`	`+ gBootArgs->topOfKernelData = gTopOfKernelData;`
`312`	`315`
`313`	`316`	`// Unused space above kernel static area`
`314`	`317`	`void boot_tramp = (void)((gTopOfKernelData + 0x3fffULL) & ~0x3fffULL);`
`315`	`318`	`if(gBootFlag == BOOT_FLAG_RAW \|\| gBootFlag == BOOT_FLAG_M1N1)`
`316`	`319`	`{`
	`320`	`+ uint64_t entry;`
`317`	`321`	`// We're in EL1 here, but we might need to go back to EL3`
`318`	`322`	`if((__builtin_arm_rsr64("id_aa64pfr0_el1") & 0xf000) != 0)`
`319`	`323`	`{`
`320`	`324`	`__asm__ volatile("smc 0"); // elevate to EL3`
`321`	`325`	`}`
`322`		`- uint64_t entryOff = 0x800;`
`323`	`326`	`if(gBootFlag == BOOT_FLAG_RAW)`
`324`	`327`	`{`
	`328`	`+ entry = (uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000;`
`325`	`329`	`boot_tramp = NULL;`
`326`		`- entryOff = 0;`
`327`	`330`	`}`
`328`		`- // XXX: We should really replace loader_xfer_recv_data with something dedicated here.`
`329`		`- void image = (void)((uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000 + entryOff);`
`330`		`- jump_to_image_extended(image, gBootArgs, boot_tramp, gEntryPoint);`
	`331`	`+ else`
	`332`	`+ {`
	`333`	`+ entry = gM1N1Base + 0x800;`
	`334`	`+ }`
	`335`	`+ jump_to_image_extended((void*)entry, gBootArgs, boot_tramp, gEntryPoint);`
`331`	`336`	`}`
`332`	`337`	`else`
`333`	`338`	`{`