netkas.org forum
Author Topic: GFX-Strings  (Read 382355 times)
lebidou
« Reply #45 on: December 12, 2007, 09:48:30 PM »

Quote
The total length of lebidou's working string in Hex Fiend is 2552 bytes. The first 4 bytes of the string is FC 09 00 00. 0x09fc == 2556. I'm confused.

Something's wrong: the first 4 bytes in my file are F2 09 00 00. Seems to be 2546, which is still wrong, but as I edited it in TextEdit, nothing's guaranteed... try F8 09 maybe
« Last Edit: December 12, 2007, 10:34:30 PM by lebidou »

en.gael-philippe.fr -- english version
www.gael-philippe.fr -- French version
Thrawnhex
« Reply #46 on: December 12, 2007, 10:49:22 PM »

Maybe it reads only as long as the length in the string is given, so if the string is longer than the length hex-value it'll not read until the end... (only a guess)

Btw.: Thanks for the great discussion!

Thrawnhex
time ed
« Reply #47 on: December 12, 2007, 11:04:08 PM »


My bad. It's 0x09f2. Still...

I think you're right. The last 4-6 bytes look like padding. Obviously the string works for lebidou. I'll spend a little more time dissecting it. It would be nice to have one from a Mac Pro.

OT: hey lebidou -- where can I get a nutella machine? I love that stuff, but it's hard to find here...
lebidou
« Reply #48 on: December 12, 2007, 11:41:27 PM »

The string worked for me but not dual display.

Comparing the ascii code to the NVinjectGO's info.plist values I noticed some were not the same, such as inverter. Does someone know what inverter is and whether it could interfere with dual display?

Moreover there's a NVMT value in the string that's not in NVinject info.plist, and an NVPM value in the info.plist that's not in the string. What are they used for?

And about the nutella machine, the prototype melted while presenting it to Nutella's CEO. So we lost the contest... But I'm happy to know you would like to have one.

en.gael-philippe.fr -- english version
www.gael-philippe.fr -- French version
0xdeadbeef
« Reply #49 on: December 13, 2007, 05:45:49 AM »

Quote
Maybe it reads only as long as the length in the string is given, so if the string is longer than the length hex-value it'll not read until the end... (only a guess)

Btw.: Thanks for the great discussion!

Thrawnhex

I wouldn't rely on that. If the structure is invalid, that could lead to big trouble in EFIMergeProperties. Make sure you start with a valid copy of a string before you start chopping away at it, then double-check every edit you make.

One more thing: If you are posting hacked gfx strings at least label them clearly and state the starting string and the edits made: how many "¤%"¤ing versions of "Natit.kext" are floating around without anyone knowing what was done to them?  Grin

Conquering the world - 8 hex digits at a time.
netkas
« Reply #50 on: December 13, 2007, 11:48:45 AM »

Quote
What you need to know about the format of the gfx strings:

The first 4 bytes are a little-endian longword which is the size of the entire string.

Example: size is 4660 bytes == hex: 0x1234 -> 34120000
After that comes some bytes of crud that I don't think is important for our purposes.

Each property in the gfx string has a name and a value. The name is a UNICODE_STRING that has a little-endian longword length attribute immediately before it. The length attribute includes the 4 bytes needed for itself:

Example "A.T.Y.,.C.r.a.p." => 1C0000004100540059002C0043007200610070000000

The value comes immediately after (also with a length attribute):

=>08000000DEADBEEF

So if you want to remove a property, you need to:
1. Remove the property name + its length attribute
2. Remove the following value + its length attribute
3. Enter your new length in the first 4 bytes of the string.

Good luck!

Yeah, that's how I did the 2600 string, because originally it was >64k in size. But!
there are two fields - one for gfx and one for audio cards; both have a size and a number of commands, I guess, so that needs to be edited too, because I got a long property:
    | |   |     |   "ATY,FrameBufferOffset" = <0000000080000000>
    | |   |     |    = <0400000002010c00d041030a0000000001010600001b7fff04002200
000070006c006100740066006f0072006
netkas
« Reply #51 on: December 13, 2007, 01:48:46 PM »

OK, I reversed it, it's now close to complete Cheesy
based on the 7300 string

Quote
main header
size is 12 bytes (0Ch)
dw = 06f4 - size
dw = 01   - idk what
dw = 03   - guess num of entries

gfx entry
header is 24h:
dw = 05e1 - length
dw = 18h - num of commands
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature

unknown entry
header is 24h:
dw = 5a  - length
dw = 1    - num of entries
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature

sound entry
header is 1eh
dw = ADh - length
dw = 03h   - num of entries
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature
« Last Edit: December 13, 2007, 01:54:45 PM by netkas »
lebidou
« Reply #52 on: December 13, 2007, 02:53:07 PM »

Thinking it could help, I made ioreg dumps for the four following cases:
- dual screen with nvinjectgo
- dual screen with gfx string
- single screen with nvinjectgo
- single screen with gfx string

I sent the com.apple.Boot.plist I use with the string.

And for info, the NVinjectGO.kext I use is the 0.0.9 from nvinject.free.fr. I never had to modify it.
ioreg-nvinject-dual.txt
ioreg-efi-dual.txt
ioreg-nvinject-single.txt
ioreg-efi-single.txt
com.apple.Boot.plist link corrected
« Last Edit: December 13, 2007, 03:12:52 PM by lebidou »

en.gael-philippe.fr -- english version
www.gael-philippe.fr -- French version
netkas
« Reply #53 on: December 13, 2007, 03:03:13 PM »

last link - 404 Tongue

mcmatrix
« Reply #54 on: December 13, 2007, 03:20:54 PM »

Quote
OK, I reversed it, it's now close to complete Cheesy
based on the 7300 string

Quote
main header
size is 12 bytes (0Ch)
dw = 06f4 - size
dw = 01   - idk what
dw = 03   - guess num of entries

gfx entry
header is 24h:
dw = 05e1 - length
dw = 18h - num of commands
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature

unknown entry
header is 24h:
dw = 5a  - length
dw = 1    - num of entries
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature

sound entry
header is 1eh
dw = ADh - length
dw = 03h   - num of entries
16-bytes array = 02010C00D041030a0000000001010600  - looks like signature

ok here are my trackings:
[main header]:
4bytes (int32) - file size
4bytes (int32) - Huh unknown
4bytes (int32) - this is number of datablocks

[datablock header]
4bytes (int32) - size of block
4bytes (int32) - number of entries (key -> value)
then comes this
02010C00 D041030A 00000000 010106000002 7FFF0400
I think that these are positions in hardware ioregistry "IOACPIPlane:/_SB/PCI0@0/GFX0@20000"

7F FF 04 00 seems to be signature before data

and this sound entry has header:
02010C00 D041030A 00000000 01010600 00 1B 7FFF0400
seems that this device is in ioreg "+-o HDEF@1B  <class IOPCIDevice, registered, matched, active, busy 0, retain 8>"

I have found on the internet http://linux.dell.com/efibootmgr/efibootmgr.txt that "In this case, the ACPI HID is "0A0341d0" and the UID is "0"."
interesting? Smiley

http://www.ndt-uk.net/etc/files/ioreg.txt some ioreg dump from the internet

my research is based on the x3100 dump from here

I am working on a little program to convert gfx string to xml plist and back Smiley
« Last Edit: December 13, 2007, 03:25:25 PM by mcmatrix »
netkas
« Reply #55 on: December 13, 2007, 05:58:17 PM »

so, in that part of datablock header
02010C00 D041030A 00000000 01010600 00 1B 7FFF0400

only 00 1b sounds useful, btw, for 2600pro it's 00 00

so, there is only one unknown value now; I guess we can keep it as 1. Maybe it's the number of such strings (big blocks, not datablocks), and it's always 1 in this case
mcmatrix
« Reply #56 on: December 13, 2007, 06:11:45 PM »

Ok the decoding part is done.

out of program:

Start decoding gfx data...
========= GFX header =========
filesize : 2858
id : 1
count of blocks : 3
==============================
------- GFX block --------
blocksize : 272
records : 5
ioreg??? (22): 02010C00D041030A0000000001010600001B7FFF0400
***************************
   'layout-id' (10) -> '36000000' (4)
   'PinConfigurations' (18) -> '4001109050402B01410110901001A09020308B0160E04B0130E0CB01' (28)
   'AFGLowPowerState' (17) -> '03000000' (4)
   'MaximumBootBeepVolume' (22) -> '37' (1)
   'platformFamily' (15) -> '00' (1)
------- GFX block --------
blocksize : 82
records : 1
ioreg??? (28): 02010C00D041030A0000000001010600001E0101060000037FFF0400
***************************
   'fwtune' (7) -> '00000008E3E3000000000808E3E3180100004008200000BF' (24)
------- GFX block --------
blocksize : 2492
records : 41
ioreg??? (22): 02010C00D041030A000000000101060000027FFF0400
***************************
   'AAPL00,blackscreen-preferences' (31) -> '00000008' (4)
   'AAPL01,blackscreen-preferences' (31) -> '00000008' (4)
   'AAPL01,BootDisplay' (19) -> '01000000' (4)
   'AAPL01,Pipe' (12) -> '01000000' (4)
   'AAPL01,IODisplayMode' (21) -> '00100080' (4)
   'AAPL01,EDID' (12) -> '00FFFFFFFFFFFF0006105F9C0000000008100103801D12780A2F309758538B2925505400000001010101010101010101010101010101BC1B00A050201730302036001EB310000018000000010006102000000000000000000A20000000FE004C503133335758312D544C4131000000FE00436F6C6F72204C43440A20202000C2' (128)
   'AAPL01,Stretched' (17) -> '00000000' (4)
   'AAPL01,Interlace' (17) -> '00000000' (4)
   'AAPL01,Refresh' (15) -> '3B000000' (4)
   'AAPL01,Depth' (13) -> '20000000' (4)
   'AAPL01,Width' (13) -> '00050000' (4)
   'AAPL01,Height' (14) -> '20030000' (4)
   'AAPL01,CurrentDisplay' (22) -> '00000000' (4)
   'AAPL01,BacklightIntensity' (26) -> '64000000' (4)
   'AAPL01,InverterCurrent' (23) -> '00000000' (4)
   'AAPL01,Dither' (14) -> '00000000' (4)
   'AAPL01,Inverter' (16) -> '00000000' (4)
   'AAPL01,PixelFormat' (19) -> '00000000' (4)
   'AAPL01,LinkFormat' (18) -> '00000000' (4)
   'AAPL01,DataJustify' (19) -> '01000000' (4)
   'AAPL01,DualLink' (16) -> '00000000' (4)
   'AAPL01,LinkType' (16) -> '00000000' (4)
   'AAPL01,InverterFrequency' (25) -> '08520000' (4)
   'AAPL01,T6' (10) -> '90010000' (4)
   'AAPL01,T5' (10) -> '00000000' (4)
   'AAPL01,T4' (10) -> '01000000' (4)
   'AAPL01,T3' (10) -> 'C8000000' (4)
   'AAPL01,T2' (10) -> 'C8000000' (4)
   'AAPL01,T1' (10) -> '01000000' (4)
   'AAPL01,T0' (10) -> '00000000' (4)
   'AAPL,aux-power-connected' (25) -> '01000000' (4)
   'AAPL,BacklightRestore' (22) -> '01000000' (4)
   'AAPL,SelfRefreshSupported' (26) -> '01000000' (4)
   'AAPL,NumFramebuffers' (21) -> '02000000' (4)
   'AAPL,HasLid' (12) -> '01000000' (4)
   'AAPL,HasPanel' (14) -> '01000000' (4)
   'AAPL,DisplayConfig' (19) -> '1300000000000001210000000000000041000000000000008100000000000000' (32)
   'AAPL,NumDisplays' (17) -> '04000000' (4)
   'AAPL,backlight-control' (23) -> '01000000' (4)
   'saved-config
   'saved-timing1' (14) -> '00100080000000000000000000000000000000000000000000000000000000000000000000000000C05F3B0400000000C05F3B0400000000C05F3B040000000000050000A000000030000000200000002003000017000000030000000600000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000' (160)
Done.

Now comes the hard part. Converting to plist and from plist to bin.
I am not very good on the CoreFoundation part so learning takes a little time Smiley

Netkas, if you are interested I may share my code. It's very beta code yet.
« Last Edit: December 13, 2007, 06:15:22 PM by mcmatrix »
mcmatrix
« Reply #57 on: December 13, 2007, 07:37:28 PM »

Now creating plist file is working.
Little sample from program:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>02010C00D041030A000000000101060000027FFF0400</key>
   <dict>
      <key>AAPL,BacklightRestore</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL,DisplayConfig</key>
      <data>
      EwAAAAAAAAEhAAAAAAAAAEEAAAAAAAAAgQAAAAAAAAA=
      </data>
      <key>AAPL,HasLid</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL,HasPanel</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL,NumDisplays</key>
      <data>
      BAAAAA==
      </data>
      <key>AAPL,NumFramebuffers</key>
      <data>
      AgAAAA==
      </data>
      <key>AAPL,SelfRefreshSupported</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL,aux-power-connected</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL,backlight-control</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL00,blackscreen-preferences</key>
      <data>
      AAAACA==
      </data>
      <key>AAPL01,BacklightIntensity</key>
      <data>
      ZAAAAA==
      </data>
      <key>AAPL01,BootDisplay</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL01,CurrentDisplay</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,DataJustify</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL01,Depth</key>
      <data>
      IAAAAA==
      </data>
      <key>AAPL01,Dither</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,DualLink</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,EDID</key>
      <data>
      AP///////wAGEF+cAAAAAAgQAQOAHRJ4Ci8wl1hTiyklUFQAAAABAQEBAQEB
      AQEBAQEBAQEBvBsAoFAgFzAwIDYAHrMQAAAYAAAAAQAGECAAAAAAAAAAAAog
      AAAA/gBMUDEzM1dYMS1UTEExAAAA/gBDb2xvciBMQ0QKICAgAMI=
      </data>
      <key>AAPL01,Height</key>
      <data>
      IAMAAA==
      </data>
      <key>AAPL01,IODisplayMode</key>
      <data>
      ABAAgA==
      </data>
      <key>AAPL01,Interlace</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,Inverter</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,InverterCurrent</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,InverterFrequency</key>
      <data>
      CFIAAA==
      </data>
      <key>AAPL01,LinkFormat</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,LinkType</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,Pipe</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL01,PixelFormat</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,Refresh</key>
      <data>
      OwAAAA==
      </data>
      <key>AAPL01,Stretched</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,T0</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,T1</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL01,T2</key>
      <data>
      yAAAAA==
      </data>
      <key>AAPL01,T3</key>
      <data>
      yAAAAA==
      </data>
      <key>AAPL01,T4</key>
      <data>
      AQAAAA==
      </data>
      <key>AAPL01,T5</key>
      <data>
      AAAAAA==
      </data>
      <key>AAPL01,T6</key>
      <data>
      kAEAAA==
      </data>
      <key>AAPL01,Width</key>
      <data>
      AAUAAA==
      </data>
      <key>AAPL01,blackscreen-preferences</key>
      <data>
      AAAACA==
      </data>
      <key>saved-config</key>
      <data>
      AAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAYQAABfnAAAAAAAAMBfOwSgBQAAAAUAAKAFAAAwBQAAUAUA
      ADcDAAAgAwAANwMAACMDAAApAwAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAA
      AAAAAGQAAAAAEACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
      </data>
      <key>saved-timing1</key>
      <data>
      ABAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBfOwQA
      AAAAwF87BAAAAADAXzsEAAAAAAAFAACgAAAAMAAAACAAAAAgAwAAFwAAAAMA
      AAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
      </data>
   </dict>
   <key>02010C00D041030A0000000001010600001B7FFF0400</key>
   <dict>
      <key>AFGLowPowerState</key>
      <data>
      AwAAAA==
      </data>
      <key>MaximumBootBeepVolume</key>
      <data>
      Nw==
      </data>
      <key>PinConfigurations</key>
      <data>
      QAEQkFBAKwFBARCQEAGgkCAwiwFg4EsBMODLAQ==
      </data>
      <key>layout-id</key>
      <data>
      NgAAAA==
      </data>
      <key>platformFamily</key>
      <data>
      AA==
      </data>
   </dict>
   <key>02010C00D041030A0000000001010600001E0101060000037FFF0400</key>
   <dict>
      <key>fwtune</key>
      <data>
      AAAACOPjAAAAAAgI4+MYAQAAQAggAAC/
      </data>
   </dict>
</dict>
</plist>

I put this signature in the block header. Now I need to do datatype detection (data, integer, string) and then the hard part: convert the plist back to binary form.
netkas
« Reply #58 on: December 13, 2007, 08:18:50 PM »

Yeah, I would like to get the decryption code

btw, we do not need that block with fwtune,
so we can give it up.

and about these things

ioreg??? (22): 02010C00D041030A0000000001010600001B7FFF0400
ioreg??? (22): 02010C00D041030A000000000101060000027FFF0400

no need to display it whole imho
just smth like
pci device - 1B or 02 (18th byte of array)
and then generation for the specified pci device (like 00 for most videocards or 02 for gma cards or 1b for sound cards)
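The layout worked out across Replies #50 to #58 (12-byte main header, one block per device with its size and record count, an EFI device path closed by 7FFF0400, then length-prefixed UTF-16 names and values), as an added Python encoder/decoder that is not mcmatrix's program or anything posted in the thread. It rebuilds the HDEF block printed in Reply #56 and checks that it comes out at the 272 bytes reported there, and reads the PCI device number netkas points at out of the device path; the node walk (type/subtype/length per node, 01/01 for PCI, 7F/FF for end) is my reading of the EFI device-path format, not the thread's.

```python
import struct
END_OF_PATH = bytes.fromhex("7FFF0400")   # EFI end-of-device-path node (type 7F, subtype FF)

def encode_property(name, value):
    """u32 length (counting itself) + UTF-16LE name with NUL, then u32 length (counting itself) + value."""
    name_bytes = (name + "\0").encode("utf-16-le")
    return (struct.pack("<I", 4 + len(name_bytes)) + name_bytes
            + struct.pack("<I", 4 + len(value)) + value)

def encode_block(device_path, props):
    """Block: u32 block size, u32 record count, the device path, then the records."""
    body = b"".join(encode_property(n, v) for n, v in props.items())
    return struct.pack("<II", 8 + len(device_path) + len(body), len(props)) + device_path + body

def encode_gfx_string(blocks):
    """Main header: u32 total size, u32 = 1 (the field the thread never identified), u32 block count."""
    body = b"".join(encode_block(bytes.fromhex(p), v) for p, v in blocks.items())
    return struct.pack("<III", 12 + len(body), 1, len(blocks)) + body

def pci_device_from_path(path):
    """Walk the device-path nodes; return (device, function) of the PCI node, or None."""
    off, found = 0, None
    while off + 4 <= len(path):
        ntype, subtype, length = struct.unpack_from("<BBH", path, off)
        if length < 4: raise ValueError("bad device-path node length")
        if ntype == 0x01 and subtype == 0x01:        # hardware/PCI node: function byte, device byte
            found = (path[off + 5], path[off + 4])
        if ntype == 0x7F and subtype == 0xFF:        # end-of-path node
            break
        off += length
    return found

def decode_gfx_string(data):
    """Parse back into {device_path_hex: {name: value}}, range-checking every length field."""
    total, _unknown, nblocks = struct.unpack_from("<III", data, 0)
    if total != len(data): raise ValueError(f"header size {total} != buffer {len(data)}")
    off, blocks = 12, {}
    for _ in range(nblocks):
        bsize, nprops = struct.unpack_from("<II", data, off)
        end = off + bsize
        if bsize < 8 or end > total: raise ValueError("block size out of range")
        p = data.index(END_OF_PATH, off + 8, end) + 4   # the path runs up to its end node
        path, props = data[off + 8:p], {}
        for _ in range(nprops):
            nlen = struct.unpack_from("<I", data, p)[0]
            if nlen < 6 or p + nlen > end: raise ValueError("name length out of range")
            name = data[p + 4:p + nlen].decode("utf-16-le").rstrip("\0")
            vlen = struct.unpack_from("<I", data, p + nlen)[0]
            if vlen < 4 or p + nlen + vlen > end: raise ValueError("value length out of range")
            props[name] = data[p + nlen + 4:p + nlen + vlen]
            p += nlen + vlen
        if p != end: raise ValueError("records do not fill the block")
        blocks[path.hex().upper()] = props
        off = end
    return blocks

SAMPLE = {"02010C00D041030A0000000001010600001B7FFF0400": {   # the HDEF block of Reply #56
    "layout-id": bytes.fromhex("36000000"), "AFGLowPowerState": bytes.fromhex("03000000"),
    "PinConfigurations": bytes.fromhex("4001109050402B01410110901001A09020308B0160E04B0130E0CB01"),
    "MaximumBootBeepVolume": bytes.fromhex("37"), "platformFamily": bytes.fromhex("00")}}
```

With only the one block, the encoded string is 12 + 272 = 284 bytes, which is how the 2858 in Reply #56 adds up from its three blocks (12 + 272 + 82 + 2492).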
lebidou
« Reply #59 on: December 13, 2007, 08:43:40 PM »

Looking at the dumps I've made, I noticed that when I use the gfx string it always acts as if there were only one display, even with an external display plugged in.

I was wondering if it could be because the original string (the one from the iMac with 7600GT) was grabbed from a machine without an external display plugged in.

Could someone get the gfx string from an iMac with 7600GT and an external display plugged in?

Thanx

en.gael-philippe.fr -- english version
www.gael-philippe.fr -- French version