Last active
December 13, 2023 16:26
-
-
Save wh1te4ever/5292792825b46f178d7fb84dc009f79c to your computer and use it in GitHub Desktop.
KFD offsets for tvOS 16.5 - AppleTV6,2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef dynamic_info_h | |
| #define dynamic_info_h | |
| struct dynamic_info { | |
| const char* kern_version; | |
| const char* build_version; | |
| const char* device_id; | |
| // struct fileglob | |
| u64 fileglob__fg_ops; | |
| u64 fileglob__fg_data; | |
| // struct fileops | |
| u64 fileops__fo_kqfilter; | |
| // struct fileproc | |
| // u64 fileproc__fp_iocount; | |
| // u64 fileproc__fp_vflags; | |
| // u64 fileproc__fp_flags; | |
| // u64 fileproc__fp_guard_attrs; | |
| // u64 fileproc__fp_glob; | |
| // u64 fileproc__fp_guard; | |
| // u64 fileproc__object_size; | |
| // struct fileproc_guard | |
| u64 fileproc_guard__fpg_guard; | |
| // struct kqworkloop | |
| u64 kqworkloop__kqwl_state; | |
| u64 kqworkloop__kqwl_p; | |
| u64 kqworkloop__kqwl_owner; | |
| u64 kqworkloop__kqwl_dynamicid; | |
| u64 kqworkloop__object_size; | |
| // struct pmap | |
| u64 pmap__tte; | |
| u64 pmap__ttep; | |
| // struct proc | |
| u64 proc__p_list__le_next; | |
| u64 proc__p_list__le_prev; | |
| u64 proc__p_pid; | |
| u64 proc__p_fd__fd_ofiles; | |
| u64 proc__object_size; | |
| // struct pseminfo | |
| u64 pseminfo__psem_usecount; | |
| u64 pseminfo__psem_uid; | |
| u64 pseminfo__psem_gid; | |
| u64 pseminfo__psem_name; | |
| u64 pseminfo__psem_semobject; | |
| // struct psemnode | |
| // u64 psemnode__pinfo; | |
| // u64 psemnode__padding; | |
| // u64 psemnode__object_size; | |
| // struct semaphore | |
| u64 semaphore__owner; | |
| // struct specinfo | |
| u64 specinfo__si_rdev; | |
| // struct task | |
| u64 task__map; | |
| u64 task__threads__next; | |
| u64 task__threads__prev; | |
| u64 task__itk_space; | |
| u64 task__object_size; | |
| // struct thread | |
| u64 thread__task_threads__next; | |
| u64 thread__task_threads__prev; | |
| u64 thread__map; | |
| u64 thread__thread_id; | |
| u64 thread__object_size; | |
| // struct uthread | |
| u64 uthread__object_size; | |
| // struct vm_map_entry | |
| u64 vm_map_entry__links__prev; | |
| u64 vm_map_entry__links__next; | |
| u64 vm_map_entry__links__start; | |
| u64 vm_map_entry__links__end; | |
| u64 vm_map_entry__store__entry__rbe_left; | |
| u64 vm_map_entry__store__entry__rbe_right; | |
| u64 vm_map_entry__store__entry__rbe_parent; | |
| // struct vnode | |
| u64 vnode__v_un__vu_specinfo; | |
| // struct _vm_map | |
| u64 _vm_map__hdr__links__prev; | |
| u64 _vm_map__hdr__links__next; | |
| u64 _vm_map__hdr__links__start; | |
| u64 _vm_map__hdr__links__end; | |
| u64 _vm_map__hdr__nentries; | |
| u64 _vm_map__hdr__rb_head_store__rbh_root; | |
| u64 _vm_map__pmap; | |
| u64 _vm_map__hint; | |
| u64 _vm_map__hole_hint; | |
| u64 _vm_map__holes_list; | |
| u64 _vm_map__object_size; | |
| // kernelcache static addresses | |
| u64 kernelcache__kernel_base; | |
| u64 kernelcache__cdevsw; | |
| u64 kernelcache__gPhysBase; | |
| u64 kernelcache__gPhysSize; | |
| u64 kernelcache__gVirtBase; | |
| u64 kernelcache__perfmon_devices; | |
| u64 kernelcache__perfmon_dev_open; | |
| u64 kernelcache__ptov_table; | |
| u64 kernelcache__vm_first_phys_ppnum; | |
| u64 kernelcache__vm_pages; | |
| u64 kernelcache__vm_page_array_beginning_addr; | |
| u64 kernelcache__vm_page_array_ending_addr; | |
| u64 kernelcache__vn_kqfilter; | |
| }; | |
| const struct dynamic_info kern_versions[] = { | |
| { | |
| .kern_version = "Darwin Kernel Version 22.5.0: Mon Apr 24 20:11:56 PDT 2023; root:xnu-8796.123.1~1/RELEASE_ARM64_T8010", | |
| .build_version = "20L563", | |
| .device_id = "AppleTV6,2", | |
| .fileglob__fg_ops = 0x0028, | |
| .fileglob__fg_data = 0x0038, | |
| .fileops__fo_kqfilter = 0x0030, | |
| // .fileproc__fp_iocount = 0x0000, | |
| // .fileproc__fp_vflags = 0x0004, | |
| // .fileproc__fp_flags = 0x0008, | |
| // .fileproc__fp_guard_attrs = 0x000a, | |
| // .fileproc__fp_glob = 0x0010, | |
| // .fileproc__fp_guard = 0x0018, | |
| // .fileproc__object_size = 0x0020, | |
| .fileproc_guard__fpg_guard = 0x0008, | |
| .kqworkloop__kqwl_state = 0x0010, | |
| .kqworkloop__kqwl_p = 0x0018, | |
| .kqworkloop__kqwl_owner = 0x00d0, | |
| .kqworkloop__kqwl_dynamicid = 0x00e8, | |
| .kqworkloop__object_size = 0x0108, | |
| .pmap__tte = 0x0000, | |
| .pmap__ttep = 0x0008, | |
| .proc__p_list__le_next = 0x0000, | |
| .proc__p_list__le_prev = 0x0008, | |
| .proc__p_pid = 0x0060, //tvOS 16.5 FFFFFFF0075E5A28, 14PM FFFFFFF0081ADEE4 | |
| .proc__p_fd__fd_ofiles = 0xf8, //tvOS16.5 FFFFFFF00734A828, 14PM FFFFFFF007F13290 | |
| .proc__object_size = 0x720, //guess.. tvOS 16.5 FFFFFFF0075DF378(0x718), 14PM FFFFFFF0081A7860 (0x728) | |
| .pseminfo__psem_usecount = 0x0004, | |
| .pseminfo__psem_uid = 0x000c, | |
| .pseminfo__psem_gid = 0x0010, | |
| .pseminfo__psem_name = 0x0014, | |
| .pseminfo__psem_semobject = 0x0038, //v | |
| // .psemnode__pinfo = 0x0000, | |
| // .psemnode__padding = 0x0008, | |
| // .psemnode__object_size = 0x0010, | |
| .semaphore__owner = 0x0028, //v | |
| .specinfo__si_rdev = 0x0018, //vnode_specrdev | |
| .task__map = 0x0028, //_get_task_map | |
| .task__threads__next = 0x0058, //v tvOS16.5 FFFFFFF007244D50, 14PM FFFFFFF007E06D48 | |
| .task__threads__prev = 0x0060, //v calculate task__threads__next + 8 | |
| .task__itk_space = 0x0300, //v tvOS16.5 FFFFFFF007262280, 14PM FFFFFFF007E245EC | |
| .task__object_size = 0x05f8, //v tvOS16.5 FFFFFFF00722E330, 14PM FFFFFFF007DF0578 | |
| .thread__task_threads__next = 0x0380, //v tvOS16.5 FFFFFFF007235530, 14PM FFFFFFF007DF7B30 | |
| .thread__task_threads__prev = 0x0388, //v calculate thread__task_threads__next + 8 | |
| .thread__map = 0x398,//v, //tvOS16.5 FFFFFFF007240620, 14PM FFFFFFF007E02B20 | |
| .thread__thread_id = 0x430, //v, tvOS16.5 FFFFFFF007232968, 14PM FFFFFFF007DF4EDC | |
| .thread__object_size = 0x4D8, //v //tvOS16.5 FFFFFFF0072420C0, 14PM FFFFFFF007E04528 | |
| .uthread__object_size = 0x200, //v //tvOS16.5 FFFFFFF0072452CC, 14PM FFFFFFF007E074A8 | |
| .vm_map_entry__links__prev = 0x0000, //v check start | |
| .vm_map_entry__links__next = 0x0008, | |
| .vm_map_entry__links__start = 0x0010, | |
| .vm_map_entry__links__end = 0x0018, | |
| .vm_map_entry__store__entry__rbe_left = 0x0020, | |
| .vm_map_entry__store__entry__rbe_right = 0x0028, | |
| .vm_map_entry__store__entry__rbe_parent = 0x0030, //v check end | |
| .vnode__v_un__vu_specinfo = 0x0078, //vnode_specrdev | |
| ._vm_map__hdr__links__prev = 0x0010, //v check start | |
| ._vm_map__hdr__links__next = 0x0018, | |
| ._vm_map__hdr__links__start = 0x0020, | |
| ._vm_map__hdr__links__end = 0x0028, //v check end | |
| ._vm_map__hdr__nentries = 0x0030, //XXX | |
| ._vm_map__hdr__rb_head_store__rbh_root = 0x0038, //tvOS16.5 FFFFFFF0072DBA98, 14PM 16.5 FFFFFFF007EA1978 | |
| ._vm_map__pmap = 0x0040, //find _get_task_pmap | |
| ._vm_map__hint = 0x78, //vv tvOS16.5 FFFFFFF0072A0E8C, 14PM FFFFFFF007E646A0 | |
| ._vm_map__hole_hint = 0x80, //vv tvOS16.5 FFFFFFF00729F090, 14PM 16.5 FFFFFFF007E62750 | |
| ._vm_map__holes_list = 0x88, //vv tvOS16.5 FFFFFFF0072998B8, 14PM 16.5 FFFFFFF007E5CD8C | |
| ._vm_map__object_size = 0xa0, //tvOS 16.5 FFFFFFF0072998F8, 14PM 16.5 FFFFFFF007E5CDD0 | |
| .kernelcache__kernel_base = 0xfffffff007004000, | |
| //As always been there | |
| .kernelcache__cdevsw = 0xFFFFFFF007878E60, | |
| //can be found at _spec_write + 4C; To find out, xref strings "spec_vnops.c", "spec_write type @%s:%d" | |
| .kernelcache__gPhysBase = 0xFFFFFFF007152C00, | |
| //can be found at loc_FFFFFFF007310E90; To find out, xref strings "arm_vm_init.c", "phystokv_range", "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx @%s:%d" | |
| .kernelcache__gPhysSize = 0xFFFFFFF007152C08, | |
| //can be found at sub_FFFFFFF007310EF8 + 1A8; To find out, xref strings "arm_vm_init.c", "ml_static_vtop", "%s: illegal VA: %p; virt base 0x%llx, size 0x%llx @%s:%d" | |
| .kernelcache__gVirtBase = 0xFFFFFFF007150E18, | |
| //can be found at sub_FFFFFFF007310CA0 + 20C; To find out, xref strings "arm_vm_init.c", "phystokv_range", "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx @%s:%d" | |
| .kernelcache__perfmon_devices = 0xFFFFFFF0078BA900, | |
| //can be found at sub_FFFFFFF007324698 + 7C; To find out, xref strings "perfmon: attempt to open unsupported source: 0x%x @%s:%d" | |
| .kernelcache__perfmon_dev_open = 0xFFFFFFF007324698, | |
| //can be located at sub_FFFFFFF007324698; To find out, xref strings "perfmon: attempt to open unsupported source: 0x%x @%s:%d" | |
| .kernelcache__ptov_table = 0xFFFFFFF0071069A8, | |
| //can be found at _ml_static_ptovirt_0 + 18; To find out, xref strings "arm_vm_init.c", "phystokv", "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx @%s:%d" | |
| .kernelcache__vm_first_phys_ppnum = 0xFFFFFFF0078B9F30, | |
| //can be found at sub_FFFFFFF007288F74 + 2B00; "vm_fault: unexpected error 0x%x from vm_fault_page()" | |
| .kernelcache__vm_pages = 0xFFFFFFF007103ED0, | |
| //can be found at sub_FFFFFFF0072B3860 + 1F8; To find out, xref strings "vm_object.c", "object %p all_reusable: can't update pmap stats @%s:%d" | |
| .kernelcache__vm_page_array_beginning_addr = 0xFFFFFFF007105938, | |
| //can be found at sub_FFFFFFF007292E44 + 270; To find out, xref strings "com.apple.xnu.vmtc_telemetry" | |
| .kernelcache__vm_page_array_ending_addr = 0xFFFFFFF0078B9F28, | |
| //can be found at sub_FFFFFFF007292E44 + 280; To find out, xref strings "com.apple.xnu.vmtc_telemetry" | |
| .kernelcache__vn_kqfilter = 0xFFFFFFF00736F394, //xref fg_offset_lock_wait | |
| }, | |
| }; | |
| #endif /* dynamic_info_h */ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment