Giters

zhuowei / LearningIOSurfaceAccelerator

Learning how to use IOSurfaceAccelerator

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Learning IOSurfaceAccelerator's comm output API.

Currently crashes on macOS 13 beta 22A5266r with a (non-exploitable) null pointer dereference with ASE (Apple Scaling Engine???) enabled, since I don't know how to use ASEProcessing to generate a set of valid ASE inbound params.

This calls the userspace IOSurfaceAccelerator framework instead of calling the userclient directly: I didn't want to figure out the layout of the userclient's TransformSurfaceData argument.

Notes

Other documentation about the IOSurfaceAccelerator framework and AppleM2ScalerCSC driver:

Notes about how the comm output api works:

M2ScalerScalingASEControl::collectASEApiOutput_gatedContext
-> AppleM2ScalerCSCDriver::completeRequest_gatedContext

The length (0xa60 in 13.3.1) is written in __ZN18M2ScalerCSCRequest28validateAndInitializeCommAPIEPK19AppleM2ScalerCSCHal

also written in
__ZN30M2ScalerScalingASEControlMSR1024getASEStats_gatedContextEP18M2ScalerCSCRequest

length read in
__ZN25M2ScalerScalingASEControl24getASEStats_gatedContextEP18M2ScalerCSCRequest

-> __ZN22AppleM2ScalerCSCDriver24perfControllerWorkSubmitEP18M2ScalerCSCRequest might also write to it??

For getting the memory used by the ASE/HDR APIs:
Probably M2ScalerCSCRequest::mapAPIParams since this mentions "HDR/ASE API ERROR" -> reads from 0x910, etc to make memory descriptors
-> M2ScalerCSCRequest::validateAndInitializeCommAPI
--> AppleM2ScalerCSCDriver::transformGeneral
---> AppleM2ScalerCSCDriver::prepareTransform -> writes to 0x910, etc from TransformSurfaceData 0xd8, etc
----> AppleM2ScalerCSCDriver::transform_surface
-----> IOSurfaceAcceleratorClient::transformSurface_asynchronous/synchronous
-> IOSurfaceAcceleratorClient::user_transform_surface
-> sizeof TransformSurfaceData = 170

About

Learning how to use IOSurfaceAccelerator

Languages

Language:Swift 65.5%Language:C 28.0%Language:Shell 6.5%