forked from TrungNguyen1909/qemu-t8030
Closed
Description
I am attempting to boot the kernel from iOS 14.0 (18A188, xnu_development-6604.0.0.0.2~10) in the emulator but I get the following panic:
panic(cpu 0 caller 0xfffffff009678464): /AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c:125 Assertion failed: err == kSuccess
Log:
info: Loading iOS 14.0.0...
info: Kernel virtual low: 0xfffffff004000000
info: Kernel virtual high: 0xfffffff00a3972a8
KPF: Found AMFI hashtype check
info: Found AMFI (Leaf)
info: lookup_in_trust_cache_module @ 0xfffffff007e68a5c
info: Found mac_mount
kpf_mac_mount_callback: failed to find NOP point
info: Found AMFI (Leaf)
info: lookup_in_static_trust_cache @ 0xfffffff00968b2bc
Missing patch: trustcache16
t8030_amcc_setup: warning: amcc registers unavailable? iOS 13?
t8030_memory_setup: warning: carveout-memory-map unavailable? iOS 13?
info: boot_mode: 0
info: auto-boot=true
info: Kernel virtual base: 0xfffffff004000000
info: Kernel physical base: 0x0000000800000000
info: Kernel virtual slide: 0x0000000000000000
info: Kernel physical slide: 0x0000000000000000
info: Kernel entry point: 0x00000008044604f0
info: Device tree physical base: 0x000000080daac000
info: Device tree virtual base: 0xfffffff011aac000
info: Device tree size: 0x0000000000024000
info: mem_size: 0xf7cc8000
info: Boot args: [debug=0x14e kextlog=0xffff serial=3 -v rd=md0 wdt=-1]
kprintf initialized
Serial mode specified: 00000003
initialize_screen: b=8F7CC8000, w=0000033C, h=00000700, r=00000CF0, d=00000000
pe_arm_init_interrupts: args: 0xfffffff0098abb80
pe_arm_map_interrupt_controller: soc_phys: 0x200000000
pe_arm_map_interrupt_controller: found interrupt-controller
pe_arm_map_interrupt_controller: gPicBase: 0xfffffff1366b0000
pe_arm_map_interrupt_controller: found timer
pe_arm_map_interrupt_controller: gTimerBase: 0xfffffff1366b8000
Darwin Kernel Version 20.0.0: Tue Dec 10 18:13:01 PST 2019; root:xnu_development-6604.0.0.0.2~10/DEVELOPMENT_ARM64_T8030
pmap_startup() init/release time: 31188 microsec
pmap_startup() delayed init/release of 0 pages
vm_page_bootstrap: 228995 free pages, 15151 wired pages, (up to 0 of which are delayed free)
zone leak detection disabled
zalloc: allocating memory for zone names buffer
"vm_compressor_mode" is 32
IOKit IOMD setownership ENABLED
oslog_init completed, 16 chunks, 8 io pages
Telemetry: Sampling all tasks once per 1 second
Scheduler: Default of amp
Setting scheduler priority decay band limit 18
standard timeslicing quantum is 10000 us
standard background quantum is 2500 us
WQ[wql_init]: init linktable with max:262144 elements (8388608 bytes)
WQ[wqp_init]: init prepost table with max:262144 elements (8388608 bytes)
mig_table_max_displ = 53
Limiting task physical memory footprint to 2098 MB
Limiting task physical memory warning to 95%
ATM subsystem is initialized
BANK subsystem is initialized
IPC_PTHREAD_PRIORITY subsystem is initialized
kdp_core zlib memory 0x8000
Registered coredump handler for kernel
Serial requested, consistent debug disabled or debug boot arg not present, configuring debugging over serial
Initializing serial KDP
panic(cpu 0 caller 0xfffffff009678464): /AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c:125 Assertion failed: err == kSuccess
Debugger message: panic
Memory ID: 0x0
OS version: Not set yet
Kernel version: Darwin Kernel Version 20.0.0: Tue Dec 10 18:13:01 PST 2019; root:xnu_development-6604.0.0.0.2~10/DEVELOPMENT_ARM64_T8030
Kernel UUID: D80DB4C0-9094-371E-8F15-BA9312885B8D
iBoot version: ChefKiss QEMU Apple Silicon
secure boot?: YES
Paniclog version: 13
mach_absolute_time: 0x4de5b1
Epoch Time: sec usec
Boot : 0x00000000 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x00000000 0x00000000
Panicked task 0xffffffe000a8fcf0: 874 pages, 10 threads: NULL bsd_info pointer
unknown task
Panicked thread: 0xfffffff009918310, backtrace: 0xffffffe060332500, tid: 101
lr: 0xfffffff007d03348 fp: 0xffffffe060332590
lr: 0xfffffff007e6fd78 fp: 0xffffffe0603325b0
lr: 0xfffffff007e62274 fp: 0xffffffe060332640
lr: 0xfffffff00845e670 fp: 0xffffffe060332650
lr: 0xfffffff007d02924 fp: 0xffffffe0603329c0
lr: 0xfffffff007d02d68 fp: 0xffffffe060332a20
lr: 0xfffffff00967849c fp: 0xffffffe060332a40
lr: 0xfffffff009678464 fp: 0xffffffe060332a70
lr: 0xfffffff007e55b18 fp: 0xffffffe060332ab0
lr: 0xfffffff007e556f4 fp: 0xffffffe060333b20
lr: 0xfffffff007e66b18 fp: 0xffffffe060333b50
lr: 0xfffffff007d33dd0 fp: 0xffffffe060333c90
lr: 0xfffffff0084648f8 fp: 0x0000000000000000
** Stackshot Succeeded ** Bytes Traced 4352 **
handshake structure not initialized
Please go to https://panic.apple.com to report this panic
Boot command:

```shell
./qemu-system-aarch64-unsigned -M t8030,trustcache=static_tc,ticket=root_ticket.der,sep-fw=sep-firmware.n104.RELEASE.new.img4,sep-rom=AppleSEPROM-Cebu-B1,kaslr-off=true \
-kernel kernelcache.im4p -dtb devicetree.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v rd=md0 wdt=-1" -initrd arm64eSURamDisk.dmg \
-smp 7 -m 4G -serial mon:stdio -display cocoa,zoom-to-fit=on,zoom-interpolation=on,show-cursor=on \
-drive file=sep_nvram,if=pflash,format=raw \
-drive file=sep_ssc,if=pflash,format=raw \
-drive file=nvme.1,format=raw,if=none,id=drive.1 -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096
```
It appears that a check within the kernel for "rorgn data" fails, resulting in this panic. Below is the pseudocode for this check.

```c
_DWORD *find_rorgn_data()
{
  _DWORD *result; // x0
  __int64 v1; // x8
  _QWORD *v2; // [xsp+8h] [xbp-28h] BYREF  -- value of the "iboot-handoff" property: {phys addr, size}
  int v3; // [xsp+14h] [xbp-1Ch] BYREF     -- property length
  __int64 v4; // [xsp+18h] [xbp-18h] BYREF -- /chosen device tree entry

  v4 = 0LL;
  v3 = 0;
  v2 = 0LL;
  result = (_DWORD *)find_rorgn_data_amcc_rorgn;
  if ( !find_rorgn_data_amcc_rorgn )
  {
    if ( (unsigned int)DTLookupEntry(0LL, "/chosen", &v4) != 1 )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        122,
        "err == kSuccess");
    // This is the assertion reported in the panic log (line 125): the property is missing.
    if ( (unsigned int)DTGetProperty(v4, "iboot-handoff", &v2, &v3) != 1 )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        125,
        "err == kSuccess");
    result = (_DWORD *)io_map_with_prot(*v2, v2[1], 7LL, 1LL);
    if ( *result != 1213163110 ) // 0x484F6666, ASCII "HOff"
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        130,
        "handoff_region->magic == HANDOFF_T_MAGIC");
    if ( result[1] != 1 )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        131,
        "handoff_region->version == HANDOFF_T_VERSION");
    if ( result )
    {
      v1 = (unsigned int)result[11]; // byte offset of the amcc_rorgn record inside the handoff region
      if ( (_DWORD)v1 )
        result = (_DWORD *)((char *)result + v1);
      else
        result = 0LL;
    }
    if ( *result != 1751216754 ) // 0x68617272, ASCII "harr"
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        135,
        "handoff_amcc_rorgn->magic == HANDOFF_AMCC_RORGN_T_MAGIC");
    if ( result[1] != 1 )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        136,
        "handoff_amcc_rorgn->version == HANDOFF_AMCC_RORGN_T_VERSION");
    if ( result[4] >= 0x11u )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        137,
        "handoff_amcc_rorgn->num_amcc <= MAX_AMCC");
    if ( result[5] >= 0x11u )
      Assert(
        "/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_development/xnu-6604.0.0.0.2/osfmk/arm64/amcc_rorgn.c",
        138,
        "handoff_amcc_rorgn->planes_per_amcc <= MAX_PLANE");
    find_rorgn_data_amcc_rorgn = (__int64)result;
  }
  return result;
}
```
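As an added example (not part of this issue, of qemu-t8030 or of XNU), the following C replays the validation order of the decompiled find_rorgn_data() on an in-memory copy of an iboot-handoff region, so a constructed handoff blob can be checked before it is wired into the emulator's device tree. The dword indices, the hex magics and the MAX_AMCC/MAX_PLANE limit of 16 are inferred from the pseudocode above; the names check_handoff and run_case and the 48-byte header length are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants derived from the decimal literals in the pseudocode above. */
#define HANDOFF_T_MAGIC              0x484F6666u  /* 1213163110, ASCII "HOff" */
#define HANDOFF_T_VERSION            1u
#define HANDOFF_AMCC_RORGN_T_MAGIC   0x68617272u  /* 1751216754, ASCII "harr" */
#define HANDOFF_AMCC_RORGN_T_VERSION 1u
#define MAX_AMCC  16u      /* pseudocode asserts num_amcc < 0x11 */
#define MAX_PLANE 16u
#define AMCC_OFFSET_IDX 11 /* result[11]: byte offset of the amcc_rorgn record */

/* Returns the amcc_rorgn.c line of the first assertion that would fire, or 0 if the
 * mapped region passes every check the pseudocode performs after the DT lookups. */
static int check_handoff(const uint8_t *buf, size_t size)
{
    uint32_t hdr[12], am[6];
    if (size < sizeof hdr) return 130;             /* header not even readable */
    memcpy(hdr, buf, sizeof hdr);
    if (hdr[0] != HANDOFF_T_MAGIC)   return 130;
    if (hdr[1] != HANDOFF_T_VERSION) return 131;
    uint32_t off = hdr[AMCC_OFFSET_IDX];
    /* offset 0 becomes a NULL pointer in the pseudocode and would fault at line 135 */
    if (off == 0 || off > size || size - off < sizeof am) return 135;
    memcpy(am, buf + off, sizeof am);
    if (am[0] != HANDOFF_AMCC_RORGN_T_MAGIC)   return 135;
    if (am[1] != HANDOFF_AMCC_RORGN_T_VERSION) return 136;
    if (am[4] > MAX_AMCC)  return 137;
    if (am[5] > MAX_PLANE) return 138;
    return 0;
}

/* Constructed blob (assumed layout): 48-byte header followed directly by the amcc_rorgn
 * record. corrupt: 0 = well-formed, 1 = wrong header magic, 2 = zero sub-record offset. */
static int run_case(uint32_t num_amcc, uint32_t planes, int corrupt)
{
    uint8_t blob[128];
    uint32_t hdr[12] = { HANDOFF_T_MAGIC, HANDOFF_T_VERSION };
    uint32_t am[6]   = { HANDOFF_AMCC_RORGN_T_MAGIC, HANDOFF_AMCC_RORGN_T_VERSION,
                         0, 0, num_amcc, planes };
    hdr[AMCC_OFFSET_IDX] = corrupt == 2 ? 0 : (uint32_t)sizeof hdr;
    if (corrupt == 1) hdr[0] ^= 1;
    memcpy(blob, hdr, sizeof hdr);
    memcpy(blob + sizeof hdr, am, sizeof am);
    return check_handoff(blob, sizeof hdr + sizeof am);
}
```

run_case(2, 4, 0) returns 0 for a well-formed blob, while run_case(17, 4, 0) returns 137, the line of the num_amcc assertion.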