ChefKissInc / NootedRed

The AMD Vega iGPU support patch kext. No commercial use.
https://chefkissinc.github.io/applehax/nootedred/

DMCUB service patch leads to crash in macOS Catalina #331

Open Zormeister opened 3 days ago

Zormeister commented 3 days ago

macOS Version

Catalina

What is your CPU's model?

AMD Ryzen 5 5625U

Please describe the behaviour in detail.

Used the latest NRed CI, alongside the initial DMCUB patch build.

This resulted in a crash.

Sorry for not having reported this earlier, I didn't want to flood the GitHub issues too much, hopefully this'll be the last FB-breaking issue.

What should've happened instead?

It should've booted to LoginWindow

If applicable, attach the .gpuRestart, .panic, etc file related to this issue.

Kernel-2024-11-19-174451.txt

VisualEhrmanntraut commented 3 days ago

> Sorry for not having reported this earlier, I didn't want to flood the GitHub issues too much, hopefully this'll be the last FB-breaking issue.

Unfortunately I don't have a Renoir-based device so I can't catch the issues myself. The QC testers don't seem to have Catalina installed. Maybe you're the only one actually using Catalina, at least on a Renoir-based device.

VisualEhrmanntraut commented 3 days ago

@Zormeister That log you've shared says "macOS 13.6.9 (22G830)", not macOS 10.15.

VisualEhrmanntraut commented 3 days ago

Oh, but the XNU version in the panic text is 19.6.0, which is Catalina. Confusing.

VisualEhrmanntraut commented 3 days ago

Anyways, Error code: 0x2, CR2 = 0xc0800 -> write to not present address 0xc0800, and that log says __ZN14AmdDalServices10initializeEv + 0xc3. But none of those instructions are writes.

image

Zormeister commented 2 days ago

> @Zormeister That log you've shared says "macOS 13.6.9 (22G830)", not macOS 10.15.

I keep rebooting back into macOS Ventura to fetch these logs, hence the incident report build being 13.6.9 as opposed to 10.15.7, 19H2026 or 19H15

Zormeister commented 2 days ago

@VisualEhrmanntraut

Did some manual debugging, Patch 1 seems to be borked on Catalina for whatever reason.

I disabled Patch 1, which resulted in booting to LoginWindow and being able to use the OS. As a sanity check, I re-enabled Patch 1 and disabled Patch 2, leading to the same crash in the panic log.

VisualEhrmanntraut commented 2 days ago

No shit, but that patch is just replacing cmp dword ptr [rcx + 0x2c], 0x8f with cmp eax, eax followed by a bunch of NOPs.

VisualEhrmanntraut commented 2 days ago

@Zormeister Does this work?

NootedRed-1.0.0-RESEARCH_RELEASE.zip

VisualEhrmanntraut commented 2 days ago

Added additional patch, to disable DMCUB firmware loading from DAL. The default is off in Big Sur and newer, but on in Catalina, for some reason.

VisualEhrmanntraut commented 2 days ago

Re-uploaded, because I made a copy paste error.

Zormeister commented 2 days ago

aight, can test soon

Zormeister commented 2 days ago

Same kernel panic with that build.

VisualEhrmanntraut commented 2 days ago

Well, don't see anything else that could be wrong, it supports DCN 2.1. I suggest getting a dmesg log from before the kernel panic.

Zormeister commented 2 days ago

Alright, I'll get to that at some point.

Zormeister commented 1 day ago

dmesg-21-11-2024 08.15.54.txt dmesg-21-11-2024 08.47.55.txt

VisualEhrmanntraut commented 1 day ago

Don't see any log from the framebuffer before the crash, I would've expected some kind of error. If only we could attach a debugger.

Zormeister commented 1 day ago

Sucks because the only networking I/O available is the unsupported WLAN card, USB Ethernet would maybe do the trick if I went out of my way to get one that works with Catalina

Resolving the unlabelled address might point in the right direction, though I'm not entirely sure

VisualEhrmanntraut commented 1 day ago

Doesn't matter because the KDK kernel doesn't boot even though the AMD vanilla patches apply, at least last time I tried. I would guess that there are some additional checks failing.

Zormeister commented 1 day ago

Random tangent, but the unspecified address led me on a bit of a chase.

The address specified looks to be within the boundaries of the kernel itself, so I decided to disassemble the kernel and try and find the address.

Anyways, from a glance it looks like it's some memset call maybe?

Math:

image
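
Added example, not part of the thread or of the NootedRed code: a small Python triage helper that decodes the page-fault error code discussed above (0x2 with CR2 = 0xc0800) and subtracts the kernel slide from backtrace return addresses so they can be looked up in a kernel disassembly. The panic text is a constructed sample in the usual x86 macOS panic layout; only the CR2 and error-code values are taken from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample panic text; only CR2 and the error code come from the thread.
SAMPLE = """\
panic(cpu 2 caller 0xffffff800044a25a): Kernel trap at 0xffffff80005a1c40, type 14=page fault, registers:
CR0: 0x0000000080010033, CR2: 0x00000000000c0800, CR3: 0x0000000012345000, CR4: 0x00000000003406e0
Error code: 0x0000000000000002, Fault CPU: 0x2
Backtrace (CPU 2), Frame : Return Address
0xffffff81f4a3b8d0 : 0xffffff80005a1c40
0xffffff81f4a3b920 : 0xffffff7f83a150c3
Kernel slide:     0x0000000000200000
Kernel text base: 0xffffff8000400000
"""

# x86 page-fault error-code bits: (mask, meaning if set, meaning if clear).
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write", "read"),
    (0x04, "user mode", "supervisor mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

def decode_pf_error(code):
    """Translate a page-fault error code into readable facts."""
    picked = (s if code & mask else c for mask, s, c in PF_BITS)
    return [text for text in picked if text]

def field(text, name):
    """Read one hex field such as 'CR2: 0x...' or 'Kernel slide: 0x...'."""
    m = re.search(re.escape(name) + r"\s*[:=]\s*(0x[0-9a-fA-F]+)", text)
    if m is None:
        raise ValueError(f"{name} not found in panic text")
    return int(m.group(1), 16)

def triage(text):
    """Decode the fault and unslide backtrace addresses inside kernel text."""
    slide, base = field(text, "Kernel slide"), field(text, "Kernel text base")
    returns = [int(a, 16) for a in
               re.findall(r"^0x[0-9a-f]+ : (0x[0-9a-f]+)", text, re.M)]
    return {
        "cr2": field(text, "CR2"),
        "fault": decode_pf_error(field(text, "Error code")),
        # Heuristic: addresses at or above the slid text base are kernel code.
        "unslid": [hex(a - slide) for a in returns if a >= base],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Return addresses below the kernel text base (kext code in this sample) are left out on purpose, since they are resolved against the kext's own load address rather than the kernel slide.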

VisualEhrmanntraut commented 1 day ago

I know it's a kernel address, it's at the same range where the IOKit functions in the trace also are. I didn't have the kernel on hand, so I didn't bother attempting to look which function it was. I also theorised that it was some trap handler, rather than something like memset. This is useful information however, thanks.

VisualEhrmanntraut commented 1 day ago

image

Maybe the a1879 one?

Zormeister commented 1 day ago

Maybe, I don't know for sure.

VisualEhrmanntraut commented 1 day ago

@Zormeister Can you try this?

NootedRed-1.0.0-RESEARCH_RELEASE.zip

Zormeister commented 1 day ago

Same general panic, however the CR2 value changed to 0x00000000000afc00

Kernel-2024-11-21-214429.txt

VisualEhrmanntraut commented 1 day ago

I guess that's technically progress.