IntelBTPatcher: Add patcher workaround to support new Intel bluetooth firmwares including new BT 5.1, BT 5.2 and BT 5.3.

Author: zxystd

IntelBTPatcher/Info.plist

@@ -40,6 +40,8 @@
 	<dict>
 		<key>as.vit9696.Lilu</key>
 		<string>1.2.0</string>
+		<key>com.apple.iokit.IOUSBHostFamily</key>
+		<string>1.2</string>
 		<key>com.apple.kpi.bsd</key>
 		<string>12.0.0</string>
 		<key>com.apple.kpi.dsep</key>

IntelBTPatcher/IntelBTPatcher.cpp

@@ -2,7 +2,7 @@
 //  IntelBTPatcher.cpp
 //  IntelBTPatcher
 //
-//  Created by qcwap on 2021/2/8.
+//  Created by zxystd <[email protected]> on 2021/2/8.
 //
 
 #include <Headers/kern_api.hpp>
@@ -37,7 +37,7 @@ PluginConfiguration ADDPR(config) {
     bootargBeta,
     arrsize(bootargBeta),
     KernelVersion::MountainLion,
-    KernelVersion::Monterey,
+    KernelVersion::Ventura,
     []() {
         ibtPatcher.init();
     }
@@ -54,14 +54,37 @@ static KernelPatcher::KextInfo IntelBTPatcher_IOBluetoothInfo {
     KernelPatcher::KextInfo::Unloaded
 };
 
+static const char *IntelBTPatcher_IOUSBHostFamily[] {
+    "/System/Library/Extensions/IOUSBHostFamily.kext/Contents/MacOS/IOUSBHostFamily" };
+
+static KernelPatcher::KextInfo IntelBTPatcher_IOUsbHostInfo {
+    "com.apple.iokit.IOUSBHostFamily",
+    IntelBTPatcher_IOUSBHostFamily,
+    1,
+    {true, true},
+    {},
+    KernelPatcher::KextInfo::Unloaded
+};
+
+void *CIntelBTPatcher::_hookPipeInstance = nullptr;
+AsyncOwnerData *CIntelBTPatcher::_interruptPipeAsyncOwner = nullptr;
+bool CIntelBTPatcher::_randomAddressInit = false;
+
 bool CIntelBTPatcher::init()
 {
     DBGLOG(DRV_NAME, "%s", __PRETTY_FUNCTION__);
     callbackIBTPatcher = this;
-    lilu.onKextLoadForce(&IntelBTPatcher_IOBluetoothInfo, 1,
-    [](void *user, KernelPatcher &patcher, size_t index, mach_vm_address_t address, size_t size) {
-        callbackIBTPatcher->processKext(patcher, index, address, size);
-    }, this);
+    if (getKernelVersion() < KernelVersion::Monterey) {
+        lilu.onKextLoadForce(&IntelBTPatcher_IOBluetoothInfo, 1,
+        [](void *user, KernelPatcher &patcher, size_t index, mach_vm_address_t address, size_t size) {
+            callbackIBTPatcher->processKext(patcher, index, address, size);
+        }, this);
+    } else {
+        lilu.onKextLoadForce(&IntelBTPatcher_IOUsbHostInfo, 1,
+        [](void *user, KernelPatcher &patcher, size_t index, mach_vm_address_t address, size_t size) {
+            callbackIBTPatcher->processKext(patcher, index, address, size);
+        }, this);
+    }
     return true;
 }
 
@@ -91,15 +114,224 @@ void CIntelBTPatcher::processKext(KernelPatcher &patcher, size_t index, mach_vm_
             }
 
         }
+    } else {
+        if (IntelBTPatcher_IOUsbHostInfo.loadIndex == index) {
+            SYSLOG(DRV_NAME, "%s", IntelBTPatcher_IOUsbHostInfo.id);
+            
+            KernelPatcher::RouteRequest hostDeviceRequest {
+            "__ZN15IOUSBHostDevice13deviceRequestEP9IOServiceRN11StandardUSB13DeviceRequestEPvP18IOMemoryDescriptorRjP19IOUSBHostCompletionj",
+                newHostDeviceRequest,
+                oldHostDeviceRequest
+            };
+            patcher.routeMultiple(index, &hostDeviceRequest, 1, address, size);
+            if (patcher.getError() == KernelPatcher::Error::NoError) {
+                SYSLOG(DRV_NAME, "routed %s", hostDeviceRequest.symbol);
+            } else {
+                SYSLOG(DRV_NAME, "failed to resolve %s, error = %d", hostDeviceRequest.symbol, patcher.getError());
+                patcher.clearError();
+            }
+            
+            KernelPatcher::RouteRequest asyncIORequest {
+            "__ZN13IOUSBHostPipe2ioEP18IOMemoryDescriptorjP19IOUSBHostCompletionj",
+                newAsyncIO,
+                oldAsyncIO
+            };
+            patcher.routeMultiple(index, &asyncIORequest, 1, address, size);
+            if (patcher.getError() == KernelPatcher::Error::NoError) {
+                SYSLOG(DRV_NAME, "routed %s", asyncIORequest.symbol);
+            } else {
+                SYSLOG(DRV_NAME, "failed to resolve %s, error = %d", asyncIORequest.symbol, patcher.getError());
+                patcher.clearError();
+            }
+            
+            KernelPatcher::RouteRequest initPipeRequest {
+            "__ZN13IOUSBHostPipe28initWithDescriptorsAndOwnersEPKN11StandardUSB18EndpointDescriptorEPKNS0_37SuperSpeedEndpointCompanionDescriptorEP22AppleUSBHostControllerP15IOUSBHostDeviceP18IOUSBHostInterfaceht",
+                newInitPipe,
+                oldInitPipe
+            };
+            patcher.routeMultiple(index, &initPipeRequest, 1, address, size);
+            if (patcher.getError() == KernelPatcher::Error::NoError) {
+                SYSLOG(DRV_NAME, "routed %s", initPipeRequest.symbol);
+            } else {
+                SYSLOG(DRV_NAME, "failed to resolve %s, error = %d", initPipeRequest.symbol, patcher.getError());
+                patcher.clearError();
+            }
+            
+            KernelPatcher::RouteRequest syncIORequest {
+            "__ZN13IOUSBHostPipe2ioEP18IOMemoryDescriptorjRjj",
+                newSyncIO,
+                oldSyncIO
+            };
+            patcher.routeMultiple(index, &syncIORequest, 1, address, size);
+            if (patcher.getError() == KernelPatcher::Error::NoError) {
+                SYSLOG(DRV_NAME, "routed %s", syncIORequest.symbol);
+            } else {
+                SYSLOG(DRV_NAME, "failed to resolve %s, error = %d", syncIORequest.symbol, patcher.getError());
+                patcher.clearError();
+            }
+        }
     }
 }
 
+#pragma mark - For Bigsur-, patch unhandled 0x2019 opcode
+
+#define HCI_OP_LE_START_ENCRYPTION 0x2019
+
 IOReturn CIntelBTPatcher::newFindQueueRequest(void *that, unsigned short arg1, void *addr, unsigned short arg2, bool arg3, void **hciRequestPtr)
 {
     IOReturn ret = FunctionCast(newFindQueueRequest, callbackIBTPatcher->oldFindQueueRequest)(that, arg1, addr, arg2, arg3, hciRequestPtr);
-    if (ret != 0 && arg1 == 0x2019) {
+    if (ret != 0 && arg1 == HCI_OP_LE_START_ENCRYPTION) {
         ret = FunctionCast(newFindQueueRequest, callbackIBTPatcher->oldFindQueueRequest)(that, arg1, addr, 0xffff, arg3, hciRequestPtr);
         DBGLOG(DRV_NAME, "%s ret: %d arg1: 0x%04x arg2: 0x%04x arg3: %d ptr: %p", __FUNCTION__, ret, arg1, arg2, arg3, *hciRequestPtr);
     }
     return ret;
 }
+
+#pragma mark - For Monterey+ patch for intercept HCI REQ and RESP
+
+StandardUSB::DeviceRequest randomAddressRequest;
+// Hardcoded Random Address HCI Command
+const uint8_t randomAddressHci[9] = {0x05, 0x20, 0x06, 0x94, 0x50, 0x64, 0xD0, 0x78, 0x6B}; 
+IOBufferMemoryDescriptor *writeHCIDescriptor = nullptr;
+
+#define MAX_HCI_BUF_LEN             255
+#define HCI_OP_RESET                0x0c03
+#define HCI_OP_LE_SET_SCAN_PARAM    0x200B
+#define HCI_OP_LE_SET_SCAN_ENABLE   0x200C
+
+IOReturn CIntelBTPatcher::newHostDeviceRequest(void *that, IOService *provider, StandardUSB::DeviceRequest &request, void *data, IOMemoryDescriptor *descriptor, unsigned int &length, IOUSBHostCompletion *completion, unsigned int timeout)
+{
+    HciCommandHdr *hdr = nullptr;
+    uint32_t hdrLen = 0;
+    char hciBuf[MAX_HCI_BUF_LEN] = {0};
+    
+    if (data == nullptr) {
+        if (descriptor != nullptr && descriptor->getLength() > 0) {
+            descriptor->readBytes(0, hciBuf, min(descriptor->getLength(), MAX_HCI_BUF_LEN));
+            hdrLen = (uint32_t)min(descriptor->getLength(), MAX_HCI_BUF_LEN);
+        }
+        hdr = (HciCommandHdr *)hciBuf;
+        if (hdr->opcode == HCI_OP_LE_SET_SCAN_PARAM) {
+            if (!_randomAddressInit) {
+                randomAddressRequest.bmRequestType = makeDeviceRequestbmRequestType(kRequestDirectionOut, kRequestTypeClass, kRequestRecipientInterface);
+                randomAddressRequest.bRequest = 0xE0;
+                randomAddressRequest.wIndex = 0;
+                randomAddressRequest.wValue = 0;
+                randomAddressRequest.wLength = 9;
+                length = 9;
+                if (writeHCIDescriptor == nullptr)
+                    writeHCIDescriptor = IOBufferMemoryDescriptor::withBytes(randomAddressHci, 9, kIODirectionOut);
+                writeHCIDescriptor->prepare(kIODirectionOut);
+                IOReturn ret = FunctionCast(newHostDeviceRequest, callbackIBTPatcher->oldHostDeviceRequest)(that, provider, randomAddressRequest, nullptr, writeHCIDescriptor, length, nullptr, timeout);
+                writeHCIDescriptor->complete();
+                const char *randAddressDump = _hexDumpHCIData((uint8_t *)randomAddressHci, 9);
+                if (randAddressDump) {
+                    SYSLOG(DRV_NAME, "[PATCH] Sending Random Address HCI %lld %s", ret, randAddressDump);
+                    IOFree((void *)randAddressDump, 9 * 3 + 1);
+                }
+                _randomAddressInit = true;
+                SYSLOG(DRV_NAME, "[PATCH] Resend LE SCAN PARAM HCI %lld", ret);
+            }
+        }
+#if 0 // We don't need to fake Random address request to Public address, and it is not really fix the issue with Intel fatal firmware error after HCI_OP_LE_SET_SCAN_ENABLE.
+        else if (hdr->opcode == HCI_OP_LE_SET_SCAN_ENABLE) {
+            hdr->data[5] = 0x00;
+            SYSLOG(DRV_NAME, "[FAKE REQ]: RANDOM->PUBLIC done\n");
+        }
+#endif
+    } else {
+        hdr = (HciCommandHdr *)data;
+        hdrLen = request.wLength - 3;
+    }
+    if (hdr) {
+        // HCI reset, we need to send Random address again
+        if (hdr->opcode == HCI_OP_RESET)
+            _randomAddressInit = false;
+#if DEBUG
+        DBGLOG(DRV_NAME, "[%s] bRequest: 0x%x direction: %s type: %s recipient: %s wValue: 0x%02x wIndex: 0x%02x opcode: 0x%04x len: %d length: %d async: %d", provider->getName(), request.bRequest, requestDirectionNames[(request.bmRequestType & kDeviceRequestDirectionMask) >> kDeviceRequestDirectionPhase], requestRecipientNames[(request.bmRequestType & kDeviceRequestRecipientMask) >> kDeviceRequestRecipientPhase], requestTypeNames[(request.bmRequestType & kDeviceRequestTypeMask) >> kDeviceRequestTypePhase], request.wValue, request.wIndex, hdr->opcode, hdr->len, request.wLength, completion != nullptr);
+        if (hdrLen) {
+            const char *dump = _hexDumpHCIData((uint8_t *)hdr, hdrLen);
+            if (dump) {
+                DBGLOG(DRV_NAME, "[Request]: %s", dump);
+                IOFree((void *)dump, hdrLen * 3 + 1);
+            }
+        }
+#endif
+    }
+    return FunctionCast(newHostDeviceRequest, callbackIBTPatcher->oldHostDeviceRequest)(that, provider, request, data, descriptor, length, completion, timeout);
+}
+
+// Succeeded HCI command result of HCI_OP_LE_SET_SCAN_ENABLE, on Monterey+ this will return status 0x12 if we don't set the Random address before
+const uint8_t fakeLEScanEnableResp[6] = {0x0E, 0x04, 0x02, 0x0C, 0x20, 0x00};
+
+static void asyncIOCompletion(void* owner, void* parameter, IOReturn status, uint32_t bytesTransferred)
+{
+    AsyncOwnerData *asyncOwner = (AsyncOwnerData *)owner;
+    IOMemoryDescriptor* dataBuffer = asyncOwner->dataBuffer;
+    DBGLOG(DRV_NAME, "[COMPLETE] status: %d bytesTransferred: %d", status, bytesTransferred);
+    if (dataBuffer && bytesTransferred) {
+        void *buffer = IOMalloc(bytesTransferred);
+        dataBuffer->readBytes(0, buffer, bytesTransferred);
+        const char *dump = _hexDumpHCIData((uint8_t *)buffer, bytesTransferred);
+        if (dump) {
+            DBGLOG(DRV_NAME, "[Response]: %s", dump);
+            IOFree((void *)dump, bytesTransferred * 3 + 1);
+        }
+        HciResponse *resp = (HciResponse *)buffer;
+        if (resp->opcode == 0x200C && resp->data[0]) {
+            SYSLOG(DRV_NAME, "[FAKE RESP]: done");
+            dataBuffer->writeBytes(0, fakeLEScanEnableResp, 6);
+        }
+        IOFree(buffer, bytesTransferred);
+    }
+    if (asyncOwner->action)
+        asyncOwner->action(asyncOwner->owner, parameter, status, bytesTransferred);
+}
+
+IOReturn CIntelBTPatcher::
+newAsyncIO(void *that, IOMemoryDescriptor* dataBuffer, uint32_t dataBufferLength, IOUSBHostCompletion* completion, uint32_t completionTimeoutMs)
+{
+    IOReturn ret = kIOReturnSuccess;
+    if (that == _hookPipeInstance && completion) {
+        _interruptPipeAsyncOwner->action = completion->action;
+        _interruptPipeAsyncOwner->owner = completion->owner;
+        _interruptPipeAsyncOwner->dataBuffer = dataBuffer;
+        completion->action = asyncIOCompletion;
+        completion->owner = _interruptPipeAsyncOwner;
+        ret = FunctionCast(newAsyncIO, callbackIBTPatcher->oldAsyncIO)(that, dataBuffer, dataBufferLength, completion, completionTimeoutMs);
+        if (ret != kIOReturnSuccess)
+            SYSLOG(DRV_NAME, "%s failed ret: %lld", __FUNCTION__, ret);
+        return ret;
+    }
+    return FunctionCast(newAsyncIO, callbackIBTPatcher->oldAsyncIO)(that, dataBuffer, dataBufferLength, completion, completionTimeoutMs);
+}
+
+IOReturn CIntelBTPatcher::
+newSyncIO(void *that, IOMemoryDescriptor *dataBuffer, uint32_t dataBufferLength, uint32_t &bytesTransferred, uint32_t completionTimeoutMs)
+{
+    return FunctionCast(newSyncIO, callbackIBTPatcher->oldSyncIO)(that, dataBuffer, dataBufferLength, bytesTransferred, completionTimeoutMs);
+}
+
+#define VENDOR_USB_INTEL 0x8087
+
+int CIntelBTPatcher::
+newInitPipe(void *that, StandardUSB::EndpointDescriptor const *descriptor, StandardUSB::SuperSpeedEndpointCompanionDescriptor const *superDescriptor, AppleUSBHostController *controller, IOUSBHostDevice *device, IOUSBHostInterface *interface, unsigned char a7, unsigned short a8)
+{
+    int ret = FunctionCast(newInitPipe, callbackIBTPatcher->oldInitPipe)(that, descriptor, superDescriptor, controller, device, interface, a7, a8);
+    if (device) {
+        const StandardUSB::DeviceDescriptor *deviceDescriptor = device->getDeviceDescriptor();
+        if (deviceDescriptor &&
+            deviceDescriptor->idVendor == VENDOR_USB_INTEL) {
+            uint8_t epType = StandardUSB::getEndpointType(descriptor);
+            DBGLOG(DRV_NAME, "GOT YOU Intel bluetooth pid: %d ep type: %d", deviceDescriptor->iProduct, epType);
+            if (epType == kIOUSBEndpointTypeInterrupt) {
+                SYSLOG(DRV_NAME, "GOT YOU Interrupt PIPE");
+                CIntelBTPatcher::_hookPipeInstance = that;
+                if (!CIntelBTPatcher::_interruptPipeAsyncOwner)
+                    CIntelBTPatcher::_interruptPipeAsyncOwner = new AsyncOwnerData;
+                CIntelBTPatcher::_randomAddressInit = false;
+            }
+        }
+    }
+    return ret;
+}

IntelBTPatcher/IntelBTPatcher.hpp

@@ -2,18 +2,77 @@
 //  IntelBTPatcher.h
 //  IntelBTPatcher
 //
-//  Created by qcwap on 2021/2/8.
+//  Created by zxystd <[email protected]> on 2021/2/8.
 //
 
 #ifndef IntelBTPatcher_h
 #define IntelBTPatcher_h
 
 #include <Headers/kern_patcher.hpp>
 
-#define DRV_NAME "IntelBTPatcher"
+#include <IOKit/usb/IOUSBHostDevice.h>
+
+#define DRV_NAME "ibtp"
 
 class BluetoothDeviceAddress;
 
+typedef struct {
+    void *owner;
+    IOMemoryDescriptor *dataBuffer;
+    IOUSBHostCompletionAction action;
+} AsyncOwnerData;
+
+typedef struct __attribute__((packed))
+{
+    uint16_t    opcode;    /* OCF & OGF */
+    uint8_t     len;
+    uint8_t     data[];
+} HciCommandHdr;
+
+typedef struct __attribute__((packed))
+{
+    uint8_t     evt;
+    uint8_t     len;
+} HciEventHdr;
+
+typedef struct __attribute__((packed)) 
+{
+    HciEventHdr evt;
+    uint8_t     numCommands;
+    uint16_t    opcode;
+    uint8_t     data[];
+} HciResponse;
+
+const char *requestDirectionNames[] = {
+    "OUT",
+    "IN"
+};
+
+const char *requestTypeNames[] = {
+    "Standard",
+    "Class",
+    "Vendor"
+};
+
+const char *requestRecipientNames[] = {
+    "Device",
+    "Interface",
+    "Endpoint",
+    "Other"
+};
+
+const char* _hexDumpHCIData(uint8_t *buf, size_t len)
+{
+    ssize_t str_len = len * 3 + 1;
+    char *str = (char*)IOMalloc(str_len);
+    if (!str)
+        return nullptr;
+    for (size_t i = 0; i < len; i++)
+    snprintf(str + 3 * i, (len - i) * 3, "%02x ", buf[i]);
+    str[MAX(str_len - 2, 0)] = 0;
+    return str;
+}
+
 class CIntelBTPatcher {
 public:
     bool init();
@@ -22,7 +81,22 @@ class CIntelBTPatcher {
     void processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t address, size_t size);
     static IOReturn newFindQueueRequest(void *that, unsigned short arg1, void *addr, unsigned short arg2, bool arg3, void **hciRequestPtr);
 
+    static IOReturn newHostDeviceRequest(void *that, IOService *provider, StandardUSB::DeviceRequest &request, void *data, IOMemoryDescriptor *descriptor, unsigned int &length,IOUSBHostCompletion *completion, unsigned int timeout);
+    static IOReturn newAsyncIO(void *that, IOMemoryDescriptor* dataBuffer, uint32_t dataBufferLength, IOUSBHostCompletion* completion, uint32_t completionTimeoutMs);
+    static IOReturn newSyncIO(void *that, IOMemoryDescriptor* dataBuffer, uint32_t dataBufferLength, uint32_t& bytesTransferred, uint32_t completionTimeoutMs);
+    static int newInitPipe(void *that, StandardUSB::EndpointDescriptor const *descriptor, StandardUSB::SuperSpeedEndpointCompanionDescriptor const *superDescriptor,AppleUSBHostController *controller, IOUSBHostDevice *device, IOUSBHostInterface *interface, unsigned char, unsigned short);
+
+    
     mach_vm_address_t oldFindQueueRequest {};
+    mach_vm_address_t oldHostDeviceRequest {};
+    mach_vm_address_t oldAsyncIO {};
+    mach_vm_address_t oldSyncIO {};
+    mach_vm_address_t oldInitPipe {};
+    
+private:
+    static void *_hookPipeInstance;
+    static AsyncOwnerData *_interruptPipeAsyncOwner;
+    static bool _randomAddressInit;
 };
 
 #endif /* IntelBTPatcher_h */