Skip to content

jelliot/mac-pixel-clock-patch

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 

Repository files navigation

Mac Pixel Clock Patcher

Updated with Yosemite Beta support!

This will remove the 165 pixel clock limiter on your display driver to support 4k @ 30Hz over HDMI. An Active DisplayPort to HDMI adapter is often needed for this to work.

Original forum thread here.

Based on the original, and the mavericks update.

How to install this patch

Download the .command file

Download it into your Downloads folder. Open Terminal and run:

cd ~/Downloads

chmod +x macPixelClockPatcher.command

./macPixelClockPatcher.command

You will be asked to enter your password to approve changes in your system.

Pay attention to the output - it should say it detected unpatched IOKit and NVIDIA driver on (your OS X version) and patch it.

Reboot your system.

After reboot, you should be able to get custom resolutions with over 165 MHz pixel clock to work using SwitchResX (not required after 10.9).

Instructions for updating the command for newer versions of IOKit

Instructions for how to reproduce the IOKit patch on a newer version of the binary:

First, take the md5 hash of IOKit for storing in this file md5 -q /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

For OS X 10.9.2, the result is 9804392bbe8ba4b589175be56889c6c7

copy IOKit local and disassemble it

cp /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit .
otool -vt IOKit > IOKit.asm

Open up that file and look for the function _CheckTimingWithRange. You can tell because the line begins with the function name and ends in a colon: _CheckTimingWithRange:

Find the very first jump instruction in the function. In this case it is labelled JNE, which means jump if not equal. The instruction before is a comparison, and a literal translation to C would be expressed as: if(value1 != value2) goto result;

Now we look at the address it's jumping to. In this case it's 0x17341

Go down to that instruction, and you’ll see that there’s a gap between the last jump instruction before it and this block. That block is the cleanup section that returns a good response. This function is structured such that error cases and success share the same return block, with a success block just before the return block.

We want to patch this function so that it always returns a good response, which means changing the first instruction to jump to the good block, which is the first instruction to follow the very last jump to 0x17341. The address of this block is 0x17327

Jump instructions in this code are relative, se we need to calculate the offset being used by the current instruction, and also the address that will be used by the replacement instruction.

Relative jump instructions are stored as an offset to the following instruction. So, in the case of the following code block: Address 1 JMP to 3 2 Do Nothing 3 Do Something

The jump instruction would be encoded as 'Jump +1', since 2 is the address of the next instruction. This is because the processor automatically adds the distance to the next instruction with each instruction run, so it will be included into the starting calculation.

For the existing code, we have the following information:

Instruction:                  JNE 0x17341
Address of instruction:       0x16f9e
Address of next instruction:  0x16fa4
Relative difference:          0x39d (925)

Given that we want to jump to 0x17327 instead, which is 26 bytes of address closer (0x17341 - 0x17327), you might think that we need to work with a relative difference of 0x383 (899) but there's a slight catch.

The instruction that is there, JNE, takes two bytes to express, and the new instruction, JMP, is a single byte instruction. That means that if we don't want to mess with the rest of the program, we have to pad with an instruction that does nothing, NOP, for No OPeration.

Since the next instruction is now the NOP, which is now one byte closer, we must recalculate the offset using a relative difference of 0x384 or 900.

The final two things you need to know to patch IOKit are the opcodes for the three instructions, and the endianness of the architecture.

JNE is 0x0F 0x85, JMP is 0xE9, and NOP is 0x90.

Intel x86 is little endian, which means the small byte of a multi-byte number comes first (the little end comes first). This means that the four byte offset 0x0000039D will be in the instruction stream as 0x9D 0x03 0x00 0x00

So, finally, the existing instruction is JNE +925, or JNE +0x39D, which is encoded as:

(0F 85) JNE (9D 39 00 00) +925
0F 85 9D 39 00 00

The instructions we want to replace it with are JMP +900, NOP, or JMP +0x384, NOP, which is encoded as:

(E9) JMP (84 03 00 00) +900 (90) NOP
E9 84 03 00 00 90

Converting this into a perl command like below, you'll notice that the before and after bytes are exactly the same as in the 10.9.1 version. We test this by patching the local copy of IOKit with thw following command

perl -i.bak -pe '$before = qr"\x0F\x85\x9D\x03\x00\x00"s;s/$before/\xE9\x84\x03\x00\x00\x90/g' IOKit

We'll disassemble the newly patched file to make sure it does what we expect: otool -vt IOKit > IOKit_new.asm

We compare the two versions: diff -u IOKit.asm IOKit_new.asm

Looking at the output shows that the only difference is replacing the JNE with the two instructions, JMP (or JMPQ) and NOP.

The final step is taking the md5 hash of the new version and updating the command file:

md5 -q /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
45d8fc0e1210f0672297a7716478990e

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%