Just to say, I am in no way convinced this deallocate/reallocate approach will be stable. It may work a large percentage of the time but likely there will be weird unexplained crashes from time to time.

This is because we don't just write out jit once and then we're done. We have to write it out multiple times as you play games. This means a lot of little windows where another process could sneak in and allocate our slice of memory. And we'd have to dump the entire jit and recompile from scratch at this point if reallocating in the same spot failed, causing poor preformance in the best case. Hopefully being on 64 bit makes this unlikely but that remains to be seen.

So just want to say I don't expect strong stability from this workaround.

-[Unknown]

@unknownbrackets Yeah, like I said — no one's actually even tried to implement this yet — PPSSPP would be the first.

What you say is definitely _possible_, but hopefully it doesn't happen :/

@angelXwind Many thanks for researching this, it's quite interesting.

Why do you need vm_deallocate rather than just MAP_JIT?

(Also, pedantic note: SIP = Rootless ≠ KPP. SIP is for OS X. Also, KPP is not based on any unknown hardware features but just on standard ARM TrustZone stuff.)

Thanks for the detailed post @angelXwind !

I'll try some tricks with the JIT once I've merged your pull request.

I do also have my doubts that any vm_deallocate / MAP_JIT trickery would work as that would defeat Apple's prohibition against JIT, and if that works with no kernel changes, that means that Apple's mitigations are seriously buggy.

@hrydgard The deallocation/reallocation trick won't work on un-jailbroken devices. It only works here because part of what Pangu9 is doing is applying "patches" to... something else (okay, that entire latter part uses all the wrong terminology, but you get the point)

@comex Ah, I was told that KPP was a part of SIP that only existed in iOS. Good to know, I've updated the post.

Not yet confirmed, but it seems like this is working for Play (PS2 emulator):
https://github.com/jpd002/Play--CodeGen/blob/master/src/MemoryFunction.cpp#L49

Notably, this code doesn't seem to reuse a chunk, which won't work for us well, but maybe it's more solvable than we thought?

-[Unknown]

Hm, if that works, then we should probably be reasonably fine - we can just unprotect and reprotect when we need to change pages (if it only allow X or W, not X and W at the same time). Might be a little bit slow at startup when a lot of blocks are created in succession.

Still waiting (patiently :) for @angelXwind 's pull request before I start playing with this.

I wouldn't expect that to work on iOS 9, but I still haven't looked into what Substrate is doing so what do I know.

tested all my games with the recent ppsspp update and now can boot fine but all games crash before reach the menu (just before start play intro videos).
other guy have the same issue:
games will crash at FFMPEG free function. After comment av_freep function calls no crash founded(but should have memory leak..)

Probably the iOS ffmpeg needs updating. I tried to keep the leak fixes compatible with old ffmpegs, but obviously did not test. I think it's better to just update everyone, as I think iOS lacks the GHA fix right now anyway.

-[Unknown]

Will it be fixed for ios 9? And how soon?

So besides iOS 9 being horrid in terms of homebrew development, I am getting really frustrated with iOS devices. I mean, it takes me the same time to make a build of something for every popular OS. Except iOS. I have to fart around with workarounds and version detection and jailbreak methods and all this other crap. When will this get better? And why are there no open-source jailbreak tools for iOS 9?

ERGH. :disappointed:

Not to rush anyone but I would love an update sometime around about the progress of this fix.

This is open source. The best way to get an update on this is to provide one. If you're not a programmer, you can always become one.

Asking for an update here won't make it come any faster. PPSSPP relies on the community for iOS support, and this issue will be closed or updated if something happens, but until then you should either try to become part of the solution or at least not get in the way. Asking for updates helps no one.

I will say, holding your breath until it improves would probably be unhealthy. If you can't stand your phone not being able to run emulators, maybe you're using the wrong phone, or maybe you shouldn't have installed the updated OS yet. iOS is simply not a friendly land for emulators.

-[Unknown]

@unknownbrackets Although, to be fair he would also have to be able to fix all the issues with jailbreaks as well.

Sure. I didn't say it wouldn't be hard. A lot of effort is probably going to be required to make an update materialize here, one way or another.

I do think one potential issue is that the iOS libraries in ppsspp-ffmpeg haven't been updated since 2013. I'm not sure, though.

-[Unknown]

just get andriod phone u can play nds emulator high resloution without frameskip better than ios now stop worry about psp emulator god sake its finsh wait ios 10 u cant do jailbreak.

@unknownbrackets I would say that is definitely an issue! FFMPEG has had probably a bazillion commits that could fix issues, improve FFMPEG, or add new features to PPSSPP. Maybe we should create an issue for that? :question:

@asbel123 It isn't that bad, and waiting for the next version of iOS is liking asking people who have an unmodified PS Vita or PS3 to wait for the next system update to run custom firmware. It's kind of counter productive since the people who run the software never make it easier, they only make it harder. :disappointed:

Android is obviously the superior platform for emulators and open-source development. That doesn't mean that people who have iOS devices shouldn't get the same thing. It just becomes much harder when Apple consistently makes it harder for people to do anything with an unmodified device. Even if you do have a modified device, it still has many bugs and problems (mainly caused by Apple, of course). Telling people to switch devices isn't very practical since most people spend their money pretty wisely. And if you already have something, then you might as well get your money's worth. Besides, the iOS issues are mainly caused by wonky jailbreak methods and much tighter security on Apple's part. :lock:

@asbel123 or a 3DS ;)

@comex Or a real PSP, for that matter. Or even a Vita! They are all great systems.

Hey guys i can install/play ppsspp 1.1.1 from ipwnstore.me (paid app) in ios 9.0.2 jalibroken
And working perfect.
I tried to codesigh the latest build from github but it crahes in videos.

My iphone is jalibroken but its detect as not jalibroken in v1.1.1. Strange since the commit to disabled JIT for ios 9 was meged in recent builds.

Im willing to guess that the reason it detects as not jailbroken in ppsspp is that the jit will not work and causes crashes on ios 9

@hrydgard @angelXwind @vgturtle127 @unknownbrackets Sorry for summoning you. Our friend , @brujo5 , has some interesting pics of ppsspp 1.1.1 working on jail broken devices .

yes, but the commit that disabled jit for ios 9 was merged in more recent build. (more recent than 1.1.1)

i use the v1.1.1

aah, sorry. my mistake. dont know how i missed you saying it was 1.1.1

@angelXwind

Please, tell me if you need something!!

@Fadi5555 This requires you to buy a paid app "approximately" every year to run though, which I have an issue with. First of all, how are these even running if no jailbreak is required? There is no information on how the applications are run without using jailbreaks or certificates. Second, you have to pay each year. I think that is self-explanatory. Third, does this enable things like JIT recompilers and stuff? Probably not without a jailbreak.

I just have no faith in it, the English is really bad on the website, there are grammatical errors everywhere, nothing is explained, yet they want my money. For all I know, they could be running this all through the web browser.

I'm just saying you guys should be a bit skeptical.

@brujo5 How well does it work even without the jailbreak JIT?

(The way those services work is that they use the money to buy developer accounts from Apple, and hand out the 100 device slots allowed for testing per account. Certainly against the terms of service, but that hasn't stopped them so far. However, recently Apple started allowing any user to generate development certificates from Xcode without needing to pay, so it shouldn't be necessary to use them as long as this continues. This doesn't enable JIT in a normal sense, but it might be possible to do a really hacky workaround and actually have the app hold the certificate and sign JIT code on the fly.)

@comex Good to know. Thanks @comex !

Does Apple have a simple utility that generates dev certs, or is it embedded in Xcode?

I don't think it's possible to dynamically sign code on the device.

Keep in mind that this issue, afaiu, only affects 64 bit devices. If the device that's working is 32 bit, it's not really surprising. This is all written in the initial message.

-[Unknown]

my device is 64 bit (iphone 6S) installed ppsspp via ipwnstore and working, also no crashes in videos at least in build 1.1.1 (of curse Jit disabled).

I try when get home. But dont expect play games like god of war, ffantasy type 0, dante inferno, the 3rd birthday,dvz vs tag, tomb raider, kingdom hearts etc. Or any other intensive CPU/GPU demanding game
Work slow also in ip6S.

ok here is http://www.speedyshare.com/4rJvm/Payload.ipa

I also downloaded from ipwnstore I am on ios 9.1. Mine still crashes at game start... Any ideas?

iPhone 6 Ppsspp crashes when you load a rom on v1.1.1 from ipwnstore.me on iOS 9.0.2 jailbroken

In my device work perfect

iPad Air 9.0.2 jailbroken crashes when you load Roms too

Here another test. Ip6S jalibroken

That really sucks! Shame really not sure why that is... Tried every solution just crashes

Is there a way to sign iOS 8.4 shsh blobs. So I can downgrade on my iPhone 6
Thanks

Nope, as far as I remember, SHSH blobs are no longer used in the restore process on any ios after 7

I found another way but need the tweak tsprotector 8 (paid tweak)

1- deleted the ppsspp from cydia (if you have installed)
2- install ppsspp.ipa http://www.speedyshare.com/4rJvm/Payload.ipa
3- open cydia and buy tsprotector 8
4- configure like this

5- play.

Damn it I updated to the 9.1 firmware... I hope they find a jailbreak soon

@erks89 They already have exploits, but none of them are useful yet until they can find additional exploits to "jailbreak the entire system" for lack of a better way to put it.

Hey ! I was following this topic since his creation , and I'm here to bring some light ! Actually i'm using brujo5's 2nd way on my iphone 5c running ios 9.0.2 jailbroken and i was able to play few games like yu gi oh tag force without a single crash ! I even tried to play with my brother on local multiplayer with the built-in ad hoc server and it works well ! I think we should check this custom build made by ipwnstore , we can find something that can fix the current issue on most ios devices i hope.

Plus, i'm currently using a trial version of tsProtector, so don't worry, if you plan to use the way posted by brujo5 you can actually do it without pay something ! Yay. :DD.

(Sorry for my bad english, i'm a young french guy who just want to help out :) )

@Amaestris The issue isn't necessarily getting something to work, it's getting something to work that is both easy to do, reliable, and free. I'm not sure pirating hacks is a good idea. :laughing:

I mean, I get what you're saying. I never would pay for a modification like this, just because it doesn't make much sense. I consider all that stuff a temporary fix until a good ol' untethered jailbreak comes out that doesn't require me to do anything except launch it in DFU mode and install using the normal methods.

I may be in the minority on this, but I feel like iOS needs to be fully "unjailed" before use. As of now, there are temporary fixes and band aid solutions, but nothing that would interest me enough to even think of developing for iOS (not that anything could excite me enough to start developing for iOS anyway since Apple hates developers and user freedom, but whatever).

Ok i have an idea what if you guys try to find or make a cydia tweak that is able to break the kernal patch protection and acess dynarec jit.

Sorry if im completely wrong im only 15
but yea maybe someone can make a cydia tweak that can break the KPP and allow full acess.Sorry again if im completely wrong

@JohnW1ck although I may appear as a hypocrite from an earlier comment I am 100% sure that's really easier said than done.

Maybe pangu with release a tweak that breaks the KPP without having to rejailbreak with TaiG
Ideas Anyone?

Ideas anyone?

Nobody here is going to jailbreak iOS by themselves, I think we will have to wait until somebody more familiar with the software to figure it all out. iPhone Dev Team, Chrono Dev Team, etc.

the good news is that yo can go ingame/play without crash.

so ppsspp dev latest 1.1.1-488 is usable now (no jit) in ARM64 devices

@Fadi5555 We could probably build an iOS emulator by the time we get a jailbreak worthy enough to use. :laughing:

JIT is present and usable on x86 devices right ? I mean, actually only x64 devices don't have the JIT because of this patch technique made by pangu right ? Correct me if i'm wrong :l , i'm asking that because on the ipwnstore ppsspp app, i do have the JIT ON so ... Maybe it only can be solved by a better jailbreak after all.

Also, for those of you using 32-bit ARM devices (armv7, armv7s) on iOS 9, I've pushed a commit that restores JIT for 32-bit ARM.

Basically, what happened was that in the commit that i made to disable JIT on arm64, I ended up accidentally disabling JIT indiscriminately for all iOS 9 devices, which (as you can guess) basically destroyed performance for 32-bit ARM.

So yeah, that's fixed now.

@Amaestris Yeah, everything is working except some iOS devices.

@angelXwind Thank you so much! I was wondering about that. :laughing:

noob question: can I patch VM_PROTECT for JIT manually? If yes, how?

If there was a simple solution, I'm sure it would have been posted here, so the answer is no.

Hey guys there is something called the Happy Chick emulator which basic compiles a lot of emulators together, It has the PPSSPP emulator and it works! I have no idea why. I saw it in on YouTube. So I'd check it out

@AceAgentZero That is an unofficial build, and they include copyrighted material with the application. As such, I wouldn't necessarily recommend it.

@vgturtle127 Do you know how they did it?

@AceAgentZero What do you mean?

@vgturtle127 I mean the problem with the current build of PPSSPP is because JIT won't work. How come PPSSPP works in that app. Even though it's basic the same thing? Don't quote me I am not 100%

@AceAgentZero I don't know, it depends. What device you are on, what iOS version you are running, etc.

It may not work, it may just be faster because of the games you tried, settings you used, etc.

There are a lot of factors. If it works for you, great. But I'd like to know why it works before I try it on a device I paid money for (I don't own any iOS devices, and I don't really plan to, but I was just saying).

Regardless, like I said it contains copyrighted material and also is unofficially built. I know this app is installed on the GPD XD by default, that's where I have come into contact with it.

If somebody has updated the jailbreak to unlock the full potential of the iOS 9+ devices, that would be really great. I wish all the iOS devices were as easy to jailbreak as Android devices are to root, that would make my tensions with Apple almost disappear...

@vgturtle127 I am running this on IOS 9.1 jailbroken IPhone 6. I know this uses a 64 bit so the whole Kernal patch thing doesn't work out for me. If you want proof I can screenshot it but I understand :P iPhones are too dam expensive

@AceAgentZero That's fine, I believe you. I'm not sure how they got it to work, though. What jailbreak did you use?

@vgturtle127 It was the pangu jailbreak. The very first one for iOS 9. Imo I should have never upgraded. It was for the stupid Apple Music lol

@AceAgentZero Apple Music? Ew. :laughing:

I can't get my hands on an .ipa or I might try to learn more...

Henrik (@hrydgard) has implemented what is probably the next-best thing for people without jit support on iOS devices - a faster interpreter. This basically does _some_ of the things the jit did, and some optimization passes, before actually interpreting.

It's still buggy, but the latest git builds have it under developer tools. It won't reach jit speeds, but it's typically a good bit faster than the old interpreter.

I'll repeat: it's still buggy, and under development. The name under the settings is "IR interpreter."

-[Unknown]

Don't forget, with some help from @unknownbrackets :)

But yeah, it's a surprising amount faster than I thought it would be. As unknown says, still a large factor away from the JIT, but it should bring a lot more games into the playable category on non-JIT iOS.

That looks promising. I don't have any iOS device that could validate if it could work for PPSSPP.

Note that I don't see any reason this behavior can't be patched for iOS 9.4/10/whatever. Can't say if it will be or not, and seems worth implementing - just warning for anyone hoping this might be a "permanent" fix. It probably isn't.

I don't know the answer to the non-jailbroken question. I think you have to compile it yourself.

-[Unknown]

@unknownbrackets if you're referring to the ptrace 'bypass', that is expected behaviour for iOS as debugserver (on-device utility that communicates with debuggers) needs to disable codesigning for various reasons such as setting breakpoints. calling ptrace() notifies the system to relax codesigning checks for this reason, which coincidentally allows newly created unsigned pages to be executed.

Right. I'm just saying that if Apple continues to consider jit a security issue, they may fix that coincidence in a future release. Hopefully not.

Anyone have an affected device and a compiler to try it?

-[Unknown]

Hi,

I don't have a compiler for iOS, but I do have an afflicted device (6S on jailbroken 9.0.2).
If the feature to be tested is on v1.22-693 or whatever dev-working version is pushed on cydia, I can test things.

From the first test I've done in this limited time, I've ran VC3 with the IR interpreter, rest of the settings were left on default. Menus and video cutscenes show 60FPS, while normal gameplay reach the expected 30FPS. The only thing that I've noticed is the stuttering sound, but as I recall this also happened back when JIT was enabled on another mobile platform. If there is some specific testing to be done, let me know! Keep up the good work guys! :)

I have a afflicted device!Im running a jailbroken ios 9.0.2 iphone 5s if this JIT needs testing i will be glad to test it.But as above i do not have a compiler :/

Try the IR Interpreter for now.

v1.22-758 caused the IR interpreter to be more unstable. Loading a game consistently crashes 2-3x before succeeding. Also, performance has downgraded and sound more jittery.

If you're seeing crashes, create a new issue. That's not related to arm64 jit on iOS.

Make sure to include: what game or games, the last version that worked, the first version that stopped working, and whether you've tried without using old savestates / other instructions to make it easy for others to experience your problem too. That way someone can fix it.

-[Unknown]

@unknownbrackets did you or another contributor ever test out caling ptrace(0,0,0,0)?
When I tested it for my own app it works but if you are mapping a lot of code repeatedly it becomes very slow so I would recommend mapping as much as possible in one go.

You said a while ago that you thought this coincidence may get patched, but it turns out this is not a coincidence and is fully expected behaviour. The new ipad swift playgrounds app uses the same method to allow swift code entered into the app to be executed (presumably also JIT compiled).

Also please note this ptrace call requires the entitlement get-task-allow to be set which I think is set automatically if signed with a developer certificate, and otherwise unavailable unless jailbroken

The only iOS device I have is an iPhone 3GS - so I have not tested this. No one else has reported testing this so far - it'd be posted here if someone did.

It'd be great if someone wanted to test - this is open source, after all. PPSSPP should compile fairly easily in Xcode. FFmpeg is already compiled for you - we try to make it easy.

https://github.com/hrydgard/ppsspp/wiki/Build-instructions

-[Unknown]

Well i wouldnt know what to do with the FFmpeg im barely touching on coding but if anyone could do this for me i can test this on my iphone 5s ios 9.0.2 and see if it works great without any problems.

I see iOS 9.2-9.3.3 jailbreak news
https://translate.google.com/translate?sl=zh-CN&tl=en&js=y&prev=_t&hl=zh-TW&ie=UTF-8&u=http%3A%2F%2Fnews.mydrivers.com%2F1%2F492%2F492592.htm&edit-text=&act=url

I have a 6s plus jailbroken (pangu) on 9.2 and a 6 plus not jailbroken on 9.2.1.
I also have xcode and the ppsspp code is compiling and I'm able to deploy on these devices.
What can I do to help you out?

Well, based on Razzile's comment above, see this file:
https://github.com/hrydgard/ppsspp/blob/33b392821c1f86f58e7f4b1440f23c00240ca8a4/ios/main.mm#L97

Try adding this right before @autoreleasepool {:

syscall(26, 0, 0, 0, 0);

And then at the top of the same file, add:

#include <sys/syscall.h>
#include <unistd.h>

Next, remove these lines of code:

https://github.com/hrydgard/ppsspp/blob/33b392821c1f86f58e7f4b1440f23c00240ca8a4/Core/Config.cpp#L975-L979

And lastly, replace these lines of code:

https://github.com/hrydgard/ppsspp/blob/33b392821c1f86f58e7f4b1440f23c00240ca8a4/ios/ViewController.mm#L115-L119

With:

iosCanUseJit = true;

If it doesn't work, you might need to try putting the syscall other places. Make sure to enable jit in developer settings in case it's off.

Also, be careful. Someone else who has tried something like this with a different emulator said:

One weird thing is after adding the syscall my iPad is completely unusable until I restart it after I close iNDS. Buttons stop working and it stops responding to events. If I tap a button or icon the animation happens but nothing else. It also refuses to unlock after I lock it telling me my passcode is incorrect.

If you experience this, apparently hard resetting the device fixes it.

-[Unknown]

Thanks @unknownbrackets Still no luck :(
PPSSPP crashes in RunLoopUntil() with EXC_BAD_ACCESS

if ppsspp still crashes whit jit enabled that means it's not an full jalibreak as in previous versions.

for that razon @angelXwind had blocked the use of jit for 64 bit devices.

@brujo5 mapping a JIT region can be done even on jailed devices, as long as the get-task-allow entitlement is present and ptrace() is called (aka if the app is signed with a developer account)

Okay, then try adding syscall(26, 0, 0, 0, 0); underneath PROFILE_THIS_SCOPE("jit");. You'll need to add those same two header lines to the top too.

That will be kinda frequent but it might not be too bad. If that works we should try to find somewhere else it can go that doesn't run as often (maybe above or below this line.)

Does it crash the same way on the 6S and the 6?

-[Unknown]

@unknownbrackets could it be possible that it crashes due to how you are mapping JIT pages? I'm not sure how you are doing it in PPSSPP but this ptrace code will only allow a page mapped as R/RW and then remapped as RX to execute as far as i can tell

@Fadi5555 i was the one to tell William :P it's the same method i posted above

@unknownbrackets @Razzile seems like you guys are making some serious progress with arm64 jit. Any progress on its implementation into PPSSPP? Perhaps in a forked project?

I don't know the first thing about PPSSPP haha, I just thought I'd share my findings 😄

@Razzile Oh I see. Still, looking at your Hello_World_JIT seems like you can really assist @hrydgard with JIT implementation. I looked at the code myself and it seems pretty straight forward.

funny you should mention that because the method used in that code doesn't work on iOS, at least not unjailbroken (haven't tested jailbroken). To get JIT to work on iOS you need to use a slightly different version of the code that's been posted above somewhere or in the iNDS issues

@Razzile Oh I see. I read the code above and it seems legit. Why hasn't anyone implemented it in the official PPSSPP yet? Or at least fork the repository and implement it so that some users may use it?

@unknownbrackets any updates on the implementation into the official PPSSPP?

Please remember guys, this isn't a request thread.

On a total different note: I noticed that between the IR interpreter and JIT on the PC, the IR interpreter actually had more performance in a particular case: when playing games with atrac3+ audio meaning JIT isn't always better (at least in this case).

I'm going to attempt to get JIT working on PPSSPP shortly. I will post my progress soon (need to go through the code)

We don't need any more information. We need someone with an iOS device to do it.

You apparently have an iOS device, right? Sounds like you're in exactly the right place to get it done - you're even presenting proof of how it's done and the people you need to contact to learn to get it done. You also seem quite passionate about this issue - replying frequently, emailing tons of people each time. I'm sure you are excited and motivated to get this done.

If you don't know programming yet - don't worry. I didn't either, until I started programming. And I didn't even have consistent access to the internet then - I bet you do. So you'll probably have a much easier time than I did.

On the other hand, I don't have an iOS device. Nmzik already confirmed that the only idea I could commit doesn't work. So I guess it's waiting on you, @Fadi5555 - good luck.

-[Unknown]

@Fadi5555 I don't think that's what he's saying at all. He's just trying to say that since doesn't possess a device for testing and since you're so passionate about the issue, maybe you might try a hand at it yourself. It's as simple as that.

@unknownbrackets Thank you for your help! Still doesn't work - still I'm getting the same error. I just want you to know that following code works perfectly on latest iOS.

uint8_t codetest[] = {0xE7,0x23,0x00,0xB9,0xE7,0x23,0x40,0xB9,0xC0,0x03,0x5F,0xD6}; //ldr str ret arm64
void *mem = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(mem, codetest, sizeof(codetest));
mprotect(mem, 1024, PROT_READ | PROT_EXEC);
void (*func)() = (void(*)())mem;
func();

Btw, you don't need to use syscall(26, 0, 0, 0, 0) ptrace or other stuff... (Is it for unjailbroken MAYBE?)
You should always call "mprotect()" otherwise you will have "EXC_BAD_ACCESS" error.
For example, If you create a pointer with mapped area with flag PROT_EXEC, like :
void *mem = mmap(NULL, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0) https://github.com/hrydgard/ppsspp/blob/eaeddc6c23cf86514f45199659ecc7396c91a3c0/Common/MemoryUtil.cpp#L157

• it won't work! You should ALWAYS call mprotect() with "PROT_READ | PROT_EXEC" flag after this.

Just trying to be helpful :)))

Hmm, we are supposed to be calling mprotect.

https://github.com/hrydgard/ppsspp/blob/eaeddc6c23cf86514f45199659ecc7396c91a3c0/Common/MemoryUtil.cpp#L272

That really came from Dolphin which does the exact same thing (it's been there since 2008):
https://github.com/dolphin-emu/dolphin/blob/a51c992e6168fa7e10e2ada6168d7f1b38aad961/Source/Core/Common/MemoryUtil.cpp#L62

It looks like WriteProtectMemory and UnWriteProtectMemory are not being called - try adding them?

-[Unknown]

@Nmzik call to ptrace is needed on unjailbroken to lower codesign enforcement, otherwise call to mprotect will fail and/or the cpage won't actually be marked as RX

If you look at the pull request for Dolphin on iOS (Not mine, conradev fixed JIT), you'll see how to correctly do it.

Also the new 64 bit iOS devices have a page size of 16384. You need to align the pointer passed in to memprotect to point to the beginning of a page. I bet your memprotect call is returning an error if you print the output.

Also code=2 on bad access means you do not have the correct protection for the page your using, weather read, write, or execute. If this happens it means your calls to mprotect failed or were not called

I don't have time to test, but something like this should work.

uint8_t codetest[] = {0xE7,0x23,0x00,0xB9,0xE7,0x23,0x40,0xB9,0xC0,0x03,0x5F,0xD6}; //ldr str ret arm64
void *mem = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(mem, codetest, sizeof(codetest));
opPtr = (uintptr_t *)((uintptr_t)mem & 0xFFFFC000); //Align to page
mprotect(opPtr, 16384 * 2, PROT_READ | PROT_EXEC);
void (*func)() = (void(*)())mem;
func();

@WilliamLCobb do you not still need to call ptrace? my experience on jailed 9.3.3 was mprotect would fail if ptrace wasn't called for the reasons mentioned in the iNDS thread.
Not tried jailbroken 9.3.3

You might, I haven't had time to look. It should be easy to check.
If you don't have to then you need to use MAP_JIT

Calling ptrace and running what I posted above (assuming there are no syntax errors) It should work on any device and any iOS version

MAP_JIT seemed to fail for me when jailed but would work when jailbroken with pangu 9.0 jb, just if anyone was interested

EDIT: just like to point out I haven't tried MAP_JIT after calling ptrace. It could work and also remove the need to keep editing page protections

@unknownbrackets YES. WriteProtectMemory and UnWriteProtectMemory are not being called (Added simple check). Thats means mprotect() is not being called too... What's going on?????

@Fadi5555 If you keep talking,no one would fix it.

Can somone please explain why ppsspp doesn't work on ios 9 64 bit devices so that commoners (like myself) who don't know anything about coding can understand the issue and perhaps provide help even if miniscule.

Correct me if I'm wrong in this very simplified explanation.

If I understand Karen correctly from the opening post, there is this feature called Kernel Patch Protection (KPP) which checksums the kernel constantly. Think of it as if you were playing a game of and there is somebody who is constantly tracking the state of the game and writing everything on a piece of paper.
Now JIT (Dynarec) apparently requires the kernel to be patched to work. In our example it would be trying to sneak an illegal move in the game. If the person tracking the game notices this anomaly, he will get mad and basically flips the table causing the game to 'crash'. On 32 bit devices, the jailbreak (in our example) tells the person tracking the moves it is perfectly fine. Sadly it's not that trivial to do the same for 64 bit devices.

@Fadi5555 William just gave an entire summary on how its done in the messages above. I'd do it myself but I really hate working with mac and wouldn't be able to test.

just like to chip in and say that I don't think KPP has anything to do with traditional JIT not working, seeing as JIT code is completely unrelated to anything in the kernel. The best explanation i can think of is an increase in general application security and/or stricter codesign checks and enforcement

@Razzile Exactly, based on the code @WilliamLCobb posted above, I think it's safe to say that all you have to do to get JIT working is that anytime you map executable memory, all you have to do is adjust and align the pointer to the beginning of the page and pass it to mprotect (with the right flags) and it should work (ptrace or not, haven't test) but it's as simple as that to avoid bad access.

@Fadi5555 I'm sure he knows this thread exists and people want JIT, no need to mention him constantly :)

https://ghostbin.com/paste/hpzgh

@unknownbrackets, @hrydgard you could use this dirty example of what needs to be changed to get recompiler work on iOS 9 32/64 when properly signed with sane entitlements. It also fixes the nonsense about jailbreak requirement for all the previous versions. When running without a jailbreak, which is messing up the environment, and without a debugger one is supposed to enable tracing himself.

The only build variant tested was armv7s architecture since you default to it.

_Whenever I need opensource software run properly I have to do it myself, I am too lucky I guess :)_

@vit9696
Hardcoding alignment of 4K for all BSD/Linux systems might not be the ideal solution (although it will presumably work on ARM Android and iOS). It should probably use sysconf(_SC_PAGESIZE). But do any non page-aligned pointers even get passed to that function? Or did you add that as a preventative measure?

edit: well it seems that MEM_PAGE_MASK is already defined and round_page are already there for the purpose of abstracting the platforms

Although all memory passed to it should really already be aligned, so if the cases you added aren't you may want to align on the calling site.

@Bigpet it's not something that is to be merged in, see the comment ^^.
I needed ppsspp and had like 30 mins of spare time to get a certain game running without many lags.

The value is certainly invalid at least for arm64 (when compiled as a native arm64 binary) on iOS 9 and newer, since it is 16k. A cross-platform way is indeed to call sysconf or something like that but iOS, macOS and some Linuxes define PAGE_SIZE which is going to be faster to use. I do not remember by heart where it is but should be in some vm-prefixed header supposedly.

As for the pointers being passed to the function the answer is pretty much. enterDispatcher was 16-byte aligned for some unknown reason, and jitted_ was simply unaligned if I remember correctly. The overall code quality is a bit far from perfect, and the place I put protection changers in was more like 'get it work quickly' and 'hint others where they should look at' than a solution. Because of two things:
— it could cause random crashes if it changes the protection of the nearby lying memory (that much is obvious if you want to write to it);
— changing the protection too frequently might be a little tough for the performance (that is not obvious because it needs some profiling results).

@vit9696 Quite a nice start, thanks.
I've tested it and I saw a speed increase of about 30-50% compared to the IR Interpreter. Still not fluidly playable, but this is the first step. Need to reduce unnecessary mprotect calls and call it only if it's needed – to get more performance out of it.

@Fadi5555 Yes, but it's not 100% stable.

Thank you @vit9696

So if I can guess what's happening is that this:

mprotect(ptr, size, allowExecute ? (PROT_READ | PROT_WRITE | PROT_EXEC) : PROT_WRITE | PROT_READ);

on iOS9 has the same effect as this:

 mprotect(ptr, size, allowExecute ? (PROT_READ | PROT_EXEC) : (PROT_WRITE | PROT_READ));

which means that a page can't be EXEC and WRITE at the same time. This would explain why your changes work.

We could make this work with considerably less page-protection-switching than in your patch though. If we are really careful the overhead probably won't be too noticable.

Fortunately this situation is quite easy to simulate on other platforms (by simply restricting ourselves to the above calls to mprotect) so I might have another look soon.

So if I can guess what's happening is that this

Correct. iOS enforces W^X on any recent version not just on iOS 9. However, previous jailbreaks patched the kernel to allow this. Now with several sections protected by kpp it is much harder and they do not. Very few people bothered running PPSSPP on unjailbroken devices previously (supposedly due to this reason), and if this gets fixed I suggest providing PPSSPP binaries not only as deb packages but as ipas for later codesigning.

We could make this work with considerably less page-protection-switching than in your patch though. If we are really careful the overhead probably won't be too noticable.

Certainly. Please also give a look to memory allocations to make sure there is no chance of accidental write protection removal from an adjacent memory as well as wrong page sizes (APPLE does not mean it should be 4096).

Fortunately this situation is quite easy to simulate on other platforms (by simply restricting ourselves to the above calls to mprotect) so I might have another look soon.

Thanks ^^

you can extract a deb and make an ipa in 2min or less.

very easy. the only thing is codesigh for unjalibroken devices.

@vit9696 yeah, taking the page size into account is important indeed. Any idea what the correct method is to check it on Apple's operating systems?

@hrydgard I would use PAGE_SIZE macro myself if available, however, you could go with getpagesize or sysctl. PAGE_SIZE is available from mach/vm_param.h which includes the platform-specific header. On iOS it will be like that https://ghostbin.com/paste/jvq7r, on macOS like that: https://ghostbin.com/paste/mnuu4. Given that these are specific to architectures (x86/arm) I expect tvOS and watchOS have the same.

apple sucksssssssssssssssssss all they do is boss your device by sending out stupid new firmwares that are patching all the good stuff

@zakusa They're patching SECURITY VULNERABILITIES. It's completely understandable. Stop being ignorant.

8937 implements a much lighter version of @vit9696 's patch, please let me know if it works on iOS as I'm unable to test on a device currently.

Hello guys
My device is
Iphone 6s ios 9.3.3 jailbroken

I can test too , update ppsspp and i try the new JIT

I am available to test as well.. iPhone 6s Plus 9.3.3 jail broken hit me up

@hrydgard: it's working. Just played through the intro of Breath of Fire 3 (PAL) on a not jailbroken iPhone 6 Plus running 9.3.3 with minor slowdowns. I'll do further test and report it. Anything else you want to be tested (comparison to IR Interpreter maybe?)

I'm playng god of war
Iphone 6s
15fps 100%speed audio is perfect

@Fadi5555: the latest build from the buildbot doesn't include the JIT commit. Try to compile it yourself.

Can someone send me the deb please? @seadil some of us don't have MAC's. And my pc isn't really good enough for virtualization

If things are working right, the next build from the iOS buildbot should have it.

@Fadi5555 you should thank @vit9696 as well for the investigation and initial patch, made it clear what needed to be done :)

Thank you so much for all the hard work guys!
Now waiting for the buildbot (1.22-881 just got built, but doesn't show JIT yet).

@jettan 895 should be the good one.

There is a different buildbot for the cydia repo that does that automatically but on a different schedule, I'm not sure exactly when, angelXwind set up that bot.

Eh, don't worry about it dude. It'll be there when it is there.

Dynarec works really well. I just tested it out. Thanks a lot guys!! Mission accomplished. I think we can officially close this issue.

Great! Thanks for reporting.

Yup works like a charm!
Brilliant work guys and thanks again.

Thanks for the work.

Unfortunately, I'm having issues with build 897 on a non-jailbroken iPhone 6s. If I enable jit and run a game, the screen turns completely black and the iPhone becomes unresponsive (home and other buttons stop working and I need to hard reset my iPhone to get it back). I can run just fine (and slow) with everything but jit.

@atsumori666 make sure you sign with the entitlements allowing you to debug the application. Best idea is to try once with Xcode, and then stop using it.

@atsumori666 are you jailbroken?

Still no luck though I'm new at all this so I may not be doing the entitlements right (Code Signing Entitlements > Debut > Any iOS SDK?).

Whenever I launch a game (and the screen turns dark), Xcode takes me to the line:
inline void Write32(u32 value) {_(u32_)code = value; code+=4;}
in ArmEmitter.h (under ARMXEmitter).

Error is: Thread 1: EXC_BAD_ACCESS(code=2, address=0x90c7078

Edit: And no, non-jailbroken.

@hrydgard Is it possible we could implement dynarec in the mupen64 emulator? That would be great.

@atsumori666 ARMEmitter (instead of ARM64Emitter) means you're on a 32-bit device, while most here are on 64-bit. I'll check later that I didn't miss anything when implementing this support for 32-bit, I might have. Can you see the rest of the call stack?

@hotyute Well, obviously it's possible but that's not something I have time for. Ask the mupen64 team if anyone.

That's odd, I'm on a 6s which I'm pretty sure is 64bit. Is there a compile setting I'm missing? Bi don't see the rest of the stack.

Don't know, is there a target option somewhere? Either way, I don't see why a 32-bit build wouldn't work. address=0x90c7078 looks like a 32-bit address, too.

About no callstack, that's also odd as if you got a line number, normally you can see the call stack. But maybe not.

@hrydgard cmake generates armv7 builds by default, and therefore @atsumori666 launches 32-bit builds on a 64-bit device. That's what I myself did, i.e. I did not try a 64-bit build actually. In any case I had no issue. One can set an architecture in "PPSSPP → Architecture" options.

~In fact I did only test your latest changes on a jailbroken device with jailbreak on. Let me reboot and try without a jailbreak.~ Worked just fine. I guess that could either be memory corruption or some change in 9.3.4+ iOS.

@atsumori666 what exact iOS version do you have? I think trying a native arm64 option is an idea to start with. Just pick "Other" and enter "arm64" to the Architecture field in all the projects, also remove "-march=armv7-a" option from cflags.

Is it possible to generate combined 32-bit + 64-bit builds somehow, like you can on Android?

@hrydgard of course it is, just the cmake you use is not only terrible itself :) but produces terrible xcodeproj.

@vit9696 if you can, feel free to help fix it :)

@hrydgard do not the buildbots already produce fat binaries? Never checked myself but they claim it so. If I find some time, I might help as usual. Might not be soon though.

this commit broke everything. I can confirm the issue @atsumori666 mentioned. Getting KERN_PROTECTION_FAILURE (EXC_BAD_ACCESS code=2), which likely means the pages are not aligned before being passed to mprotect.

@vit9696 aahh the pages are still not being aligned properly? how are we able to access jit though?

Ah, OK. I'll look into it, although that explanation sounds strange. Can always revert that commit if we can't get it to work soon.

Wait, I see the mistake. It should ProtectMemoryPages(exitPoint) not ProtectMemoryPages(checkedEntry) in a bunch of places.

Ah I was just reading through. hadn't noticed that @hrydgard . Nice find.

Alright, fix commited, please rebuild or wait for the next build from the bot.

Good stuff. Will test after the build bot passes through. Thanks @hrydgard

Just tried v1.2.2-898-g22b6988 and Everything seems to be running fine! Keep it up @hrydgard

Nice, 898 works for me as well. A few of the games I've tried so far have had issues with freezing to a seemingly unrecoverable black screen but that might be a problem with support for those specific games on iOS. Many of the other games over tried have worked fine.

Doesn't work: Gran Turismo (if you drop bezier quality from high it seems to work) and DOA: Beach Volleyball (unrecoverable regardless of setting once you start a game).

Works Fine: Corpse Party, Danganronpa, and Wipeout Pure (though pure is still a little slow).

Does IOS 10 also work with JIT ?
My friend just ask

Who knows, iOS 10 isn't out yet as far as I know. We'll just have to wait and see.

@atsumori666 do those games work if you switch to the IR interpreter?

No,my friend updated to ios 10

Ah, the preview? Well, ask him to try it and report if it works.

Looks like no. GT was hard to tell because it's so slow it looks like it's crashed with IR interpreter anyway, but DOA reliably freezes the system in IR interpreter mode so it's not an issue with JIT. Thanks for the help!

My friend another ask:How can he download ppsspp latest git build without jailbreak?

You'll need a Apple developer account (which is free) and a Mac with Xcode: http://bouk.co/blog/sideload-iphone/

@sum2012
You can download the deb and convert it to an ipa (There are tutorials out there for that)
Then sideload it using Cydia Impactor on Mac/Linux/Windows
(Plug the phone and click and drag the ipa to the app)

Just convertetd to ipa sideloaded by Impactor.Iphone 5S ios 9.3.3no jailbreak PPSSPP is starting,when try to lunch any game emulator close (crash to ios menu ). I was trying two versions 1.2.2 898 and 1.2.2.906. IR interpreter,Interpreter, JIT same result

Thank you @vit9696 and @hrydgard for your hard work :+1:

@sum2012
download link for deb is
http://cydia.ppsspp.org/org.ppsspp.ppsspp-dev-latest.deb
as far as I remember.

Thanks,I will tell my friend test

Hm, I suppose Impactor doesn't give us all the permissions we need? Maybe need to re-add some checks... But if it crashes like that, it's likely JIT simply won't work when loaded that way.

To play anyway, you can go into system/developer setting and change CPU Core to IR Interpreter but it will be slower and there are a few glitches.

@hrydgard there is no reason for this to fail for iOS 10 but I guess it is correct to be ready to other changes breaking stuff in PPSSPP.

I do wonder whether we could actually check whether we can use JIT on iOS in runtime to avoid crashes. My thoughts on this are:

• SecRequirement check with with "entitlement[\"get-task-allow\"] exists", unsure whether this works actually;
• jailbreak detection;
• syscall tracing return code;
• mprotect return code;
• obtain memory permissions (unsure what is exposed to userspace on iOS, there was stuff in the kernel but cannot say about sandboxed userspace right now).

Regarding Cydia Impactor my experience with it was pretty unpleasant, so was the feedback availability. It is easy to check whether it adds a correct entitlement to the app binary though. One needs to sign the ipa, unpack it with any archiver (as a zip file) and run codesign --display --entitlements - path/to/ppsspp.app/execuable. In cases when codesign is not available one can use a hex editor and look for the embedded plist file incorporating <key>get-task-allow</key>.

If you want to play around with this, pull requests are accepted :) I only have one iOS device myself and had lost the charger cable until recently and have a slow mac laptop so working on this is quite limited and painful, which (in addition to my annoyance at Apple not allowing emulators in the app store) is a reason I haven't worked very hard on this stuff.

I'm not sure the current state of JIT in PPSSPP. I muted this thread 😛, but I have been messing around with mmap again on iOS 9.3.3.

if your app has the dynamic-codesigning entitlement, you can use the MAP_JIT flag in mmap to have memory as truly RWX. This doesn't require any ptrace tricks or any mapping as RW->RX

not sure if this is useful or if this is already implemented, just thought i'd share.

@Fadi5555 the method I just mentioned is different to the one I shared for the iNDS project. It's possible the stuttering is fixed

@Fadi5555 it works just fine in RELEASE with logging disabled. Your claims are invalid. Please stop annoying the audience just because your hands do not grow from your shoudlers.

@vit9696 is right.. with logging disabled it works fine.. I believe @hrydgard told you this himself sometime ago.

Can someone tell me which deb should i use for iphone 6s ios 9.3.3 jailbroken?i use 1.3-283 but it crashes when i launch a game.

@karless JIT is working on iOS 10 with Yalu102, so if you've managed to save your APTickets (blobs) just upgrade to iOS 10.2 and you're set.

We just need an android device,dolphine emulator available,recast available,epsxe available …,iOS,all I know is PPSSPP. And retroarch can't run properly since iOS 9+,and no fix,yeah,you know,iOS is dying,like Nokia Symbian,iOS beats Symbian,and android beats iOS,android wins finally,definitely

@ijoinit

Buy one plus 3t or another device with GPU adreno 530 Gles 3.2 + Vulkan and you are ready.

@ijoinit

It's not about Android vs iOS. I was looking for a device that had these requirements:

1. Decent build quality
2. Top notch performance
3. Compact, no bigger than 4-inch
4. Superb photo and video autofocus

I was willing to drop my "4-inch" requirement, as it appeared there was no Android equivalent in this size which was worth looking at. So if I would drop that requirement, the OnePlus 3T or Samsung Galaxy S7 would be still on my shortlist (next to the iPhone SE). However, it appeared that the S7's build quality is even worse than I expected (84 of our 463 company S7's died within half a year), so I scratched that one. After getting my hands on a OnePlus 3T, I was almost certain that this would be my next phone. Its performance it top notch, it has a slick design, good build quality and produces great photos. Unfortunately, after having used it for a week in the field, I noticed its autofocus is way too slow for my liking and somehow video quality was terrible (which I still don't understand as its CMOS specs are outstanding), so I had to scratch that one as well.

The only phone left on my shortlist was the iPhone SE. It complies with all my requirements. The only downside is that it runs Apple's restricted iOS. The only way for me to enjoy iOS is to run it jailbroken. Don't get me wrong, I love it, but security wise jailbroken iOS is as insecure as Android. I have tons of exploits (written by myself and obtained through other channels) to steal all the nudes from your girlfriend's phone, for both jailbroken iOS and stock Android. If your girlfriend's phone is running Android and has Facebook/WhatsApp/Instagram/Twitter or Musical.ly installed, her nudes are mine. If she has a stock/non-jailbroken iPhone, I'm lacking the skills to break into it.

Back on topic: both PPSSPP and RetroArch (Libretro) are working flawlessly on iOS 10.2. So if you've got a jailbroken device running iOS 10, the sky is the limit! To provide some evidence, here are a few screenshots of Mortal Kombat - Unchained (PSP) using PPSSPP running on an iPhone SE with 10.2:

Other than having set the renderer from 1x PSP to 1:1 no settings have been touched, so the graphics could be even better. Think of anti-aliasing (i.e. supersampling), anistropic filtering, etc.