Comments (82)
iNDS has JIT. You just have to enable it in the settings.
from inds.
iNDS has JIT? That's awesome, brother. I checked the settings but I don't see an option there to enable JIT.
I examined the app files of iNDS and I can see the code for some kind of Lightning JIT option that you are supposed to flip on and off, but I can't seem to see it in the settings. I found the code for it in iFile.
I want to find out how to enable this. If anyone can help I'd appreciate it.
The Lightning JIT code is there but doesn't work yet. I took the option out because all it did was crash the emulator. I'm going to try to work on JIT after finals and see if I can get it working.
I see. I saw a video showcasing the Nitrogen DS emulator, which iNDS is based off, and it had the option of enabling Lightning JIT; there was a switch for it in the video. Maybe you could import the code from that emulator into iNDS...
Oh cool. I'll take a look at that today. The DeSmuME core already has a JIT implementation done, so it should work fine on the iPhone.
Is there an ETA on when you'll implement the JIT or is it a simple port over from Nitrogen?
My bad, I was using an old build that still had it enabled. Sorry.
It's alright. The new build removes it due to crashing issues. Did you ever do gameplay with JIT on? How was it?
I'm pretty sure Nitrogen's Lightning JIT never quite worked (please let me know if I'm wrong). I just tested it on every game in my library and it crashed on startup for all of them. I haven't looked enough into JIT yet to give you an ETA, but I'll post any updates here.
I've always used iNDS on a non-jailbroken iPhone, so I had no way of getting an accurate test. Sorry. I just saw the option.
@WilliamLCobb I'll be looking forward to the updates on JIT. Check out Nitrogen, as I think they have Lightning JIT implemented in their emulator. Maybe you could port it to iNDS and give credit to them. And I saw your post on Twitter about being a beta tester for you. I'm interested in that also. Been involved with emulation on iOS since 2007, so I've seen all emulators, currently developed and discontinued.
Awesome, I'll let you know once I get those to a testable state. Also I did some debugging on their JIT implementation and these were the errors I got:
I'll see if I can figure out what's going on, but I'll put them here in case someone sees something I'm not.
Let me know when you get them in a testable state on this thread here on GitHub or on Twitter. Looks like most of their JIT was implemented correctly and I'm sure the few errors you got there can be corrected with some fixing of the code.
We need more people with experience in code to contribute. I'm going to post an issue on the Nitrogen emulator to redirect people to this page. I feel as if not enough developers know about this. We need more pull requests.
I figured out the error. It's in the JIT initialization. I think I may know the fix and I'll post here later tonight or tomorrow morning with a progress update.
@WilliamLCobb That's awesome that you found the fix for JIT. Will you push an update to Cydia to enable it in the settings?
I haven't found the fix yet just the problem. In order for JIT to work, the device must be able to compile code, store it in memory and then execute it. Loading the code into memory is working fine but when the emu tries to execute it, we get the error above. I'm going to look at the PPSSPP code to see how they did JIT.
@WilliamLCobb Ah, I see. I know the PPSSPP team faced a similar issue when their emulator came to iOS in 2013. Maybe you can examine their JIT code and implementation. Who knows, you might find your answer on how to fix the error that iNDS gets when you enable JIT.
Currently the problem lies in this line: mprotect(p, 1024, PROT_READ | PROT_EXEC)
I'm getting errno 22, which means invalid arguments. Not exactly sure why that's coming up, but once it's solved JIT should be able to work.
I think the problem is not mprotect, but how the alignment is currently handled. I managed to get the test case in main.m to run in my fork by using posix_memalign to allocate the buffer.
Awesome! I'll put that in the JIT initialization in a little bit and see if that fixes it.
I'm playing around with it currently, but unfortunately it seems that more is broken with the compiler on iOS. Here's the error I'm currently getting:
I just sent you a Pull Request to make it easier for you to integrate those changes.
@milch @WilliamLCobb I checked out the pull request. Looks like it was closed so it seems you guys figured out the issue for JIT. Will initial JIT be implemented in the settings for the next iNDS update for Cydia?
@mk8itra1n have you tried to build the app using Xcode or the terminal? It's more reliable than waiting for the Cydia source to get updated. https://github.com/WilliamLCobb/iNDS/wiki/Building-INDS-Jailbroken
https://github.com/WilliamLCobb/iNDS/wiki/Building-INDS
JIT is still not working; milch got it really close, but it's not generating code correctly. I'm going to try it on a 32-bit device and see if that works.
Unfortunately it's really hard to work with the JIT code as there's no documentation and everything is hidden several levels deep in macros. If it's still generating armv6 it's possible that it will work on older devices, though.
Yea, it's a complete mess. It is emitting armv6, so it's not going to work on newer devices.
It's emitting real instructions on my iPad mini but I have yet to get any games to run without bad access errors.
JIT does not work on iOS 9+ for 64-bit devices, because the Pangu jailbreak broke some things (no full kernel patch). Need to wait for the TaiG team.
If you want to enable some tiny JIT code, take a look at the libretro DeSmuME port (RetroArch), but of course it will not work until a new stable jailbreak release.
@WilliamLCobb I think RetroArch has a Nintendo DS emulator but I'm not sure if they implemented JIT in their emulator. I think iOS 9 jailbreak by Pangu broke JIT. But now that iOS 9.2 has been released by Apple maybe a jailbreak will be released by TaiG that fixes JIT on newer devices
I don't think it has anything to do with the Pangu jailbreak; it's more likely that the GNU Lightning implementation is simply outdated (looking at lightning_config.h, it seems this is using a modified version 1.2 from 2004). I'm not sure if 64-bit was even a theoretical thing back then in the ARM world.
In my opinion, the current JIT implementation probably would need to be replaced by something more current to work correctly (also, as I see it, the current implementation is very hard to maintain). Either some other emulator's JIT code is ported (e.g. if libretro has a working implementation) to this codebase, the current implementation is updated to the latest version of lightning (2.1, with a lot of breaking changes), or someone implements it from scratch using a more recent JIT engine.
Is there anyway the current JIT implementation can be fixed for ARM64 devices or will it have to be scrapped with a more recent JIT engine?
NO.
This is due to a number of changes in both iOS 9 and how Pangu9 works. iOS 9 (and OS X 10.11) includes something Apple advertises as "Rootless Security".
Now, many people think "Rootless" means "there is no longer root on iOS/OSX" - no, that'd be crazy. "Rootless" (on iOS, at least) is actually called KPP - Kernel Patch Protection - something where iOS checksums the kernel constantly (ARM TrustZone functionality is how they're doing that without destroying battery life), and panics if anything is patched.
Because of this new security model in iOS, Pangu9 had to make a number of innovations in how the untether works - this is where I skip out on details. The core thing that affects PPSSPP and other projects requiring JIT/modifying of rwx memory pages is the fact that the kernel is no longer patched.
You see, no one's actually figured out how to break KPP. So Pangu9 does not actually patch the kernel, but rather does some [censored] magic to achieve most of what we see in past jailbreaks. Unfortunately, VM_PROTECT is not one of these things - this is what broke basically every JIT implementation out there.
Now, some of you with iOS 9 32-bit devices (iPhone 5, 5c, 4s; iPad 2, 3, 4; iPod touch 5) may have noticed that hey - PPSSPPBuildBot's PPSSPP builds have perfectly working JIT! This is because Pangu9 on 32-bit devices actually does patch the kernel, including VM_PROTECT ;P So JIT is fine for you.
thx to @ angelxwind
Still, they must be doing something right.
If you don't believe me, go to main.m, put #define USE_TEMP_JIT at the top and try running it on a 64-bit device (I ran it on my iPhone 6+ 9.0.2, in case that matters).
The example in there has the arm64 assembly for a simple increment function in a buffer, allocates some memory on the heap, copies that buffer to the heap, activates the execute flag on the heap memory and then executes the function on the heap with a parameter of 1. It then correctly prints the result of 2 and exits successfully with no EXC_BAD_INSTRUCTION, EXC_BAD_ACCESS or any other errors thrown, which should be impossible according to your explanation, unless I'm missing something.
The fact remains that what the JIT currently outputs on a 64-bit device are not valid arm64 instructions and that won't change, even if the KPP needs to be patched before the JIT would theoretically work.
Looks like development of iNDS has come to a halt. I've seen no pull requests or changes on GitHub for it. Any news or anything on the JIT support?
I'm busy this week studying for finals and applying for internships. Development will resume pretty soon.
JIT is going to be a pretty big hill to climb, but I'm going to try and get it working.
@WilliamLCobb Yep, finals for me are next week. Best of luck to you, brother.
In the meantime, while you're trying to get JIT working, do you have any plans to increase FPS and speed for the software interpreter?
Just an update, I've been messing around with JIT some more and actually got a rom into the execution loop which is pretty good. But it gets BAD_ACCESS errors before anything on the screen even shows up. I'll update if anything else interesting happens
@WilliamLCobb thanks for the update, brother. Oh, and do let me know about the beta tester position if you still need one, man.
That error is normal, just wait for a better jailbreak.
"Kernel patch protection" is a security feature that stops the kernel from being modified (see https://en.wikipedia.org/wiki/Kernel_Patch_Protection; it's not a thing unique to iOS, even Windows XP had a form of it), so their jailbreak works by hacking the kernel, quickly modifying userspace to grant more permissions than there were before, then putting the kernel back to normal before KPP notices. My guess would be that the RWX patch was a kernel modification, and since the jailbreak can't persist a modified kernel, it can't apply any permanent kernel patches.
This doesn't mean you can't execute code in jailbroken iOS anymore; the solution would likely be to give an app the same permissions as Safari so that it can allocate RWX memory on startup, and design the emulator to use that API (however it works).
Pangu can't "apply the RWX patch" because kernel patch protection means you can't apply any patches [to the kernel].
I've been testing it on a device on iOS 8 where protecting the kernel still works. If only I could find documentation for DeSmuME's JIT I might be able to get it to work.
http://filetrip.net/nds-downloads/emulators/download-desmume-099-jit-jit-f29543.html
I'm getting really close. JIT code is successfully compiling and executing for a few loops before memory errors.
Great, if you get it working well it could also be used in GC4IOS. You have some really good skills, man.
@WilliamLCobb I can't wait for iNDS with JIT support. Looks like it won't be long now.
With this emulator I envy Android the least. Well, I only envy the Dolphin and MAME 0.167 emulators.
Yes, there are good emulators on Android, but good luck finding a phone, tablet, or streaming box that supports it, because there is a lot of fragmentation among not only Android versions but hardware. At least with iOS, once an emulator is made it is pretty much going to work on most devices, except for older A5 processors.
Don't get your hopes too high yet. I just got a picture on the screen, but it's only for like .1 seconds. There's still a long way to go before we get something runnable.
That .1 seconds is still better than doing nothing.
Definitely, and it's now producing 100% perfect ARM code. There's just something wrong with the memory address offsets.
Edit: I think I know what's up. I'm about to head out for New Year's, but I'll be working on it tomorrow.
That's great. Let's party ^_^
Happy New Year to all of you guys!
Still not 2016 in America.
Happy New Years!!!!!!!!
@WilliamLCobb For 2016, here comes JIT in iNDS!
Maybe someone can come along and help with this because I'm pretty stumped.
Here's an example block of JIT that failed: http://www.cenigma.org/OWRrpxY
It appears to be correct except it fails at offset 8c (str r6, [r4, #0x78]) with EXC_BAD_ACCESS. It's odd because just a few lines up "str r6, [r4, #0x70]" ran fine.
Here's the value of the registers when the program stops on 8c.
(lldb) register read
General Purpose Registers:
r0 = 0x00000026
r1 = 0x17a64000
r2 = 0x0002c500
r3 = 0x0002c500
r4 = 0x00000000
r5 = 0x00000000
r6 = 0x0200080c iNDS g_JitLut + 18928396
r7 = 0x0d083cc4
r8 = 0x00000038
r9 = 0x3ceedcc0 _MergedGlobals + 256
r10 = 0x063a5191 libdispatch.dylib _dispatch_call_block_and_release + 1
r11 = 0x0d083c48
r12 = 0x00000000
sp = 0x0d083c10
lr = 0x00547650 iNDS unsigned int cpuExecuteLJIT<0u>() + 552 at ArmLJit.cpp:7500
pc = 0x17a6408c
cpsr = 0x60000010
I think the problem might be that the registers are losing their values. r4 shouldn't be equal to 0, and that is what caused the crash. The function called at blx r8 pushes the registers but I can't find where or if it pops them.
Again I'm going to keep trying to fix it but hopefully someone more familiar with JIT or DeSmuME will see this and know what's going wrong
The problem is definitely that when the program branches to the address in r8, it pushes the registers r4-r8 but never pops them back.
The fix would be to add a pop call after branching to r8, but I don't understand the JIT implementation enough to make that change, and the lack of documentation makes it even harder to figure everything out.
I think this is the last thing we need to fix before JIT starts working though.
After more debugging I found out it's branching to
template<u32 PROCNUM, u32 memtype>
static u32 MEMOP_STR(u32 adr, u32 data)
{
WRITE32(cpu->mem_if->data, adr, data);
return MMU_aluMemAccessCycles<PROCNUM,32,MMU_AD_WRITE>(2,adr);
}
Some more debugging info:
where the program branches to in blx r8
(lldb) image lookup -a 0x5509d0
Address: iNDS[0x0045d9d0] (iNDS.__TEXT.__text + 4535080)
Summary: iNDS`unsigned int ArmLJit::MEMOP_STR<0u, 0u>(unsigned int, unsigned int) at ArmLJit.cpp:601
What the value of r4 should have been but it was never popped back from memory:
(lldb) image lookup -a 0xa48b80
Address: iNDS[0x00955b80] (iNDS.__DATA.__common + 256)
Summary: iNDS`NDS_ARM9
For some reason registers 4-8 were pushed but never popped back. If we could figure out why then it might fix JIT. I'm going to fix the rom downloading bugs and add things like microphone support, but I'll definitely come back to this and try to finish JIT
hrydgard/ppsspp#8122
Idk if this will help, but there is a discussion on PPSSPP about JIT.
Trying to fix JIT is a pain in any emulator; you should leave it till the end of the list.
The libretro DeSmuME port for iOS/Android is based on the PC core, so it's not ARM friendly, but it has JIT enabled (JIT and JIT block size) and also has other options.
Maybe you can take a look at the libretro code.
@brujo5 do you need another ipa
if there are further changes if. Thx
You're right. There's a lot of other things I should be worrying about. It's so close though; it runs fine 95% of the time, but it just takes one bad command to throw an error.
The latest commit has changes he made to jit so I'll send it to you
@WilliamLCobb
Hopefully he will help us. @rock88
But he has not been connected for some time :(
He is the person who ported nds4ios and ppsspp.
@pmp174 thx man.
Does he have a Twitter account to reach him?
check her profile on github
@brujo5 sent
And I'll track them down. Let's see if we can get this to work.
Consider it done... at least we'll try!
Thanks a bunch.
Yea basically what they're saying is JIT isn't working on iOS 9 64bit (Even though I was able to rwx pages on my 6s? which they said shouldn't be possible)
I've been testing this on my iPad mini on ios 8 though so the iOS 9 problems shouldn't apply.
Didn't they do the patches to jit after 8.1?
From what I've read, in the iOS 9 jailbreak they didn't really jailbreak your phone in the usual sense. In earlier versions they were able to patch or change the kernel, which allowed jailbroken applications full root privileges. In iOS 9 Apple added KPP, which basically ensures the code in the kernel is never changed. Pangu probably exploited a system application with root privileges and somehow uses that to give jailbroken applications the same privileges (that's 100% speculation). They then added a patch to allow 32-bit applications the ability to allocate executable memory, which is why JIT still works on older devices. But we might not see JIT on 64-bit devices until the next jailbreak, or maybe after.
@WilliamLCobb in this latest commit, did you set JIT to be on always or something? Emulation got really slow.
Accidentally left optimization turned off. It should be fixed now
I'm going to open a new technical JIT thread, so if someone does come to help it will be easier to keep up.
Maybe the TaiG jailbreak will fix JIT in the near future
It is known that the Pangu JB breaks Dynarec/JIT.
TaiG is the only solid team on iOS JB.
The issue was that the JIT was compiled into the cache but took around 1 ms to be flushed to the cache. If the compiled block was executed before it was flushed to memory, it would crash.
It was hard to debug, though, because the debugger showed everything was successfully loaded and the errors came for no reason.
The fix was simply fixing the cache flushing function.
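An added example, written for this thread and not part of iNDS or DeSmuME, that ties together the mprotect errno 22 problem from earlier in the thread and the cache-flush fix in the last comment: a minimal W^X-correct JIT smoke test in C, using the same increment function that main.m tested, which reproduces EINVAL for a start address that is not page aligned and then writes, flushes, protects and runs a code page in the right order. It assumes a Linux or macOS host on x86-64 or arm64; the byte patterns and helper names are my own.

```c
/* Added example for this thread, not iNDS or DeSmuME code. It reproduces both failure
 * modes discussed above: mprotect() rejecting a buffer that is not page aligned (errno
 * 22 = EINVAL) and executing a freshly written block before the caches are in sync. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Machine code for `int inc(int x) { return x + 1; }`, the same increment test that
 * the thread's main.m ran, for the two ISAs this example handles. */
#if defined(__x86_64__)
static const uint8_t kInc[] = { 0x8d, 0x47, 0x01,          /* lea eax, [rdi+1] */
                                0xc3 };                    /* ret              */
#elif defined(__aarch64__)
static const uint8_t kInc[] = { 0x00, 0x04, 0x00, 0x11,    /* add w0, w0, #1   */
                                0xc0, 0x03, 0x5f, 0xd6 };  /* ret              */
#else
static const uint8_t kInc[] = { 0 };  /* other ISAs: jit_increment() returns -ENOSYS */
#endif
/* Page-aligned allocation (the posix_memalign fix from the thread); malloc() results
 * are only 16-byte aligned, which is why mprotect() on them fails with EINVAL. */
static void *alloc_code_page(size_t page) {
    void *buf = NULL;
    return posix_memalign(&buf, page, page) == 0 ? buf : NULL;
}

/* errno that mprotect() reports when the start address is one byte past a page
 * boundary: the "errno 22" case from the thread. */
int mprotect_unaligned_errno(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *buf = alloc_code_page(page);
    if (buf == NULL) return -1;
    int saved = mprotect(buf + 1, 1024, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    free(buf);
    return saved;
}

/* Writes kInc to a page-aligned buffer, syncs the caches, flips the page to RX and
 * calls it. Returns in + 1 as computed by the generated code, or -errno on failure
 * (use non-negative inputs so the two cases cannot be confused). */
int jit_increment(int in) {
    if (sizeof(kInc) < 4) return -ENOSYS;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *code = alloc_code_page(page);
    if (code == NULL) return -ENOMEM;
    memcpy(code, kInc, sizeof(kInc));
    /* Make the stores visible to instruction fetch before anything jumps into the
     * block. A no-op on x86; on ARM, skipping it is exactly the "block executed before
     * it was flushed" crash from the last comment. */
    __builtin___clear_cache((char *)code, (char *)code + sizeof(kInc));
    /* W^X: the page is writable or executable, never both at once. */
    if (mprotect(code, page, PROT_READ | PROT_EXEC) != 0) {
        int saved = errno;
        free(code);
        return -saved;
    }
    int (*fn)(int);
    memcpy(&fn, &code, sizeof fn);  /* object -> function pointer without a cast warning */
    int result = fn(in);
    mprotect(code, page, PROT_READ | PROT_WRITE);  /* free() writes into the chunk */
    free(code);
    return result;
}
```

The RW-to-RX flip is the same sequence a non-jailbroken process is allowed to perform for its own anonymous pages; what the thread's iOS 9 discussion is about is the kernel refusing that final mprotect, which this code surfaces as a negative return value instead of a crash.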