From 31b7cd65cbf3a348de1dd48723dd7a18077cbe32 Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Wed, 7 Jun 2023 15:39:05 +0300
Subject: [PATCH 1/7] Initial catalina efforts

Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_amd.hpp      |  14 ++-
 NootedRed/kern_hwlibs.cpp   |  68 +++++++++-----
 NootedRed/kern_hwlibs.hpp   |   1 -
 NootedRed/kern_nred.cpp     |  12 +--
 NootedRed/kern_nred.hpp     |   2 +-
 NootedRed/kern_patches.hpp  |  63 ++++++++++---
 NootedRed/kern_patterns.hpp |  12 ++-
 NootedRed/kern_start.cpp    |   2 +-
 NootedRed/kern_x5000.cpp    | 154 ++++++++++++++++++++------------
 NootedRed/kern_x6000.cpp    | 171 +++++++++++++++++++-----------------
 NootedRed/kern_x6000fb.cpp  |  24 +++--
 README.md                   |   2 +-
 12 files changed, 339 insertions(+), 186 deletions(-)

diff --git a/NootedRed/kern_amd.hpp b/NootedRed/kern_amd.hpp
index 994af94e..6f16ed9a 100644
--- a/NootedRed/kern_amd.hpp
+++ b/NootedRed/kern_amd.hpp
@@ -132,7 +132,7 @@ struct CailAsicCapEntry {
     const uint32_t *skeleton;
 } PACKED;
 
-struct CailInitAsicCapEntry {
+struct CailAsicCapsInitEntry {
     uint64_t familyId, deviceId;
     uint64_t revision, extRevision;
     uint64_t pciRevision;
@@ -158,6 +158,18 @@ struct CailDeviceTypeEntry {
     uint32_t deviceType;
 } PACKED;
 
+static const uint32_t ravenDevAttrFlags = 0x49;
+
+struct DeviceCapabilityEntry {
+    uint64_t familyId, extRevision;
+    uint64_t deviceId, revision, enumRevision;
+    const void *swipInfo, *swipInfoMinimal;
+    const uint32_t *devAttrFlags;
+    const void *goldenRegisterSetings, *doorbellRange;
+} PACKED;
+
+constexpr uint64_t DEVICE_CAP_ENTRY_REV_DONT_CARE = 0xDEADCAFEU;
+
 enum VideoMemoryType : uint32_t {
     kVideoMemoryTypeUnknown,
     kVideoMemoryTypeDDR2,
diff --git a/NootedRed/kern_hwlibs.cpp b/NootedRed/kern_hwlibs.cpp
index 9a4aae81..e889efbc 100644
--- a/NootedRed/kern_hwlibs.cpp
+++ b/NootedRed/kern_hwlibs.cpp
@@ -26,24 +26,28 @@ bool X5000HWLibs::processKext(KernelPatcher &patcher, size_t index, mach_vm_addr
         NRed::callback->setRMMIOIfNecessary();
 
         CailAsicCapEntry *orgCapsTbl = nullptr;
-        CailInitAsicCapEntry *orgInitCapsTbl = nullptr;
+        CailAsicCapsInitEntry *orgCapsInitTable = nullptr;
         CailDeviceTypeEntry *orgDeviceTypeTable = nullptr;
+        DeviceCapabilityEntry *orgDevCapTable = nullptr;
 
+        auto catalina = getKernelVersion() == KernelVersion::Catalina;
         SolveRequestPlus solveRequests[] = {
-            {"__ZL15deviceTypeTable", orgDeviceTypeTable, kDeviceTypeTablePattern},
-            {"__ZN11AMDFirmware14createFirmwareEPhjjPKc", this->orgCreateFirmware, kCreateFirmwarePattern},
+            {"__ZL15deviceTypeTable", orgDeviceTypeTable, kDeviceTypeTablePattern, !catalina},
+            {"__ZN11AMDFirmware14createFirmwareEPhjjPKc", this->orgCreateFirmware, kCreateFirmwarePattern, !catalina},
             {"__ZN20AMDFirmwareDirectory11putFirmwareE16_AMD_DEVICE_TYPEP11AMDFirmware", this->orgPutFirmware,
-                kPutFirmwarePattern},
+                kPutFirmwarePattern, !catalina},
             {"__ZL20CAIL_ASIC_CAPS_TABLE", orgCapsTbl, kCailAsicCapsTableHWLibsPattern},
-            {"_CAILAsicCapsInitTable", orgInitCapsTbl, kCAILAsicCapsInitTablePattern},
+            {"_CAILAsicCapsInitTable", orgCapsInitTable, kCAILAsicCapsInitTablePattern},
+            {"_DeviceCapabilityTbl", orgDevCapTable, kDeviceCapabilityTblPattern},
         };
         PANIC_COND(!SolveRequestPlus::solveAll(&patcher, index, solveRequests, address, size), "hwlibs",
             "Failed to resolve symbols");
 
         RouteRequestPlus requests[] = {
             {"__ZN35AMDRadeonX5000_AMDRadeonHWLibsX500025populateFirmwareDirectoryEv", wrapPopulateFirmwareDirectory,
-                this->orgPopulateFirmwareDirectory},
-            {"_smu_get_fw_constants", hwLibsNoop, kSmuGetFwConstantsPattern, kSmuGetFwConstantsMask},
+                this->orgPopulateFirmwareDirectory, !catalina},
+            {catalina ? "_smu_get_external_fw" : "_smu_get_fw_constants", hwLibsNoop, kSmuGetFwConstantsPattern,
+                kSmuGetFwConstantsMask},
             {"_smu_9_0_1_check_fw_status", hwLibsNoop, kSmu901CheckFwStatusPattern, kSmu901CheckFwStatusMask},
             {"_smu_9_0_1_unload_smu", hwLibsNoop, kSmu901UnloadSmuPattern, kSmu901UnloadSmuMask},
             {"_psp_cmd_km_submit", wrapPspCmdKmSubmit, this->orgPspCmdKmSubmit, kPspCmdKmSubmitPattern,
@@ -56,37 +60,59 @@ bool X5000HWLibs::processKext(KernelPatcher &patcher, size_t index, mach_vm_addr
 
         PANIC_COND(MachInfo::setKernelWriting(true, KernelPatcher::kernelWriteLock) != KERN_SUCCESS, "hwlibs",
             "Failed to enable kernel writing");
-        *orgDeviceTypeTable = {.deviceId = NRed::callback->deviceId, .deviceType = 6};
+        if (!catalina) { *orgDeviceTypeTable = {.deviceId = NRed::callback->deviceId, .deviceType = 6}; }
+        auto renoir = NRed::callback->chipType >= ChipType::Renoir;
         *orgCapsTbl = {
             .familyId = AMDGPU_FAMILY_RAVEN,
             .deviceId = NRed::callback->deviceId,
             .revision = NRed::callback->revision,
-            .extRevision = NRed::callback->extRevision,
+            .extRevision = static_cast<uint32_t>(NRed::callback->enumRevision) + NRed::callback->revision,
             .pciRevision = NRed::callback->pciRevision,
-            .caps = NRed::callback->chipType < ChipType::Renoir ? ddiCapsRaven : ddiCapsRenoir,
+            .caps = !renoir ? ddiCapsRaven : ddiCapsRenoir,
         };
-        auto *temp = orgInitCapsTbl;
-        while (temp->deviceId != 0xFFFFFFFF) {
-            if (temp->familyId == AMDGPU_FAMILY_RAVEN && temp->deviceId == NRed::callback->deviceId) {
-                temp->revision = NRed::callback->revision;
-                temp->extRevision = NRed::callback->extRevision;
-                temp->pciRevision = NRed::callback->pciRevision;
+        auto targetDeviceId =
+            (catalina && renoir && NRed::callback->deviceId != 0x1636) ? 0x1636 : NRed::callback->deviceId;
+        auto found = false;
+        while (orgCapsInitTable->deviceId != 0xFFFFFFFF) {
+            if (orgCapsInitTable->familyId == AMDGPU_FAMILY_RAVEN && orgCapsInitTable->deviceId == targetDeviceId) {
+                orgCapsInitTable->deviceId = NRed::callback->deviceId;
+                orgCapsInitTable->revision = NRed::callback->revision;
+                orgCapsInitTable->extRevision =
+                    static_cast<uint64_t>(NRed::callback->enumRevision) + NRed::callback->revision;
+                orgCapsInitTable->pciRevision = NRed::callback->pciRevision;
+                found = true;
                 break;
             }
-            temp++;
+            orgCapsInitTable++;
         }
+        PANIC_COND(!found, "hwlibs", "Failed to find init caps table entry");
+        found = false;
+        while (orgDevCapTable->familyId) {
+            if (orgDevCapTable->familyId == AMDGPU_FAMILY_RAVEN && orgDevCapTable->deviceId == targetDeviceId) {
+                orgDevCapTable->deviceId = NRed::callback->deviceId;
+                orgDevCapTable->extRevision =
+                    static_cast<uint64_t>(NRed::callback->enumRevision) + NRed::callback->revision;
+                orgDevCapTable->revision = DEVICE_CAP_ENTRY_REV_DONT_CARE;
+                orgDevCapTable->enumRevision = DEVICE_CAP_ENTRY_REV_DONT_CARE;
+                found = true;
+                break;
+            }
+            orgDevCapTable++;
+        }
+        PANIC_COND(!found, "hwlibs", "Failed to find device capability table entry");
         MachInfo::setKernelWriting(false, KernelPatcher::kernelWriteLock);
         DBGLOG("hwlibs", "Applied DDI Caps patches");
 
         LookupPatchPlus const patches[] = {
-            {&kextRadeonX5000HWLibs, kPspSwInitOriginal1, kPspSwInitPatched1, 1},
-            {&kextRadeonX5000HWLibs, kPspSwInitOriginal2, kPspSwInitMask2, kPspSwInitPatched2, 1},
+            {&kextRadeonX5000HWLibs, kPspSwInitOriginal1, kPspSwInitPatched1, 1, !catalina},
+            {&kextRadeonX5000HWLibs, kPspSwInitOriginal2, kPspSwInitMask2, kPspSwInitPatched2, 1, !catalina},
             {&kextRadeonX5000HWLibs, kSmuInitFunctionPointerListOriginal, kSmuInitFunctionPointerListMask,
                 kSmuInitFunctionPointerListPatched, 1},
             {&kextRadeonX5000HWLibs, kFullAsicResetOriginal, kFullAsicResetPatched, 1},
             {&kextRadeonX5000HWLibs, kGcSwInitOriginal, kGcSwInitOriginalMask, kGcSwInitPatched, kGcSwInitPatchedMask,
-                1},
-            {&kextRadeonX5000HWLibs, kGcSetFwEntryInfoOriginal, kGcSetFwEntryInfoMask, kGcSetFwEntryInfoPatched, 1},
+                1, !catalina},
+            {&kextRadeonX5000HWLibs, kGcSetFwEntryInfoOriginal, kGcSetFwEntryInfoMask, kGcSetFwEntryInfoPatched, 1,
+                !catalina},
             {&kextRadeonX5000HWLibs, kCreatePowerTuneServicesOriginal1, kCreatePowerTuneServicesPatched1, 1,
                 getKernelVersion() < KernelVersion::Monterey},
             {&kextRadeonX5000HWLibs, kCreatePowerTuneServicesMontereyOriginal1,
diff --git a/NootedRed/kern_hwlibs.hpp b/NootedRed/kern_hwlibs.hpp
index df2060f6..61f1b163 100644
--- a/NootedRed/kern_hwlibs.hpp
+++ b/NootedRed/kern_hwlibs.hpp
@@ -22,7 +22,6 @@ class X5000HWLibs {
     mach_vm_address_t orgUpdateSdmaPowerGating {0};
     mach_vm_address_t orgPspCmdKmSubmit {0};
 
-    static uint32_t wrapSmuGetHwVersion();
     static void wrapPopulateFirmwareDirectory(void *that);
     static void wrapUpdateSdmaPowerGating(void *cail, uint32_t mode);
     static AMDReturn wrapPspCmdKmSubmit(void *psp, void *ctx, void *param3, void *param4);
diff --git a/NootedRed/kern_nred.cpp b/NootedRed/kern_nred.cpp
index 2492427c..90deb532 100644
--- a/NootedRed/kern_nred.cpp
+++ b/NootedRed/kern_nred.cpp
@@ -275,32 +275,32 @@ void NRed::setRMMIOIfNecessary() {
             case 0x15D8:
                 if (LIKELY(this->revision >= 0x8)) {
                     this->chipType = ChipType::Raven2;
-                    this->extRevision = 0x79;
+                    this->enumRevision = 0x79;
                     break;
                 }
                 this->chipType = ChipType::Picasso;
-                this->extRevision = 0x41;
+                this->enumRevision = 0x41;
                 break;
             case 0x15DD:
                 if (LIKELY(this->revision >= 0x8)) {
                     this->chipType = ChipType::Raven2;
-                    this->extRevision = 0x79;
+                    this->enumRevision = 0x79;
                     break;
                 }
                 this->chipType = ChipType::Raven;
-                this->extRevision = 0x10;
+                this->enumRevision = 0x10;
                 break;
             case 0x164C:
                 [[fallthrough]];
             case 0x1636:
                 this->chipType = ChipType::Renoir;
-                this->extRevision = 0x91;
+                this->enumRevision = 0x91;
                 break;
             case 0x15E7:
                 [[fallthrough]];
             case 0x1638:
                 this->chipType = ChipType::GreenSardine;
-                this->extRevision = 0x91;
+                this->enumRevision = 0x91;
                 break;
             default:
                 PANIC("nred", "Unknown device ID");
diff --git a/NootedRed/kern_nred.hpp b/NootedRed/kern_nred.hpp
index 8636f559..30140b46 100644
--- a/NootedRed/kern_nred.hpp
+++ b/NootedRed/kern_nred.hpp
@@ -243,7 +243,7 @@ class NRed {
     IOMemoryMap *rmmio {nullptr};
     volatile uint32_t *rmmioPtr {nullptr};
     uint32_t deviceId {0};
-    uint16_t extRevision {0};
+    uint16_t enumRevision {0};
     uint16_t revision {0};
     uint32_t pciRevision {0};
     IOPCIDevice *iGPU {nullptr};
diff --git a/NootedRed/kern_patches.hpp b/NootedRed/kern_patches.hpp
index 16a978de..c637e1ab 100644
--- a/NootedRed/kern_patches.hpp
+++ b/NootedRed/kern_patches.hpp
@@ -112,13 +112,15 @@ static const uint8_t kCreatePowerTuneServicesPatched2[] = {0x41, 0x8B, 0x47, 0x1
 
 /**
  * `AMDRadeonX6000_AmdAsicInfoNavi::populateDeviceInfo`
- * AMDRadeonX6000.kext
+ * AMDRadeonX6000Framebuffer.kext
  * Fix register read (0xD31 -> 0xD2F) and family ID (0x8F -> 0x8E).
  */
 static const uint8_t kPopulateDeviceInfoOriginal[] {0xBE, 0x31, 0x0D, 0x00, 0x00, 0xFF, 0x90, 0x40, 0x01, 0x00, 0x00,
-    0xC7, 0x43, 0x60, 0x8F, 0x00, 0x00, 0x00};
+    0xC7, 0x43, 0x00, 0x8F, 0x00, 0x00, 0x00};
+static const uint8_t kPopulateDeviceInfoMask[] {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF};
 static const uint8_t kPopulateDeviceInfoPatched[] {0xBE, 0x2F, 0x0D, 0x00, 0x00, 0xFF, 0x90, 0x40, 0x01, 0x00, 0x00,
-    0xC7, 0x43, 0x60, 0x8E, 0x00, 0x00, 0x00};
+    0xC7, 0x43, 0x00, 0x8E, 0x00, 0x00, 0x00};
 
 /**
  * `AmdAtomFwServices::initializeAtomDataTable`
@@ -131,6 +133,14 @@ static const uint8_t kAmdAtomVramInfoNullCheckOriginal[] = {0x48, 0x89, 0x83, 0x
 static const uint8_t kAmdAtomVramInfoNullCheckPatched[] = {0x48, 0x89, 0x83, 0x90, 0x00, 0x00, 0x00, 0x66, 0x90, 0x66,
     0x90, 0x66, 0x90, 0x66, 0x90, 0x90, 0x48, 0x8B, 0x7B, 0x18};
 
+/** Ditto */
+static const uint8_t kAmdAtomVramInfoNullCheckCatalinaOriginal[] = {0x48, 0x89, 0x83, 0x80, 0x00, 0x00, 0x00, 0x48,
+    0x85, 0xC0, 0x74, 0x00};
+static const uint8_t kAmdAtomVramInfoNullCheckCatalinaMask[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0xFF, 0x00};
+static const uint8_t kAmdAtomVramInfoNullCheckCatalinaPatched[] = {0x48, 0x89, 0x83, 0x80, 0x00, 0x00, 0x00, 0x66, 0x90,
+    0x66, 0x90, 0x90};
+
 /**
  * `AmdAtomFwServices::initializeAtomDataTable`
  * AMDRadeonX6000Framebuffer.kext
@@ -147,10 +157,14 @@ static const uint8_t kAmdAtomPspDirectoryNullCheckPatched[] = {0x48, 0x89, 0x83,
  * AMDRadeonX6000Framebuffer.kext
  * Neutralise `AmdAtomVramInfo` null check.
  */
-static const uint8_t kGetFirmwareInfoNullCheckOriginal[] = {0x48, 0x83, 0xBB, 0x90, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84,
-    0x90, 0x00, 0x00, 0x00, 0x49, 0x89};
-static const uint8_t kGetFirmwareInfoNullCheckPatched[] = {0x48, 0x83, 0xBB, 0x90, 0x00, 0x00, 0x00, 0x00, 0x66, 0x90,
-    0x66, 0x90, 0x66, 0x90, 0x49, 0x89};
+static const uint8_t kGetFirmwareInfoNullCheckOriginal[] = {0x48, 0x83, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84,
+    0x00, 0x00, 0x00, 0x00, 0x49, 0x89};
+static const uint8_t kGetFirmwareInfoNullCheckOriginalMask[] = {0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF};
+static const uint8_t kGetFirmwareInfoNullCheckPatched[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x90,
+    0x66, 0x90, 0x66, 0x90, 0x00, 0x00};
+static const uint8_t kGetFirmwareInfoNullCheckPatchedMask[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
 
 /**
  * `AMDRadeonX6000_AmdAgdcServices::getVendorInfo`
@@ -172,6 +186,21 @@ static const uint8_t kAgdcServicesGetVendorInfoPatched[] = {0xC7, 0x00, 0x00, 0x
 static const uint8_t kStartHWEnginesOriginal[] = {0x48, 0x83, 0xFB, 0x02};
 static const uint8_t kStartHWEnginesPatched[] = {0x48, 0x83, 0xFB, 0x01};
 
+/**
+ * `AMDRadeonX5000_AMDGraphicsAccelerator::createAccelChannels`
+ * AMDRadeonX5000.kext
+ * Catalina only. Change loop condition to skip SDMA1_HP.
+ */
+static const uint8_t kCreateAccelChannelsOriginal[] = {0x8D, 0x44, 0x09, 0x02};
+static const uint8_t kCreateAccelChannelsPatched[] = {0x8D, 0x44, 0x09, 0x01};
+
+/**
+ * Mismatched `getTtlInterface` virtual call
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetTtlInterfaceCallOriginal[] = {0x48, 0x89, 0xF7, 0xFF, 0x90, 0xC8, 0x02, 0x00, 0x00};
+static const uint8_t kGetTtlInterfaceCallPatched[] = {0x48, 0x89, 0xF7, 0xFF, 0x90, 0xC0, 0x02, 0x00, 0x00};
+
 /**
  * Mismatched `getGpuDebugPolicy` virtual calls.
  * AMDRadeonX6000.kext
@@ -179,6 +208,10 @@ static const uint8_t kStartHWEnginesPatched[] = {0x48, 0x83, 0xFB, 0x01};
 static const uint8_t kGetGpuDebugPolicyCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC0, 0x03, 0x00, 0x00};
 static const uint8_t kGetGpuDebugPolicyCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC8, 0x03, 0x00, 0x00};
 
+/** Ditto */
+static const uint8_t kGetGpuDebugPolicyCallCatalinaOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC8, 0x03, 0x00, 0x00};
+static const uint8_t kGetGpuDebugPolicyCallCatalinaPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC0, 0x03, 0x00, 0x00};
+
 /**
  * `AMDRadeonX6000_AMDHWChannel::submitCommandBuffer`
  * AMDRadeonX6000.kext
@@ -190,6 +223,12 @@ static const uint8_t kHWChannelSubmitCommandBufferOriginal[] = {0x48, 0x8B, 0x07
 static const uint8_t kHWChannelSubmitCommandBufferPatched[] = {0x48, 0x8B, 0x07, 0x66, 0x90, 0x66, 0x90, 0x66, 0x90,
     0x48, 0x8B, 0x43};
 
+/** Ditto */
+static const uint8_t kHWChannelSubmitCommandBufferCatalinaOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x20, 0x02, 0x00,
+    0x00, 0x49, 0x8B, 0x45};
+static const uint8_t kHWChannelSubmitCommandBufferCatalinaPatched[] = {0x48, 0x8B, 0x07, 0x66, 0x90, 0x66, 0x90, 0x66,
+    0x90, 0x49, 0x8B, 0x45};
+
 /**
  * Mismatched `getScheduler` virtual calls.
  * AMDRadeonX6000.kext
@@ -197,6 +236,10 @@ static const uint8_t kHWChannelSubmitCommandBufferPatched[] = {0x48, 0x8B, 0x07,
 static const uint8_t kGetSchedulerCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB8, 0x03, 0x00, 0x00};
 static const uint8_t kGetSchedulerCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC0, 0x03, 0x00, 0x00};
 
+/** Ditto */
+static const uint8_t kGetSchedulerCallCatalinaOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xC0, 0x03, 0x00, 0x00};
+static const uint8_t kGetSchedulerCallCatalinaPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB8, 0x03, 0x00, 0x00};
+
 /**
  * Mismatched `isDeviceValid` virtual calls.
  * AMDRadeonX6000.kext
@@ -205,12 +248,12 @@ static const uint8_t kIsDeviceValidCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x9
 static const uint8_t kIsDeviceValidCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x98, 0x02, 0x00, 0x00};
 
 /**
- * Mismatched `isDevicePCITunnelled` virtual call.
  * `AMDRadeonX6000_AMDNavi10VideoContext::setSuspendResumeState`
  * AMDRadeonX6000.kext
+ * Mismatched `isDevicePCITunnelled` virtual call.
  */
-static const uint8_t kIsDevicePCITunnelledOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB0, 0x02, 0x00, 0x00};
-static const uint8_t kIsDevicePCITunnelledPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xA8, 0x02, 0x00, 0x00};
+static const uint8_t kIsDevicePCITunnelledOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB0, 0x02, 0x00, 0x00, 0x84};
+static const uint8_t kIsDevicePCITunnelledPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xA8, 0x02, 0x00, 0x00, 0x84};
 
 /** VideoToolbox DRM model check */
 static const char kVideoToolboxDRMModelOriginal[] = "MacPro5,1\0MacPro6,1\0IOService";
diff --git a/NootedRed/kern_patterns.hpp b/NootedRed/kern_patterns.hpp
index 965def10..98a2b49b 100644
--- a/NootedRed/kern_patterns.hpp
+++ b/NootedRed/kern_patterns.hpp
@@ -87,9 +87,17 @@ static const uint8_t kUpdateSdmaPowerGatingMask[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xF
  * `_CAILAsicCapsInitTable`
  * AMDRadeonX5000HWLibs.kext
  */
-static const uint8_t kCAILAsicCapsInitTablePattern[] = {0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x67,
+static const uint8_t kCAILAsicCapsInitTablePattern[] = {0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x67,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00};
+    0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00};
+
+/**
+ * `_DeviceCapabilityTbl`
+ * AMDRadeonX5000HWLibs.kext
+ */
+static const uint8_t kDeviceCapabilityTblPattern[] = {0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xCA, 0xAD, 0xDE, 0x00, 0x00,
+    0x00, 0x00, 0xFE, 0xCA, 0xAD, 0xDE, 0x00, 0x00, 0x00, 0x00};
 
 /**
  * `__ZZN37AMDRadeonX5000_AMDGraphicsAccelerator19createAccelChannelsEbE12channelTypes`
diff --git a/NootedRed/kern_start.cpp b/NootedRed/kern_start.cpp
index 61ed70eb..9f6e20c2 100644
--- a/NootedRed/kern_start.cpp
+++ b/NootedRed/kern_start.cpp
@@ -32,7 +32,7 @@ PluginConfiguration ADDPR(config) {
     arrsize(bootargDebug),
     bootargBeta,
     arrsize(bootargBeta),
-    KernelVersion::BigSur,
+    KernelVersion::Catalina,
     KernelVersion::Monterey,
     []() { nred.init(); },
 };
diff --git a/NootedRed/kern_x5000.cpp b/NootedRed/kern_x5000.cpp
index c2bd405a..11d99b58 100644
--- a/NootedRed/kern_x5000.cpp
+++ b/NootedRed/kern_x5000.cpp
@@ -28,9 +28,12 @@ bool X5000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
         uint32_t *orgChannelTypes = nullptr;
         mach_vm_address_t startHWEngines = 0;
 
+        auto catalina = getKernelVersion() == KernelVersion::Catalina;
         SolveRequestPlus solveRequests[] = {
-            {"__ZZN37AMDRadeonX5000_AMDGraphicsAccelerator19createAccelChannelsEbE12channelTypes", orgChannelTypes,
-                kChannelTypesPattern},
+            {catalina ? "__ZZN37AMDRadeonX5000_AMDGraphicsAccelerator22getAdditionalQueueListEPPK18_"
+                        "AMDQueueSpecifierE27additionalQueueList_Default" :
+                        "__ZZN37AMDRadeonX5000_AMDGraphicsAccelerator19createAccelChannelsEbE12channelTypes",
+                orgChannelTypes, kChannelTypesPattern},
             {"__ZN31AMDRadeonX5000_AMDGFX9PM4EngineC1Ev", this->orgGFX9PM4EngineConstructor},
             {"__ZN32AMDRadeonX5000_AMDGFX9SDMAEngineC1Ev", this->orgGFX9SDMAEngineConstructor},
             {"__ZN39AMDRadeonX5000_AMDAccelSharedUserClient5startEP9IOService", this->orgAccelSharedUCStart},
@@ -58,43 +61,69 @@ bool X5000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             {"__ZN31AMDRadeonX5000_IAMDSMLInterface18createSMLInterfaceEj", wrapCreateSMLInterface},
             {"__ZN26AMDRadeonX5000_AMDHWMemory17adjustVRAMAddressEy", wrapAdjustVRAMAddress,
                 this->orgAdjustVRAMAddress},
-            {"__ZN37AMDRadeonX5000_AMDGraphicsAccelerator9newSharedEv", wrapNewShared},
-            {"__ZN37AMDRadeonX5000_AMDGraphicsAccelerator19newSharedUserClientEv", wrapNewSharedUserClient},
+            {"__ZN37AMDRadeonX5000_AMDGraphicsAccelerator9newSharedEv", wrapNewShared, !catalina},
+            {"__ZN37AMDRadeonX5000_AMDGraphicsAccelerator19newSharedUserClientEv", wrapNewSharedUserClient, !catalina},
             {"__ZN30AMDRadeonX5000_AMDGFX9Hardware25allocateAMDHWAlignManagerEv", wrapAllocateAMDHWAlignManager,
                 this->orgAllocateAMDHWAlignManager},
             {"__ZN43AMDRadeonX5000_AMDVega10GraphicsAccelerator13getDeviceTypeEP11IOPCIDevice", wrapGetDeviceType},
             {"__ZN30AMDRadeonX5000_AMDGFX9Hardware20writeASICHangLogInfoEPPv", wrapReturnZero},
             {"__ZN37AMDRadeonX5000_AMDGraphicsAccelerator23obtainAccelChannelGroupE11SS_PRIORITY",
-                wrapObtainAccelChannelGroup, orgObtainAccelChannelGroup},
+                wrapObtainAccelChannelGroup, orgObtainAccelChannelGroup, !catalina},
             {"__ZN4Addr2V27Gfx9Lib20HwlConvertChipFamilyEjj", wrapHwlConvertChipFamily, kHwlConvertChipFamilyPattern},
         };
         PANIC_COND(!RouteRequestPlus::routeAll(patcher, index, requests, address, size), "x5000",
             "Failed to route symbols");
 
-        LookupPatchPlus const patch {&kextRadeonX5000, kStartHWEnginesOriginal, kStartHWEnginesPatched, 1};
+        LookupPatchPlus const patch {&kextRadeonX5000, kStartHWEnginesOriginal, kStartHWEnginesPatched, 1, !catalina};
         PANIC_COND(!patch.apply(&patcher, startHWEngines, PAGE_SIZE), "x5000", "Failed to patch startHWEngines");
 
-        uint32_t findBpp64 = Dcn1Bpp64SwModeMask;
-        uint32_t replBpp64 = Dcn2Bpp64SwModeMask;
-        uint32_t findNonBpp64 = Dcn1NonBpp64SwModeMask;
-        uint32_t replNonBpp64 = Dcn2NonBpp64SwModeMask;
-        auto dcn2 = NRed::callback->chipType >= ChipType::Renoir;
-        LookupPatchPlus const swizzleModePatches[] = {
-            {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findBpp64),
-                reinterpret_cast<const uint8_t *>(&replBpp64), sizeof(uint32_t), 4, dcn2},
-            {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findNonBpp64),
-                reinterpret_cast<const uint8_t *>(&replNonBpp64), sizeof(uint32_t), 4, dcn2},
-        };
-        PANIC_COND(!LookupPatchPlus::applyAll(&patcher, swizzleModePatches, address, size), "x5000",
-            "Failed to patch swizzle mode");
-
-        PANIC_COND(MachInfo::setKernelWriting(true, KernelPatcher::kernelWriteLock) != KERN_SUCCESS, "x5000",
-            "Failed to enable kernel writing");
-        orgChannelTypes[5] = 1;    // Fix createAccelChannels so that it only starts SDMA0
-        orgChannelTypes[getKernelVersion() > KernelVersion::BigSur ? 12 : 11] =
-            0;    // Fix getPagingChannel so that it gets SDMA0
-        MachInfo::setKernelWriting(false, KernelPatcher::kernelWriteLock);
-        DBGLOG("x5000", "Applied SDMA1 patches");
+        LookupPatchPlus const createAccelChannelsPatch {&kextRadeonX5000, kCreateAccelChannelsOriginal,
+            kCreateAccelChannelsPatched, 2, catalina};
+        PANIC_COND(!createAccelChannelsPatch.apply(&patcher, address, size), "x5000",
+            "Failed to patch createAccelChannels");
+
+        if (!catalina) {
+            uint32_t findBpp64 = Dcn1Bpp64SwModeMask;
+            uint32_t replBpp64 = Dcn2Bpp64SwModeMask;
+            uint32_t findNonBpp64 = Dcn1NonBpp64SwModeMask;
+            uint32_t replNonBpp64 = Dcn2NonBpp64SwModeMask;
+            auto dcn2 = NRed::callback->chipType >= ChipType::Renoir;
+            LookupPatchPlus const swizzleModePatches[] = {
+                {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findBpp64),
+                    reinterpret_cast<const uint8_t *>(&replBpp64), sizeof(uint32_t), 4, dcn2},
+                {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findNonBpp64),
+                    reinterpret_cast<const uint8_t *>(&replNonBpp64), sizeof(uint32_t), 4, dcn2},
+            };
+            PANIC_COND(!LookupPatchPlus::applyAll(&patcher, swizzleModePatches, address, size), "x5000",
+                "Failed to patch swizzle mode");
+
+            PANIC_COND(MachInfo::setKernelWriting(true, KernelPatcher::kernelWriteLock) != KERN_SUCCESS, "x5000",
+                "Failed to enable kernel writing");
+            orgChannelTypes[5] = 1;    // Fix createAccelChannels so that it only starts SDMA0
+            orgChannelTypes[getKernelVersion() > KernelVersion::BigSur ? 12 : 11] =
+                0;    // Fix getPagingChannel so that it gets SDMA0
+            MachInfo::setKernelWriting(false, KernelPatcher::kernelWriteLock);
+            DBGLOG("x5000", "Applied SDMA1 patches");
+        } else {
+            auto dcn2 = NRed::callback->chipType >= ChipType::Renoir;
+            uint32_t findNonBpp64 = 0x22222221;
+            uint32_t replNonBpp64 = dcn2 ? Dcn2NonBpp64SwModeMask : Dcn1NonBpp64SwModeMask;
+            uint32_t findBpp64 = 0x44444440;
+            uint32_t replBpp64Pt2 = dcn2 ? Dcn2Bpp64SwModeMask : Dcn1Bpp64SwModeMask;
+            uint32_t replBpp64 = replNonBpp64 ^ replBpp64Pt2;
+            uint32_t findBpp64Pt2 = 0x66666661;
+            LookupPatchPlus const swizzleModePatches[] = {
+                {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findNonBpp64),
+                    reinterpret_cast<const uint8_t *>(&replNonBpp64), sizeof(uint32_t), 2},
+                {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findBpp64),
+                    reinterpret_cast<const uint8_t *>(&replBpp64), sizeof(uint32_t), 1},
+                {&kextRadeonX5000, reinterpret_cast<const uint8_t *>(&findBpp64Pt2),
+                    reinterpret_cast<const uint8_t *>(&replBpp64Pt2), sizeof(uint32_t), 1},
+            };
+            PANIC_COND(!LookupPatchPlus::applyAll(&patcher, swizzleModePatches, address, size), "x5000",
+                "Failed to patch swizzle mode");
+            *orgChannelTypes = 1;    // Make VMPT use SDMA0 instead of SDMA1
+        }
 
         return true;
     }
@@ -103,28 +132,42 @@ bool X5000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
 }
 
 bool X5000::wrapAllocateHWEngines(void *that) {
-    callback->orgGFX9PM4EngineConstructor(getMember<void *>(that, 0x3B8) = IOMallocZero(0x340));
-    callback->orgGFX9SDMAEngineConstructor(getMember<void *>(that, 0x3C0) = IOMallocZero(0x250));
-    X6000::callback->orgVCN2EngineConstructor(getMember<void *>(that, 0x3F8) = IOMallocZero(0x2D8));
+    auto catalina = getKernelVersion() == KernelVersion::Catalina;
+    auto fieldBase = catalina ? 0x348 : 0x3B8;
+    callback->orgGFX9PM4EngineConstructor(getMember<void *>(that, fieldBase) = IOMallocZero(0x340));
+    callback->orgGFX9SDMAEngineConstructor(getMember<void *>(that, fieldBase + 0x8) = IOMallocZero(0x250));
+    X6000::callback->orgVCN2EngineConstructor(
+        getMember<void *>(that, fieldBase + (catalina ? 0x30 : 0x40)) = IOMallocZero(0x2D8));
 
     return true;
 }
 
-enum HWCapability : uint64_t {
-    DisplayPipeCount = 0x04,    // uint32_t
-    SECount = 0x34,             // uint32_t
-    SHPerSE = 0x3C,             // uint32_t
-    CUPerSH = 0x70,             // uint32_t
-    HasUVD0 = 0x84,             // bool
-    HasUVD1 = 0x85,             // bool
-    HasVCE = 0x86,              // bool
-    HasVCN0 = 0x87,             // bool
-    HasVCN1 = 0x88,             // bool
-    HasSDMAPageQueue = 0x98,    // bool
+struct HWCapability {
+    enum : uint64_t {
+        DisplayPipeCount = 0x04,    // uint32_t
+        SECount = 0x34,             // uint32_t
+        SHPerSE = 0x3C,             // uint32_t
+        CUPerSH = 0x70,             // uint32_t
+        HasUVD0 = 0x84,             // bool
+        HasVCE = 0x86,              // bool
+        HasVCN0 = 0x87,             // bool
+    };
+};
+
+struct HWCapabilityCatalina {
+    enum : uint64_t {
+        DisplayPipeCount = 0x04,    // uint32_t
+        SECount = 0x30,             // uint32_t
+        SHPerSE = 0x34,             // uint32_t
+        CUPerSH = 0x58,             // uint32_t
+        HasUVD0 = 0x68,             // bool
+        HasVCE = 0x6A,              // bool
+        HasVCN0 = 0x6B,             // bool
+    };
 };
 
 template<typename T>
-static inline void setHWCapability(void *that, HWCapability capability, T value) {
+static inline void setHWCapability(void *that, uint64_t capability, T value) {
     getMember<T>(that, 0x28 + capability) = value;
 }
 
@@ -136,19 +179,20 @@ void X5000::wrapSetupAndInitializeHWCapabilities(void *that) {
     auto *header = reinterpret_cast<const CommonFirmwareHeader *>(fwDesc.data);
     auto *gpuInfo = reinterpret_cast<const GPUInfoFirmware *>(fwDesc.data + header->ucodeOff);
 
-    setHWCapability<uint32_t>(that, HWCapability::SECount, gpuInfo->gcNumSe);
-    setHWCapability<uint32_t>(that, HWCapability::SHPerSE, gpuInfo->gcNumShPerSe);
-    setHWCapability<uint32_t>(that, HWCapability::CUPerSH, gpuInfo->gcNumCuPerSh);
+    auto catalina = getKernelVersion() == KernelVersion::Catalina;
+    setHWCapability<uint32_t>(that, catalina ? HWCapabilityCatalina::SECount : HWCapability::SECount, gpuInfo->gcNumSe);
+    setHWCapability<uint32_t>(that, catalina ? HWCapabilityCatalina::SHPerSE : HWCapability::SHPerSE,
+        gpuInfo->gcNumShPerSe);
+    setHWCapability<uint32_t>(that, catalina ? HWCapabilityCatalina::CUPerSH : HWCapability::CUPerSH,
+        gpuInfo->gcNumCuPerSh);
 
     FunctionCast(wrapSetupAndInitializeHWCapabilities, callback->orgSetupAndInitializeHWCapabilities)(that);
 
-    setHWCapability<uint32_t>(that, HWCapability::DisplayPipeCount, isRavenDerivative ? 4 : 6);
-    setHWCapability<bool>(that, HWCapability::HasUVD0, false);
-    setHWCapability<bool>(that, HWCapability::HasUVD1, false);
-    setHWCapability<bool>(that, HWCapability::HasVCE, false);
-    setHWCapability<bool>(that, HWCapability::HasVCN0, true);
-    setHWCapability<bool>(that, HWCapability::HasVCN1, false);
-    setHWCapability<bool>(that, HWCapability::HasSDMAPageQueue, false);
+    setHWCapability<uint32_t>(that, catalina ? HWCapabilityCatalina::DisplayPipeCount : HWCapability::DisplayPipeCount,
+        isRavenDerivative ? 4 : 6);
+    setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasUVD0 : HWCapability::HasUVD0, false);
+    setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasVCE : HWCapability::HasVCE, false);
+    setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasVCN0 : HWCapability::HasVCN0, true);
 }
 
 void *X5000::wrapGetHWChannel(void *that, uint32_t engineType, uint32_t ringId) {
@@ -156,7 +200,9 @@ void *X5000::wrapGetHWChannel(void *that, uint32_t engineType, uint32_t ringId)
     return FunctionCast(wrapGetHWChannel, callback->orgGetHWChannel)(that, (engineType == 2) ? 1 : engineType, ringId);
 }
 
-void X5000::wrapInitializeFamilyType(void *that) { getMember<uint32_t>(that, 0x308) = AMDGPU_FAMILY_RAVEN; }
+void X5000::wrapInitializeFamilyType(void *that) {
+    getMember<uint32_t>(that, getKernelVersion() == KernelVersion::Catalina ? 0x2B4 : 0x308) = AMDGPU_FAMILY_RAVEN;
+}
 
 void *X5000::wrapAllocateAMDHWDisplay(void *that) {
     return FunctionCast(wrapAllocateAMDHWDisplay, X6000::callback->orgAllocateAMDHWDisplay)(that);
@@ -209,7 +255,7 @@ void *X5000::wrapObtainAccelChannelGroup(void *that, uint32_t priority) {
 }
 
 uint32_t X5000::wrapHwlConvertChipFamily(void *that, uint32_t, uint32_t) {
-    auto &settings = getMember<Gfx9ChipSettings>(that, 0x5B10);
+    auto &settings = getMember<Gfx9ChipSettings>(that, getKernelVersion() == KernelVersion::Catalina ? 0x5B18 : 0x5B10);
     auto renoir = NRed::callback->chipType >= ChipType::Renoir;
     settings.isArcticIsland = 1;
     settings.isRaven = 1;
diff --git a/NootedRed/kern_x6000.cpp b/NootedRed/kern_x6000.cpp
index 63ddfa07..da648c07 100644
--- a/NootedRed/kern_x6000.cpp
+++ b/NootedRed/kern_x6000.cpp
@@ -24,13 +24,15 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
     if (kextRadeonX6000.loadIndex == index) {
         NRed::callback->setRMMIOIfNecessary();
 
-        KernelPatcher::SolveRequest solveRequests[] = {
+        auto catalina = getKernelVersion() == KernelVersion::Catalina;
+        SolveRequestPlus solveRequests[] = {
             {"__ZN30AMDRadeonX6000_AMDVCN2HWEngineC1Ev", this->orgVCN2EngineConstructor},
             {"__ZN31AMDRadeonX6000_AMDGFX10Hardware20allocateAMDHWDisplayEv", this->orgAllocateAMDHWDisplay},
             {"__ZN42AMDRadeonX6000_AMDGFX10GraphicsAccelerator15newVideoContextEv", this->orgNewVideoContext},
             {"__ZN31AMDRadeonX6000_IAMDSMLInterface18createSMLInterfaceEj", this->orgCreateSMLInterface},
-            {"__ZN37AMDRadeonX6000_AMDGraphicsAccelerator9newSharedEv", this->orgNewShared},
-            {"__ZN37AMDRadeonX6000_AMDGraphicsAccelerator19newSharedUserClientEv", this->orgNewSharedUserClient},
+            {"__ZN37AMDRadeonX6000_AMDGraphicsAccelerator9newSharedEv", this->orgNewShared, !catalina},
+            {"__ZN37AMDRadeonX6000_AMDGraphicsAccelerator19newSharedUserClientEv", this->orgNewSharedUserClient,
+                !catalina},
             {"__ZN35AMDRadeonX6000_AMDAccelVideoContext10gMetaClassE", NRed::callback->metaClassMap[0][1]},
             {"__ZN37AMDRadeonX6000_AMDAccelDisplayMachine10gMetaClassE", NRed::callback->metaClassMap[1][1]},
             {"__ZN34AMDRadeonX6000_AMDAccelDisplayPipe10gMetaClassE", NRed::callback->metaClassMap[2][1]},
@@ -38,16 +40,17 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             {"__ZN33AMDRadeonX6000_AMDHWAlignManager224getPreferredSwizzleMode2EP33_ADDR2_COMPUTE_SURFACE_INFO_INPUT",
                 this->orgGetPreferredSwizzleMode2},
         };
-        PANIC_COND(!patcher.solveMultiple(index, solveRequests, address, size), "x6000", "Failed to resolve symbols");
+        PANIC_COND(!SolveRequestPlus::solveAll(&patcher, index, solveRequests, address, size), "x6000",
+            "Failed to resolve symbols");
 
-        KernelPatcher::RouteRequest requests[] = {
+        RouteRequestPlus requests[] = {
             {"__ZN37AMDRadeonX6000_AMDGraphicsAccelerator5startEP9IOService", wrapAccelStartX6000},
-            {"__ZN39AMDRadeonX6000_AMDAccelSharedUserClient5startEP9IOService", wrapAccelSharedUCStartX6000},
-            {"__ZN39AMDRadeonX6000_AMDAccelSharedUserClient4stopEP9IOService", wrapAccelSharedUCStopX6000},
+            {"__ZN39AMDRadeonX6000_AMDAccelSharedUserClient5startEP9IOService", wrapAccelSharedUCStartX6000, !catalina},
+            {"__ZN39AMDRadeonX6000_AMDAccelSharedUserClient4stopEP9IOService", wrapAccelSharedUCStopX6000, !catalina},
             {"__ZN30AMDRadeonX6000_AMDGFX10Display23initDCNRegistersOffsetsEv", wrapInitDCNRegistersOffsets,
-                this->orgInitDCNRegistersOffsets},
+                this->orgInitDCNRegistersOffsets, NRed::callback->chipType < ChipType::Renoir},
             {"__ZN29AMDRadeonX6000_AMDAccelShared11SurfaceCopyEPjyP12IOAccelEvent", wrapAccelSharedSurfaceCopy,
-                this->orgAccelSharedSurfaceCopy},
+                this->orgAccelSharedSurfaceCopy, !catalina},
             {"__ZN27AMDRadeonX6000_AMDHWDisplay17allocateScanoutFBEjP16IOAccelResource2S1_Py", wrapAllocateScanoutFB,
                 this->orgAllocateScanoutFB},
             {"__ZN27AMDRadeonX6000_AMDHWDisplay14fillUBMSurfaceEjP17_FRAMEBUFFER_INFOP13_UBM_SURFINFO",
@@ -57,15 +60,26 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             {"__ZN27AMDRadeonX6000_AMDHWDisplay14getDisplayInfoEjbbPvP17_FRAMEBUFFER_INFO", wrapGetDisplayInfo,
                 this->orgGetDisplayInfo},
         };
-        PANIC_COND(!patcher.routeMultiple(index, requests, address, size), "x6000", "Failed to route symbols");
+        PANIC_COND(!RouteRequestPlus::routeAll(patcher, index, requests, address, size), "x6000",
+            "Failed to route symbols");
 
         auto monterey = getKernelVersion() == KernelVersion::Monterey;
         LookupPatchPlus const patches[] = {
-            {&kextRadeonX6000, kGetGpuDebugPolicyCallOriginal, kGetGpuDebugPolicyCallPatched, 28},
-            {&kextRadeonX6000, kHWChannelSubmitCommandBufferOriginal, kHWChannelSubmitCommandBufferPatched, 1},
-            {&kextRadeonX6000, kGetSchedulerCallOriginal, kGetSchedulerCallPatched, monterey ? 21U : 22U},
-            {&kextRadeonX6000, kIsDeviceValidCallOriginal, kIsDeviceValidCallPatched, monterey ? 26U : 24U},
-            {&kextRadeonX6000, kIsDevicePCITunnelledOriginal, kIsDevicePCITunnelledPatched, 1},
+            {&kextRadeonX6000, kGetGpuDebugPolicyCallOriginal, kGetGpuDebugPolicyCallPatched, 28, !catalina},
+            {&kextRadeonX6000, kGetGpuDebugPolicyCallCatalinaOriginal, kGetGpuDebugPolicyCallCatalinaPatched, 27,
+                catalina},
+            {&kextRadeonX6000, kHWChannelSubmitCommandBufferOriginal, kHWChannelSubmitCommandBufferPatched, 1,
+                !catalina},
+            {&kextRadeonX6000, kHWChannelSubmitCommandBufferCatalinaOriginal,
+                kHWChannelSubmitCommandBufferCatalinaPatched, 1, catalina},
+            {&kextRadeonX6000, kGetSchedulerCallOriginal, kGetSchedulerCallPatched, monterey ? 21U : 22, !catalina},
+            {&kextRadeonX6000, kGetSchedulerCallCatalinaOriginal, kGetSchedulerCallCatalinaPatched, 22, catalina},
+            {&kextRadeonX6000, kIsDeviceValidCallOriginal, kIsDeviceValidCallPatched,
+                catalina ? 20U :
+                monterey ? 26 :
+                           24},
+            {&kextRadeonX6000, kIsDevicePCITunnelledOriginal, kIsDevicePCITunnelledPatched, catalina ? 5U : 1},
+            {&kextRadeonX6000, kGetTtlInterfaceCallOriginal, kGetTtlInterfaceCallPatched, 6, catalina},
         };
         PANIC_COND(!LookupPatchPlus::applyAll(&patcher, patches, address, size), "x6000", "Failed to apply patches: %d",
             patcher.getError());
@@ -92,70 +106,69 @@ bool X6000::wrapAccelSharedUCStopX6000(void *that, void *provider) {
 
 void X6000::wrapInitDCNRegistersOffsets(void *that) {
     FunctionCast(wrapInitDCNRegistersOffsets, callback->orgInitDCNRegistersOffsets)(that);
-    if (NRed::callback->chipType < ChipType::Renoir) {
-        DBGLOG("x6000", "initDCNRegistersOffsets !! PATCHING REGISTERS FOR DCN 1.0 !!");
-        auto base = getMember<uint32_t>(that, 0x4830);
-        getMember<uint32_t>(that, 0x4840) = base + mmHUBPREQ0_DCSURF_PRIMARY_SURFACE_ADDRESS;
-        getMember<uint32_t>(that, 0x4878) = base + mmHUBPREQ1_DCSURF_PRIMARY_SURFACE_ADDRESS;
-        getMember<uint32_t>(that, 0x48B0) = base + mmHUBPREQ2_DCSURF_PRIMARY_SURFACE_ADDRESS;
-        getMember<uint32_t>(that, 0x48E8) = base + mmHUBPREQ3_DCSURF_PRIMARY_SURFACE_ADDRESS;
-        getMember<uint32_t>(that, 0x4844) = base + mmHUBPREQ0_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
-        getMember<uint32_t>(that, 0x487C) = base + mmHUBPREQ1_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
-        getMember<uint32_t>(that, 0x48B4) = base + mmHUBPREQ2_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
-        getMember<uint32_t>(that, 0x48EC) = base + mmHUBPREQ3_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
-        getMember<uint32_t>(that, 0x4848) = base + mmHUBP0_DCSURF_SURFACE_CONFIG;
-        getMember<uint32_t>(that, 0x4880) = base + mmHUBP1_DCSURF_SURFACE_CONFIG;
-        getMember<uint32_t>(that, 0x48B8) = base + mmHUBP2_DCSURF_SURFACE_CONFIG;
-        getMember<uint32_t>(that, 0x48F0) = base + mmHUBP3_DCSURF_SURFACE_CONFIG;
-        getMember<uint32_t>(that, 0x484C) = base + mmHUBPREQ0_DCSURF_SURFACE_PITCH;
-        getMember<uint32_t>(that, 0x4884) = base + mmHUBPREQ1_DCSURF_SURFACE_PITCH;
-        getMember<uint32_t>(that, 0x48BC) = base + mmHUBPREQ2_DCSURF_SURFACE_PITCH;
-        getMember<uint32_t>(that, 0x48F4) = base + mmHUBPREQ3_DCSURF_SURFACE_PITCH;
-        getMember<uint32_t>(that, 0x4850) = base + mmHUBP0_DCSURF_ADDR_CONFIG;
-        getMember<uint32_t>(that, 0x4888) = base + mmHUBP1_DCSURF_ADDR_CONFIG;
-        getMember<uint32_t>(that, 0x48C0) = base + mmHUBP2_DCSURF_ADDR_CONFIG;
-        getMember<uint32_t>(that, 0x48F8) = base + mmHUBP3_DCSURF_ADDR_CONFIG;
-        getMember<uint32_t>(that, 0x4854) = base + mmHUBP0_DCSURF_TILING_CONFIG;
-        getMember<uint32_t>(that, 0x488C) = base + mmHUBP1_DCSURF_TILING_CONFIG;
-        getMember<uint32_t>(that, 0x48C4) = base + mmHUBP2_DCSURF_TILING_CONFIG;
-        getMember<uint32_t>(that, 0x48FC) = base + mmHUBP3_DCSURF_TILING_CONFIG;
-        getMember<uint32_t>(that, 0x4858) = base + mmHUBP0_DCSURF_PRI_VIEWPORT_START;
-        getMember<uint32_t>(that, 0x4890) = base + mmHUBP1_DCSURF_PRI_VIEWPORT_START;
-        getMember<uint32_t>(that, 0x48C8) = base + mmHUBP2_DCSURF_PRI_VIEWPORT_START;
-        getMember<uint32_t>(that, 0x4900) = base + mmHUBP3_DCSURF_PRI_VIEWPORT_START;
-        getMember<uint32_t>(that, 0x485C) = base + mmHUBP0_DCSURF_PRI_VIEWPORT_DIMENSION;
-        getMember<uint32_t>(that, 0x4894) = base + mmHUBP1_DCSURF_PRI_VIEWPORT_DIMENSION;
-        getMember<uint32_t>(that, 0x48CC) = base + mmHUBP2_DCSURF_PRI_VIEWPORT_DIMENSION;
-        getMember<uint32_t>(that, 0x4904) = base + mmHUBP3_DCSURF_PRI_VIEWPORT_DIMENSION;
-        getMember<uint32_t>(that, 0x4860) = base + mmOTG0_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x4898) = base + mmOTG1_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x48D0) = base + mmOTG2_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x4908) = base + mmOTG3_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x4940) = base + mmOTG4_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x4978) = base + mmOTG5_OTG_CONTROL;
-        getMember<uint32_t>(that, 0x4864) = base + mmOTG0_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x489C) = base + mmOTG1_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x48D4) = base + mmOTG2_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x490C) = base + mmOTG3_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x4944) = base + mmOTG4_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x497C) = base + mmOTG5_OTG_INTERLACE_CONTROL;
-        getMember<uint32_t>(that, 0x4868) = base + mmHUBPREQ0_DCSURF_FLIP_CONTROL;
-        getMember<uint32_t>(that, 0x48A0) = base + mmHUBPREQ1_DCSURF_FLIP_CONTROL;
-        getMember<uint32_t>(that, 0x48D8) = base + mmHUBPREQ2_DCSURF_FLIP_CONTROL;
-        getMember<uint32_t>(that, 0x4910) = base + mmHUBPREQ3_DCSURF_FLIP_CONTROL;
-        getMember<uint32_t>(that, 0x486C) = base + mmHUBPRET0_HUBPRET_CONTROL;
-        getMember<uint32_t>(that, 0x48A4) = base + mmHUBPRET1_HUBPRET_CONTROL;
-        getMember<uint32_t>(that, 0x48DC) = base + mmHUBPRET2_HUBPRET_CONTROL;
-        getMember<uint32_t>(that, 0x4914) = base + mmHUBPRET3_HUBPRET_CONTROL;
-        getMember<uint32_t>(that, 0x4870) = base + mmHUBPREQ0_DCSURF_SURFACE_EARLIEST_INUSE;
-        getMember<uint32_t>(that, 0x48A8) = base + mmHUBPREQ1_DCSURF_SURFACE_EARLIEST_INUSE;
-        getMember<uint32_t>(that, 0x48E0) = base + mmHUBPREQ2_DCSURF_SURFACE_EARLIEST_INUSE;
-        getMember<uint32_t>(that, 0x4918) = base + mmHUBPREQ3_DCSURF_SURFACE_EARLIEST_INUSE;
-        getMember<uint32_t>(that, 0x4874) = base + mmHUBPREQ0_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
-        getMember<uint32_t>(that, 0x48AC) = base + mmHUBPREQ1_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
-        getMember<uint32_t>(that, 0x48E4) = base + mmHUBPREQ2_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
-        getMember<uint32_t>(that, 0x491C) = base + mmHUBPREQ3_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
-    }
+    DBGLOG("x6000", "initDCNRegistersOffsets !! PATCHING REGISTERS FOR DCN 1.0 !!");
+    auto fieldBase = getKernelVersion() == KernelVersion::Catalina ? 0x4838 : 0x4830;
+    auto base = getMember<uint32_t>(that, fieldBase);
+    getMember<uint32_t>(that, fieldBase + 0x10) = base + mmHUBPREQ0_DCSURF_PRIMARY_SURFACE_ADDRESS;
+    getMember<uint32_t>(that, fieldBase + 0x48) = base + mmHUBPREQ1_DCSURF_PRIMARY_SURFACE_ADDRESS;
+    getMember<uint32_t>(that, fieldBase + 0x80) = base + mmHUBPREQ2_DCSURF_PRIMARY_SURFACE_ADDRESS;
+    getMember<uint32_t>(that, fieldBase + 0xB8) = base + mmHUBPREQ3_DCSURF_PRIMARY_SURFACE_ADDRESS;
+    getMember<uint32_t>(that, fieldBase + 0x14) = base + mmHUBPREQ0_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0x4C) = base + mmHUBPREQ1_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0x84) = base + mmHUBPREQ2_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0xBC) = base + mmHUBPREQ3_DCSURF_PRIMARY_SURFACE_ADDRESS_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0x18) = base + mmHUBP0_DCSURF_SURFACE_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x50) = base + mmHUBP1_DCSURF_SURFACE_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x88) = base + mmHUBP2_DCSURF_SURFACE_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0xC0) = base + mmHUBP3_DCSURF_SURFACE_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x1C) = base + mmHUBPREQ0_DCSURF_SURFACE_PITCH;
+    getMember<uint32_t>(that, fieldBase + 0x54) = base + mmHUBPREQ1_DCSURF_SURFACE_PITCH;
+    getMember<uint32_t>(that, fieldBase + 0x8C) = base + mmHUBPREQ2_DCSURF_SURFACE_PITCH;
+    getMember<uint32_t>(that, fieldBase + 0xC4) = base + mmHUBPREQ3_DCSURF_SURFACE_PITCH;
+    getMember<uint32_t>(that, fieldBase + 0x20) = base + mmHUBP0_DCSURF_ADDR_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x58) = base + mmHUBP1_DCSURF_ADDR_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x90) = base + mmHUBP2_DCSURF_ADDR_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0xC8) = base + mmHUBP3_DCSURF_ADDR_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x24) = base + mmHUBP0_DCSURF_TILING_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x5C) = base + mmHUBP1_DCSURF_TILING_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x94) = base + mmHUBP2_DCSURF_TILING_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0xCC) = base + mmHUBP3_DCSURF_TILING_CONFIG;
+    getMember<uint32_t>(that, fieldBase + 0x28) = base + mmHUBP0_DCSURF_PRI_VIEWPORT_START;
+    getMember<uint32_t>(that, fieldBase + 0x60) = base + mmHUBP1_DCSURF_PRI_VIEWPORT_START;
+    getMember<uint32_t>(that, fieldBase + 0x98) = base + mmHUBP2_DCSURF_PRI_VIEWPORT_START;
+    getMember<uint32_t>(that, fieldBase + 0xD0) = base + mmHUBP3_DCSURF_PRI_VIEWPORT_START;
+    getMember<uint32_t>(that, fieldBase + 0x2C) = base + mmHUBP0_DCSURF_PRI_VIEWPORT_DIMENSION;
+    getMember<uint32_t>(that, fieldBase + 0x64) = base + mmHUBP1_DCSURF_PRI_VIEWPORT_DIMENSION;
+    getMember<uint32_t>(that, fieldBase + 0x9C) = base + mmHUBP2_DCSURF_PRI_VIEWPORT_DIMENSION;
+    getMember<uint32_t>(that, fieldBase + 0xD4) = base + mmHUBP3_DCSURF_PRI_VIEWPORT_DIMENSION;
+    getMember<uint32_t>(that, fieldBase + 0x30) = base + mmOTG0_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x68) = base + mmOTG1_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xA0) = base + mmOTG2_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xD8) = base + mmOTG3_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x110) = base + mmOTG4_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x148) = base + mmOTG5_OTG_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x34) = base + mmOTG0_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x6C) = base + mmOTG1_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xA4) = base + mmOTG2_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xDC) = base + mmOTG3_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x114) = base + mmOTG4_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x14C) = base + mmOTG5_OTG_INTERLACE_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x38) = base + mmHUBPREQ0_DCSURF_FLIP_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x70) = base + mmHUBPREQ1_DCSURF_FLIP_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xA8) = base + mmHUBPREQ2_DCSURF_FLIP_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xE0) = base + mmHUBPREQ3_DCSURF_FLIP_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x3C) = base + mmHUBPRET0_HUBPRET_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x74) = base + mmHUBPRET1_HUBPRET_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xAC) = base + mmHUBPRET2_HUBPRET_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0xE4) = base + mmHUBPRET3_HUBPRET_CONTROL;
+    getMember<uint32_t>(that, fieldBase + 0x40) = base + mmHUBPREQ0_DCSURF_SURFACE_EARLIEST_INUSE;
+    getMember<uint32_t>(that, fieldBase + 0x78) = base + mmHUBPREQ1_DCSURF_SURFACE_EARLIEST_INUSE;
+    getMember<uint32_t>(that, fieldBase + 0xB0) = base + mmHUBPREQ2_DCSURF_SURFACE_EARLIEST_INUSE;
+    getMember<uint32_t>(that, fieldBase + 0xE8) = base + mmHUBPREQ3_DCSURF_SURFACE_EARLIEST_INUSE;
+    getMember<uint32_t>(that, fieldBase + 0x44) = base + mmHUBPREQ0_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0x7C) = base + mmHUBPREQ1_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0xB4) = base + mmHUBPREQ2_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
+    getMember<uint32_t>(that, fieldBase + 0xEC) = base + mmHUBPREQ3_DCSURF_SURFACE_EARLIEST_INUSE_HIGH;
 }
 
 #define HWALIGNMGR_ADJUST getMember<void *>(X5000::callback->hwAlignMgr, 0) = X5000::callback->hwAlignMgrVtX6000;
diff --git a/NootedRed/kern_x6000fb.cpp b/NootedRed/kern_x6000fb.cpp
index 10c7a265..a49632d8 100644
--- a/NootedRed/kern_x6000fb.cpp
+++ b/NootedRed/kern_x6000fb.cpp
@@ -27,9 +27,10 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_
 
         CailAsicCapEntry *orgAsicCapsTable = nullptr;
 
+        auto catalina = getKernelVersion() == KernelVersion::Catalina;
         SolveRequestPlus solveRequests[] = {
             {"__ZL20CAIL_ASIC_CAPS_TABLE", orgAsicCapsTable, kCailAsicCapsTablePattern},
-            {"_dce_driver_set_backlight", this->orgDceDriverSetBacklight, kDceDriverSetBacklight},
+            {"_dce_driver_set_backlight", this->orgDceDriverSetBacklight, kDceDriverSetBacklight, !catalina},
         };
         PANIC_COND(!SolveRequestPlus::solveAll(&patcher, index, solveRequests, address, size), "x6000fb",
             "Failed to resolve symbols");
@@ -41,8 +42,8 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_
             {"__ZN24AMDRadeonX6000_AmdLogger15initWithPciInfoEP11IOPCIDevice", wrapInitWithPciInfo,
                 this->orgInitWithPciInfo, ADDPR(debugEnabled)},
             {"__ZN34AMDRadeonX6000_AmdRadeonController10doGPUPanicEPKcz", wrapDoGPUPanic, ADDPR(debugEnabled)},
-            {"_dce_panel_cntl_hw_init", wrapDcePanelCntlHwInit, this->orgDcePanelCntlHwInit,
-                kDcePanelCntlHwInitPattern},
+            {"_dce_panel_cntl_hw_init", wrapDcePanelCntlHwInit, this->orgDcePanelCntlHwInit, kDcePanelCntlHwInitPattern,
+                !catalina},
             {"__ZN35AMDRadeonX6000_AmdRadeonFramebuffer25setAttributeForConnectionEijm", wrapFramebufferSetAttribute,
                 this->orgFramebufferSetAttribute},
             {"__ZN35AMDRadeonX6000_AmdRadeonFramebuffer25getAttributeForConnectionEijPm", wrapFramebufferGetAttribute,
@@ -59,11 +60,16 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_
             "Failed to route symbols");
 
         LookupPatchPlus const patches[] = {
-            {&kextRadeonX6000Framebuffer, kPopulateDeviceInfoOriginal, kPopulateDeviceInfoPatched, 1},
-            {&kextRadeonX6000Framebuffer, kAmdAtomVramInfoNullCheckOriginal, kAmdAtomVramInfoNullCheckPatched, 1},
+            {&kextRadeonX6000Framebuffer, kPopulateDeviceInfoOriginal, kPopulateDeviceInfoMask,
+                kPopulateDeviceInfoPatched, kPopulateDeviceInfoMask, 1},
+            {&kextRadeonX6000Framebuffer, kAmdAtomVramInfoNullCheckOriginal, kAmdAtomVramInfoNullCheckPatched, 1,
+                !catalina},
+            {&kextRadeonX6000Framebuffer, kAmdAtomVramInfoNullCheckCatalinaOriginal,
+                kAmdAtomVramInfoNullCheckCatalinaMask, kAmdAtomVramInfoNullCheckCatalinaPatched, 1, catalina},
             {&kextRadeonX6000Framebuffer, kAmdAtomPspDirectoryNullCheckOriginal, kAmdAtomPspDirectoryNullCheckPatched,
-                1},
-            {&kextRadeonX6000Framebuffer, kGetFirmwareInfoNullCheckOriginal, kGetFirmwareInfoNullCheckPatched, 1},
+                1, !catalina},
+            {&kextRadeonX6000Framebuffer, kGetFirmwareInfoNullCheckOriginal, kGetFirmwareInfoNullCheckOriginalMask,
+                kGetFirmwareInfoNullCheckPatched, kGetFirmwareInfoNullCheckPatchedMask, 1},
             {&kextRadeonX6000Framebuffer, kAgdcServicesGetVendorInfoOriginal, kAgdcServicesGetVendorInfoMask,
                 kAgdcServicesGetVendorInfoPatched, kAgdcServicesGetVendorInfoMask, 1},
         };
@@ -77,7 +83,7 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_
             .caps = NRed::callback->chipType < ChipType::Renoir ? ddiCapsRaven : ddiCapsRenoir,
             .deviceId = NRed::callback->deviceId,
             .revision = NRed::callback->revision,
-            .extRevision = NRed::callback->extRevision,
+            .extRevision = static_cast<uint32_t>(NRed::callback->enumRevision) + NRed::callback->revision,
             .pciRevision = NRed::callback->pciRevision,
         };
         MachInfo::setKernelWriting(false, KernelPatcher::kernelWriteLock);
@@ -89,7 +95,7 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_
     return false;
 }
 
-uint16_t X6000FB::wrapGetEnumeratedRevision() { return NRed::callback->extRevision - NRed::callback->revision; }
+uint16_t X6000FB::wrapGetEnumeratedRevision() { return NRed::callback->enumRevision; }
 
 IOReturn X6000FB::wrapPopulateVramInfo(void *, void *fwInfo) {
     uint32_t channelCount = 1;
diff --git a/README.md b/README.md
index f501a29a..89b5c278 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 The AMD Vega iGPU support [Lilu](https://github.com/acidanthera/Lilu) (1.6.4+) plug-in.
 
-Supports the entire Raven ASIC family (Ryzen 5XXX series and older), from Big Sur to Monterey.
+Supports the entire Raven ASIC family (Ryzen 5XXX series and older), from Catalina to Monterey.
 
 The Source Code of this Original Work is licensed under the `Thou Shalt Not Profit License version 1.0`. See [`LICENSE`](https://github.com/NootInc/NootedRed/blob/master/LICENSE).
 

From 6c87b34c10cb3269977ea461ae5f9158f8ef84b0 Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Tue, 13 Jun 2023 14:07:51 +0300
Subject: [PATCH 2/7] Force meta class cast for IAMDHWChannel

Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_nred.hpp  | 2 +-
 NootedRed/kern_x5000.cpp | 1 +
 NootedRed/kern_x6000.cpp | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NootedRed/kern_nred.hpp b/NootedRed/kern_nred.hpp
index 28db4edb..804b11bb 100644
--- a/NootedRed/kern_nred.hpp
+++ b/NootedRed/kern_nred.hpp
@@ -243,7 +243,7 @@ class NRed {
     uint16_t revision {0};
     uint32_t pciRevision {0};
     IOPCIDevice *iGPU {nullptr};
-    OSMetaClass *metaClassMap[4][2] = {{nullptr}};
+    OSMetaClass *metaClassMap[5][2] = {{nullptr}};
     mach_vm_address_t orgSafeMetaCast {0};
     mach_vm_address_t orgApplePanelSetDisplay {0};
 
diff --git a/NootedRed/kern_x5000.cpp b/NootedRed/kern_x5000.cpp
index e0a88b62..e249823d 100644
--- a/NootedRed/kern_x5000.cpp
+++ b/NootedRed/kern_x5000.cpp
@@ -42,6 +42,7 @@ bool X5000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             {"__ZN37AMDRadeonX5000_AMDAccelDisplayMachine10gMetaClassE", NRed::callback->metaClassMap[1][0]},
             {"__ZN34AMDRadeonX5000_AMDAccelDisplayPipe10gMetaClassE", NRed::callback->metaClassMap[2][0]},
             {"__ZN30AMDRadeonX5000_AMDAccelChannel10gMetaClassE", NRed::callback->metaClassMap[3][1]},
+            {"__ZN28AMDRadeonX5000_IAMDHWChannel10gMetaClassE", NRed::callback->metaClassMap[4][0]},
             {"__ZN30AMDRadeonX5000_AMDGFX9Hardware32setupAndInitializeHWCapabilitiesEv",
                 this->orgSetupAndInitializeHWCapabilities},
             {"__ZN26AMDRadeonX5000_AMDHardware14startHWEnginesEv", startHWEngines},
diff --git a/NootedRed/kern_x6000.cpp b/NootedRed/kern_x6000.cpp
index fa31d4d5..7f7c4e0e 100644
--- a/NootedRed/kern_x6000.cpp
+++ b/NootedRed/kern_x6000.cpp
@@ -37,6 +37,7 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             {"__ZN37AMDRadeonX6000_AMDAccelDisplayMachine10gMetaClassE", NRed::callback->metaClassMap[1][1]},
             {"__ZN34AMDRadeonX6000_AMDAccelDisplayPipe10gMetaClassE", NRed::callback->metaClassMap[2][1]},
             {"__ZN30AMDRadeonX6000_AMDAccelChannel10gMetaClassE", NRed::callback->metaClassMap[3][0]},
+            {"__ZN28AMDRadeonX6000_IAMDHWChannel10gMetaClassE", NRed::callback->metaClassMap[4][1]},
             {"__ZN33AMDRadeonX6000_AMDHWAlignManager224getPreferredSwizzleMode2EP33_ADDR2_COMPUTE_SURFACE_INFO_INPUT",
                 this->orgGetPreferredSwizzleMode2},
         };

From 4aa821f2d2cd8a254183a02929d923afc6dfeeab Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Tue, 13 Jun 2023 14:08:56 +0300
Subject: [PATCH 3/7] Apply addrlib patch to catalina

Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_x5000.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NootedRed/kern_x5000.cpp b/NootedRed/kern_x5000.cpp
index e249823d..68af0f8f 100644
--- a/NootedRed/kern_x5000.cpp
+++ b/NootedRed/kern_x5000.cpp
@@ -81,9 +81,9 @@ bool X5000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
             "Failed to route symbols");
 
         LookupPatchPlus const addrLibPatch {&kextRadeonX5000, kAddrLibCreateOriginal, kAddrLibCreatePatched, 1,
-            ventura1304};
+            catalina || ventura1304};
         PANIC_COND(!addrLibPatch.apply(&patcher, address, size), "x5000",
-            "Failed to apply Ventura 13.4+ Addr::Lib::Create patch: %d", patcher.getError());
+            "Failed to apply Catalina & Ventura 13.4+ Addr::Lib::Create patch: %d", patcher.getError());
 
         LookupPatchPlus const patch {&kextRadeonX5000, kStartHWEnginesOriginal, kStartHWEnginesMask,
             kStartHWEnginesPatched, kStartHWEnginesMask, ventura ? 2U : 1, !catalina};

From 1fc75ecf207201b1cd5d638301d29f362f5b0a8e Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Tue, 13 Jun 2023 14:15:32 +0300
Subject: [PATCH 4/7] Fix more VTable mismatches

Co-authored-by: NyanCatTW1 <17372086+NyanCatTW1@users.noreply.github.com>
Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_patches.hpp | 221 +++++++++++++++++++++++++++++++++++--
 NootedRed/kern_x6000.cpp   |  44 +++++++-
 2 files changed, 256 insertions(+), 9 deletions(-)

diff --git a/NootedRed/kern_patches.hpp b/NootedRed/kern_patches.hpp
index 662cd115..54309146 100644
--- a/NootedRed/kern_patches.hpp
+++ b/NootedRed/kern_patches.hpp
@@ -240,11 +240,13 @@ static const uint8_t kCreateAccelChannelsOriginal[] = {0x8D, 0x44, 0x09, 0x02};
 static const uint8_t kCreateAccelChannelsPatched[] = {0x8D, 0x44, 0x09, 0x01};
 
 /**
- * Mismatched `getTtlInterface` virtual call
+ * Mismatched `getTtlInterface` virtual calls
  * AMDRadeonX6000.kext
  */
-static const uint8_t kGetTtlInterfaceCallOriginal[] = {0x48, 0x89, 0xF7, 0xFF, 0x90, 0xC8, 0x02, 0x00, 0x00};
-static const uint8_t kGetTtlInterfaceCallPatched[] = {0x48, 0x89, 0xF7, 0xFF, 0x90, 0xC0, 0x02, 0x00, 0x00};
+static const uint8_t kGetTtlInterfaceCallOriginal[] = {0x40, 0x80, 0x00, 0xFF, 0x90, 0xC8, 0x02, 0x00, 0x00};
+static const uint8_t kGetTtlInterfaceCallOriginalMask[] = {0xF0, 0xF0, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+static const uint8_t kGetTtlInterfaceCallPatched[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00};
+static const uint8_t kGetTtlInterfaceCallPatchedMask[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00};
 
 /**
  * Mismatched `getGpuDebugPolicy` virtual calls.
@@ -297,9 +299,214 @@ static const uint8_t kIsDeviceValidCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x9
 static const uint8_t kIsDeviceValidCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x98, 0x02, 0x00, 0x00};
 
 /**
- * `AMDRadeonX6000_AMDNavi10VideoContext::setSuspendResumeState`
+ * Mismatched `isDevicePCITunnelled` virtual calls.
  * AMDRadeonX6000.kext
- * Mismatched `isDevicePCITunnelled` virtual call.
  */
-static const uint8_t kIsDevicePCITunnelledCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB0, 0x02, 0x00, 0x00, 0x84};
-static const uint8_t kIsDevicePCITunnelledCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xA8, 0x02, 0x00, 0x00, 0x84};
+static const uint8_t kIsDevicePCITunnelledCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xB0, 0x02, 0x00, 0x00};
+static const uint8_t kIsDevicePCITunnelledCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xA8, 0x02, 0x00, 0x00};
+
+/**
+ * Mismatched `getSML` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetSMLCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x98, 0x03, 0x00, 0x00};
+static const uint8_t kGetSMLCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x90, 0x03, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWDisplay::fillUBMSurface`
+ * AMDRadeonX6000.kext
+ * Mismatched `getUbmSwizzleMode` virtual call.
+ */
+static const uint8_t kGetUbmSwizzleModeCallOriginal[] = {0xFF, 0x91, 0x78, 0x04, 0x00, 0x00};
+static const uint8_t kGetUbmSwizzleModeCallPatched[] = {0xFF, 0x91, 0xA0, 0x04, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWDisplay::fillUBMSurface`
+ * AMDRadeonX6000.kext
+ * Mismatched `getUbmTileMode` virtual call.
+ */
+static const uint8_t kGetUbmTileModeCallOriginal[] = {0xFF, 0x90, 0x80, 0x04, 0x00, 0x00};
+static const uint8_t kGetUbmTileModeCallPatched[] = {0xFF, 0x90, 0xA8, 0x04, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWDisplay::writeUpdateFrameBufferOffsetCommands`
+ * AMDRadeonX6000.kext
+ * Mismatched `writeWaitForRenderingPipe` virtual call.
+ */
+static const uint8_t kWriteWaitForRenderingPipeCallOriginal[] = {0xFF, 0x90, 0xB8, 0x02, 0x00, 0x00, 0x89, 0x45, 0xAC};
+static const uint8_t kWriteWaitForRenderingPipeCallPatched[] = {0xFF, 0x90, 0xB0, 0x02, 0x00, 0x00, 0x89, 0x45, 0xAC};
+
+/**
+ * `AMDRadeonX6000_AMDRTRing::WPTRDiagnostic`
+ * AMDRadeonX6000.kext
+ * Mismatched `dummyWPTRUpdateDiag` virtual call.
+ */
+static const uint8_t kDummyWPTRUpdateDiagCallOriginal[] = {0x48, 0x8B, 0x80, 0x50, 0x02, 0x00, 0x00};
+static const uint8_t kDummyWPTRUpdateDiagCallPatched[] = {0x48, 0x8B, 0x80, 0x48, 0x02, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWDisplay::init`
+ * AMDRadeonX6000.kext
+ * Mismatched `getPM4CommandsUtility` virtual call.
+ */
+static const uint8_t kGetPM4CommandUtilityCallOriginal[] = {0xFF, 0x90, 0xA0, 0x03, 0x00, 0x00};
+static const uint8_t kGetPM4CommandUtilityCallPatched[] = {0xFF, 0x90, 0x98, 0x03, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDRTRing::allocateMemoryResources`
+ * AMDRadeonX6000.kext
+ * Mismatched `getChannelDoorbellOffset` virtual call.
+ */
+static const uint8_t kGetChannelDoorbellOffsetCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x88, 0x03, 0x00, 0x00};
+static const uint8_t kGetChannelDoorbellOffsetCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x80, 0x03, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDRTRing::allocateMemoryResources`
+ * AMDRadeonX6000.kext
+ * Mismatched `getDoorbellMemoryBaseAddress` virtual call.
+ */
+static const uint8_t kGetDoorbellMemoryBaseAddressCallOriginal[] = {0xFF, 0x90, 0x80, 0x03, 0x00, 0x00};
+static const uint8_t kGetDoorbellMemoryBaseAddressCallPatched[] = {0xFF, 0x90, 0x78, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `updateUtilizationStatisticsCounter` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kUpdateUtilizationStatisticsCounterCallOriginal[] = {0x41, 0xFF, 0x90, 0xE0, 0x03, 0x00, 0x00};
+static const uint8_t kUpdateUtilizationStatisticsCounterCallPatched[] = {0x41, 0xFF, 0x90, 0xD8, 0x03, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWChannel::submitCommandBuffer`
+ * AMDRadeonX6000.kext
+ * Mismatched `dumpASICHangState` virtual calls.
+ */
+static const uint8_t kDumpASICHangStateCallOriginal[] = {0xFF, 0x90, 0xA8, 0x03, 0x00, 0x00};
+static const uint8_t kDumpASICHangStateCallPatched[] = {0xFF, 0x90, 0xA0, 0x03, 0x00, 0x00};
+
+/**
+ * `AMDRadeonX6000_AMDHWChannel::init`
+ * AMDRadeonX6000.kext
+ * Mismatched `registerChannel` virtual call.
+ */
+static const uint8_t kRegisterChannelCallOriginal[] = {0x4C, 0x89, 0xEE, 0xFF, 0x90, 0x28, 0x03, 0x00, 0x00};
+static const uint8_t kRegisterChannelCallPatched[] = {0x4C, 0x89, 0xEE, 0xFF, 0x90, 0x20, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `disableGfxOff` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kDisableGfxOffCallOriginal[] = {0xFF, 0x90, 0x00, 0x04, 0x00, 0x00};
+static const uint8_t kDisableGfxOffCallPatched[] = {0xFF, 0x90, 0xF8, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `enableGfxOff` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kEnableGfxOffCallOriginal[] = {0xFF, 0x90, 0x08, 0x04, 0x00, 0x00};
+static const uint8_t kEnableGfxOffCallPatched[] = {0xFF, 0x90, 0x00, 0x04, 0x00, 0x00};
+
+/**
+ * Mismatched `getHWMemory` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWMemoryCallOriginal[] = {0x18, 0x48, 0x8B, 0x07, 0xFF, 0x90, 0xE0, 0x02, 0x00, 0x00, 0x48};
+static const uint8_t kGetHWMemoryCallPatched[] = {0x18, 0x48, 0x8B, 0x07, 0xFF, 0x90, 0xD8, 0x02, 0x00, 0x00, 0x48};
+
+/**
+ * Mismatched `getHWGart` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWGartCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xE8, 0x02, 0x00, 0x00};
+static const uint8_t kGetHWGartCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0xE0, 0x02, 0x00, 0x00};
+
+/**
+ * Mismatched `getChannelCount` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetChannelCountCallOriginal[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x38, 0x03, 0x00, 0x00};
+static const uint8_t kGetChannelCountCallPatched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x30, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `flushSystemCaches` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kFlushSystemCachesCallOriginal[] = {0xFF, 0x90, 0xA8, 0x04, 0x00, 0x00};
+static const uint8_t kFlushSystemCachesCallPatched[] = {0xFF, 0x90, 0xD0, 0x04, 0x00, 0x00};
+
+/**
+ * Mismatched `getIOPCIDevice` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetIOPCIDeviceCallOriginal[] = {0xFF, 0x90, 0x90, 0x03, 0x00, 0x00};
+static const uint8_t kGetIOPCIDeviceCallPatched[] = {0xFF, 0x90, 0x88, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `getHWRegisters` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWRegistersCallOriginal[] = {0x40, 0x80, 0x00, 0xFF, 0x90, 0xD8, 0x02, 0x00, 0x00};
+static const uint8_t kGetHWRegistersCallOriginalMask[] = {0xF0, 0xF0, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+static const uint8_t kGetHWRegistersCallPatched[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00};
+static const uint8_t kGetHWRegistersCallPatchedMask[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00};
+
+/**
+ * Mismatched `getChannelWriteBackFrameAddr` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetChannelWriteBackFrameAddrCallOriginal[] = {0xFF, 0x90, 0x50, 0x03, 0x00, 0x00, 0x40};
+static const uint8_t kGetChannelWriteBackFrameAddrCallOriginalMask[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xF0};
+static const uint8_t kGetChannelWriteBackFrameAddrCallPatched[] = {0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00};
+static const uint8_t kGetChannelWriteBackFrameAddrCallPatchedMask[] = {0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00};
+
+/**
+ * Mismatched `getChannelWriteBackFrameOffset` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetChannelWriteBackFrameOffsetCall1Original[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x48, 0x03, 0x00,
+    0x00};
+static const uint8_t kGetChannelWriteBackFrameOffsetCall1Patched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x40, 0x03, 0x00,
+    0x00};
+
+static const uint8_t kGetChannelWriteBackFrameOffsetCall2Original[] = {0x89, 0xDE, 0xFF, 0x90, 0x48, 0x03, 0x00, 0x00};
+static const uint8_t kGetChannelWriteBackFrameOffsetCall2Patched[] = {0x89, 0xDE, 0xFF, 0x90, 0x40, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `getHWChannel` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWChannelCall1Original[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x20, 0x03, 0x00, 0x00, 0x48, 0x85,
+    0xC0};
+static const uint8_t kGetHWChannelCall1Patched[] = {0x48, 0x8B, 0x07, 0xFF, 0x90, 0x18, 0x03, 0x00, 0x00, 0x48, 0x85,
+    0xC0};
+
+static const uint8_t kGetHWChannelCall2Original[] = {0x31, 0xD2, 0xFF, 0x90, 0x18, 0x03, 0x00, 0x00};
+static const uint8_t kGetHWChannelCall2Patched[] = {0x31, 0xD2, 0xFF, 0x90, 0x10, 0x03, 0x00, 0x00};
+
+static const uint8_t kGetHWChannelCall3Original[] = {0x00, 0x00, 0x00, 0xFF, 0x90, 0x18, 0x03, 0x00, 0x00};
+static const uint8_t kGetHWChannelCall3Patched[] = {0x00, 0x00, 0x00, 0xFF, 0x90, 0x10, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `getHWAlignManager` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWAlignManagerCall1Original[] = {0x48, 0x80, 0x00, 0xFF, 0x90, 0x00, 0x03, 0x00, 0x00};
+static const uint8_t kGetHWAlignManagerCall1OriginalMask[] = {0xFF, 0xF0, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+static const uint8_t kGetHWAlignManagerCall1Patched[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x02, 0x00, 0x00};
+static const uint8_t kGetHWAlignManagerCall1PatchedMask[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00};
+
+static const uint8_t kGetHWAlignManagerCall2Original[] = {0x49, 0x89, 0xD4, 0xFF, 0x90, 0x00, 0x03, 0x00, 0x00};
+static const uint8_t kGetHWAlignManagerCall2Patched[] = {0x49, 0x89, 0xD4, 0xFF, 0x90, 0xF8, 0x02, 0x00, 0x00};
+
+/**
+ * Mismatched `getHWEngine` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetHWEngineCallOriginal[] = {0x00, 0x00, 0x00, 0xFF, 0x90, 0x10, 0x03, 0x00, 0x00};
+static const uint8_t kGetHWEngineCallPatched[] = {0x00, 0x00, 0x00, 0xFF, 0x90, 0x08, 0x03, 0x00, 0x00};
+
+/**
+ * Mismatched `getAMDHWHandler` virtual calls.
+ * AMDRadeonX6000.kext
+ */
+static const uint8_t kGetAMDHWHandlerCallOriginal[] = {0xFF, 0x90, 0xD0, 0x02, 0x00, 0x00};
+static const uint8_t kGetAMDHWHandlerCallPatched[] = {0xFF, 0x90, 0xC8, 0x02, 0x00, 0x00};
diff --git a/NootedRed/kern_x6000.cpp b/NootedRed/kern_x6000.cpp
index 7f7c4e0e..91181bf9 100644
--- a/NootedRed/kern_x6000.cpp
+++ b/NootedRed/kern_x6000.cpp
@@ -71,16 +71,49 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
                 kHWChannelSubmitCommandBufferCatalinaPatched, 1, catalina},
             {&kextRadeonX6000, kHWChannelSubmitCommandBufferOriginal, kHWChannelSubmitCommandBufferPatched, 1,
                 !catalina},
+            {&kextRadeonX6000, kDummyWPTRUpdateDiagCallOriginal, kDummyWPTRUpdateDiagCallPatched, 1, catalina},
             {&kextRadeonX6000, kIsDeviceValidCallOriginal, kIsDeviceValidCallPatched,
                 catalina ? 20U :
                 ventura  ? 23 :
                 monterey ? 26 :
                            24},
             {&kextRadeonX6000, kIsDevicePCITunnelledCallOriginal, kIsDevicePCITunnelledCallPatched,
-                catalina ? 5U :
+                catalina ? 9U :
                 ventura  ? 3 :
                            1},
-            {&kextRadeonX6000, kGetTtlInterfaceCallOriginal, kGetTtlInterfaceCallPatched, 6, catalina},
+            {&kextRadeonX6000, kWriteWaitForRenderingPipeCallOriginal, kWriteWaitForRenderingPipeCallPatched, 1,
+                catalina},
+            {&kextRadeonX6000, kGetTtlInterfaceCallOriginal, kGetTtlInterfaceCallOriginalMask,
+                kGetTtlInterfaceCallPatched, kGetTtlInterfaceCallPatchedMask, 38, catalina},
+            {&kextRadeonX6000, kGetAMDHWHandlerCallOriginal, kGetAMDHWHandlerCallPatched, 19, catalina},
+            {&kextRadeonX6000, kGetAMDHWHandlerCallOriginal, kGetAMDHWHandlerCallPatched, 64, catalina, 1},
+            {&kextRadeonX6000, kGetHWRegistersCallOriginal, kGetHWRegistersCallOriginalMask, kGetHWRegistersCallPatched,
+                kGetHWRegistersCallPatchedMask, 13, catalina},
+            {&kextRadeonX6000, kGetHWMemoryCallOriginal, kGetHWMemoryCallPatched, 11, catalina},
+            {&kextRadeonX6000, kGetHWGartCallOriginal, kGetHWGartCallPatched, 9, catalina},
+            {&kextRadeonX6000, kGetHWAlignManagerCall1Original, kGetHWAlignManagerCall1OriginalMask,
+                kGetHWAlignManagerCall1Patched, kGetHWAlignManagerCall1PatchedMask, 33, catalina},
+            {&kextRadeonX6000, kGetHWAlignManagerCall2Original, kGetHWAlignManagerCall2Patched, 1, catalina},
+            {&kextRadeonX6000, kGetHWEngineCallOriginal, kGetHWEngineCallPatched, 31, catalina},
+            {&kextRadeonX6000, kGetHWChannelCall1Original, kGetHWChannelCall1Patched, 2, catalina},
+            {&kextRadeonX6000, kGetHWChannelCall2Original, kGetHWChannelCall2Patched, 53, catalina},
+            {&kextRadeonX6000, kGetHWChannelCall3Original, kGetHWChannelCall3Patched, 20, catalina},
+            {&kextRadeonX6000, kRegisterChannelCallOriginal, kRegisterChannelCallPatched, 1, catalina},
+            {&kextRadeonX6000, kGetChannelCountCallOriginal, kGetChannelCountCallPatched, 7, catalina},
+            {&kextRadeonX6000, kGetChannelWriteBackFrameOffsetCall1Original,
+                kGetChannelWriteBackFrameOffsetCall1Patched, 4, catalina},
+            {&kextRadeonX6000, kGetChannelWriteBackFrameOffsetCall2Original,
+                kGetChannelWriteBackFrameOffsetCall2Patched, 1, catalina},
+            {&kextRadeonX6000, kGetChannelWriteBackFrameAddrCallOriginal, kGetChannelWriteBackFrameAddrCallOriginalMask,
+                kGetChannelWriteBackFrameAddrCallPatched, kGetChannelWriteBackFrameAddrCallPatchedMask, 10, catalina},
+            {&kextRadeonX6000, kGetDoorbellMemoryBaseAddressCallOriginal, kGetDoorbellMemoryBaseAddressCallPatched, 1,
+                catalina},
+            {&kextRadeonX6000, kGetChannelDoorbellOffsetCallOriginal, kGetChannelDoorbellOffsetCallPatched, 1,
+                catalina},
+            {&kextRadeonX6000, kGetIOPCIDeviceCallOriginal, kGetIOPCIDeviceCallPatched, 5, catalina},
+            {&kextRadeonX6000, kGetSMLCallOriginal, kGetSMLCallPatched, 10, catalina},
+            {&kextRadeonX6000, kGetPM4CommandUtilityCallOriginal, kGetPM4CommandUtilityCallPatched, 2, catalina},
+            {&kextRadeonX6000, kDumpASICHangStateCallOriginal, kDumpASICHangStateCallPatched, 2, catalina},
             {&kextRadeonX6000, kGetSchedulerCallVenturaOriginal, kGetSchedulerCallVenturaPatched, 24, ventura},
             {&kextRadeonX6000, kGetSchedulerCallOriginal, kGetSchedulerCallPatched, monterey ? 21U : 22,
                 !catalina && !ventura},
@@ -92,6 +125,13 @@ bool X6000::processKext(KernelPatcher &patcher, size_t index, mach_vm_address_t
                 !catalina},
             {&kextRadeonX6000, kGetGpuDebugPolicyCallCatalinaOriginal, kGetGpuDebugPolicyCallCatalinaPatched, 27,
                 catalina},
+            {&kextRadeonX6000, kUpdateUtilizationStatisticsCounterCallOriginal,
+                kUpdateUtilizationStatisticsCounterCallPatched, 2, catalina},
+            {&kextRadeonX6000, kDisableGfxOffCallOriginal, kDisableGfxOffCallPatched, 17, catalina},
+            {&kextRadeonX6000, kEnableGfxOffCallOriginal, kEnableGfxOffCallPatched, 16, catalina},
+            {&kextRadeonX6000, kFlushSystemCachesCallOriginal, kFlushSystemCachesCallPatched, 4, catalina},
+            {&kextRadeonX6000, kGetUbmSwizzleModeCallOriginal, kGetUbmSwizzleModeCallPatched, 1, catalina},
+            {&kextRadeonX6000, kGetUbmTileModeCallOriginal, kGetUbmTileModeCallPatched, 1, catalina},
         };
         SYSLOG_COND(!LookupPatchPlus::applyAll(&patcher, patches, address, size), "x6000",
             "Failed to apply patches: %d", patcher.getError());

From 3cd9367e0f46b6fd40d496d36a1d78f694d48bcc Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Tue, 13 Jun 2023 14:18:36 +0300
Subject: [PATCH 5/7] There's some versions of macOS which default to having a
 paging queue

Co-authored-by: NyanCatTW1 <17372086+NyanCatTW1@users.noreply.github.com>
Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_x5000.cpp | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/NootedRed/kern_x5000.cpp b/NootedRed/kern_x5000.cpp
index 68af0f8f..35165499 100644
--- a/NootedRed/kern_x5000.cpp
+++ b/NootedRed/kern_x5000.cpp
@@ -154,25 +154,27 @@ bool X5000::wrapAllocateHWEngines(void *that) {
 
 struct HWCapability {
     enum : uint64_t {
-        DisplayPipeCount = 0x04,    // uint32_t
-        SECount = 0x34,             // uint32_t
-        SHPerSE = 0x3C,             // uint32_t
-        CUPerSH = 0x70,             // uint32_t
-        HasUVD0 = 0x84,             // bool
-        HasVCE = 0x86,              // bool
-        HasVCN0 = 0x87,             // bool
+        DisplayPipeCount = 0x04,      // uint32_t
+        SECount = 0x34,               // uint32_t
+        SHPerSE = 0x3C,               // uint32_t
+        CUPerSH = 0x70,               // uint32_t
+        HasUVD0 = 0x84,               // bool
+        HasVCE = 0x86,                // bool
+        HasVCN0 = 0x87,               // bool
+        HasSDMAPagingQueue = 0x98,    // bool
     };
 };
 
 struct HWCapabilityCatalina {
     enum : uint64_t {
-        DisplayPipeCount = 0x04,    // uint32_t
-        SECount = 0x30,             // uint32_t
-        SHPerSE = 0x34,             // uint32_t
-        CUPerSH = 0x58,             // uint32_t
-        HasUVD0 = 0x68,             // bool
-        HasVCE = 0x6A,              // bool
-        HasVCN0 = 0x6B,             // bool
+        DisplayPipeCount = 0x04,      // uint32_t
+        SECount = 0x30,               // uint32_t
+        SHPerSE = 0x34,               // uint32_t
+        CUPerSH = 0x58,               // uint32_t
+        HasUVD0 = 0x68,               // bool
+        HasVCE = 0x6A,                // bool
+        HasVCN0 = 0x6B,               // bool
+        HasSDMAPagingQueue = 0x7C,    // bool
     };
 };
 
@@ -203,6 +205,8 @@ void X5000::wrapSetupAndInitializeHWCapabilities(void *that) {
     setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasUVD0 : HWCapability::HasUVD0, false);
     setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasVCE : HWCapability::HasVCE, false);
     setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasVCN0 : HWCapability::HasVCN0, true);
+    setHWCapability<bool>(that, catalina ? HWCapabilityCatalina::HasSDMAPagingQueue : HWCapability::HasSDMAPagingQueue,
+        false);
 }
 
 void *X5000::wrapGetHWChannel(void *that, uint32_t engineType, uint32_t ringId) {

From 6facceebf595a0f8af019500200e8352fd70b5b9 Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Fri, 14 Jul 2023 19:10:36 +0300
Subject: [PATCH 6/7] Catalina: Wrap AmdTtlServices::getIpFw for VCN firmware

Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_hwlibs.cpp | 20 ++++++++++++++++++--
 NootedRed/kern_hwlibs.hpp |  2 ++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/NootedRed/kern_hwlibs.cpp b/NootedRed/kern_hwlibs.cpp
index ea960f1e..f5f21152 100644
--- a/NootedRed/kern_hwlibs.cpp
+++ b/NootedRed/kern_hwlibs.cpp
@@ -54,6 +54,7 @@ bool X5000HWLibs::processKext(KernelPatcher &patcher, size_t index, mach_vm_addr
                 kPspCmdKmSubmitMask},
             {"_update_sdma_power_gating", wrapUpdateSdmaPowerGating, this->orgUpdateSdmaPowerGating,
                 kUpdateSdmaPowerGatingPattern, kUpdateSdmaPowerGatingMask},
+            {"__ZN16AmdTtlFwServices7getIpFwEjPKcP10_TtlFwInfo", wrapGetIpFw, this->orgGetIpFw, catalina},
         };
         PANIC_COND(!RouteRequestPlus::routeAll(patcher, index, requests, address, size), "hwlibs",
             "Failed to route symbols");
@@ -138,8 +139,8 @@ void X5000HWLibs::wrapPopulateFirmwareDirectory(void *that) {
 
     auto isRenoirDerivative = NRed::callback->chipType >= ChipType::Renoir;
 
-    char filename[128] = {0};
-    snprintf(filename, 128, "%s_vcn.bin", NRed::callback->getChipName());
+    char filename[64] = {0};
+    snprintf(filename, 64, "%s_vcn.bin", NRed::callback->getChipName());
     auto *targetFn = isRenoirDerivative ? "ativvaxy_nv.dat" : "ativvaxy_rv.dat";
     DBGLOG("wred", "%s => %s", filename, targetFn);
 
@@ -183,3 +184,18 @@ CAILResult X5000HWLibs::wrapPspCmdKmSubmit(void *psp, void *ctx, void *param3, v
 
     return FunctionCast(wrapPspCmdKmSubmit, callback->orgPspCmdKmSubmit)(psp, ctx, param3, param4);
 }
+
+bool X5000HWLibs::wrapGetIpFw(void *that, uint32_t ipVersion, char *name, void *out) {
+    if (!strncmp(name, "ativvaxy_rv.dat", 16) || !strncmp(name, "ativvaxy_nv.dat", 16)) {
+        char filename[64] = {0};
+        snprintf(filename, 64, "%s_vcn.bin", NRed::callback->getChipName());
+        DBGLOG("wred", "getIpFw: %s => %s", filename, name);
+
+        auto &fwDesc = getFWDescByName(filename);
+        auto *fwHeader = reinterpret_cast<const CommonFirmwareHeader *>(fwDesc.data);
+        getMember<const uint8_t *>(out, 0x0) = fwDesc.data + fwHeader->ucodeOff;
+        getMember<uint32_t>(out, 0x8) = fwHeader->ucodeSize;
+        return true;
+    }
+    return FunctionCast(wrapGetIpFw, callback->orgGetIpFw)(that, ipVersion, name, out);
+}
diff --git a/NootedRed/kern_hwlibs.hpp b/NootedRed/kern_hwlibs.hpp
index 83058941..9288145c 100644
--- a/NootedRed/kern_hwlibs.hpp
+++ b/NootedRed/kern_hwlibs.hpp
@@ -21,9 +21,11 @@ class X5000HWLibs {
     t_putFirmware orgPutFirmware {nullptr};
     mach_vm_address_t orgUpdateSdmaPowerGating {0};
     mach_vm_address_t orgPspCmdKmSubmit {0};
+    mach_vm_address_t orgGetIpFw {0};
 
     static void wrapPopulateFirmwareDirectory(void *that);
     static void wrapUpdateSdmaPowerGating(void *cail, uint32_t mode);
     static CAILResult wrapPspCmdKmSubmit(void *psp, void *ctx, void *param3, void *param4);
+    static bool wrapGetIpFw(void *that, uint32_t param1, char *name, void *out);
     static CAILResult hwLibsNoop();
 };

From dd3bf7b963b32c92a5ce7516275228403fe16e2c Mon Sep 17 00:00:00 2001
From: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
Date: Mon, 7 Aug 2023 09:23:29 +0300
Subject: [PATCH 7/7] Deactivate {set,get}AttributeForConnection wraps on
 Catalina

Signed-off-by: Visual Ehrmanntraut <30368284+ChefKissInc@users.noreply.github.com>
---
 NootedRed/kern_x6000fb.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NootedRed/kern_x6000fb.cpp b/NootedRed/kern_x6000fb.cpp
index bffa696e..3721721f 100644
--- a/NootedRed/kern_x6000fb.cpp
+++ b/NootedRed/kern_x6000fb.cpp
@@ -49,9 +49,9 @@ bool X6000FB::processKext(KernelPatcher &patcher, size_t id, mach_vm_address_t s
             {"_dce_panel_cntl_hw_init", wrapDcePanelCntlHwInit, this->orgDcePanelCntlHwInit, kDcePanelCntlHwInitPattern,
                 !catalina},
             {"__ZN35AMDRadeonX6000_AmdRadeonFramebuffer25setAttributeForConnectionEijm", wrapFramebufferSetAttribute,
-                this->orgFramebufferSetAttribute},
+                this->orgFramebufferSetAttribute, !catalina},
             {"__ZN35AMDRadeonX6000_AmdRadeonFramebuffer25getAttributeForConnectionEijPm", wrapFramebufferGetAttribute,
-                this->orgFramebufferGetAttribute},
+                this->orgFramebufferGetAttribute, !catalina},
             {"__ZNK22AmdAtomObjectInfo_V1_421getNumberOfConnectorsEv", wrapGetNumberOfConnectors,
                 this->orgGetNumberOfConnectors, kGetNumberOfConnectorsPattern, kGetNumberOfConnectorsMask},
             {"_IH_4_0_IVRing_InitHardware", wrapIH40IVRingInitHardware, this->orgIH40IVRingInitHardware,