Created
November 5, 2023 22:30
-
-
Save chris-pcguy/255170f2538f8efc75bee601d32dcbed to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c | |
index 551a055715..661d9c799c 100644 | |
--- a/hw/arm/apple_a13.c | |
+++ b/hw/arm/apple_a13.c | |
@@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), | |
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), | |
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), | |
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), | |
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS | |
+ A13_CPREG_DEF(SYS_E_LSU_ERR_STS, 3, 3, 15, 2, 0, PL1_RW, 0), // A16 SYS_E_LSU_ERR_STS | |
+ A13_CPREG_DEF(SYS_E_FED_ERR_STS, 3, 4, 15, 0, 2, PL1_RW, 0), // A16 SYS_E_FED_ERR_STS | |
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0, 3, 3, 15, 15, 0, PL1_RW, 0), | |
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0, 3, 3, 15, 15, 1, PL1_RW, 0), | |
A13_CPREG_DEF(ARM64_REG_3_3_15_7, 3, 3, 15, 7, 0, PL1_RW, | |
@@ -520,6 +522,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
A13_CPREG_DEF(ARM64_REG_CYC_OVRD, 3, 5, 15, 5, 0, PL1_RW, 0), | |
A13_CPREG_DEF(ARM64_REG_ACC_CFG, 3, 5, 15, 4, 0, PL1_RW, 0), | |
A13_CPREG_DEF(S3_5_c15_c10_1, 3, 5, 15, 10, 1, PL0_RW, 0), | |
+ A13_CPREG_DEF(SYS_PRE_LLCFLUSH_TMR, 3, 5, 15, 7, 0, PL1_RW, 0), | |
+ A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, PL1_RW, 0), | |
+ A13_CPREG_DEF(SYS_AON_CNT_CTL, 3, 7, 15, 4, 0, PL1_RW, 0), | |
A13_CPREG_DEF(UPMPCM, 3, 7, 15, 5, 4, PL1_RW, 0), | |
A13_CPREG_DEF(UPMCR0, 3, 7, 15, 0, 4, PL1_RW, 0), | |
A13_CPREG_DEF(UPMSR, 3, 7, 15, 6, 4, PL1_RW, 0), | |
@@ -718,7 +723,7 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id, | |
} | |
} | |
- if (tcpu->cpu_id == 0 || node == NULL) { | |
+ if (tcpu->cpu_id == 0/* || node == NULL*/) { | |
if (node) { | |
set_dtb_prop(node, "state", 8, "running"); | |
} | |
@@ -817,6 +822,8 @@ static const VMStateDescription vmstate_apple_a13 = { | |
VMSTATE_A13_CPREG(ARM64_REG_HID14), | |
VMSTATE_A13_CPREG(ARM64_REG_HID16), | |
VMSTATE_A13_CPREG(ARM64_REG_LSU_ERR_STS), | |
+ VMSTATE_A13_CPREG(SYS_E_LSU_ERR_STS), | |
+ VMSTATE_A13_CPREG(SYS_E_FED_ERR_STS), | |
VMSTATE_A13_CPREG(PMC0), | |
VMSTATE_A13_CPREG(PMC1), | |
VMSTATE_A13_CPREG(PMCR0), | |
@@ -828,6 +835,9 @@ static const VMStateDescription vmstate_apple_a13 = { | |
VMSTATE_A13_CPREG(ARM64_REG_CYC_OVRD), | |
VMSTATE_A13_CPREG(ARM64_REG_ACC_CFG), | |
VMSTATE_A13_CPREG(S3_5_c15_c10_1), | |
+ VMSTATE_A13_CPREG(SYS_PRE_LLCFLUSH_TMR), | |
+ VMSTATE_A13_CPREG(SYS_ACC_PWR_DN_SAVE), | |
+ VMSTATE_A13_CPREG(SYS_AON_CNT_CTL), | |
VMSTATE_A13_CPREG(UPMPCM), | |
VMSTATE_A13_CPREG(UPMCR0), | |
VMSTATE_A13_CPREG(UPMSR), | |
diff --git a/hw/arm/apple_sep.c b/hw/arm/apple_sep.c | |
index da318ca250..9909500232 100644 | |
--- a/hw/arm/apple_sep.c | |
+++ b/hw/arm/apple_sep.c | |
@@ -22,12 +22,19 @@ | |
#include "hw/arm/apple_a13.h" | |
#include "hw/arm/apple_a9.h" | |
#include "hw/arm/apple_sep.h" | |
+#include "hw/misc/apple_mbox.h" | |
#include "hw/arm/xnu.h" | |
#include "hw/core/cpu.h" | |
#include "qapi/error.h" | |
#include "qemu/error-report.h" | |
#include "qemu/log.h" | |
#include "qemu/units.h" | |
+#include "hw/arm/t8030.h" | |
+#include "exec/address-spaces.h" | |
+#include "hw/irq.h" | |
+#include "sysemu/dma.h" | |
+ | |
+//#define DO_SECUREROM 1 | |
static void trng_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
unsigned size) | |
@@ -225,6 +232,521 @@ static const MemoryRegionOps misc2_reg_ops = { | |
.valid.unaligned = false, | |
}; | |
+static void misc39_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&s->misc39_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC39: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc39_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ // 0x0;0x4 == T8101 | |
+ // 0x4;0x8 == T8020 | |
+ | |
+ switch (addr) { | |
+#if 0 | |
+ //case 0x00: // ???? T8101 | |
+ // return 0x1; | |
+ //case 0x04: // ???? T8101 | |
+ // return 0x1; | |
+ case 0x04: // ???? T8020 | |
+ //return 0x1; | |
+ return 0x0; // required for misc9 0x318 | |
+ case 0x08: // ???? T8020 | |
+ //return 0x1; | |
+ return 0x0; | |
+#endif | |
+ default: | |
+ memcpy(&ret, &s->misc39_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC39: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc39_reg_ops = { | |
+ .write = misc39_reg_write, | |
+ .read = misc39_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+ | |
+#if 1 | |
+static void misc4_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ switch (addr) { | |
+#if 0 | |
+ case 0x14: | |
+ if (!!(data & 1)) { | |
+ uint64_t vector = *(uint64_t*)(&s->misc4_regs[0x20]); | |
+ AppleSEPResetMisc_func(vector); | |
+ } | |
+ break; | |
+#endif | |
+ default: | |
+ memcpy(&s->misc4_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC4: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc4_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ | |
+ switch (addr) { | |
+#if 0 | |
+ case 0x00: // ???? because of WFE FUN_240011488_DAT_241500000_wfe, hangs otherwise, fix it properly! | |
+ return 0x0; | |
+ case 0x04: // ???? because of WFE FUN_2400113cc_DAT_241500004_wfe, hangs otherwise, fix it properly! | |
+ return 0x0; | |
+ case 0x0c: // ???? because of switch case FUN_2400113ec_DAT_24150000c_should_be_0, panics otherwise | |
+ return 0x0; | |
+#endif | |
+ default: | |
+ memcpy(&ret, &s->misc4_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC4: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc4_reg_ops = { | |
+ .write = misc4_reg_write, | |
+ .read = misc4_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+#endif | |
+ | |
+static void misc5_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&s->misc5_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC5: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc5_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&ret, &s->misc5_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC5: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc5_reg_ops = { | |
+ .write = misc5_reg_write, | |
+ .read = misc5_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+ | |
+static void misc6_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&s->misc6_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC6: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc6_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&ret, &s->misc6_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC6: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc6_reg_ops = { | |
+ .write = misc6_reg_write, | |
+ .read = misc6_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+ | |
+static void misc7_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ //apple_mbox_msg_t msg0 = NULL; | |
+ //apple_mbox_msg_t msg1 = NULL; | |
+ //apple_mbox_msg_t msg2 = NULL; | |
+ //apple_mbox_msg_t msg3 = NULL; | |
+ //apple_mbox_msg_t msg4 = NULL; | |
+ //apple_mbox_msg_t msg5 = NULL; | |
+ //sep_message_t sep_msg = NULL; | |
+ struct sep_message sep_msg = { 0 }; | |
+ switch (addr) { | |
+ //case 0x8: | |
+ case 0x4: | |
+ //if (data == 0x2cbd3509) | |
+ if (data == 0xf2e31133) | |
+ { | |
+ //sep_msg = g_new0(struct sep_message, 1); | |
+ //msg0 = g_new0(struct apple_mbox_msg, 1); | |
+ //msg1 = g_new0(struct apple_mbox_msg, 1); | |
+ //msg2 = g_new0(struct apple_mbox_msg, 1); | |
+ //msg3 = g_new0(struct apple_mbox_msg, 1); | |
+ //msg4 = g_new0(struct apple_mbox_msg, 1); | |
+ //msg5 = g_new0(struct apple_mbox_msg, 1); | |
+ sep_msg.endpoint = 0xff; | |
+ | |
+#if 0 | |
+ sep_msg->opcode = 1; // kOpCode_Ping | |
+ sep_msg->tag = 0x70; | |
+ memcpy(msg5->data, sep_msg, 16); | |
+ apple_mbox_inbox_push(s->mbox, msg5); | |
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode1/kOpCode_Ping", msg5); | |
+#endif | |
+ | |
+ sep_msg.opcode = 3; // kOpCode_GenerateNonce | |
+ sep_msg.tag = 0x67; | |
+ //memcpy(msg0->data, sep_msg, 16); | |
+ //apple_mbox_inbox_push(s->mbox, msg0); | |
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce", msg0); | |
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw); | |
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce\n"); | |
+ | |
+#if 0 | |
+ sep_msg->opcode = 4; // Opcode 4 | |
+ sep_msg->tag = 0x6e; | |
+ memcpy(msg4->data, sep_msg, 16); | |
+ apple_mbox_inbox_push(s->mbox, msg4); | |
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode4/kOpCode_GetNonceWord", msg4); | |
+ | |
+ sep_msg->opcode = 15; // Opcode 15 | |
+ sep_msg->tag = 0x0; | |
+ memcpy(msg2->data, sep_msg, 16); | |
+ apple_mbox_inbox_push(s->mbox, msg2); | |
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode15/kOpCode_SendDpa", msg2); | |
+ | |
+ sep_msg->opcode = 16; // Opcode 16 | |
+ sep_msg->tag = 0x0; | |
+ memcpy(msg3->data, sep_msg, 16); | |
+ apple_mbox_inbox_push(s->mbox, msg3); | |
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode16", msg3); | |
+#endif | |
+ | |
+ sep_msg.opcode = 17; // Opcode 17 | |
+ sep_msg.tag = 0x0; | |
+ //sep_msg->data = 0x2000; // 0x2000 | |
+ //sep_msg->data = 0x3200; // iBoot on iOS 12.0 for T8020 says 0x3200 (0x1c52000 bytes). Might not be enough for SEPOS in iOS 14.4.2. | |
+ //sep_msg->data = 0x4000; // iBoot on iOS 13.0/13.7 for T8020 says 0x4000 (0x2440000 bytes). Might not be enough for SEPOS in iOS 14.4.2. | |
+ //sep_msg->data = 0x3400; // SEPFW on iOS 14.4.2 for T8020 wants something higher | |
+ //sep_msg->data = 0x3800; // SEPFW on iOS 14.4.2 for T8020 wants something higher | |
+ //sep_msg->data = 0x6000; // SEPFW on iOS 14.4.2 for T8020 wants something higher | |
+ sep_msg.data = 0x8000; // SEPFW on iOS 14.0/14.4.2 for T8020, if I found the correct data in Ghidra. | |
+ // max value 0x8000, checked in SEPROM:FUN_240011564_maybe_check_amcc. | |
+ // size in bytes == value * 0x910 | |
+ //memcpy(msg1->data, sep_msg, 16); | |
+ //apple_mbox_inbox_push(s->mbox, msg1); | |
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode17", msg1); | |
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw); | |
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode17\n"); | |
+#if 0 | |
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: before response loop, this will surely dead-lock, but let's try it anyway. YOLO.\n"); | |
+ int response_count = 2; | |
+ while (response_count > 0) { | |
+ while (!apple_mbox_outbox_empty(s->mbox)) { | |
+ response_count -= pop_from_outbox(opaque); | |
+ } | |
+ } | |
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: after response loop\n"); | |
+#endif | |
+ //g_free(sep_msg); | |
+ ////g_free(msg0); | |
+ ////g_free(msg1); | |
+ ////g_free(msg2); | |
+ ////g_free(msg3); | |
+ ////g_free(msg4); | |
+ ////g_free(msg5); | |
+ } | |
+ //goto jump_default; | |
+ //QEMU_FALLTHROUGH; | |
+ break; | |
+ case 0x0: | |
+ //case 0x4: | |
+ case 0x8: | |
+ case 0x114: | |
+ case 0x214: | |
+ case 0x218: | |
+ case 0x21c: | |
+ case 0x220: | |
+ case 0x2d8: | |
+ case 0x2dc: | |
+ case 0x2e0: // ecid low | |
+ case 0x2e4: // ecid high | |
+ case 0x2e8: // board-id | |
+ case 0x2ec: // chip-id | |
+ case 0x314: | |
+ case 0x318: | |
+ case 0x31c: | |
+ memcpy(&s->misc7_regs[addr], &data, size); | |
+ break; | |
+ default: | |
+ jump_default: | |
+ memcpy(&s->misc7_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc7_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ | |
+ switch (addr) { | |
+ case 0xc: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); // ARM_CPU_IRQ == 0 | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); // ARM_CPU_FIQ == 1 | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); // GTIMER_VIRT == 1 | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2)); | |
+ | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3)); | |
+ | |
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 0)); | |
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 1)); | |
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 2)); | |
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 3)); | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x10: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x14: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x18: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // panic(cpu 3 caller 0xfffffff008b69bb0): SEP Panic: [elfour panic] [&&&&&&&&] sep,*.c:*(+ | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x1c: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x20: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x24: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ case 0x28: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+#if 1 | |
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3)); | |
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3)); | |
+ | |
+ ret = 0xdeadbeef; | |
+#endif | |
+ break; | |
+ default: | |
+ memcpy(&ret, &s->misc7_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC7: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc7_reg_ops = { | |
+ .write = misc7_reg_write, | |
+ .read = misc7_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+ | |
+static void misc8_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
+ unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&s->misc8_regs[addr], &data, size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC8: Unknown write at 0x" HWADDR_FMT_plx | |
+ " with value 0x" HWADDR_FMT_plx "\n", | |
+ addr, data); | |
+ break; | |
+ } | |
+} | |
+ | |
+static uint64_t misc8_reg_read(void *opaque, hwaddr addr, unsigned size) | |
+{ | |
+ AppleSEPState *s = APPLE_SEP(opaque); | |
+ uint64_t ret = 0; | |
+ | |
+ switch (addr) { | |
+ default: | |
+ memcpy(&ret, &s->misc8_regs[addr], size); | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "SEP MISC8: Unknown read at 0x" HWADDR_FMT_plx "\n", | |
+ addr); | |
+ break; | |
+ } | |
+ | |
+ return ret; | |
+} | |
+ | |
+static const MemoryRegionOps misc8_reg_ops = { | |
+ .write = misc8_reg_write, | |
+ .read = misc8_reg_read, | |
+ .endianness = DEVICE_NATIVE_ENDIAN, | |
+ .valid.min_access_size = 4, | |
+ .valid.max_access_size = 4, | |
+ .impl.min_access_size = 4, | |
+ .impl.max_access_size = 4, | |
+ .valid.unaligned = false, | |
+}; | |
+ | |
static const struct AppleMboxOps sep_mailbox_ops = {}; | |
@@ -270,9 +792,9 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, | |
APPLE_MBOX_MMIO_V2)); | |
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->mbox)); | |
- memory_region_init_io(&s->trng_mr, OBJECT(dev), &trng_reg_ops, s, | |
- "sep.trng", 0x100); | |
- sysbus_init_mmio(sbd, &s->trng_mr); | |
+ memory_region_init_io(&s->trng_t8101_mr, OBJECT(dev), &trng_reg_ops, s, | |
+ "sep.trng_t8101", 0x100); // TRNG T8101 | |
+ sysbus_init_mmio(sbd, &s->trng_t8101_mr); | |
memory_region_init_io(&s->misc0_mr, OBJECT(dev), &misc0_reg_ops, s, | |
"sep.misc0", 0x100); | |
sysbus_init_mmio(sbd, &s->misc0_mr); | |
@@ -282,6 +804,30 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, | |
memory_region_init_io(&s->misc2_mr, OBJECT(dev), &misc2_reg_ops, s, | |
"sep.misc2", 0x100); | |
sysbus_init_mmio(sbd, &s->misc2_mr); | |
+ memory_region_init_io(&s->misc3_mr, OBJECT(dev), &misc39_reg_ops, s, | |
+ "sep.misc39_t8101", 0x100); // MISC39 T8101 | |
+ sysbus_init_mmio(sbd, &s->misc3_mr); | |
+ memory_region_init_io(&s->misc4_mr, OBJECT(dev), &misc4_reg_ops, s, | |
+ "sep.misc4", 0x100); // MISC4 // 0x241440000 | |
+ sysbus_init_mmio(sbd, &s->misc4_mr); | |
+ memory_region_init_io(&s->misc5_mr, OBJECT(dev), &misc5_reg_ops, s, | |
+ "sep.misc5", 0x100); // MISC5 | |
+ sysbus_init_mmio(sbd, &s->misc5_mr); | |
+ memory_region_init_io(&s->misc6_mr, OBJECT(dev), &misc6_reg_ops, s, | |
+ "sep.misc6", 0x4000); // MISC6 // T8020's dart-sep? | |
+ sysbus_init_mmio(sbd, &s->misc6_mr); | |
+ memory_region_init_io(&s->misc7_mr, OBJECT(dev), &misc7_reg_ops, s, | |
+ "sep.misc7", 0x1000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM. | |
+ sysbus_init_mmio(sbd, &s->misc7_mr); | |
+ memory_region_init_io(&s->misc8_mr, OBJECT(dev), &misc8_reg_ops, s, | |
+ "sep.misc8", 0x40000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8. | |
+ sysbus_init_mmio(sbd, &s->misc8_mr); | |
+ memory_region_init_io(&s->trng_t8020_mr, OBJECT(dev), &trng_reg_ops, s, | |
+ "sep.trng_t8020", 0x100); // TRNG T8020 | |
+ sysbus_init_mmio(sbd, &s->trng_t8020_mr); | |
+ memory_region_init_io(&s->misc9_mr, OBJECT(dev), &misc39_reg_ops, s, | |
+ "sep.misc39_t8020", 0x100); // MISC39 T8020 | |
+ sysbus_init_mmio(sbd, &s->misc9_mr); | |
DTBNode *child = find_dtb_node(node, "iop-sep-nub"); | |
assert(child); | |
//! SEPFW needs to be loaded by restore, supposedly | |
@@ -293,7 +839,17 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, | |
static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data) | |
{ | |
AppleSEPState *s = data.host_ptr; | |
+ AddressSpace *nsas = &address_space_memory; | |
+ MachineState *machine = MACHINE(qdev_get_machine()); | |
+ T8030MachineState *tms = T8030_MACHINE(machine); | |
cpu_reset(cpu); | |
+#ifdef DO_SECUREROM | |
+ // make it possible to re-run SEPROM after SecureROM panics without powering off | |
+ // replaces e.g.: set *0x241130840=0x0 ; set *0x241130800=0x0 | |
+ //address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x3000000, MEMTXATTRS_UNSPECIFIED); | |
+ address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x1000000, MEMTXATTRS_UNSPECIFIED); | |
+#endif | |
+ fprintf(stderr, "apple_sep_cpu_reset_work: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base); | |
cpu_set_pc(cpu, s->base); | |
} | |
diff --git a/hw/arm/s8000.c b/hw/arm/s8000.c | |
index 7b3e89eb17..3ed35dd78c 100644 | |
--- a/hw/arm/s8000.c | |
+++ b/hw/arm/s8000.c | |
@@ -617,16 +617,44 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size) | |
{ | |
hwaddr base = (hwaddr)opaque; | |
+ uint64_t ret = 0; | |
switch (base + addr) { | |
- case 0x102BC000: //! CFG_FUSE0 | |
- return (1 << 2); | |
+ case 0x102BC000: //! CFG_FUSE0 | |
+ //return (1 << 2); | |
+ //return 0; | |
+ //return -1; | |
+ ret |= (1 << 2); | |
+ ret |= (0x12ULL << 9); // SCEP: max: 0x7f | |
+ //ret |= (1 << 8); | |
+ //ret |= 0xf << 4; | |
+ ret |= 0x1 << 4; // BDID |= 0x20 | |
+ //ret |= 0x1 << 5; // BDID |= 0x40 | |
+ //ret |= 0x1 << 6; // BDID |= 0x80 | |
+ //ret |= 0x1 << 7; | |
+ ret |= (1 << 0); // IBFL |= 0x10 | |
+ return ret; | |
case 0x102BC200: //! CFG_FUSE0_RAW | |
- return 0x0; | |
+ //return 0x0; | |
+ //return (1 << 2); | |
+ //return -1; | |
+ //return 0xffffffffULL << 16; | |
+ //ret |= (0x1 << 1); // CPFM |= 0x1 ; IBFL |= 0x08 | |
+ ret |= (0x1 << 0); // CPFM |= 0x3 ; IBFL |= 0x08 | |
+ return ret; | |
+ case 0x102BC010: | |
+ //return 0x1 << 22; // CPRV |= 0x01 | |
+ //return 0x1 << 23; // CPRV |= 0x02 | |
+ //return 0x1 << 24; // CPRV |= 0x04 | |
+ //return 0x1 << 25; // CPRV |= 0x10 | |
+ //return 0x1 << 26; // CPRV |= 0x20 | |
+ //return 0x1 << 27; // CPRV |= 0x40 | |
+ return (3 << 22); | |
case 0x102BC080: //! ECID_LO | |
return 0x13371337; | |
case 0x102BC084: //! ECID_HI | |
- return 0xDEADBEEF; | |
+ return 0x7EADBEEF; | |
+ //return 0xDEADBEEF; | |
case 0x102E8000: // ???? | |
return 0x4; | |
case 0x102BC104: // ???? bit 24 => is fresh boot? | |
diff --git a/hw/arm/t8030.c b/hw/arm/t8030.c | |
index f704899133..54dbc957b8 100644 | |
--- a/hw/arm/t8030.c | |
+++ b/hw/arm/t8030.c | |
@@ -1,3 +1,6 @@ | |
+ | |
+//#define DO_SECUREROM 1 | |
+ | |
/* | |
* Apple t8030 SoC. | |
* | |
@@ -65,8 +68,12 @@ | |
#define T8030_DRAM_BASE (0x800000000ULL) | |
#define T8030_DRAM_SIZE (4ULL * GiB) | |
+#define T8030_SEP_BASE (0x240000000ULL) | |
+#define T8030_SEP_SIZE (0x4000000ULL) | |
+ | |
#define T8030_SEPROM_BASE (0x240000000ULL) | |
-#define T8030_SEPROM_SIZE (0x4000000ULL) | |
+//#define T8030_SEPROM_BASE (0x242200000ULL) // Visual told me to | |
+#define T8030_SEPROM_SIZE (0x40000ULL) | |
#define T8030_GPIO_FORCE_DFU (161) | |
@@ -158,6 +165,20 @@ static void t8030_create_s3c_uart(const T8030MachineState *tms, uint32_t port, | |
static void t8030_patch_kernel(MachoHeader64 *hdr) | |
{ | |
+#ifndef DO_SECUREROM | |
+#if 0 | |
+ uint32_t value32_nop = 0xd503201f; // nop | |
+ *(uint32_t *)vtop_static(0xFFFFFFF0077142C8) = 0; | |
+ //*(uint32_t *)vtop_static(0xfffffff009845140) = 0xFFFFFFFF; // AMCC | |
+ // gAppleSMCDebugLevel = 0xFFFFFFFF; | |
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA18) = 0xFFFFFFFF; | |
+ // gAppleSMCDebugPath = 0x2; | |
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA1C) = 0x2; | |
+ *(uint32_t *)vtop_static(0xfffffff007eef5c0) = value32_nop; | |
+ *(uint32_t *)vtop_static(0xfffffff007eef600) = value32_nop; | |
+ *(uint32_t *)vtop_static(0xfffffff007eef6a4) = value32_nop; | |
+#endif | |
+#endif | |
kpf(); | |
} | |
@@ -307,10 +328,10 @@ static void t8030_load_classic_kc(T8030MachineState *tms, const char *cmdline) | |
if (tms->sepfw_filename) { | |
info->sep_fw_pa = phys_ptr; | |
- macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", | |
- info->sep_fw_pa, &info->sep_fw_size); | |
info->sep_fw_size = align_16k_high(8 * MiB); | |
phys_ptr += info->sep_fw_size; | |
+ size_t garbage = 0; | |
+ macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage); | |
} | |
mem_size = | |
@@ -460,6 +481,7 @@ static void t8030_memory_setup(MachineState *machine) | |
DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map"); | |
g_autofree char *cmdline = NULL; | |
AddressSpace *nsas = &address_space_memory; | |
+ g_autofree char *securerom = NULL; | |
g_autofree char *seprom = NULL; | |
unsigned long fsize = 0; | |
@@ -470,6 +492,20 @@ static void t8030_memory_setup(MachineState *machine) | |
info->dram_base = T8030_DRAM_BASE; | |
info->dram_size = T8030_DRAM_SIZE; | |
+#ifdef DO_SECUREROM | |
+ if (!machine->firmware) { | |
+ error_report("Please set firmware to SecureROM's path"); | |
+ exit(EXIT_FAILURE); | |
+ } | |
+ | |
+ if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) { | |
+ error_report("Could not load data from file '%s'", | |
+ machine->firmware); exit(EXIT_FAILURE); | |
+ } | |
+ address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED, | |
+ (uint8_t *)securerom, fsize, 1); | |
+#endif | |
+ | |
if (tms->seprom_filename == NULL) { | |
error_report("Please set path to SEPROM"); | |
exit(EXIT_FAILURE); | |
@@ -484,11 +520,56 @@ static void t8030_memory_setup(MachineState *machine) | |
(uint8_t *)seprom, fsize, 1); | |
uint64_t value = 0x8000000000000000; | |
- address_space_write(nsas, tms->soc_base_pa + 0x42140108, | |
- MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); | |
uint32_t value32 = 0x1; | |
- address_space_write(nsas, tms->soc_base_pa + 0x41448000, | |
- MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); | |
+ uint32_t value32_mov_w8_0 = 0x52800008; // mov w8, #0x0 | |
+ uint32_t value32_mov_w8_1 = 0x52800028; // mov w8, #0x1 | |
+ uint32_t value32_mov_x0_1 = 0xd2800020; // mov x0, #0x1 | |
+ uint32_t value32_mov_x0_0 = 0xd2800000; // mov x0, #0x0 | |
+ uint32_t value32_mov_x0_0x10 = 0xd2800200; // mov x0, #0x10 | |
+ uint32_t value32_mov_x0_0x2000 = 0xd2840000; // mov x0, #0x2000 | |
+ uint32_t value32_mov_x0_0x5000 = 0xd28a0000; // mov x0, #0x5000 | |
+ uint32_t value32_mov_x0_0x200000 = 0xd2a00400; // mov x0, #0x200000 | |
+ uint32_t value32_mov_x0_0xe20 = 0xd281c400; // mov x0, #0xe20 | |
+ uint32_t value32_mov_x20_1 = 0xd2800034; // mov x20, #0x1 | |
+ uint32_t value32_nop = 0xd503201f; // nop | |
+ uint32_t value32_mov_w0_8030 = 0x52900600; // mov w0, #0x8030 | |
+ uint32_t value32_cmp_x0_x0 = 0xeb00001f; // cmp x0, x0 | |
+ uint32_t value32_bl_GenerateNonce_t8101 = 0x9400026d; // bl generate_random_GenerateNonce for T8101 from 0x24000edec | |
+ uint32_t value32_bl_GenerateNonce_t8020 = 0x94000187; // bl generate_random_GenerateNonce for T8020 from 0x24000b574 | |
+ uint32_t value32_mov_x5_0xf0000000 = 0xd2be0005; // mov x5,#0xf0000000 | |
+ uint32_t value32_retab = 0xd65f0fff; // retab | |
+ uint32_t value32_ret = 0xd65f03c0; // ret | |
+ uint32_t value32_mov_w0_minus1 = 0x12800000; // mov w0, #0xffffffff | |
+ uint32_t value32_mov_w0_0x10000000 = 0x52a20000; // mov w0, #0x10000000 | |
+ uint32_t value32_mov_w0_sp_0x4 = 0xb90007e0; // mov w0, [sp, #0x4] | |
+#if 1 // for T8020 SEPROM | |
+ address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section) | |
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x12144, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result. | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121d8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121dc, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0abd8, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs30: fake success | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0ca84, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs14: fake success | |
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x091b4, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8020 | |
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x077ac, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success | |
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b574, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8020, sizeof(value32_bl_GenerateNonce_t8020)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8020 (Opcode3). Needed because we don't run iBoot/SecureROM. | |
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // boot: set opcode_17_inbox_msg_data | |
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0x2000, sizeof(value32_mov_x0_0x2000)); // boot: set opcode_17_inbox_msg_data | |
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b588, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_sp_0x4, sizeof(value32_mov_w0_sp_0x4)); // boot: set opcode_17_inbox_msg_data | |
+#ifndef DO_SECUREROM | |
+#if 0 | |
+ *(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing) | |
+ *(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger. | |
+ //*(uint32_t *)vtop_static(0xfffffff008b57ad4) = value32_mov_x0_1; // AppleSEPManager::_bootSEP:: Don't require _PE_i_can_has_debugger. | |
+ *(uint32_t *)vtop_static(0xfffffff007a231d8) = value32_mov_x0_1; // _kern_config_is_development | |
+#endif | |
+#else | |
+ address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches. | |
+ address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load | |
+ address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload | |
+#endif | |
+ | |
+#endif // for T8020 SEPROM | |
nvram = APPLE_NVRAM(qdev_find_recursive(sysbus_get_default(), "nvram")); | |
if (!nvram) { | |
@@ -594,6 +675,7 @@ static void t8030_memory_setup(MachineState *machine) | |
set_dtb_prop(vram, "reg", sizeof(vram_reg), &vram_reg); | |
} | |
+#ifndef DO_SECUREROM | |
hdr = tms->kernel; | |
g_assert(hdr); | |
@@ -613,12 +695,26 @@ static void t8030_memory_setup(MachineState *machine) | |
__func__, hdr->file_type); | |
break; | |
} | |
+#endif | |
} | |
+static uint64_t pmgr_unk_e4800 = 0; | |
+static uint32_t pmgr_unk_e4000[0x180/4] = {0}; | |
+ | |
static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
unsigned size) | |
{ | |
hwaddr base = (hwaddr)opaque; | |
+ switch (base + addr) { | |
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4 | |
+ pmgr_unk_e4800 = data; // 0x240002c00 and 0x2400037a4 | |
+ break; | |
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c | |
+ pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4] = data; // 0x24000377c | |
+ break; | |
+ default: | |
+ break; | |
+ } | |
#if 1 | |
qemu_log_mask(LOG_UNIMP, | |
"PMGR reg WRITE unk @ 0x" TARGET_FMT_lx | |
@@ -629,7 +725,11 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size) | |
{ | |
+ MachineState *machine = MACHINE(qdev_get_machine()); | |
+ T8030MachineState *tms = T8030_MACHINE(machine); | |
+ AppleSEPState *sep; | |
hwaddr base = (hwaddr)opaque; | |
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal)); | |
#if 1 | |
qemu_log_mask(LOG_UNIMP, | |
@@ -637,43 +737,120 @@ static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size) | |
" base: 0x" TARGET_FMT_lx "\n", | |
base + addr, base); | |
#endif | |
- switch (base + addr) { | |
- case 0x3D2BC000: | |
- // return 0xA050C030; // IBFL | 0x00 | |
- return 0xA55AC33C; // IBFL | 0x10 | |
- case 0x3D2BC008: | |
+ uint32_t chip_revision; | |
+ //chip_revision = 0x01; | |
+ chip_revision = 0x11; | |
+ switch (base + addr) { | |
+ case 0x3D2BC000: // DPRO | |
+ case 0x3D2BC200: | |
+ //// return 0xA050C030; // IBFL | 0x00 | |
+ return 0xA55AC33C; // IBFL | 0x10 // my | |
+ //return 0xA050C030; // Ntrung | |
+ case 0x3D2BC004: // ??? DPRO? is value==0xA050C030 (disabled), take value from 0xbc600 | |
+ case 0x3D2BC204: | |
+ return 0xA55AC33C; // force return enabled | |
+ //return 0xA050C030; // force return disabled ; skip loop inside FUN_240003fcc_wait_for_DAT_23d2bc004_maybe_memory_encryption | |
+ // FUN_240003fcc_wait_for_DAT_23d2bc004 | |
+ if ((sep->misc5_regs[0] & 0x2) != 0) | |
+ return 0xA050C030; // if bit1 is set | |
+ else | |
+ return 0xA55AC33C; // if bit1 is unset | |
+ case 0x3D2BC008: // EDOM_0? Effective SDOM_0? (Security Domain) T8030? | |
+ case 0x3D2BC208: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-A12-D331pAP | |
+ ////case 0x3D2BC308: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC608: // SDOM_0? (Security Domain) AppleSEPROM-Sicily-A0 | |
return 0xA55AC33C; // security domain | 0x1 | |
- case 0x3D2BC00C: | |
- // return 0xA55AC33C; // security domain | 0x2 | |
+ //return 0xA050C030; // MAYBE security domain | 0x0 | |
+ case 0x3D2BC00C: // EDOM_1? Effective SDOM_1? (Security Domain) T8030? | |
+ case 0x3D2BC20C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-A12-D331pAP | |
+ ////case 0x3D2BC30C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC60C: // SDOM_1? (Security Domain) AppleSEPROM-Sicily-A0 | |
+ //return 0xA55AC33C; // security domain | 0x2 | |
return 0xA050C030; // security domain | 0x0 | |
- case 0x3D2BC010: | |
- return (1 << 5) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << | |
- // 5 ;; (1 << 31) for SEP | |
- case 0x3D2BC030: | |
- // return 0xFFFFFFFF; // CPRV | |
- // return 0x7 << 6; // LOW NIBBLE | |
- // return 0x70 << 5; // HIGH NIBBLE | |
- return 0x1 << 6; | |
- case 0x3D2BC300: // TODO | |
- return 0xCAFEBABE; // ECID lower | |
- case 0x3D2BC304: // TODO | |
- return 0xDEADBEEF; // ECID upper | |
- case 0x3D2BC400: | |
+ case 0x3D2BC010: // maybe effective CEPO? SEPO/BOARDID (upper three??/five bits stored in the three lower bits) | |
+ case 0x3D2BC210: // CEPO? SEPO? AppleSEPROM-A12-D331pAP | |
+ ////case 0x3D2BC310: // CEPO? SEPO? AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC610: // CEPO? SEPO? AppleSEPROM-Sicily-A0 | |
+ uint64_t sep_bit30 = ((sep->misc5_regs[0] & 0x1) != 0); | |
+ //return (1 << 5) | (0 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (0 << 30) | (1 << 31) for SEP | |
+ return (1 << 5) | (sep_bit30 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (sep_bit30 << 30) | (1 << 31) for SEP | |
+ case 0x3D2BC020: // T8030 iBSS: FUN_19c07feac_return_value_causes_crash | |
+ //return 0xA050C030; // causes panic, so does a invalid value | |
+ return 0xA55AC33C; | |
+ //0x3d2bc024 T8030 | |
+ //0x3d2bc028 T8030 | |
+ //0x3d2bc02c T8030 | |
+ //case 0x3D2BC028: // CPRV (Chip Revision) AppleSEPROM-S4-S5-B1 | |
+ //case 0x3D2BC02c: // T8030 iBSS: _DAT_23d2bc02c >> 30 | (_DAT_23d2bc030 & 15) << 2; | |
+ case 0x3D2BC030: // CPRV (Chip Revision) T8030? T8020? | |
+ return ((chip_revision & 0x7) << 6) | (((chip_revision & 0x70) >> 4) << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC03c: // CPRV (Chip Revision) AppleSEPROM-Sicily-A0 | |
+ return ((chip_revision & 0x7) << 10) | (((chip_revision & 0x70) >> 4) << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0 | |
+ //// return 0xFFFFFFFF; // CPRV | |
+ //// return (0x7 << 6) | (0x70 << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1 | |
+ //// return (0x7 << 10) | (0x70 << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0 | |
+ //return 0x1 << 6; // my ; (1 << 6) == 0x40 == revision:0x1 | |
+ //return 0x240; // Ntrung // == revision:0x11 | |
+ case 0x3D2BC100: // ECID lower T8020? | |
+ ////case 0x3D2BC200: // ECID lower AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC300: // ECID lower T8030? | |
+ case 0x3D2BC500: // ECID lower AppleSEPROM-Sicily-A0 | |
+ //return 0xCAFEBABE; // ECID lower | |
+ return tms->ecid & 0xffffffff; // ECID lower | |
+ case 0x3D2BC104: // ECID upper T8020? | |
+ ////case 0x3D2BC204: // ECID upper AppleSEPROM-S4-S5-B1 | |
+ case 0x3D2BC304: // ECID upper T8030? | |
+ case 0x3D2BC504: // ECID upper AppleSEPROM-Sicily-A0 | |
+ //return 0xDEADBEEF; // ECID upper | |
+ return tms->ecid >> 32; // ECID upper | |
+ case 0x3D2BC400: // EKEY_0 | |
// if 0xBC404 returns 1==0xA55AC33C, this will get ignored | |
- // return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 | |
- return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C | |
- case 0x3D2BC404: | |
- // return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C | |
- return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 | |
- case 0x3D2BC604: //? | |
- return 0xA050C030; | |
+ //// return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 | |
+ return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C // my | |
+ //return 0xA050C030; // Ntrung | |
+ case 0x3D2BC404: // EKEY_1 | |
+ return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C | |
+ //return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 | |
+ case 0x3D2BC600: //? EPRO (Effective Production Status)? CPRO (Certificate Production Status)? | |
+ //return 0xA55AC33C; // avoided panic(0x74/0xf1) with patches | |
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off | |
+ //return 0; | |
+ return 0xA55AC33C; // EPRO enabled | |
+ //return 0xA050C030; // EPRO disabled | |
+ case 0x3D2BC604: //? CSEC (Certificate Security Mode)? | |
+ //return 0xA55AC33C; // set at 0x24000b070, causes crash at 0x240008928 // avoided panic(0x74/0xf1) with patches | |
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off | |
+ //return 0; // panic(0x74) ? | |
+ return 0xA55AC33C; // CSEC enabled | |
+ //return 0xA050C030; // CSEC disabled | |
case 0x3D2E8000: // ???? | |
- return 0x32B3; // memory encryption AMK (Authentication Master Key) | |
- // disabled | |
- // return 0xC2E9; // memory encryption AMK (Authentication Master Key) | |
- // enabled | |
- case 0x3D2D0034: //? | |
- return (1 << 24) | (1 << 25); | |
+ //return 0x32B3; // memory encryption AMK (Authentication Master Key) disabled // avoided panic(0x74/0xf1) with patches | |
+ return 0xC2E9; // memory encryption AMK (Authentication Master Key) enabled // needed to avoid panic(0x74) ? | |
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4 | |
+ //////return 0x3; // 0x2400037a4 | |
+ return pmgr_unk_e4800; // 0x240002c00 and 0x2400037a4 | |
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c | |
+ return pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4]; // 0x24000377c | |
+#if 0 | |
+ //case 0x3D2D0034: //? in AES | |
+ // return (1 << 24) | (1 << 25); | |
+#endif | |
+#if 1 | |
+#if 0 | |
+ //case 0x3D2D0020: // ???? in AES | |
+ // return 4; | |
+#endif | |
+ //case 0x3D2BC200: // ???? | |
+ // return 0xA050C030; | |
+ //case 0x3D2BC204: // ???? | |
+ // return 0xA050C030; | |
+#endif | |
+#ifdef DO_SECUREROM | |
+ case 0x3d2d4040: // SecureROM: prevent panic in platform_bootprep(_panics_on_plain_payload) | |
+ return (1 << 16); | |
+ case 0x3d12c014: // while ((*(int64_t*)0x23d12c014 & 0x1ff) == 0) | |
+ return 0x1; | |
+#endif | |
default: | |
if (((base + addr) & 0x10E70000) == 0x10E70000) { | |
return (108 << 4) | 0x200000; //? | |
@@ -692,6 +869,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
{ | |
MachineState *machine = MACHINE(opaque); | |
T8030MachineState *tms = T8030_MACHINE(opaque); | |
+ AppleSEPState *sep; | |
uint32_t value = data; | |
if (addr >= 0x80000 && addr <= 0x8C000) { | |
@@ -707,6 +885,32 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
case 0xD4004: | |
t8030_start_cpus(machine, data); | |
return; | |
+ case 0x80C00: | |
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal)); | |
+#ifdef DO_SECUREROM | |
+ if ((data & 0xf) == 0xf) { | |
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) { | |
+ apple_a13_cpu_start(APPLE_A13(sep->cpu)); | |
+ } | |
+ } | |
+#else | |
+ //if ((data >> 31) == 1) { | |
+ if (((data >> 31) & 1) == 1) { | |
+ apple_a13_cpu_reset(APPLE_A13(sep->cpu)); | |
+ //} else if ((data & 0xf) == 0xf) { | |
+ //} else if (((data & (1 << 28)) == 0) && ((data & (1 << 10)) == 0)) { | |
+ } else if (((data >> 10) & 1) == 0) { | |
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) { | |
+ apple_a13_cpu_start(APPLE_A13(sep->cpu)); | |
+ } | |
+ //} else if ((data & 0xf) == 0x0) { | |
+ //} else if (((data & (1 << 28)) != 0) && ((data & (1 << 10)) != 0)) { | |
+ //} else if (((data & (1 << 28)) != 0) || ((data & (1 << 10)) != 0)) { | |
+ } else if (((data >> 10) & 1) == 1) { | |
+ apple_a13_cpu_off(APPLE_A13(sep->cpu)); | |
+ } | |
+#endif | |
+ break; | |
} | |
memcpy(tms->pmgr_reg + addr, &value, size); | |
} | |
@@ -719,9 +923,15 @@ static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size) | |
case 0xF0010: //! AppleT8030PMGR::commonSramCheck | |
result = 0x5000; | |
break; | |
+#ifdef DO_SECUREROM | |
case 0x80C00: //! SEP Power State, Manual & Actual: Run Max | |
result = 0xFF; | |
break; | |
+ case 0x30000: // ??? T8030 IBSS | |
+ memcpy(&result, tms->pmgr_reg + addr, size); | |
+ result &= ~(1 << 25); // prevent two busy-loops in T8030 IBSS | |
+ break; | |
+#endif | |
#if 0 | |
case 0xBC008: | |
result = 0xFFFFFFFF; | |
@@ -754,44 +964,65 @@ static void amcc_reg_write(void *opaque, hwaddr addr, uint64_t data, | |
T8030MachineState *tms = T8030_MACHINE(opaque); | |
uint32_t value = data; | |
+#if 1 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "AMCC reg WRITE @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx | |
+ "\n", | |
+ addr, data); | |
+#endif | |
memcpy(tms->amcc_reg + addr, &value, size); | |
} | |
static uint64_t amcc_reg_read(void *opaque, hwaddr addr, unsigned size) | |
{ | |
- T8030MachineState *tms = T8030_MACHINE(opaque); | |
+ MachineState *machine = MACHINE(opaque); | |
+ T8030MachineState *tms = T8030_MACHINE(machine); | |
+ hwaddr orig_addr = addr; | |
+ uint64_t result = 0; | |
switch (addr) { | |
+#if 1 | |
case 0x6A0: | |
case 0x406A0: | |
case 0x806A0: | |
case 0xC06A0: | |
- return 0x0; | |
+ //result = 0x080000; // Don't know if this is correct. | |
+ result = 0x080000000ULL >> 12; | |
+ break; | |
case 0x6A4: | |
- // return 0x1003; | |
case 0x406A4: | |
- // return 0x2003; | |
case 0x806A4: | |
- // return 0x3003; | |
case 0xC06A4: | |
- // return 0x3; | |
- return 0x1003; // 0x1003 == 0x1004000 | |
- // return 0x4003; | |
+ //result = 0xad9f+0x080000; // Don't know if this is correct. | |
+ //result = ((0x20000000+0x080000000ULL)-1)>>12; | |
+ result = ((0xada0000+0x080000000ULL)-1)>>12; | |
+ break; | |
case 0x6A8: | |
case 0x406A8: | |
case 0x806A8: | |
case 0xC06A8: | |
- return 0x1; | |
+ result = 0x1; | |
+ break; | |
case 0x6B8: | |
case 0x406B8: | |
case 0x806B8: | |
case 0xC06B8: | |
- return 0x1; | |
+ result = 0x1; | |
+ break; | |
+ case 0x4: | |
+ result = 0xcf; | |
+ break; | |
+#endif | |
default: { | |
- uint64_t result = 0; | |
memcpy(&result, tms->amcc_reg + addr, size); | |
- return result; | |
} | |
} | |
+#if 1 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "AMCC reg READ @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx | |
+ "\n", | |
+ orig_addr, result); | |
+#endif | |
+ return result; | |
} | |
static const MemoryRegionOps amcc_reg_ops = { | |
@@ -1723,13 +1954,29 @@ static void t8030_create_sep(MachineState *machine) | |
reg = (uint64_t *)prop->value; | |
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, tms->soc_base_pa + reg[0]); | |
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 1, | |
- tms->soc_base_pa + 0x41180000); // TRNG | |
+ tms->soc_base_pa + 0x41180000); // TRNG T8101 | |
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 2, | |
tms->soc_base_pa + 0x41080000); // MISC0 | |
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 3, | |
tms->soc_base_pa + 0x41040000); // MISC1 | |
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 4, | |
tms->soc_base_pa + 0x410C4000); // MISC2 | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 5, | |
+ tms->soc_base_pa + 0x413CA000); // MISC39 T8101 | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 6, | |
+ tms->soc_base_pa + 0x41440000); // MISC4 // 0x241440000 | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 7, | |
+ tms->soc_base_pa + 0x41008000); // MISC5 | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 8, | |
+ tms->soc_base_pa + 0x41280000); // MISC6 // T8020's dart-sep? | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 9, | |
+ tms->soc_base_pa + 0x41240000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM. | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 10, | |
+ tms->soc_base_pa + 0x41200000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8. | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 11, | |
+ tms->soc_base_pa + 0x41100000); // TRNG T8020 | |
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 12, | |
+ tms->soc_base_pa + 0x41388000); // MISC39 T8020 | |
prop = find_dtb_prop(child, "interrupts"); | |
g_assert(prop); | |
@@ -1740,6 +1987,7 @@ static void t8030_create_sep(MachineState *machine) | |
qdev_get_gpio_in(DEVICE(tms->aic), ints[i])); | |
} | |
+#if 0 | |
dart = APPLE_DART( | |
object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal)); | |
g_assert(dart); | |
@@ -1756,6 +2004,33 @@ static void t8030_create_sep(MachineState *machine) | |
OBJECT(sep->dma_mr))); | |
sep->dma_as = g_new0(AddressSpace, 1); | |
address_space_init(sep->dma_as, sep->dma_mr, "sep.dma"); | |
+#if 1 | |
+ // after trying out stuff for too long, Visual told me how to do it approximately, but I had to skip the early addresses because SEPOS is there. | |
+ MemoryRegion *mr = g_new0(MemoryRegion, 1); | |
+ //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x80c000); | |
+ ////memory_region_init_alias(sep->dma_mr, OBJECT(tms), "sep.dma.alias", tms->sysmem, T8030_SEPROM_BASE, T8030_SEPROM_SIZE); | |
+ memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000); | |
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x80c000); | |
+ ////memory_region_add_subregion(tms->sysmem, 0, &sep->dma_mr); | |
+ ////memory_region_add_subregion(tms->sysmem, 0, mr); | |
+ memory_region_add_subregion(tms->sysmem, 0x80c000, mr); | |
+ //memory_region_add_subregion(tms->sysmem, 0x0, mr); | |
+#if 0 | |
+ MemoryRegion *mr1 = g_new0(MemoryRegion, 1); | |
+ memory_region_init_alias(mr1, OBJECT(tms), "sep.t8030.sepdart.alias", tms->sysmem, tms->soc_base_pa + 0x41280000, 0x4000); | |
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x412c0000, mr1, 1); | |
+#endif | |
+#if 1 | |
+ MemoryRegion *mr2 = g_new0(MemoryRegion, 1); | |
+ memory_region_init_alias(mr2, OBJECT(tms), "sep.t8030.sepdart.alias", tms->sysmem, tms->soc_base_pa + 0x412c0000, 0x4000); | |
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x41280000, mr2, 1); | |
+#endif | |
+ | |
+#endif | |
+ | |
+#else | |
+ g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(tms->sysmem))); | |
+#endif | |
sysbus_realize_and_unref(SYS_BUS_DEVICE(sep), &error_fatal); | |
} | |
@@ -1770,9 +2045,12 @@ static void t8030_cpu_reset_work(CPUState *cpu, run_on_cpu_data data) | |
} | |
cpu_reset(cpu); | |
env = &ARM_CPU(cpu)->env; | |
+#ifndef DO_SECUREROM | |
env->xregs[0] = tms->bootinfo.kern_boot_args_pa; | |
cpu_set_pc(cpu, tms->bootinfo.kern_entry); | |
- // cpu_set_pc(cpu, T8030_SROM_BASE); | |
+#else | |
+ cpu_set_pc(cpu, T8030_SROM_BASE); | |
+#endif | |
} | |
static void t8030_cpu_reset(void *opaque) | |
@@ -1849,13 +2127,48 @@ static void t8030_machine_init(MachineState *machine) | |
tms = T8030_MACHINE(machine); | |
tms->sysmem = get_system_memory(); | |
- // allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0); | |
- // allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0); | |
+#ifdef DO_SECUREROM | |
+ allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0); | |
+ allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0); | |
+ //allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x00000038 * 4, 0); | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x1000, 0); | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_1", 0x23b2c4000, 0x1000, 0); // 0x23b2c401c | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_2", 0x23b2c8000, 0x1000, 0); // 0x23b2c801c | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_3", 0x23b2cc000, 0x1000, 0); // 0x23b2cc01c | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_4", 0x23e804000, 0x1000, 0); // 0x23e8040fc | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_5", 0x23e808000, 0x1000, 0); // 0x23e808004 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_6", 0x23D008000, 0x1000, 0); // 0x23D008000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_7", 0x24A854000, 0x1000, 0); // 0x24A85401C | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_8", 0x24a858000, 0x1000, 0); // 0x24a85801c | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_9", 0x23C260000, 0x1000, 0); // 0x23C260000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_10", 0x23C280000, 0x1000, 0); // 0x23C280000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_11", 0x23c290000, 0x1000, 0); // 0x23c290000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_12", 0x23c2a0000, 0x1000, 0); // 0x23c2a0000 | |
+ //allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x1000, 0); // 0x23FE00000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x60000, 0); // 0x23FE00000 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_14", 0x23E041000, 0x1000, 0); // 0x23E041010 | |
+ allocate_ram(tms->sysmem, "SRAM_TEST_15", 0x23E80C000, 0x1000, 0); // 0x23E80C000 | |
+#endif | |
allocate_ram(tms->sysmem, "DRAM", T8030_DRAM_BASE, T8030_DRAM_SIZE, 0); | |
- allocate_ram(tms->sysmem, "SEPROM", T8030_SEPROM_BASE, T8030_SEPROM_SIZE, | |
- 0); | |
- allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0); | |
- | |
+ allocate_ram(tms->sysmem, "SEP", T8030_SEP_BASE, T8030_SEP_SIZE, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x500000000ULL, 0); | |
+ allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x60000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_30", 0x300000000ULL, 0x20000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_32", 0x320000000ULL, 0x20000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_34", 0x340000000ULL, 0x20000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_3_8", 0x300000000ULL, 0x80000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_3_8_0", 0x380000000ULL, 0x80000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_f_8", 0xf00000000ULL, 0x80000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "DRAM_f_8_0", 0xf80000000ULL, 0x80000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "SEPFW_0", 0x000000000ULL, 0x800000ULL, 0); | |
+ ////allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0); | |
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL+0x4000ULL, 0); | |
+ allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x1000000ULL, 0); | |
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x2000000ULL, 0); | |
+ | |
+#ifndef DO_SECUREROM | |
hdr = macho_load_file(machine->kernel_filename, NULL); | |
g_assert(hdr); | |
tms->kernel = hdr; | |
@@ -1894,10 +2207,15 @@ static void t8030_machine_init(MachineState *machine) | |
g_phys_base = (hwaddr)macho_get_buffer(hdr); | |
t8030_patch_kernel(hdr); | |
+#else | |
+ tms->rtbuddyv2_protocol_version = 11; | |
+#endif | |
tms->device_tree = load_dtb_from_file(machine->dtb); | |
+#ifndef DO_SECUREROM | |
tms->trustcache = load_trustcache_from_file(tms->trustcache_filename, | |
&tms->bootinfo.trustcache_size); | |
+#endif | |
data = 24000000; | |
set_dtb_prop(tms->device_tree, "clock-frequency", sizeof(data), &data); | |
child = find_dtb_node(tms->device_tree, "arm-io"); | |
@@ -1995,7 +2313,7 @@ static void t8030_machine_init(MachineState *machine) | |
t8030_create_dart(machine, "dart-usb"); | |
t8030_create_dart(machine, "dart-sio"); | |
t8030_create_dart(machine, "dart-disp0"); | |
- t8030_create_dart(machine, "dart-sep"); | |
+ //t8030_create_dart(machine, "dart-sep"); | |
t8030_create_usb(machine); | |
t8030_create_wdt(machine); | |
diff --git a/hw/arm/xnu.c b/hw/arm/xnu.c | |
index dd58ba6756..2e49ea53ed 100644 | |
--- a/hw/arm/xnu.c | |
+++ b/hw/arm/xnu.c | |
@@ -89,7 +89,7 @@ static const char *REM_NAMES[] = { | |
"dart-rsm\0$", "dart-scaler\0$", "dart-jpeg0\0$", | |
"dart-jpeg1\0$", "dart-isp\0$", "dart-ave\0$", | |
"dart-avd\0$", "dart-ane\0$", "dart-apcie2\0$", | |
- "dart-apcie3\0$", | |
+ "dart-apcie3\0$", "dart-sep\0$", | |
}; | |
static const char *REM_DEV_TYPES[] = { "backlight\0$", "pmp\0$", "wlan\0$", | |
@@ -111,6 +111,8 @@ static const char *REM_PROPS[] = { | |
"soc-tuning", | |
"mcc-power-gating", | |
"function-dock_parent", | |
+ "function-wait_for_power_gate", | |
+ "self-power-gate", | |
}; | |
static void allocate_and_copy(MemoryRegion *mem, AddressSpace *as, | |
@@ -458,8 +460,45 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info) | |
set_dtb_prop(child, "security-domain", sizeof(data), &data); | |
set_dtb_prop(child, "chip-epoch", sizeof(data), &data); | |
set_dtb_prop(child, "amfi-allows-trust-cache-load", sizeof(data), &data); | |
- // data = 1; | |
- // set_dtb_prop(child, "debug-enabled", sizeof(data), &data); | |
+ //data = 1; | |
+ //set_dtb_prop(child, "debug-enabled", sizeof(data), &data); | |
+#if 0 | |
+ data = 1; | |
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); | |
+ data = 0; | |
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); | |
+#endif | |
+#if 1 | |
+ data = 0; | |
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); | |
+ data = 1; | |
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); | |
+#endif | |
+#if 0 | |
+ data = 1; | |
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); | |
+ data = 0; | |
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); | |
+#endif | |
+#if 0 | |
+ data = 0; | |
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); | |
+ data = 1; | |
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); | |
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); | |
+#endif | |
+#if 1 | |
+ child = get_dtb_node(root, "defaults"); | |
+ data = 1; | |
+ set_dtb_prop(child, "no-effaceable-storage", sizeof(data), &data); | |
+#endif | |
child = get_dtb_node(root, "chosen/manifest-properties"); | |
set_dtb_prop(child, "BNCH", sizeof(info->boot_nonce_hash), | |
@@ -468,6 +507,7 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info) | |
child = get_dtb_node(root, "filesystems"); | |
child = get_dtb_node(child, "fstab"); | |
+ remove_dtb_node_by_name(child, "xart-vol"); | |
remove_dtb_node_by_name(child, "baseband-vol"); | |
macho_dtb_node_process(root, NULL); | |
diff --git a/hw/misc/apple_aes.c b/hw/misc/apple_aes.c | |
index cd55638d3c..bb665150d1 100644 | |
--- a/hw/misc/apple_aes.c | |
+++ b/hw/misc/apple_aes.c | |
@@ -372,8 +372,9 @@ static uint64_t aes_security_reg_read(void *opaque, hwaddr addr, unsigned size) | |
switch (addr) { | |
case 0x20: //! board-id | |
return 0x4; | |
- case 0x34: //? bit 24 = is fresh boot? | |
- return (1 << 24) | (1 << 25); | |
+ case 0x34: //? bit 24 = is first boot ; bit 25 = something with memory encryption? | |
+ //return (1 << 24) | (1 << 25); | |
+ return (1 << 24) | (0 << 25); | |
default: //! We don't know the rest | |
return 0xFF; | |
} | |
diff --git a/hw/misc/apple_mbox.c b/hw/misc/apple_mbox.c | |
index fbe337fce3..dd69e92da5 100644 | |
--- a/hw/misc/apple_mbox.c | |
+++ b/hw/misc/apple_mbox.c | |
@@ -9,25 +9,6 @@ | |
#include "qemu/main-loop.h" | |
#include "trace.h" | |
-#define IOP_LOG_MSG(s, t, msg) \ | |
- do { \ | |
- qemu_log_mask(LOG_GUEST_ERROR, \ | |
- "%s: %s message (msg->endpoint: 0x%X " \ | |
- "msg->data[0]: 0x" HWADDR_FMT_plx \ | |
- " msg->data[1]: 0x" HWADDR_FMT_plx \ | |
- " s->ep0_status: 0x%X)\n", \ | |
- s->role, t, msg->endpoint, msg->data[0], msg->data[1], \ | |
- s->ep0_status); \ | |
- } while (0) | |
- | |
-#define IOP_LOG_MGMT_MSG(s, msg) \ | |
- do { \ | |
- qemu_log_mask(LOG_GUEST_ERROR, \ | |
- "%s: IOP received management message (msg->endpoint: " \ | |
- "0x0 msg->raw: 0x" HWADDR_FMT_plx \ | |
- " s->ep0_status: 0x%X)\n", \ | |
- s->role, msg->raw, s->ep0_status); \ | |
- } while (0) | |
//! ------ V3 ------ | |
@@ -37,20 +18,29 @@ | |
#define REG_V3_CPU_STATUS (0x0048) | |
#define V3_CPU_STATUS_IDLE (0x1) | |
+#define REG_V3_UNKNOWN0 (0x004c) | |
+#define REG_V3_UNKNOWN1 (0x0818) | |
+#define REG_V3_UNKNOWN2 (0x081c) // "akf: READ IRQ %x" | |
+ | |
#define REG_V3_NMI0 (0xC04) // ?? | |
#define REG_V3_NMI1 (0xC14) // ?? | |
#define REG_AKF_CONFIG (0x2043) // ?? | |
-#define REG_V3_IOP_INT_MASK_SET (0x4100) | |
-#define REG_V3_IOP_INT_MASK_CLR (0x4108) | |
+//#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8101 64-bit | |
+//#define REG_V3_IOP_INT_MASK_CLR (0x4108) // T8101 64-bit | |
+#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8020 32-bit | |
+#define REG_V3_IOP_INT_MASK_CLR (0x4104) // T8020 32-bit | |
+ | |
-#define REG_V3_IOP_I2A_CTRL (0x4114) | |
+//#define REG_V3_IOP_I2A_CTRL (0x4114) // T8101 32-bit | |
+#define REG_V3_IOP_I2A_CTRL (0x410c) // T8020 32-bit | |
#define REG_V3_IOP_I2A_SEND0 (0x4820) | |
#define REG_V3_IOP_I2A_SEND1 (0x4824) | |
#define REG_V3_IOP_I2A_SEND2 (0x4828) | |
#define REG_V3_IOP_I2A_SEND3 (0x482C) | |
-#define REG_V3_IOP_A2I_CTRL (0x4110) | |
+//#define REG_V3_IOP_A2I_CTRL (0x4110) // T8101 32-bit | |
+#define REG_V3_IOP_A2I_CTRL (0x4108) // T8020 32-bit | |
#define REG_V3_IOP_A2I_RECV0 (0x4810) | |
#define REG_V3_IOP_A2I_RECV1 (0x4814) | |
#define REG_V3_IOP_A2I_RECV2 (0x4818) | |
@@ -142,7 +132,7 @@ static gint g_uint_cmp(gconstpointer a, gconstpointer b) | |
return a - b; | |
} | |
-static bool apple_mbox_outbox_empty(AppleMboxState *s) | |
+bool apple_mbox_outbox_empty(AppleMboxState *s) | |
{ | |
return QTAILQ_EMPTY(&s->outbox); | |
} | |
@@ -203,7 +193,7 @@ static void ap_update_irq(AppleMboxState *s) | |
* Push a message from AP to IOP, | |
* take ownership of msg | |
*/ | |
-static void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg) | |
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg) | |
{ | |
QTAILQ_INSERT_TAIL(&s->inbox, msg, entry); | |
s->inboxCount++; | |
@@ -236,7 +226,7 @@ static void apple_mbox_outbox_push(AppleMboxState *s, apple_mbox_msg_t msg) | |
iop_update_irq(s); | |
} | |
-static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) | |
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) | |
{ | |
apple_mbox_msg_t msg = QTAILQ_FIRST(&s->outbox); | |
if (msg) { | |
@@ -248,6 +238,15 @@ static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) | |
return msg; | |
} | |
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, | |
+ uint64_t msg) | |
+{ | |
+ apple_mbox_msg_t m = g_new0(struct apple_mbox_msg, 1); | |
+ m->msg = msg; | |
+ m->endpoint = ep; | |
+ apple_mbox_inbox_push(s, m); | |
+} | |
+ | |
void apple_mbox_send_control_message(AppleMboxState *s, uint32_t ep, | |
uint64_t msg) | |
{ | |
@@ -455,15 +454,24 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, | |
{ | |
AppleMboxState *s = APPLE_MBOX(opaque); | |
apple_mbox_msg_t msg = NULL; | |
+ struct sep_message sep_msg = { 0 }; | |
s->int_mask = 0; | |
WITH_QEMU_LOCK_GUARD(&s->mutex) | |
{ | |
+#if 0 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "%s AKF_v3: Begin write to 0x" HWADDR_FMT_plx | |
+ " of value 0x" HWADDR_FMT_plx "\n", | |
+ s->role, addr, data); | |
+#endif | |
memcpy(&s->regs[addr], &data, size); | |
switch (addr) { | |
case REG_V3_CPU_CTRL: | |
- if (data & V3_CPU_CTRL_RUN) { | |
+ if (data & V3_CPU_CTRL_RUN) | |
+ //if ((data & V3_CPU_CTRL_RUN) || (data & 0x10000)) | |
+ { | |
struct apple_mbox_mgmt_msg m = { 0 }; | |
s->regs[REG_V3_CPU_STATUS] &= ~V3_CPU_STATUS_IDLE; | |
iop_start(s); | |
@@ -486,6 +494,11 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, | |
if (addr + size == REG_V3_A2I_PUSH3 + 4) { | |
msg = g_new0(struct apple_mbox_msg, 1); | |
memcpy(msg->data, &s->regs[REG_V3_A2I_PUSH0], 16); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_A2I_PUSH3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
apple_mbox_inbox_push(s, msg); | |
IOP_LOG_MSG(s, "AP sent", msg); | |
} | |
@@ -518,6 +531,26 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, | |
if (addr + size == REG_V3_IOP_I2A_SEND3 + 4) { | |
msg = g_new0(struct apple_mbox_msg, 1); | |
memcpy(msg->data, &s->regs[REG_V3_IOP_I2A_SEND0], 16); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_I2A_SEND3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 103 || sep_msg.opcode == 117)) | |
+ { | |
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ g_free(msg); | |
+ break; | |
+ } | |
+#if 0 | |
+ else if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 0x66 || sep_msg.opcode == 0xd2) && sep_msg.data == 0x2) | |
+ { | |
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: change_status: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ sep_msg.data = 0x8; | |
+ memcpy(msg->data, &sep_msg.raw, 8); | |
+ } | |
+#endif | |
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: not skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
apple_mbox_outbox_push(s, msg); | |
IOP_LOG_MSG(s, "IOP sent", msg); | |
} | |
@@ -545,6 +578,7 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
AppleMboxState *s = APPLE_MBOX(opaque); | |
uint64_t ret = 0; | |
apple_mbox_msg_t msg = NULL; | |
+ struct sep_message sep_msg = { 0 }; | |
WITH_QEMU_LOCK_GUARD(&s->mutex) | |
{ | |
@@ -552,9 +586,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
switch (addr) { | |
case REG_V3_INT_MASK_SET: | |
- return s->int_mask; | |
+ //return s->int_mask; | |
+ ret = s->int_mask; | |
+ break; | |
case REG_V3_INT_MASK_CLR: | |
- return ~s->int_mask; | |
+ //return ~s->int_mask; | |
+ ret = ~s->int_mask; | |
+ break; | |
case REG_V3_I2A_POP_0_LOW: | |
msg = apple_mbox_outbox_pop(s); | |
if (!msg) { | |
@@ -563,6 +601,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
msg->flags = iop_outbox_flags(s); | |
IOP_LOG_MSG(s, "AP received", msg); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_I2A_POP_0_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
memcpy(&s->regs[REG_V3_I2A_POP_0_LOW], msg->data, 16); | |
memcpy(&ret, &s->regs[addr], size); | |
@@ -575,9 +618,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
case REG_V3_I2A_POP_1_HIGH: | |
break; | |
case REG_V3_IOP_INT_MASK_SET: | |
- return s->iop_int_mask; | |
+ //return s->iop_int_mask; | |
+ ret = s->iop_int_mask; | |
+ break; | |
case REG_V3_IOP_INT_MASK_CLR: | |
- return ~s->iop_int_mask; | |
+ //return ~s->iop_int_mask; | |
+ ret = ~s->iop_int_mask; | |
+ break; | |
case REG_V3_A2I_CTRL: | |
QEMU_FALLTHROUGH; | |
case REG_V3_IOP_A2I_CTRL: | |
@@ -602,6 +649,27 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
break; | |
case REG_V3_CPU_STATUS: | |
break; | |
+ case REG_V3_UNKNOWN0: | |
+#if 0 | |
+ ret = ((apple_mbox_inbox_empty(s) && | |
+ !(s->iop_int_mask & V2_A2I_EMPTY)) || | |
+ (!apple_mbox_inbox_empty(s) && | |
+ !(s->iop_int_mask & V2_A2I_NONEMPTY)) || | |
+ (apple_mbox_outbox_empty(s) && | |
+ !(s->iop_int_mask & V2_I2A_EMPTY)) || | |
+ (!apple_mbox_outbox_empty(s) && | |
+ !(s->iop_int_mask & V2_I2A_NONEMPTY))); | |
+#endif | |
+ ret = 1; | |
+ // TODO: response not interrupt available, but something with REG_V3_CPU_CTRL? | |
+ break; | |
+ case REG_V3_UNKNOWN1: | |
+ break; | |
+ case REG_V3_UNKNOWN2: | |
+ //ret = 1; | |
+ //ret = 0xffffffff; | |
+ return 0; | |
+ break; | |
case REG_V3_IOP_A2I_RECV0: | |
msg = apple_mbox_inbox_pop(s); | |
if (!msg) { | |
@@ -609,6 +677,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
} | |
msg->flags = iop_outbox_flags(s); | |
IOP_LOG_MSG(s, "IOP received", msg); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_A2I_RECV0: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
memcpy(&s->regs[addr], msg->data, 16); | |
memcpy(&ret, &s->regs[addr], size); | |
g_free(msg); | |
@@ -626,6 +699,12 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) | |
break; | |
} | |
} | |
+#if 0 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "%s AKF_v3: End read from 0x" HWADDR_FMT_plx | |
+ " of value 0x" HWADDR_FMT_plx "\n", | |
+ s->role, addr, ret); | |
+#endif | |
return ret; | |
} | |
@@ -646,9 +725,16 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, | |
{ | |
AppleMboxState *s = APPLE_MBOX(opaque); | |
apple_mbox_msg_t msg = NULL; | |
+ struct sep_message sep_msg = { 0 }; | |
WITH_QEMU_LOCK_GUARD(&s->mutex) | |
{ | |
+#if 0 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "%s AKF_v2: Begin write to 0x" HWADDR_FMT_plx | |
+ " of value 0x" HWADDR_FMT_plx "\n", | |
+ s->role, addr, data); | |
+#endif | |
memcpy(&s->regs[addr], &data, size); | |
switch (addr) { | |
@@ -671,6 +757,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, | |
if (addr + size == REG_V2_A2I_PUSH_HIGH + 4) { | |
msg = g_new0(struct apple_mbox_msg, 1); | |
memcpy(msg->data, &s->regs[REG_V2_A2I_PUSH_LOW], 8); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_A2I_PUSH_HIGH: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
apple_mbox_inbox_push(s, msg); | |
IOP_LOG_MSG(s, "AP sent", msg); | |
} | |
@@ -699,6 +790,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, | |
if (addr + size == REG_V2_IOP_I2A_SEND1 + 4) { | |
msg = g_new0(struct apple_mbox_msg, 1); | |
memcpy(msg->data, &s->regs[REG_V2_IOP_I2A_SEND0], 8); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, msg->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_I2A_SEND1: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
apple_mbox_outbox_push(s, msg); | |
IOP_LOG_MSG(s, "IOP sent", msg); | |
} | |
@@ -724,6 +820,7 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, | |
static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
{ | |
AppleMboxState *s = APPLE_MBOX(opaque); | |
+ struct sep_message sep_msg = { 0 }; | |
uint64_t ret = 0; | |
WITH_QEMU_LOCK_GUARD(&s->mutex) | |
@@ -733,9 +830,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
switch (addr) { | |
case REG_V2_INT_MASK_SET: | |
- return s->int_mask; | |
+ //return s->int_mask; | |
+ ret = s->int_mask; | |
+ break; | |
case REG_V2_INT_MASK_CLR: | |
- return ~s->int_mask; | |
+ //return ~s->int_mask; | |
+ ret = ~s->int_mask; | |
+ break; | |
case REG_V2_I2A_POP_LOW: | |
m = apple_mbox_outbox_pop(s); | |
if (!m) { | |
@@ -744,6 +845,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
m->flags = iop_outbox_flags(s); | |
IOP_LOG_MSG(s, "AP received", m); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, m->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_I2A_POP_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
memcpy(&s->regs[REG_V2_I2A_POP_LOW], m->data, 8); | |
memcpy(&ret, &s->regs[addr], size); | |
@@ -752,9 +858,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
case REG_V2_I2A_POP_HIGH: | |
break; | |
case REG_V2_IOP_INT_MASK_SET: | |
- return s->iop_int_mask; | |
+ //return s->iop_int_mask; | |
+ ret = s->iop_int_mask; | |
+ break; | |
case REG_V2_IOP_INT_MASK_CLR: | |
- return ~s->iop_int_mask; | |
+ //return ~s->iop_int_mask; | |
+ ret = ~s->iop_int_mask; | |
+ break; | |
case REG_V2_A2I_CTRL: | |
QEMU_FALLTHROUGH; | |
case REG_V2_IOP_A2I_CTRL: | |
@@ -780,6 +890,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
} | |
m->flags = iop_outbox_flags(s); | |
IOP_LOG_MSG(s, "IOP received", m); | |
+ if (!strcmp(s->role, "SEP")) | |
+ { | |
+ memcpy(&sep_msg.raw, m->data, 8); | |
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_A2I_RECV_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); | |
+ } | |
memcpy(&s->regs[addr], m->data, 8); | |
memcpy(&ret, &s->regs[addr], size); | |
g_free(m); | |
@@ -793,6 +908,12 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) | |
break; | |
} | |
} | |
+#if 0 | |
+ qemu_log_mask(LOG_UNIMP, | |
+ "%s AKF_v2: End read from 0x" HWADDR_FMT_plx | |
+ " of value 0x" HWADDR_FMT_plx "\n", | |
+ s->role, addr, ret); | |
+#endif | |
return ret; | |
} | |
@@ -901,6 +1022,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque, | |
} | |
qdev_init_gpio_out_named(DEVICE(dev), &s->iop_irq, APPLE_MBOX_IOP_IRQ, 1); | |
+ qdev_init_gpio_out_named(DEVICE(dev), &s->test_irq, APPLE_MBOX_TEST_IRQ, 1); | |
QTAILQ_INIT(&s->inbox); | |
QTAILQ_INIT(&s->outbox); | |
QTAILQ_INIT(&s->rollcall); | |
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c | |
index 9e224ffc72..fd7ae6fc2e 100644 | |
--- a/hw/usb/hcd-dwc2.c | |
+++ b/hw/usb/hcd-dwc2.c | |
@@ -45,7 +45,13 @@ | |
#include "trace.h" | |
// #define SOC_DMA_BASE (0x100000000ULL) | |
+//#define DO_T8030_SECUREROM 1 | |
+ | |
+#ifdef DO_T8030_SECUREROM | |
+#define SOC_DMA_BASE (0x100000000ULL) | |
+#else | |
#define SOC_DMA_BASE (0x0ULL) | |
+#endif | |
#define USB_HZ_FS 12000000 | |
#define USB_HZ_HS 96000000 | |
diff --git a/include/hw/arm/apple_a13.h b/include/hw/arm/apple_a13.h | |
index f591f780cf..51b9a6b251 100644 | |
--- a/include/hw/arm/apple_a13.h | |
+++ b/include/hw/arm/apple_a13.h | |
@@ -66,6 +66,8 @@ typedef struct AppleA13State { | |
A13_CPREG_VAR_DEF(ARM64_REG_HID14); | |
A13_CPREG_VAR_DEF(ARM64_REG_HID16); | |
A13_CPREG_VAR_DEF(ARM64_REG_LSU_ERR_STS); | |
+ A13_CPREG_VAR_DEF(SYS_E_LSU_ERR_STS); | |
+ A13_CPREG_VAR_DEF(SYS_E_FED_ERR_STS); | |
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0); | |
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0); | |
A13_CPREG_VAR_DEF(ARM64_REG_3_3_15_7); | |
@@ -75,6 +77,10 @@ typedef struct AppleA13State { | |
A13_CPREG_VAR_DEF(PMCR1); | |
A13_CPREG_VAR_DEF(PMSR); | |
A13_CPREG_VAR_DEF(S3_4_c15_c0_5); | |
+ A13_CPREG_VAR_DEF(SYS_HCR_EL2); // TODO: already exists in target/arm/helper.c | |
+ A13_CPREG_VAR_DEF(SYS_PRE_LLCFLUSH_TMR); | |
+ A13_CPREG_VAR_DEF(SYS_ACC_PWR_DN_SAVE); | |
+ A13_CPREG_VAR_DEF(SYS_AON_CNT_CTL); | |
A13_CPREG_VAR_DEF(AMX_STATUS_EL1); | |
A13_CPREG_VAR_DEF(AMX_CTL_EL1); | |
A13_CPREG_VAR_DEF(ARM64_REG_CYC_OVRD); | |
diff --git a/include/hw/arm/apple_sep.h b/include/hw/arm/apple_sep.h | |
index 96740ccd58..e5a8540394 100644 | |
--- a/include/hw/arm/apple_sep.h | |
+++ b/include/hw/arm/apple_sep.h | |
@@ -24,6 +24,7 @@ | |
#include "hw/arm/apple_a13.h" | |
#include "hw/arm/xnu_dtb.h" | |
#include "hw/misc/apple_mbox.h" | |
+#include "hw/boards.h" | |
#include "hw/sysbus.h" | |
#include "qemu/typedefs.h" | |
#include "qom/object.h" | |
@@ -42,13 +43,27 @@ struct AppleSEPState { | |
AppleMboxState *mbox; | |
MemoryRegion *dma_mr; | |
AddressSpace *dma_as; | |
- MemoryRegion trng_mr; | |
+ MemoryRegion trng_t8020_mr; | |
+ MemoryRegion trng_t8101_mr; | |
MemoryRegion misc0_mr; | |
MemoryRegion misc1_mr; | |
MemoryRegion misc2_mr; | |
+ MemoryRegion misc3_mr; | |
+ MemoryRegion misc4_mr; // MISC4 // T8101 BootMonitor for SEPOS loading? | |
+ MemoryRegion misc5_mr; | |
+ MemoryRegion misc6_mr; | |
+ MemoryRegion misc7_mr; | |
+ MemoryRegion misc8_mr; | |
+ MemoryRegion misc9_mr; | |
uint8_t misc0_regs[REG_SIZE]; | |
uint8_t misc1_regs[REG_SIZE]; | |
uint8_t misc2_regs[REG_SIZE]; | |
+ uint8_t misc39_regs[REG_SIZE]; | |
+ uint8_t misc4_regs[REG_SIZE]; | |
+ uint8_t misc5_regs[REG_SIZE]; | |
+ uint8_t misc6_regs[REG_SIZE]; | |
+ uint8_t misc7_regs[REG_SIZE]; | |
+ uint8_t misc8_regs[REG_SIZE]; | |
}; | |
AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, | |
diff --git a/include/hw/misc/apple_mbox.h b/include/hw/misc/apple_mbox.h | |
index d802cffd40..412fb5d7f0 100644 | |
--- a/include/hw/misc/apple_mbox.h | |
+++ b/include/hw/misc/apple_mbox.h | |
@@ -11,6 +11,7 @@ | |
#define APPLE_MBOX_IRQ_I2A_NONEMPTY 2 | |
#define APPLE_MBOX_IRQ_I2A_EMPTY 3 | |
#define APPLE_MBOX_IOP_IRQ "apple-mbox-iop-irq" | |
+#define APPLE_MBOX_TEST_IRQ "apple-mbox-test-irq" | |
#define APPLE_MBOX_MMIO_V3 0 | |
#define APPLE_MBOX_MMIO_V2 1 | |
@@ -23,6 +24,28 @@ OBJECT_DECLARE_SIMPLE_TYPE(AppleMboxState, APPLE_MBOX) | |
#define EP_MANAGEMENT (0) | |
#define EP_CRASHLOG (1) | |
+ | |
+#define IOP_LOG_MSG(s, t, msg) \ | |
+ do { \ | |
+ qemu_log_mask(LOG_GUEST_ERROR, \ | |
+ "%s: %s message (msg->endpoint: 0x%X " \ | |
+ "msg->data[0]: 0x" HWADDR_FMT_plx \ | |
+ " msg->data[1]: 0x" HWADDR_FMT_plx \ | |
+ " s->ep0_status: 0x%X)\n", \ | |
+ s->role, t, msg->endpoint, msg->data[0], msg->data[1], \ | |
+ s->ep0_status); \ | |
+ } while (0) | |
+ | |
+#define IOP_LOG_MGMT_MSG(s, msg) \ | |
+ do { \ | |
+ qemu_log_mask(LOG_GUEST_ERROR, \ | |
+ "%s: IOP received management message (msg->endpoint: " \ | |
+ "0x0 msg->raw: 0x" HWADDR_FMT_plx \ | |
+ " s->ep0_status: 0x%X)\n", \ | |
+ s->role, msg->raw, s->ep0_status); \ | |
+ } while (0) | |
+ | |
+ | |
enum apple_mbox_ep0_state { | |
EP0_IDLE, | |
EP0_WAIT_HELLO, | |
@@ -102,6 +125,7 @@ struct AppleMboxState { | |
uint32_t protocol_version; | |
qemu_irq irqs[4]; | |
qemu_irq iop_irq; | |
+ qemu_irq test_irq; | |
QTAILQ_HEAD(, apple_mbox_msg) inbox; | |
QTAILQ_HEAD(, apple_mbox_msg) outbox; | |
QTAILQ_HEAD(, apple_mbox_msg) rollcall; | |
@@ -128,6 +152,25 @@ struct AppleMboxOps { | |
void (*wakeup)(void *opaque); | |
}; | |
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg); | |
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s); | |
+bool apple_mbox_outbox_empty(AppleMboxState *s); | |
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg); | |
+ | |
+struct QEMU_PACKED sep_message { | |
+ union { | |
+ struct QEMU_PACKED { | |
+ uint8_t endpoint; | |
+ uint8_t tag; | |
+ uint8_t opcode; | |
+ uint8_t param; | |
+ uint32_t data; | |
+ }; | |
+ uint64_t raw; | |
+ }; | |
+}; | |
+ | |
+ | |
/* | |
* Send message to an endpoint | |
*/ | |
diff --git a/meson.build b/meson.build | |
index 7d26691204..ba57333214 100644 | |
--- a/meson.build | |
+++ b/meson.build | |
@@ -1365,8 +1365,10 @@ endif | |
liblzfse = not_found | |
if not get_option('lzfse').auto() or have_block | |
- liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'], | |
- required: get_option('lzfse')) | |
+ liblzfse = dependency('lzfse', required: get_option('lzfse'), | |
+ method: 'pkg-config') | |
+# liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'], | |
+# required: get_option('lzfse')) | |
endif | |
if liblzfse.found() and not cc.links(''' | |
#include <lzfse.h> | |
diff --git a/softmmu/memory.c b/softmmu/memory.c | |
index 7d9494ce70..78a1ed7475 100644 | |
--- a/softmmu/memory.c | |
+++ b/softmmu/memory.c | |
@@ -1397,6 +1397,8 @@ bool memory_region_access_valid(MemoryRegion *mr, | |
{ | |
if (mr->ops->valid.accepts | |
&& !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { | |
+ CPUState *cpu = first_cpu; | |
+ cpu_dump_state(cpu, stderr, CPU_DUMP_CODE); | |
qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX | |
", size %u, region '%s', reason: rejected\n", | |
is_write ? "write" : "read", | |
@@ -1469,6 +1471,8 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr, | |
pval, op, attrs); | |
} | |
if (!memory_region_access_valid(mr, addr, size, false, attrs)) { | |
+ fprintf(stderr, "Invalid read: addr: 0x%llx ; size : %d\n", addr, size); | |
+ //__asm__("int3"); | |
*pval = unassigned_mem_read(mr, addr, size); | |
return MEMTX_DECODE_ERROR; | |
} | |
@@ -1518,6 +1522,8 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr, | |
data, op, attrs); | |
} | |
if (!memory_region_access_valid(mr, addr, size, true, attrs)) { | |
+ fprintf(stderr, "Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n", addr, data, size); | |
+ //__asm__("int3"); | |
unassigned_mem_write(mr, addr, data, size); | |
return MEMTX_DECODE_ERROR; | |
} | |
diff --git a/target/arm/cpu.h b/target/arm/cpu.h | |
index 63f439d162..b3da79aa59 100644 | |
--- a/target/arm/cpu.h | |
+++ b/target/arm/cpu.h | |
@@ -2990,8 +2990,10 @@ typedef enum ARMMMUIdx { | |
ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB, | |
ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB, | |
ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB, | |
- ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB, | |
- ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB, | |
+ //ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB, | |
+ //ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB, | |
+ ARMMMUIdx_Stage1_GE1 = ARMMMUIdx_Stage1_E1 | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF, | |
+ ARMMMUIdx_Stage1_GE1_PAN = ARMMMUIdx_Stage1_E1_PAN | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF, | |
/* | |
* M-profile. | |
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c | |
index abe72e35ae..3d2fbea790 100644 | |
--- a/target/arm/debug_helper.c | |
+++ b/target/arm/debug_helper.c | |
@@ -444,9 +444,6 @@ static uint32_t arm_debug_exception_fsr(CPUARMState *env) | |
using_lpae = false; | |
} else if (target_el == 2 || arm_el_is_aa64(env, target_el)) { | |
using_lpae = true; | |
- } else if (arm_feature(env, ARM_FEATURE_PMSA) && | |
- arm_feature(env, ARM_FEATURE_V8)) { | |
- using_lpae = true; | |
} else if (arm_feature(env, ARM_FEATURE_LPAE) && | |
(env->cp15.tcr_el[target_el] & TTBCR_EAE)) { | |
using_lpae = true; | |
diff --git a/ui/gtk.c b/ui/gtk.c | |
index 8ba41c8f13..f5d8258a9e 100644 | |
--- a/ui/gtk.c | |
+++ b/ui/gtk.c | |
@@ -967,10 +967,9 @@ static gboolean gd_button_event(GtkWidget *widget, GdkEventButton *button, | |
if (button->button == 1 && button->type == GDK_BUTTON_PRESS && | |
!qemu_input_is_absolute() && s->ptr_owner != vc) { | |
if (!vc->window) { | |
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), | |
- TRUE); | |
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE); | |
} else { | |
- gd_grab_pointer(vc, "relative-mode-click"); | |
+ //gd_grab_pointer(vc, "relative-mode-click"); | |
} | |
return TRUE; | |
} | |
@@ -1369,7 +1368,7 @@ static gboolean gd_win_grab(void *opaque) | |
if (vc->s->ptr_owner) { | |
gd_ungrab_pointer(vc->s); | |
} else { | |
- gd_grab_pointer(vc, "user-request-detached-tab"); | |
+ //gd_grab_pointer(vc, "user-request-detached-tab"); | |
} | |
return TRUE; | |
} | |
@@ -1445,7 +1444,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque) | |
{ | |
GtkDisplayState *s = opaque; | |
VirtualConsole *vc = gd_vc_find_current(s); | |
- | |
+#if 0 | |
if (!s->full_screen) { | |
gtk_notebook_set_show_tabs(GTK_NOTEBOOK(s->notebook), FALSE); | |
gtk_widget_hide(s->menu_bar); | |
@@ -1468,7 +1467,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque) | |
gd_update_windowsize(vc); | |
} | |
} | |
- | |
+#endif | |
gd_update_cursor(vc); | |
} | |
@@ -1644,8 +1643,8 @@ static void gd_menu_grab_input(GtkMenuItem *item, void *opaque) | |
VirtualConsole *vc = gd_vc_find_current(s); | |
if (gd_is_grab_active(s)) { | |
- gd_grab_keyboard(vc, "user-request-main-window"); | |
- gd_grab_pointer(vc, "user-request-main-window"); | |
+ //gd_grab_keyboard(vc, "user-request-main-window"); | |
+ //gd_grab_pointer(vc, "user-request-main-window"); | |
} else { | |
gd_ungrab_keyboard(s); | |
gd_ungrab_pointer(s); | |
@@ -1669,16 +1668,13 @@ static void gd_change_page(GtkNotebook *nb, gpointer arg1, guint arg2, | |
if (!vc) { | |
return; | |
} | |
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), | |
- TRUE); | |
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), TRUE); | |
on_vga = (vc->type == GD_VC_GFX && | |
qemu_console_is_graphic(vc->gfx.dcl.con)); | |
if (!on_vga) { | |
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), | |
- FALSE); | |
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), FALSE); | |
} else if (s->full_screen) { | |
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), | |
- TRUE); | |
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE); | |
} | |
gtk_widget_set_sensitive(s->grab_item, on_vga); | |
#ifdef CONFIG_VTE | |
@@ -1696,7 +1692,7 @@ static gboolean gd_enter_event(GtkWidget *widget, GdkEventCrossing *crossing, | |
GtkDisplayState *s = vc->s; | |
if (gd_grab_on_hover(s)) { | |
- gd_grab_keyboard(vc, "grab-on-hover"); | |
+ //gd_grab_keyboard(vc, "grab-on-hover"); | |
} | |
return TRUE; | |
} | |
diff --git a/ui/sdl2.c b/ui/sdl2.c | |
index 0d91b555e3..2e8bbe5c8d 100644 | |
--- a/ui/sdl2.c | |
+++ b/ui/sdl2.c | |
@@ -274,24 +274,25 @@ static void absolute_mouse_grab(struct sdl2_console *scon) | |
SDL_GetWindowSize(scon->real_window, &scr_w, &scr_h); | |
if (mouse_x > 0 && mouse_x < scr_w - 1 && | |
mouse_y > 0 && mouse_y < scr_h - 1) { | |
- sdl_grab_start(scon); | |
+ //sdl_grab_start(scon); | |
} | |
} | |
static void sdl_mouse_mode_change(Notifier *notify, void *data) | |
{ | |
- if (qemu_input_is_absolute()) { | |
+ if (qemu_input_is_absolute() && 0) { | |
if (!absolute_enabled) { | |
- absolute_enabled = 1; | |
- SDL_SetRelativeMouseMode(SDL_FALSE); | |
- absolute_mouse_grab(&sdl2_console[0]); | |
+ //absolute_enabled = 1; | |
+ //SDL_SetRelativeMouseMode(SDL_FALSE); | |
+ //absolute_mouse_grab(&sdl2_console[0]); | |
} | |
} else if (absolute_enabled) { | |
if (!gui_fullscreen) { | |
- sdl_grab_end(&sdl2_console[0]); | |
+ //sdl_grab_end(&sdl2_console[0]); | |
} | |
absolute_enabled = 0; | |
} | |
+ absolute_enabled = 0; | |
} | |
static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy, | |
@@ -333,15 +334,14 @@ static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy, | |
static void toggle_full_screen(struct sdl2_console *scon) | |
{ | |
- gui_fullscreen = !gui_fullscreen; | |
+ gui_fullscreen = 0;//!gui_fullscreen; | |
if (gui_fullscreen) { | |
- SDL_SetWindowFullscreen(scon->real_window, | |
- SDL_WINDOW_FULLSCREEN_DESKTOP); | |
- gui_saved_grab = gui_grab; | |
- sdl_grab_start(scon); | |
+ //SDL_SetWindowFullscreen(scon->real_window, SDL_WINDOW_FULLSCREEN_DESKTOP); | |
+ //gui_saved_grab = gui_grab; | |
+ //sdl_grab_start(scon); | |
} else { | |
if (!gui_saved_grab) { | |
- sdl_grab_end(scon); | |
+ //sdl_grab_end(scon); | |
} | |
SDL_SetWindowFullscreen(scon->real_window, 0); | |
} | |
@@ -397,7 +397,7 @@ static void handle_keydown(SDL_Event *ev) | |
case SDL_SCANCODE_8: | |
case SDL_SCANCODE_9: | |
if (gui_grab) { | |
- sdl_grab_end(scon); | |
+ //sdl_grab_end(scon); | |
} | |
win = ev->key.keysym.scancode - SDL_SCANCODE_1; | |
@@ -414,15 +414,15 @@ static void handle_keydown(SDL_Event *ev) | |
} | |
break; | |
case SDL_SCANCODE_F: | |
- toggle_full_screen(scon); | |
+ //toggle_full_screen(scon); | |
gui_keysym = 1; | |
break; | |
case SDL_SCANCODE_G: | |
gui_keysym = 1; | |
if (!gui_grab) { | |
- sdl_grab_start(scon); | |
+ //sdl_grab_start(scon); | |
} else if (!gui_fullscreen) { | |
- sdl_grab_end(scon); | |
+ //sdl_grab_end(scon); | |
} | |
break; | |
case SDL_SCANCODE_U: | |
@@ -506,12 +506,12 @@ static void handle_mousemotion(SDL_Event *ev) | |
if (gui_grab && !gui_fullscreen | |
&& (ev->motion.x == 0 || ev->motion.y == 0 || | |
ev->motion.x == max_x || ev->motion.y == max_y)) { | |
- sdl_grab_end(scon); | |
+ //sdl_grab_end(scon); | |
} | |
if (!gui_grab && | |
(ev->motion.x > 0 && ev->motion.x < max_x && | |
ev->motion.y > 0 && ev->motion.y < max_y)) { | |
- sdl_grab_start(scon); | |
+ //sdl_grab_start(scon); | |
} | |
} | |
if (gui_grab || qemu_input_is_absolute() || absolute_enabled) { | |
@@ -534,7 +534,7 @@ static void handle_mousebutton(SDL_Event *ev) | |
if (!gui_grab && !qemu_input_is_absolute()) { | |
if (ev->type == SDL_MOUSEBUTTONUP && bev->button == SDL_BUTTON_LEFT) { | |
/* start grabbing all events */ | |
- sdl_grab_start(scon); | |
+ //sdl_grab_start(scon); | |
} | |
} else { | |
if (ev->type == SDL_MOUSEBUTTONDOWN) { | |
@@ -605,7 +605,7 @@ static void handle_windowevent(SDL_Event *ev) | |
/* fall through */ | |
case SDL_WINDOWEVENT_ENTER: | |
if (!gui_grab && (qemu_input_is_absolute() || absolute_enabled)) { | |
- absolute_mouse_grab(scon); | |
+ //absolute_mouse_grab(scon); | |
} | |
/* If a new console window opened using a hotkey receives the | |
* focus, SDL sends another KEYDOWN event to the new window, | |
@@ -621,7 +621,7 @@ static void handle_windowevent(SDL_Event *ev) | |
win32_kbd_set_window(NULL); | |
} | |
if (gui_grab && !gui_fullscreen) { | |
- sdl_grab_end(scon); | |
+ //sdl_grab_end(scon); | |
} | |
break; | |
case SDL_WINDOWEVENT_RESTORED: | |
@@ -950,7 +950,7 @@ static void sdl2_display_init(DisplayState *ds, DisplayOptions *o) | |
sdl_cursor_normal = SDL_GetCursor(); | |
if (gui_fullscreen) { | |
- sdl_grab_start(&sdl2_console[0]); | |
+ //sdl_grab_start(&sdl2_console[0]); | |
} | |
atexit(sdl_cleanup); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment