Skip to content

Instantly share code, notes, and snippets.

@chris-pcguy

chris-pcguy/qemu-t8030_seprom_securerom_t8030_20231106_0.patch

Created November 6, 2023 21:14
Show Gist options
  • Save chris-pcguy/6fe3ee6eebcaadd58903de525a95958e to your computer and use it in GitHub Desktop.
Save chris-pcguy/6fe3ee6eebcaadd58903de525a95958e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
qemu-t8030_seprom_securerom_t8030_20231106_0.patch
diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c
index 551a055715..661d9c799c 100644
--- a/hw/arm/apple_a13.c
+++ b/hw/arm/apple_a13.c
@@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0),
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_LSU_ERR_STS, 3, 3, 15, 2, 0, PL1_RW, 0), // A16 SYS_E_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_FED_ERR_STS, 3, 4, 15, 0, 2, PL1_RW, 0), // A16 SYS_E_FED_ERR_STS
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0, 3, 3, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0, 3, 3, 15, 15, 1, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_3_3_15_7, 3, 3, 15, 7, 0, PL1_RW,
@@ -520,6 +522,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_CYC_OVRD, 3, 5, 15, 5, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_ACC_CFG, 3, 5, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(S3_5_c15_c10_1, 3, 5, 15, 10, 1, PL0_RW, 0),
+ A13_CPREG_DEF(SYS_PRE_LLCFLUSH_TMR, 3, 5, 15, 7, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_AON_CNT_CTL, 3, 7, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(UPMPCM, 3, 7, 15, 5, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMCR0, 3, 7, 15, 0, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMSR, 3, 7, 15, 6, 4, PL1_RW, 0),
@@ -718,7 +723,7 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id,
}
}
- if (tcpu->cpu_id == 0 || node == NULL) {
+ if (tcpu->cpu_id == 0/* || node == NULL*/) {
if (node) {
set_dtb_prop(node, "state", 8, "running");
}
@@ -817,6 +822,8 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_HID14),
VMSTATE_A13_CPREG(ARM64_REG_HID16),
VMSTATE_A13_CPREG(ARM64_REG_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_FED_ERR_STS),
VMSTATE_A13_CPREG(PMC0),
VMSTATE_A13_CPREG(PMC1),
VMSTATE_A13_CPREG(PMCR0),
@@ -828,6 +835,9 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_CYC_OVRD),
VMSTATE_A13_CPREG(ARM64_REG_ACC_CFG),
VMSTATE_A13_CPREG(S3_5_c15_c10_1),
+ VMSTATE_A13_CPREG(SYS_PRE_LLCFLUSH_TMR),
+ VMSTATE_A13_CPREG(SYS_ACC_PWR_DN_SAVE),
+ VMSTATE_A13_CPREG(SYS_AON_CNT_CTL),
VMSTATE_A13_CPREG(UPMPCM),
VMSTATE_A13_CPREG(UPMCR0),
VMSTATE_A13_CPREG(UPMSR),
diff --git a/hw/arm/apple_sep.c b/hw/arm/apple_sep.c
index da318ca250..9909500232 100644
--- a/hw/arm/apple_sep.c
+++ b/hw/arm/apple_sep.c
@@ -22,12 +22,19 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/apple_a9.h"
#include "hw/arm/apple_sep.h"
+#include "hw/misc/apple_mbox.h"
#include "hw/arm/xnu.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/log.h"
#include "qemu/units.h"
+#include "hw/arm/t8030.h"
+#include "exec/address-spaces.h"
+#include "hw/irq.h"
+#include "sysemu/dma.h"
+
+//#define DO_SECUREROM 1
static void trng_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
@@ -225,6 +232,521 @@ static const MemoryRegionOps misc2_reg_ops = {
.valid.unaligned = false,
};
+static void misc39_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc39_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC39: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc39_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+ // 0x0;0x4 == T8101
+ // 0x4;0x8 == T8020
+
+ switch (addr) {
+#if 0
+ //case 0x00: // ???? T8101
+ // return 0x1;
+ //case 0x04: // ???? T8101
+ // return 0x1;
+ case 0x04: // ???? T8020
+ //return 0x1;
+ return 0x0; // required for misc9 0x318
+ case 0x08: // ???? T8020
+ //return 0x1;
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc39_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC39: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc39_reg_ops = {
+ .write = misc39_reg_write,
+ .read = misc39_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+#if 1
+static void misc4_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+#if 0
+ case 0x14:
+ if (!!(data & 1)) {
+ uint64_t vector = *(uint64_t*)(&s->misc4_regs[0x20]);
+ AppleSEPResetMisc_func(vector);
+ }
+ break;
+#endif
+ default:
+ memcpy(&s->misc4_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc4_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+#if 0
+ case 0x00: // ???? because of WFE FUN_240011488_DAT_241500000_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x04: // ???? because of WFE FUN_2400113cc_DAT_241500004_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x0c: // ???? because of switch case FUN_2400113ec_DAT_24150000c_should_be_0, panics otherwise
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc4_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc4_reg_ops = {
+ .write = misc4_reg_write,
+ .read = misc4_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+#endif
+
+static void misc5_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc5_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc5_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc5_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc5_reg_ops = {
+ .write = misc5_reg_write,
+ .read = misc5_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc6_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc6_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc6_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc6_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc6_reg_ops = {
+ .write = misc6_reg_write,
+ .read = misc6_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc7_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ //apple_mbox_msg_t msg0 = NULL;
+ //apple_mbox_msg_t msg1 = NULL;
+ //apple_mbox_msg_t msg2 = NULL;
+ //apple_mbox_msg_t msg3 = NULL;
+ //apple_mbox_msg_t msg4 = NULL;
+ //apple_mbox_msg_t msg5 = NULL;
+ //sep_message_t sep_msg = NULL;
+ struct sep_message sep_msg = { 0 };
+ switch (addr) {
+ //case 0x8:
+ case 0x4:
+ //if (data == 0x2cbd3509)
+ if (data == 0xf2e31133)
+ {
+ //sep_msg = g_new0(struct sep_message, 1);
+ //msg0 = g_new0(struct apple_mbox_msg, 1);
+ //msg1 = g_new0(struct apple_mbox_msg, 1);
+ //msg2 = g_new0(struct apple_mbox_msg, 1);
+ //msg3 = g_new0(struct apple_mbox_msg, 1);
+ //msg4 = g_new0(struct apple_mbox_msg, 1);
+ //msg5 = g_new0(struct apple_mbox_msg, 1);
+ sep_msg.endpoint = 0xff;
+
+#if 0
+ sep_msg->opcode = 1; // kOpCode_Ping
+ sep_msg->tag = 0x70;
+ memcpy(msg5->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg5);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode1/kOpCode_Ping", msg5);
+#endif
+
+ sep_msg.opcode = 3; // kOpCode_GenerateNonce
+ sep_msg.tag = 0x67;
+ //memcpy(msg0->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg0);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce", msg0);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce\n");
+
+#if 0
+ sep_msg->opcode = 4; // Opcode 4
+ sep_msg->tag = 0x6e;
+ memcpy(msg4->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg4);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode4/kOpCode_GetNonceWord", msg4);
+
+ sep_msg->opcode = 15; // Opcode 15
+ sep_msg->tag = 0x0;
+ memcpy(msg2->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg2);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode15/kOpCode_SendDpa", msg2);
+
+ sep_msg->opcode = 16; // Opcode 16
+ sep_msg->tag = 0x0;
+ memcpy(msg3->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg3);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode16", msg3);
+#endif
+
+ sep_msg.opcode = 17; // Opcode 17
+ sep_msg.tag = 0x0;
+ //sep_msg->data = 0x2000; // 0x2000
+ //sep_msg->data = 0x3200; // iBoot on iOS 12.0 for T8020 says 0x3200 (0x1c52000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x4000; // iBoot on iOS 13.0/13.7 for T8020 says 0x4000 (0x2440000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x3400; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x3800; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x6000; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ sep_msg.data = 0x8000; // SEPFW on iOS 14.0/14.4.2 for T8020, if I found the correct data in Ghidra.
+ // max value 0x8000, checked in SEPROM:FUN_240011564_maybe_check_amcc.
+ // size in bytes == value * 0x910
+ //memcpy(msg1->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg1);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode17", msg1);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode17\n");
+#if 0
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: before response loop, this will surely dead-lock, but let's try it anyway. YOLO.\n");
+ int response_count = 2;
+ while (response_count > 0) {
+ while (!apple_mbox_outbox_empty(s->mbox)) {
+ response_count -= pop_from_outbox(opaque);
+ }
+ }
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: after response loop\n");
+#endif
+ //g_free(sep_msg);
+ ////g_free(msg0);
+ ////g_free(msg1);
+ ////g_free(msg2);
+ ////g_free(msg3);
+ ////g_free(msg4);
+ ////g_free(msg5);
+ }
+ //goto jump_default;
+ //QEMU_FALLTHROUGH;
+ break;
+ case 0x0:
+ //case 0x4:
+ case 0x8:
+ case 0x114:
+ case 0x214:
+ case 0x218:
+ case 0x21c:
+ case 0x220:
+ case 0x2d8:
+ case 0x2dc:
+ case 0x2e0: // ecid low
+ case 0x2e4: // ecid high
+ case 0x2e8: // board-id
+ case 0x2ec: // chip-id
+ case 0x314:
+ case 0x318:
+ case 0x31c:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ break;
+ default:
+ jump_default:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc7_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ case 0xc: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); // ARM_CPU_IRQ == 0
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); // ARM_CPU_FIQ == 1
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); // GTIMER_VIRT == 1
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 0));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 1));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 2));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 3));
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x10: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x14: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x18: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // panic(cpu 3 caller 0xfffffff008b69bb0): SEP Panic: [elfour panic] [&&&&&&&&] sep,*.c:*(+
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x1c: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x20: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x24: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x28: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ default:
+ memcpy(&ret, &s->misc7_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc7_reg_ops = {
+ .write = misc7_reg_write,
+ .read = misc7_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc8_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc8_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc8_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc8_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc8_reg_ops = {
+ .write = misc8_reg_write,
+ .read = misc8_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
static const struct AppleMboxOps sep_mailbox_ops = {};
@@ -270,9 +792,9 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
APPLE_MBOX_MMIO_V2));
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->mbox));
- memory_region_init_io(&s->trng_mr, OBJECT(dev), &trng_reg_ops, s,
- "sep.trng", 0x100);
- sysbus_init_mmio(sbd, &s->trng_mr);
+ memory_region_init_io(&s->trng_t8101_mr, OBJECT(dev), &trng_reg_ops, s,
+ "sep.trng_t8101", 0x100); // TRNG T8101
+ sysbus_init_mmio(sbd, &s->trng_t8101_mr);
memory_region_init_io(&s->misc0_mr, OBJECT(dev), &misc0_reg_ops, s,
"sep.misc0", 0x100);
sysbus_init_mmio(sbd, &s->misc0_mr);
@@ -282,6 +804,30 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
memory_region_init_io(&s->misc2_mr, OBJECT(dev), &misc2_reg_ops, s,
"sep.misc2", 0x100);
sysbus_init_mmio(sbd, &s->misc2_mr);
+ memory_region_init_io(&s->misc3_mr, OBJECT(dev), &misc39_reg_ops, s,
+ "sep.misc39_t8101", 0x100); // MISC39 T8101
+ sysbus_init_mmio(sbd, &s->misc3_mr);
+ memory_region_init_io(&s->misc4_mr, OBJECT(dev), &misc4_reg_ops, s,
+ "sep.misc4", 0x100); // MISC4 // 0x241440000
+ sysbus_init_mmio(sbd, &s->misc4_mr);
+ memory_region_init_io(&s->misc5_mr, OBJECT(dev), &misc5_reg_ops, s,
+ "sep.misc5", 0x100); // MISC5
+ sysbus_init_mmio(sbd, &s->misc5_mr);
+ memory_region_init_io(&s->misc6_mr, OBJECT(dev), &misc6_reg_ops, s,
+ "sep.misc6", 0x4000); // MISC6 // T8020's dart-sep?
+ sysbus_init_mmio(sbd, &s->misc6_mr);
+ memory_region_init_io(&s->misc7_mr, OBJECT(dev), &misc7_reg_ops, s,
+ "sep.misc7", 0x1000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_init_mmio(sbd, &s->misc7_mr);
+ memory_region_init_io(&s->misc8_mr, OBJECT(dev), &misc8_reg_ops, s,
+ "sep.misc8", 0x40000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
+ sysbus_init_mmio(sbd, &s->misc8_mr);
+ memory_region_init_io(&s->trng_t8020_mr, OBJECT(dev), &trng_reg_ops, s,
+ "sep.trng_t8020", 0x100); // TRNG T8020
+ sysbus_init_mmio(sbd, &s->trng_t8020_mr);
+ memory_region_init_io(&s->misc9_mr, OBJECT(dev), &misc39_reg_ops, s,
+ "sep.misc39_t8020", 0x100); // MISC39 T8020
+ sysbus_init_mmio(sbd, &s->misc9_mr);
DTBNode *child = find_dtb_node(node, "iop-sep-nub");
assert(child);
//! SEPFW needs to be loaded by restore, supposedly
@@ -293,7 +839,17 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
{
AppleSEPState *s = data.host_ptr;
+ AddressSpace *nsas = &address_space_memory;
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
cpu_reset(cpu);
+#ifdef DO_SECUREROM
+ // make it possible to re-run SEPROM after SecureROM panics without powering off
+ // replaces e.g.: set *0x241130840=0x0 ; set *0x241130800=0x0
+ //address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x3000000, MEMTXATTRS_UNSPECIFIED);
+ address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x1000000, MEMTXATTRS_UNSPECIFIED);
+#endif
+ fprintf(stderr, "apple_sep_cpu_reset_work: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base);
cpu_set_pc(cpu, s->base);
}
diff --git a/hw/arm/s8000.c b/hw/arm/s8000.c
index 7b3e89eb17..3ed35dd78c 100644
--- a/hw/arm/s8000.c
+++ b/hw/arm/s8000.c
@@ -617,16 +617,44 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ uint64_t ret = 0;
switch (base + addr) {
- case 0x102BC000: //! CFG_FUSE0
- return (1 << 2);
+ case 0x102BC000: //! CFG_FUSE0
+ //return (1 << 2);
+ //return 0;
+ //return -1;
+ ret |= (1 << 2);
+ ret |= (0x12ULL << 9); // SCEP: max: 0x7f
+ //ret |= (1 << 8);
+ //ret |= 0xf << 4;
+ ret |= 0x1 << 4; // BDID |= 0x20
+ //ret |= 0x1 << 5; // BDID |= 0x40
+ //ret |= 0x1 << 6; // BDID |= 0x80
+ //ret |= 0x1 << 7;
+ ret |= (1 << 0); // IBFL |= 0x10
+ return ret;
case 0x102BC200: //! CFG_FUSE0_RAW
- return 0x0;
+ //return 0x0;
+ //return (1 << 2);
+ //return -1;
+ //return 0xffffffffULL << 16;
+ //ret |= (0x1 << 1); // CPFM |= 0x1 ; IBFL |= 0x08
+ ret |= (0x1 << 0); // CPFM |= 0x3 ; IBFL |= 0x08
+ return ret;
+ case 0x102BC010:
+ //return 0x1 << 22; // CPRV |= 0x01
+ //return 0x1 << 23; // CPRV |= 0x02
+ //return 0x1 << 24; // CPRV |= 0x04
+ //return 0x1 << 25; // CPRV |= 0x10
+ //return 0x1 << 26; // CPRV |= 0x20
+ //return 0x1 << 27; // CPRV |= 0x40
+ return (3 << 22);
case 0x102BC080: //! ECID_LO
return 0x13371337;
case 0x102BC084: //! ECID_HI
- return 0xDEADBEEF;
+ return 0x7EADBEEF;
+ //return 0xDEADBEEF;
case 0x102E8000: // ????
return 0x4;
case 0x102BC104: // ???? bit 24 => is fresh boot?
diff --git a/hw/arm/t8030.c b/hw/arm/t8030.c
index f704899133..b26ebd70c9 100644
--- a/hw/arm/t8030.c
+++ b/hw/arm/t8030.c
@@ -1,3 +1,6 @@
+
+//#define DO_SECUREROM 1
+
/*
* Apple t8030 SoC.
*
@@ -65,13 +68,29 @@
#define T8030_DRAM_BASE (0x800000000ULL)
#define T8030_DRAM_SIZE (4ULL * GiB)
+#define T8030_SEP_BASE (0x240000000ULL)
+#define T8030_SEP_SIZE (0x4000000ULL)
+
#define T8030_SEPROM_BASE (0x240000000ULL)
-#define T8030_SEPROM_SIZE (0x4000000ULL)
+//#define T8030_SEPROM_BASE (0x242200000ULL) // Visual told me to
+#define T8030_SEPROM_SIZE (0x40000ULL)
#define T8030_GPIO_FORCE_DFU (161)
-#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x10000000)
-#define T8030_KERNEL_REGION_SIZE (0x3F00000)
+/*
+ * This is from /chosen/carveout-memory-map/region-id-24
+ */
+//#define T8030_KERNEL_REGION_BASE (0x801964000)
+//#define T8030_KERNEL_REGION_SIZE (0xF09CC000)
+
+/* Those values are from Visual. */
+//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x10000000)
+//#define T8030_KERNEL_REGION_SIZE (0x3F00000)
+//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x1000000)
+//#define T8030_KERNEL_REGION_SIZE (0xF000000)
+#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x2000000ULL)
+#define T8030_KERNEL_REGION_SIZE (0xF000000ULL)
+/* */
#define T8030_SPI_BASE(_x) (0x35100000 + (_x)*APPLE_SPI_MMIO_SIZE)
@@ -158,6 +177,20 @@ static void t8030_create_s3c_uart(const T8030MachineState *tms, uint32_t port,
static void t8030_patch_kernel(MachoHeader64 *hdr)
{
+#ifndef DO_SECUREROM
+#if 1
+ uint32_t value32_nop = 0xd503201f; // nop
+ *(uint32_t *)vtop_static(0xFFFFFFF0077142C8) = 0;
+ //*(uint32_t *)vtop_static(0xfffffff009845140) = 0xFFFFFFFF; // AMCC
+ // gAppleSMCDebugLevel = 0xFFFFFFFF;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA18) = 0xFFFFFFFF;
+ // gAppleSMCDebugPath = 0x2;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA1C) = 0x2;
+ *(uint32_t *)vtop_static(0xfffffff007eef5c0) = value32_nop;
+ *(uint32_t *)vtop_static(0xfffffff007eef600) = value32_nop;
+ *(uint32_t *)vtop_static(0xfffffff007eef6a4) = value32_nop;
+#endif
+#endif
kpf();
}
@@ -305,17 +338,18 @@ static void t8030_load_classic_kc(T8030MachineState *tms, const char *cmdline)
dtb_va = ptov_static(info->device_tree_pa);
phys_ptr += align_16k_high(info->device_tree_size);
+#if 1
if (tms->sepfw_filename) {
info->sep_fw_pa = phys_ptr;
- macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw",
- info->sep_fw_pa, &info->sep_fw_size);
info->sep_fw_size = align_16k_high(8 * MiB);
phys_ptr += info->sep_fw_size;
+ size_t garbage = 0;
+ macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage);
}
+#endif
- mem_size =
- machine->maxram_size -
- (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE));
+ //mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
+ mem_size = machine->maxram_size - (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE));
macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info);
@@ -436,8 +470,7 @@ static void t8030_load_fileset_kc(T8030MachineState *tms, const char *cmdline)
info->kern_boot_args_pa = phys_ptr;
phys_ptr += align_16k_high(0x4000);
- mem_size =
- T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
+ mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info);
@@ -460,6 +493,7 @@ static void t8030_memory_setup(MachineState *machine)
DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map");
g_autofree char *cmdline = NULL;
AddressSpace *nsas = &address_space_memory;
+ g_autofree char *securerom = NULL;
g_autofree char *seprom = NULL;
unsigned long fsize = 0;
@@ -470,11 +504,25 @@ static void t8030_memory_setup(MachineState *machine)
info->dram_base = T8030_DRAM_BASE;
info->dram_size = T8030_DRAM_SIZE;
+#ifdef DO_SECUREROM
+ if (!machine->firmware) {
+ error_report("Please set firmware to SecureROM's path");
+ exit(EXIT_FAILURE);
+ }
+
+ if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) {
+ error_report("Could not load data from file '%s'",
+ machine->firmware); exit(EXIT_FAILURE);
+ }
+ address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED,
+ (uint8_t *)securerom, fsize, 1);
+#endif
+
if (tms->seprom_filename == NULL) {
error_report("Please set path to SEPROM");
exit(EXIT_FAILURE);
}
-
+#if 1
if (!g_file_get_contents(tms->seprom_filename, &seprom, &fsize, NULL)) {
error_report("Could not load data from file '%s'",
tms->seprom_filename);
@@ -482,13 +530,58 @@ static void t8030_memory_setup(MachineState *machine)
}
address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED,
(uint8_t *)seprom, fsize, 1);
-
+#endif
uint64_t value = 0x8000000000000000;
- address_space_write(nsas, tms->soc_base_pa + 0x42140108,
- MEMTXATTRS_UNSPECIFIED, &value, sizeof(value));
uint32_t value32 = 0x1;
- address_space_write(nsas, tms->soc_base_pa + 0x41448000,
- MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32));
+ uint32_t value32_mov_w8_0 = 0x52800008; // mov w8, #0x0
+ uint32_t value32_mov_w8_1 = 0x52800028; // mov w8, #0x1
+ uint32_t value32_mov_x0_1 = 0xd2800020; // mov x0, #0x1
+ uint32_t value32_mov_x0_0 = 0xd2800000; // mov x0, #0x0
+ uint32_t value32_mov_x0_0x10 = 0xd2800200; // mov x0, #0x10
+ uint32_t value32_mov_x0_0x2000 = 0xd2840000; // mov x0, #0x2000
+ uint32_t value32_mov_x0_0x5000 = 0xd28a0000; // mov x0, #0x5000
+ uint32_t value32_mov_x0_0x200000 = 0xd2a00400; // mov x0, #0x200000
+ uint32_t value32_mov_x0_0xe20 = 0xd281c400; // mov x0, #0xe20
+ uint32_t value32_mov_x20_1 = 0xd2800034; // mov x20, #0x1
+ uint32_t value32_nop = 0xd503201f; // nop
+ uint32_t value32_mov_w0_8030 = 0x52900600; // mov w0, #0x8030
+ uint32_t value32_cmp_x0_x0 = 0xeb00001f; // cmp x0, x0
+ uint32_t value32_bl_GenerateNonce_t8101 = 0x9400026d; // bl generate_random_GenerateNonce for T8101 from 0x24000edec
+ uint32_t value32_bl_GenerateNonce_t8020 = 0x94000187; // bl generate_random_GenerateNonce for T8020 from 0x24000b574
+ uint32_t value32_mov_x5_0xf0000000 = 0xd2be0005; // mov x5,#0xf0000000
+ uint32_t value32_retab = 0xd65f0fff; // retab
+ uint32_t value32_ret = 0xd65f03c0; // ret
+ uint32_t value32_mov_w0_minus1 = 0x12800000; // mov w0, #0xffffffff
+ uint32_t value32_mov_w0_0x10000000 = 0x52a20000; // mov w0, #0x10000000
+ uint32_t value32_mov_w0_sp_0x4 = 0xb90007e0; // mov w0, [sp, #0x4]
+#if 1 // for T8020 SEPROM
+ address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section)
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x12144, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result.
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121d8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121dc, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0abd8, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs30: fake success
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0ca84, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs14: fake success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x091b4, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8020
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x077ac, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b574, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8020, sizeof(value32_bl_GenerateNonce_t8020)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8020 (Opcode3). Needed because we don't run iBoot/SecureROM.
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0x2000, sizeof(value32_mov_x0_0x2000)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b588, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_sp_0x4, sizeof(value32_mov_w0_sp_0x4)); // boot: set opcode_17_inbox_msg_data
+#ifndef DO_SECUREROM
+#if 1
+ *(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing)
+ *(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger.
+ //*(uint32_t *)vtop_static(0xfffffff008b57ad4) = value32_mov_x0_1; // AppleSEPManager::_bootSEP:: Don't require _PE_i_can_has_debugger.
+ *(uint32_t *)vtop_static(0xfffffff007a231d8) = value32_mov_x0_1; // _kern_config_is_development
+#endif
+#else
+ address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches.
+ address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load
+ address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload
+#endif
+
+#endif // for T8020 SEPROM
nvram = APPLE_NVRAM(qdev_find_recursive(sysbus_get_default(), "nvram"));
if (!nvram) {
@@ -594,6 +687,7 @@ static void t8030_memory_setup(MachineState *machine)
set_dtb_prop(vram, "reg", sizeof(vram_reg), &vram_reg);
}
+#ifndef DO_SECUREROM
hdr = tms->kernel;
g_assert(hdr);
@@ -613,12 +707,26 @@ static void t8030_memory_setup(MachineState *machine)
__func__, hdr->file_type);
break;
}
+#endif
}
+static uint64_t pmgr_unk_e4800 = 0;
+static uint32_t pmgr_unk_e4000[0x180/4] = {0};
+
static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ switch (base + addr) {
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ pmgr_unk_e4800 = data; // 0x240002c00 and 0x2400037a4
+ break;
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4] = data; // 0x24000377c
+ break;
+ default:
+ break;
+ }
#if 1
qemu_log_mask(LOG_UNIMP,
"PMGR reg WRITE unk @ 0x" TARGET_FMT_lx
@@ -629,51 +737,135 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ AppleSEPState *sep;
hwaddr base = (hwaddr)opaque;
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
#if 1
+ if (((base + addr) & 0xfffffffb) != 0x10E20020) {
qemu_log_mask(LOG_UNIMP,
"PMGR reg READ unk @ 0x" TARGET_FMT_lx
" base: 0x" TARGET_FMT_lx "\n",
base + addr, base);
+ }
#endif
- switch (base + addr) {
- case 0x3D2BC000:
- // return 0xA050C030; // IBFL | 0x00
- return 0xA55AC33C; // IBFL | 0x10
- case 0x3D2BC008:
+ uint32_t chip_revision;
+ //chip_revision = 0x01;
+ chip_revision = 0x11;
+ switch (base + addr) {
+ case 0x3D2BC000: // DPRO
+ case 0x3D2BC200:
+ //// return 0xA050C030; // IBFL | 0x00
+ return 0xA55AC33C; // IBFL | 0x10 // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC004: // ??? DPRO? is value==0xA050C030 (disabled), take value from 0xbc600
+ case 0x3D2BC204:
+ return 0xA55AC33C; // force return enabled
+ //return 0xA050C030; // force return disabled ; skip loop inside FUN_240003fcc_wait_for_DAT_23d2bc004_maybe_memory_encryption
+ // FUN_240003fcc_wait_for_DAT_23d2bc004
+ if ((sep->misc5_regs[0] & 0x2) != 0)
+ return 0xA050C030; // if bit1 is set
+ else
+ return 0xA55AC33C; // if bit1 is unset
+ case 0x3D2BC008: // EDOM_0? Effective SDOM_0? (Security Domain) T8030?
+ case 0x3D2BC208: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC308: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC608: // SDOM_0? (Security Domain) AppleSEPROM-Sicily-A0
return 0xA55AC33C; // security domain | 0x1
- case 0x3D2BC00C:
- // return 0xA55AC33C; // security domain | 0x2
+ //return 0xA050C030; // MAYBE security domain | 0x0
+ case 0x3D2BC00C: // EDOM_1? Effective SDOM_1? (Security Domain) T8030?
+ case 0x3D2BC20C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC30C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC60C: // SDOM_1? (Security Domain) AppleSEPROM-Sicily-A0
+ //return 0xA55AC33C; // security domain | 0x2
return 0xA050C030; // security domain | 0x0
- case 0x3D2BC010:
- return (1 << 5) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) <<
- // 5 ;; (1 << 31) for SEP
- case 0x3D2BC030:
- // return 0xFFFFFFFF; // CPRV
- // return 0x7 << 6; // LOW NIBBLE
- // return 0x70 << 5; // HIGH NIBBLE
- return 0x1 << 6;
- case 0x3D2BC300: // TODO
- return 0xCAFEBABE; // ECID lower
- case 0x3D2BC304: // TODO
- return 0xDEADBEEF; // ECID upper
- case 0x3D2BC400:
+ case 0x3D2BC010: // maybe effective CEPO? SEPO/BOARDID (upper three??/five bits stored in the three lower bits)
+ case 0x3D2BC210: // CEPO? SEPO? AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC310: // CEPO? SEPO? AppleSEPROM-S4-S5-B1
+ case 0x3D2BC610: // CEPO? SEPO? AppleSEPROM-Sicily-A0
+ //uint64_t sep_bit30 = 0;
+ uint64_t sep_bit30 = ((sep->misc5_regs[0] & 0x1) != 0);
+ //return (1 << 5) | (0 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (0 << 30) | (1 << 31) for SEP
+ return (1 << 5) | (sep_bit30 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (sep_bit30 << 30) | (1 << 31) for SEP
+ case 0x3D2BC020: // T8030 iBSS: FUN_19c07feac_return_value_causes_crash
+ //return 0xA050C030; // causes panic, so does a invalid value
+ return 0xA55AC33C;
+ //0x3d2bc024 T8030
+ //0x3d2bc028 T8030
+ //0x3d2bc02c T8030
+ //case 0x3D2BC028: // CPRV (Chip Revision) AppleSEPROM-S4-S5-B1
+ //case 0x3D2BC02c: // T8030 iBSS: _DAT_23d2bc02c >> 30 | (_DAT_23d2bc030 & 15) << 2;
+ case 0x3D2BC030: // CPRV (Chip Revision) T8030? T8020?
+ return ((chip_revision & 0x7) << 6) | (((chip_revision & 0x70) >> 4) << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ case 0x3D2BC03c: // CPRV (Chip Revision) AppleSEPROM-Sicily-A0
+ return ((chip_revision & 0x7) << 10) | (((chip_revision & 0x70) >> 4) << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //// return 0xFFFFFFFF; // CPRV
+ //// return (0x7 << 6) | (0x70 << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ //// return (0x7 << 10) | (0x70 << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //return 0x1 << 6; // my ; (1 << 6) == 0x40 == revision:0x1
+ //return 0x240; // Ntrung // == revision:0x11
+ case 0x3D2BC100: // ECID lower T8020?
+ ////case 0x3D2BC200: // ECID lower AppleSEPROM-S4-S5-B1
+ case 0x3D2BC300: // ECID lower T8030?
+ case 0x3D2BC500: // ECID lower AppleSEPROM-Sicily-A0
+ //return 0xCAFEBABE; // ECID lower
+ return tms->ecid & 0xffffffff; // ECID lower
+ case 0x3D2BC104: // ECID upper T8020?
+ ////case 0x3D2BC204: // ECID upper AppleSEPROM-S4-S5-B1
+ case 0x3D2BC304: // ECID upper T8030?
+ case 0x3D2BC504: // ECID upper AppleSEPROM-Sicily-A0
+ //return 0xDEADBEEF; // ECID upper
+ return tms->ecid >> 32; // ECID upper
+ case 0x3D2BC400: // EKEY_0
// if 0xBC404 returns 1==0xA55AC33C, this will get ignored
- // return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C
- case 0x3D2BC404:
- // return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
- return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- case 0x3D2BC604: //?
- return 0xA050C030;
+ //// return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC404: // EKEY_1
+ return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
+ //return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ case 0x3D2BC600: //? EPRO (Effective Production Status)? CPRO (Certificate Production Status)?
+ //return 0xA55AC33C; // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0;
+ return 0xA55AC33C; // EPRO enabled
+ //return 0xA050C030; // EPRO disabled
+ case 0x3D2BC604: //? CSEC (Certificate Security Mode)?
+ //return 0xA55AC33C; // set at 0x24000b070, causes crash at 0x240008928 // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0; // panic(0x74) ?
+ return 0xA55AC33C; // CSEC enabled
+ //return 0xA050C030; // CSEC disabled
case 0x3D2E8000: // ????
- return 0x32B3; // memory encryption AMK (Authentication Master Key)
- // disabled
- // return 0xC2E9; // memory encryption AMK (Authentication Master Key)
- // enabled
- case 0x3D2D0034: //?
- return (1 << 24) | (1 << 25);
+ //return 0x32B3; // memory encryption AMK (Authentication Master Key) disabled // avoided panic(0x74/0xf1) with patches
+ return 0xC2E9; // memory encryption AMK (Authentication Master Key) enabled // needed to avoid panic(0x74) ?
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ //////return 0x3; // 0x2400037a4
+ return pmgr_unk_e4800; // 0x240002c00 and 0x2400037a4
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ return pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4]; // 0x24000377c
+#if 0
+ //case 0x3D2D0034: //? in AES
+ // return (1 << 24) | (1 << 25);
+#endif
+#if 0
+#if 0
+ //case 0x3D2D0020: // ???? in AES
+ // return 4;
+#endif
+ //case 0x3D2BC200: // ????
+ // return 0xA050C030;
+ //case 0x3D2BC204: // ????
+ // return 0xA050C030;
+#endif
+#ifdef DO_SECUREROM
+ case 0x3d2d4040: // SecureROM: prevent panic in platform_bootprep(_panics_on_plain_payload)
+ return (1 << 16);
+ case 0x3d12c014: // while ((*(int64_t*)0x23d12c014 & 0x1ff) == 0)
+ return 0x1;
+#endif
default:
if (((base + addr) & 0x10E70000) == 0x10E70000) {
return (108 << 4) | 0x200000; //?
@@ -692,6 +884,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
{
MachineState *machine = MACHINE(opaque);
T8030MachineState *tms = T8030_MACHINE(opaque);
+ AppleSEPState *sep;
uint32_t value = data;
if (addr >= 0x80000 && addr <= 0x8C000) {
@@ -707,6 +900,34 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
case 0xD4004:
t8030_start_cpus(machine, data);
return;
+#if 1
+ case 0x80C00:
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
+#ifdef DO_SECUREROM
+ if ((data & 0xf) == 0xf) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ }
+#else
+ //if ((data >> 31) == 1) {
+ if (((data >> 31) & 1) == 1) {
+ apple_a13_cpu_reset(APPLE_A13(sep->cpu));
+ //} else if ((data & 0xf) == 0xf) {
+ //} else if (((data & (1 << 28)) == 0) && ((data & (1 << 10)) == 0)) {
+ } else if (((data >> 10) & 1) == 0) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ //} else if ((data & 0xf) == 0x0) {
+ //} else if (((data & (1 << 28)) != 0) && ((data & (1 << 10)) != 0)) {
+ //} else if (((data & (1 << 28)) != 0) || ((data & (1 << 10)) != 0)) {
+ } else if (((data >> 10) & 1) == 1) {
+ apple_a13_cpu_off(APPLE_A13(sep->cpu));
+ }
+#endif
+ break;
+#endif
}
memcpy(tms->pmgr_reg + addr, &value, size);
}
@@ -719,9 +940,15 @@ static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size)
case 0xF0010: //! AppleT8030PMGR::commonSramCheck
result = 0x5000;
break;
+#ifdef DO_SECUREROM
case 0x80C00: //! SEP Power State, Manual & Actual: Run Max
result = 0xFF;
break;
+ case 0x30000: // ??? T8030 IBSS
+ memcpy(&result, tms->pmgr_reg + addr, size);
+ result &= ~(1 << 25); // prevent two busy-loops in T8030 IBSS
+ break;
+#endif
#if 0
case 0xBC008:
result = 0xFFFFFFFF;
@@ -754,44 +981,69 @@ static void amcc_reg_write(void *opaque, hwaddr addr, uint64_t data,
T8030MachineState *tms = T8030_MACHINE(opaque);
uint32_t value = data;
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg WRITE @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ addr, data);
+#endif
memcpy(tms->amcc_reg + addr, &value, size);
}
static uint64_t amcc_reg_read(void *opaque, hwaddr addr, unsigned size)
{
- T8030MachineState *tms = T8030_MACHINE(opaque);
+ MachineState *machine = MACHINE(opaque);
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ hwaddr orig_addr = addr;
+ uint64_t result = 0;
+ uint64_t base = (T8030_KERNEL_REGION_BASE-T8030_DRAM_BASE)+T8030_KERNEL_REGION_SIZE;
switch (addr) {
+#if 1
case 0x6A0:
case 0x406A0:
case 0x806A0:
case 0xC06A0:
- return 0x0;
+ //result = 0x080000; // Don't know if this is correct.
+ //result = 0x080000000ULL >> 12;
+ result = base >> 12;
+ break;
case 0x6A4:
- // return 0x1003;
case 0x406A4:
- // return 0x2003;
case 0x806A4:
- // return 0x3003;
case 0xC06A4:
- // return 0x3;
- return 0x1003; // 0x1003 == 0x1004000
- // return 0x4003;
+ //result = 0xad9f+0x080000; // Don't know if this is correct.
+ //result = ((0x20000000+0x080000000ULL)-1)>>12;
+ //result = ((0xada0000+0x080000000ULL)-1)>>12;
+ result = ((0xada0000+base)-1)>>12;
+ break;
case 0x6A8:
case 0x406A8:
case 0x806A8:
case 0xC06A8:
- return 0x1;
+ result = 0x1;
+ break;
case 0x6B8:
case 0x406B8:
case 0x806B8:
case 0xC06B8:
- return 0x1;
- default: {
- uint64_t result = 0;
+ result = 0x1;
+ break;
+ case 0x4:
+ result = 0xcf;
+ break;
+#endif
+ default:// {
memcpy(&result, tms->amcc_reg + addr, size);
- return result;
- }
+ break;
+ //}
}
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg READ @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ orig_addr, result);
+#endif
+ return result;
}
static const MemoryRegionOps amcc_reg_ops = {
@@ -1723,13 +1975,29 @@ static void t8030_create_sep(MachineState *machine)
reg = (uint64_t *)prop->value;
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, tms->soc_base_pa + reg[0]);
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 1,
- tms->soc_base_pa + 0x41180000); // TRNG
+ tms->soc_base_pa + 0x41180000); // TRNG T8101
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 2,
tms->soc_base_pa + 0x41080000); // MISC0
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 3,
tms->soc_base_pa + 0x41040000); // MISC1
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 4,
tms->soc_base_pa + 0x410C4000); // MISC2
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 5,
+ tms->soc_base_pa + 0x413CA000); // MISC39 T8101
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 6,
+ tms->soc_base_pa + 0x41440000); // MISC4 // 0x241440000
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 7,
+ tms->soc_base_pa + 0x41008000); // MISC5
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 8,
+ tms->soc_base_pa + 0x41280000); // MISC6 // T8020's dart-sep?
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 9,
+ tms->soc_base_pa + 0x41240000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 10,
+ tms->soc_base_pa + 0x41200000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 11,
+ tms->soc_base_pa + 0x41100000); // TRNG T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 12,
+ tms->soc_base_pa + 0x41388000); // MISC39 T8020
prop = find_dtb_prop(child, "interrupts");
g_assert(prop);
@@ -1740,6 +2008,7 @@ static void t8030_create_sep(MachineState *machine)
qdev_get_gpio_in(DEVICE(tms->aic), ints[i]));
}
+#if 1
dart = APPLE_DART(
object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal));
g_assert(dart);
@@ -1756,6 +2025,33 @@ static void t8030_create_sep(MachineState *machine)
OBJECT(sep->dma_mr)));
sep->dma_as = g_new0(AddressSpace, 1);
address_space_init(sep->dma_as, sep->dma_mr, "sep.dma");
+#if 1
+ // after trying out stuff for too long, Visual told me how to do it approximately, but I had to skip the early addresses because SEPOS is there.
+ MemoryRegion *mr = g_new0(MemoryRegion, 1);
+ //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x80c000);
+ ////memory_region_init_alias(sep->dma_mr, OBJECT(tms), "sep.dma.alias", tms->sysmem, T8030_SEPROM_BASE, T8030_SEPROM_SIZE);
+ memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x80c000);
+ ////memory_region_add_subregion(tms->sysmem, 0, &sep->dma_mr);
+ ////memory_region_add_subregion(tms->sysmem, 0, mr);
+ memory_region_add_subregion(tms->sysmem, 0x80c000, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x0, mr);
+#if 0
+ MemoryRegion *mr1 = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr1, OBJECT(tms), "sep.t8030.sepdart.alias", tms->sysmem, tms->soc_base_pa + 0x41280000, 0x4000);
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x412c0000, mr1, 1);
+#endif
+#if 0
+ MemoryRegion *mr2 = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr2, OBJECT(tms), "sep.t8030.sepdart.alias", tms->sysmem, tms->soc_base_pa + 0x412c0000, 0x4000);
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x41280000, mr2, 1);
+#endif
+
+#endif
+
+#else
+ g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(tms->sysmem)));
+#endif
sysbus_realize_and_unref(SYS_BUS_DEVICE(sep), &error_fatal);
}
@@ -1770,9 +2066,12 @@ static void t8030_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
}
cpu_reset(cpu);
env = &ARM_CPU(cpu)->env;
+#ifndef DO_SECUREROM
env->xregs[0] = tms->bootinfo.kern_boot_args_pa;
cpu_set_pc(cpu, tms->bootinfo.kern_entry);
- // cpu_set_pc(cpu, T8030_SROM_BASE);
+#else
+ cpu_set_pc(cpu, T8030_SROM_BASE);
+#endif
}
static void t8030_cpu_reset(void *opaque)
@@ -1849,13 +2148,50 @@ static void t8030_machine_init(MachineState *machine)
tms = T8030_MACHINE(machine);
tms->sysmem = get_system_memory();
- // allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
- // allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+#ifdef DO_SECUREROM
+ allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
+ allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+ //allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x00000038 * 4, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x1000, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_1", 0x23b2c4000, 0x1000, 0); // 0x23b2c401c
+ allocate_ram(tms->sysmem, "SRAM_TEST_2", 0x23b2c8000, 0x1000, 0); // 0x23b2c801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_3", 0x23b2cc000, 0x1000, 0); // 0x23b2cc01c
+ allocate_ram(tms->sysmem, "SRAM_TEST_4", 0x23e804000, 0x1000, 0); // 0x23e8040fc
+ allocate_ram(tms->sysmem, "SRAM_TEST_5", 0x23e808000, 0x1000, 0); // 0x23e808004
+ allocate_ram(tms->sysmem, "SRAM_TEST_6", 0x23D008000, 0x1000, 0); // 0x23D008000
+ allocate_ram(tms->sysmem, "SRAM_TEST_7", 0x24A854000, 0x1000, 0); // 0x24A85401C
+ allocate_ram(tms->sysmem, "SRAM_TEST_8", 0x24a858000, 0x1000, 0); // 0x24a85801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_9", 0x23C260000, 0x1000, 0); // 0x23C260000
+ allocate_ram(tms->sysmem, "SRAM_TEST_10", 0x23C280000, 0x1000, 0); // 0x23C280000
+ allocate_ram(tms->sysmem, "SRAM_TEST_11", 0x23c290000, 0x1000, 0); // 0x23c290000
+ allocate_ram(tms->sysmem, "SRAM_TEST_12", 0x23c2a0000, 0x1000, 0); // 0x23c2a0000
+ //allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x1000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x60000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_14", 0x23E041000, 0x1000, 0); // 0x23E041010
+ allocate_ram(tms->sysmem, "SRAM_TEST_15", 0x23E80C000, 0x1000, 0); // 0x23E80C000
+#endif
allocate_ram(tms->sysmem, "DRAM", T8030_DRAM_BASE, T8030_DRAM_SIZE, 0);
- allocate_ram(tms->sysmem, "SEPROM", T8030_SEPROM_BASE, T8030_SEPROM_SIZE,
- 0);
- allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ allocate_ram(tms->sysmem, "SEP", T8030_SEP_BASE, T8030_SEP_SIZE, 0);
+#if 1
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x500000000ULL, 0);
+ allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x60000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_30", 0x300000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_32", 0x320000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_34", 0x340000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8", 0x300000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8_0", 0x380000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8", 0xf00000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8_0", 0xf80000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW_0", 0x000000000ULL, 0x800000ULL, 0);
+ ////allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL+0x4000ULL, 0);
+ allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x1000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x2000000ULL, 0);
+#endif
+#ifndef DO_SECUREROM
hdr = macho_load_file(machine->kernel_filename, NULL);
g_assert(hdr);
tms->kernel = hdr;
@@ -1894,10 +2230,15 @@ static void t8030_machine_init(MachineState *machine)
g_phys_base = (hwaddr)macho_get_buffer(hdr);
t8030_patch_kernel(hdr);
+#else
+ tms->rtbuddyv2_protocol_version = 11;
+#endif
tms->device_tree = load_dtb_from_file(machine->dtb);
+#ifndef DO_SECUREROM
tms->trustcache = load_trustcache_from_file(tms->trustcache_filename,
&tms->bootinfo.trustcache_size);
+#endif
data = 24000000;
set_dtb_prop(tms->device_tree, "clock-frequency", sizeof(data), &data);
child = find_dtb_node(tms->device_tree, "arm-io");
diff --git a/hw/arm/xnu.c b/hw/arm/xnu.c
index dd58ba6756..994f9eeac2 100644
--- a/hw/arm/xnu.c
+++ b/hw/arm/xnu.c
@@ -89,11 +89,17 @@ static const char *REM_NAMES[] = {
"dart-rsm\0$", "dart-scaler\0$", "dart-jpeg0\0$",
"dart-jpeg1\0$", "dart-isp\0$", "dart-ave\0$",
"dart-avd\0$", "dart-ane\0$", "dart-apcie2\0$",
- "dart-apcie3\0$",
+ "dart-apcie3\0$",
+ //"dart-sep\0$", "sep\0$",
+ //"dart-disp0\0$", "disp0\0$",
};
static const char *REM_DEV_TYPES[] = { "backlight\0$", "pmp\0$", "wlan\0$",
- "bluetooth\0$", "aop\0$" };
+ "bluetooth\0$", "aop\0$",
+ //"sep\0$",
+ //"disp0\0$",
+
+};
static const char *REM_PROPS[] = {
"function-error_handler",
@@ -111,6 +117,8 @@ static const char *REM_PROPS[] = {
"soc-tuning",
"mcc-power-gating",
"function-dock_parent",
+ "function-wait_for_power_gate",
+ "self-power-gate",
};
static void allocate_and_copy(MemoryRegion *mem, AddressSpace *as,
@@ -458,8 +466,56 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info)
set_dtb_prop(child, "security-domain", sizeof(data), &data);
set_dtb_prop(child, "chip-epoch", sizeof(data), &data);
set_dtb_prop(child, "amfi-allows-trust-cache-load", sizeof(data), &data);
- // data = 1;
- // set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+ //data = 1;
+ //set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+#if 1
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+#endif
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 1
+ child = get_dtb_node(root, "defaults");
+ //data = 1;
+ data = 0;
+ set_dtb_prop(child, "no-effaceable-storage", sizeof(data), &data);
+ child = get_dtb_node(root, "product");
+ //data = 1;
+ data = 0;
+ set_dtb_prop(child, "boot-ios-diagnostics", sizeof(data), &data);
+#endif
child = get_dtb_node(root, "chosen/manifest-properties");
set_dtb_prop(child, "BNCH", sizeof(info->boot_nonce_hash),
@@ -468,6 +524,7 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info)
child = get_dtb_node(root, "filesystems");
child = get_dtb_node(child, "fstab");
+ //remove_dtb_node_by_name(child, "xart-vol");
remove_dtb_node_by_name(child, "baseband-vol");
macho_dtb_node_process(root, NULL);
diff --git a/hw/misc/apple_aes.c b/hw/misc/apple_aes.c
index cd55638d3c..bb665150d1 100644
--- a/hw/misc/apple_aes.c
+++ b/hw/misc/apple_aes.c
@@ -372,8 +372,9 @@ static uint64_t aes_security_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case 0x20: //! board-id
return 0x4;
- case 0x34: //? bit 24 = is fresh boot?
- return (1 << 24) | (1 << 25);
+ case 0x34: //? bit 24 = is first boot ; bit 25 = something with memory encryption?
+ //return (1 << 24) | (1 << 25);
+ return (1 << 24) | (0 << 25);
default: //! We don't know the rest
return 0xFF;
}
diff --git a/hw/misc/apple_mbox.c b/hw/misc/apple_mbox.c
index fbe337fce3..dd69e92da5 100644
--- a/hw/misc/apple_mbox.c
+++ b/hw/misc/apple_mbox.c
@@ -9,25 +9,6 @@
#include "qemu/main-loop.h"
#include "trace.h"
-#define IOP_LOG_MSG(s, t, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: %s message (msg->endpoint: 0x%X " \
- "msg->data[0]: 0x" HWADDR_FMT_plx \
- " msg->data[1]: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
- s->ep0_status); \
- } while (0)
-
-#define IOP_LOG_MGMT_MSG(s, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: IOP received management message (msg->endpoint: " \
- "0x0 msg->raw: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, msg->raw, s->ep0_status); \
- } while (0)
//! ------ V3 ------
@@ -37,20 +18,29 @@
#define REG_V3_CPU_STATUS (0x0048)
#define V3_CPU_STATUS_IDLE (0x1)
+#define REG_V3_UNKNOWN0 (0x004c)
+#define REG_V3_UNKNOWN1 (0x0818)
+#define REG_V3_UNKNOWN2 (0x081c) // "akf: READ IRQ %x"
+
#define REG_V3_NMI0 (0xC04) // ??
#define REG_V3_NMI1 (0xC14) // ??
#define REG_AKF_CONFIG (0x2043) // ??
-#define REG_V3_IOP_INT_MASK_SET (0x4100)
-#define REG_V3_IOP_INT_MASK_CLR (0x4108)
+//#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8101 64-bit
+//#define REG_V3_IOP_INT_MASK_CLR (0x4108) // T8101 64-bit
+#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8020 32-bit
+#define REG_V3_IOP_INT_MASK_CLR (0x4104) // T8020 32-bit
+
-#define REG_V3_IOP_I2A_CTRL (0x4114)
+//#define REG_V3_IOP_I2A_CTRL (0x4114) // T8101 32-bit
+#define REG_V3_IOP_I2A_CTRL (0x410c) // T8020 32-bit
#define REG_V3_IOP_I2A_SEND0 (0x4820)
#define REG_V3_IOP_I2A_SEND1 (0x4824)
#define REG_V3_IOP_I2A_SEND2 (0x4828)
#define REG_V3_IOP_I2A_SEND3 (0x482C)
-#define REG_V3_IOP_A2I_CTRL (0x4110)
+//#define REG_V3_IOP_A2I_CTRL (0x4110) // T8101 32-bit
+#define REG_V3_IOP_A2I_CTRL (0x4108) // T8020 32-bit
#define REG_V3_IOP_A2I_RECV0 (0x4810)
#define REG_V3_IOP_A2I_RECV1 (0x4814)
#define REG_V3_IOP_A2I_RECV2 (0x4818)
@@ -142,7 +132,7 @@ static gint g_uint_cmp(gconstpointer a, gconstpointer b)
return a - b;
}
-static bool apple_mbox_outbox_empty(AppleMboxState *s)
+bool apple_mbox_outbox_empty(AppleMboxState *s)
{
return QTAILQ_EMPTY(&s->outbox);
}
@@ -203,7 +193,7 @@ static void ap_update_irq(AppleMboxState *s)
* Push a message from AP to IOP,
* take ownership of msg
*/
-static void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
{
QTAILQ_INSERT_TAIL(&s->inbox, msg, entry);
s->inboxCount++;
@@ -236,7 +226,7 @@ static void apple_mbox_outbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
iop_update_irq(s);
}
-static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
{
apple_mbox_msg_t msg = QTAILQ_FIRST(&s->outbox);
if (msg) {
@@ -248,6 +238,15 @@ static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
return msg;
}
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep,
+ uint64_t msg)
+{
+ apple_mbox_msg_t m = g_new0(struct apple_mbox_msg, 1);
+ m->msg = msg;
+ m->endpoint = ep;
+ apple_mbox_inbox_push(s, m);
+}
+
void apple_mbox_send_control_message(AppleMboxState *s, uint32_t ep,
uint64_t msg)
{
@@ -455,15 +454,24 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
s->int_mask = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
case REG_V3_CPU_CTRL:
- if (data & V3_CPU_CTRL_RUN) {
+ if (data & V3_CPU_CTRL_RUN)
+ //if ((data & V3_CPU_CTRL_RUN) || (data & 0x10000))
+ {
struct apple_mbox_mgmt_msg m = { 0 };
s->regs[REG_V3_CPU_STATUS] &= ~V3_CPU_STATUS_IDLE;
iop_start(s);
@@ -486,6 +494,11 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_A2I_PUSH3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_A2I_PUSH0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_A2I_PUSH3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
@@ -518,6 +531,26 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_IOP_I2A_SEND3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_IOP_I2A_SEND0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_I2A_SEND3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 103 || sep_msg.opcode == 117))
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ g_free(msg);
+ break;
+ }
+#if 0
+ else if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 0x66 || sep_msg.opcode == 0xd2) && sep_msg.data == 0x2)
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: change_status: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ sep_msg.data = 0x8;
+ memcpy(msg->data, &sep_msg.raw, 8);
+ }
+#endif
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: not skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
@@ -545,6 +578,7 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
AppleMboxState *s = APPLE_MBOX(opaque);
uint64_t ret = 0;
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
@@ -552,9 +586,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V3_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V3_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V3_I2A_POP_0_LOW:
msg = apple_mbox_outbox_pop(s);
if (!msg) {
@@ -563,6 +601,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", msg);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_I2A_POP_0_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V3_I2A_POP_0_LOW], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
@@ -575,9 +618,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V3_I2A_POP_1_HIGH:
break;
case REG_V3_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V3_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V3_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V3_IOP_A2I_CTRL:
@@ -602,6 +649,27 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
case REG_V3_CPU_STATUS:
break;
+ case REG_V3_UNKNOWN0:
+#if 0
+ ret = ((apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_EMPTY)) ||
+ (!apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_NONEMPTY)) ||
+ (apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_EMPTY)) ||
+ (!apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_NONEMPTY)));
+#endif
+ ret = 1;
+ // TODO: response not interrupt available, but something with REG_V3_CPU_CTRL?
+ break;
+ case REG_V3_UNKNOWN1:
+ break;
+ case REG_V3_UNKNOWN2:
+ //ret = 1;
+ //ret = 0xffffffff;
+ return 0;
+ break;
case REG_V3_IOP_A2I_RECV0:
msg = apple_mbox_inbox_pop(s);
if (!msg) {
@@ -609,6 +677,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
}
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", msg);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_A2I_RECV0: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
g_free(msg);
@@ -626,6 +699,12 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -646,9 +725,16 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
@@ -671,6 +757,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_A2I_PUSH_HIGH + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_A2I_PUSH_LOW], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_A2I_PUSH_HIGH: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
@@ -699,6 +790,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_IOP_I2A_SEND1 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_IOP_I2A_SEND0], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_I2A_SEND1: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
@@ -724,6 +820,7 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
{
AppleMboxState *s = APPLE_MBOX(opaque);
+ struct sep_message sep_msg = { 0 };
uint64_t ret = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
@@ -733,9 +830,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V2_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V2_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V2_I2A_POP_LOW:
m = apple_mbox_outbox_pop(s);
if (!m) {
@@ -744,6 +845,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", m);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_I2A_POP_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V2_I2A_POP_LOW], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
@@ -752,9 +858,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V2_I2A_POP_HIGH:
break;
case REG_V2_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V2_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V2_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V2_IOP_A2I_CTRL:
@@ -780,6 +890,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
}
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", m);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_A2I_RECV_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
g_free(m);
@@ -793,6 +908,12 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -901,6 +1022,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque,
}
qdev_init_gpio_out_named(DEVICE(dev), &s->iop_irq, APPLE_MBOX_IOP_IRQ, 1);
+ qdev_init_gpio_out_named(DEVICE(dev), &s->test_irq, APPLE_MBOX_TEST_IRQ, 1);
QTAILQ_INIT(&s->inbox);
QTAILQ_INIT(&s->outbox);
QTAILQ_INIT(&s->rollcall);
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
index 9e224ffc72..fd7ae6fc2e 100644
--- a/hw/usb/hcd-dwc2.c
+++ b/hw/usb/hcd-dwc2.c
@@ -45,7 +45,13 @@
#include "trace.h"
// #define SOC_DMA_BASE (0x100000000ULL)
+//#define DO_T8030_SECUREROM 1
+
+#ifdef DO_T8030_SECUREROM
+#define SOC_DMA_BASE (0x100000000ULL)
+#else
#define SOC_DMA_BASE (0x0ULL)
+#endif
#define USB_HZ_FS 12000000
#define USB_HZ_HS 96000000
diff --git a/include/hw/arm/apple_a13.h b/include/hw/arm/apple_a13.h
index f591f780cf..51b9a6b251 100644
--- a/include/hw/arm/apple_a13.h
+++ b/include/hw/arm/apple_a13.h
@@ -66,6 +66,8 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(ARM64_REG_HID14);
A13_CPREG_VAR_DEF(ARM64_REG_HID16);
A13_CPREG_VAR_DEF(ARM64_REG_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_FED_ERR_STS);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0);
A13_CPREG_VAR_DEF(ARM64_REG_3_3_15_7);
@@ -75,6 +77,10 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(PMCR1);
A13_CPREG_VAR_DEF(PMSR);
A13_CPREG_VAR_DEF(S3_4_c15_c0_5);
+ A13_CPREG_VAR_DEF(SYS_HCR_EL2); // TODO: already exists in target/arm/helper.c
+ A13_CPREG_VAR_DEF(SYS_PRE_LLCFLUSH_TMR);
+ A13_CPREG_VAR_DEF(SYS_ACC_PWR_DN_SAVE);
+ A13_CPREG_VAR_DEF(SYS_AON_CNT_CTL);
A13_CPREG_VAR_DEF(AMX_STATUS_EL1);
A13_CPREG_VAR_DEF(AMX_CTL_EL1);
A13_CPREG_VAR_DEF(ARM64_REG_CYC_OVRD);
diff --git a/include/hw/arm/apple_sep.h b/include/hw/arm/apple_sep.h
index 96740ccd58..e5a8540394 100644
--- a/include/hw/arm/apple_sep.h
+++ b/include/hw/arm/apple_sep.h
@@ -24,6 +24,7 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/xnu_dtb.h"
#include "hw/misc/apple_mbox.h"
+#include "hw/boards.h"
#include "hw/sysbus.h"
#include "qemu/typedefs.h"
#include "qom/object.h"
@@ -42,13 +43,27 @@ struct AppleSEPState {
AppleMboxState *mbox;
MemoryRegion *dma_mr;
AddressSpace *dma_as;
- MemoryRegion trng_mr;
+ MemoryRegion trng_t8020_mr;
+ MemoryRegion trng_t8101_mr;
MemoryRegion misc0_mr;
MemoryRegion misc1_mr;
MemoryRegion misc2_mr;
+ MemoryRegion misc3_mr;
+ MemoryRegion misc4_mr; // MISC4 // T8101 BootMonitor for SEPOS loading?
+ MemoryRegion misc5_mr;
+ MemoryRegion misc6_mr;
+ MemoryRegion misc7_mr;
+ MemoryRegion misc8_mr;
+ MemoryRegion misc9_mr;
uint8_t misc0_regs[REG_SIZE];
uint8_t misc1_regs[REG_SIZE];
uint8_t misc2_regs[REG_SIZE];
+ uint8_t misc39_regs[REG_SIZE];
+ uint8_t misc4_regs[REG_SIZE];
+ uint8_t misc5_regs[REG_SIZE];
+ uint8_t misc6_regs[REG_SIZE];
+ uint8_t misc7_regs[REG_SIZE];
+ uint8_t misc8_regs[REG_SIZE];
};
AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
diff --git a/include/hw/misc/apple_mbox.h b/include/hw/misc/apple_mbox.h
index d802cffd40..412fb5d7f0 100644
--- a/include/hw/misc/apple_mbox.h
+++ b/include/hw/misc/apple_mbox.h
@@ -11,6 +11,7 @@
#define APPLE_MBOX_IRQ_I2A_NONEMPTY 2
#define APPLE_MBOX_IRQ_I2A_EMPTY 3
#define APPLE_MBOX_IOP_IRQ "apple-mbox-iop-irq"
+#define APPLE_MBOX_TEST_IRQ "apple-mbox-test-irq"
#define APPLE_MBOX_MMIO_V3 0
#define APPLE_MBOX_MMIO_V2 1
@@ -23,6 +24,28 @@ OBJECT_DECLARE_SIMPLE_TYPE(AppleMboxState, APPLE_MBOX)
#define EP_MANAGEMENT (0)
#define EP_CRASHLOG (1)
+
+#define IOP_LOG_MSG(s, t, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: %s message (msg->endpoint: 0x%X " \
+ "msg->data[0]: 0x" HWADDR_FMT_plx \
+ " msg->data[1]: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
+ s->ep0_status); \
+ } while (0)
+
+#define IOP_LOG_MGMT_MSG(s, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: IOP received management message (msg->endpoint: " \
+ "0x0 msg->raw: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, msg->raw, s->ep0_status); \
+ } while (0)
+
+
enum apple_mbox_ep0_state {
EP0_IDLE,
EP0_WAIT_HELLO,
@@ -102,6 +125,7 @@ struct AppleMboxState {
uint32_t protocol_version;
qemu_irq irqs[4];
qemu_irq iop_irq;
+ qemu_irq test_irq;
QTAILQ_HEAD(, apple_mbox_msg) inbox;
QTAILQ_HEAD(, apple_mbox_msg) outbox;
QTAILQ_HEAD(, apple_mbox_msg) rollcall;
@@ -128,6 +152,25 @@ struct AppleMboxOps {
void (*wakeup)(void *opaque);
};
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg);
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s);
+bool apple_mbox_outbox_empty(AppleMboxState *s);
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg);
+
+struct QEMU_PACKED sep_message {
+ union {
+ struct QEMU_PACKED {
+ uint8_t endpoint;
+ uint8_t tag;
+ uint8_t opcode;
+ uint8_t param;
+ uint32_t data;
+ };
+ uint64_t raw;
+ };
+};
+
+
/*
* Send message to an endpoint
*/
diff --git a/meson.build b/meson.build
index 7d26691204..ba57333214 100644
--- a/meson.build
+++ b/meson.build
@@ -1365,8 +1365,10 @@ endif
liblzfse = not_found
if not get_option('lzfse').auto() or have_block
- liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
- required: get_option('lzfse'))
+ liblzfse = dependency('lzfse', required: get_option('lzfse'),
+ method: 'pkg-config')
+# liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
+# required: get_option('lzfse'))
endif
if liblzfse.found() and not cc.links('''
#include <lzfse.h>
diff --git a/softmmu/memory.c b/softmmu/memory.c
index 7d9494ce70..78a1ed7475 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1397,6 +1397,8 @@ bool memory_region_access_valid(MemoryRegion *mr,
{
if (mr->ops->valid.accepts
&& !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ CPUState *cpu = first_cpu;
+ cpu_dump_state(cpu, stderr, CPU_DUMP_CODE);
qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX
", size %u, region '%s', reason: rejected\n",
is_write ? "write" : "read",
@@ -1469,6 +1471,8 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
pval, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
+ fprintf(stderr, "Invalid read: addr: 0x%llx ; size : %d\n", addr, size);
+ //__asm__("int3");
*pval = unassigned_mem_read(mr, addr, size);
return MEMTX_DECODE_ERROR;
}
@@ -1518,6 +1522,8 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
data, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
+ fprintf(stderr, "Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n", addr, data, size);
+ //__asm__("int3");
unassigned_mem_write(mr, addr, data, size);
return MEMTX_DECODE_ERROR;
}
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 63f439d162..b3da79aa59 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -2990,8 +2990,10 @@ typedef enum ARMMMUIdx {
ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
- ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB,
- ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB,
+ //ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB,
+ //ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB,
+ ARMMMUIdx_Stage1_GE1 = ARMMMUIdx_Stage1_E1 | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF,
+ ARMMMUIdx_Stage1_GE1_PAN = ARMMMUIdx_Stage1_E1_PAN | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF,
/*
* M-profile.
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index abe72e35ae..3d2fbea790 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -444,9 +444,6 @@ static uint32_t arm_debug_exception_fsr(CPUARMState *env)
using_lpae = false;
} else if (target_el == 2 || arm_el_is_aa64(env, target_el)) {
using_lpae = true;
- } else if (arm_feature(env, ARM_FEATURE_PMSA) &&
- arm_feature(env, ARM_FEATURE_V8)) {
- using_lpae = true;
} else if (arm_feature(env, ARM_FEATURE_LPAE) &&
(env->cp15.tcr_el[target_el] & TTBCR_EAE)) {
using_lpae = true;
diff --git a/ui/gtk.c b/ui/gtk.c
index 8ba41c8f13..f5d8258a9e 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -967,10 +967,9 @@ static gboolean gd_button_event(GtkWidget *widget, GdkEventButton *button,
if (button->button == 1 && button->type == GDK_BUTTON_PRESS &&
!qemu_input_is_absolute() && s->ptr_owner != vc) {
if (!vc->window) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
} else {
- gd_grab_pointer(vc, "relative-mode-click");
+ //gd_grab_pointer(vc, "relative-mode-click");
}
return TRUE;
}
@@ -1369,7 +1368,7 @@ static gboolean gd_win_grab(void *opaque)
if (vc->s->ptr_owner) {
gd_ungrab_pointer(vc->s);
} else {
- gd_grab_pointer(vc, "user-request-detached-tab");
+ //gd_grab_pointer(vc, "user-request-detached-tab");
}
return TRUE;
}
@@ -1445,7 +1444,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
{
GtkDisplayState *s = opaque;
VirtualConsole *vc = gd_vc_find_current(s);
-
+#if 0
if (!s->full_screen) {
gtk_notebook_set_show_tabs(GTK_NOTEBOOK(s->notebook), FALSE);
gtk_widget_hide(s->menu_bar);
@@ -1468,7 +1467,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
gd_update_windowsize(vc);
}
}
-
+#endif
gd_update_cursor(vc);
}
@@ -1644,8 +1643,8 @@ static void gd_menu_grab_input(GtkMenuItem *item, void *opaque)
VirtualConsole *vc = gd_vc_find_current(s);
if (gd_is_grab_active(s)) {
- gd_grab_keyboard(vc, "user-request-main-window");
- gd_grab_pointer(vc, "user-request-main-window");
+ //gd_grab_keyboard(vc, "user-request-main-window");
+ //gd_grab_pointer(vc, "user-request-main-window");
} else {
gd_ungrab_keyboard(s);
gd_ungrab_pointer(s);
@@ -1669,16 +1668,13 @@ static void gd_change_page(GtkNotebook *nb, gpointer arg1, guint arg2,
if (!vc) {
return;
}
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item),
- TRUE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), TRUE);
on_vga = (vc->type == GD_VC_GFX &&
qemu_console_is_graphic(vc->gfx.dcl.con));
if (!on_vga) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- FALSE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), FALSE);
} else if (s->full_screen) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
}
gtk_widget_set_sensitive(s->grab_item, on_vga);
#ifdef CONFIG_VTE
@@ -1696,7 +1692,7 @@ static gboolean gd_enter_event(GtkWidget *widget, GdkEventCrossing *crossing,
GtkDisplayState *s = vc->s;
if (gd_grab_on_hover(s)) {
- gd_grab_keyboard(vc, "grab-on-hover");
+ //gd_grab_keyboard(vc, "grab-on-hover");
}
return TRUE;
}
diff --git a/ui/sdl2.c b/ui/sdl2.c
index 0d91b555e3..2e8bbe5c8d 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -274,24 +274,25 @@ static void absolute_mouse_grab(struct sdl2_console *scon)
SDL_GetWindowSize(scon->real_window, &scr_w, &scr_h);
if (mouse_x > 0 && mouse_x < scr_w - 1 &&
mouse_y > 0 && mouse_y < scr_h - 1) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
static void sdl_mouse_mode_change(Notifier *notify, void *data)
{
- if (qemu_input_is_absolute()) {
+ if (qemu_input_is_absolute() && 0) {
if (!absolute_enabled) {
- absolute_enabled = 1;
- SDL_SetRelativeMouseMode(SDL_FALSE);
- absolute_mouse_grab(&sdl2_console[0]);
+ //absolute_enabled = 1;
+ //SDL_SetRelativeMouseMode(SDL_FALSE);
+ //absolute_mouse_grab(&sdl2_console[0]);
}
} else if (absolute_enabled) {
if (!gui_fullscreen) {
- sdl_grab_end(&sdl2_console[0]);
+ //sdl_grab_end(&sdl2_console[0]);
}
absolute_enabled = 0;
}
+ absolute_enabled = 0;
}
static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
@@ -333,15 +334,14 @@ static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
static void toggle_full_screen(struct sdl2_console *scon)
{
- gui_fullscreen = !gui_fullscreen;
+ gui_fullscreen = 0;//!gui_fullscreen;
if (gui_fullscreen) {
- SDL_SetWindowFullscreen(scon->real_window,
- SDL_WINDOW_FULLSCREEN_DESKTOP);
- gui_saved_grab = gui_grab;
- sdl_grab_start(scon);
+ //SDL_SetWindowFullscreen(scon->real_window, SDL_WINDOW_FULLSCREEN_DESKTOP);
+ //gui_saved_grab = gui_grab;
+ //sdl_grab_start(scon);
} else {
if (!gui_saved_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
SDL_SetWindowFullscreen(scon->real_window, 0);
}
@@ -397,7 +397,7 @@ static void handle_keydown(SDL_Event *ev)
case SDL_SCANCODE_8:
case SDL_SCANCODE_9:
if (gui_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
win = ev->key.keysym.scancode - SDL_SCANCODE_1;
@@ -414,15 +414,15 @@ static void handle_keydown(SDL_Event *ev)
}
break;
case SDL_SCANCODE_F:
- toggle_full_screen(scon);
+ //toggle_full_screen(scon);
gui_keysym = 1;
break;
case SDL_SCANCODE_G:
gui_keysym = 1;
if (!gui_grab) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
} else if (!gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_SCANCODE_U:
@@ -506,12 +506,12 @@ static void handle_mousemotion(SDL_Event *ev)
if (gui_grab && !gui_fullscreen
&& (ev->motion.x == 0 || ev->motion.y == 0 ||
ev->motion.x == max_x || ev->motion.y == max_y)) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
if (!gui_grab &&
(ev->motion.x > 0 && ev->motion.x < max_x &&
ev->motion.y > 0 && ev->motion.y < max_y)) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
if (gui_grab || qemu_input_is_absolute() || absolute_enabled) {
@@ -534,7 +534,7 @@ static void handle_mousebutton(SDL_Event *ev)
if (!gui_grab && !qemu_input_is_absolute()) {
if (ev->type == SDL_MOUSEBUTTONUP && bev->button == SDL_BUTTON_LEFT) {
/* start grabbing all events */
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
} else {
if (ev->type == SDL_MOUSEBUTTONDOWN) {
@@ -605,7 +605,7 @@ static void handle_windowevent(SDL_Event *ev)
/* fall through */
case SDL_WINDOWEVENT_ENTER:
if (!gui_grab && (qemu_input_is_absolute() || absolute_enabled)) {
- absolute_mouse_grab(scon);
+ //absolute_mouse_grab(scon);
}
/* If a new console window opened using a hotkey receives the
* focus, SDL sends another KEYDOWN event to the new window,
@@ -621,7 +621,7 @@ static void handle_windowevent(SDL_Event *ev)
win32_kbd_set_window(NULL);
}
if (gui_grab && !gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_WINDOWEVENT_RESTORED:
@@ -950,7 +950,7 @@ static void sdl2_display_init(DisplayState *ds, DisplayOptions *o)
sdl_cursor_normal = SDL_GetCursor();
if (gui_fullscreen) {
- sdl_grab_start(&sdl2_console[0]);
+ //sdl_grab_start(&sdl2_console[0]);
}
atexit(sdl_cleanup);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment