Skip to content

Instantly share code, notes, and snippets.

@chris-pcguy

chris-pcguy/qemu-t8030_seprom_securerom_t8030_20231226_its_alive_0.patch

Created December 26, 2023 17:48
Show Gist options
  • Save chris-pcguy/a29e6230d6e537a89e501b97542009db to your computer and use it in GitHub Desktop.
Save chris-pcguy/a29e6230d6e537a89e501b97542009db to your computer and use it in GitHub Desktop.
Download ZIP
It's alive: void AppleSEPManager::_notifyOSActiveGated(): SEP/OS is alive
Raw
qemu-t8030_seprom_securerom_t8030_20231226_its_alive_0.patch
diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c
index 551a055715..0cceeb7936 100644
--- a/hw/arm/apple_a13.c
+++ b/hw/arm/apple_a13.c
@@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0),
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_LSU_ERR_STS, 3, 3, 15, 2, 0, PL1_RW, 0), // A16 SYS_E_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_FED_ERR_STS, 3, 4, 15, 0, 2, PL1_RW, 0), // A16 SYS_E_FED_ERR_STS
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0, 3, 3, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0, 3, 3, 15, 15, 1, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_3_3_15_7, 3, 3, 15, 7, 0, PL1_RW,
@@ -520,6 +522,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_CYC_OVRD, 3, 5, 15, 5, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_ACC_CFG, 3, 5, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(S3_5_c15_c10_1, 3, 5, 15, 10, 1, PL0_RW, 0),
+ A13_CPREG_DEF(SYS_PRE_LLCFLUSH_TMR, 3, 5, 15, 7, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_AON_CNT_CTL, 3, 7, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(UPMPCM, 3, 7, 15, 5, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMCR0, 3, 7, 15, 0, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMSR, 3, 7, 15, 6, 4, PL1_RW, 0),
@@ -599,6 +604,7 @@ static void apple_a13_realize(DeviceState *dev, Error **errp)
AppleA13State *tcpu = APPLE_A13(dev);
AppleA13Class *tclass = APPLE_A13_GET_CLASS(dev);
DeviceState *fiq_or;
+ DeviceState *irq_or;
Object *obj = OBJECT(dev);
object_property_set_link(OBJECT(tcpu), "memory", OBJECT(&tcpu->memory),
@@ -619,10 +625,29 @@ static void apple_a13_realize(DeviceState *dev, Error **errp)
if (*errp) {
return;
}
+ irq_or = qdev_new(TYPE_OR_IRQ);
+ object_property_add_child(obj, "irq-or", OBJECT(irq_or));
+ qdev_prop_set_uint16(irq_or, "num-lines", 16);
+ qdev_realize_and_unref(irq_or, NULL, errp);
+ if (*errp) {
+ return;
+ }
qdev_connect_gpio_out(fiq_or, 0, qdev_get_gpio_in(dev, ARM_CPU_FIQ));
+ qdev_connect_gpio_out(irq_or, 0, qdev_get_gpio_in(dev, ARM_CPU_IRQ));
qdev_connect_gpio_out(dev, GTIMER_VIRT, qdev_get_gpio_in(fiq_or, 0));
+ qdev_connect_gpio_out(dev, GTIMER_PHYS, qdev_get_gpio_in(fiq_or, 1));
+ //qdev_connect_gpio_out(dev, GTIMER_VIRT, qdev_get_gpio_in(irq_or, 0));
+ if (tcpu->cpu_id == A13_MAX_CPU + 1)
+ {
+ qemu_log_mask(LOG_GUEST_ERROR, "apple_a13_realize: gpio_out for APPLE_SEP\n");
+ qdev_connect_gpio_out(dev, GTIMER_VIRT, qdev_get_gpio_in(irq_or, 0));
+ }
+ qdev_connect_gpio_out(dev, GTIMER_PHYS, qdev_get_gpio_in(irq_or, 1));
+ //qdev_connect_gpio_out(dev, GTIMER_PHYS, qdev_get_gpio_in(dev, ARM_CPU_IRQ));
+ //qdev_connect_gpio_out(dev, GTIMER_PHYS, qdev_get_gpio_in(dev, ARM_CPU_FIQ));
tcpu->fast_ipi = qdev_get_gpio_in(fiq_or, 1);
+ //tcpu->fast_ipi = qdev_get_gpio_in(irq_or, 1);
}
static void apple_a13_reset(DeviceState *dev)
@@ -718,7 +743,7 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id,
}
}
- if (tcpu->cpu_id == 0 || node == NULL) {
+ if (tcpu->cpu_id == 0/* || node == NULL*/) {
if (node) {
set_dtb_prop(node, "state", 8, "running");
}
@@ -817,6 +842,8 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_HID14),
VMSTATE_A13_CPREG(ARM64_REG_HID16),
VMSTATE_A13_CPREG(ARM64_REG_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_FED_ERR_STS),
VMSTATE_A13_CPREG(PMC0),
VMSTATE_A13_CPREG(PMC1),
VMSTATE_A13_CPREG(PMCR0),
@@ -828,6 +855,9 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_CYC_OVRD),
VMSTATE_A13_CPREG(ARM64_REG_ACC_CFG),
VMSTATE_A13_CPREG(S3_5_c15_c10_1),
+ VMSTATE_A13_CPREG(SYS_PRE_LLCFLUSH_TMR),
+ VMSTATE_A13_CPREG(SYS_ACC_PWR_DN_SAVE),
+ VMSTATE_A13_CPREG(SYS_AON_CNT_CTL),
VMSTATE_A13_CPREG(UPMPCM),
VMSTATE_A13_CPREG(UPMCR0),
VMSTATE_A13_CPREG(UPMSR),
diff --git a/hw/arm/apple_a9.c b/hw/arm/apple_a9.c
index 0aa0fb2d6e..a5c3f77746 100644
--- a/hw/arm/apple_a9.c
+++ b/hw/arm/apple_a9.c
@@ -180,8 +180,11 @@ AppleA9State *apple_a9_create(DTBNode *node, char *name, uint32_t cpu_id,
AppleA9State *tcpu;
Object *obj;
DTBProp *prop;
+ DTBProp *prop_cpuid;
uint64_t freq;
uint64_t *reg;
+ uint64_t reg_cpuimpl[2] = { 0 };
+ uint64_t reg_coresight[2] = { 0 };
obj = object_new(TYPE_APPLE_A9);
dev = DEVICE(obj);
@@ -191,13 +194,21 @@ AppleA9State *apple_a9_create(DTBNode *node, char *name, uint32_t cpu_id,
prop = find_dtb_prop(node, "name");
dev->id = g_strdup((char *)prop->value);
- prop = find_dtb_prop(node, "cpu-id");
- g_assert(prop->length == 4);
- tcpu->cpu_id = *(unsigned int *)prop->value;
+ prop_cpuid = find_dtb_prop(node, "cpu-id");
+ //if (prop_cpuid)
+ {
+ g_assert(prop_cpuid->length == 4);
+ tcpu->cpu_id = *(unsigned int *)prop_cpuid->value;
+ }
prop = find_dtb_prop(node, "reg");
g_assert(prop->length == 4);
tcpu->phys_id = *(unsigned int *)prop->value;
+#if 0
+ if (!prop_cpuid) {
+ tcpu->cpu_id = tcpu->phys_id;
+ }
+#endif
} else {
dev->id = g_strdup(name);
tcpu->cpu_id = cpu_id;
@@ -246,10 +257,23 @@ AppleA9State *apple_a9_create(DTBNode *node, char *name, uint32_t cpu_id,
if (node) {
prop = find_dtb_prop(node, "cpu-impl-reg");
+ //if (prop)
+ {
g_assert(prop);
g_assert(prop->length == 16);
reg = (uint64_t *)prop->value;
+ }
+#if 0
+ else {
+ reg_cpuimpl[0] = 0x0202050000ull;
+ reg_cpuimpl[1] = 0x1000;
+ if (tcpu->cpu_id == 1) {
+ reg_cpuimpl[0] |= 0x100000;
+ }
+ reg = reg_cpuimpl;
+ }
+#endif
memory_region_init_ram_device_ptr(&tcpu->impl_reg, obj,
TYPE_APPLE_A9 ".impl-reg", reg[1],
@@ -258,10 +282,23 @@ AppleA9State *apple_a9_create(DTBNode *node, char *name, uint32_t cpu_id,
&tcpu->impl_reg);
prop = find_dtb_prop(node, "coresight-reg");
+ //if (prop)
+ {
g_assert(prop);
g_assert(prop->length == 16);
reg = (uint64_t *)prop->value;
+ }
+#if 0
+ else {
+ reg_coresight[0] = 0x0202010000ull;
+ reg_coresight[1] = 0x040000;
+ if (tcpu->cpu_id == 1) {
+ reg_coresight[0] |= 0x100000;
+ }
+ reg = reg_coresight;
+ }
+#endif
memory_region_init_ram_device_ptr(&tcpu->coresight_reg, obj,
TYPE_APPLE_A9 ".coresight-reg",
diff --git a/hw/arm/apple_sep.c b/hw/arm/apple_sep.c
index da318ca250..ae3c313dc4 100644
--- a/hw/arm/apple_sep.c
+++ b/hw/arm/apple_sep.c
@@ -22,12 +22,19 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/apple_a9.h"
#include "hw/arm/apple_sep.h"
+#include "hw/misc/apple_mbox.h"
#include "hw/arm/xnu.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/log.h"
#include "qemu/units.h"
+#include "hw/arm/t8030.h"
+#include "exec/address-spaces.h"
+#include "hw/irq.h"
+#include "sysemu/dma.h"
+
+//#define DO_SECUREROM 1
static void trng_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
@@ -226,7 +233,903 @@ static const MemoryRegionOps misc2_reg_ops = {
};
-static const struct AppleMboxOps sep_mailbox_ops = {};
+////
+
+
+
+static void pmgr_base_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->pmgr_base_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP PMGR_BASE: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t pmgr_base_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->pmgr_base_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP PMGR_BASE: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps pmgr_base_reg_ops = {
+ .write = pmgr_base_reg_write,
+ .read = pmgr_base_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void key_base_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->key_base_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP KEY_BASE: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t key_base_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->key_base_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP KEY_BASE: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps key_base_reg_ops = {
+ .write = key_base_reg_write,
+ .read = key_base_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void key_fcfg_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->key_fcfg_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP KEY_FCFG: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t key_fcfg_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->key_fcfg_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP KEY_FCFG: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps key_fcfg_reg_ops = {
+ .write = key_fcfg_reg_write,
+ .read = key_fcfg_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void moni_base_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->moni_base_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MONI_BASE: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t moni_base_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->moni_base_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MONI_BASE: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps moni_base_reg_ops = {
+ .write = moni_base_reg_write,
+ .read = moni_base_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void moni_thrm_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->moni_thrm_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MONI_THRM: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t moni_thrm_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->moni_thrm_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MONI_THRM: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps moni_thrm_reg_ops = {
+ .write = moni_thrm_reg_write,
+ .read = moni_thrm_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void eisp_base_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->eisp_base_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP EISP_BASE: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t eisp_base_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->eisp_base_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP EISP_BASE: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps eisp_base_reg_ops = {
+ .write = eisp_base_reg_write,
+ .read = eisp_base_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static void eisp_hmac_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->eisp_hmac_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP EISP_HMAC: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t eisp_hmac_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->eisp_hmac_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP EISP_HMAC: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps eisp_hmac_reg_ops = {
+ .write = eisp_hmac_reg_write,
+ .read = eisp_hmac_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+
+
+////
+
+
+
+static void misc3_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc3_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC3: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc3_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+ // 0x0;0x4 == T8101
+ // 0x4;0x8 == T8020
+
+ switch (addr) {
+#if 0
+ //case 0x00: // ???? T8101
+ // return 0x1;
+ //case 0x04: // ???? T8101
+ // return 0x1;
+ case 0x04: // ???? T8020
+ //return 0x1;
+ return 0x0; // required for misc9 0x318
+ case 0x08: // ???? T8020
+ //return 0x1;
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc3_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC3: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc3_reg_ops = {
+ .write = misc3_reg_write,
+ .read = misc3_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+#if 1
+static void misc4_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+#if 0
+ case 0x14:
+ if (!!(data & 1)) {
+ uint64_t vector = *(uint64_t*)(&s->misc4_regs[0x20]);
+ AppleSEPResetMisc_func(vector);
+ }
+ break;
+#endif
+ default:
+ memcpy(&s->misc4_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc4_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+#if 0
+ case 0x00: // ???? because of WFE FUN_240011488_DAT_241500000_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x04: // ???? because of WFE FUN_2400113cc_DAT_241500004_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x0c: // ???? because of switch case FUN_2400113ec_DAT_24150000c_should_be_0, panics otherwise
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc4_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc4_reg_ops = {
+ .write = misc4_reg_write,
+ .read = misc4_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+#endif
+
+static void misc5_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc5_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc5_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc5_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc5_reg_ops = {
+ .write = misc5_reg_write,
+ .read = misc5_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc6_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc6_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc6_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc6_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc6_reg_ops = {
+ .write = misc6_reg_write,
+ .read = misc6_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc7_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ //apple_mbox_msg_t msg0 = NULL;
+ //apple_mbox_msg_t msg1 = NULL;
+ //apple_mbox_msg_t msg2 = NULL;
+ //apple_mbox_msg_t msg3 = NULL;
+ //apple_mbox_msg_t msg4 = NULL;
+ //apple_mbox_msg_t msg5 = NULL;
+ //sep_message_t sep_msg = NULL;
+ struct sep_message sep_msg = { 0 };
+ switch (addr) {
+ //case 0x8:
+ case 0x4:
+ //if (data == 0x2cbd3509)
+ if (data == 0xf2e31133)
+ {
+ //sep_msg = g_new0(struct sep_message, 1);
+ //msg0 = g_new0(struct apple_mbox_msg, 1);
+ //msg1 = g_new0(struct apple_mbox_msg, 1);
+ //msg2 = g_new0(struct apple_mbox_msg, 1);
+ //msg3 = g_new0(struct apple_mbox_msg, 1);
+ //msg4 = g_new0(struct apple_mbox_msg, 1);
+ //msg5 = g_new0(struct apple_mbox_msg, 1);
+ sep_msg.endpoint = 0xff;
+
+#if 0
+ sep_msg->opcode = 1; // kOpCode_Ping
+ sep_msg->tag = 0x70;
+ memcpy(msg5->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg5);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode1/kOpCode_Ping", msg5);
+#endif
+
+ sep_msg.opcode = 3; // kOpCode_GenerateNonce
+ sep_msg.tag = 0x67;
+ //memcpy(msg0->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg0);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce", msg0);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce\n");
+
+#if 0
+ sep_msg->opcode = 4; // Opcode 4
+ sep_msg->tag = 0x6e;
+ memcpy(msg4->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg4);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode4/kOpCode_GetNonceWord", msg4);
+
+ sep_msg->opcode = 15; // Opcode 15
+ sep_msg->tag = 0x0;
+ memcpy(msg2->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg2);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode15/kOpCode_SendDpa", msg2);
+
+ sep_msg->opcode = 16; // Opcode 16
+ sep_msg->tag = 0x0;
+ memcpy(msg3->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg3);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode16", msg3);
+#endif
+
+ sep_msg.opcode = 17; // Opcode 17
+ sep_msg.tag = 0x0;
+ //sep_msg->data = 0x2000; // 0x2000
+ //sep_msg->data = 0x3200; // iBoot on iOS 12.0 for T8020 says 0x3200 (0x1c52000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x4000; // iBoot on iOS 13.0/13.7 for T8020 says 0x4000 (0x2440000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x3400; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x3800; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x6000; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ sep_msg.data = 0x8000; // SEPFW on iOS 14.0/14.4.2 for T8020, if I found the correct data in Ghidra.
+ // max value 0x8000, checked in SEPROM:FUN_240011564_maybe_check_amcc.
+ // size in bytes == value * 0x910
+ //memcpy(msg1->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg1);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode17", msg1);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode17\n");
+#if 0
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: before response loop, this will surely dead-lock, but let's try it anyway. YOLO.\n");
+ int response_count = 2;
+ while (response_count > 0) {
+ while (!apple_mbox_outbox_empty(s->mbox)) {
+ response_count -= pop_from_outbox(opaque);
+ }
+ }
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: after response loop\n");
+#endif
+ //g_free(sep_msg);
+ ////g_free(msg0);
+ ////g_free(msg1);
+ ////g_free(msg2);
+ ////g_free(msg3);
+ ////g_free(msg4);
+ ////g_free(msg5);
+ }
+ //goto jump_default;
+ //QEMU_FALLTHROUGH;
+ break;
+ case 0x8:
+ if (data == 0x23bfdfe7)
+ {
+ AddressSpace *nsas = &address_space_memory;
+ uint32_t value32_mov_x8_0 = 0xd2800008; // mov x8, #0x0
+ //address_space_write(nsas, 0x340000000ULL+0xa114, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_16
+ //address_space_write(nsas, 0x340000000ULL+0xa120, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_24
+ uint8_t zeroes_16bytes[16] = {0};
+ // The first 16bytes of SEPB.random_0 are being used for SEPOS' ASLR. GDB's awatch refuses to tell me where it ends up, so here you go, I'm just zeroing that shit.
+ ////address_space_write(nsas, 0x340021098ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes));
+ ////address_space_write(nsas, 0x24221bce0ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes));
+ ////address_space_write(nsas, 0x340000080ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes));
+ address_space_write(nsas, 0x340736380ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes));
+ }
+ break;
+ case 0x0:
+ //case 0x4:
+ //case 0x8:
+ case 0x114:
+ case 0x214:
+ case 0x218:
+ case 0x21c:
+ case 0x220:
+ case 0x2d8:
+ case 0x2dc:
+ case 0x2e0: // ecid low
+ case 0x2e4: // ecid high
+ case 0x2e8: // board-id
+ case 0x2ec: // chip-id
+ case 0x314:
+ case 0x318:
+ case 0x31c:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ break;
+ default:
+ jump_default:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc7_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ case 0xc: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); // ARM_CPU_IRQ == 0
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); // ARM_CPU_FIQ == 1
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); // GTIMER_VIRT == 1
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 0));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 1));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 2));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 3));
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x10: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x14: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x18: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // panic(cpu 3 caller 0xfffffff008b69bb0): SEP Panic: [elfour panic] [&&&&&&&&] sep,*.c:*(+
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x1c: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x20: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x24: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ case 0x28: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing?
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+
+ ret = 0xdeadbeef;
+#endif
+ break;
+ default:
+ memcpy(&ret, &s->misc7_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc7_reg_ops = {
+ .write = misc7_reg_write,
+ .read = misc7_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc8_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc8_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc8_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc8_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc8_reg_ops = {
+ .write = misc8_reg_write,
+ .read = misc8_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+
+static const struct AppleMboxOps sep_mailbox_ops = {};
+
+static void sep_alarm(void *opaque)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+
+ //fprintf(stderr, "sep_alarm: entered function\n");
+ int64_t qemu_now;
+ qemu_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+ //timer_mod_ns(s->timer, qemu_now + 10000);
+ //timer_mod_ns(s->timer, qemu_now + 1000000);
+ timer_mod_ns(s->timer, qemu_now + 10000000);
+
+#if 0
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ //qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VIRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VIRQ));
+
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VFIQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VFIQ));
+
+#else
+
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ //qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VIRQ));
+ //qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VIRQ));
+
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VFIQ));
+ //qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_VFIQ));
+
+
+
+#endif
+
+}
+
AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
uint32_t build_version, bool modern)
@@ -270,23 +1173,64 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
APPLE_MBOX_MMIO_V2));
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->mbox));
- memory_region_init_io(&s->trng_mr, OBJECT(dev), &trng_reg_ops, s,
- "sep.trng", 0x100);
- sysbus_init_mmio(sbd, &s->trng_mr);
+ memory_region_init_io(&s->pmgr_base_mr, OBJECT(dev), &pmgr_base_reg_ops, s,
+ "sep.pmgr_base", 0x4000);
+ sysbus_init_mmio(sbd, &s->pmgr_base_mr);
memory_region_init_io(&s->misc0_mr, OBJECT(dev), &misc0_reg_ops, s,
- "sep.misc0", 0x100);
+ "sep.misc0", 0x4000);
sysbus_init_mmio(sbd, &s->misc0_mr);
memory_region_init_io(&s->misc1_mr, OBJECT(dev), &misc1_reg_ops, s,
- "sep.misc1", 0x1000);
+ "sep.misc1", 0x4000);
sysbus_init_mmio(sbd, &s->misc1_mr);
memory_region_init_io(&s->misc2_mr, OBJECT(dev), &misc2_reg_ops, s,
- "sep.misc2", 0x100);
+ "sep.misc2", 0x4000);
sysbus_init_mmio(sbd, &s->misc2_mr);
+ memory_region_init_io(&s->trng_t8020_mr, OBJECT(dev), &trng_reg_ops, s,
+ "sep.trng_t8020", 0x4000); // TRNG T8020
+ sysbus_init_mmio(sbd, &s->trng_t8020_mr);
+ memory_region_init_io(&s->key_base_mr, OBJECT(dev), &key_base_reg_ops, s,
+ "sep.key_base", 0x4000); // KEY_BASE T8020
+ sysbus_init_mmio(sbd, &s->key_base_mr);
+ memory_region_init_io(&s->key_fcfg_mr, OBJECT(dev), &key_fcfg_reg_ops, s,
+ "sep.key_fcfg", 0x4000); // KEY_FCFG T8020
+ sysbus_init_mmio(sbd, &s->key_fcfg_mr);
+ memory_region_init_io(&s->moni_base_mr, OBJECT(dev), &moni_base_reg_ops, s,
+ "sep.moni_base", 0x4000); // MONI_BASE T8020
+ sysbus_init_mmio(sbd, &s->moni_base_mr);
+ memory_region_init_io(&s->moni_thrm_mr, OBJECT(dev), &moni_thrm_reg_ops, s,
+ "sep.moni_thrm", 0x4000); // MONI_THRM T8020
+ sysbus_init_mmio(sbd, &s->moni_thrm_mr);
+ memory_region_init_io(&s->eisp_base_mr, OBJECT(dev), &eisp_base_reg_ops, s,
+ "sep.eisp_base", 0x4000); // EISP_BASE T8020
+ sysbus_init_mmio(sbd, &s->eisp_base_mr);
+ memory_region_init_io(&s->eisp_hmac_mr, OBJECT(dev), &eisp_hmac_reg_ops, s,
+ "sep.eisp_hmac", 0x4000); // EISP_HMAC T8020
+ sysbus_init_mmio(sbd, &s->eisp_hmac_mr);
+ memory_region_init_io(&s->misc3_mr, OBJECT(dev), &misc3_reg_ops, s,
+ "sep.misc3_t8020", 0x4000); // MISC3 T8020
+ sysbus_init_mmio(sbd, &s->misc3_mr);
+ memory_region_init_io(&s->misc4_mr, OBJECT(dev), &misc4_reg_ops, s,
+ "sep.misc4", 0x4000); // MISC4 // 0x241440000
+ sysbus_init_mmio(sbd, &s->misc4_mr);
+ memory_region_init_io(&s->misc5_mr, OBJECT(dev), &misc5_reg_ops, s,
+ "sep.misc5", 0x4000); // MISC5
+ sysbus_init_mmio(sbd, &s->misc5_mr);
+ memory_region_init_io(&s->misc6_mr, OBJECT(dev), &misc6_reg_ops, s,
+ "sep.misc6", 0x4000); // MISC6 // T8020's dart-sep?
+ sysbus_init_mmio(sbd, &s->misc6_mr);
+ memory_region_init_io(&s->misc7_mr, OBJECT(dev), &misc7_reg_ops, s,
+ "sep.misc7", 0x4000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_init_mmio(sbd, &s->misc7_mr);
+ memory_region_init_io(&s->misc8_mr, OBJECT(dev), &misc8_reg_ops, s,
+ "sep.misc8", 0x40000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
+ sysbus_init_mmio(sbd, &s->misc8_mr);
DTBNode *child = find_dtb_node(node, "iop-sep-nub");
assert(child);
//! SEPFW needs to be loaded by restore, supposedly
// uint32_t data = 1;
// set_dtb_prop(child, "sepfw-loaded", sizeof(data), &data);
+ s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sep_alarm, s);
+ //sep_alarm(s);
return s;
}
@@ -294,6 +1238,16 @@ static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
{
AppleSEPState *s = data.host_ptr;
cpu_reset(cpu);
+#ifdef DO_SECUREROM
+ AddressSpace *nsas = &address_space_memory;
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ // make it possible to re-run SEPROM after SecureROM panics without powering off
+ // replaces e.g.: set *0x241130840=0x0 ; set *0x241130800=0x0
+ //address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x3000000, MEMTXATTRS_UNSPECIFIED);
+ address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x1000000, MEMTXATTRS_UNSPECIFIED);
+#endif
+ fprintf(stderr, "apple_sep_cpu_reset_work: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base);
cpu_set_pc(cpu, s->base);
}
@@ -311,6 +1265,7 @@ static void apple_sep_realize(DeviceState *dev, Error **errp)
qdev_connect_gpio_out_named(DEVICE(s->mbox), APPLE_MBOX_IOP_IRQ, 0,
qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ sep_alarm(s);
}
static void apple_sep_unrealize(DeviceState *dev)
diff --git a/hw/arm/s8000.c b/hw/arm/s8000.c
index 93fdf86760..cda5d32f3c 100644
--- a/hw/arm/s8000.c
+++ b/hw/arm/s8000.c
@@ -73,7 +73,8 @@
#define S8000_SEPROM_BASE (0x20D000000ull)
#define S8000_SEPROM_SIZE (0x1000000ull)
-#define S8000_TZ1_BASE (S8000_DRAM_BASE + 0x7D9FC000ull)
+//#define S8000_TZ1_BASE (S8000_DRAM_BASE + 0x7D9FC000ull)
+#define S8000_TZ1_BASE (S8000_DRAM_BASE + 0x7aadC000ull)
#define S8000_TZ1_SIZE (0x80000ull)
#define S8000_PANIC_BASE (S8000_DRAM_BASE + 0x7F374000ull)
@@ -82,8 +83,23 @@
#define S8000_DISPLAY_BASE (S8000_DRAM_BASE + 0x7E75C000ull)
#define S8000_DISPLAY_SIZE (0xC00000ull)
-#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE - 0x800000ull)
-#define S8000_KERNEL_REGION_SIZE (0xF000000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE - 0x800000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE - 0xc00000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE - 0x2800000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE - 0x10800000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x20000000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x20000000ull - 0x800000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x30000000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x3000000ull)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x3000000ull - 0x180c000)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x3000000ull - 0x17fc000)
+//#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE + 0x1804000ull)
+#define S8000_KERNEL_REGION_BASE (S8000_DRAM_BASE)
+//#define S8000_KERNEL_REGION_SIZE (0xF000000ull)
+//#define S8000_KERNEL_REGION_SIZE (0x10000000ull)
+//#define S8000_KERNEL_REGION_SIZE (0x40000000ull)
+//#define S8000_KERNEL_REGION_SIZE (0x1e000000ull)
+#define S8000_KERNEL_REGION_SIZE (0x5524000ull)
static void s8000_start_cpus(MachineState *machine, uint64_t cpu_mask)
{
@@ -129,7 +145,9 @@ static void s8000_create_s3c_uart(const S8000MachineState *tms, Chardev *chr)
static void s8000_patch_kernel(MachoHeader64 *hdr)
{
- kpf();
+ // disable_kprintf_output = 0;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0070EC010) = 0;
+ //kpf();
}
static bool s8000_check_panic(MachineState *machine)
@@ -171,22 +189,25 @@ static void get_kaslr_slides(S8000MachineState *tms, hwaddr *phys_slide_out,
const size_t slide_virt_max = 0x100 * (2 * 1024 * 1024);
size_t random_value = get_kaslr_random();
+#if 0
// if (tms->kaslr_off) {
*phys_slide_out = 0;
*virt_slide_out = 0;
// return;
// }
+#else
+ slide_virt = (random_value & ~slide_granular_mask) % slide_virt_max;
+ if (slide_virt == 0) {
+ slide_virt = slide_virt_max;
+ }
+ slide_phys = slide_virt & L2_GRANULE_MASK;
- // slide_virt = (random_value & ~slide_granular_mask) % slide_virt_max;
- // if (slide_virt == 0) {
- // slide_virt = slide_virt_max;
- // }
- // slide_phys = slide_virt & L2_GRANULE_MASK;
-
- // *phys_slide_out = slide_phys;
- // *virt_slide_out = slide_virt;
+ *phys_slide_out = slide_phys;
+ *virt_slide_out = slide_virt;
+#endif
}
+#if 0
static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
{
MachineState *machine = MACHINE(tms);
@@ -212,11 +233,38 @@ static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
info->kern_text_off = text_range->va - virt_low;
prelink_text_range = xnu_pf_segment(hdr, "__PRELINK_TEXT");
- get_kaslr_slides(tms, &slide_phys, &slide_virt);
+ //get_kaslr_slides(tms, &slide_phys, &slide_virt);
g_phys_base = phys_ptr = S8000_KERNEL_REGION_BASE;
phys_ptr += slide_phys;
g_virt_base += slide_virt - slide_phys;
+ //g_phys_base = S8000_DRAM_BASE;
+ //phys_ptr = S8000_DRAM_BASE;
+
+ //size_t garbage = 0;
+ //macho_load_raw_file(machine->kernel_filename, nsas, sysmem, "kernelimg4", S8000_DRAM_BASE, &garbage);
+
+ //! Kernel boot args
+ //info->kern_boot_args_pa = phys_ptr;
+ //info->kern_boot_args_pa = 0x83e000000ull - (16 * 1024);
+ info->kern_boot_args_pa = 0x83dffc000ull;
+ phys_ptr += align_16k_high(0x4000);
+
+ //! Device tree
+ //info->device_tree_pa = phys_ptr;
+ info->device_tree_pa = 0x83e000000ull;
+ dtb_va = ptov_static(info->device_tree_pa);
+ phys_ptr += align_16k_high(info->device_tree_size);
+
+ //! Ramdisk
+ if (machine->initrd_filename) {
+ //info->ramdisk_pa = phys_ptr;
+ info->ramdisk_pa = 0x83e100000ull;
+ macho_load_ramdisk(machine->initrd_filename, nsas, sysmem,
+ info->ramdisk_pa, &info->ramdisk_size);
+ info->ramdisk_size = align_16k_high(info->ramdisk_size);
+ phys_ptr += info->ramdisk_size;
+ }
//! TrustCache
info->trustcache_pa = vtop_static(prelink_text_range->va + slide_virt) -
@@ -225,6 +273,7 @@ static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
macho_load_trustcache(tms->trustcache, info->trustcache_size, nsas, sysmem,
info->trustcache_pa);
phys_ptr += align_16k_high(info->trustcache_size);
+ g_phys_base = phys_ptr;
info->kern_entry = arm_load_macho(hdr, nsas, sysmem, memory_map,
g_phys_base + slide_phys, slide_virt);
@@ -244,24 +293,6 @@ static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
virt_end += slide_virt;
phys_ptr = vtop_static(align_16k_high(virt_end));
- //! Ramdisk
- if (machine->initrd_filename) {
- info->ramdisk_pa = phys_ptr;
- macho_load_ramdisk(machine->initrd_filename, nsas, sysmem,
- info->ramdisk_pa, &info->ramdisk_size);
- info->ramdisk_size = align_16k_high(info->ramdisk_size);
- phys_ptr += info->ramdisk_size;
- }
-
- //! Kernel boot args
- info->kern_boot_args_pa = phys_ptr;
- phys_ptr += align_16k_high(0x4000);
-
- //! Device tree
- info->device_tree_pa = phys_ptr;
- dtb_va = ptov_static(info->device_tree_pa);
- phys_ptr += align_16k_high(info->device_tree_size);
-
// if (tms->sepfw_filename) {
// info->sepfw_pa = phys_ptr;
// macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw",
@@ -284,6 +315,174 @@ static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
tms->video, cmdline);
g_virt_base = virt_low;
}
+#else
+
+static void s8000_load_classic_kc(S8000MachineState *tms, const char *cmdline)
+{
+ MachineState *machine = MACHINE(tms);
+ MachoHeader64 *hdr = tms->kernel;
+ MemoryRegion *sysmem = tms->sysmem;
+ AddressSpace *nsas = &address_space_memory;
+ hwaddr virt_low;
+ hwaddr virt_end;
+ hwaddr dtb_va;
+ hwaddr top_of_kernel_data_pa;
+ hwaddr mem_size;
+ hwaddr phys_ptr;
+ hwaddr slide_phys = 0;
+ hwaddr slide_virt = 0;
+ AppleBootInfo *info = &tms->bootinfo;
+ g_autofree ApplePfRange *text_range = NULL;
+ g_autofree ApplePfRange *prelink_text_range = NULL;
+ DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map");
+
+ g_phys_base = (hwaddr)macho_get_buffer(hdr);
+ macho_highest_lowest(hdr, &virt_low, &virt_end);
+ fprintf(stderr, "g_virt_diff: 0x" TARGET_FMT_lx "\n", tms->g_virt_diff);
+ text_range = xnu_pf_segment(hdr, "__TEXT");
+ //info->kern_text_off = text_range->va - virt_low;
+ info->kern_text_off = text_range->va - virt_low + tms->g_virt_diff;
+ //info->kern_text_off = 0;
+ prelink_text_range = xnu_pf_segment(hdr, "__PRELINK_TEXT");
+
+ //get_kaslr_slides(tms, &slide_phys, &slide_virt);
+ slide_phys = 0x4000;
+ slide_virt = 0x4004000;
+
+////////
+
+
+///////
+
+ g_phys_base = phys_ptr = S8000_KERNEL_REGION_BASE;
+ phys_ptr += slide_phys;
+ //g_virt_base += slide_virt - slide_phys;
+
+ fprintf(stderr, "g_virt_base shift: 0x" TARGET_FMT_lx "\n", slide_virt - slide_phys);
+ fprintf(stderr, "g_virt_base before shift: 0x" TARGET_FMT_lx "\n", g_virt_base);
+ g_virt_base += slide_virt - slide_phys;
+ fprintf(stderr, "g_virt_base after shift: 0x" TARGET_FMT_lx "\n", g_virt_base);
+ //g_virt_base += slide_virt - slide_phys;
+ //g_virt_base = 0xfffffff008000000ull;
+
+ //! TrustCache
+ //info->trustcache_pa = vtop_static(prelink_text_range->va + slide_virt) - info->trustcache_size;
+ //info->trustcache_pa = vtop_static(prelink_text_range->va + slide_virt) - info->trustcache_size + tms->g_virt_diff;
+ phys_ptr = vtop_static(prelink_text_range->va + slide_virt + tms->g_virt_diff) - info->trustcache_size;
+ info->trustcache_pa = phys_ptr;
+
+ macho_load_trustcache(tms->trustcache, info->trustcache_size, nsas, sysmem,
+ info->trustcache_pa);
+ phys_ptr += align_16k_high(info->trustcache_size);
+
+ //info->kern_entry = arm_load_macho(hdr, nsas, sysmem, memory_map, g_phys_base + slide_phys, slide_virt);
+ info->kern_entry = arm_load_macho(hdr, nsas, sysmem, memory_map, g_phys_base + slide_phys, slide_virt + -tms->g_virt_diff);
+ fprintf(stderr,
+ "Kernel virtual base: 0x" TARGET_FMT_lx "\n"
+ "Kernel physical base: 0x" TARGET_FMT_lx "\n",
+ g_virt_base, g_phys_base);
+ fprintf(stderr, "Kernel text off: 0x" TARGET_FMT_lx "\n",
+ info->kern_text_off);
+ fprintf(stderr,
+ "Kernel virtual slide: 0x" TARGET_FMT_lx "\n"
+ "Kernel physical slide: 0x" TARGET_FMT_lx "\n",
+ slide_virt, slide_phys);
+ fprintf(stderr, "Kernel entry point: 0x" TARGET_FMT_lx "\n",
+ info->kern_entry);
+ fprintf(stderr, "virt_low: 0x" TARGET_FMT_lx "\n",
+ virt_low);
+
+ virt_end += slide_virt;
+ phys_ptr = vtop_static(align_16k_high(virt_end));
+ phys_ptr += tms->g_virt_diff;
+
+////////
+
+ //phys_ptr = 0x840000000ull;
+ top_of_kernel_data_pa = (align_16k_high(phys_ptr) + 0x3000ull) & ~0x3FFFull;
+
+
+ //! Device tree
+ //fprintf(stderr, "info->device_tree_pa_orig: 0x" TARGET_FMT_lx "\n", phys_ptr);
+ //phys_ptr = 0x803c90000ull;
+ info->device_tree_pa = phys_ptr;
+ //info->device_tree_pa = phys_ptr + tms->g_virt_diff;
+ dtb_va = ptov_static(info->device_tree_pa);
+ //info->device_tree_size += 0x10000;
+ info->device_tree_size = 0x22f84;
+ phys_ptr += align_16k_high(info->device_tree_size);
+
+ //printf("initrd_filename: %s\n", machine->initrd_filename);
+ //! Ramdisk
+ if (machine->initrd_filename) {
+ //macho_load_ramdisk(machine->initrd_filename, nsas, sysmem, NULL, &info->ramdisk_size);
+ //info->ramdisk_size = align_16k_high(info->ramdisk_size);
+ //phys_ptr -= info->ramdisk_size;
+ //fprintf(stderr, "info->ramdisk_pa_test0: 0x" TARGET_FMT_lx "\n", info->ramdisk_pa);
+ //fprintf(stderr, "info->ramdisk_pa_test1: 0x" TARGET_FMT_lx "\n", phys_ptr);
+ info->ramdisk_pa = phys_ptr;
+ //info->ramdisk_pa = phys_ptr + tms->g_virt_diff;
+ //fprintf(stderr, "info->ramdisk_pa_test2: 0x" TARGET_FMT_lx "\n", info->ramdisk_pa);
+ //fprintf(stderr, "info->ramdisk_pa_test3: 0x" TARGET_FMT_lx "\n", phys_ptr);
+ //info->ramdisk_pa = ;
+ macho_load_ramdisk(machine->initrd_filename, nsas, sysmem, info->ramdisk_pa, &info->ramdisk_size);
+ //info->ramdisk_size = align_16k_high(info->ramdisk_size);
+ //phys_ptr += info->ramdisk_size;
+ phys_ptr += align_16k_high(info->ramdisk_size);
+ }
+
+ //if (tms->sepfw_filename)
+ {
+ info->sep_fw_pa = phys_ptr;
+ //info->sep_fw_pa = phys_ptr + tms->g_virt_diff;
+ //macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", info->sepfw_pa, &info->sepfw_size);
+ //info->sepfw_size = align_16k_high(8 * MiB);
+ info->sep_fw_size = align_16k_high(15 * MiB);
+ phys_ptr += info->sep_fw_size;
+ }
+
+ //! Kernel boot args
+ fprintf(stderr, "info->kern_boot_args_pa_orig: 0x" TARGET_FMT_lx "\n", phys_ptr);
+ info->kern_boot_args_pa = phys_ptr;
+ //info->kern_boot_args_pa = phys_ptr + tms->g_virt_diff;
+ //info->kern_boot_args_pa = 0x80b0dc000ull;
+ phys_ptr += align_16k_high(0x4000);
+
+////////
+
+ fprintf(stderr, "info->trustcache_pa: 0x" TARGET_FMT_lx "\n", info->trustcache_pa);
+ fprintf(stderr, "info->trustcache_size: 0x" TARGET_FMT_lx "\n", info->trustcache_size);
+ fprintf(stderr, "info->ramdisk_pa: 0x" TARGET_FMT_lx "\n", info->ramdisk_pa);
+ fprintf(stderr, "info->ramdisk_size: 0x" TARGET_FMT_lx "\n", info->ramdisk_size);
+ fprintf(stderr, "info->sep_fw_pa: 0x" TARGET_FMT_lx "\n", info->sep_fw_pa);
+ fprintf(stderr, "info->sep_fw_size: 0x" TARGET_FMT_lx "\n", info->sep_fw_size);
+ fprintf(stderr, "info->kern_boot_args_pa: 0x" TARGET_FMT_lx "\n", info->kern_boot_args_pa);
+ fprintf(stderr, "info->device_tree_pa: 0x" TARGET_FMT_lx "\n", info->device_tree_pa);
+ fprintf(stderr, "info->device_tree_size: 0x" TARGET_FMT_lx "\n", info->device_tree_size);
+
+
+////////
+
+ //mem_size = machine->maxram_size - (S8000_KERNEL_REGION_SIZE + S8000_TZ1_SIZE);
+ mem_size = machine->maxram_size - (S8000_KERNEL_REGION_SIZE);
+
+ macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info);
+
+ top_of_kernel_data_pa = (align_16k_high(phys_ptr) + 0x3000ull) & ~0x3FFFull;
+ //top_of_kernel_data_pa = 0x80b0e0000ull;
+ //top_of_kernel_data_pa += tms->g_virt_diff;
+ ////g_virt_base = virt_low;
+
+ fprintf(stderr, "Boot args: [%s]\n", cmdline);
+ macho_setup_bootargs("BootArgs", nsas, sysmem, info->kern_boot_args_pa,
+ g_virt_base/*0xfffffff008000000ull*/, g_phys_base, mem_size,
+ top_of_kernel_data_pa, dtb_va, info->device_tree_size,
+ tms->video, cmdline);
+ g_virt_base = virt_low;
+ //g_virt_base = virt_end;
+}
+
+#endif
static void s8000_memory_setup(MachineState *machine)
{
@@ -292,7 +491,8 @@ static void s8000_memory_setup(MachineState *machine)
AddressSpace *nsas = &address_space_memory;
hwaddr fsize = 0;
AppleNvramState *nvram;
- g_autofree char *cmdline;
+ //g_autofree char *cmdline;
+ char *cmdline;
MachoHeader64 *hdr;
DTBNode *memory_map;
hwaddr tz1_virt_low;
@@ -471,25 +671,54 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ uint64_t ret = 0;
+
+ qemu_log_mask(LOG_UNIMP,
+ "PMGR reg READ unk @ 0x" TARGET_FMT_lx
+ " base: 0x" TARGET_FMT_lx "\n",
+ base + addr, base);
switch (base + addr) {
- case 0x102BC000: //! CFG_FUSE0
- return (1 << 2);
+ case 0x102BC000: //! CFG_FUSE0
+ //return (1 << 2);
+ //return 0;
+ //return -1;
+ ret |= (1 << 2);
+ ret |= (0x12ULL << 9); // SCEP: max: 0x7f
+ //ret |= (1 << 8);
+ //ret |= 0xf << 4;
+ ret |= 0x1 << 4; // BDID |= 0x20
+ //ret |= 0x1 << 5; // BDID |= 0x40
+ //ret |= 0x1 << 6; // BDID |= 0x80
+ //ret |= 0x1 << 7;
+ ret |= (1 << 0); // IBFL |= 0x10
+ return ret;
case 0x102BC200: //! CFG_FUSE0_RAW
- return 0x0;
+ //return 0x0;
+ //return (1 << 2);
+ //return -1;
+ //return 0xffffffffULL << 16;
+ //ret |= (0x1 << 1); // CPFM |= 0x1 ; IBFL |= 0x08
+ ret |= (0x1 << 0); // CPFM |= 0x3 ; IBFL |= 0x08
+ return ret;
+ case 0x102BC010:
+ //return 0x1 << 22; // CPRV |= 0x01
+ //return 0x1 << 23; // CPRV |= 0x02
+ //return 0x1 << 24; // CPRV |= 0x04
+ //return 0x1 << 25; // CPRV |= 0x10
+ //return 0x1 << 26; // CPRV |= 0x20
+ //return 0x1 << 27; // CPRV |= 0x40
+ return (3 << 22);
case 0x102BC080: //! ECID_LO
return 0x13371337;
case 0x102BC084: //! ECID_HI
- return 0xDEADBEEF;
+ return 0x7EADBEEF;
+ //return 0xDEADBEEF;
case 0x102E8000: // ????
return 0x4;
case 0x102BC104: // ???? bit 24 => is fresh boot?
return (1 << 24) | (1 << 25);
default:
- qemu_log_mask(LOG_UNIMP,
- "PMGR reg READ unk @ 0x" TARGET_FMT_lx
- " base: 0x" TARGET_FMT_lx "\n",
- base + addr, base);
break;
}
return 0;
@@ -530,6 +759,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size)
{
+ MachineState *machine = MACHINE(opaque);
S8000MachineState *tms = S8000_MACHINE(opaque);
uint64_t result = 0;
qemu_log_mask(LOG_UNIMP, "PMGR reg READ @ 0x" TARGET_FMT_lx "\n", addr);
@@ -651,6 +881,46 @@ static void s8000_pmgr_setup(MachineState *machine)
voltage_states1);
}
+static void s8000_create_dart(MachineState *machine, const char *name)
+{
+ AppleDARTState *dart = NULL;
+ DTBProp *prop;
+ uint64_t *reg;
+ uint32_t *ints;
+ int i;
+ S8000MachineState *tms = S8000_MACHINE(machine);
+ DTBNode *child = find_dtb_node(tms->device_tree, "arm-io");
+
+ g_assert(child);
+ child = find_dtb_node(child, name);
+ if (!child)
+ return;
+
+ dart = apple_dart_create(child);
+ g_assert(dart);
+ object_property_add_child(OBJECT(machine), name, OBJECT(dart));
+
+ prop = find_dtb_prop(child, "reg");
+ g_assert(prop);
+
+ reg = (uint64_t *)prop->value;
+
+ for (int i = 0; i < prop->length / 16; i++) {
+ sysbus_mmio_map(SYS_BUS_DEVICE(dart), i, tms->soc_base_pa + reg[i * 2]);
+ }
+
+ prop = find_dtb_prop(child, "interrupts");
+ g_assert(prop);
+ ints = (uint32_t *)prop->value;
+
+ for (i = 0; i < prop->length / sizeof(uint32_t); i++) {
+ sysbus_connect_irq(SYS_BUS_DEVICE(dart), i,
+ qdev_get_gpio_in(DEVICE(tms->aic), ints[i]));
+ }
+
+ sysbus_realize_and_unref(SYS_BUS_DEVICE(dart), &error_fatal);
+}
+
static void s8000_create_nvme(MachineState *machine)
{
uint32_t *ints;
@@ -1068,8 +1338,9 @@ static void s8000_machine_init(MachineState *machine)
tms->sysmem = get_system_memory();
allocate_ram(tms->sysmem, "SRAM", S8000_SRAM_BASE, S8000_SRAM_SIZE, 0);
allocate_ram(tms->sysmem, "DRAM", S8000_DRAM_BASE, machine->ram_size, 0);
- allocate_ram(tms->sysmem, "DRAMPlus", S8000_KERNEL_REGION_BASE,
- S8000_DRAM_BASE - S8000_KERNEL_REGION_BASE, 0);
+ //allocate_ram(tms->sysmem, "DRAMPlus", S8000_KERNEL_REGION_BASE, S8000_DRAM_BASE - S8000_KERNEL_REGION_BASE, 0);
+ //allocate_ram(tms->sysmem, "DRAMPlus", S8000_KERNEL_REGION_BASE, S8000_KERNEL_REGION_SIZE, 0);
+ allocate_ram(tms->sysmem, "DRAMPlus", 0x7f0000000ull, 0x10000000ull, 0);
allocate_ram(tms->sysmem, "SEPROM", S8000_SEPROM_BASE, S8000_SEPROM_SIZE,
0);
MemoryRegion *mr = g_new0(MemoryRegion, 1);
@@ -1114,6 +1385,7 @@ static void s8000_machine_init(MachineState *machine)
kernel_low, kernel_high);
g_virt_base = kernel_low;
+ //g_virt_base = kernel_high;
g_phys_base = (hwaddr)macho_get_buffer(hdr);
s8000_patch_kernel(hdr);
@@ -1209,6 +1481,9 @@ static void s8000_machine_init(MachineState *machine)
s8000_create_i2c(machine, "i2c1");
s8000_create_i2c(machine, "i2c2");
+ //s8000_create_dart(machine, "dart-disp0");
+ /////s8000_create_dart(machine, "dart-sep");
+
s8000_create_usb(machine);
s8000_create_wdt(machine);
diff --git a/hw/arm/t8030.c b/hw/arm/t8030.c
index aad6068a15..e7fcb1edb4 100644
--- a/hw/arm/t8030.c
+++ b/hw/arm/t8030.c
@@ -1,3 +1,6 @@
+
+//#define DO_SECUREROM 1
+
/*
* Apple t8030 SoC.
*
@@ -65,13 +68,29 @@
#define T8030_DRAM_BASE (0x800000000ull)
#define T8030_DRAM_SIZE (4ull * GiB)
+#define T8030_SEP_BASE (0x240000000ULL)
+#define T8030_SEP_SIZE (0x4000000ULL)
+
#define T8030_SEPROM_BASE (0x240000000ULL)
-#define T8030_SEPROM_SIZE (0x4000000ULL)
+//#define T8030_SEPROM_BASE (0x242200000ULL) // Visual told me to
+#define T8030_SEPROM_SIZE (0x40000ULL)
#define T8030_GPIO_FORCE_DFU (161)
-#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x2000000ull)
-#define T8030_KERNEL_REGION_SIZE (0xF000000ull)
+/*
+ * This is from /chosen/carveout-memory-map/region-id-24
+ */
+//#define T8030_KERNEL_REGION_BASE (0x801964000)
+//#define T8030_KERNEL_REGION_SIZE (0xF09CC000)
+
+/* Those values are from Visual. */
+//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x10000000)
+//#define T8030_KERNEL_REGION_SIZE (0x3F00000)
+//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x1000000)
+//#define T8030_KERNEL_REGION_SIZE (0xF000000)
+#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x2000000ULL)
+#define T8030_KERNEL_REGION_SIZE (0xF000000ULL)
+/* */
#define T8030_SPI_BASE(_x) (0x35100000ull + (_x)*APPLE_SPI_MMIO_SIZE)
@@ -158,6 +177,20 @@ static void t8030_create_s3c_uart(const T8030MachineState *tms, uint32_t port,
static void t8030_patch_kernel(MachoHeader64 *hdr)
{
+#ifndef DO_SECUREROM
+#if 1
+ uint32_t value32_nop = 0xd503201f; // nop
+ *(uint32_t *)vtop_static(0xFFFFFFF0077142C8) = 0;
+ //*(uint32_t *)vtop_static(0xfffffff009845140) = 0xFFFFFFFF; // AMCC
+ // gAppleSMCDebugLevel = 0xFFFFFFFF;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA18) = 0xFFFFFFFF;
+ // gAppleSMCDebugPath = 0x2;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA1C) = 0x2;
+ *(uint32_t *)vtop_static(0xfffffff007eef5c0) = value32_nop;
+ *(uint32_t *)vtop_static(0xfffffff007eef600) = value32_nop;
+ *(uint32_t *)vtop_static(0xfffffff007eef6a4) = value32_nop;
+#endif
+#endif
kpf();
}
@@ -295,17 +328,18 @@ static void t8030_load_classic_kc(T8030MachineState *tms, const char *cmdline)
dtb_va = ptov_static(info->device_tree_pa);
phys_ptr += align_16k_high(info->device_tree_size);
+#if 1
if (tms->sepfw_filename) {
info->sep_fw_pa = phys_ptr;
- macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw",
- info->sep_fw_pa, &info->sep_fw_size);
info->sep_fw_size = align_16k_high(8 * MiB);
phys_ptr += info->sep_fw_size;
+ size_t garbage = 0;
+ macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage);
}
+#endif
- mem_size =
- machine->maxram_size -
- (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE));
+ //mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
+ mem_size = machine->maxram_size - (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE));
macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info);
@@ -416,8 +450,7 @@ static void t8030_load_fileset_kc(T8030MachineState *tms, const char *cmdline)
info->kern_boot_args_pa = phys_ptr;
phys_ptr += align_16k_high(0x4000);
- mem_size =
- T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
+ mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE);
macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info);
@@ -440,6 +473,7 @@ static void t8030_memory_setup(MachineState *machine)
DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map");
g_autofree char *cmdline = NULL;
AddressSpace *nsas = &address_space_memory;
+ g_autofree char *securerom = NULL;
g_autofree char *seprom = NULL;
unsigned long fsize = 0;
@@ -450,11 +484,25 @@ static void t8030_memory_setup(MachineState *machine)
info->dram_base = T8030_DRAM_BASE;
info->dram_size = T8030_DRAM_SIZE;
+#ifdef DO_SECUREROM
+ if (!machine->firmware) {
+ error_report("Please set firmware to SecureROM's path");
+ exit(EXIT_FAILURE);
+ }
+
+ if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) {
+ error_report("Could not load data from file '%s'",
+ machine->firmware); exit(EXIT_FAILURE);
+ }
+ address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED,
+ (uint8_t *)securerom, fsize, 1);
+#endif
+
if (tms->seprom_filename == NULL) {
error_report("Please set path to SEPROM");
exit(EXIT_FAILURE);
}
-
+#if 1
if (!g_file_get_contents(tms->seprom_filename, &seprom, &fsize, NULL)) {
error_report("Could not load data from file '%s'",
tms->seprom_filename);
@@ -462,13 +510,63 @@ static void t8030_memory_setup(MachineState *machine)
}
address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED,
(uint8_t *)seprom, fsize, 1);
-
+#endif
uint64_t value = 0x8000000000000000;
- address_space_write(nsas, tms->soc_base_pa + 0x42140108,
- MEMTXATTRS_UNSPECIFIED, &value, sizeof(value));
uint32_t value32 = 0x1;
- address_space_write(nsas, tms->soc_base_pa + 0x41448000,
- MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32));
+ uint32_t value32_mov_w8_0 = 0x52800008; // mov w8, #0x0
+ uint32_t value32_mov_w8_1 = 0x52800028; // mov w8, #0x1
+ uint32_t value32_mov_x0_1 = 0xd2800020; // mov x0, #0x1
+ uint32_t value32_mov_x0_0 = 0xd2800000; // mov x0, #0x0
+ uint32_t value32_mov_x0_0x10 = 0xd2800200; // mov x0, #0x10
+ uint32_t value32_mov_x0_0x2000 = 0xd2840000; // mov x0, #0x2000
+ uint32_t value32_mov_x0_0x5000 = 0xd28a0000; // mov x0, #0x5000
+ uint32_t value32_mov_x0_0x200000 = 0xd2a00400; // mov x0, #0x200000
+ uint32_t value32_mov_x0_0xe20 = 0xd281c400; // mov x0, #0xe20
+ uint32_t value32_mov_x8_0 = 0xd2800008; // mov x8, #0x0
+ uint32_t value32_mov_x20_1 = 0xd2800034; // mov x20, #0x1
+ uint32_t value32_nop = 0xd503201f; // nop
+ uint32_t value32_mov_w0_8030 = 0x52900600; // mov w0, #0x8030
+ uint32_t value32_cmp_x0_x0 = 0xeb00001f; // cmp x0, x0
+ uint32_t value32_bl_GenerateNonce_t8101 = 0x9400026d; // bl generate_random_GenerateNonce for T8101 from 0x24000edec
+ uint32_t value32_bl_GenerateNonce_t8020 = 0x94000187; // bl generate_random_GenerateNonce for T8020 from 0x24000b574
+ uint32_t value32_mov_x5_0xf0000000 = 0xd2be0005; // mov x5,#0xf0000000
+ uint32_t value32_retab = 0xd65f0fff; // retab
+ uint32_t value32_ret = 0xd65f03c0; // ret
+ uint32_t value32_mov_w0_minus1 = 0x12800000; // mov w0, #0xffffffff
+ uint32_t value32_mov_w0_0x10000000 = 0x52a20000; // mov w0, #0x10000000
+ uint32_t value32_mov_w0_sp_0x4 = 0xb90007e0; // mov w0, [sp, #0x4]
+#if 1 // for T8020 SEPROM
+ address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section)
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x12144, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result.
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121d8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121dc, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0abd8, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs30: fake success
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0ca84, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs14: fake success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x091b4, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8020
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x077ac, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b574, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8020, sizeof(value32_bl_GenerateNonce_t8020)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8020 (Opcode3). Needed because we don't run iBoot/SecureROM.
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0x2000, sizeof(value32_mov_x0_0x2000)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b588, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_sp_0x4, sizeof(value32_mov_w0_sp_0x4)); // boot: set opcode_17_inbox_msg_data
+#ifndef DO_SECUREROM
+#if 1
+ *(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing)
+ *(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger.
+ ////*(uint32_t *)vtop_static(0xfffffff008b57ad4) = value32_mov_x0_1; // AppleSEPManager::_bootSEP:: Don't require _PE_i_can_has_debugger.
+ *(uint32_t *)vtop_static(0xfffffff008b56b18) = value32_nop; // AppleSEPManager::_initPMControl: Don't require _PE_i_can_has_debugger. // _PE_parse_boot_argn "sep_pm"
+ *(uint32_t *)vtop_static(0xfffffff007a231d8) = value32_mov_x0_1; // _kern_config_is_development
+ //address_space_write(nsas, 0x340000000ULL+0xa114, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_16
+ //address_space_write(nsas, 0x340000000ULL+0xa120, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_24
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0xc210, MEMTXATTRS_UNSPECIFIED, &value32_ret, sizeof(value32_ret)); // SEPROM: generate_random
+#endif
+#else
+ address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches.
+ address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load
+ address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload
+#endif
+
+#endif // for T8020 SEPROM
nvram = APPLE_NVRAM(qdev_find_recursive(sysbus_get_default(), "nvram"));
if (!nvram) {
@@ -574,6 +672,7 @@ static void t8030_memory_setup(MachineState *machine)
set_dtb_prop(vram, "reg", sizeof(vram_reg), &vram_reg);
}
+#ifndef DO_SECUREROM
hdr = tms->kernel;
g_assert(hdr);
@@ -593,12 +692,26 @@ static void t8030_memory_setup(MachineState *machine)
__func__, hdr->file_type);
break;
}
+#endif
}
+static uint64_t pmgr_unk_e4800 = 0;
+static uint32_t pmgr_unk_e4000[0x180/4] = {0};
+
static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ switch (base + addr) {
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ pmgr_unk_e4800 = data; // 0x240002c00 and 0x2400037a4
+ break;
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4] = data; // 0x24000377c
+ break;
+ default:
+ break;
+ }
#if 1
qemu_log_mask(LOG_UNIMP,
"PMGR reg WRITE unk @ 0x" TARGET_FMT_lx
@@ -609,51 +722,135 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ AppleSEPState *sep;
hwaddr base = (hwaddr)opaque;
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
#if 1
+ if (((base + addr) & 0xfffffffb) != 0x10E20020) {
qemu_log_mask(LOG_UNIMP,
"PMGR reg READ unk @ 0x" TARGET_FMT_lx
" base: 0x" TARGET_FMT_lx "\n",
base + addr, base);
+ }
#endif
- switch (base + addr) {
- case 0x3D2BC000:
- // return 0xA050C030; // IBFL | 0x00
- return 0xA55AC33C; // IBFL | 0x10
- case 0x3D2BC008:
+ uint32_t chip_revision;
+ //chip_revision = 0x01;
+ chip_revision = 0x11;
+ switch (base + addr) {
+ case 0x3D2BC000: // DPRO
+ case 0x3D2BC200:
+ //// return 0xA050C030; // IBFL | 0x00
+ return 0xA55AC33C; // IBFL | 0x10 // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC004: // ??? DPRO? is value==0xA050C030 (disabled), take value from 0xbc600
+ case 0x3D2BC204:
+ return 0xA55AC33C; // force return enabled
+ //return 0xA050C030; // force return disabled ; skip loop inside FUN_240003fcc_wait_for_DAT_23d2bc004_maybe_memory_encryption
+ // FUN_240003fcc_wait_for_DAT_23d2bc004
+ if ((sep->misc5_regs[0] & 0x2) != 0)
+ return 0xA050C030; // if bit1 is set
+ else
+ return 0xA55AC33C; // if bit1 is unset
+ case 0x3D2BC008: // EDOM_0? Effective SDOM_0? (Security Domain) T8030?
+ case 0x3D2BC208: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC308: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC608: // SDOM_0? (Security Domain) AppleSEPROM-Sicily-A0
return 0xA55AC33C; // security domain | 0x1
- case 0x3D2BC00C:
- // return 0xA55AC33C; // security domain | 0x2
+ //return 0xA050C030; // MAYBE security domain | 0x0
+ case 0x3D2BC00C: // EDOM_1? Effective SDOM_1? (Security Domain) T8030?
+ case 0x3D2BC20C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC30C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC60C: // SDOM_1? (Security Domain) AppleSEPROM-Sicily-A0
+ //return 0xA55AC33C; // security domain | 0x2
return 0xA050C030; // security domain | 0x0
- case 0x3D2BC010:
- return (1 << 5) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) <<
- // 5 ;; (1 << 31) for SEP
- case 0x3D2BC030:
- // return 0xFFFFFFFF; // CPRV
- // return 0x7 << 6; // LOW NIBBLE
- // return 0x70 << 5; // HIGH NIBBLE
- return 0x1 << 6;
- case 0x3D2BC300: // TODO
- return 0xCAFEBABE; // ECID lower
- case 0x3D2BC304: // TODO
- return 0xDEADBEEF; // ECID upper
- case 0x3D2BC400:
+ case 0x3D2BC010: // maybe effective CEPO? SEPO/BOARDID (upper three??/five bits stored in the three lower bits)
+ case 0x3D2BC210: // CEPO? SEPO? AppleSEPROM-A12-D331pAP
+ ////case 0x3D2BC310: // CEPO? SEPO? AppleSEPROM-S4-S5-B1
+ case 0x3D2BC610: // CEPO? SEPO? AppleSEPROM-Sicily-A0
+ //uint64_t sep_bit30 = 0;
+ uint64_t sep_bit30 = ((sep->misc5_regs[0] & 0x1) != 0);
+ //return (1 << 5) | (0 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (0 << 30) | (1 << 31) for SEP
+ return (1 << 5) | (sep_bit30 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (sep_bit30 << 30) | (1 << 31) for SEP
+ case 0x3D2BC020: // T8030 iBSS: FUN_19c07feac_return_value_causes_crash
+ //return 0xA050C030; // causes panic, so does a invalid value
+ return 0xA55AC33C;
+ //0x3d2bc024 T8030
+ //0x3d2bc028 T8030
+ //0x3d2bc02c T8030
+ //case 0x3D2BC028: // CPRV (Chip Revision) AppleSEPROM-S4-S5-B1
+ //case 0x3D2BC02c: // T8030 iBSS: _DAT_23d2bc02c >> 30 | (_DAT_23d2bc030 & 15) << 2;
+ case 0x3D2BC030: // CPRV (Chip Revision) T8030? T8020?
+ return ((chip_revision & 0x7) << 6) | (((chip_revision & 0x70) >> 4) << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ case 0x3D2BC03c: // CPRV (Chip Revision) AppleSEPROM-Sicily-A0
+ return ((chip_revision & 0x7) << 10) | (((chip_revision & 0x70) >> 4) << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //// return 0xFFFFFFFF; // CPRV
+ //// return (0x7 << 6) | (0x70 << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ //// return (0x7 << 10) | (0x70 << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //return 0x1 << 6; // my ; (1 << 6) == 0x40 == revision:0x1
+ //return 0x240; // Ntrung // == revision:0x11
+ case 0x3D2BC100: // ECID lower T8020?
+ ////case 0x3D2BC200: // ECID lower AppleSEPROM-S4-S5-B1
+ case 0x3D2BC300: // ECID lower T8030?
+ case 0x3D2BC500: // ECID lower AppleSEPROM-Sicily-A0
+ //return 0xCAFEBABE; // ECID lower
+ return tms->ecid & 0xffffffff; // ECID lower
+ case 0x3D2BC104: // ECID upper T8020?
+ ////case 0x3D2BC204: // ECID upper AppleSEPROM-S4-S5-B1
+ case 0x3D2BC304: // ECID upper T8030?
+ case 0x3D2BC504: // ECID upper AppleSEPROM-Sicily-A0
+ //return 0xDEADBEEF; // ECID upper
+ return tms->ecid >> 32; // ECID upper
+ case 0x3D2BC400: // EKEY_0
// if 0xBC404 returns 1==0xA55AC33C, this will get ignored
- // return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C
- case 0x3D2BC404:
- // return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
- return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- case 0x3D2BC604: //?
- return 0xA050C030;
+ //// return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC404: // EKEY_1
+ return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
+ //return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ case 0x3D2BC600: //? EPRO (Effective Production Status)? CPRO (Certificate Production Status)?
+ //return 0xA55AC33C; // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0;
+ return 0xA55AC33C; // EPRO enabled
+ //return 0xA050C030; // EPRO disabled
+ case 0x3D2BC604: //? CSEC (Certificate Security Mode)?
+ //return 0xA55AC33C; // set at 0x24000b070, causes crash at 0x240008928 // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0; // panic(0x74) ?
+ return 0xA55AC33C; // CSEC enabled
+ //return 0xA050C030; // CSEC disabled
case 0x3D2E8000: // ????
- return 0x32B3; // memory encryption AMK (Authentication Master Key)
- // disabled
- // return 0xC2E9; // memory encryption AMK (Authentication Master Key)
- // enabled
- case 0x3D2D0034: //?
- return (1 << 24) | (1 << 25);
+ //return 0x32B3; // memory encryption AMK (Authentication Master Key) disabled // avoided panic(0x74/0xf1) with patches
+ return 0xC2E9; // memory encryption AMK (Authentication Master Key) enabled // needed to avoid panic(0x74) ?
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ //////return 0x3; // 0x2400037a4
+ return pmgr_unk_e4800; // 0x240002c00 and 0x2400037a4
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ return pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4]; // 0x24000377c
+#if 0
+ //case 0x3D2D0034: //? in AES
+ // return (1 << 24) | (1 << 25);
+#endif
+#if 0
+#if 0
+ //case 0x3D2D0020: // ???? in AES
+ // return 4;
+#endif
+ //case 0x3D2BC200: // ????
+ // return 0xA050C030;
+ //case 0x3D2BC204: // ????
+ // return 0xA050C030;
+#endif
+#ifdef DO_SECUREROM
+ case 0x3d2d4040: // SecureROM: prevent panic in platform_bootprep(_panics_on_plain_payload)
+ return (1 << 16);
+ case 0x3d12c014: // while ((*(int64_t*)0x23d12c014 & 0x1ff) == 0)
+ return 0x1;
+#endif
default:
if (((base + addr) & 0x10E70000) == 0x10E70000) {
return (108 << 4) | 0x200000; //?
@@ -672,6 +869,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
{
MachineState *machine = MACHINE(opaque);
T8030MachineState *tms = T8030_MACHINE(opaque);
+ AppleSEPState *sep;
uint32_t value = data;
if (addr >= 0x80000 && addr <= 0x8C000) {
@@ -687,6 +885,34 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
case 0xD4004:
t8030_start_cpus(machine, data);
return;
+#if 1
+ case 0x80C00:
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
+#ifdef DO_SECUREROM
+ if ((data & 0xf) == 0xf) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ }
+#else
+ //if ((data >> 31) == 1) {
+ if (((data >> 31) & 1) == 1) {
+ apple_a13_cpu_reset(APPLE_A13(sep->cpu));
+ //} else if ((data & 0xf) == 0xf) {
+ //} else if (((data & (1 << 28)) == 0) && ((data & (1 << 10)) == 0)) {
+ } else if (((data >> 10) & 1) == 0) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ //} else if ((data & 0xf) == 0x0) {
+ //} else if (((data & (1 << 28)) != 0) && ((data & (1 << 10)) != 0)) {
+ //} else if (((data & (1 << 28)) != 0) || ((data & (1 << 10)) != 0)) {
+ } else if (((data >> 10) & 1) == 1) {
+ apple_a13_cpu_off(APPLE_A13(sep->cpu));
+ }
+#endif
+ break;
+#endif
}
memcpy(tms->pmgr_reg + addr, &value, size);
}
@@ -699,9 +925,15 @@ static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size)
case 0xF0010: //! AppleT8030PMGR::commonSramCheck
result = 0x5000;
break;
+#ifdef DO_SECUREROM
case 0x80C00: //! SEP Power State, Manual & Actual: Run Max
result = 0xFF;
break;
+ case 0x30000: // ??? T8030 IBSS
+ memcpy(&result, tms->pmgr_reg + addr, size);
+ result &= ~(1 << 25); // prevent two busy-loops in T8030 IBSS
+ break;
+#endif
#if 0
case 0xBC008:
result = 0xFFFFFFFF;
@@ -734,44 +966,69 @@ static void amcc_reg_write(void *opaque, hwaddr addr, uint64_t data,
T8030MachineState *tms = T8030_MACHINE(opaque);
uint32_t value = data;
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg WRITE @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ addr, data);
+#endif
memcpy(tms->amcc_reg + addr, &value, size);
}
static uint64_t amcc_reg_read(void *opaque, hwaddr addr, unsigned size)
{
- T8030MachineState *tms = T8030_MACHINE(opaque);
+ MachineState *machine = MACHINE(opaque);
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ hwaddr orig_addr = addr;
+ uint64_t result = 0;
+ uint64_t base = (T8030_KERNEL_REGION_BASE-T8030_DRAM_BASE)+T8030_KERNEL_REGION_SIZE;
switch (addr) {
+#if 1
case 0x6A0:
case 0x406A0:
case 0x806A0:
case 0xC06A0:
- return 0x0;
+ //result = 0x080000; // Don't know if this is correct.
+ //result = 0x080000000ULL >> 12;
+ result = base >> 12;
+ break;
case 0x6A4:
- // return 0x1003;
case 0x406A4:
- // return 0x2003;
case 0x806A4:
- // return 0x3003;
case 0xC06A4:
- // return 0x3;
- return 0x1003; // 0x1003 == 0x1004000
- // return 0x4003;
+ //result = 0xad9f+0x080000; // Don't know if this is correct.
+ //result = ((0x20000000+0x080000000ULL)-1)>>12;
+ //result = ((0xada0000+0x080000000ULL)-1)>>12;
+ result = ((0xada0000+base)-1)>>12;
+ break;
case 0x6A8:
case 0x406A8:
case 0x806A8:
case 0xC06A8:
- return 0x1;
+ result = 0x1;
+ break;
case 0x6B8:
case 0x406B8:
case 0x806B8:
case 0xC06B8:
- return 0x1;
- default: {
- uint64_t result = 0;
+ result = 0x1;
+ break;
+ case 0x4:
+ result = 0xcf;
+ break;
+#endif
+ default:// {
memcpy(&result, tms->amcc_reg + addr, size);
- return result;
- }
+ break;
+ //}
}
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg READ @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ orig_addr, result);
+#endif
+ return result;
}
static const MemoryRegionOps amcc_reg_ops = {
@@ -895,19 +1152,15 @@ static void t8030_pmgr_setup(MachineState *machine)
for (i = 0; i < prop->length / 8; i += 2) {
MemoryRegion *mem = g_new(MemoryRegion, 1);
- if (i > 0) {
- snprintf(name, 32, "pmgr-unk-reg-%d", i);
- memory_region_init_io(mem, OBJECT(machine), &pmgr_unk_reg_ops,
- (void *)reg[i], name, reg[i + 1]);
- } else {
+ if (i == 0) {
memory_region_init_io(mem, OBJECT(machine), &pmgr_reg_ops, tms,
"pmgr-reg", reg[i + 1]);
+ } else {
+ snprintf(name, sizeof(name), "pmgr-unk-reg-%d", i);
+ memory_region_init_io(mem, OBJECT(machine), &pmgr_unk_reg_ops,
+ (void *)reg[i], name, reg[i + 1]);
}
- memory_region_add_subregion(tms->sysmem,
- reg[i] + reg[i + 1] < tms->soc_size ?
- tms->soc_base_pa + reg[i] :
- reg[i],
- mem);
+ memory_region_add_subregion(tms->sysmem, reg[i] + reg[i + 1] < tms->soc_size ? tms->soc_base_pa + reg[i] : reg[i], mem);
}
{
@@ -1702,14 +1955,44 @@ static void t8030_create_sep(MachineState *machine)
g_assert(prop);
reg = (uint64_t *)prop->value;
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, tms->soc_base_pa + reg[0]);
+ // 0x23d2d0000: XPRT_PMSC == apple.aes.disable_key.mmio
+ // 0x23d2bc000: XPRT_FUSE == pmgr_unk_reg
+ // 0x23d2e8000: XPRT_MISC == pmgr_unk_reg
+ // 0x242400000: AKF_MBOX == apple.mbox.SEP.akf-reg
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 1,
- tms->soc_base_pa + 0x41180000); // TRNG
+ tms->soc_base_pa + 0x41000000); // PMGR_BASE T8020
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 2,
tms->soc_base_pa + 0x41080000); // MISC0
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 3,
tms->soc_base_pa + 0x41040000); // MISC1
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 4,
tms->soc_base_pa + 0x410C4000); // MISC2
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 5,
+ tms->soc_base_pa + 0x41100000); // TRNG T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 6,
+ tms->soc_base_pa + 0x41180000); // KEY_BASE T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 7,
+ tms->soc_base_pa + 0x41400000); // KEY_FCFG T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 8,
+ tms->soc_base_pa + 0x41380000); // MONI_BASE T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 9,
+ tms->soc_base_pa + 0x413c0000); // MONI_THRM T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 10,
+ tms->soc_base_pa + 0x40800000); // EISP_BASE T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 11,
+ tms->soc_base_pa + 0x40a60000); // EISP_HMAC T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 12,
+ tms->soc_base_pa + 0x41388000); // MISC3 T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 13,
+ tms->soc_base_pa + 0x41440000); // MISC4 // 0x241440000
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 14,
+ tms->soc_base_pa + 0x41008000); // MISC5
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 15,
+ tms->soc_base_pa + 0x41280000); // MISC6 // T8020's dart-sep?
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 16,
+ tms->soc_base_pa + 0x41240000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 17,
+ tms->soc_base_pa + 0x41200000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
prop = find_dtb_prop(child, "interrupts");
g_assert(prop);
@@ -1720,6 +2003,7 @@ static void t8030_create_sep(MachineState *machine)
qdev_get_gpio_in(DEVICE(tms->aic), ints[i]));
}
+#if 1
dart = APPLE_DART(
object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal));
g_assert(dart);
@@ -1735,7 +2019,64 @@ static void t8030_create_sep(MachineState *machine)
g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr",
OBJECT(sep->dma_mr)));
sep->dma_as = g_new0(AddressSpace, 1);
+ //sep->dma_as = g_new0(AddressSpace, 0x10000+0x810000);
address_space_init(sep->dma_as, sep->dma_mr, "sep.dma");
+#if 1
+ // after trying out stuff for too long, Visual told me how to do it approximately, but I had to skip the early addresses because SEPOS is there.
+ MemoryRegion *mr = g_new0(MemoryRegion, 1);
+ //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x80c000);
+ //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x810000);
+ ////memory_region_init_alias(sep->dma_mr, OBJECT(tms), "sep.dma.alias", tms->sysmem, T8030_SEPROM_BASE, T8030_SEPROM_SIZE);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000);
+ memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000+0x4000);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x80c000);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x810000);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x4000, 0x10000+0x80c000);
+ //memory_region_add_subregion(tms->sysmem, 0x0, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x80c000, mr);
+#if 0
+ //MemoryRegion *sysmem = tms->sysmem;
+ AddressSpace *nsas = &address_space_memory;
+ size_t garbage = 0;
+ if (tms->sepfw_filename) {
+ //macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, tms->sysmem, "sepfw", 0x340000000ULL, &garbage);
+ macho_load_raw_file(tms->sepfw_filename, nsas, tms->sysmem, "sepfw", 0x4000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, mr, "sepfw", 0x4000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, mr, "sepfw", 0x340000000ULL, &garbage);
+ }
+#endif
+ ////memory_region_add_subregion(tms->sysmem, 0, &sep->dma_mr);
+ ////memory_region_add_subregion(tms->sysmem, 0, mr);
+ memory_region_add_subregion(tms->sysmem, 0x80c000, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x4000, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x0, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x340000000ULL, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x340000000ULL, sep->dma_mr);
+ //memory_region_add_subregion(tms->sysmem, 0x0, sep->dma_mr);
+#if 0
+ MemoryRegion *mr1 = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr1, OBJECT(tms), "sep.t8030.sepdart.alias0", tms->sysmem, tms->soc_base_pa + 0x41280000, 0x4000);
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x412c0000, mr1, 1);
+#endif
+#if 0
+ MemoryRegion *mr2 = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr2, OBJECT(tms), "sep.t8030.sepdart.alias1", tms->sysmem, tms->soc_base_pa + 0x412c0000, 0x4000);
+ memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x41280000, mr2, 1);
+#endif
+#if 0
+ MemoryRegion *mr3 = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", tms->sysmem, 0x4000, 0x800000);
+ //memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", sep->dma_mr, 0x4000, 0x800000);
+ //memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", mr, 0x4000, 0x800000);
+ memory_region_add_subregion_overlap(tms->sysmem, 0x340000000ULL, mr3, 1);
+#endif
+
+#endif
+
+#else
+ g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(tms->sysmem)));
+#endif
sysbus_realize_and_unref(SYS_BUS_DEVICE(sep), &error_fatal);
}
@@ -1750,8 +2091,12 @@ static void t8030_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
}
cpu_reset(cpu);
env = &ARM_CPU(cpu)->env;
+#ifndef DO_SECUREROM
env->xregs[0] = tms->bootinfo.kern_boot_args_pa;
cpu_set_pc(cpu, tms->bootinfo.kern_entry);
+#else
+ cpu_set_pc(cpu, T8030_SROM_BASE);
+#endif
}
static void t8030_cpu_reset(void *opaque)
@@ -1828,13 +2173,50 @@ static void t8030_machine_init(MachineState *machine)
tms = T8030_MACHINE(machine);
tms->sysmem = get_system_memory();
- // allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
- // allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+#ifdef DO_SECUREROM
+ allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
+ allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+ //allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x00000038 * 4, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x1000, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_1", 0x23b2c4000, 0x1000, 0); // 0x23b2c401c
+ allocate_ram(tms->sysmem, "SRAM_TEST_2", 0x23b2c8000, 0x1000, 0); // 0x23b2c801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_3", 0x23b2cc000, 0x1000, 0); // 0x23b2cc01c
+ allocate_ram(tms->sysmem, "SRAM_TEST_4", 0x23e804000, 0x1000, 0); // 0x23e8040fc
+ allocate_ram(tms->sysmem, "SRAM_TEST_5", 0x23e808000, 0x1000, 0); // 0x23e808004
+ allocate_ram(tms->sysmem, "SRAM_TEST_6", 0x23D008000, 0x1000, 0); // 0x23D008000
+ allocate_ram(tms->sysmem, "SRAM_TEST_7", 0x24A854000, 0x1000, 0); // 0x24A85401C
+ allocate_ram(tms->sysmem, "SRAM_TEST_8", 0x24a858000, 0x1000, 0); // 0x24a85801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_9", 0x23C260000, 0x1000, 0); // 0x23C260000
+ allocate_ram(tms->sysmem, "SRAM_TEST_10", 0x23C280000, 0x1000, 0); // 0x23C280000
+ allocate_ram(tms->sysmem, "SRAM_TEST_11", 0x23c290000, 0x1000, 0); // 0x23c290000
+ allocate_ram(tms->sysmem, "SRAM_TEST_12", 0x23c2a0000, 0x1000, 0); // 0x23c2a0000
+ //allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x1000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x60000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_14", 0x23E041000, 0x1000, 0); // 0x23E041010
+ allocate_ram(tms->sysmem, "SRAM_TEST_15", 0x23E80C000, 0x1000, 0); // 0x23E80C000
+#endif
allocate_ram(tms->sysmem, "DRAM", T8030_DRAM_BASE, T8030_DRAM_SIZE, 0);
- allocate_ram(tms->sysmem, "SEPROM", T8030_SEPROM_BASE, T8030_SEPROM_SIZE,
- 0);
- allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ allocate_ram(tms->sysmem, "SEP", T8030_SEP_BASE, T8030_SEP_SIZE, 0);
+#if 1
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x500000000ULL, 0);
+ allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x60000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_30", 0x300000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_32", 0x320000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_34", 0x340000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8", 0x300000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8_0", 0x380000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8", 0xf00000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8_0", 0xf80000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW_0", 0x000000000ULL, 0x800000ULL, 0);
+ //allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL+0x4000ULL, 0);
+ allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x1000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x2000000ULL, 0);
+#endif
+#ifndef DO_SECUREROM
hdr = macho_load_file(machine->kernel_filename, NULL);
g_assert(hdr);
tms->kernel = hdr;
@@ -1873,10 +2255,15 @@ static void t8030_machine_init(MachineState *machine)
g_phys_base = (hwaddr)macho_get_buffer(hdr);
t8030_patch_kernel(hdr);
+#else
+ tms->rtbuddyv2_protocol_version = 11;
+#endif
tms->device_tree = load_dtb_from_file(machine->dtb);
+#ifndef DO_SECUREROM
tms->trustcache = load_trustcache_from_file(tms->trustcache_filename,
&tms->bootinfo.trustcache_size);
+#endif
data = 24000000;
set_dtb_prop(tms->device_tree, "clock-frequency", sizeof(data), &data);
child = find_dtb_node(tms->device_tree, "arm-io");
@@ -1885,7 +2272,7 @@ static void t8030_machine_init(MachineState *machine)
data = 0x20;
set_dtb_prop(child, "chip-revision", sizeof(data), &data);
- set_dtb_prop(child, "clock-frequencies", sizeof(clock_freq), clock_freq);
+ // set_dtb_prop(child, "clock-frequencies", sizeof(clock_freq), clock_freq);
prop = find_dtb_prop(child, "ranges");
g_assert(prop);
diff --git a/hw/arm/xnu.c b/hw/arm/xnu.c
index bf91bc622e..a4fa20c8af 100644
--- a/hw/arm/xnu.c
+++ b/hw/arm/xnu.c
@@ -86,6 +86,16 @@ static const char *KEEP_COMP[] = {
"usb-drd,t8030\0usb-drd,t8027\0$",
"wdt,s8000\0wdt,s5l8960x\0$",
"wdt,t8030\0wdt,s5l8960x\0$",
+#if 0
+ "adbe0,s8000\0$",
+ "nco,s8000\0$",
+ "mcc,s8000\0$",
+ //"dwi,s8000\0$",
+ "iop,s8000\0$",
+ "usb-device,s8000\0usb-device,t7000\0usb-device,s5l8900x\0$",
+ "pmu,d2255\0$",
+ "dart,s8000\0dart,s5l8960x\0$",
+#endif
};
static const char *REM_NAMES[] = {
@@ -94,10 +104,14 @@ static const char *REM_NAMES[] = {
"dart-ave\0$", "dart-isp\0$", "dart-jpeg0\0$", "dart-jpeg1\0$",
"dart-pmp\0$", "dart-rsm\0$", "dart-scaler\0$", "dockchannel-uart\0$",
"dotara\0$", "pmp\0$", "stockholm-spmi\0$",
+ //"dart-sep\0$", "sep\0$",
+ //"dart-disp0\0$", "disp0\0$",
};
static const char *REM_DEV_TYPES[] = {
"aop\0$", "backlight\0$", "bluetooth\0$", "pmp\0$", "wlan\0$",
+ //"sep\0$",
+ //"disp0\0$",
};
static const char *REM_PROPS[] = {
@@ -116,6 +130,8 @@ static const char *REM_PROPS[] = {
"nvme-coastguard",
"pmp",
"soc-tuning",
+ "function-wait_for_power_gate",
+ "self-power-gate",
};
static void allocate_and_copy(MemoryRegion *mem, AddressSpace *as,
@@ -457,12 +473,65 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info)
prop = set_dtb_prop(child, "effective-production-status-ap", sizeof(data),
&data);
+ //data = 0;
+ data = 1;
// these are needed by the image4 parser module$
set_dtb_prop(child, "security-domain", sizeof(data), &data);
set_dtb_prop(child, "chip-epoch", sizeof(data), &data);
+ data = 1;
set_dtb_prop(child, "amfi-allows-trust-cache-load", sizeof(data), &data);
- // data = 1;
- // set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+ data = 0;
+ //data = 1;
+ //data = 0xffffffff;
+ set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+#endif
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 1
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 1
+ child = get_dtb_node(root, "defaults");
+ data = 1;
+ //data = 0;
+ set_dtb_prop(child, "no-effaceable-storage", sizeof(data), &data);
+ child = get_dtb_node(root, "product");
+ data = 1;
+ //data = 0;
+ set_dtb_prop(child, "boot-ios-diagnostics", sizeof(data), &data);
+#endif
child = get_dtb_node(root, "chosen/manifest-properties");
set_dtb_prop(child, "BNCH", sizeof(info->boot_nonce_hash),
@@ -471,8 +540,13 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info)
child = get_dtb_node(root, "filesystems");
child = get_dtb_node(child, "fstab");
+ //remove_dtb_node_by_name(child, "xart-vol");
remove_dtb_node_by_name(child, "baseband-vol");
+ //prop = find_dtb_prop(root, "secure-root-prefix");
+ //assert(prop);
+ //remove_dtb_prop(root, prop);
+
macho_dtb_node_process(root, NULL);
child = get_dtb_node(root, "chosen/memory-map");
@@ -663,7 +737,9 @@ void macho_load_ramdisk(const char *filename, AddressSpace *as,
file_size = length;
file_data = g_realloc(file_data, file_size);
- allocate_and_copy(mem, as, "RamDisk", pa, file_size, file_data);
+ if (pa != NULL) {
+ allocate_and_copy(mem, as, "RamDisk", pa, file_size, file_data);
+ }
*size = file_size;
g_free(file_data);
}
@@ -726,6 +802,8 @@ void apple_monitor_setup_boot_args(const char *name, AddressSpace *as,
boot_args.kern_phys_base = kern_phys_base;
boot_args.kern_phys_slide = 0;
boot_args.kern_virt_slide = 0;
+ //boot_args.kern_phys_slide = 0x4000;
+ //boot_args.kern_virt_slide = 0x4004000;
boot_args.kern_text_section_off = kern_text_section_off;
qcrypto_random_bytes(&boot_args.random_bytes, 0x10, NULL);
diff --git a/hw/misc/apple_aes.c b/hw/misc/apple_aes.c
index cd55638d3c..bb665150d1 100644
--- a/hw/misc/apple_aes.c
+++ b/hw/misc/apple_aes.c
@@ -372,8 +372,9 @@ static uint64_t aes_security_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case 0x20: //! board-id
return 0x4;
- case 0x34: //? bit 24 = is fresh boot?
- return (1 << 24) | (1 << 25);
+ case 0x34: //? bit 24 = is first boot ; bit 25 = something with memory encryption?
+ //return (1 << 24) | (1 << 25);
+ return (1 << 24) | (0 << 25);
default: //! We don't know the rest
return 0xFF;
}
diff --git a/hw/misc/apple_mbox.c b/hw/misc/apple_mbox.c
index fbe337fce3..dd69e92da5 100644
--- a/hw/misc/apple_mbox.c
+++ b/hw/misc/apple_mbox.c
@@ -9,25 +9,6 @@
#include "qemu/main-loop.h"
#include "trace.h"
-#define IOP_LOG_MSG(s, t, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: %s message (msg->endpoint: 0x%X " \
- "msg->data[0]: 0x" HWADDR_FMT_plx \
- " msg->data[1]: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
- s->ep0_status); \
- } while (0)
-
-#define IOP_LOG_MGMT_MSG(s, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: IOP received management message (msg->endpoint: " \
- "0x0 msg->raw: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, msg->raw, s->ep0_status); \
- } while (0)
//! ------ V3 ------
@@ -37,20 +18,29 @@
#define REG_V3_CPU_STATUS (0x0048)
#define V3_CPU_STATUS_IDLE (0x1)
+#define REG_V3_UNKNOWN0 (0x004c)
+#define REG_V3_UNKNOWN1 (0x0818)
+#define REG_V3_UNKNOWN2 (0x081c) // "akf: READ IRQ %x"
+
#define REG_V3_NMI0 (0xC04) // ??
#define REG_V3_NMI1 (0xC14) // ??
#define REG_AKF_CONFIG (0x2043) // ??
-#define REG_V3_IOP_INT_MASK_SET (0x4100)
-#define REG_V3_IOP_INT_MASK_CLR (0x4108)
+//#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8101 64-bit
+//#define REG_V3_IOP_INT_MASK_CLR (0x4108) // T8101 64-bit
+#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8020 32-bit
+#define REG_V3_IOP_INT_MASK_CLR (0x4104) // T8020 32-bit
+
-#define REG_V3_IOP_I2A_CTRL (0x4114)
+//#define REG_V3_IOP_I2A_CTRL (0x4114) // T8101 32-bit
+#define REG_V3_IOP_I2A_CTRL (0x410c) // T8020 32-bit
#define REG_V3_IOP_I2A_SEND0 (0x4820)
#define REG_V3_IOP_I2A_SEND1 (0x4824)
#define REG_V3_IOP_I2A_SEND2 (0x4828)
#define REG_V3_IOP_I2A_SEND3 (0x482C)
-#define REG_V3_IOP_A2I_CTRL (0x4110)
+//#define REG_V3_IOP_A2I_CTRL (0x4110) // T8101 32-bit
+#define REG_V3_IOP_A2I_CTRL (0x4108) // T8020 32-bit
#define REG_V3_IOP_A2I_RECV0 (0x4810)
#define REG_V3_IOP_A2I_RECV1 (0x4814)
#define REG_V3_IOP_A2I_RECV2 (0x4818)
@@ -142,7 +132,7 @@ static gint g_uint_cmp(gconstpointer a, gconstpointer b)
return a - b;
}
-static bool apple_mbox_outbox_empty(AppleMboxState *s)
+bool apple_mbox_outbox_empty(AppleMboxState *s)
{
return QTAILQ_EMPTY(&s->outbox);
}
@@ -203,7 +193,7 @@ static void ap_update_irq(AppleMboxState *s)
* Push a message from AP to IOP,
* take ownership of msg
*/
-static void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
{
QTAILQ_INSERT_TAIL(&s->inbox, msg, entry);
s->inboxCount++;
@@ -236,7 +226,7 @@ static void apple_mbox_outbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
iop_update_irq(s);
}
-static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
{
apple_mbox_msg_t msg = QTAILQ_FIRST(&s->outbox);
if (msg) {
@@ -248,6 +238,15 @@ static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
return msg;
}
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep,
+ uint64_t msg)
+{
+ apple_mbox_msg_t m = g_new0(struct apple_mbox_msg, 1);
+ m->msg = msg;
+ m->endpoint = ep;
+ apple_mbox_inbox_push(s, m);
+}
+
void apple_mbox_send_control_message(AppleMboxState *s, uint32_t ep,
uint64_t msg)
{
@@ -455,15 +454,24 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
s->int_mask = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
case REG_V3_CPU_CTRL:
- if (data & V3_CPU_CTRL_RUN) {
+ if (data & V3_CPU_CTRL_RUN)
+ //if ((data & V3_CPU_CTRL_RUN) || (data & 0x10000))
+ {
struct apple_mbox_mgmt_msg m = { 0 };
s->regs[REG_V3_CPU_STATUS] &= ~V3_CPU_STATUS_IDLE;
iop_start(s);
@@ -486,6 +494,11 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_A2I_PUSH3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_A2I_PUSH0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_A2I_PUSH3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
@@ -518,6 +531,26 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_IOP_I2A_SEND3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_IOP_I2A_SEND0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_I2A_SEND3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 103 || sep_msg.opcode == 117))
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ g_free(msg);
+ break;
+ }
+#if 0
+ else if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 0x66 || sep_msg.opcode == 0xd2) && sep_msg.data == 0x2)
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: change_status: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ sep_msg.data = 0x8;
+ memcpy(msg->data, &sep_msg.raw, 8);
+ }
+#endif
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: not skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
@@ -545,6 +578,7 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
AppleMboxState *s = APPLE_MBOX(opaque);
uint64_t ret = 0;
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
@@ -552,9 +586,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V3_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V3_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V3_I2A_POP_0_LOW:
msg = apple_mbox_outbox_pop(s);
if (!msg) {
@@ -563,6 +601,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", msg);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_I2A_POP_0_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V3_I2A_POP_0_LOW], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
@@ -575,9 +618,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V3_I2A_POP_1_HIGH:
break;
case REG_V3_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V3_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V3_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V3_IOP_A2I_CTRL:
@@ -602,6 +649,27 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
case REG_V3_CPU_STATUS:
break;
+ case REG_V3_UNKNOWN0:
+#if 0
+ ret = ((apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_EMPTY)) ||
+ (!apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_NONEMPTY)) ||
+ (apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_EMPTY)) ||
+ (!apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_NONEMPTY)));
+#endif
+ ret = 1;
+ // TODO: response not interrupt available, but something with REG_V3_CPU_CTRL?
+ break;
+ case REG_V3_UNKNOWN1:
+ break;
+ case REG_V3_UNKNOWN2:
+ //ret = 1;
+ //ret = 0xffffffff;
+ return 0;
+ break;
case REG_V3_IOP_A2I_RECV0:
msg = apple_mbox_inbox_pop(s);
if (!msg) {
@@ -609,6 +677,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
}
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", msg);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_A2I_RECV0: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
g_free(msg);
@@ -626,6 +699,12 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -646,9 +725,16 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
@@ -671,6 +757,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_A2I_PUSH_HIGH + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_A2I_PUSH_LOW], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_A2I_PUSH_HIGH: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
@@ -699,6 +790,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_IOP_I2A_SEND1 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_IOP_I2A_SEND0], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_I2A_SEND1: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
@@ -724,6 +820,7 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
{
AppleMboxState *s = APPLE_MBOX(opaque);
+ struct sep_message sep_msg = { 0 };
uint64_t ret = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
@@ -733,9 +830,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V2_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V2_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V2_I2A_POP_LOW:
m = apple_mbox_outbox_pop(s);
if (!m) {
@@ -744,6 +845,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", m);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_I2A_POP_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V2_I2A_POP_LOW], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
@@ -752,9 +858,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V2_I2A_POP_HIGH:
break;
case REG_V2_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V2_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V2_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V2_IOP_A2I_CTRL:
@@ -780,6 +890,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
}
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", m);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_A2I_RECV_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
g_free(m);
@@ -793,6 +908,12 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -901,6 +1022,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque,
}
qdev_init_gpio_out_named(DEVICE(dev), &s->iop_irq, APPLE_MBOX_IOP_IRQ, 1);
+ qdev_init_gpio_out_named(DEVICE(dev), &s->test_irq, APPLE_MBOX_TEST_IRQ, 1);
QTAILQ_INIT(&s->inbox);
QTAILQ_INIT(&s->outbox);
QTAILQ_INIT(&s->rollcall);
diff --git a/hw/usb/apple_otg.c b/hw/usb/apple_otg.c
index ee5a5d2ad7..1185797c24 100644
--- a/hw/usb/apple_otg.c
+++ b/hw/usb/apple_otg.c
@@ -51,12 +51,15 @@ static void apple_otg_realize(DeviceState *dev, Error **errp)
error_reportf_err(local_err,
"%s: no DMA memory region found: ", __func__);
}
- warn_report("%s: Redirecting all DMA accesses to 0x88DA7C000",
- __func__);
+ //warn_report("%s: Redirecting all DMA accesses to 0x800000000", __func__);
+ warn_report("%s: Redirecting all DMA accesses to 0x98DA7C000", __func__);
+ //warn_report("%s: Redirecting all DMA accesses to 0x88DA7C000", __func__);
+ //warn_report("%s: Redirecting all DMA accesses to 0x78DA7C000", __func__);
s->dma_mr = g_new(MemoryRegion, 1);
- memory_region_init_alias(s->dma_mr, OBJECT(dev),
- TYPE_APPLE_OTG ".dma-mr", get_system_memory(),
- 0x88DA7C000, UINT32_MAX);
+ //memory_region_init_alias(s->dma_mr, OBJECT(dev), TYPE_APPLE_OTG ".dma-mr", get_system_memory(), 0x800000000, UINT32_MAX);
+ memory_region_init_alias(s->dma_mr, OBJECT(dev), TYPE_APPLE_OTG ".dma-mr", get_system_memory(), 0x98DA7C000, UINT32_MAX);
+ //memory_region_init_alias(s->dma_mr, OBJECT(dev), TYPE_APPLE_OTG ".dma-mr", get_system_memory(), 0x88DA7C000, UINT32_MAX);
+ //memory_region_init_alias(s->dma_mr, OBJECT(dev), TYPE_APPLE_OTG ".dma-mr", get_system_memory(), 0x78DA7C000, UINT32_MAX);
memory_region_add_subregion(&s->dma_container_mr, 0, s->dma_mr);
s->dart = false;
}
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
index 9e224ffc72..fd7ae6fc2e 100644
--- a/hw/usb/hcd-dwc2.c
+++ b/hw/usb/hcd-dwc2.c
@@ -45,7 +45,13 @@
#include "trace.h"
// #define SOC_DMA_BASE (0x100000000ULL)
+//#define DO_T8030_SECUREROM 1
+
+#ifdef DO_T8030_SECUREROM
+#define SOC_DMA_BASE (0x100000000ULL)
+#else
#define SOC_DMA_BASE (0x0ULL)
+#endif
#define USB_HZ_FS 12000000
#define USB_HZ_HS 96000000
diff --git a/include/hw/arm/apple_a13.h b/include/hw/arm/apple_a13.h
index f591f780cf..51b9a6b251 100644
--- a/include/hw/arm/apple_a13.h
+++ b/include/hw/arm/apple_a13.h
@@ -66,6 +66,8 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(ARM64_REG_HID14);
A13_CPREG_VAR_DEF(ARM64_REG_HID16);
A13_CPREG_VAR_DEF(ARM64_REG_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_FED_ERR_STS);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0);
A13_CPREG_VAR_DEF(ARM64_REG_3_3_15_7);
@@ -75,6 +77,10 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(PMCR1);
A13_CPREG_VAR_DEF(PMSR);
A13_CPREG_VAR_DEF(S3_4_c15_c0_5);
+ A13_CPREG_VAR_DEF(SYS_HCR_EL2); // TODO: already exists in target/arm/helper.c
+ A13_CPREG_VAR_DEF(SYS_PRE_LLCFLUSH_TMR);
+ A13_CPREG_VAR_DEF(SYS_ACC_PWR_DN_SAVE);
+ A13_CPREG_VAR_DEF(SYS_AON_CNT_CTL);
A13_CPREG_VAR_DEF(AMX_STATUS_EL1);
A13_CPREG_VAR_DEF(AMX_CTL_EL1);
A13_CPREG_VAR_DEF(ARM64_REG_CYC_OVRD);
diff --git a/include/hw/arm/apple_sep.h b/include/hw/arm/apple_sep.h
index 96740ccd58..6b06270943 100644
--- a/include/hw/arm/apple_sep.h
+++ b/include/hw/arm/apple_sep.h
@@ -24,6 +24,7 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/xnu_dtb.h"
#include "hw/misc/apple_mbox.h"
+#include "hw/boards.h"
#include "hw/sysbus.h"
#include "qemu/typedefs.h"
#include "qom/object.h"
@@ -42,13 +43,41 @@ struct AppleSEPState {
AppleMboxState *mbox;
MemoryRegion *dma_mr;
AddressSpace *dma_as;
- MemoryRegion trng_mr;
+ MemoryRegion pmgr_base_mr;
+ MemoryRegion key_base_mr;
+ MemoryRegion key_fcfg_mr;
+ MemoryRegion moni_base_mr;
+ MemoryRegion moni_thrm_mr;
+ MemoryRegion eisp_base_mr;
+ MemoryRegion eisp_hmac_mr;
+ MemoryRegion trng_t8020_mr;
MemoryRegion misc0_mr;
MemoryRegion misc1_mr;
MemoryRegion misc2_mr;
+ MemoryRegion misc3_mr;
+ MemoryRegion misc4_mr; // MISC4 // T8101 BootMonitor for SEPOS loading?
+ MemoryRegion misc5_mr;
+ MemoryRegion misc6_mr;
+ MemoryRegion misc7_mr;
+ MemoryRegion misc8_mr;
+ uint8_t pmgr_base_regs[REG_SIZE];
+ uint8_t key_base_regs[REG_SIZE];
+ uint8_t key_fcfg_regs[REG_SIZE];
+ uint8_t moni_base_regs[REG_SIZE];
+ uint8_t moni_thrm_regs[REG_SIZE];
+ uint8_t eisp_base_regs[REG_SIZE];
+ uint8_t eisp_hmac_regs[REG_SIZE];
+ //uint8_t trng_t8020_regs[REG_SIZE];
uint8_t misc0_regs[REG_SIZE];
uint8_t misc1_regs[REG_SIZE];
uint8_t misc2_regs[REG_SIZE];
+ uint8_t misc3_regs[REG_SIZE];
+ uint8_t misc4_regs[REG_SIZE];
+ uint8_t misc5_regs[REG_SIZE];
+ uint8_t misc6_regs[REG_SIZE];
+ uint8_t misc7_regs[REG_SIZE];
+ uint8_t misc8_regs[REG_SIZE];
+ QEMUTimer *timer;
};
AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
diff --git a/include/hw/arm/s8000.h b/include/hw/arm/s8000.h
index 62b414a88d..2292cafab4 100644
--- a/include/hw/arm/s8000.h
+++ b/include/hw/arm/s8000.h
@@ -80,5 +80,6 @@ typedef struct {
char pmgr_reg[0x100000];
bool kaslr_off;
bool force_dfu;
+ uint64_t g_virt_diff;
} S8000MachineState;
#endif
diff --git a/include/hw/arm/t8030.h b/include/hw/arm/t8030.h
index c63abffa9a..16a2e81633 100644
--- a/include/hw/arm/t8030.h
+++ b/include/hw/arm/t8030.h
@@ -81,6 +81,7 @@ typedef struct {
uint8_t amcc_reg[0x100000];
bool kaslr_off;
bool force_dfu;
+ uint64_t g_virt_diff;
} T8030MachineState;
#endif
diff --git a/include/hw/misc/apple_mbox.h b/include/hw/misc/apple_mbox.h
index d802cffd40..412fb5d7f0 100644
--- a/include/hw/misc/apple_mbox.h
+++ b/include/hw/misc/apple_mbox.h
@@ -11,6 +11,7 @@
#define APPLE_MBOX_IRQ_I2A_NONEMPTY 2
#define APPLE_MBOX_IRQ_I2A_EMPTY 3
#define APPLE_MBOX_IOP_IRQ "apple-mbox-iop-irq"
+#define APPLE_MBOX_TEST_IRQ "apple-mbox-test-irq"
#define APPLE_MBOX_MMIO_V3 0
#define APPLE_MBOX_MMIO_V2 1
@@ -23,6 +24,28 @@ OBJECT_DECLARE_SIMPLE_TYPE(AppleMboxState, APPLE_MBOX)
#define EP_MANAGEMENT (0)
#define EP_CRASHLOG (1)
+
+#define IOP_LOG_MSG(s, t, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: %s message (msg->endpoint: 0x%X " \
+ "msg->data[0]: 0x" HWADDR_FMT_plx \
+ " msg->data[1]: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
+ s->ep0_status); \
+ } while (0)
+
+#define IOP_LOG_MGMT_MSG(s, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: IOP received management message (msg->endpoint: " \
+ "0x0 msg->raw: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, msg->raw, s->ep0_status); \
+ } while (0)
+
+
enum apple_mbox_ep0_state {
EP0_IDLE,
EP0_WAIT_HELLO,
@@ -102,6 +125,7 @@ struct AppleMboxState {
uint32_t protocol_version;
qemu_irq irqs[4];
qemu_irq iop_irq;
+ qemu_irq test_irq;
QTAILQ_HEAD(, apple_mbox_msg) inbox;
QTAILQ_HEAD(, apple_mbox_msg) outbox;
QTAILQ_HEAD(, apple_mbox_msg) rollcall;
@@ -128,6 +152,25 @@ struct AppleMboxOps {
void (*wakeup)(void *opaque);
};
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg);
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s);
+bool apple_mbox_outbox_empty(AppleMboxState *s);
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg);
+
+struct QEMU_PACKED sep_message {
+ union {
+ struct QEMU_PACKED {
+ uint8_t endpoint;
+ uint8_t tag;
+ uint8_t opcode;
+ uint8_t param;
+ uint32_t data;
+ };
+ uint64_t raw;
+ };
+};
+
+
/*
* Send message to an endpoint
*/
diff --git a/meson.build b/meson.build
index 7d26691204..ba57333214 100644
--- a/meson.build
+++ b/meson.build
@@ -1365,8 +1365,10 @@ endif
liblzfse = not_found
if not get_option('lzfse').auto() or have_block
- liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
- required: get_option('lzfse'))
+ liblzfse = dependency('lzfse', required: get_option('lzfse'),
+ method: 'pkg-config')
+# liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
+# required: get_option('lzfse'))
endif
if liblzfse.found() and not cc.links('''
#include <lzfse.h>
diff --git a/softmmu/memory.c b/softmmu/memory.c
index 7d9494ce70..78a1ed7475 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1397,6 +1397,8 @@ bool memory_region_access_valid(MemoryRegion *mr,
{
if (mr->ops->valid.accepts
&& !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ CPUState *cpu = first_cpu;
+ cpu_dump_state(cpu, stderr, CPU_DUMP_CODE);
qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX
", size %u, region '%s', reason: rejected\n",
is_write ? "write" : "read",
@@ -1469,6 +1471,8 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
pval, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
+ fprintf(stderr, "Invalid read: addr: 0x%llx ; size : %d\n", addr, size);
+ //__asm__("int3");
*pval = unassigned_mem_read(mr, addr, size);
return MEMTX_DECODE_ERROR;
}
@@ -1518,6 +1522,8 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
data, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
+ fprintf(stderr, "Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n", addr, data, size);
+ //__asm__("int3");
unassigned_mem_write(mr, addr, data, size);
return MEMTX_DECODE_ERROR;
}
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 63f439d162..b3da79aa59 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -2990,8 +2990,10 @@ typedef enum ARMMMUIdx {
ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
- ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB,
- ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB,
+ //ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB,
+ //ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB,
+ ARMMMUIdx_Stage1_GE1 = ARMMMUIdx_Stage1_E1 | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF,
+ ARMMMUIdx_Stage1_GE1_PAN = ARMMMUIdx_Stage1_E1_PAN | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF,
/*
* M-profile.
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index abe72e35ae..3d2fbea790 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -444,9 +444,6 @@ static uint32_t arm_debug_exception_fsr(CPUARMState *env)
using_lpae = false;
} else if (target_el == 2 || arm_el_is_aa64(env, target_el)) {
using_lpae = true;
- } else if (arm_feature(env, ARM_FEATURE_PMSA) &&
- arm_feature(env, ARM_FEATURE_V8)) {
- using_lpae = true;
} else if (arm_feature(env, ARM_FEATURE_LPAE) &&
(env->cp15.tcr_el[target_el] & TTBCR_EAE)) {
using_lpae = true;
diff --git a/ui/gtk.c b/ui/gtk.c
index cddbc46791..ebf5bdb7c6 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -967,10 +967,9 @@ static gboolean gd_button_event(GtkWidget *widget, GdkEventButton *button,
if (button->button == 1 && button->type == GDK_BUTTON_PRESS &&
!qemu_input_is_absolute() && s->ptr_owner != vc) {
if (!vc->window) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
} else {
- gd_grab_pointer(vc, "relative-mode-click");
+ //gd_grab_pointer(vc, "relative-mode-click");
}
return TRUE;
}
@@ -1369,7 +1368,7 @@ static gboolean gd_win_grab(void *opaque)
if (vc->s->ptr_owner) {
gd_ungrab_pointer(vc->s);
} else {
- gd_grab_pointer(vc, "user-request-detached-tab");
+ //gd_grab_pointer(vc, "user-request-detached-tab");
}
return TRUE;
}
@@ -1445,7 +1444,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
{
GtkDisplayState *s = opaque;
VirtualConsole *vc = gd_vc_find_current(s);
-
+#if 0
if (!s->full_screen) {
gtk_notebook_set_show_tabs(GTK_NOTEBOOK(s->notebook), FALSE);
gtk_widget_hide(s->menu_bar);
@@ -1468,7 +1467,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
gd_update_windowsize(vc);
}
}
-
+#endif
gd_update_cursor(vc);
}
@@ -1644,8 +1643,8 @@ static void gd_menu_grab_input(GtkMenuItem *item, void *opaque)
VirtualConsole *vc = gd_vc_find_current(s);
if (gd_is_grab_active(s)) {
- gd_grab_keyboard(vc, "user-request-main-window");
- gd_grab_pointer(vc, "user-request-main-window");
+ //gd_grab_keyboard(vc, "user-request-main-window");
+ //gd_grab_pointer(vc, "user-request-main-window");
} else {
gd_ungrab_keyboard(s);
gd_ungrab_pointer(s);
@@ -1669,16 +1668,13 @@ static void gd_change_page(GtkNotebook *nb, gpointer arg1, guint arg2,
if (!vc) {
return;
}
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item),
- TRUE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), TRUE);
on_vga = (vc->type == GD_VC_GFX &&
qemu_console_is_graphic(vc->gfx.dcl.con));
if (!on_vga) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- FALSE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), FALSE);
} else if (s->full_screen) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
}
gtk_widget_set_sensitive(s->grab_item, on_vga);
#ifdef CONFIG_VTE
@@ -1696,7 +1692,7 @@ static gboolean gd_enter_event(GtkWidget *widget, GdkEventCrossing *crossing,
GtkDisplayState *s = vc->s;
if (gd_grab_on_hover(s)) {
- gd_grab_keyboard(vc, "grab-on-hover");
+ //gd_grab_keyboard(vc, "grab-on-hover");
}
return TRUE;
}
diff --git a/ui/sdl2.c b/ui/sdl2.c
index 0d91b555e3..2e8bbe5c8d 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -274,24 +274,25 @@ static void absolute_mouse_grab(struct sdl2_console *scon)
SDL_GetWindowSize(scon->real_window, &scr_w, &scr_h);
if (mouse_x > 0 && mouse_x < scr_w - 1 &&
mouse_y > 0 && mouse_y < scr_h - 1) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
static void sdl_mouse_mode_change(Notifier *notify, void *data)
{
- if (qemu_input_is_absolute()) {
+ if (qemu_input_is_absolute() && 0) {
if (!absolute_enabled) {
- absolute_enabled = 1;
- SDL_SetRelativeMouseMode(SDL_FALSE);
- absolute_mouse_grab(&sdl2_console[0]);
+ //absolute_enabled = 1;
+ //SDL_SetRelativeMouseMode(SDL_FALSE);
+ //absolute_mouse_grab(&sdl2_console[0]);
}
} else if (absolute_enabled) {
if (!gui_fullscreen) {
- sdl_grab_end(&sdl2_console[0]);
+ //sdl_grab_end(&sdl2_console[0]);
}
absolute_enabled = 0;
}
+ absolute_enabled = 0;
}
static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
@@ -333,15 +334,14 @@ static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
static void toggle_full_screen(struct sdl2_console *scon)
{
- gui_fullscreen = !gui_fullscreen;
+ gui_fullscreen = 0;//!gui_fullscreen;
if (gui_fullscreen) {
- SDL_SetWindowFullscreen(scon->real_window,
- SDL_WINDOW_FULLSCREEN_DESKTOP);
- gui_saved_grab = gui_grab;
- sdl_grab_start(scon);
+ //SDL_SetWindowFullscreen(scon->real_window, SDL_WINDOW_FULLSCREEN_DESKTOP);
+ //gui_saved_grab = gui_grab;
+ //sdl_grab_start(scon);
} else {
if (!gui_saved_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
SDL_SetWindowFullscreen(scon->real_window, 0);
}
@@ -397,7 +397,7 @@ static void handle_keydown(SDL_Event *ev)
case SDL_SCANCODE_8:
case SDL_SCANCODE_9:
if (gui_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
win = ev->key.keysym.scancode - SDL_SCANCODE_1;
@@ -414,15 +414,15 @@ static void handle_keydown(SDL_Event *ev)
}
break;
case SDL_SCANCODE_F:
- toggle_full_screen(scon);
+ //toggle_full_screen(scon);
gui_keysym = 1;
break;
case SDL_SCANCODE_G:
gui_keysym = 1;
if (!gui_grab) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
} else if (!gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_SCANCODE_U:
@@ -506,12 +506,12 @@ static void handle_mousemotion(SDL_Event *ev)
if (gui_grab && !gui_fullscreen
&& (ev->motion.x == 0 || ev->motion.y == 0 ||
ev->motion.x == max_x || ev->motion.y == max_y)) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
if (!gui_grab &&
(ev->motion.x > 0 && ev->motion.x < max_x &&
ev->motion.y > 0 && ev->motion.y < max_y)) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
if (gui_grab || qemu_input_is_absolute() || absolute_enabled) {
@@ -534,7 +534,7 @@ static void handle_mousebutton(SDL_Event *ev)
if (!gui_grab && !qemu_input_is_absolute()) {
if (ev->type == SDL_MOUSEBUTTONUP && bev->button == SDL_BUTTON_LEFT) {
/* start grabbing all events */
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
} else {
if (ev->type == SDL_MOUSEBUTTONDOWN) {
@@ -605,7 +605,7 @@ static void handle_windowevent(SDL_Event *ev)
/* fall through */
case SDL_WINDOWEVENT_ENTER:
if (!gui_grab && (qemu_input_is_absolute() || absolute_enabled)) {
- absolute_mouse_grab(scon);
+ //absolute_mouse_grab(scon);
}
/* If a new console window opened using a hotkey receives the
* focus, SDL sends another KEYDOWN event to the new window,
@@ -621,7 +621,7 @@ static void handle_windowevent(SDL_Event *ev)
win32_kbd_set_window(NULL);
}
if (gui_grab && !gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_WINDOWEVENT_RESTORED:
@@ -950,7 +950,7 @@ static void sdl2_display_init(DisplayState *ds, DisplayOptions *o)
sdl_cursor_normal = SDL_GetCursor();
if (gui_fullscreen) {
- sdl_grab_start(&sdl2_console[0]);
+ //sdl_grab_start(&sdl2_console[0]);
}
atexit(sdl_cleanup);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment