diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c
index 2188683992..928ffaa988 100644
--- a/hw/arm/apple_a13.c
+++ b/hw/arm/apple_a13.c
@@ -504,14 +504,16 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0),
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_LSU_ERR_STS, 3, 3, 15, 2, 0, PL1_RW, 0), // A16 SYS_E_LSU_ERR_STS
+ A13_CPREG_DEF(SYS_E_FED_ERR_STS, 3, 4, 15, 0, 2, PL1_RW, 0), // A16 SYS_E_FED_ERR_STS
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0, 3, 3, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0, 3, 3, 15, 15, 1, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_3_3_15_7, 3, 3, 15, 7, 0, PL1_RW,
0x8000000000332211ULL),
A13_CPREG_DEF(PMC0, 3, 2, 15, 0, 0, PL1_RW, 0),
A13_CPREG_DEF(PMC1, 3, 2, 15, 1, 0, PL1_RW, 0),
- A13_CPREG_DEF(PMCR0, 3, 1, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(PMCR0, 3, 1, 15, 0, 0, PL1_RW, 0), // duplicate of L2ACTLR?
A13_CPREG_DEF(PMCR1, 3, 1, 15, 1, 0, PL1_RW, 0),
A13_CPREG_DEF(PMSR, 3, 1, 15, 13, 0, PL1_RW, 0),
A13_CPREG_DEF(S3_4_c15_c0_5, 3, 4, 15, 0, 5, PL1_RW, 0),
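Review bot: The trailing `// duplicate of L2ACTLR?` on the PMCR0 entry (and `// duplicate of HCR_EL2?` in the next hunk) commits an open question rather than a finding; as far as I recall QEMU rejects two cp-reg entries with the same encoding at registration time, so this is cheap to verify and the comment should either become a statement of fact or the entry should be removed. The new SYS_E_LSU_ERR_STS and SYS_E_FED_ERR_STS lines are labelled `A16` in a file that models the A13; a one-line comment on why later-generation registers are exposed on this model (e.g. `/* later SEPROM/SEPOS builds touch these; keep RW no-ops so they do not trap */`, if that is the reason) would save the next reader a search.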
@@ -520,7 +522,10 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_CYC_OVRD, 3, 5, 15, 5, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_ACC_CFG, 3, 5, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(S3_5_c15_c10_1, 3, 5, 15, 10, 1, PL0_RW, 0),
- A13_CPREG_DEF(SYS_HCR_EL2, 3, 4, 1, 1, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_HCR_EL2, 3, 4, 1, 1, 0, PL1_RW, 0), // duplicate of HCR_EL2?
+ A13_CPREG_DEF(SYS_PRE_LLCFLUSH_TMR, 3, 5, 15, 7, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, PL1_RW, 0),
+ A13_CPREG_DEF(SYS_AON_CNT_CTL, 3, 7, 15, 4, 0, PL1_RW, 0),
A13_CPREG_DEF(UPMPCM, 3, 7, 15, 5, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMCR0, 3, 7, 15, 0, 4, PL1_RW, 0),
A13_CPREG_DEF(UPMSR, 3, 7, 15, 6, 4, PL1_RW, 0),
@@ -586,6 +591,24 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
.readfn = apple_a13_ipi_read_cr,
.writefn = apple_a13_ipi_write_cr,
},
+#if 0
+ {
+ .cp = CP_REG_ARM64_SYSREG_CP,
+ .name = "SYS_ACC_PWR_DN_SAVE",
+ .opc0 = 3,
+ .crn = 15,
+ .crm = 2,
+ .opc1 = 7,
+ .opc2 = 0,
+ .access = PL1_RW,
+ .resetvalue = 0,
+ .state = ARM_CP_STATE_AA64,
+ .fieldoffset =
+ offsetof(AppleA13State, A13_CPREG_VAR_NAME(SYS_ACC_PWR_DN_SAVE)) -
+ offsetof(ARMCPU, env),
+ .resetfn = arm_cp_reset_ignore,
+ },
+#endif
};
static void apple_a13_add_cpregs(AppleA13State *tcpu)
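Review bot: The `#if 0` block adds a long-hand ARMCPRegInfo for SYS_ACC_PWR_DN_SAVE that duplicates the `A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, ...)` line already added in the previous hunk, so it is dead code carrying a second copy of the encoding that can drift out of sync. Drop the block; if the expanded form is being kept as a template for a future custom `.readfn`/`.resetfn`, say so in a one-line comment above the macro entry instead of leaving forty disabled lines in the table.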
@@ -593,6 +616,7 @@ static void apple_a13_add_cpregs(AppleA13State *tcpu)
ARMCPU *cpu = ARM_CPU(tcpu);
define_arm_cp_regs(cpu, apple_a13_cp_reginfo_tcg);
apple_a13_init_gxf(tcpu);
+ //object_property_set_bool(OBJECT(tcpu), "has_gxf", false, NULL);
}
static void apple_a13_realize(DeviceState *dev, Error **errp)
@@ -719,7 +743,9 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id,
}
}
- if (tcpu->cpu_id == 0 || node == NULL) {
+ if (tcpu->cpu_id == 0/* || node == NULL*/)
+ //if (/*tcpu->cpu_id == 0 || */node == NULL)
+ {
if (node) {
set_dtb_prop(node, "state", 8, "running");
}
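Review bot: Dropping `|| node == NULL` from the condition changes which CPUs take this branch — a CPU created without a device-tree node and a non-zero cpu_id no longer gets here — but the old clause survives only as a comment, together with a second commented-out variant on the next line, so the intended rule is not recoverable from the code. Either restore the clause or delete both remnants and state the rule in one line, e.g. `/* only the boot CPU (cpu_id 0) is marked "running" in the DTB here */`. The opening brace also moved onto its own line, which does not match the `if (...) {` form used elsewhere in this file and in QEMU generally.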
@@ -730,6 +756,7 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id,
// XXX: QARMA is too slow
object_property_set_bool(obj, "pauth-impdef", true, NULL);
+ //object_property_set_bool(obj, "pauth-impdef", false, NULL);
//! Need to set the CPU frequencies instead of iBoot
if (node) {
@@ -743,8 +770,13 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id,
set_dtb_prop(node, "clock-frequency", sizeof(freq), &freq);
}
- object_property_set_bool(obj, "has_el3", false, NULL);
- object_property_set_bool(obj, "has_el2", false, NULL);
+ //if (node != NULL)
+ {
+ object_property_set_bool(obj, "has_el3", false, NULL);
+ object_property_set_bool(obj, "has_el2", false, NULL);
+ //object_property_set_bool(obj, "has_gxf", false, NULL);
+ //object_property_set_bool(obj, "sve", false, NULL);
+ }
memory_region_init(&tcpu->memory, obj, "cpu-memory", UINT64_MAX);
memory_region_init_alias(&tcpu->sysmem, obj, "sysmem", get_system_memory(),
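Review bot: The new bare `{ ... }` around the two `object_property_set_bool` calls has no effect; it exists only to carry the commented-out `//if (node != NULL)` guard and two more commented-out property sets. Decide the guard one way or the other: if disabling EL2/EL3 should depend on a DTB node being present, write `if (node != NULL) {` and explain why; otherwise remove the braces and the dead comments so the two calls read exactly as they did before.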
@@ -818,9 +850,11 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_HID14),
VMSTATE_A13_CPREG(ARM64_REG_HID16),
VMSTATE_A13_CPREG(ARM64_REG_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_LSU_ERR_STS),
+ VMSTATE_A13_CPREG(SYS_E_FED_ERR_STS),
VMSTATE_A13_CPREG(PMC0),
VMSTATE_A13_CPREG(PMC1),
- VMSTATE_A13_CPREG(PMCR0),
+ VMSTATE_A13_CPREG(PMCR0), //
VMSTATE_A13_CPREG(PMCR1),
VMSTATE_A13_CPREG(PMSR),
VMSTATE_A13_CPREG(S3_4_c15_c0_5),
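Review bot: Five new fields are appended to vmstate_apple_a13 (two here, three in the hunk below) without any visible change to the description's version or a subsection, so a snapshot written before this change will presumably fail to load on the new code and vice versa. QEMU's convention is to bump `.version_id`/`.minimum_version_id` or to put the new registers in a subsection with a `.needed` callback; the description header is outside the hunk, so I cannot see which has been done. The empty trailing `//` on the PMCR0 and SYS_HCR_EL2 lines should also go.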
@@ -829,7 +863,10 @@ static const VMStateDescription vmstate_apple_a13 = {
VMSTATE_A13_CPREG(ARM64_REG_CYC_OVRD),
VMSTATE_A13_CPREG(ARM64_REG_ACC_CFG),
VMSTATE_A13_CPREG(S3_5_c15_c10_1),
- VMSTATE_A13_CPREG(SYS_HCR_EL2),
+ VMSTATE_A13_CPREG(SYS_HCR_EL2), //
+ VMSTATE_A13_CPREG(SYS_PRE_LLCFLUSH_TMR),
+ VMSTATE_A13_CPREG(SYS_ACC_PWR_DN_SAVE),
+ VMSTATE_A13_CPREG(SYS_AON_CNT_CTL),
VMSTATE_A13_CPREG(UPMPCM),
VMSTATE_A13_CPREG(UPMCR0),
VMSTATE_A13_CPREG(UPMSR),
diff --git a/hw/arm/apple_a13_gxf.c b/hw/arm/apple_a13_gxf.c
index 6420b4d451..93b22a7185 100644
--- a/hw/arm/apple_a13_gxf.c
+++ b/hw/arm/apple_a13_gxf.c
@@ -7,9 +7,6 @@
#include "target/arm/cpu.h"
#include "target/arm/internals.h"
-CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri,
- bool isread);
-
static CPAccessResult access_gxf(CPUARMState *env, const ARMCPRegInfo *ri,
bool isread)
{
diff --git a/hw/arm/apple_a9.c b/hw/arm/apple_a9.c
index be1a484135..933d01ac2c 100644
--- a/hw/arm/apple_a9.c
+++ b/hw/arm/apple_a9.c
@@ -215,6 +215,11 @@ AppleA9State *apple_a9_create(DTBNode *node, char *name, uint32_t cpu_id,
set_dtb_prop(node, "fixed-frequency", sizeof(freq), &freq);
}
+ object_property_set_bool(obj, "pauth-impdef", false, NULL);
+ object_property_set_bool(obj, "has_el3", true, NULL);
+ object_property_set_bool(obj, "has_el2", true, NULL);
+ object_property_set_bool(obj, "has_gxf", false, NULL);
+
memory_region_init(&tcpu->memory, obj, "cpu-memory", UINT64_MAX);
memory_region_init_alias(&tcpu->sysmem, obj, "sysmem", get_system_memory(),
0, UINT64_MAX);
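Review bot: All four `object_property_set_bool` calls pass `NULL` as errp, so if one of these properties does not exist on the CPU type being configured the failure is silently discarded and the CPU comes up with the default instead of the value requested here — and `has_gxf` is presumably a downstream addition, while `pauth-impdef` is, as far as I know, only registered on models that implement pointer authentication. For settings that decide whether EL2/EL3 exist and how PAC is modelled, pass `&error_abort` (or `&error_fatal`) so a misspelled or absent property is caught at startup rather than showing up later as unexplained guest behaviour. A short comment on why the A9 model enables EL2/EL3 where apple_a13.c disables them would also help.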
diff --git a/hw/arm/apple_dart.c b/hw/arm/apple_dart.c
index fc2fddd374..25c3bdff69 100644
--- a/hw/arm/apple_dart.c
+++ b/hw/arm/apple_dart.c
@@ -14,7 +14,7 @@
#include "qemu/module.h"
#include "sysemu/dma.h"
-// #define DEBUG_DART
+//#define DEBUG_DART
#ifdef DEBUG_DART
#define DPRINTF(fmt, ...) \
@@ -595,8 +595,9 @@ AppleDARTState *apple_dart_create(DTBNode *node)
s->num_instances++;
o->id = i;
o->s = s;
- memory_region_init_io(&o->iomem, OBJECT(dev), &base_reg_ops, o,
- TYPE_APPLE_DART ".reg", reg[i * 2 + 1]);
+ memory_region_init_io(&o->iomem, OBJECT(dev), &base_reg_ops, o, TYPE_APPLE_DART ".reg", reg[i * 2 + 1]);
+ //memory_region_init_io(&o->iomem, OBJECT(dev), &base_reg_ops, o, TYPE_APPLE_DART ".reg", 0x4000); // 0x4000 == reg[i * 2 + 1] for T8030 dart-sep
+ //memory_region_init_io(&o->iomem, OBJECT(dev), &base_reg_ops, o, TYPE_APPLE_DART ".reg", 0x180000); // value from T8020 SEPOS. causes crash, dart-disp.
sysbus_init_mmio(sbd, &o->iomem);
switch (*instance) {
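Review bot: The `memory_region_init_io` call was re-joined onto one line well past 80 columns, and two commented-out variants with hard-coded sizes (0x4000, 0x180000) were added beneath it, one of which the comment itself says crashes. Restore the original two-line wrapping and drop the experiments; if the observation that 0x4000 is the reg size for dart-sep on T8030 is worth keeping, keep it as a one-line comment above the call, not as disabled code.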
diff --git a/hw/arm/apple_sep.c b/hw/arm/apple_sep.c
index 36b67dee06..8db0e6b3fc 100644
--- a/hw/arm/apple_sep.c
+++ b/hw/arm/apple_sep.c
@@ -22,17 +22,80 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/apple_a9.h"
#include "hw/arm/apple_sep.h"
+#include "hw/misc/apple_mbox.h"
#include "hw/arm/xnu.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/log.h"
#include "qemu/units.h"
+#include "hw/arm/t8030.h"
+#include "exec/address-spaces.h"
+#include "hw/irq.h"
+#include "sysemu/dma.h"
+
+//#define DO_SECUREROM 1
+
+static void apple_sep_reset(DeviceState *dev);
+static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data);
+//static void apple_sep_cpu_reset_work_only_pc(CPUState *cpu, run_on_cpu_data data);
+
+#if 0
+static void AppleSEPResetMisc_func(vaddr vector) {
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ //CPUARMState *env;
+ AppleSEPState *sep;
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
+ AppleA13State *tcpu = APPLE_A13(sep->cpu);
+ fprintf(stderr, "AppleSEPResetMisc: entered function: vector=0x" HWADDR_FMT_plx "\n", vector);
+#if 0
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ MemoryRegion *sysmem = tms->sysmem;
+ AddressSpace *nsas = &address_space_memory;
+ size_t garbage = 0;
+ macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x800000000ULL, &garbage);
+#endif
+#if 1
+ sep->base = vector;
+ object_property_set_uint(OBJECT(sep->cpu), "rvbar", sep->base & ~0xFFF, NULL);
+ //AppleA13State *tcpu = APPLE_A13(sep->cpu);
+ //object_property_set_uint(OBJECT(sep->cpu), "x0", 0x800734000ULL, NULL);
+ //env = &ARM_CPU(cpu)->env;
+ //env->xregs[0] = 0x800734000ULL;
+ //apple_sep_reset(DEVICE(sep));
+ //AppleSEPState *s = APPLE_SEP(dev);
+ //run_on_cpu(CPU(sep->cpu), apple_sep_cpu_reset_work, RUN_ON_CPU_HOST_PTR(sep));
+ run_on_cpu(CPU(sep->cpu), apple_sep_cpu_reset_work_only_pc, RUN_ON_CPU_HOST_PTR(sep));
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+#endif
+#if 0
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), ARM_CPU_IRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), ARM_CPU_FIQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), GTIMER_VIRT));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(sep->cpu), 3));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(tms->aic), 0xd4));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(tms->aic), 0xd5));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(tms->aic), 0xd6));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(tms->aic), 0xd7));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(tms->aic), 0xba));
+ qemu_irq_raise(tcpu->fast_ipi);
+#endif
+ fprintf(stderr, "AppleSEPResetMisc: left function\n");
+}
+#endif
static void trng_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
+ //AppleSEPResetMisc_func(0x800000000ULL);
switch (addr) {
+ //case 0x10: value == 0x1, maybe refresh/reseed
default:
qemu_log_mask(LOG_UNIMP,
"TRNG: Unknown write at 0x" HWADDR_FMT_plx
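Review bot: Roughly fifty of the lines added in this hunk are under `#if 0` or commented out — the whole `AppleSEPResetMisc_func` body, the `_only_pc` prototype, the `//AppleSEPResetMisc_func(0x800000000ULL);` call in trng_reg_write — which leaves references to symbols that are never compiled, and a forward declaration of `apple_sep_reset` that nothing in the live code uses before its definition. Remove the disabled block and the unused prototype (or park the experiment on a branch), keeping only `//#define DO_SECUREROM 1` and the `apple_sep_cpu_reset_work` declaration if they are still needed. The `//case 0x10: value == 0x1, maybe refresh/reseed` observation is useful; keep it, but as a comment above the `switch` rather than as a commented-out case label inside it.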
@@ -152,8 +215,22 @@ static uint64_t misc1_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case 0xc: // ???? bit1 clear, bit0 set
return (0 << 1) | (1 << 0);
- // case 0x20:
- // return 0x1;
+ //case 0x1c: // returning hardcoded values causes panics
+ // //return 0; // disabling memory encryption?
+ // return (1 << 29); // part1 of enabling FUN_240003fcc_wait_for_DAT_23d2bc004 ; memory encryption?
+ // case 0x20: // returning hardcoded values causes panics
+ // return 0; // disabling memory encryption?
+ // //return 0x1; // part0 of enabling FUN_240003fcc_wait_for_DAT_23d2bc004 ; memory encryption?
+#if 0
+ case 0x1c:
+ memcpy(&ret, &s->misc1_regs[addr], size);
+ ret |= (1 << 29);
+ break;
+ case 0x20:
+ memcpy(&ret, &s->misc1_regs[addr], size);
+ ret |= 0x1;
+ break;
+#endif
case 0xe4: // ????
return 0x0;
case 0x280: // ????
@@ -203,6 +280,7 @@ static uint64_t misc2_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case 0x24: // ????
return 0x0;
+ //return 0x2;
default:
memcpy(&ret, &s->misc2_regs[addr], size);
qemu_log_mask(LOG_UNIMP,
@@ -225,6 +303,477 @@ static const MemoryRegionOps misc2_reg_ops = {
.valid.unaligned = false,
};
+static void misc39_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc39_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC39: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc39_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+ // 0x0;0x4 == T8101
+ // 0x4;0x8 == T8020
+
+ switch (addr) {
+#if 0
+ //case 0x00: // ???? T8101
+ // return 0x1;
+ //case 0x04: // ???? T8101
+ // return 0x1;
+ case 0x04: // ???? T8020
+ //return 0x1;
+ return 0x0; // required for misc9 0x318
+ case 0x08: // ???? T8020
+ //return 0x1;
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc39_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC39: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc39_reg_ops = {
+ .write = misc39_reg_write,
+ .read = misc39_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+#if 1
+static void misc4_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+#if 0
+ case 0x14:
+ if (!!(data & 1)) {
+ uint64_t vector = *(uint64_t*)(&s->misc4_regs[0x20]);
+ AppleSEPResetMisc_func(vector);
+ }
+ break;
+#endif
+ default:
+ memcpy(&s->misc4_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc4_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+#if 0
+ case 0x00: // ???? because of WFE FUN_240011488_DAT_241500000_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x04: // ???? because of WFE FUN_2400113cc_DAT_241500004_wfe, hangs otherwise, fix it properly!
+ return 0x0;
+ case 0x0c: // ???? because of switch case FUN_2400113ec_DAT_24150000c_should_be_0, panics otherwise
+ return 0x0;
+#endif
+ default:
+ memcpy(&ret, &s->misc4_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC4: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc4_reg_ops = {
+ .write = misc4_reg_write,
+ .read = misc4_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+#endif
+
+static void misc5_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc5_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc5_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc5_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC5: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc5_reg_ops = {
+ .write = misc5_reg_write,
+ .read = misc5_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc6_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc6_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc6_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ default:
+ memcpy(&ret, &s->misc6_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC6: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc6_reg_ops = {
+ .write = misc6_reg_write,
+ .read = misc6_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+#if 0
+static int pop_from_outbox(void *opaque)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ apple_mbox_msg_t msg = NULL;
+ sep_message_t sep_msg = NULL;
+ msg = apple_mbox_outbox_pop(s->mbox);
+ if (!msg) {
+ return 0;
+ }
+ sep_msg = g_new0(struct sep_message, 1);
+ memcpy(sep_msg, msg->data, 16);
+ g_free(msg);
+ qemu_log_mask(LOG_UNIMP, "SEP pop_from_outbox: ep=0x%02x, tag=0x%02x, opcode=0x%02x, param=0x%02x, data=0x%08x\n", sep_msg->endpoint, sep_msg->tag, sep_msg->opcode, sep_msg->param, sep_msg->data);
+ g_free(sep_msg);
+ return 1;
+}
+#endif
+
+static void misc7_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ //apple_mbox_msg_t msg0 = NULL;
+ //apple_mbox_msg_t msg1 = NULL;
+ //apple_mbox_msg_t msg2 = NULL;
+ //apple_mbox_msg_t msg3 = NULL;
+ //apple_mbox_msg_t msg4 = NULL;
+ //apple_mbox_msg_t msg5 = NULL;
+ //sep_message_t sep_msg = NULL;
+ struct sep_message sep_msg = { 0 };
+ switch (addr) {
+ //case 0x8:
+ case 0x4:
+ //if (data == 0x2cbd3509)
+ if (data == 0xf2e31133)
+ {
+ //sep_msg = g_new0(struct sep_message, 1);
+ //msg0 = g_new0(struct apple_mbox_msg, 1);
+ //msg1 = g_new0(struct apple_mbox_msg, 1);
+ //msg2 = g_new0(struct apple_mbox_msg, 1);
+ //msg3 = g_new0(struct apple_mbox_msg, 1);
+ //msg4 = g_new0(struct apple_mbox_msg, 1);
+ //msg5 = g_new0(struct apple_mbox_msg, 1);
+ sep_msg.endpoint = 0xff;
+
+#if 0
+ sep_msg->opcode = 1; // kOpCode_Ping
+ sep_msg->tag = 0x70;
+ memcpy(msg5->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg5);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode1/kOpCode_Ping", msg5);
+#endif
+
+ sep_msg.opcode = 3; // kOpCode_GenerateNonce
+ sep_msg.tag = 0x67;
+ //memcpy(msg0->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg0);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce", msg0);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce\n");
+
+#if 0
+ sep_msg->opcode = 4; // Opcode 4
+ sep_msg->tag = 0x6e;
+ memcpy(msg4->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg4);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode4/kOpCode_GetNonceWord", msg4);
+
+ sep_msg->opcode = 15; // Opcode 15
+ sep_msg->tag = 0x0;
+ memcpy(msg2->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg2);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode15/kOpCode_SendDpa", msg2);
+
+ sep_msg->opcode = 16; // Opcode 16
+ sep_msg->tag = 0x0;
+ memcpy(msg3->data, sep_msg, 16);
+ apple_mbox_inbox_push(s->mbox, msg3);
+ IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode16", msg3);
+#endif
+
+ sep_msg.opcode = 17; // Opcode 17
+ sep_msg.tag = 0x0;
+ //sep_msg->data = 0x2000; // 0x2000
+ //sep_msg->data = 0x3200; // iBoot on iOS 12.0 for T8020 says 0x3200 (0x1c52000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x4000; // iBoot on iOS 13.0/13.7 for T8020 says 0x4000 (0x2440000 bytes). Might not be enough for SEPOS in iOS 14.4.2.
+ //sep_msg->data = 0x3400; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x3800; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ //sep_msg->data = 0x6000; // SEPFW on iOS 14.4.2 for T8020 wants something higher
+ sep_msg.data = 0x8000; // SEPFW on iOS 14.0/14.4.2 for T8020, if I found the correct data in Ghidra.
+ // max value 0x8000, checked in SEPROM:FUN_240011564_maybe_check_amcc.
+ // size in bytes == value * 0x910
+ //memcpy(msg1->data, sep_msg, 16);
+ //apple_mbox_inbox_push(s->mbox, msg1);
+ //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode17", msg1);
+ apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw);
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode17\n");
+#if 0
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: before response loop, this will surely dead-lock, but let's try it anyway. YOLO.\n");
+ int response_count = 2;
+ while (response_count > 0) {
+ while (!apple_mbox_outbox_empty(s->mbox)) {
+ response_count -= pop_from_outbox(opaque);
+ }
+ }
+ qemu_log_mask(LOG_UNIMP, "SEP MISC7: after response loop\n");
+#endif
+ //g_free(sep_msg);
+ ////g_free(msg0);
+ ////g_free(msg1);
+ ////g_free(msg2);
+ ////g_free(msg3);
+ ////g_free(msg4);
+ ////g_free(msg5);
+ }
+ //goto jump_default;
+ //QEMU_FALLTHROUGH;
+ break;
+ case 0x0:
+ //case 0x4:
+ case 0x8:
+ case 0x114:
+ case 0x214:
+ case 0x218:
+ case 0x21c:
+ case 0x220:
+ case 0x2d8:
+ case 0x2dc:
+ case 0x2e0: // ecid low
+ case 0x2e4: // ecid high
+ case 0x2e8: // board-id
+ case 0x2ec: // chip-id
+ case 0x314:
+ case 0x318:
+ case 0x31c:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ break;
+ default:
+ jump_default:
+ memcpy(&s->misc7_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc7_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+ case 0xc: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+#if 1
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2));
+ qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 0));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 1));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 2));
+ //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 3));
+ ret = 0xdeadbeef;
+#endif
+ break;
+ default:
+ memcpy(&ret, &s->misc7_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC7: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc7_reg_ops = {
+ .write = misc7_reg_write,
+ .read = misc7_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
+static void misc8_reg_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ switch (addr) {
+ default:
+ memcpy(&s->misc8_regs[addr], &data, size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown write at 0x" HWADDR_FMT_plx
+ " with value 0x" HWADDR_FMT_plx "\n",
+ addr, data);
+ break;
+ }
+}
+
+static uint64_t misc8_reg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ AppleSEPState *s = APPLE_SEP(opaque);
+ uint64_t ret = 0;
+
+ switch (addr) {
+#if 0
+ case 0x310:
+ memcpy(&ret, &s->misc8_regs[addr], size);
+ //ret = 8 * 1024; // size in KiB ; param_1_DAT_800013fe0[1]
+ ////ret = 1 * 1024 * 1024; // size in KiB ; param_1_DAT_800013fe0[1]
+ ////ret = 2 * 1024 * 1024; // size in KiB ; param_1_DAT_800013fe0[1]
+ break;
+#endif
+#if 0
+ case 0x318:
+ //memcpy(&ret, &s->misc8_regs[addr], size);
+ // maybe size for base 0x800000000
+ //ret = 8 * 1024; // size in KiB ; field489_0x10e0_amcc_entry_base_plus_misc8_00318_bytes = amcc_entry_base + (ulong)misc8_00318 * -0x400 >> 1 & 0x7fffffffffffc000;
+ ////ret = 2 * 1024 * 1024;
+ ////ret = 0;
+ //ret = 0xd00000;
+ //ret = 0xe00000;
+ ret = 32 * 1024;
+ break;
+#endif
+ default:
+ memcpy(&ret, &s->misc8_regs[addr], size);
+ qemu_log_mask(LOG_UNIMP,
+ "SEP MISC8: Unknown read at 0x" HWADDR_FMT_plx "\n",
+ addr);
+ break;
+ }
+
+ return ret;
+}
+
+static const MemoryRegionOps misc8_reg_ops = {
+ .write = misc8_reg_write,
+ .read = misc8_reg_read,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 4,
+ .impl.max_access_size = 4,
+ .valid.unaligned = false,
+};
+
static const struct AppleMboxOps sep_mailbox_ops = {};
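Review bot: `misc7_reg_read` turns a plain guest read of offset 0xc into a side effect that lowers and then re-raises every interrupt input of the SEP CPU (IRQ, FIQ, GTIMER_VIRT and lines 0–3) and returns `0xdeadbeef`, and the comment itself says "IRQTEST: ignore and remove this"; a debug path that injects interrupts from an MMIO read should not ship in the device model, so delete the `case 0xc:` branch and its `#if 1` wrapper so that offset falls through to the backing store like every other. In `misc7_reg_write`, the `jump_default:` label is unreachable now that the `goto` is commented out and draws `-Wunused-label`, which a `-Werror` build rejects; the trigger value `0xf2e31133` on offset 0x4 also deserves a named constant with a comment on where it was observed. Every handler does `memcpy(&s->miscN_regs[addr], ...)` with a guest-chosen `addr`; the 4-byte aligned access limits bound it to the mapped region size, so this is only safe if each `miscN_regs` array is at least as large as the region registered for it in apple_sep_create (0x100 up to 0x40000) — the array sizes are not visible here, so a `QEMU_BUILD_BUG_ON(sizeof(((AppleSEPState *)0)->misc8_regs) < 0x40000)`-style check next to the region setup would pin that invariant.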
@@ -262,6 +811,7 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
BUILD_VERSION_MAJOR(build_version) - 3,
&sep_mailbox_ops);
apple_mbox_set_real(s->mbox, true);
+ //s->mbox->AppleSEPResetMisc_func = (AppleSEPResetMisc*)AppleSEPResetMisc_func;
object_property_add_child(OBJECT(s), "mbox", OBJECT(s->mbox));
@@ -271,32 +821,118 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->mbox));
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->cpu));
- memory_region_init_io(&s->trng_mr, OBJECT(dev), &trng_reg_ops, s,
- "sep.trng", 0x100);
- sysbus_init_mmio(sbd, &s->trng_mr);
+ memory_region_init_io(&s->trng_t8101_mr, OBJECT(dev), &trng_reg_ops, s,
+ "sep.trng_t8101", 0x100); // TRNG T8101
+ sysbus_init_mmio(sbd, &s->trng_t8101_mr);
memory_region_init_io(&s->misc0_mr, OBJECT(dev), &misc0_reg_ops, s,
- "sep.misc0", 0x100);
+ "sep.misc0", 0x100); // MISC0
sysbus_init_mmio(sbd, &s->misc0_mr);
memory_region_init_io(&s->misc1_mr, OBJECT(dev), &misc1_reg_ops, s,
- "sep.misc1", 0x1000);
+ "sep.misc1", 0x1000); // MISC1
sysbus_init_mmio(sbd, &s->misc1_mr);
memory_region_init_io(&s->misc2_mr, OBJECT(dev), &misc2_reg_ops, s,
- "sep.misc2", 0x100);
+ "sep.misc2", 0x100); // MISC2
sysbus_init_mmio(sbd, &s->misc2_mr);
+ memory_region_init_io(&s->misc3_mr, OBJECT(dev), &misc39_reg_ops, s,
+ "sep.misc39_t8101", 0x100); // MISC39 T8101
+ sysbus_init_mmio(sbd, &s->misc3_mr);
+ memory_region_init_io(&s->misc4_mr, OBJECT(dev), &misc4_reg_ops, s,
+ "sep.misc4", 0x100); // MISC4 // 0x241440000
+ sysbus_init_mmio(sbd, &s->misc4_mr);
+ memory_region_init_io(&s->misc5_mr, OBJECT(dev), &misc5_reg_ops, s,
+ "sep.misc5", 0x100); // MISC5
+ sysbus_init_mmio(sbd, &s->misc5_mr);
+ memory_region_init_io(&s->misc6_mr, OBJECT(dev), &misc6_reg_ops, s,
+ "sep.misc6", 0x1000); // MISC6
+ sysbus_init_mmio(sbd, &s->misc6_mr);
+ memory_region_init_io(&s->misc7_mr, OBJECT(dev), &misc7_reg_ops, s,
+ "sep.misc7", 0x1000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_init_mmio(sbd, &s->misc7_mr);
+ memory_region_init_io(&s->misc8_mr, OBJECT(dev), &misc8_reg_ops, s,
+ "sep.misc8", 0x40000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
+ sysbus_init_mmio(sbd, &s->misc8_mr);
+ memory_region_init_io(&s->trng_t8020_mr, OBJECT(dev), &trng_reg_ops, s,
+ "sep.trng_t8020", 0x100); // TRNG T8020
+ sysbus_init_mmio(sbd, &s->trng_t8020_mr);
+ memory_region_init_io(&s->misc9_mr, OBJECT(dev), &misc39_reg_ops, s,
+ "sep.misc39_t8020", 0x100); // MISC39 T8020
+ sysbus_init_mmio(sbd, &s->misc9_mr);
DTBNode *child = find_dtb_node(node, "iop-sep-nub");
assert(child);
//! SEPFW needs to be loaded by restore, supposedly
// uint32_t data = 1;
// set_dtb_prop(child, "sepfw-loaded", sizeof(data), &data);
+ //uint32_t data = 0;
+ //uint32_t data = 1;
+ //set_dtb_prop(child, "has-art", sizeof(data), &data);
+#if 0
+ //uint64_t a = le64_to_cpu(0x80c000);
+ //uint32_t l = le32_to_cpu(0x10000);
+ uint64_t a = 0x80c000;
+ uint32_t l = 0x10000;
+ hwaddr len;
+ void *map;
+ AddressSpace *nsas = &address_space_memory;
+ len = l;
+ //map = dma_memory_map(s->dma_as, a, &len, DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ map = dma_memory_map(nsas, a, &len, DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ if (!map) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory\n", __func__);
+ }
+#endif
+ //remove_dtb_node_by_name(child, "hilo");
+ //remove_dtb_node_by_name(child, "Lynx");
+ //remove_dtb_node_by_name(child, "xArt");
return s;
}
static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
{
AppleSEPState *s = data.host_ptr;
+ AddressSpace *nsas = &address_space_memory;
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
cpu_reset(cpu);
+#ifdef DO_SECUREROM
+ // make it possible to re-run SEPROM after SecureROM panics without powering off
+ // replaces e.g.: set *0x241130840=0x0 ; set *0x241130800=0x0
+ //address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x3000000, MEMTXATTRS_UNSPECIFIED);
+ address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x1000000, MEMTXATTRS_UNSPECIFIED);
+#endif
+ fprintf(stderr, "apple_sep_cpu_reset_work: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base);
+ cpu_set_pc(cpu, s->base);
+}
+
+#if 0
+static void apple_sep_cpu_reset_work_only_pc(CPUState *cpu, run_on_cpu_data data)
+{
+ AppleSEPState *s = data.host_ptr;
+ CPUARMState *env;
+ AppleA13State *tcpu = APPLE_A13(cpu);
+ uint64_t pwr_dn_save;
+ //uint64_t cpacr_tmp;
+ env = &ARM_CPU(cpu)->env;
+ pwr_dn_save = tcpu->A13_CPREG_VAR_NAME(SYS_ACC_PWR_DN_SAVE);
+ //cpacr_tmp = env->cp15.cpacr_el1;
+ //cpacr_tmp = FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, FPEN);
+ //fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: t0: cpacr_tmp=0x" HWADDR_FMT_plx "\n", cpacr_tmp);
+ //fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: t0: env->cp15.cpacr_el1=0x" HWADDR_FMT_plx "\n", env->cp15.cpacr_el1);
+ //cpu_reset(cpu);
+ tcpu->A13_CPREG_VAR_NAME(SYS_ACC_PWR_DN_SAVE) = pwr_dn_save;
+ //tcpu->A13_CPREG_VAR_NAME(CPACR) = cpacr_tmp;
+ //env->cp15.cpacr_el1 = cpacr_tmp;
+ //env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1, CPACR_EL1, FPEN, cpacr_tmp);
+ //fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: t1: env->cp15.cpacr_el1=0x" HWADDR_FMT_plx "\n", env->cp15.cpacr_el1);
+ //arm_rebuild_hflags(env);
+ //fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: t2: env->cp15.cpacr_el1=0x" HWADDR_FMT_plx "\n", env->cp15.cpacr_el1);
+ fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base);
+ //env->xregs[0] = 0x800734000ULL;
+ env->xregs[0] = tcpu->A13_CPREG_VAR_NAME(SYS_ACC_PWR_DN_SAVE);
+ env->xregs[1] = s->base; // HACK because the first instruction sometimes gets skipped. Maybe because of the commented out cpu_reset(), because of FPU stuff. (0x800005da4)
+ fprintf(stderr, "apple_sep_cpu_reset_work_only_pc: new x0=0x" HWADDR_FMT_plx "\n", env->xregs[0]);
cpu_set_pc(cpu, s->base);
}
+#endif
static void apple_sep_reset(DeviceState *dev)
{
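Review bot: In `apple_sep_cpu_reset_work`, `nsas`, `machine` and `tms` are used only inside `#ifdef DO_SECUREROM`, and DO_SECUREROM is commented out at the top of the file, so as committed they are three unused locals that `-Wunused-variable` flags and a `-Werror` build rejects; wrap the three declarations in the same `#ifdef DO_SECUREROM` / `#endif`. `T8030_MACHINE(machine)` is also a checked QOM cast, so once the block is enabled the SEP reset would presumably abort on any machine that is not a T8030, even though this file includes `hw/arm/apple_a9.h` and so appears meant to serve more than one SoC — the SoC base address should come from a property on the SEP device rather than from the machine type. Separately, `misc3_mr` and `misc9_mr` are both registered with `misc39_reg_ops` on the same `s`, so the T8101 and T8020 windows alias one `misc39_regs` array and a write through one is visible through the other; if that is intended it needs a comment, otherwise give each window its own backing state. The `fprintf(stderr, ...)` in the reset path should be a `trace_` event or `qemu_log_mask(LOG_UNIMP, ...)` like the rest of the file.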
@@ -310,8 +946,8 @@ static void apple_sep_realize(DeviceState *dev, Error **errp)
sysbus_realize(SYS_BUS_DEVICE(s->mbox), errp);
qdev_realize(DEVICE(s->cpu), NULL, errp);
- qdev_connect_gpio_out_named(DEVICE(s->mbox), APPLE_MBOX_IOP_IRQ, 0,
- qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ qdev_connect_gpio_out_named(DEVICE(s->mbox), APPLE_MBOX_IOP_IRQ, 0, qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+ //qdev_connect_gpio_out_named(DEVICE(s->mbox), APPLE_MBOX_TEST_IRQ, 0, qdev_get_gpio_in(DEVICE(s->cpu), 1));
}
static void apple_sep_unrealize(DeviceState *dev)
diff --git a/hw/arm/s8000.c b/hw/arm/s8000.c
index 03010cc099..45454b26ad 100644
--- a/hw/arm/s8000.c
+++ b/hw/arm/s8000.c
@@ -198,16 +198,66 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ uint64_t ret = 0;
switch (base + addr) {
case 0x102BC000: //! CFG_FUSE0
- return (1 << 2);
+ //return (1 << 2);
+ //return 0;
+ //return -1;
+ ret |= (1 << 2);
+ ret |= (0x12ULL << 9); // SCEP: max: 0x7f
+ //ret |= (1 << 8);
+ //ret |= 0xf << 4;
+ ret |= 0x1 << 4; // BDID |= 0x20
+ //ret |= 0x1 << 5; // BDID |= 0x40
+ //ret |= 0x1 << 6; // BDID |= 0x80
+ //ret |= 0x1 << 7;
+ ret |= (1 << 0); // IBFL |= 0x10
+ return ret;
case 0x102BC200: //! CFG_FUSE0_RAW
- return 0x0;
+ //return 0x0;
+ //return (1 << 2);
+ //return -1;
+ //return 0xffffffffULL << 16;
+ //ret |= (0x1 << 1); // CPFM |= 0x1 ; IBFL |= 0x08
+ ret |= (0x1 << 0); // CPFM |= 0x3 ; IBFL |= 0x08
+ return ret;
+ case 0x102BC010:
+ //return 0x1 << 22; // CPRV |= 0x01
+ //return 0x1 << 23; // CPRV |= 0x02
+ //return 0x1 << 24; // CPRV |= 0x04
+ //return 0x1 << 25; // CPRV |= 0x10
+ //return 0x1 << 26; // CPRV |= 0x20
+ //return 0x1 << 27; // CPRV |= 0x40
+ return (3 << 22);
+#if 0
+ case 0x102BC004:
+ case 0x102BC008:
+ case 0x102BC00c:
+ case 0x102BC010:
+ case 0x102BC014:
+ case 0x102BC018:
+ case 0x102BC01c:
+ case 0x102BC020:
+ return -1;
+#endif
+#if 0
+ case 0x102BC204:
+ case 0x102BC208:
+ case 0x102BC20c:
+ case 0x102BC210:
+ case 0x102BC214:
+ case 0x102BC218:
+ case 0x102BC21c:
+ case 0x102BC220:
+ return -1;
+#endif
case 0x102BC080: //! ECID_LO
return 0x13371337;
case 0x102BC084: //! ECID_HI
- return 0xDEADBEEF;
+ //return 0xDEADBEEF;
+ return 0x7EADBEEF;
case 0x102E8000: // ????
return 0x4;
case 0x102BC104: // ???? bit 24 => is fresh boot?
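Review bot: The fuse bits assembled on L923–L931 and the CPRV value on L949 are bare shifts whose meaning survives only in trailing comments, while the `//return` alternatives above them are kept as dead code. Since CFG_FUSE0 decides the emulated chip's security state (SCEP, BDID, IBFL and CPFM, as the comments label them), name the fields, e.g. `#define S8000_CFG_FUSE0_SCEP(x) ((uint64_t)((x) & 0x7f) << 9)`, and drop the commented-out returns and the two `#if 0` case lists so the active configuration is the only one a reader has to trust. The `(1 << 2)`, `0x1 << 4` and `(1 << 0)` terms are `int` while `0x12ULL << 9` is 64-bit; widening them consistently avoids surprises if a field ever moves above bit 31. `return -1` inside the `#if 0` blocks would yield all-ones in a `uint64_t`, which is worth stating explicitly if that block is ever re-enabled.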
diff --git a/hw/arm/t8030.c b/hw/arm/t8030.c
index 4dd4c14d75..bad4d97909 100644
--- a/hw/arm/t8030.c
+++ b/hw/arm/t8030.c
@@ -1,3 +1,6 @@
+
+//#define DO_SECUREROM 1
+
/*
* iPhone 11 - T8030
*
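Review bot: `DO_SECUREROM` is introduced as a commented-out `#define` on L987, so the only way to switch configurations is to edit the source, and nothing documents what the two configurations are. Add a comment next to it such as `// Define (e.g. via CFLAGS) to boot SecureROM from the path in machine->firmware instead of loading and patching the kernel directly`, or move the toggle to a build-time option so the commented-out define does not need to exist.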
@@ -71,8 +74,12 @@
#define T8030_DRAM_BASE (0x800000000ULL)
#define T8030_DRAM_SIZE (4ULL * GiB)
+#define T8030_SEP_BASE (0x240000000ULL)
+#define T8030_SEP_SIZE (0x4000000ULL)
+
#define T8030_SEPROM_BASE (0x240000000ULL)
-#define T8030_SEPROM_SIZE (0x4000000ULL)
+//#define T8030_SEPROM_BASE (0x242200000ULL) // Visual told me to
+#define T8030_SEPROM_SIZE (0x40000ULL)
#define T8030_GPIO_FORCE_DFU (161)
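Review bot: `T8030_SEP_BASE` on L995 has the same value as `T8030_SEPROM_BASE` on L998, and `T8030_SEPROM_SIZE` shrinks from 0x4000000 to 0x40000, so the ROM window now sits at the start of the SEP region rather than being the whole of it; whether the two are meant to alias should be written down next to the defines. A comment such as `/* SEPROM occupies the first 0x40000 bytes of the SEP window */` would do, and `QEMU_BUILD_BUG_ON(T8030_SEPROM_BASE + T8030_SEPROM_SIZE > T8030_SEP_BASE + T8030_SEP_SIZE)` would keep them consistent. The alternative base kept as a comment on L1000 should either be removed or explain what "Visual" refers to.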
@@ -164,6 +171,14 @@ static void t8030_create_s3c_uart(const T8030MachineState *tms, uint32_t port,
static void t8030_patch_kernel(struct mach_header_64 *hdr)
{
+#ifndef DO_SECUREROM
+ *(uint32_t *)vtop_static(0xFFFFFFF0077142C8) = 0;
+ //*(uint32_t *)vtop_static(0xfffffff009845140) = 0xFFFFFFFF; // AMCC
+ // gAppleSMCDebugLevel = 0xFFFFFFFF;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA18) = 0xFFFFFFFF;
+ // gAppleSMCDebugPath = 0x2;
+ //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA1C) = 0x2;
+#endif
kpf();
}
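Review bot: The store on L1007 clears a word at a hard-coded kernel virtual address with no comment on which variable it is, whereas every neighbouring commented-out patch at least names its target; the address is also specific to one kernel build, and the function has no way to tell whether the loaded kernel is that build. Add a comment of the form `// <kernel symbol> = 0 (kernel build <version placeholder>)` and, if `vtop_static` can report failure, check its result before dereferencing. The same applies to the `vtop_static` stores on L1189–L1192 in the `t8030_memory_setup` hunk.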
@@ -311,13 +326,38 @@ static void t8030_load_classic_kc(T8030MachineState *tms, const char *cmdline)
dtb_va = ptov_static(info->dtb_pa);
phys_ptr += align_16k_high(info->dtb_size);
+#if 0
if (tms->sepfw_filename) {
info->sepfw_pa = phys_ptr;
+ //info->sepfw_pa = 0x800000000ULL;
macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw",
info->sepfw_pa, &info->sepfw_size);
- info->sepfw_size = align_16k_high(15 * MiB);
+ //info->sepfw_size = align_16k_high(15 * MiB);
+ info->sepfw_size = align_16k_high(8 * MiB);
+ fprintf(stderr, "sepfw_pa: 0x" TARGET_FMT_lx " sepfw_size: 0x" TARGET_FMT_lx "\n", info->sepfw_pa, info->sepfw_size);
+ phys_ptr += info->sepfw_size;
+#if 1
+ MemoryRegion *mr = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr, OBJECT(tms), "t8030.sepfw.alias", tms->sysmem, info->sepfw_pa, info->sepfw_size);
+ //memory_region_add_subregion_overlap(tms->sysmem, 0x0, mr, 1);
+ memory_region_add_subregion_overlap(tms->sysmem, 0x4000, mr, 1);
+#endif
+ }
+#endif
+#if 01
+ if (tms->sepfw_filename) {
+ info->sepfw_pa = phys_ptr;
+ info->sepfw_size = align_16k_high(8 * MiB);
phys_ptr += info->sepfw_size;
+ size_t garbage = 0;
+ //allocate_ram(sysmem, "SEPFW", 0x4000, info->sepfw_size, 0);
+ //allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0);
+ macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x240100000ULL, &garbage);
+ //macho_load_raw_file("/home/ios/satamnt_1/qemu_t8030_data_0/ios_t8020_v14.4.2_0/iphone/Firmware/all_flash/sep-firmware.d321.RELEASE.im4p.out_offs_4000", nsas, sysmem, "sepfw", 0x240104000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", info->sepfw_pa, &garbage);
}
+#endif
mem_size =
machine->maxram_size -
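Review bot: `#if 01` on L1038 is an octal literal that is simply true, and together with the `#if 0` copy on L1019–L1037 it leaves two near-identical versions of the sepfw load in the file; keep the live one, delete the other and drop the `#if`. In the live branch `info->sepfw_size` is fixed at 8 MiB and `phys_ptr` is advanced by it (L1041–L1042), but the file is actually loaded at `0x4000ULL` with its size discarded into `garbage` (L1046), so the region reserved at `info->sepfw_pa` is never filled and nothing checks that the file fits in 8 MiB or below the kernel; at minimum `g_assert(garbage <= info->sepfw_size);` and a comment explaining why the firmware is placed at 0x4000 are needed. The commented-out call on L1048 embeds a home-directory path and should not be committed.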
@@ -465,7 +505,7 @@ static void t8030_memory_setup(MachineState *machine)
DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map");
g_autofree char *cmdline = NULL;
AddressSpace *nsas = &address_space_memory;
- // g_autofree char *securerom = NULL;
+ g_autofree char *securerom = NULL;
g_autofree char *seprom = NULL;
unsigned long fsize = 0;
@@ -476,17 +516,19 @@ static void t8030_memory_setup(MachineState *machine)
info->dram_base = T8030_DRAM_BASE;
info->dram_size = T8030_DRAM_SIZE;
- // if (!machine->firmware) {
- // error_report("Please set firmware to SecureROM's path");
- // exit(EXIT_FAILURE);
- // }
+#ifdef DO_SECUREROM
+ if (!machine->firmware) {
+ error_report("Please set firmware to SecureROM's path");
+ exit(EXIT_FAILURE);
+ }
- // if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) {
- // error_report("Could not load data from file '%s'",
- // machine->firmware); exit(EXIT_FAILURE);
- // }
- // address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED,
- // (uint8_t *)securerom, fsize, 1);
+ if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) {
+ error_report("Could not load data from file '%s'",
+ machine->firmware); exit(EXIT_FAILURE);
+ }
+ address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED,
+ (uint8_t *)securerom, fsize, 1);
+#endif
if (tms->seprom_filename == NULL) {
error_report("Please set path to SEPROM");
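Review bot: `fsize` returned by `g_file_get_contents` on L1080 is passed straight to `address_space_rw` on L1084 with no upper bound, so a firmware file larger than the ROM window at `T8030_SROM_BASE` is written past it into whatever is mapped next; compare it with the region size first, e.g. `if (fsize > <SROM size macro>) { error_report("SecureROM image too large"); exit(EXIT_FAILURE); }`. Passing `NULL` as the `GError **` on L1080 discards the reason for the failure, so a bad firmware path is hard to diagnose; capturing the error and printing `err->message` is cheap. `error_report(...); exit(EXIT_FAILURE);` on one line (L1082) mirrors the old comment but not the surrounding style.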
@@ -498,15 +540,108 @@ static void t8030_memory_setup(MachineState *machine)
tms->seprom_filename);
exit(EXIT_FAILURE);
}
- address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED,
- (uint8_t *)seprom, fsize, 1);
+ address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED, (uint8_t *)seprom, fsize, 1);
uint64_t value = 0x8000000000000000;
- address_space_write(nsas, tms->soc_base_pa + 0x42140108,
- MEMTXATTRS_UNSPECIFIED, &value, sizeof(value));
uint32_t value32 = 0x1;
- address_space_write(nsas, tms->soc_base_pa + 0x41448000,
- MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32));
+ uint32_t value32_mov_w8_0 = 0x52800008; // mov w8, #0x0
+ uint32_t value32_mov_w8_1 = 0x52800028; // mov w8, #0x1
+ uint32_t value32_mov_x0_1 = 0xd2800020; // mov x0, #0x1
+ uint32_t value32_mov_x0_0 = 0xd2800000; // mov x0, #0x0
+ uint32_t value32_mov_x0_0x10 = 0xd2800200; // mov x0, #0x10
+ uint32_t value32_mov_x0_0x2000 = 0xd2840000; // mov x0, #0x2000
+ uint32_t value32_mov_x0_0x5000 = 0xd28a0000; // mov x0, #0x5000
+ uint32_t value32_mov_x0_0x200000 = 0xd2a00400; // mov x0, #0x200000
+ uint32_t value32_mov_x0_0xe20 = 0xd281c400; // mov x0, #0xe20
+ uint32_t value32_mov_x20_1 = 0xd2800034; // mov x20, #0x1
+ uint32_t value32_nop = 0xd503201f; // nop
+ uint32_t value32_mov_w0_8030 = 0x52900600; // mov w0, #0x8030
+ uint32_t value32_cmp_x0_x0 = 0xeb00001f; // cmp x0, x0
+ uint32_t value32_bl_GenerateNonce_t8101 = 0x9400026d; // bl generate_random_GenerateNonce for T8101 from 0x24000edec
+ uint32_t value32_bl_GenerateNonce_t8020 = 0x94000187; // bl generate_random_GenerateNonce for T8020 from 0x24000b574
+ uint32_t value32_mov_x5_0xf0000000 = 0xd2be0005; // mov x5,#0xf0000000
+ uint32_t value32_retab = 0xd65f0fff; // retab
+ uint32_t value32_ret = 0xd65f03c0; // ret
+ uint32_t value32_mov_w0_minus1 = 0x12800000; // mov w0, #0xffffffff
+ uint32_t value32_mov_w0_0x10000000 = 0x52a20000; // mov w0, #0x10000000
+ uint32_t value32_mov_w0_sp_0x4 = 0xb90007e0; // mov w0, [sp, #0x4]
+#if 0 // for Sicily
+ address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section)
+ address_space_write(nsas, tms->soc_base_pa + 0x41448000, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); // check_first_boot: prevent busy-loop (data section)
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x09008, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); // avoid panic(0x74)
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x09510, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); // avoid panic(0xf1);
+ // mov w8, #0x1 ; strb w8,[sp, #0xf8] // avoids both, panic(0x74/0xf1)
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x09004, MEMTXATTRS_UNSPECIFIED, &value32_mov_w8_1, sizeof(value32_mov_w8_1));
+ //value32 = 0x3903e3e8; // strb w8,[sp, #0xf8] // img4_out[0xc0]
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x09008, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); // avoid panic(0x74)
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0c824, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0));
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x10a74, MEMTXATTRS_UNSPECIFIED, &value32_mov_x20_1, sizeof(value32_mov_x20_1));
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x10a78, MEMTXATTRS_UNSPECIFIED, &value32_mov_w8_1, sizeof(value32_mov_w8_1));
+ //value32 = 0x3902ea68; // strb w8,[x19, #0xba] // img4_out[0xba]
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x10a7c, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32));
+ //value32 = 0x14000023; // b LAB_240010b0c
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x10a80, MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32));
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x17bf8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result.
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x17c9c, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x17ca0, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0e014, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // memcmp_validstrs30_true_on_success: fake success
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x10c04, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // memcmp_validstrs14_true_on_success: fake success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b484, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8101
+#if 0
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x107bc, MEMTXATTRS_UNSPECIFIED, &value32_cmp_x0_x0, sizeof(value32_cmp_x0_x0)); // img4_compare_verified_values_true_on_success: jump over ECID check
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x10824, MEMTXATTRS_UNSPECIFIED, &value32_cmp_x0_x0, sizeof(value32_cmp_x0_x0)); // img4_compare_verified_values_true_on_success: jump over SDOM check
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x10828, MEMTXATTRS_UNSPECIFIED, &value32_mov_w8_0, sizeof(value32_mov_w8_0)); // img4_compare_verified_values_true_on_success: jump over SDOM check
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x108a4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x20_1, sizeof(value32_mov_x20_1)); // img4_compare_verified_values_true_on_success: jump over CPRO&CSEC check
+#endif
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x090d4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success
+#if 0
+ uint8_t securerom_snon[0x14] = {0};
+ //qemu_guest_getrandom(&securerom_snon, sizeof(securerom_snon), NULL);
+ qcrypto_random_bytes(&securerom_snon, sizeof(securerom_snon), NULL);
+ address_space_write(nsas, tms->soc_base_pa + 0x42214888, MEMTXATTRS_UNSPECIFIED, &securerom_snon, sizeof(securerom_snon)); // maybe_GenerateNonce_validstr0x14_from_DAT_242214888: Normally gets generated by a SecureROM call.
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0edec, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // boot: prevent calling clear_GenerateNonce_nonce
+#endif
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0edec, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8101, sizeof(value32_bl_GenerateNonce_t8101)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8101. Needed because we don't run iBoot.
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0426c, MEMTXATTRS_UNSPECIFIED, &value32_mov_x5_0xf0000000, sizeof(value32_mov_x5_0xf0000000)); // provoke crash/exception
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x04e44, MEMTXATTRS_UNSPECIFIED, &value32_retab, sizeof(value32_retab)); // bzero: stubbing/nop'ing it
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x14c00, MEMTXATTRS_UNSPECIFIED, &value32_ret, sizeof(value32_ret)); // cc_clear: stubbing/nop'ing it
+#ifndef DO_SECUREROM
+ //*(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing)
+ //*(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger.
+#else
+ address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches.
+ address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load
+ address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload
+#endif
+
+#endif // for Sicily
+#if 1 // for T8020 SEPROM
+ address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section)
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x12144, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result.
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121d8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x121dc, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0abd8, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs30: fake success
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x0ca84, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs14: fake success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x091b4, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8020
+ address_space_write(nsas, T8030_SEPROM_BASE + 0x077ac, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b574, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8020, sizeof(value32_bl_GenerateNonce_t8020)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8020 (Opcode3). Needed because we don't run iBoot/SecureROM.
+ ////address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0x2000, sizeof(value32_mov_x0_0x2000)); // boot: set opcode_17_inbox_msg_data
+ //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b588, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_sp_0x4, sizeof(value32_mov_w0_sp_0x4)); // boot: set opcode_17_inbox_msg_data
+#ifndef DO_SECUREROM
+ *(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing)
+ *(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger.
+ //*(uint32_t *)vtop_static(0xfffffff008b57ad4) = value32_mov_x0_1; // AppleSEPManager::_bootSEP:: Don't require _PE_i_can_has_debugger.
+ *(uint32_t *)vtop_static(0xfffffff007a231d8) = value32_mov_x0_1; // _kern_config_is_development
+#else
+ address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches.
+ address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load
+ address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload
+#endif
+
+#endif // for T8020 SEPROM
nvram = APPLE_NVRAM(qdev_find_recursive(sysbus_get_default(), "nvram"));
if (!nvram) {
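Review bot: The T8020 SEPROM patches on L1175–L1183 write fixed offsets into whatever image L1095 loaded, without checking that `fsize` covers those offsets or fits the now 0x40000-byte `T8030_SEPROM_SIZE`, and without any identity check on the image, so a different or truncated ROM is silently corrupted and the mismatch only surfaces as a later crash. Because `fsize` is never compared with `T8030_SEPROM_SIZE`, a larger file is also written straight past the ROM window. The constant on L1122 is mislabeled: `0xb90007e0` encodes `str w0, [sp, #4]`, and "mov w0, [sp, #0x4]" is not an AArch64 instruction. A single comment at the head of the patch set stating that these writes disable the Img4 trust evaluation (RSA result, payload hash, validstrs compares) and that the emulated SEP therefore accepts any firmware would stop a reader from mistaking this for a model of the real verification, and the many commented-out alternatives plus the `#if 0` Sicily block (L1123–L1173) belong in a branch or a note rather than the file. The rewrite below keeps the same writes but drives them from a table with a bounds check; the `_entry` busy-loop write on L1175 and the `DO_SECUREROM` branches on L1188–L1197 are unchanged.
```c
/* One patch = a 32-bit instruction written at an offset into the loaded SEPROM. */
typedef struct {
    hwaddr off;
    uint32_t insn;
    const char *why;
} SEPROMPatch;

static const SEPROMPatch t8020_seprom_patches[] = {
    { 0x12144, 0xd503201f, "maybe_Img4DecodeEvaluateTrust: skip RSA verification result" },
    { 0x121d8, 0xd503201f, "maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck" },
    { 0x121dc, 0xd503201f, "maybe_Img4DecodeEvaluateTrust: ignore payload_raw hash result" },
    { 0x0abd8, 0xd2800000, "memcmp_validstrs30: fake success" },
    { 0x0ca84, 0xd2800000, "memcmp_validstrs14: fake success" },
    { 0x077ac, 0xd2800020, "load_sepos: jump over img4_compare_verified_values_true_on_success" },
};

/* … unchanged: g_file_get_contents of tms->seprom_filename … */
if (fsize > T8030_SEPROM_SIZE) {
    error_report("SEPROM image (%lu bytes) does not fit the ROM window", fsize);
    exit(EXIT_FAILURE);
}
/* TODO: confirm this is the T8020 SEPROM build the offsets were taken from (e.g. compare a known digest: <placeholder>) */
address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED, (uint8_t *)seprom, fsize, 1);

/* … unchanged: _entry busy-loop write at soc_base_pa + 0x42140108 … */
for (size_t i = 0; i < ARRAY_SIZE(t8020_seprom_patches); i++) {
    const SEPROMPatch *p = &t8020_seprom_patches[i];
    g_assert(p->off + sizeof(p->insn) <= fsize);
    address_space_write(nsas, T8030_SEPROM_BASE + p->off, MEMTXATTRS_UNSPECIFIED, &p->insn, sizeof(p->insn));
}
/* … unchanged: DO_SECUREROM kernel / SecureROM patches … */
```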
@@ -567,11 +702,10 @@ static void t8030_memory_setup(MachineState *machine)
if (xnu_contains_boot_arg(cmdline, "-restore", false)) {
//! HACK: Use DEV Hardware model to restore without FDR errors
- set_dtb_prop(tms->device_tree, "compatible", 29,
- "N104DEV\0iPhone12,1\0AppleARM\0$");
+ set_dtb_prop(tms->device_tree, "compatible", 29, "N104DEV\0iPhone12,1\0AppleARM\0$");
+ //set_dtb_prop(tms->device_tree, "compatible", 28, "N104AP\0iPhone12,1\0AppleARM\0$");
} else {
- set_dtb_prop(tms->device_tree, "compatible", 28,
- "N104AP\0iPhone12,1\0AppleARM\0$");
+ set_dtb_prop(tms->device_tree, "compatible", 28, "N104AP\0iPhone12,1\0AppleARM\0$");
}
if (!xnu_contains_boot_arg(cmdline, "rd=", true)) {
@@ -612,6 +746,7 @@ static void t8030_memory_setup(MachineState *machine)
set_dtb_prop(vram, "reg", sizeof(vram_reg), &vram_reg);
}
+#ifndef DO_SECUREROM
hdr = tms->kernel;
g_assert(hdr);
@@ -631,12 +766,26 @@ static void t8030_memory_setup(MachineState *machine)
__func__, hdr->filetype);
break;
}
+#endif
}
+static uint64_t pmgr_unk_e4800 = 0;
+static uint32_t pmgr_unk_e4000[0x180/4] = {0};
+
static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
unsigned size)
{
hwaddr base = (hwaddr)opaque;
+ switch (base + addr) {
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ pmgr_unk_e4800 = data; // 0x240002c00 and 0x2400037a4
+ break;
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4] = data; // 0x24000377c
+ break;
+ default:
+ break;
+ }
#if 1
qemu_log_mask(LOG_UNIMP,
"PMGR reg WRITE unk @ 0x" TARGET_FMT_lx
@@ -647,7 +796,11 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data,
static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
{
+ MachineState *machine = MACHINE(qdev_get_machine());
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ AppleSEPState *sep;
hwaddr base = (hwaddr)opaque;
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
#if 1
qemu_log_mask(LOG_UNIMP,
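Review bot: `object_property_get_link(..., "sep", &error_fatal)` on L1254 runs on every read of this region, and `&error_fatal` turns a missing link into a process exit from inside an MMIO handler even for the many `case` arms below that never touch `sep`. Resolve the link once outside the read path (at realize or memory setup, stored in `T8030MachineState`) or look it up only in the arms that use it, and log with `qemu_log_mask` rather than exiting if it is absent. A comment on why the region's `opaque` is the base address while the machine is fetched via `qdev_get_machine()` would also help the next reader.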
@@ -655,43 +808,120 @@ static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size)
" base: 0x" TARGET_FMT_lx "\n",
base + addr, base);
#endif
+ uint32_t chip_revision;
+ //chip_revision = 0x01;
+ chip_revision = 0x11;
switch (base + addr) {
- case 0x3D2BC000:
- // return 0xA050C030; // IBFL | 0x00
- return 0xA55AC33C; // IBFL | 0x10
- case 0x3D2BC008:
+ case 0x3D2BC000: // DPRO
+ case 0x3D2BC200:
+ //// return 0xA050C030; // IBFL | 0x00
+ return 0xA55AC33C; // IBFL | 0x10 // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC004: // ??? DPRO? is value==0xA050C030 (disabled), take value from 0xbc600
+ case 0x3D2BC204:
+ return 0xA55AC33C; // force return enabled
+ //return 0xA050C030; // force return disabled ; skip loop inside FUN_240003fcc_wait_for_DAT_23d2bc004_maybe_memory_encryption
+ // FUN_240003fcc_wait_for_DAT_23d2bc004
+ if ((sep->misc5_regs[0] & 0x2) != 0)
+ return 0xA050C030; // if bit1 is set
+ else
+ return 0xA55AC33C; // if bit1 is unset
+ case 0x3D2BC008: // EDOM_0? Effective SDOM_0? (Security Domain) T8030?
+ case 0x3D2BC208: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-A12-D331pAP
+ //case 0x3D2BC308: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC608: // SDOM_0? (Security Domain) AppleSEPROM-Sicily-A0
return 0xA55AC33C; // security domain | 0x1
- case 0x3D2BC00C:
- // return 0xA55AC33C; // security domain | 0x2
+ //return 0xA050C030; // MAYBE security domain | 0x0
+ case 0x3D2BC00C: // EDOM_1? Effective SDOM_1? (Security Domain) T8030?
+ case 0x3D2BC20C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-A12-D331pAP
+ //case 0x3D2BC30C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-S4-S5-B1
+ case 0x3D2BC60C: // SDOM_1? (Security Domain) AppleSEPROM-Sicily-A0
+ //return 0xA55AC33C; // security domain | 0x2
return 0xA050C030; // security domain | 0x0
- case 0x3D2BC010:
- return (1 << 5) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) <<
- // 5 ;; (1 << 31) for SEP
- case 0x3D2BC030:
- // return 0xFFFFFFFF; // CPRV
- // return 0x7 << 6; // LOW NIBBLE
- // return 0x70 << 5; // HIGH NIBBLE
- return 0x1 << 6;
- case 0x3D2BC300: // TODO
- return 0xCAFEBABE; // ECID lower
- case 0x3D2BC304: // TODO
- return 0xDEADBEEF; // ECID upper
- case 0x3D2BC400:
+ case 0x3D2BC010: // maybe effective CEPO? SEPO/BOARDID (upper three??/five bits stored in the three lower bits)
+ case 0x3D2BC210: // CEPO? SEPO? AppleSEPROM-A12-D331pAP
+ //case 0x3D2BC310: // CEPO? SEPO? AppleSEPROM-S4-S5-B1
+ case 0x3D2BC610: // CEPO? SEPO? AppleSEPROM-Sicily-A0
+ uint64_t sep_bit30 = ((sep->misc5_regs[0] & 0x1) != 0);
+ //return (1 << 5) | (0 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (0 << 30) | (1 << 31) for SEP
+ return (1 << 5) | (sep_bit30 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (sep_bit30 << 30) | (1 << 31) for SEP
+ case 0x3D2BC020: // T8030 iBSS: FUN_19c07feac_return_value_causes_crash
+ //return 0xA050C030; // causes panic, so does a invalid value
+ return 0xA55AC33C;
+ //0x3d2bc024 T8030
+ //0x3d2bc028 T8030
+ //0x3d2bc02c T8030
+ //case 0x3D2BC028: // CPRV (Chip Revision) AppleSEPROM-S4-S5-B1
+ //case 0x3D2BC02c: // T8030 iBSS: _DAT_23d2bc02c >> 30 | (_DAT_23d2bc030 & 15) << 2;
+ case 0x3D2BC030: // CPRV (Chip Revision) T8030? T8020?
+ return ((chip_revision & 0x7) << 6) | (((chip_revision & 0x70) >> 4) << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ case 0x3D2BC03c: // CPRV (Chip Revision) AppleSEPROM-Sicily-A0
+ return ((chip_revision & 0x7) << 10) | (((chip_revision & 0x70) >> 4) << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //// return 0xFFFFFFFF; // CPRV
+ //// return (0x7 << 6) | (0x70 << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1
+ //// return (0x7 << 10) | (0x70 << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0
+ //return 0x1 << 6; // my ; (1 << 6) == 0x40 == revision:0x1
+ //return 0x240; // Ntrung // == revision:0x11
+ case 0x3D2BC100: // ECID lower T8020?
+ //case 0x3D2BC200: // ECID lower AppleSEPROM-S4-S5-B1
+ case 0x3D2BC300: // ECID lower T8030?
+ case 0x3D2BC500: // ECID lower AppleSEPROM-Sicily-A0
+ //return 0xCAFEBABE; // ECID lower
+ return tms->ecid & 0xffffffff; // ECID lower
+ case 0x3D2BC104: // ECID upper T8020?
+ //case 0x3D2BC204: // ECID upper AppleSEPROM-S4-S5-B1
+ case 0x3D2BC304: // ECID upper T8030?
+ case 0x3D2BC504: // ECID upper AppleSEPROM-Sicily-A0
+ //return 0xDEADBEEF; // ECID upper
+ return tms->ecid >> 32; // ECID upper
+ case 0x3D2BC400: // EKEY_0
// if 0xBC404 returns 1==0xA55AC33C, this will get ignored
- // return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C
- case 0x3D2BC404:
- // return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
- return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
- case 0x3D2BC604: //?
- return 0xA050C030;
+ //// return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C // my
+ //return 0xA050C030; // Ntrung
+ case 0x3D2BC404: // EKEY_1
+ return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C
+ //return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04
+ case 0x3D2BC600: //? EPRO (Effective Production Status)? CPRO (Certificate Production Status)?
+ //return 0xA55AC33C; // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0;
+ return 0xA55AC33C; // EPRO enabled
+ //return 0xA050C030; // EPRO disabled
+ case 0x3D2BC604: //? CSEC (Certificate Security Mode)?
+ //return 0xA55AC33C; // set at 0x24000b070, causes crash at 0x240008928 // avoided panic(0x74/0xf1) with patches
+ //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off
+ //return 0; // panic(0x74) ?
+ return 0xA55AC33C; // CSEC enabled
+ //return 0xA050C030; // CSEC disabled
case 0x3D2E8000: // ????
- return 0x32B3; // memory encryption AMK (Authentication Master Key)
- // disabled
- // return 0xC2E9; // memory encryption AMK (Authentication Master Key)
- // enabled
- case 0x3D2D0034: //?
- return (1 << 24) | (1 << 25);
+ //return 0x32B3; // memory encryption AMK (Authentication Master Key) disabled // avoided panic(0x74/0xf1) with patches
+ return 0xC2E9; // memory encryption AMK (Authentication Master Key) enabled // needed to avoid panic(0x74) ?
+ case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4
+ //////return 0x3; // 0x2400037a4
+ return pmgr_unk_e4800; // 0x240002c00 and 0x2400037a4
+ case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c
+ return pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4]; // 0x24000377c
+#if 0
+ //case 0x3D2D0034: //? in AES
+ // return (1 << 24) | (1 << 25);
+#endif
+#if 1
+#if 0
+ //case 0x3D2D0020: // ???? in AES
+ // return 4;
+#endif
+ //case 0x3D2BC200: // ????
+ // return 0xA050C030;
+ //case 0x3D2BC204: // ????
+ // return 0xA050C030;
+#endif
+#ifdef DO_SECUREROM
+ case 0x3d2d4040: // SecureROM: prevent panic in platform_bootprep(_panics_on_plain_payload)
+ return (1 << 16);
+ case 0x3d12c014: // while ((*(int64_t*)0x23d12c014 & 0x1ff) == 0)
+ return 0x1;
+#endif
default:
if (((base + addr) & 0x10E70000) == 0x10E70000) {
return (108 << 4) | 0x200000; //?
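Review bot: The `if`/`else` on L1279–L1282 is unreachable because `return 0xA55AC33C;` on L1276 leaves the `case 0x3D2BC004`/`0x3D2BC204` arm first, so the `sep->misc5_regs[0]` check is dead code; either delete L1276–L1277 or delete the conditional, and say in a comment which behaviour is intended. The declaration `uint64_t sep_bit30 = ...` on L1314 directly follows a `case` label, which is not valid before C23 and is rejected by some compilers (a label must precede a statement); wrap that arm in braces, `case 0x3D2BC610: { uint64_t sep_bit30 = ...; return ...; }`. `chip_revision` on L1261–L1263 is a hard-coded 0x11 overriding a commented-out 0x01; make it a named constant or a machine property so the two CPRV encodings on L1326 and L1328 derive from one documented value. The `#if 1`/`#if 0` nests on L1387–L1400 contain only comments and can go.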
@@ -710,6 +940,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
{
MachineState *machine = MACHINE(opaque);
T8030MachineState *tms = T8030_MACHINE(opaque);
+ AppleSEPState *sep;
uint32_t value = data;
if (addr >= 0x80000 && addr <= 0x8C000) {
@@ -725,6 +956,32 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data,
case 0xD4004:
t8030_start_cpus(machine, data);
return;
+ case 0x80C00:
+ sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal));
+#ifdef DO_SECUREROM
+ if ((data & 0xf) == 0xf) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ }
+#else
+ //if ((data >> 31) == 1) {
+ if (((data >> 31) & 1) == 1) {
+ apple_a13_cpu_reset(APPLE_A13(sep->cpu));
+ //} else if ((data & 0xf) == 0xf) {
+ //} else if (((data & (1 << 28)) == 0) && ((data & (1 << 10)) == 0)) {
+ } else if (((data >> 10) & 1) == 0) {
+ if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) {
+ apple_a13_cpu_start(APPLE_A13(sep->cpu));
+ }
+ //} else if ((data & 0xf) == 0x0) {
+ //} else if (((data & (1 << 28)) != 0) && ((data & (1 << 10)) != 0)) {
+ //} else if (((data & (1 << 28)) != 0) || ((data & (1 << 10)) != 0)) {
+ } else if (((data >> 10) & 1) == 1) {
+ apple_a13_cpu_off(APPLE_A13(sep->cpu));
+ }
+#endif
+ break;
}
memcpy(tms->pmgr_reg + addr, &value, size);
}
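Review bot: In the non-`DO_SECUREROM` branch on L1435–L1444 the third condition `((data >> 10) & 1) == 1` is exactly the negation of the second, so the last `else if` is a plain `else`; the commented-out alternatives around it record the experiments rather than the result and should be removed. The meaning given to the bits — bit 31 as a reset request, bit 10 as the power-off state, `(data & 0xf) == 0xf` under `DO_SECUREROM` as run-max — is only readable from the code, so a short comment above `case 0x80C00:` naming them, marked as inferred if they are, would help. The `object_property_get_link(..., &error_fatal)` on L1422 exits the emulator from inside a write handler if the link is absent; resolving it once outside the MMIO path is safer.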
@@ -737,9 +994,15 @@ static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size)
case 0xF0010: //! AppleT8030PMGR::commonSramCheck
result = 0x5000;
break;
+#ifdef DO_SECUREROM
case 0x80C00: //! SEP Power State, Manual & Actual: Run Max
result = 0xFF;
break;
+ case 0x30000: // ??? T8030 IBSS
+ memcpy(&result, tms->pmgr_reg + addr, size);
+ result &= ~(1 << 25); // prevent two busy-loops in T8030 IBSS
+ break;
+#endif
#if 0
case 0xBC008:
result = 0xFFFFFFFF;
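Review bot: Wrapping `case 0x80C00` in `#ifdef DO_SECUREROM` on L1454–L1462 changes what non-SecureROM builds return for the SEP power-state register: reads now take the function's default path instead of the fixed 0xFF, and the hunk does not say whether that default hands back the value `pmgr_reg_write` stores there. A comment at the `#ifdef`, such as `/* without DO_SECUREROM the value written via pmgr_reg_write is read back */`, confirmed against the default arm, would make the intent explicit.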
@@ -772,44 +1035,154 @@ static void amcc_reg_write(void *opaque, hwaddr addr, uint64_t data,
T8030MachineState *tms = T8030_MACHINE(opaque);
uint32_t value = data;
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg WRITE @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ addr, data);
+#endif
memcpy(tms->amcc_reg + addr, &value, size);
}
static uint64_t amcc_reg_read(void *opaque, hwaddr addr, unsigned size)
{
- T8030MachineState *tms = T8030_MACHINE(opaque);
+ MachineState *machine = MACHINE(opaque);
+ T8030MachineState *tms = T8030_MACHINE(machine);
+ hwaddr orig_addr = addr;
+ uint64_t result = 0;
+#if 0
+ if (current_cpu && current_cpu->cpu_index == machine->smp.cpus - 1) {
+ if ((addr & 0xfb0) == 0x6a0) {
+ addr -= 0x20;
+ }// else if ((addr & 0xfb0) == 0x6b0) {
+ // addr -= 0x30;
+ //}
+ //if ((addr & 0xf) == 0x8) {
+ // addr |= 0x4;
+ //}
+ }
+#endif
switch (addr) {
+#if 1
case 0x6A0:
+ //result = 0x800000;
+ //break;
case 0x406A0:
case 0x806A0:
case 0xC06A0:
- return 0x0;
+ //result = 0x0;
+ //result = 0x800000;
+ //result = 0x340000;
+ //result = 0x810000;
+ //result = 0x8f0000;
+ //result = 0x7f0000;
+ //result = 0x3f0000;
+ //result = 0x430000; // at least 0x430000? ; if (misc8_0x318_1_KiB_blocks <= misc8_0x300_amcc_0x6a0_1_KiB_blocks) panic_0_wrapper_0(&DAT_000137c0);
+ //result = 0xff0000;
+ //result = 0xbf0000;
+ //result = 0x18f0000;
+ //result = 0x7ffff0;
+ //result = 0x7ff000;
+ //result = 0x7f8000;
+ //result = 0x300000;
+ //result = 0x340000;
+ //result = 0x2c0000;
+ //result = 0x080000; // Don't know if this is correct.
+ //result = 0x000000;
+ //result = 0x0c0000;
+ //result = 0x020000;
+ result = 0x080000000ULL >> 12;
+ break;
case 0x6A4:
+ //result = 0x8007ff;
+ //break;
// return 0x1003;
case 0x406A4:
// return 0x2003;
case 0x806A4:
// return 0x3003;
case 0xC06A4:
- // return 0x3;
- return 0x1003; // 0x1003 == 0x1004000
- // return 0x4003;
+ // result = 0x3;
+ //result = 0x1003; // 0x1003 << 12 + 0x1000 == 0x1004000
+ // result = 0x4003;
+ //result = 0x8007ff;
+ //result = 0x3407ff;
+ //result = 0x340803;
+ //result = 0x3412ff; // 0x1300000
+ //result = 0x341cff;
+ //result = 0x34243f; // opcode17_val: hex(((0x340000000+(0x4000*0x910)-1))>>12)
+ //result = 0x34aeff;
+ //result = 0x34ffff;
+ //result = 0x34ad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x80ad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x81ad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x8fad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x7fad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x3fad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x43ad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0xffad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0xbfad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x18fad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x80ad9f; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0x81ffff; // SEPOS: SEPOS: init_0: pc=0x0000e060
+ //result = 0xad9f+0x7f8000;
+ //result = 0xad9f+0x300000;
+ //result = 0xad9f+0x340000;
+ //result = 0xad9f+0x080000; // Don't know if this is correct.
+ //result = 0x20000+0x000000-1;
+ //result = 0x20000+0x0c0000-1;
+ //result = 0x20000+0x080000-1;
+ //result = 0x20000+0x020000-1;
+ //result = ((0x20000000+0x080000000ULL)-1)>>12;
+ result = ((0xada0000+0x080000000ULL)-1)>>12;
+ break;
case 0x6A8:
case 0x406A8:
case 0x806A8:
case 0xC06A8:
- return 0x1;
+ result = 0x1;
+ break;
case 0x6B8:
case 0x406B8:
case 0x806B8:
case 0xC06B8:
- return 0x1;
+ result = 0x1;
+ break;
+ case 0x4:
+ result = 0xcf;
+ break;
+#endif
default: {
- uint64_t result = 0;
memcpy(&result, tms->amcc_reg + addr, size);
- return result;
+ break;
+ }
}
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg READ @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ orig_addr, result);
+#endif
+#if 0
+ if (current_cpu && current_cpu->cpu_index == machine->smp.cpus - 1) {
+ /*if ((addr & 0xff) == 0x80) {
+ //result = 0x0;
+ } else */if ((addr & 0xff) == 0x84) {
+ //result += 0x1000;
+ result |= 0x3;
+ //result = 0x1003;
+ } else if ((addr & 0xf) == 0x8) {
+ result = 0x1;
+ }
}
+#if 1
+ qemu_log_mask(LOG_UNIMP,
+ "AMCC reg READ MOD @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx
+ "\n",
+ addr, result);
+#endif
+#endif
+ return result;
}
static const MemoryRegionOps amcc_reg_ops = {
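Review bot: The two values that survive at `result = 0x080000000ULL >> 12;` and `result = ((0xada0000+0x080000000ULL)-1)>>12;` are undocumented, and the roughly forty commented-out alternatives around them record only that other values were tried, not why these two were kept. The `>> 12` and the hint in the `0x430000` comment suggest the 0x6A0/0x6A4 pair is a lower/upper bound in page units that SEP firmware range-checks; if so, say it once, e.g. `// AMCC window bounds in 4 KiB pages (empirically what SEPOS accepts — TODO confirm against hardware)`, and drop the trial values. The always-on `#if 1` LOG_UNIMP prints on every AMCC read and write cannot be disabled at build time and use a log channel meant for unimplemented features; a trace event (hw/misc/apple_mbox.c in this same diff already includes trace.h) is the idiom. The `#if 0` address-rewrite block at the top of `amcc_reg_read` and the `#if 0` post-processing block before `return result;` are dead code that should be removed or carry a comment naming the experiment they preserve.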
@@ -1730,8 +2103,7 @@ static void t8030_create_sep(MachineState *machine)
child = find_dtb_node(armio, "sep");
g_assert(child);
- sep = apple_sep_create(child, T8030_SEPROM_BASE, A13_MAX_CPU + 1,
- tms->build_version, true);
+ sep = apple_sep_create(child, T8030_SEPROM_BASE, A13_MAX_CPU + 1, tms->build_version, true);
g_assert(sep);
object_property_add_child(OBJECT(machine), "sep", OBJECT(sep));
@@ -1741,13 +2113,29 @@ static void t8030_create_sep(MachineState *machine)
reg = (uint64_t *)prop->value;
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, tms->soc_base_pa + reg[0]);
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 1,
- tms->soc_base_pa + 0x41180000); // TRNG
+ tms->soc_base_pa + 0x41180000); // TRNG T8101
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 2,
tms->soc_base_pa + 0x41080000); // MISC0
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 3,
tms->soc_base_pa + 0x41040000); // MISC1
sysbus_mmio_map(SYS_BUS_DEVICE(sep), 4,
tms->soc_base_pa + 0x410C4000); // MISC2
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 5,
+ tms->soc_base_pa + 0x413CA000); // MISC39 T8101
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 6,
+ tms->soc_base_pa + 0x41440000); // MISC4 // 0x241440000
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 7,
+ tms->soc_base_pa + 0x41008000); // MISC5
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 8,
+ tms->soc_base_pa + 0x41280000); // MISC6
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 9,
+ tms->soc_base_pa + 0x41240000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM.
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 10,
+ tms->soc_base_pa + 0x41200000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8.
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 11,
+ tms->soc_base_pa + 0x41100000); // TRNG T8020
+ sysbus_mmio_map(SYS_BUS_DEVICE(sep), 12,
+ tms->soc_base_pa + 0x41388000); // MISC39 T8020
prop = find_dtb_prop(child, "interrupts");
g_assert(prop);
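Review bot: The MMIO indices 5–12 and their SoC offsets are bare magic numbers, and both the T8020 and the T8101 instance of TRNG (indices 1 and 11) and of MISC39 (indices 5 and 12) are mapped unconditionally into one machine. The index order has to match the `sysbus_init_mmio` order in the SEP model (apple_sep.c, not part of this diff), which nothing here enforces; an enum in apple_sep.h such as `SEP_MMIO_TRNG_T8101 = 1, ..., SEP_MMIO_MISC39_T8020 = 12` used on both sides would turn a mismatch into a compile error instead of a silently wrong mapping. A one-line comment on why both SoC layouts coexist (presumably so one SEPROM/SEPOS image family boots regardless of which offsets it probes — confirm) would also help. `t8030_create_sep` continues past this hunk.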
@@ -1758,8 +2146,8 @@ static void t8030_create_sep(MachineState *machine)
qdev_get_gpio_in(DEVICE(tms->aic), ints[i]));
}
- dart = APPLE_DART(
- object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal));
+#if 1
+ dart = APPLE_DART(object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal));
g_assert(dart);
child = find_dtb_node(armio, "dart-sep");
g_assert(child);
@@ -1767,13 +2155,51 @@ static void t8030_create_sep(MachineState *machine)
g_assert(child);
prop = find_dtb_prop(child, "reg");
g_assert(prop);
- sep->dma_mr =
- MEMORY_REGION(apple_dart_iommu_mr(dart, *(uint32_t *)prop->value));
+ sep->dma_mr = MEMORY_REGION(apple_dart_iommu_mr(dart, *(uint32_t *)prop->value));
g_assert(sep->dma_mr);
- g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr",
- OBJECT(sep->dma_mr)));
+ g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(sep->dma_mr)));
sep->dma_as = g_new0(AddressSpace, 1);
address_space_init(sep->dma_as, sep->dma_mr, "sep.dma");
+#if 1
+ // after trying out stuff for too long, Visual told me how to do it approximately, but I had to skip the early addresses because SEPOS is there.
+ MemoryRegion *mr = g_new0(MemoryRegion, 1);
+ //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x80c000);
+ ////memory_region_init_alias(sep->dma_mr, OBJECT(tms), "sep.dma.alias", tms->sysmem, T8030_SEPROM_BASE, T8030_SEPROM_SIZE);
+ memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000);
+ //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x80c000);
+ ////memory_region_add_subregion(tms->sysmem, 0, &sep->dma_mr);
+ ////memory_region_add_subregion(tms->sysmem, 0, mr);
+ memory_region_add_subregion(tms->sysmem, 0x80c000, mr);
+ //memory_region_add_subregion(tms->sysmem, 0x0, mr);
+#if 0
+ if (tms->sepfw_filename) {
+ AddressSpace *nsas = &address_space_memory;
+ size_t garbage = 0;
+ //macho_load_raw_file(tms->sepfw_filename, nsas, tms->sysmem, "sepfw", 0x4000ULL, &garbage);
+ //macho_load_raw_file(tms->sepfw_filename, nsas, mr, "sepfw", 0x4000ULL, &garbage);
+ macho_load_raw_file(tms->sepfw_filename, nsas, sep->dma_mr, "sepfw", 0x4000ULL, &garbage);
+ }
+#endif
+#endif
+#else
+ g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(tms->sysmem)));
+#endif
+#if 0
+ //uint64_t a = le64_to_cpu(0x80c000);
+ //uint32_t l = le32_to_cpu(0x10000);
+ uint64_t a = 0x80c000;
+ uint32_t l = 0x10000;
+ hwaddr len;
+ void *map;
+ //AddressSpace *nsas = &address_space_memory;
+ len = l;
+ map = dma_memory_map(sep->dma_as, a, &len, DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ //map = dma_memory_map(nsas, a, &len, DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ if (!map) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory\n", __func__);
+ }
+#endif
+ //sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, 0x80c000);
sysbus_realize_and_unref(SYS_BUS_DEVICE(sep), &error_fatal);
}
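Review bot: `memory_region_add_subregion(tms->sysmem, 0x80c000, mr);` places a 64 KiB alias of the SEP's DART address space (`sep->dma_mr`) into the AP's system memory, which deliberately bypasses the IOMMU isolation the DART gives the SEP; as a bring-up aid that is fine, but it should sit behind a named debug macro and the comment starting `// after trying out stuff for too long...` should be replaced by one that states what is exposed, e.g. `// DEBUG: mirror 64 KiB of the SEP DMA (DART) space at 0x80c000 into AP sysmem; bypasses DART isolation, bring-up only`. The `t8030_machine_init` hunk later in this diff allocates `SEPFW` RAM at physical 0 with size 0x1000000, which covers 0x80c000; if `t8030_create_sep` runs after that allocation the alias overlaps RAM at equal priority, and `memory_region_add_subregion` is documented for non-overlapping subregions, so the overlap is neither diagnosed nor deterministic by intent — use `memory_region_add_subregion_overlap` with an explicit priority or carve the window out of the RAM. The `#if 1 ... #else ... #endif` that opens in the previous hunk leaves a dead `#else` branch, and the `#if 0` `dma_memory_map` experiment has no matching `dma_memory_unmap` if it is ever re-enabled; both are better removed than kept as commented-out history.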
@@ -1788,9 +2214,12 @@ static void t8030_cpu_reset_work(CPUState *cpu, run_on_cpu_data data)
}
cpu_reset(cpu);
env = &ARM_CPU(cpu)->env;
+#ifndef DO_SECUREROM
env->xregs[0] = tms->bootinfo.bootargs_pa;
cpu_set_pc(cpu, tms->bootinfo.entry);
- // cpu_set_pc(cpu, T8030_SROM_BASE);
+#else
+ cpu_set_pc(cpu, T8030_SROM_BASE);
+#endif
}
static void t8030_cpu_reset(void *opaque)
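Review bot: `DO_SECUREROM` is consumed here and in the `t8030_machine_init` hunks but is defined nowhere in this diff, and hw/usb/hcd-dwc2.c (later in this diff) introduces a second, independently named switch `DO_T8030_SECUREROM` for its `SOC_DMA_BASE`; the two must be toggled by hand in two files, and if they disagree the USB controller's DMA base no longer matches the memory layout the CPU is reset into. Define the switch once in a shared header (or as a build-system `-D`) and have hcd-dwc2.c test that same name. A short comment at `#ifndef DO_SECUREROM`, e.g. `/* DO_SECUREROM: start at T8030_SROM_BASE (SecureROM image) instead of the loaded kernel entry */`, would make the intent visible in this function, whose start lies outside the hunk.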
@@ -1866,13 +2295,55 @@ static void t8030_machine_init(MachineState *machine)
tms = T8030_MACHINE(machine);
tms->sysmem = get_system_memory();
- // allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
- // allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+#ifdef DO_SECUREROM
+ allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0);
+ allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0);
+ //allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x00000038 * 4, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x1000, 0);
+ allocate_ram(tms->sysmem, "SRAM_TEST_1", 0x23b2c4000, 0x1000, 0); // 0x23b2c401c
+ allocate_ram(tms->sysmem, "SRAM_TEST_2", 0x23b2c8000, 0x1000, 0); // 0x23b2c801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_3", 0x23b2cc000, 0x1000, 0); // 0x23b2cc01c
+ allocate_ram(tms->sysmem, "SRAM_TEST_4", 0x23e804000, 0x1000, 0); // 0x23e8040fc
+ allocate_ram(tms->sysmem, "SRAM_TEST_5", 0x23e808000, 0x1000, 0); // 0x23e808004
+ allocate_ram(tms->sysmem, "SRAM_TEST_6", 0x23D008000, 0x1000, 0); // 0x23D008000
+ allocate_ram(tms->sysmem, "SRAM_TEST_7", 0x24A854000, 0x1000, 0); // 0x24A85401C
+ allocate_ram(tms->sysmem, "SRAM_TEST_8", 0x24a858000, 0x1000, 0); // 0x24a85801c
+ allocate_ram(tms->sysmem, "SRAM_TEST_9", 0x23C260000, 0x1000, 0); // 0x23C260000
+ allocate_ram(tms->sysmem, "SRAM_TEST_10", 0x23C280000, 0x1000, 0); // 0x23C280000
+ allocate_ram(tms->sysmem, "SRAM_TEST_11", 0x23c290000, 0x1000, 0); // 0x23c290000
+ allocate_ram(tms->sysmem, "SRAM_TEST_12", 0x23c2a0000, 0x1000, 0); // 0x23c2a0000
+ //allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x1000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x60000, 0); // 0x23FE00000
+ allocate_ram(tms->sysmem, "SRAM_TEST_14", 0x23E041000, 0x1000, 0); // 0x23E041010
+ allocate_ram(tms->sysmem, "SRAM_TEST_15", 0x23E80C000, 0x1000, 0); // 0x23E80C000
+#endif
allocate_ram(tms->sysmem, "DRAM", T8030_DRAM_BASE, T8030_DRAM_SIZE, 0);
- allocate_ram(tms->sysmem, "SEPROM", T8030_SEPROM_BASE, T8030_SEPROM_SIZE,
- 0);
- allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ allocate_ram(tms->sysmem, "SEP", T8030_SEP_BASE, T8030_SEP_SIZE, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x500000000ULL, 0);
+ allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x60000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_30", 0x300000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_32", 0x320000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_34", 0x340000000ULL, 0x20000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8", 0x300000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_3_8_0", 0x380000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8", 0xf00000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "DRAM_f_8_0", 0xf80000000ULL, 0x80000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW_0", 0x000000000ULL, 0x800000ULL, 0);
+ ////allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL+0x4000ULL, 0);
+ allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x1000000ULL, 0);
+ //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x2000000ULL, 0);
+
+#if 0
+ MemoryRegion *mr = g_new0(MemoryRegion, 1);
+ memory_region_init_alias(mr, OBJECT(tms), "t8030.seprom.alias", tms->sysmem,
+ T8030_SEPROM_BASE, T8030_SEPROM_SIZE);
+ memory_region_add_subregion_overlap(tms->sysmem, 0, mr, 1);
+#endif
+#ifndef DO_SECUREROM
hdr = macho_load_file(machine->kernel_filename);
g_assert(hdr);
tms->kernel = hdr;
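Review bot: The fifteen `SRAM_TEST_n` regions are 4 KiB of RAM dropped at addresses whose only comment is a bare hex address, which looks like the faulting access that motivated each one (inferred); backing those addresses with RAM turns what would be a reported unimplemented-MMIO access into silent success, so each entry should say which device or register range it stands in for, or the list should become a single commented table. Under `DO_SECUREROM` neither `hdr`/`tms->kernel` nor, in the next hunk, `tms->trustcache` is set, so any later unconditional use outside these guards (not shown here) would dereference NULL, and `tms->rtbuddyv2_protocol_version = 11;` in that hunk is a magic number that deserves a named constant or a comment. The `SEPFW` allocation of 0x1000000 bytes at physical 0 overlaps the 0x80c000 alias that `t8030_create_sep` adds to the same `sysmem` (see the SEP hunk earlier in this diff), and `DRAM_3` is sized 0x60000000 with no note on what that range backs.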
@@ -1911,10 +2382,15 @@ static void t8030_machine_init(MachineState *machine)
g_phys_base = (hwaddr)macho_get_buffer(hdr);
t8030_patch_kernel(hdr);
+#else
+ tms->rtbuddyv2_protocol_version = 11;
+#endif
tms->device_tree = load_dtb_from_file(machine->dtb);
+#ifndef DO_SECUREROM
tms->trustcache = load_trustcache_from_file(tms->trustcache_filename,
&tms->bootinfo.trustcache_size);
+#endif
data = 24000000;
set_dtb_prop(tms->device_tree, "clock-frequency", sizeof(data), &data);
child = find_dtb_node(tms->device_tree, "arm-io");
diff --git a/hw/arm/xnu.c b/hw/arm/xnu.c
index fd1529e93f..df0b70e537 100644
--- a/hw/arm/xnu.c
+++ b/hw/arm/xnu.c
@@ -91,7 +91,7 @@ static const char *REM_NAMES[] = {
"dart-rsm\0$", "dart-scaler\0$", "dart-jpeg0\0$",
"dart-jpeg1\0$", "dart-isp\0$", "dart-ave\0$",
"dart-avd\0$", "dart-ane\0$", "dart-apcie2\0$",
- "dart-apcie3\0$",
+ "dart-apcie3\0$", //"dart-sep\0$",
};
static const char *REM_DEV_TYPES[] = { "backlight\0$", "pmp\0$", "wlan\0$",
@@ -113,6 +113,8 @@ static const char *REM_PROPS[] = {
"soc-tuning",
"mcc-power-gating",
"function-dock_parent",
+ "function-wait_for_power_gate",
+ "self-power-gate",
};
static void allocate_and_copy(MemoryRegion *mem, AddressSpace *as,
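Review bot: `"function-wait_for_power_gate"` and `"self-power-gate"` are added to the device-tree properties stripped from every node without a comment on what the guest does when they are present (presumably waits on a power gate this machine never models — confirm). A one-line comment above the two entries, e.g. `/* power-gate handshakes this machine does not emulate */`, would keep the next reader from re-adding them.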
@@ -421,8 +423,40 @@ void macho_populate_dtb(DTBNode *root, macho_boot_info_t info)
set_dtb_prop(child, "security-domain", sizeof(data), &data);
set_dtb_prop(child, "chip-epoch", sizeof(data), &data);
set_dtb_prop(child, "amfi-allows-trust-cache-load", sizeof(data), &data);
- // data = 1;
- // set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+ //data = 1;
+ //set_dtb_prop(child, "debug-enabled", sizeof(data), &data);
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 1;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 0;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
+#if 0
+ data = 0;
+ set_dtb_prop(child, "protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data);
+ data = 1;
+ set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data);
+ set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data);
+#endif
child = get_dtb_node(root, "chosen/manifest-properties");
set_dtb_prop(child, "BNCH", sizeof(info->boot_nonce_hash),
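Review bot: The four `#if 0` blocks enumerate every combination of `protected-data-access`/`no-protected-data-access` and `sepfw-load-at-boot`/`no-sepfw-load-at-boot`, but none is compiled, so behaviour is unchanged while the reader has to diff four near-identical blocks to learn that. Replace them with one comment stating which combinations were tried and why the properties were left at their device-tree defaults, or with a single block driven by two booleans, e.g. `data = protected ? 1 : 0; set_dtb_prop(child, "protected-data-access", sizeof(data), &data);`. These properties appear to control how the AP handles SEP-protected data, so whichever setting is eventually chosen should carry a note on its security meaning. `macho_populate_dtb` continues outside the hunk.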
@@ -431,6 +465,7 @@ void macho_populate_dtb(DTBNode *root, macho_boot_info_t info)
child = get_dtb_node(root, "filesystems");
child = get_dtb_node(child, "fstab");
+ //remove_dtb_node_by_name(child, "xart-vol");
remove_dtb_node_by_name(child, "baseband-vol");
macho_dtb_node_process(root, NULL);
diff --git a/hw/misc/apple_aes.c b/hw/misc/apple_aes.c
index cd55638d3c..bb665150d1 100644
--- a/hw/misc/apple_aes.c
+++ b/hw/misc/apple_aes.c
@@ -372,8 +372,9 @@ static uint64_t aes_security_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case 0x20: //! board-id
return 0x4;
- case 0x34: //? bit 24 = is fresh boot?
- return (1 << 24) | (1 << 25);
+ case 0x34: //? bit 24 = is first boot ; bit 25 = something with memory encryption?
+ //return (1 << 24) | (1 << 25);
+ return (1 << 24) | (0 << 25);
default: //! We don't know the rest
return 0xFF;
}
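Review bot: `return (1 << 24) | (0 << 25);` is `1 << 24` with a no-op OR; if the intent is to record that bit 25 is now deliberately clear, say so in the comment rather than in dead arithmetic: `case 0x34: /* bit 24: first boot; bit 25 (memory-encryption related?) intentionally clear */ return 1 << 24;`. Because the guest consults this as a security-status register, the comment should also note that the value is a fixed answer rather than derived from any emulated state, so nothing downstream mistakes it for a reflection of real boot state.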
diff --git a/hw/misc/apple_mbox.c b/hw/misc/apple_mbox.c
index fbe337fce3..fb0ad3158f 100644
--- a/hw/misc/apple_mbox.c
+++ b/hw/misc/apple_mbox.c
@@ -9,25 +9,6 @@
#include "qemu/main-loop.h"
#include "trace.h"
-#define IOP_LOG_MSG(s, t, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: %s message (msg->endpoint: 0x%X " \
- "msg->data[0]: 0x" HWADDR_FMT_plx \
- " msg->data[1]: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
- s->ep0_status); \
- } while (0)
-
-#define IOP_LOG_MGMT_MSG(s, msg) \
- do { \
- qemu_log_mask(LOG_GUEST_ERROR, \
- "%s: IOP received management message (msg->endpoint: " \
- "0x0 msg->raw: 0x" HWADDR_FMT_plx \
- " s->ep0_status: 0x%X)\n", \
- s->role, msg->raw, s->ep0_status); \
- } while (0)
//! ------ V3 ------
@@ -36,21 +17,30 @@
#define REG_V3_CPU_STATUS (0x0048)
#define V3_CPU_STATUS_IDLE (0x1)
+
+#define REG_V3_UNKNOWN0 (0x004c)
+#define REG_V3_UNKNOWN1 (0x0818)
+#define REG_V3_UNKNOWN2 (0x081c) // "akf: READ IRQ %x"
#define REG_V3_NMI0 (0xC04) // ??
#define REG_V3_NMI1 (0xC14) // ??
#define REG_AKF_CONFIG (0x2043) // ??
-#define REG_V3_IOP_INT_MASK_SET (0x4100)
-#define REG_V3_IOP_INT_MASK_CLR (0x4108)
+//#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8101 64-bit
+//#define REG_V3_IOP_INT_MASK_CLR (0x4108) // T8101 64-bit
+#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8020 32-bit
+#define REG_V3_IOP_INT_MASK_CLR (0x4104) // T8020 32-bit
-#define REG_V3_IOP_I2A_CTRL (0x4114)
+
+//#define REG_V3_IOP_I2A_CTRL (0x4114) // T8101 32-bit
+#define REG_V3_IOP_I2A_CTRL (0x410c) // T8020 32-bit
#define REG_V3_IOP_I2A_SEND0 (0x4820)
#define REG_V3_IOP_I2A_SEND1 (0x4824)
#define REG_V3_IOP_I2A_SEND2 (0x4828)
#define REG_V3_IOP_I2A_SEND3 (0x482C)
-#define REG_V3_IOP_A2I_CTRL (0x4110)
+//#define REG_V3_IOP_A2I_CTRL (0x4110) // T8101 32-bit
+#define REG_V3_IOP_A2I_CTRL (0x4108) // T8020 32-bit
#define REG_V3_IOP_A2I_RECV0 (0x4810)
#define REG_V3_IOP_A2I_RECV1 (0x4814)
#define REG_V3_IOP_A2I_RECV2 (0x4818)
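Review bot: The T8020 offsets are selected by commenting out the T8101 defines, so `REG_V3_IOP_INT_MASK_CLR` silently moves from 0x4108 to 0x4104 and 0x4108 becomes `REG_V3_IOP_A2I_CTRL`; a guest using the T8101 layout will now have its mask-clear writes land on the A2I control register with no diagnostic. Since `apple_mbox_create` already records `s->protocol_version`, the cleaner shape is a per-variant struct of offsets (`{ .int_mask_set, .int_mask_clr, .i2a_ctrl, .a2i_ctrl }`) chosen at creation time, with the `// T8020 32-bit` / `// T8101 64-bit` remarks moved onto the two tables. `REG_V3_UNKNOWN0..2` should at least note which guest code path touches them; the `"akf: READ IRQ %x"` string on `REG_V3_UNKNOWN2` is a good start.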
@@ -142,7 +132,7 @@ static gint g_uint_cmp(gconstpointer a, gconstpointer b)
return a - b;
}
-static bool apple_mbox_outbox_empty(AppleMboxState *s)
+bool apple_mbox_outbox_empty(AppleMboxState *s)
{
return QTAILQ_EMPTY(&s->outbox);
}
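Review bot: `apple_mbox_outbox_empty`, and in the next two hunks `apple_mbox_inbox_push` and `apple_mbox_outbox_pop`, lose `static`, but the include/hw/misc/apple_mbox.h hunk at the end of this diff is cut off, so I cannot see matching prototypes; without them `-Wmissing-prototypes` fires and external callers get no type checking. Both queue operations run under `WITH_QEMU_LOCK_GUARD(&s->mutex)` in the register handlers but do not take the lock themselves, so the exported declarations should state that contract, e.g. `/* Caller must hold s->mutex; takes ownership of msg. */` on `apple_mbox_inbox_push`.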
@@ -203,7 +193,7 @@ static void ap_update_irq(AppleMboxState *s)
* Push a message from AP to IOP,
* take ownership of msg
*/
-static void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
{
QTAILQ_INSERT_TAIL(&s->inbox, msg, entry);
s->inboxCount++;
@@ -236,7 +226,7 @@ static void apple_mbox_outbox_push(AppleMboxState *s, apple_mbox_msg_t msg)
iop_update_irq(s);
}
-static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
{
apple_mbox_msg_t msg = QTAILQ_FIRST(&s->outbox);
if (msg) {
@@ -248,6 +238,15 @@ static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s)
return msg;
}
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep,
+ uint64_t msg)
+{
+ apple_mbox_msg_t m = g_new0(struct apple_mbox_msg, 1);
+ m->msg = msg;
+ m->endpoint = ep;
+ apple_mbox_inbox_push(s, m);
+}
+
void apple_mbox_send_control_message(AppleMboxState *s, uint32_t ep,
uint64_t msg)
{
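Review bot: `apple_mbox_send_inbox_control_message` calls `apple_mbox_inbox_push` without holding `s->mutex`, while every push site in the register handlers in this file runs inside `WITH_QEMU_LOCK_GUARD(&s->mutex)`; a caller that is not already serialised against those handlers would race on the inbox list and `inboxCount`. Wrap the push: `WITH_QEMU_LOCK_GUARD(&s->mutex) {` / `    apple_mbox_inbox_push(s, m);` / `}`, or document that callers must hold the lock. It also sets `m->msg`, whereas the register paths fill `msg->data`; if those are not aliases of the same storage in `struct apple_mbox_msg` (not visible here), the body read back by `REG_V3_IOP_A2I_RECV0` stays zero — worth confirming.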
@@ -455,15 +454,24 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
s->int_mask = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
case REG_V3_CPU_CTRL:
- if (data & V3_CPU_CTRL_RUN) {
+ if (data & V3_CPU_CTRL_RUN)
+ //if ((data & V3_CPU_CTRL_RUN) || (data & 0x10000))
+ {
struct apple_mbox_mgmt_msg m = { 0 };
s->regs[REG_V3_CPU_STATUS] &= ~V3_CPU_STATUS_IDLE;
iop_start(s);
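Review bot: `if (data & V3_CPU_CTRL_RUN)` followed by a commented-out alternative condition and then `{` on its own line breaks the file's brace style purely to park an experiment; keep `if (data & V3_CPU_CTRL_RUN) {` and put `// alternative tried: also start on bit 16 (0x10000); did not help` above it. The `#if 0` block in the next hunk that reacts to `data & (1 << 16)` is the other half of the same experiment and is dead code. `struct sep_message sep_msg = { 0 };` is used only in the SEP-role branches further down, so declaring it there keeps its scope honest; `apple_mbox_v3_reg_write` starts before this hunk.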
@@ -475,6 +483,16 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
apple_mbox_send_control_message(s, 0, m.raw);
}
+#if 0
+ if ((data & (1 << 16)) != 0) {
+ //qemu_set_irq(s->iop_irq, 1);
+ //qemu_set_irq(s->test_irq, 1);
+ ////qemu_set_irq(qdev_get_gpio_in(gpio, T8030_GPIO_FORCE_DFU), 1);
+ //if (s->AppleSEPResetMisc_func != NULL) {
+ // //s->AppleSEPResetMisc_func(0x800000000ULL);
+ //}
+ }
+#endif
break;
case REG_V3_A2I_PUSH0:
QEMU_FALLTHROUGH;
@@ -486,6 +504,11 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_A2I_PUSH3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_A2I_PUSH0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_A2I_PUSH3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
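Review bot: The `if (!strcmp(s->role, "SEP")) { memcpy(&sep_msg.raw, ...); qemu_log_mask(LOG_UNIMP, ...); }` block is copied eight times across the v3 and v2 read/write handlers in this diff (here, REG_V3_IOP_I2A_SEND3, REG_V3_I2A_POP_0_LOW, REG_V3_IOP_A2I_RECV0, REG_V2_A2I_PUSH_HIGH, REG_V2_IOP_I2A_SEND1, REG_V2_I2A_POP_LOW, REG_V2_IOP_A2I_RECV_LOW), each with a hand-typed label and a `strcmp` on the message hot path. LOG_UNIMP is also the wrong channel for per-message tracing — it is for unimplemented-feature warnings — and this file already includes trace.h, so a trace event, or at least one static helper, is the idiom. With a helper the format string lives in one place and each site becomes `sep_trace_msg(s, "REG_V3_A2I_PUSH3", msg->data);`.
```c
/* Decode the first 8 bytes of a mailbox message as a SEP message and log it.
 * Only active for the "SEP" role; `where` names the register being serviced. */
static void sep_trace_msg(AppleMboxState *s, const char *where, const void *data)
{
    struct sep_message sep_msg = { 0 };

    if (strcmp(s->role, "SEP") != 0) {
        return;
    }
    memcpy(&sep_msg.raw, data, 8);
    qemu_log_mask(LOG_UNIMP,
                  "%s: %s: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), "
                  "param=0x%02x, data=0x%08x\n",
                  s->role, where, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode,
                  sep_msg.opcode, sep_msg.param, sep_msg.data);
}
/* … call sites: sep_trace_msg(s, "REG_V3_A2I_PUSH3", msg->data); … */
```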
@@ -518,6 +541,26 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V3_IOP_I2A_SEND3 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V3_IOP_I2A_SEND0], 16);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_I2A_SEND3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 103 || sep_msg.opcode == 117))
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ g_free(msg);
+ break;
+ }
+#if 0
+ else if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 0x66 || sep_msg.opcode == 0xd2) && sep_msg.data == 0x2)
+ {
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: change_status: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ sep_msg.data = 0x8;
+ memcpy(msg->data, &sep_msg.raw, 8);
+ }
+#endif
+ qemu_log_mask(LOG_UNIMP, "SEP skip_test: not skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
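Review bot: Messages from the SEP with `endpoint == 0xff` and opcode 103 or 117 are now silently dropped (`g_free(msg); break;`), which skips both `apple_mbox_outbox_push` and the `IOP_LOG_MSG` audit line, and the two opcodes are bare numbers; give them named constants with a comment on what the AP would do on receipt so a reader can tell which behaviour is being suppressed. After `g_free(msg)` the local `msg` is left dangling and the rest of `apple_mbox_v3_reg_write` is outside this hunk, so if anything after the switch touches `msg` that is a use-after-free — add `msg = NULL;` before the `break;`. The `skip_test` wording in the log text suggests a temporary experiment; if it stays, the `"SEP skip_test: not skipping"` line fires for every SEP message and should go.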
@@ -545,6 +588,7 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
AppleMboxState *s = APPLE_MBOX(opaque);
uint64_t ret = 0;
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
@@ -552,9 +596,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V3_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V3_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V3_I2A_POP_0_LOW:
msg = apple_mbox_outbox_pop(s);
if (!msg) {
@@ -562,7 +610,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
}
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", msg);
-
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_I2A_POP_0_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V3_I2A_POP_0_LOW], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
@@ -575,9 +627,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V3_I2A_POP_1_HIGH:
break;
case REG_V3_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V3_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V3_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V3_IOP_A2I_CTRL:
@@ -602,6 +658,27 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
case REG_V3_CPU_STATUS:
break;
+ case REG_V3_UNKNOWN0:
+#if 0
+ ret = ((apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_EMPTY)) ||
+ (!apple_mbox_inbox_empty(s) &&
+ !(s->iop_int_mask & V2_A2I_NONEMPTY)) ||
+ (apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_EMPTY)) ||
+ (!apple_mbox_outbox_empty(s) &&
+ !(s->iop_int_mask & V2_I2A_NONEMPTY)));
+#endif
+ ret = 1;
+ // TODO: response not interrupt available, but something with REG_V3_CPU_CTRL?
+ break;
+ case REG_V3_UNKNOWN1:
+ break;
+ case REG_V3_UNKNOWN2:
+ //ret = 1;
+ //ret = 0xffffffff;
+ return 0;
+ break;
case REG_V3_IOP_A2I_RECV0:
msg = apple_mbox_inbox_pop(s);
if (!msg) {
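Review bot: `case REG_V3_UNKNOWN2:` uses `return 0;` followed by an unreachable `break;`, which is exactly the shape the neighbouring hunks in this function convert to `ret = ...; break;` so that the single exit and end-of-read logging are preserved; make it `ret = 0;` / `break;`. `REG_V3_UNKNOWN0` always answers 1 under a TODO admitting the semantics are unknown — keep the TODO but also record what the guest does with the value (the disabled expression above it suggests an "interrupt pending" summary was the first guess) so the next person knows what to verify. `apple_mbox_v3_reg_read` continues outside the hunk.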
@@ -609,6 +686,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
}
msg->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", msg);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_A2I_RECV0: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], msg->data, 16);
memcpy(&ret, &s->regs[addr], size);
g_free(msg);
@@ -626,6 +708,12 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v3: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -646,9 +734,16 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
{
AppleMboxState *s = APPLE_MBOX(opaque);
apple_mbox_msg_t msg = NULL;
+ struct sep_message sep_msg = { 0 };
WITH_QEMU_LOCK_GUARD(&s->mutex)
{
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: Begin write to 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, data);
+#endif
memcpy(&s->regs[addr], &data, size);
switch (addr) {
@@ -671,6 +766,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_A2I_PUSH_HIGH + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_A2I_PUSH_LOW], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_A2I_PUSH_HIGH: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_inbox_push(s, msg);
IOP_LOG_MSG(s, "AP sent", msg);
}
@@ -699,6 +799,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
if (addr + size == REG_V2_IOP_I2A_SEND1 + 4) {
msg = g_new0(struct apple_mbox_msg, 1);
memcpy(msg->data, &s->regs[REG_V2_IOP_I2A_SEND0], 8);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, msg->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_I2A_SEND1: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
apple_mbox_outbox_push(s, msg);
IOP_LOG_MSG(s, "IOP sent", msg);
}
@@ -724,6 +829,7 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr,
static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
{
AppleMboxState *s = APPLE_MBOX(opaque);
+ struct sep_message sep_msg = { 0 };
uint64_t ret = 0;
WITH_QEMU_LOCK_GUARD(&s->mutex)
@@ -733,9 +839,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
switch (addr) {
case REG_V2_INT_MASK_SET:
- return s->int_mask;
+ //return s->int_mask;
+ ret = s->int_mask;
+ break;
case REG_V2_INT_MASK_CLR:
- return ~s->int_mask;
+ //return ~s->int_mask;
+ ret = ~s->int_mask;
+ break;
case REG_V2_I2A_POP_LOW:
m = apple_mbox_outbox_pop(s);
if (!m) {
@@ -743,7 +853,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
}
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "AP received", m);
-
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_I2A_POP_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[REG_V2_I2A_POP_LOW], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
@@ -752,9 +866,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
case REG_V2_I2A_POP_HIGH:
break;
case REG_V2_IOP_INT_MASK_SET:
- return s->iop_int_mask;
+ //return s->iop_int_mask;
+ ret = s->iop_int_mask;
+ break;
case REG_V2_IOP_INT_MASK_CLR:
- return ~s->iop_int_mask;
+ //return ~s->iop_int_mask;
+ ret = ~s->iop_int_mask;
+ break;
case REG_V2_A2I_CTRL:
QEMU_FALLTHROUGH;
case REG_V2_IOP_A2I_CTRL:
@@ -780,6 +898,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
}
m->flags = iop_outbox_flags(s);
IOP_LOG_MSG(s, "IOP received", m);
+ if (!strcmp(s->role, "SEP"))
+ {
+ memcpy(&sep_msg.raw, m->data, 8);
+ qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_A2I_RECV_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data);
+ }
memcpy(&s->regs[addr], m->data, 8);
memcpy(&ret, &s->regs[addr], size);
g_free(m);
@@ -793,6 +916,12 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size)
break;
}
}
+#if 0
+ qemu_log_mask(LOG_UNIMP,
+ "%s AKF_v2: End read from 0x" HWADDR_FMT_plx
+ " of value 0x" HWADDR_FMT_plx "\n",
+ s->role, addr, ret);
+#endif
return ret;
}
@@ -882,6 +1011,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque,
s->protocol_version = protocol_version;
s->role = g_strdup(role);
s->ops = ops;
+ //s->AppleSEPResetMisc_func = NULL;
snprintf(name, sizeof(name), TYPE_APPLE_MBOX ".%s.akf-reg", s->role);
@@ -901,6 +1031,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque,
}
qdev_init_gpio_out_named(DEVICE(dev), &s->iop_irq, APPLE_MBOX_IOP_IRQ, 1);
+ qdev_init_gpio_out_named(DEVICE(dev), &s->test_irq, APPLE_MBOX_TEST_IRQ, 1);
QTAILQ_INIT(&s->inbox);
QTAILQ_INIT(&s->outbox);
QTAILQ_INIT(&s->rollcall);
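Review bot: `s->test_irq` is wired as a GPIO output here and `APPLE_MBOX_TEST_IRQ` is added to the header, but nothing in this diff ever asserts it — the only `qemu_set_irq(s->test_irq, 1)` is inside an `#if 0` in `apple_mbox_v3_reg_write`. Either drop the output until it has a user, or add a comment at the declaration saying what it is meant to signal, e.g. `/* test_irq: experimental line, intended for CPU_CTRL bit 16; no consumer yet — TODO confirm */`. `apple_mbox_create` starts outside this hunk.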
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
index b5e29fbdd5..316127a239 100644
--- a/hw/usb/hcd-dwc2.c
+++ b/hw/usb/hcd-dwc2.c
@@ -44,8 +44,13 @@
#include "qemu/units.h"
#include "trace.h"
-// #define SOC_DMA_BASE (0x100000000ULL)
+//#define DO_T8030_SECUREROM 1
+
+#ifdef DO_T8030_SECUREROM
+#define SOC_DMA_BASE (0x100000000ULL)
+#else
#define SOC_DMA_BASE (0x0ULL)
+#endif
#define USB_HZ_FS 12000000
#define USB_HZ_HS 96000000
diff --git a/include/hw/arm/apple_a13.h b/include/hw/arm/apple_a13.h
index 44ecfefd46..51b9a6b251 100644
--- a/include/hw/arm/apple_a13.h
+++ b/include/hw/arm/apple_a13.h
@@ -66,6 +66,8 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(ARM64_REG_HID14);
A13_CPREG_VAR_DEF(ARM64_REG_HID16);
A13_CPREG_VAR_DEF(ARM64_REG_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_LSU_ERR_STS);
+ A13_CPREG_VAR_DEF(SYS_E_FED_ERR_STS);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0);
A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0);
A13_CPREG_VAR_DEF(ARM64_REG_3_3_15_7);
@@ -75,7 +77,10 @@ typedef struct AppleA13State {
A13_CPREG_VAR_DEF(PMCR1);
A13_CPREG_VAR_DEF(PMSR);
A13_CPREG_VAR_DEF(S3_4_c15_c0_5);
- A13_CPREG_VAR_DEF(SYS_HCR_EL2);
+ A13_CPREG_VAR_DEF(SYS_HCR_EL2); // TODO: already exists in target/arm/helper.c
+ A13_CPREG_VAR_DEF(SYS_PRE_LLCFLUSH_TMR);
+ A13_CPREG_VAR_DEF(SYS_ACC_PWR_DN_SAVE);
+ A13_CPREG_VAR_DEF(SYS_AON_CNT_CTL);
A13_CPREG_VAR_DEF(AMX_STATUS_EL1);
A13_CPREG_VAR_DEF(AMX_CTL_EL1);
A13_CPREG_VAR_DEF(ARM64_REG_CYC_OVRD);
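Review bot: `SYS_PRE_LLCFLUSH_TMR`, `SYS_ACC_PWR_DN_SAVE` and `SYS_AON_CNT_CTL` get backing variables here, but the matching `A13_CPREG_DEF` rows in hw/arm/apple_a13.c are not in the part of this diff I can see, so either they already exist or this adds unused fields — worth confirming. The `// TODO: already exists in target/arm/helper.c` on `SYS_HCR_EL2` should say what the duplication does: a plain read/write storage register at HCR_EL2's encoding (3,4,1,1,0) can shadow the architectural register, after which guest writes to HCR_EL2 would stop changing the emulated EL2 trap configuration, depending on the type flags in `A13_CPREG_DEF` and registration order (neither visible here). Something like `// TODO: duplicates architectural HCR_EL2 (3,4,1,1,0); if this definition wins, HCR_EL2 writes no longer affect EL2 trapping` tells the reader what is at stake.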
diff --git a/include/hw/arm/apple_sep.h b/include/hw/arm/apple_sep.h
index 96740ccd58..e5a8540394 100644
--- a/include/hw/arm/apple_sep.h
+++ b/include/hw/arm/apple_sep.h
@@ -24,6 +24,7 @@
#include "hw/arm/apple_a13.h"
#include "hw/arm/xnu_dtb.h"
#include "hw/misc/apple_mbox.h"
+#include "hw/boards.h"
#include "hw/sysbus.h"
#include "qemu/typedefs.h"
#include "qom/object.h"
@@ -42,13 +43,27 @@ struct AppleSEPState {
AppleMboxState *mbox;
MemoryRegion *dma_mr;
AddressSpace *dma_as;
- MemoryRegion trng_mr;
+ MemoryRegion trng_t8020_mr;
+ MemoryRegion trng_t8101_mr;
MemoryRegion misc0_mr;
MemoryRegion misc1_mr;
MemoryRegion misc2_mr;
+ MemoryRegion misc3_mr;
+ MemoryRegion misc4_mr; // MISC4 // T8101 BootMonitor for SEPOS loading?
+ MemoryRegion misc5_mr;
+ MemoryRegion misc6_mr;
+ MemoryRegion misc7_mr;
+ MemoryRegion misc8_mr;
+ MemoryRegion misc9_mr;
uint8_t misc0_regs[REG_SIZE];
uint8_t misc1_regs[REG_SIZE];
uint8_t misc2_regs[REG_SIZE];
+ uint8_t misc39_regs[REG_SIZE];
+ uint8_t misc4_regs[REG_SIZE];
+ uint8_t misc5_regs[REG_SIZE];
+ uint8_t misc6_regs[REG_SIZE];
+ uint8_t misc7_regs[REG_SIZE];
+ uint8_t misc8_regs[REG_SIZE];
};
AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id,
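Review bot: The backing array `uint8_t misc39_regs[REG_SIZE];` does not line up with the new `misc3_mr`/`misc9_mr` regions: if both MMIO windows write into this one array, a store through one window becomes visible through the other, and if the name is merely a typo for `misc3_regs` then `misc9_mr` has no storage at all. Either rename it `misc3_regs` and add `misc9_regs`, or add a comment stating that misc3 and misc9 deliberately share one register file. Each array is sized by `REG_SIZE` from apple_mbox.h, so the sizes passed when the regions are created (outside this hunk) must be the same constant or an in-range MMIO offset indexes past the array — worth a `QEMU_BUILD_BUG_ON` or an explicit check there. The `// MISC4 // T8101 BootMonitor for SEPOS loading?` comment should be made a definite statement or dropped.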
diff --git a/include/hw/misc/apple_mbox.h b/include/hw/misc/apple_mbox.h
index d802cffd40..ea667afb68 100644
--- a/include/hw/misc/apple_mbox.h
+++ b/include/hw/misc/apple_mbox.h
@@ -11,6 +11,7 @@
#define APPLE_MBOX_IRQ_I2A_NONEMPTY 2
#define APPLE_MBOX_IRQ_I2A_EMPTY 3
#define APPLE_MBOX_IOP_IRQ "apple-mbox-iop-irq"
+#define APPLE_MBOX_TEST_IRQ "apple-mbox-test-irq"
#define APPLE_MBOX_MMIO_V3 0
#define APPLE_MBOX_MMIO_V2 1
@@ -19,10 +20,33 @@
OBJECT_DECLARE_SIMPLE_TYPE(AppleMboxState, APPLE_MBOX)
#define REG_SIZE (0x10000)
+//#define REG_SIZE (0x5c000)
#define EP_MANAGEMENT (0)
#define EP_CRASHLOG (1)
+
+#define IOP_LOG_MSG(s, t, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: %s message (msg->endpoint: 0x%X " \
+ "msg->data[0]: 0x" HWADDR_FMT_plx \
+ " msg->data[1]: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, t, msg->endpoint, msg->data[0], msg->data[1], \
+ s->ep0_status); \
+ } while (0)
+
+#define IOP_LOG_MGMT_MSG(s, msg) \
+ do { \
+ qemu_log_mask(LOG_GUEST_ERROR, \
+ "%s: IOP received management message (msg->endpoint: " \
+ "0x0 msg->raw: 0x" HWADDR_FMT_plx \
+ " s->ep0_status: 0x%X)\n", \
+ s->role, msg->raw, s->ep0_status); \
+ } while (0)
+
+
enum apple_mbox_ep0_state {
EP0_IDLE,
EP0_WAIT_HELLO,
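Review bot: The `IOP_LOG_MSG` and `IOP_LOG_MGMT_MSG` macros use their arguments unparenthesised (`s->role`, `msg->endpoint`, bare `t`), so passing a cast or `&x` for `s` or `msg` breaks the expansion; write `(s)->role`, `(t)`, `(msg)->endpoint`, `(msg)->data[0]`. They also log under `LOG_GUEST_ERROR`, which is meant for guest misbehaviour, while the wording ("IOP received management message") describes normal traffic — a guest can flood the log and anyone enabling guest_errors gets noise, so a trace event or a dedicated log mask fits better. `HWADDR_FMT_plx` requires `msg->data[n]` to be `hwaddr` and `%X` requires `endpoint`/`ep0_status` to promote to unsigned int; the types are not visible here, so please confirm them. Finally `//#define REG_SIZE (0x5c000)` should go: `REG_SIZE` sizes the `misc*_regs` arrays in apple_sep.h, and a commented alternative invites a silent struct-size change.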
@@ -89,6 +113,8 @@ typedef struct apple_mbox_ep_handler_data {
void *opaque;
} apple_mbox_ep_handler_data;
+typedef void AppleSEPResetMisc(vaddr vector);
+
struct AppleMboxState {
SysBusDevice parent_obj;
@@ -102,6 +128,7 @@ struct AppleMboxState {
uint32_t protocol_version;
qemu_irq irqs[4];
qemu_irq iop_irq;
+ qemu_irq test_irq;
QTAILQ_HEAD(, apple_mbox_msg) inbox;
QTAILQ_HEAD(, apple_mbox_msg) outbox;
QTAILQ_HEAD(, apple_mbox_msg) rollcall;
@@ -114,6 +141,7 @@ struct AppleMboxState {
uint32_t int_mask;
uint32_t iop_int_mask;
bool real;
+ //AppleSEPResetMisc *AppleSEPResetMisc_func;
};
struct iop_rollcall_data {
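Review bot: The commented-out member `//AppleSEPResetMisc *AppleSEPResetMisc_func;` should be removed rather than committed, and the `typedef void AppleSEPResetMisc(vaddr vector);` added two hunks earlier then has no user and should go with it — or the hook should be added for real with a comment saying who sets it and when it is invoked. Commented-out code in a public header reads as an interface promise the implementation does not keep.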
@@ -128,6 +156,25 @@ struct AppleMboxOps {
void (*wakeup)(void *opaque);
};
+void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg);
+apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s);
+bool apple_mbox_outbox_empty(AppleMboxState *s);
+void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg);
+
+struct QEMU_PACKED sep_message {
+ union {
+ struct QEMU_PACKED {
+ uint8_t endpoint;
+ uint8_t tag;
+ uint8_t opcode;
+ uint8_t param;
+ uint32_t data;
+ };
+ uint64_t raw;
+ };
+};
+
+
/*
* Send message to an endpoint
*/
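Review bot: The four new prototypes carry no contract: who owns the `apple_mbox_msg_t` returned by `apple_mbox_outbox_pop`, what it returns when `apple_mbox_outbox_empty` is true, and whether `apple_mbox_inbox_push` takes ownership of `msg`. A header comment per function, along the lines of `/* Dequeue the oldest outbox message; caller owns it. Check apple_mbox_outbox_empty() first. */`, adjusted to what the implementation actually does, would stop callers guessing. The `struct sep_message` union maps `endpoint/tag/opcode/param/data` onto `raw` by host byte order, so if `raw` is filled from a guest 64-bit mailbox word the field layout is only right on little-endian hosts — say so in a comment or use `extract64()` accessors. The SEP-specific struct also looks misplaced in the generic mailbox header.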
diff --git a/meson.build b/meson.build
index 89bef2d3d4..4e02ceeaff 100644
--- a/meson.build
+++ b/meson.build
@@ -1092,9 +1092,11 @@ endif
liblzfse = not_found
if not get_option('lzfse').auto() or have_block
- liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
- required: get_option('lzfse'),
- kwargs: static_kwargs)
+ liblzfse = dependency('lzfse', required: get_option('lzfse'),
+ method: 'pkg-config', kwargs: static_kwargs)
+# liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'],
+# required: get_option('lzfse'),
+# kwargs: static_kwargs)
endif
if liblzfse.found() and not cc.links('''
#include <lzfse.h>
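Review bot: The old `cc.find_library('lzfse', ...)` call is left behind as three commented lines after the new `dependency('lzfse', ...)`; delete them, git keeps the history. Switching to `method: 'pkg-config'` also means a host with liblzfse installed but no `lzfse.pc` now fails where the previous check passed, which should be mentioned in the commit message or covered by a `cc.find_library` fallback.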
diff --git a/pc-bios/keymaps/meson.build b/pc-bios/keymaps/meson.build
index 1cbcdebefa..1815cce47f 100644
--- a/pc-bios/keymaps/meson.build
+++ b/pc-bios/keymaps/meson.build
@@ -1,36 +1,6 @@
keymaps = {
- 'ar': '-l ara',
- 'bepo': '-l fr -v dvorak',
- 'cz': '-l cz',
- 'da': '-l dk',
'de': '-l de -v nodeadkeys',
- 'de-ch': '-l ch',
- 'en-gb': '-l gb',
'en-us': '-l us',
- 'es': '-l es',
- 'et': '-l et',
- 'fi': '-l fi',
- 'fo': '-l fo',
- 'fr': '-l fr -v nodeadkeys',
- 'fr-be': '-l be',
- 'fr-ca': '-l ca -v fr',
- 'fr-ch': '-l ch -v fr',
- 'hr': '-l hr',
- 'hu': '-l hu',
- 'is': '-l is',
- 'it': '-l it',
- 'ja': '-l jp -m jp106',
- 'lt': '-l lt',
- 'lv': '-l lv',
- 'mk': '-l mk',
- 'nl': '-l nl',
- 'no': '-l no',
- 'pl': '-l pl',
- 'pt': '-l pt',
- 'pt-br': '-l br',
- 'ru': '-l ru',
- 'th': '-l th',
- 'tr': '-l tr',
}
if meson.is_cross_build() or not xkbcommon.found()
diff --git a/softmmu/memory.c b/softmmu/memory.c
index b1a6cae6f5..a8ccd4154b 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1379,6 +1379,8 @@ bool memory_region_access_valid(MemoryRegion *mr,
{
if (mr->ops->valid.accepts
&& !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ CPUState *cpu = first_cpu;
+ cpu_dump_state(cpu, stderr, CPU_DUMP_CODE);
qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX
", size %u, region '%s', reason: rejected\n",
is_write ? "write" : "read",
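Review bot: `first_cpu` is not the CPU that performed the rejected access — it is simply the first vCPU created — and it is NULL when the access comes from device DMA or before any CPU exists, so `cpu_dump_state(cpu, stderr, CPU_DUMP_CODE)` will print the wrong vCPU's state or dereference NULL. The initiating vCPU, when there is one, is the thread-local `current_cpu`; guard it and tie the dump to the mask the message already uses, `if (current_cpu && qemu_loglevel_mask(LOG_GUEST_ERROR)) { cpu_dump_state(current_cpu, stderr, CPU_DUMP_CODE); }`. As written the dump is guest-triggerable: every rejected MMIO access floods stderr with a full register and code dump.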
@@ -1451,6 +1453,8 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
pval, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
+ fprintf(stderr, "Invalid read: addr: 0x%llx ; size : %d\n", addr, size);
+ //__asm__("int3");
*pval = unassigned_mem_read(mr, addr, size);
return MEMTX_DECODE_ERROR;
}
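Review bot: The format string `"Invalid read: addr: 0x%llx ; size : %d\n"` does not match its arguments — `addr` is `hwaddr` (`uint64_t`, an `unsigned long` on LP64 hosts, not `unsigned long long`) and `size` is `unsigned` — so this is undefined behaviour and a `-Wformat` failure under QEMU's warning set. Use the macros the file already uses a few lines up, `qemu_log_mask(LOG_GUEST_ERROR, "Invalid read: addr: 0x%" HWADDR_PRIx ", size %u\n", addr, size);`, which also stops this being an unconditional stderr write that duplicates the message `memory_region_access_valid` has just logged for the same access. The commented `//__asm__("int3");` is x86-only and should not be committed.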
@@ -1500,6 +1504,8 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
data, op, attrs);
}
if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
+ fprintf(stderr, "Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n", addr, data, size);
+ //__asm__("int3");
unassigned_mem_write(mr, addr, data, size);
return MEMTX_DECODE_ERROR;
}
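Review bot: As in the read path, `"Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n"` mismatches `hwaddr addr`, `uint64_t data` and `unsigned size` on LP64 hosts, which is undefined behaviour and a `-Wformat` error. Replace it with `qemu_log_mask(LOG_GUEST_ERROR, "Invalid write: addr: 0x%" HWADDR_PRIx ", data: 0x%" PRIx64 ", size %u\n", addr, data, size);` so it is correctly typed and off unless guest_errors logging is enabled, rather than an unconditional stderr line a guest can emit at will. Drop the commented `//__asm__("int3");` here too.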
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index 21e29ed88c..823410116b 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -1193,6 +1193,7 @@ static void aarch64_max_initfn(Object *obj)
ARMCPU *cpu = ARM_CPU(obj);
uint64_t t;
uint32_t u;
+ fprintf(stderr, "aarch64_max_initfn: test0: entered\n");
if (kvm_enabled() || hvf_enabled()) {
/* With KVM or HVF, '-cpu max' is identical to '-cpu host' */
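Review bot: `fprintf(stderr, "aarch64_max_initfn: test0: entered\n")` is leftover debug output on a path every `-cpu max` start hits; remove it, or if the instrumentation is wanted make it a trace event so it is silent by default. `aarch64_max_initfn` starts and ends outside the hunk.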
@@ -1425,17 +1426,30 @@ static void aarch64_cpu_finalizefn(Object *obj)
static gchar *aarch64_gdb_arch_name(CPUState *cs)
{
return g_strdup("aarch64");
+ //return g_strdup("arm");
}
+static int classinit_index = 0;
+
static void aarch64_cpu_class_init(ObjectClass *oc, void *data)
{
CPUClass *cc = CPU_CLASS(oc);
+ fprintf(stderr, "aarch64_cpu_class_init: test0: entered\n");
+ //if (classinit_index == 0)
+ //if (0)
+#if 1
+ {
cc->gdb_read_register = aarch64_cpu_gdb_read_register;
cc->gdb_write_register = aarch64_cpu_gdb_write_register;
cc->gdb_num_core_regs = 34;
cc->gdb_core_xml_file = "aarch64-core.xml";
+ //cc->gdb_num_core_regs = 26;
+ //cc->gdb_core_xml_file = "arm-core.xml";
cc->gdb_arch_name = aarch64_gdb_arch_name;
+ }
+#endif
+ classinit_index++;
object_class_property_add_bool(oc, "aarch64", aarch64_cpu_get_aarch64,
aarch64_cpu_set_aarch64);
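Review bot: `static int classinit_index` is incremented but never read, the `#if 1 { … }` wraps code that is unconditional anyway, and the commented `arm-core.xml` / `gdb_num_core_regs = 26` alternatives plus the `fprintf` are debugging residue — this hunk should be reverted to the original five assignments. If the experiment was to present the core to gdb as 32-bit `arm`, that deserves its own documented change; the stale `//return g_strdup("arm");` in `aarch64_gdb_arch_name` above belongs to the same experiment and should go with it.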
diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index 13fbe9b0d7..df6aea25e7 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -506,6 +506,7 @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
CPUARMState *env = &cpu->env;
if (arm_feature(env, ARM_FEATURE_AARCH64)) {
+ fprintf(stderr, "arm_cpu_register_gdb_regs_for_features: test0: AARCH64 true\n");
/*
* The lower part of each SVE register aliases to the FPU
* registers so we don't need to include both.
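Review bot: The added `fprintf(stderr, ...)` in `arm_cpu_register_gdb_regs_for_features` is debug output that fires on every AArch64 vCPU realize; drop it or convert it to a trace point. The function continues past the hunk.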
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 0370c62ceb..eae7c0361e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11787,22 +11787,26 @@ int fp_exception_el(CPUARMState *env, int cur_el)
* always accessible
*/
if (!arm_feature(env, ARM_FEATURE_V6)) {
+ //fprintf(stderr, "fp_exception_el: test0\n");
return 0;
}
if (arm_feature(env, ARM_FEATURE_M)) {
/* CPACR can cause a NOCP UsageFault taken to current security state */
if (!v7m_cpacr_pass(env, env->v7m.secure, cur_el != 0)) {
+ //fprintf(stderr, "fp_exception_el: test1\n");
return 1;
}
if (arm_feature(env, ARM_FEATURE_M_SECURITY) && !env->v7m.secure) {
if (!extract32(env->v7m.nsacr, 10, 1)) {
/* FP insns cause a NOCP UsageFault taken to Secure */
+ //fprintf(stderr, "fp_exception_el: test2\n");
return 3;
}
}
+ //fprintf(stderr, "fp_exception_el: test3\n");
return 0;
}
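Review bot: This hunk and the four that follow only add commented-out `//fprintf(stderr, "fp_exception_el: testN\n")` lines at each return of `fp_exception_el`; they change nothing and should be dropped before merge. If a per-return trace is genuinely useful it belongs in a single `trace-events` entry recorded once at a common exit (e.g. `trace_fp_exception_el(cur_el, ret)`), not as numbered scaffolding that will drift as returns are added or removed. `fp_exception_el` starts before and ends after this hunk.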
@@ -11829,9 +11833,11 @@ int fp_exception_el(CPUARMState *env, int cur_el)
/* Trap from Secure PL0 or PL1 to Secure PL1. */
if (!arm_el_is_aa64(env, 3)
&& (cur_el == 3 || arm_is_secure_below_el3(env))) {
+ //fprintf(stderr, "fp_exception_el: test4\n");
return 3;
}
if (cur_el <= 1) {
+ //fprintf(stderr, "fp_exception_el: test5\n");
return 1;
}
break;
@@ -11847,6 +11853,7 @@ int fp_exception_el(CPUARMState *env, int cur_el)
cur_el <= 2 && !arm_is_secure_below_el3(env))) {
if (!extract32(env->cp15.nsacr, 10, 1)) {
/* FP insns act as UNDEF */
+ //fprintf(stderr, "fp_exception_el: test6\n");
return cur_el == 2 ? 2 : 1;
}
}
@@ -11865,10 +11872,12 @@ int fp_exception_el(CPUARMState *env, int cur_el)
/* fall through */
case 0:
case 2:
+ //fprintf(stderr, "fp_exception_el: test7\n");
return 2;
}
} else if (arm_is_el2_enabled(env)) {
if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TFP)) {
+ //fprintf(stderr, "fp_exception_el: test8\n");
return 2;
}
}
@@ -11877,9 +11886,11 @@ int fp_exception_el(CPUARMState *env, int cur_el)
/* CPTR_EL3 : present in v8 */
if (FIELD_EX64(env->cp15.cptr_el[3], CPTR_EL3, TFP)) {
/* Trap all FP ops to EL3 */
+ //fprintf(stderr, "fp_exception_el: test9\n");
return 3;
}
#endif
+ //fprintf(stderr, "fp_exception_el: test10\n");
return 0;
}
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index 97bc141aa8..21509a6bba 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -36,6 +36,11 @@
#include "translate-a64.h"
#include "qemu/atomic128.h"
+
+//#define ENABLE_DUMPING 1
+
+
+
static TCGv_i64 cpu_X[32];
static TCGv_i64 cpu_pc;
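Review bot: `//#define ENABLE_DUMPING 1` is tested later in this file with `#if ENABLE_DUMPING`, which relies on an undefined macro evaluating to 0 and trips `-Wundef`; either switch the users to `#ifdef ENABLE_DUMPING` or define it as `0` here, with a comment saying what the dumping records and that it writes to a hard-coded host path. The three added blank lines are noise.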
@@ -67,6 +72,9 @@ typedef struct AArch64DecodeTable {
AArch64DecodeFn *disas_fn;
} AArch64DecodeTable;
+static CPUARMState *global_testenv = NULL;
+
+
/* initialize TCG globals. */
void a64_translate_init(void)
{
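Review bot: `static CPUARMState *global_testenv` is a process-wide pointer to whichever vCPU most recently began translating an instruction; under MTTCG several vCPU threads translate concurrently, so a reader can get another CPU's state, and any translator reading `xregs` through it sees translation-time values rather than the values at execution. Translation code should not reach into `CPUARMState` directly — anything needed at run time has to be generated as TCG ops or a helper call with the register as an operand. If it must stay for a debug build, wrap it in `#if ENABLE_DUMPING` like its users.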
@@ -1096,9 +1104,14 @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
*/
static bool fp_access_check_only(DisasContext *s)
{
+ //fprintf(stderr, "fp_access_check_only: entered function\n");
+ //s->fp_excp_el = false;
if (s->fp_excp_el) {
assert(!s->fp_access_checked);
s->fp_access_checked = true;
+ //fprintf(stderr, "fp_access_check_only: no soup^H^H^H^Hexception for you\n");
+ //s->fp_excp_el = false;
+ //return true;
gen_exception_insn_el(s, 0, EXCP_UDEF,
syn_fp_access_trap(1, 0xe, false, 0),
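Review bot: The commented-out `//s->fp_excp_el = false;` and `//return true;` at the top of the trap path would, if re-enabled, suppress the FP/SIMD access trap configured through CPACR/CPTR and let EL0/EL1 code use FP regardless of the trapping controls; that is a security-relevant bypass of the privilege model and should not ship even as a comment. Remove these lines and the stale `no soup` message; if a switch to ignore FP traps is genuinely needed for bring-up, make it an explicit, named property with a comment on its effect. `fp_access_check_only` ends outside the hunk.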
@@ -1111,12 +1124,15 @@ static bool fp_access_check_only(DisasContext *s)
static bool fp_access_check(DisasContext *s)
{
+ //fprintf(stderr, "fp_access_check: entered function\n");
if (!fp_access_check_only(s)) {
+ fprintf(stderr, "fp_access_check: fp_access_check_only returned false\n");
return false;
}
if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
gen_exception_insn(s, 0, EXCP_UDEF,
syn_smetrap(SME_ET_Streaming, false));
+ fprintf(stderr, "fp_access_check: s->sme_trap_nonstreaming && s->is_nonstreaming\n");
return false;
}
return true;
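Review bot: The two `fprintf(stderr, ...)` calls fire every time an FP/SIMD or streaming-SVE instruction is translated while trapping is in effect, so a guest that deliberately executes trapped FP instructions can flood the host's stderr; the unconditional prints added to `sve_access_check` and `sme_access_check` in the next two hunks have the same property. Use `qemu_log_mask(LOG_GUEST_ERROR, ...)` if the message is about guest behaviour, or a trace event if it is host diagnostics, so it is off by default.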
@@ -1129,6 +1145,7 @@ static bool fp_access_check(DisasContext *s)
*/
bool sve_access_check(DisasContext *s)
{
+ fprintf(stderr, "sve_access_check: entered function\n");
if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
assert(dc_isar_feature(aa64_sme, s));
if (!sme_sm_enabled_check(s)) {
@@ -1156,7 +1173,9 @@ bool sve_access_check(DisasContext *s)
*/
static bool sme_access_check(DisasContext *s)
{
+ fprintf(stderr, "sme_access_check: entered function\n");
if (s->sme_excp_el) {
+ fprintf(stderr, "sme_access_check: do exception\n");
gen_exception_insn_el(s, 0, EXCP_UDEF,
syn_smetrap(SME_ET_AccessTrap, false),
s->sme_excp_el);
@@ -2179,12 +2198,23 @@ static void disas_exc(DisasContext *s, uint32_t insn)
* | 1 1 0 1 0 1 1 | opc | op2 | op3 | Rn | op4 |
* +---------------+-------+-------+-------+------+-------+
*/
+
+static FILE *testfp0 = NULL;
+
static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
{
unsigned int opc, op2, op3, rn, op4;
unsigned btype_mod = 2; /* 0: BR, 1: BLR, 2: other */
TCGv_i64 dst;
TCGv_i64 modifier;
+ uint64_t testvar0, testvar1, testvar0_high;
+
+#if ENABLE_DUMPING
+ /* test0 */
+ //gen_a64_update_pc(s, 0);
+ //gen_ss_advance(s);
+ //s->base.is_jmp = DISAS_TOO_MANY;
+#endif
opc = extract32(insn, 21, 4);
op2 = extract32(insn, 16, 5);
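Review bot: `testvar0`, `testvar1`, `testvar0_high` and the file-scope `static FILE *testfp0` are declared unconditionally but only used under `#if ENABLE_DUMPING`, so a normal build gets unused-variable warnings, and the `#if ENABLE_DUMPING` block that follows is empty apart from three commented statements and a `/* test0 */` placeholder. Move the declarations inside the `#if` and delete the empty block. `disas_uncond_b_reg` continues past the hunk.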
@@ -2254,6 +2284,22 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
}
gen_pc_plus_diff(s, lr, curr_insn_len(s));
}
+#if ENABLE_DUMPING
+ testvar0 = s->pc_curr;
+ testvar1 = global_testenv->xregs[rn];
+ testvar0_high = (testvar0 >> 36);
+ testvar1 &= ~(0xfffffffULL << 36);
+ testvar1 |= (testvar0_high << 36);
+ if (testfp0 == NULL) {
+ testfp0 = fopen("/home/ios/satamnt_1/gdb_indirect_tracelog2", "a");
+ }
+ if (testfp0 != NULL) {
+ fprintf(testfp0, "%016llx %016llx\n", testvar0, testvar1);
+ fflush(testfp0);
+ //fclose(testfp0);
+ //testfp0 = NULL;
+ }
+#endif
gen_a64_set_pc(s, dst);
break;
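Review bot: `testvar1 = global_testenv->xregs[rn]` reads the branch-target register at translation time, but this code runs once when the TB is built and the TB is then cached and re-executed, so the logged target is whatever `X<rn>` held when the block was first translated (possibly on a different vCPU), not the address actually branched to — the log cannot be trusted as an indirect-branch trace. Recording the real target needs run-time code: emit a helper call with `cpu_X[rn]` (the TCG global for the register) as its operand and do the `fprintf` inside the helper. Three smaller issues in the same block: the hard-coded `/home/ios/satamnt_1/gdb_indirect_tracelog2` path should come from a property or environment variable and the `FILE` is never closed; `%016llx` with `uint64_t` arguments needs `PRIx64`; and the mask `~(0xfffffffULL << 36)` that swaps the top 28 bits for those of `pc_curr` is unexplained — if it is meant to strip pointer-authentication bits, say so in a comment.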
@@ -2287,6 +2333,22 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
}
gen_pc_plus_diff(s, lr, curr_insn_len(s));
}
+#if ENABLE_DUMPING
+ testvar0 = s->pc_curr;
+ testvar1 = global_testenv->xregs[rn];
+ testvar0_high = (testvar0 >> 36);
+ testvar1 &= ~(0xfffffffULL << 36);
+ testvar1 |= (testvar0_high << 36);
+ if (testfp0 == NULL) {
+ testfp0 = fopen("/home/ios/satamnt_1/gdb_indirect_tracelog2", "a");
+ }
+ if (testfp0 != NULL) {
+ fprintf(testfp0, "%016llx %016llx\n", testvar0, testvar1);
+ fflush(testfp0);
+ //fclose(testfp0);
+ //testfp0 = NULL;
+ }
+#endif
gen_a64_set_pc(s, dst);
break;
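Review bot: These sixteen lines repeat the block added for the previous case verbatim; factor them into one `static void dump_indirect_branch(DisasContext *s, int rn)` so the file path, format and bit-masking live in one place. The copy carries the same defect: reading `global_testenv->xregs[rn]` at translation time records the register as it was when the TB was built, not the target at execution, so the trace is stale whenever the TB is reused.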
@@ -4166,6 +4228,13 @@ static void disas_ldst_tag(DisasContext *s, uint32_t insn)
/* Loads and stores */
static void disas_ldst(DisasContext *s, uint32_t insn)
{
+#if ENABLE_DUMPING
+ /* test0 */
+ gen_a64_update_pc(s, 0);
+ gen_ss_advance(s);
+ s->base.is_jmp = DISAS_TOO_MANY;
+#endif
+
switch (extract32(insn, 24, 6)) {
case 0x08: /* Load/store exclusive */
disas_ldst_excl(s, insn);
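Review bot: Under `ENABLE_DUMPING` every load/store sets `s->base.is_jmp = DISAS_TOO_MANY` before the instruction is even decoded, so the guest executes one memory instruction per translation block; that may be acceptable for a debug build, but the `/* test0 */` comment should say why the TB is cut here (presumably to have CPU state synced at each access) and note that the decoder may legitimately overwrite `is_jmp` for faulting instructions. If the dumping is dead, drop the block.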
@@ -8056,6 +8125,7 @@ static void disas_simd_mod_imm(DisasContext *s, uint32_t insn)
}
if (!fp_access_check(s)) {
+ fprintf(stderr, "disas_simd_mod_imm: fp_access_check returned false\n");
return;
}
@@ -14393,6 +14463,7 @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
CPUARMState *env = cpu->env_ptr;
uint64_t pc = s->base.pc_next;
uint32_t insn;
+ global_testenv = env;
/* Singlestep exceptions have the highest priority. */
if (s->ss_active && !s->pstate_ss) {
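Review bot: `global_testenv = env;` runs for every translated instruction and is written by every vCPU's translation thread with no synchronisation, so under MTTCG concurrent translators race on a plain global and a consumer can observe another CPU's `env`. The assignment serves no purpose in a normal build and should at least sit under `#if ENABLE_DUMPING`; better, whatever needs the CPU should take it from the `cpu` argument this function already receives or be emitted as run-time TCG code instead of peeking at CPU state while translating.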
diff --git a/ui/gtk.c b/ui/gtk.c
index 0a9f24ee0a..1492ab1b21 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -960,10 +960,9 @@ static gboolean gd_button_event(GtkWidget *widget, GdkEventButton *button,
if (button->button == 1 && button->type == GDK_BUTTON_PRESS &&
!qemu_input_is_absolute() && s->ptr_owner != vc) {
if (!vc->window) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
} else {
- gd_grab_pointer(vc, "relative-mode-click");
+ //gd_grab_pointer(vc, "relative-mode-click");
}
return TRUE;
}
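Review bot: Both branches of `if (!vc->window) { … } else { … }` are now empty comments, yet the handler still `return TRUE`s, claiming the click was consumed; if relative-mode click-to-grab is meant to be disabled, delete the whole `if` and let the event fall through, or tie the behaviour to a display option rather than shipping commented-out calls. Disabling pointer grab is a user-visible change that the commit message should state.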
@@ -1332,7 +1331,7 @@ static gboolean gd_win_grab(void *opaque)
if (vc->s->ptr_owner) {
gd_ungrab_pointer(vc->s);
} else {
- gd_grab_pointer(vc, "user-request-detached-tab");
+ //gd_grab_pointer(vc, "user-request-detached-tab");
}
return TRUE;
}
@@ -1408,7 +1407,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
{
GtkDisplayState *s = opaque;
VirtualConsole *vc = gd_vc_find_current(s);
-
+#if 0
if (!s->full_screen) {
gtk_notebook_set_show_tabs(GTK_NOTEBOOK(s->notebook), FALSE);
gtk_widget_hide(s->menu_bar);
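Review bot: Wrapping the body of `gd_menu_full_screen` in `#if 0` (closed in the next hunk) leaves a menu item that toggles visually but never changes `s->full_screen` or the window, so the function is now just `gd_update_cursor(vc)`; if full-screen is intentionally unsupported in this build, unregister the menu item and make the function a documented no-op instead of preprocessor-disabled code. The function ends outside this hunk.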
@@ -1431,7 +1430,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque)
gd_update_windowsize(vc);
}
}
-
+#endif
gd_update_cursor(vc);
}
@@ -1607,8 +1606,8 @@ static void gd_menu_grab_input(GtkMenuItem *item, void *opaque)
VirtualConsole *vc = gd_vc_find_current(s);
if (gd_is_grab_active(s)) {
- gd_grab_keyboard(vc, "user-request-main-window");
- gd_grab_pointer(vc, "user-request-main-window");
+ //gd_grab_keyboard(vc, "user-request-main-window");
+ //gd_grab_pointer(vc, "user-request-main-window");
} else {
gd_ungrab_keyboard(s);
gd_ungrab_pointer(s);
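Review bot: `gd_menu_grab_input` now does nothing when the grab item is activated but still ungrabs when it is deactivated, so the check item shows a grab that never happened; either make the item insensitive or remove the handler entirely, with a one-line comment `/* input grab disabled in this build */` at the call site explaining why.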
@@ -1632,16 +1631,13 @@ static void gd_change_page(GtkNotebook *nb, gpointer arg1, guint arg2,
if (!vc) {
return;
}
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item),
- TRUE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), TRUE);
on_vga = (vc->type == GD_VC_GFX &&
qemu_console_is_graphic(vc->gfx.dcl.con));
if (!on_vga) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- FALSE);
+ gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), FALSE);
} else if (s->full_screen) {
- gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item),
- TRUE);
+ //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE);
}
gtk_widget_set_sensitive(s->grab_item, on_vga);
#ifdef CONFIG_VTE
@@ -1659,7 +1655,7 @@ static gboolean gd_enter_event(GtkWidget *widget, GdkEventCrossing *crossing,
GtkDisplayState *s = vc->s;
if (gd_grab_on_hover(s)) {
- gd_grab_keyboard(vc, "grab-on-hover");
+ //gd_grab_keyboard(vc, "grab-on-hover");
}
return TRUE;
}
diff --git a/ui/sdl2.c b/ui/sdl2.c
index 9d703200bf..3ac1374074 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -270,24 +270,25 @@ static void absolute_mouse_grab(struct sdl2_console *scon)
SDL_GetWindowSize(scon->real_window, &scr_w, &scr_h);
if (mouse_x > 0 && mouse_x < scr_w - 1 &&
mouse_y > 0 && mouse_y < scr_h - 1) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
static void sdl_mouse_mode_change(Notifier *notify, void *data)
{
- if (qemu_input_is_absolute()) {
+ if (qemu_input_is_absolute() && 0) {
if (!absolute_enabled) {
- absolute_enabled = 1;
- SDL_SetRelativeMouseMode(SDL_FALSE);
- absolute_mouse_grab(&sdl2_console[0]);
+ //absolute_enabled = 1;
+ //SDL_SetRelativeMouseMode(SDL_FALSE);
+ //absolute_mouse_grab(&sdl2_console[0]);
}
} else if (absolute_enabled) {
if (!gui_fullscreen) {
- sdl_grab_end(&sdl2_console[0]);
+ //sdl_grab_end(&sdl2_console[0]);
}
absolute_enabled = 0;
}
+ absolute_enabled = 0;
}
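Review bot: `if (qemu_input_is_absolute() && 0)` makes the first branch dead and the trailing unconditional `absolute_enabled = 0;` makes the `else if` branch's own assignment redundant, so `sdl_mouse_mode_change` reduces to `absolute_enabled = 0;` — write exactly that with a comment saying pointer grab is disabled in this build, rather than leaving the original structure to rot, or drop the notifier altogether. With `sdl_grab_start` commented out, `absolute_mouse_grab` in the same hunk now queries the mouse and window only to discard the result and should be deleted along with its commented-out callers.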
static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
@@ -329,15 +330,14 @@ static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy,
static void toggle_full_screen(struct sdl2_console *scon)
{
- gui_fullscreen = !gui_fullscreen;
+ gui_fullscreen = 0;//!gui_fullscreen;
if (gui_fullscreen) {
- SDL_SetWindowFullscreen(scon->real_window,
- SDL_WINDOW_FULLSCREEN_DESKTOP);
- gui_saved_grab = gui_grab;
- sdl_grab_start(scon);
+ //SDL_SetWindowFullscreen(scon->real_window, SDL_WINDOW_FULLSCREEN_DESKTOP);
+ //gui_saved_grab = gui_grab;
+ //sdl_grab_start(scon);
} else {
if (!gui_saved_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
SDL_SetWindowFullscreen(scon->real_window, 0);
}
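Review bot: `gui_fullscreen = 0;//!gui_fullscreen;` turns `toggle_full_screen` into "always leave full screen", and the one caller visible in this patch (the `SDL_SCANCODE_F` case) is commented out, so the function appears dead; remove it rather than keep a misnamed stub. If the goal is only to avoid grabbing the pointer on full-screen entry, keep the toggle and drop just the `sdl_grab_start` call.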
@@ -393,7 +393,7 @@ static void handle_keydown(SDL_Event *ev)
case SDL_SCANCODE_8:
case SDL_SCANCODE_9:
if (gui_grab) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
win = ev->key.keysym.scancode - SDL_SCANCODE_1;
@@ -410,15 +410,15 @@ static void handle_keydown(SDL_Event *ev)
}
break;
case SDL_SCANCODE_F:
- toggle_full_screen(scon);
+ //toggle_full_screen(scon);
gui_keysym = 1;
break;
case SDL_SCANCODE_G:
gui_keysym = 1;
if (!gui_grab) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
} else if (!gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_SCANCODE_U:
@@ -502,12 +502,12 @@ static void handle_mousemotion(SDL_Event *ev)
if (gui_grab && !gui_fullscreen
&& (ev->motion.x == 0 || ev->motion.y == 0 ||
ev->motion.x == max_x || ev->motion.y == max_y)) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
if (!gui_grab &&
(ev->motion.x > 0 && ev->motion.x < max_x &&
ev->motion.y > 0 && ev->motion.y < max_y)) {
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
}
if (gui_grab || qemu_input_is_absolute() || absolute_enabled) {
@@ -530,7 +530,7 @@ static void handle_mousebutton(SDL_Event *ev)
if (!gui_grab && !qemu_input_is_absolute()) {
if (ev->type == SDL_MOUSEBUTTONUP && bev->button == SDL_BUTTON_LEFT) {
/* start grabbing all events */
- sdl_grab_start(scon);
+ //sdl_grab_start(scon);
}
} else {
if (ev->type == SDL_MOUSEBUTTONDOWN) {
@@ -601,7 +601,7 @@ static void handle_windowevent(SDL_Event *ev)
/* fall through */
case SDL_WINDOWEVENT_ENTER:
if (!gui_grab && (qemu_input_is_absolute() || absolute_enabled)) {
- absolute_mouse_grab(scon);
+ //absolute_mouse_grab(scon);
}
/* If a new console window opened using a hotkey receives the
* focus, SDL sends another KEYDOWN event to the new window,
@@ -617,7 +617,7 @@ static void handle_windowevent(SDL_Event *ev)
win32_kbd_set_window(NULL);
}
if (gui_grab && !gui_fullscreen) {
- sdl_grab_end(scon);
+ //sdl_grab_end(scon);
}
break;
case SDL_WINDOWEVENT_RESTORED:
@@ -946,7 +946,7 @@ static void sdl2_display_init(DisplayState *ds, DisplayOptions *o)
sdl_cursor_normal = SDL_GetCursor();
if (gui_fullscreen) {
- sdl_grab_start(&sdl2_console[0]);
+ //sdl_grab_start(&sdl2_console[0]);
}
atexit(sdl_cleanup);