Last active
December 7, 2023 08:55
-
-
Save zhuowei/6f0fcc20d3529d8bd0ddb650055a4756 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # enable AMCC read-only region lockdown in m1n1 on M1 (Mac Mini 2020) for testing | |
| # see https://github.com/AsahiLinux/m1n1/blob/v1.1.4/src/mcc.c | |
| # https://github.com/apple-oss-distributions/xnu/blob/xnu-7195.50.7.100.1/osfmk/arm64/amcc_rorgn.c | |
| lockdownstart = 0x8_4000_0000 | |
| # amcc's protection page size seems to be 0x8000? | |
| lockdownend = 0x8_4000_8000 | |
| rambase = 0x8_0000_0000 | |
| for plane in range(3, -1, -1): | |
| print(hex(0x2_0000_0000 + 0x40000*plane + 0x680)) | |
| write32(0x2_0000_0000 + 0x40000*plane + 0x680, (lockdownstart - rambase) >> 14) | |
| write32(0x2_0000_0000 + 0x40000*plane + 0x684, (lockdownend - rambase) >> 14) | |
| write32(0x2_0000_0000 + 0x40000*plane + 0x688, 1) | |
| write32(0x2_0000_0000 + 0x40000*plane + 0x68c, 1) | |
| # wait a second, then check that it's dropping writes: | |
| read32(lockdownstart) # 0x0 | |
| write32(lockdownstart, 1) | |
| read32(lockdownstart) # 0x1 | |
| # now do a large memcpy to evict out of cache | |
| memcpy64(0x8_6000_0000, 0x8_7000_0000, 0x1000_0000) | |
| read32(lockdownstart) # 0x0 | |
| # for some reason errsts0 doesn't populate for write32 but does for writemem??? | |
| # see https://github.com/AsahiLinux/m1n1/blob/v1.1.4/proxyclient/experiments/amcc_err_handler.py | |
| writemem(0x8_4000_0000, [0x41]*0x1000000) | |
| read32(0x200000708) # AFERRLOG0 = 0x40000200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment