API tools faq
paste
Advertisement
Guest User

isp.py

a guest
Jul 14th, 2023
84
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.37 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python3
  2. # SPDX-License-Identifier: MIT
  3. import sys, pathlib, time
  4. sys.path.append(str(pathlib.Path(__file__).resolve().parents[1]))
  5.  
  6. from m1n1.setup import *
  7. from m1n1.hw.dart import DART
  8. from m1n1.shell import run_shell
  9. #from m1n1.hw.isp import *
  10. from m1n1.fw.common import *
  11. import struct
  12. from construct import *
  13.  
  14. p.pmgr_adt_clocks_enable("/arm-io/isp")
  15. p.pmgr_adt_clocks_enable("/arm-io/dart-isp")
  16.  
  17. dart = DART.from_adt(u, "arm-io/dart-isp")
  18. dart.initialize()
  19.  
  20.  
  21. def w_tun_a():
  22. p.mask32(0x22a000000, 0x10, 0x10)
  23. p.mask32(0x22a000040, 0xffff, 0x50030)
  24. p.mask32(0x22a000044, 0xffff, 0xa0040)
  25. p.mask32(0x22a000400, 0x4, 0x40000001)
  26. p.mask32(0x22a000600, 0x0, 0x1ffffff)
  27. p.mask32(0x22a000738, 0x1ff01ff, 0x2)
  28. p.mask32(0x22a000798, 0x1ff01ff, 0x300008)
  29. p.mask32(0x22a0007f8, 0x1ff01ff, 0x880020)
  30. p.mask32(0x22a000858, 0x1ff01ff, 0x200080)
  31. p.mask32(0x22a000900, 0x1, 0x101)
  32. p.mask32(0x22a000410, 0x100, 0x1100)
  33. p.mask32(0x22a000420, 0x100, 0x1100)
  34. p.mask32(0x22a000430, 0x100, 0x1100)
  35. p.mask32(0x22a008000, 0x0, 0x9)
  36. p.mask32(0x22a008000, 0x0, 0x9)
  37. p.mask32(0x22a000920, 0x0, 0x80)
  38. p.write32(0x22a008008, 0x7)
  39. p.write32(0x22a008014, 0x1)
  40. p.mask32(0x22a008018, 0x0, 0x1)
  41. p.mask32(0x22a0007a8, 0x0, 0x1)
  42. p.write32(0x22a008208, 0x5)
  43. p.write32(0x22a008280, 0x20)
  44. p.write32(0x22a008288, 0x3)
  45. p.write32(0x22a00828c, 0xc)
  46. p.write32(0x22a008290, 0x18)
  47. p.write32(0x22a008294, 0x30)
  48. p.write32(0x22a008298, 0x78)
  49. p.write32(0x22a00829c, 0xff)
  50. p.mask32(0x22a0082b8, 0x0, 0x1)
  51. p.write32(0x22a0082bc, 0x1)
  52. p.mask32(0x22a0082c0, 0x0, 0x1)
  53. p.mask32(0x22a000748, 0x0, 0x1)
  54. p.write32(0x22a00820c, 0x3)
  55. p.write32(0x22a008284, 0x20)
  56. p.write32(0x22a0082a0, 0x3)
  57. p.write32(0x22a0082a4, 0xc)
  58. p.write32(0x22a0082a8, 0x18)
  59. p.write32(0x22a0082ac, 0x30)
  60. p.write32(0x22a0082b0, 0x78)
  61. p.write32(0x22a0082b4, 0xff)
  62. p.mask32(0x22a0082b8, 0x1, 0x3)
  63. p.write32(0x22a0082bc, 0x2)
  64. p.mask32(0x22a0082c0, 0x1, 0x3)
  65. p.write32(0x22a008210, 0x0)
  66. p.write32(0x22a008408, 0x3)
  67. p.write32(0x22a008418, 0x3)
  68. p.write32(0x22a00841c, 0x0)
  69. p.write32(0x22a008420, 0xffffffff)
  70. p.write32(0x22a008424, 0x0)
  71. p.write32(0x22a008428, 0xfff)
  72. p.mask32(0x22a0082b8, 0x3, 0x7)
  73. p.write32(0x22a0082bc, 0x4)
  74. p.mask32(0x22a0082c0, 0x3, 0x7)
  75.  
  76. def w_tun_b():
  77. p.write32(0x22c0e0080, 0x1)
  78. p.mask32(0x22c0f0020, 0x0, 0x80000000)
  79. p.mask32(0x22c0f8020, 0x0, 0x80000000)
  80.  
  81. def w_tun_c():
  82. p.write32(0x22c0ec004, 0x1)
  83. p.write32(0x22c0ec008, 0x9e8000)
  84. p.write32(0x22c0ec00c, 0x8)
  85. p.write32(0x22c0ec010, 0x139bfff)
  86. p.write32(0x22c0ec014, 0x8)
  87. p.write32(0x22c0ec000, 0x11)
  88. p.write32(0x22c0ec044, 0x1)
  89. p.write32(0x22c0ec048, 0x0)
  90. p.write32(0x22c0ec04c, 0xf)
  91. p.write32(0x22c0ec050, 0xffffffff)
  92. p.write32(0x22c0ec054, 0xf)
  93. p.write32(0x22c0ec040, 0x33)
  94. p.write32(0x22c0ec084, 0x1)
  95. p.write32(0x22c0ec088, 0x3b704000)
  96. p.write32(0x22c0ec08c, 0x2)
  97. p.write32(0x22c0ec090, 0x3b704063)
  98. p.write32(0x22c0ec094, 0x2)
  99. p.write32(0x22c0ec080, 0x31)
  100. p.write32(0x22c0ec0c4, 0x1)
  101. p.write32(0x22c0ec0c8, 0x3b738000)
  102. p.write32(0x22c0ec0cc, 0x2)
  103. p.write32(0x22c0ec0d0, 0x3b73bfff)
  104. p.write32(0x22c0ec0d4, 0x2)
  105. p.write32(0x22c0ec0c0, 0x31)
  106. p.write32(0x22c0ec104, 0x1)
  107. p.write32(0x22c0ec108, 0x3c260000)
  108. p.write32(0x22c0ec10c, 0x2)
  109. p.write32(0x22c0ec110, 0x3c26006b)
  110. p.write32(0x22c0ec114, 0x2)
  111. p.write32(0x22c0ec100, 0x31)
  112. p.write32(0x22c0ec144, 0x1)
  113. p.write32(0x22c0ec148, 0x3c280000)
  114. p.write32(0x22c0ec14c, 0x2)
  115. p.write32(0x22c0ec150, 0x3c2830b3)
  116. p.write32(0x22c0ec154, 0x2)
  117. p.write32(0x22c0ec140, 0x31)
  118. p.write32(0x22c0ec184, 0x1)
  119. p.write32(0x22c0ec188, 0x3c290000)
  120. p.write32(0x22c0ec18c, 0x2)
  121. p.write32(0x22c0ec190, 0x3c2930b3)
  122. p.write32(0x22c0ec194, 0x2)
  123. p.write32(0x22c0ec180, 0x31)
  124. p.write32(0x22c0ec1c4, 0x1)
  125. p.write32(0x22c0ec1c8, 0x3c2a0000)
  126. p.write32(0x22c0ec1cc, 0x2)
  127. p.write32(0x22c0ec1d0, 0x3c2a30b3)
  128. p.write32(0x22c0ec1d4, 0x2)
  129. p.write32(0x22c0ec1c0, 0x31)
  130. p.write32(0x22c0ec204, 0x1)
  131. p.write32(0x22c0ec208, 0x3bc3c000)
  132. p.write32(0x22c0ec20c, 0x2)
  133. p.write32(0x22c0ec210, 0x3bc3c003)
  134. p.write32(0x22c0ec214, 0x2)
  135. p.write32(0x22c0ec200, 0x31)
  136. p.write32(0x22c0ec244, 0x1)
  137. p.write32(0x22c0ec248, 0x4a42c000)
  138. p.write32(0x22c0ec24c, 0x2)
  139. p.write32(0x22c0ec250, 0x4a42c003)
  140. p.write32(0x22c0ec254, 0x2)
  141. p.write32(0x22c0ec240, 0x31)
  142. p.write32(0x22c0ec284, 0x1)
  143. p.write32(0x22c0ec288, 0x4a448000)
  144. p.write32(0x22c0ec28c, 0x2)
  145. p.write32(0x22c0ec290, 0x4a448003)
  146. p.write32(0x22c0ec294, 0x2)
  147. p.write32(0x22c0ec280, 0x31)
  148. p.write32(0x22c0ec2c4, 0x1)
  149. p.write32(0x22c0ec2c8, 0x6b460000)
  150. p.write32(0x22c0ec2cc, 0x2)
  151. p.write32(0x22c0ec2d0, 0x6b460003)
  152. p.write32(0x22c0ec2d4, 0x2)
  153. p.write32(0x22c0ec2c0, 0x31)
  154. p.write32(0x22c0ec304, 0x1)
  155. p.write32(0x22c0ec308, 0x14000)
  156. p.write32(0x22c0ec30c, 0x2)
  157. p.write32(0x22c0ec310, 0x163fb)
  158. p.write32(0x22c0ec314, 0x2)
  159. p.write32(0x22c0ec300, 0x31)
  160. p.write32(0x22c0ec344, 0x1)
  161. p.write32(0x22c0ec348, 0x54000)
  162. p.write32(0x22c0ec34c, 0x2)
  163. p.write32(0x22c0ec350, 0x563fb)
  164. p.write32(0x22c0ec354, 0x2)
  165. p.write32(0x22c0ec340, 0x31)
  166. p.write32(0x22c0ec384, 0x1)
  167. p.write32(0x22c0ec388, 0x94000)
  168. p.write32(0x22c0ec38c, 0x2)
  169. p.write32(0x22c0ec390, 0x963fb)
  170. p.write32(0x22c0ec394, 0x2)
  171. p.write32(0x22c0ec380, 0x31)
  172. p.write32(0x22c0ec3c4, 0x1)
  173. p.write32(0x22c0ec3c8, 0xd4000)
  174. p.write32(0x22c0ec3cc, 0x2)
  175. p.write32(0x22c0ec3d0, 0xd63fb)
  176. p.write32(0x22c0ec3d4, 0x2)
  177. p.write32(0x22c0ec3c0, 0x31)
  178.  
  179. def w_tun_d():
  180. p.write32(0x22c0e8100, 0x80) # TCR[0] = 0x80
  181. p.write32(0x22c0e813c, 0x100) # TCR[0] = 0x80
  182.  
  183. p.write32(0x22c0f40fc, 0x1)
  184. p.write32(0x22c0f4200, dart.dart.regs.TTBR[0, 0].val)
  185. p.write32(0x22c0f42f0, 0x0)
  186. p.write32(0x22c0f4034, 0xffffffff)
  187. p.write32(0x22c0f4020, 0x100000)
  188. p.mask32(0x22c0f4060, 0x10000, 0x80016100)
  189. p.mask32(0x22c0f4068, 0x20202, 0xf0f0f)
  190. p.mask32(0x22c0f406c, 0x0, 0x80808)
  191. p.write32(0x22c0f4100, 0x80)
  192. p.write32(0x22c0f413c, 0x20000)
  193.  
  194. p.write32(0x22c0fc0fc, 0x1)
  195. p.write32(0x22c0fc200, dart.dart.regs.TTBR[0, 0].val)
  196. p.write32(0x22c0fc2f0, 0x0)
  197. p.write32(0x22c0fc034, 0xffffffff)
  198. p.write32(0x22c0fc020, 0x100000)
  199. p.mask32(0x22c0fc060, 0x10000, 0x80016100)
  200. p.mask32(0x22c0fc068, 0x20202, 0xf0f0f)
  201. p.mask32(0x22c0fc06c, 0x0, 0x80808)
  202. p.write32(0x22c0fc100, 0x80)
  203. p.write32(0x22c0fc13c, 0x20000)
  204.  
  205. def w_tun():
  206. w_tun_a()
  207. w_tun_b()
  208. w_tun_c()
  209. w_tun_d()
  210.  
  211.  
  212. def power_on():
  213. p.pmgr_adt_clocks_enable("/arm-io/isp")
  214. p.pmgr_adt_clocks_enable("/arm-io/dart-isp")
  215.  
  216. base = 0x23b700000
  217. p.write32(base + 0x4000, 0xf)
  218. p.write32(base + 0x4008, 0xf)
  219. p.write32(base + 0x4010, 0xf)
  220. p.write32(base + 0x4018, 0xf)
  221. p.write32(base + 0x4020, 0xf)
  222. p.write32(base + 0x4028, 0xf)
  223. p.write32(base + 0x4030, 0xf)
  224. p.write32(base + 0x4038, 0xf)
  225. p.write32(base + 0x4040, 0xf)
  226. p.write32(base + 0x4048, 0xf)
  227. p.write32(base + 0x4050, 0xf)
  228. p.write32(base + 0x4058, 0xf)
  229. p.write32(base + 0x4060, 0xf)
  230.  
  231. def power_off():
  232. base = 0x23b700000
  233. p.write32(base + 0x4060, 0x0)
  234. p.write32(base + 0x4058, 0x0)
  235. p.write32(base + 0x4050, 0x0)
  236. p.write32(base + 0x4048, 0x0)
  237. p.write32(base + 0x4040, 0x0)
  238. p.write32(base + 0x4038, 0x0)
  239. p.write32(base + 0x4030, 0x0)
  240. p.write32(base + 0x4028, 0x0)
  241. p.write32(base + 0x4020, 0x0)
  242. p.write32(base + 0x4018, 0x0)
  243.  
  244. p.write32(base + 0x4010, 0xf0017ff)
  245. p.write32(base + 0x4008, 0xf0017ff)
  246. p.write32(base + 0x4000, 0x7ff)
  247. p.write32(base + 0x4010, 0x0)
  248. p.write32(base + 0x4008, 0x0)
  249. p.write32(base + 0x4000, 0x0)
  250.  
  251. p.write32(0x22c508000, 0x103)
  252. p.mask32(0x22c504000, 0xc01, 0xc03)
  253.  
  254. p.write32(0x22a008014, 0x1)
  255. p.write32(0x22a0082bc, 0x1)
  256. p.write32(0x22a0082bc, 0x2)
  257. p.write32(0x22a0082bc, 0x4)
  258.  
  259.  
  260. def load_fw():
  261. text_phys = 0x8009e8000
  262. text_virt = 0x0
  263. text_size = 0x9b4000
  264.  
  265. data_phys = 0x8019b8000
  266. data_virt = 0x9b4000
  267. data_size = 0x41c000
  268.  
  269. dart.iomap_at(0, text_virt, text_phys, text_size)
  270. dart.iomap_at(0, data_virt, data_phys, data_size)
  271.  
  272. heap_virt = 0xdd0000
  273. heap_size = 0xa30000
  274. heap_phys = u.heap.memalign(0x4000, heap_size)
  275. p.memset32(heap_phys, 0, heap_size)
  276. dart.iomap_at(0, heap_virt, heap_phys, heap_size)
  277.  
  278. p.write32(0x22c0f4200, dart.dart.regs.TTBR[0, 0].val)
  279. p.write32(0x22c0fc200, dart.dart.regs.TTBR[0, 0].val)
  280.  
  281. power_on()
  282.  
  283. w_tun()
  284. load_fw()
  285.  
  286. def power_gating_disabled_reset():
  287. base = 0x22a000000
  288. p.write32(base + 0x1010310, 0x2) # ANE_H11_ASC_CPU_EDPRCR
  289.  
  290. p.write32(base + 0x738, 0xff00ff)
  291. p.write32(base + 0x798, 0xff00ff)
  292. p.write32(base + 0x7f8, 0xff00ff)
  293. p.write32(base + 0x1400a00, 0xffffffff)
  294. p.write32(base + 0x1400a04, 0xffffffff)
  295. p.write32(base + 0x1400a08, 0xffffffff)
  296. p.write32(base + 0x1400a0c, 0xffffffff)
  297. p.write32(base + 0x1400a10, 0xffffffff)
  298. p.write32(base + 0x1400a14, 0xffffffff)
  299.  
  300. power_gating_disabled_reset()
  301. time.sleep(0.1)
  302.  
  303. def get_asc_status():
  304. base = 0x22a000000
  305. status = p.read32(base + 0x1400048) # ASCWRAP_IDLE_STATUS
  306. print("asc status: 0x%x" % status)
  307. if (status & 3) == 0:
  308. # can't be 0x28, 0x2c
  309. print("ANECPU not in WFI")
  310. return 0
  311. print("ANECPU in WFI")
  312. return 1
  313.  
  314. # it should be wfi for now
  315. assert(get_asc_status())
  316.  
  317. def gpio_seq():
  318. p.read32(0x22c0fc2f0)
  319. p.write32(0x22c104190, 0x1)
  320.  
  321. p.write32(0x22c104170, 0x0)
  322. p.write32(0x22c104174, 0x0)
  323. p.write32(0x22c104178, 0x0)
  324. p.write32(0x22c10417c, 0x0)
  325. p.write32(0x22c104180, 0x0)
  326. p.write32(0x22c104184, 0x0)
  327. p.write32(0x22c104188, 0x0)
  328. p.write32(0x22c10418c, 0x0)
  329.  
  330. p.write32(0x22b400044, 0x0) # asc turn on
  331. p.write32(0x22b400044, 0x10)
  332.  
  333. p.write32(0x22c10418c, 0x0) # init call
  334.  
  335. gpio_seq()
  336. time.sleep(0.1)
  337.  
  338. for n in range(10):
  339. val = p.read32(0x22c10418c)
  340. print('val is: 0x%x' % val)
  341. if (val == 0x8042006):
  342. print('MAGIC; BOOT PT1 SUCCESS')
  343. break
  344. time.sleep(0.1)
  345.  
  346.  
  347. ipc_chan_count = p.read32(0x22c104170) # 0x7; channel count; < 0x21
  348. ipc_queue_size = p.read32(0x22c104174) # 0xef40
  349. unk_2 = p.read32(0x22c104178) # 0x1;
  350. unk_3 = p.read32(0x22c104180) # 0x0
  351. extra_heap_size = p.read32(0x22c10417c) # 0x2200000
  352. print('ISP_GPIO0: IPC_CHAN_COUNT: %d' % ipc_chan_count)
  353. print('ISP_GPIO1: IPC_QUEUE_SIZE: 0x%x' % ipc_queue_size)
  354. print('ISP_GPIO3: fw requested extra heap size: 0x%x' % extra_heap_size)
  355.  
  356.  
  357. #----------------------------------------------------------------------------------------------
  358.  
  359. def prep_ipc():
  360. # prep shared ipc buf
  361. ipc_virt = 0x1804000
  362. ipc_size = 0x1c000
  363. ipc_phys = u.heap.memalign(0x4000, ipc_size)
  364. p.memset32(ipc_phys, 0, ipc_size)
  365. dart.iomap_at(0, ipc_virt, ipc_phys, ipc_size)
  366.  
  367. """
  368. 00003380: 00000000 00000000 00704000 00000000 .........@p.....
  369. 00003390: 00700000 00000000 0f900000 00000000 ..p.............
  370. 000033a0: 00748000 00000000 01800000 00000000 ..t.............
  371. 000033d0: 00040000 00000000 00000000 00000000 ................
  372. 000033e0: 00000000 00000000 00000040 00000004 ........@.......
  373.  
  374. ipc_msg_buf = IPCMsg.build(dict(
  375. ipc_base=ipc_virt,
  376. ctrr_size=CTRR_FW_SIZE, ctrr_size2=0x10000000-CTRR_FW_SIZE,
  377. shared_base=SHARED_HEAP_BASE, shared_size=SHARED_HEAP_SIZE,
  378. ipc_size=ipc_size, unk0=0x40, unk1=0x0))
  379. """
  380. ipc_data = open("ipc.bin", "rb").read()
  381. dart.iowrite(0, ipc_virt, ipc_data)
  382.  
  383.  
  384. def fw_requested_heap_alloc():
  385. extra_heap_virt = 0x1824000
  386. extra_heap_phys = u.heap.memalign(0x4000, extra_heap_size)
  387. p.memset32(extra_heap_phys, 0, extra_heap_size)
  388. dart.iomap_at(0, extra_heap_virt, extra_heap_phys, extra_heap_size)
  389.  
  390.  
  391. IPCChanTableEntry = Struct(
  392. "name" / PaddedString(0x40, "utf8"),
  393. "type" / Int32ul,
  394. "idx" / Int32ul,
  395. "size" / Int32ul,
  396. "pad" / Int32ul,
  397. "iova" / Hex(Int32ul),
  398. "pad" / Default(Int32ul, 0),
  399. "pad" / Default(Int32ul, 0),
  400. "pad" / Default(Int32ul, 0),
  401. "pad" / Padding(0xa0),
  402. )
  403.  
  404. class ISPChannel:
  405. def __init__(self, name, type_, idx, size, iova):
  406. self.name = name
  407. self.type = type_
  408. self.idx = idx
  409. self.size = size
  410. self.iova = iova
  411.  
  412. class ISPChannelTable:
  413. def __init__(self, terminal, io, debug, buf_h2t, buf_t2h, sharedmalloc, io_t2h):
  414. self.terminal = terminal
  415. self.io = io
  416. self.debug = debug
  417. self.buf_h2t = buf_h2t
  418. self.buf_t2h = buf_t2h
  419. self.sharedmalloc = sharedmalloc
  420. self.io_t2h = io_t2h
  421.  
  422.  
  423. def stage2():
  424. prep_ipc()
  425. fw_requested_heap_alloc()
  426.  
  427. p.write32(0x22c104170, 0x1812f80) # IPC_WIRED_BASE + ipc_msg_offset 0x1812f80
  428. p.write32(0x22c104174, 0x0)
  429. p.write32(0x22c10418c, 0xf7fbdff9) # signal to fw
  430.  
  431. for n in range(10):
  432. val = p.read32(0x22c10418c)
  433. print('ISP_GPIO7: 0x%x' % val)
  434. if (val == 0x8042006):
  435. print('MAGIC; BOOT PT2 SUCCESS')
  436. break
  437. time.sleep(0.1)
  438.  
  439. unk_0 = p.read32(0x22c104170) # 0x1804000
  440. unk_1 = p.read32(0x22c104174) # 0x0
  441. print('ISP_GPIO0: 0x%x' % unk_0)
  442. print('ISP_GPIO1: 0x%x' % unk_1)
  443. print("channel description table at iova 0x%x" % unk_0)
  444.  
  445. ipc_width = IPCChanTableEntry.sizeof() # 0x100
  446. chan_table_data = dart.ioread(0, unk_0, ipc_chan_count*ipc_width)
  447. channels = []
  448. for n in range(ipc_chan_count):
  449. chan_data = chan_table_data[n*ipc_width:(n+1)*ipc_width]
  450. parsed = IPCChanTableEntry.parse(chan_data)
  451. print(parsed)
  452. chan = ISPChannel(parsed.name, parsed.type, parsed.idx, parsed.size, parsed.iova)
  453. channels.append(chan)
  454. table = ISPChannelTable(*channels)
  455.  
  456.  
  457. p.write32(0x22c10417c, 0x8042006)
  458. for n in range(10):
  459. val = p.read32(0x22c10417c)
  460. print('ISP_GPIO6: 0x%x' % val)
  461. if (val == 0x0):
  462. print('MAGIC; BOOT PT3 SUCCESS')
  463. break
  464. time.sleep(0.1)
  465.  
  466.  
  467. print('irq: 0x%x 0x%x' % (p.read32(0x22c104000), p.read32(0x22c104004)))
  468. p.write32(0x22c104004, 0xf)
  469. p.write32(0x22c1043f0, 0x2)
  470. print('irq: 0x%x 0x%x' % (p.read32(0x22c104000), p.read32(0x22c104004)))
  471. p.write32(0x22c1043fc, 0x8)
  472. p.write32(0x22c1043f0, 0x8)
  473. print('irq: 0x%x 0x%x' % (p.read32(0x22c104000), p.read32(0x22c104004)))
  474.  
  475.  
  476. stage2()
  477.  
  478. power_off()
  479. #run_shell(globals(), msg="Have fun!")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!