
ave.py

#!/usr/bin/env python3
# SPDX-License-Identifier: MIT
import sys, pathlib
# Make the directory one level above this script's directory importable so the
# `m1n1` package can be resolved. The path is appended, not prepended, so any
# `m1n1` already importable from an earlier sys.path entry takes precedence.
sys.path.append(str(pathlib.Path(__file__).resolve().parents[1]))

import time
import atexit
import struct
# NOTE(review): `u` and `p` are used throughout this file but are bound by no
# explicit statement in this listing; presumably they come from the m1n1 proxy
# setup (e.g. m1n1.setup or an interactive shell) -- confirm before running.
# The wildcard imports also hide where Struct, Default, Int32ul, Hex,
# PaddedString, Padding and RegMonitor are defined.
from m1n1.hw.ave import *
from m1n1.hw.dart import DART
from m1n1.utils import *
  12.  
  13.  
# Alignment (16 KiB) passed to memalign() for the buffers mapped in the boot stages.
PAGE_SIZE = 0x4000
# Base address that the module-level ave_r32/ave_w32/ave_m32 helpers add offsets to.
AVE_BASE = 0x266000000
def ave_r32(off):
    """Read the 32-bit value at AVE_BASE + off through the global proxy ``p``."""
    addr = AVE_BASE + off
    return p.read32(addr)
def ave_w32(off, x):
    """Write the 32-bit value ``x`` at AVE_BASE + off through the global proxy ``p``."""
    addr = AVE_BASE + off
    return p.write32(addr, x)
def ave_m32(off, cl, st):
    """Call ``p.mask32`` on AVE_BASE + off with ``cl`` and ``st`` (clear/set, going by the names)."""
    addr = AVE_BASE + off
    return p.mask32(addr, cl, st)
def printf(fmt, *args):
    """Print ``fmt % args`` with no trailing newline added (C-style printf)."""
    text = fmt % args
    print(text, end='')
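def round_up(x, y):
    """Return the smallest multiple of ``y`` that is >= ``x``.

    The previous bit-mask form ``(x + (y - 1)) & (-y)`` is only correct when
    ``y`` is a power of two; for other alignments it silently returned a value
    that is not a multiple of ``y`` (e.g. 8 for x=4, y=6). Sizes computed with
    it feed memory mappings, so a wrong result means a mis-sized mapping.
    Integer division gives the same answer for power-of-two ``y`` and the
    right answer otherwise, matching round_down(), which already works for
    any non-zero ``y``.

    Raises:
        ZeroDivisionError: if ``y`` is 0 (same as round_down()).
    """
    return ((x + (y - 1)) // y) * y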
def round_down(x, y):
    """Return ``x`` lowered to the nearest multiple of ``y`` (any non-zero ``y``)."""
    remainder = x % y
    return x - remainder
  22.  
class AVE:
    """Bring-up helper for the block at ADT path /arm-io/ave, driven via an m1n1 proxy.

    Holds the proxy handles taken from ``u``, the AVERegs/AVEASCRegs register
    views, and (once ave_init_iommu() has run) the DART whose translation
    tables back every mapping made through the io* helpers below.
    """

    def __init__(self, u):
        """Store the handles from ``u`` and build the register views at AVE_BASE."""
        self.u = u
        self.p = u.proxy
        self.iface = u.iface
        # Same values as the module-level PAGE_SIZE / AVE_BASE constants.
        self.PAGE_SIZE = 0x4000
        self.page_size = self.PAGE_SIZE
        # Set by ave_init_iommu(); the io* helpers fail on None before that.
        self.dart = None
        self.AVE_BASE = 0x266000000
        self.regs = AVERegs(backend=u, base=self.AVE_BASE)
        self.asc_regs = AVEASCRegs(backend=u, base=self.AVE_BASE)
        # Overwritten with the heap IOVA by ave_boot_stage1().
        self.ipc_iova = 0x0

    # 32-bit read / write / mask helpers addressing registers as AVE_BASE + off.
    def ave_r32(self, off): return self.p.read32(self.AVE_BASE + off)
    def ave_w32(self, off, x): return self.p.write32(self.AVE_BASE + off, x)
    def ave_m32(self, off, cl, st): return self.p.mask32(self.AVE_BASE + off, cl, st)

    def ave_power_off(self):
        """Write 0 to the five registers that ave_power_on() sets to 0xf, in reverse order."""
        p = self.p
        # presumably power/clock-gate controls -- TODO confirm what these registers are
        p.write32(0x23b708020, 0x0)
        p.write32(0x23b708018, 0x0)
        p.write32(0x23b708010, 0x0)
        p.write32(0x23b708008, 0x0)
        p.write32(0x23b708000, 0x0)

    def ave_power_on(self):
        """Enable clocks for the block and its DART, program the fabric, then write 0xf to five registers."""
        p = self.p
        p.pmgr_adt_clocks_enable('/arm-io/ave')
        p.pmgr_adt_clocks_enable('/arm-io/dart-ave')
        self.ave_write_fabric()
        p.write32(0x23b708000, 0xf)
        p.write32(0x23b708008, 0xf)
        p.write32(0x23b708010, 0xf)
        p.write32(0x23b708018, 0xf)
        p.write32(0x23b708020, 0xf)
        # The power-off hook is registered only after every write above has
        # succeeded; an exception part-way through leaves no cleanup hook.
        atexit.register(self.ave_power_off)

    def ave_write_fabric(self):
        """Apply a fixed mask32 sequence to registers in the 0x266000000 range.

        The addresses are absolute literals rather than self.AVE_BASE + off,
        so changing AVE_BASE does not move these writes.
        """
        p = self.p
        # opaque values; their meaning is not shown in this file
        p.mask32(0x266000000, 0x10, 0x10)
        p.mask32(0x266000038, 0xffff, 0x50010)
        p.mask32(0x26600003c, 0xffff, 0xa0030)
        p.mask32(0x266000400, 0x4, 0x40010001)
        p.mask32(0x266000600, 0x0, 0x1ffffff)
        p.mask32(0x266000738, 0x1ff01ff, 0x100008)
        p.mask32(0x266000798, 0x1ff01ff, 0x80030)
        p.mask32(0x2660007f8, 0x1ff01ff, 0x60000a)
        p.mask32(0x266000900, 0x1, 0x101)
        p.mask32(0x266000410, 0x100, 0x1100)
        p.mask32(0x266000420, 0x100, 0x1100)
        p.mask32(0x266000430, 0x100, 0x1100)

    def ave_init_iommu(self):
        """Initialise the DART for /arm-io/dart-ave and map the firmware segments.

        Programs two register banks (0x267040000 and 0x267030000) with nearly
        identical sequences, then maps the text and data IOVAs taken from the
        ADT 'segment-ranges' property onto the physical addresses returned by
        patch_firmware(), and copies the DART's TTBR[0, 0] value into both banks.
        """
        u = self.u
        p = self.p
        p.write32(0x2670400fc, 0x0)
        p.write32(0x2670300fc, 0x0)
        p.write32(0x267020020, 0x80000000)
        dart = DART.from_adt(u, f'/arm-io/dart-ave', instance=0)
        dart.initialize()
        self.dart = dart

        # First bank (0x267040000); opaque values.
        p.write32(0x267040080, 0x3020000)
        p.write32(0x267040084, 0x7060504)
        p.write32(0x267040088, 0xb0a0908)
        p.write32(0x26704008c, 0xf0e0d0c)
        p.write32(0x2670400fc, 0x0)
        p.write32(0x2670402f0, 0x0)
        p.write32(0x267040034, 0xffffffff)
        p.write32(0x267040020, 0x100000)
        # The clear mask is the register's current value, so presumably the
        # register ends up holding exactly the set value -- confirm mask32 semantics.
        p.mask32(0x267040060, p.read32(0x267040060), 0x80016100)
        p.mask32(0x267040068, p.read32(0x267040068), 0xf0f0f)
        p.mask32(0x26704006c, p.read32(0x26704006c), 0x80808)

        p.write32(0x267044004, 0x1)
        # NOTE(review): patch_firmware() is not defined on this class anywhere in
        # this listing; unless it is supplied elsewhere this call raises
        # AttributeError. Its two return values become the physical targets of
        # the firmware mappings below.
        text_phys_new, data_phys_new = self.patch_firmware()
        #p.write32(0x267044008, 0x8f4000)
        #p.write32(0x26704400c, 0x8)
        #p.write32(0x267044010, 0x9bffff)
        #p.write32(0x267044014, 0x8)
        p.write32(0x267044000, 0x11)
        p.write32(0x267044044, 0x1)
        p.write32(0x267044048, 0x0)
        p.write32(0x26704404c, 0xf)
        p.write32(0x267044050, 0xffffffff)
        p.write32(0x267044054, 0xf)
        p.write32(0x267044040, 0x33)
        p.write32(0x267040100, 0x80)
        p.write32(0x26704013c, 0x100)

        # Second bank (0x267030000): same sequence as the first up to 0x...6c,
        # then a different value at offset 0x13c.
        p.write32(0x267030080, 0x3020000)
        p.write32(0x267030084, 0x7060504)
        p.write32(0x267030088, 0xb0a0908)
        p.write32(0x26703008c, 0xf0e0d0c)
        p.write32(0x2670300fc, 0x0)
        p.write32(0x2670302f0, 0x0)
        p.write32(0x267030034, 0xffffffff)
        p.write32(0x267030020, 0x100000)
        p.mask32(0x267030060, p.read32(0x267030060), 0x80016100)
        p.mask32(0x267030068, p.read32(0x267030068), 0xf0f0f)
        p.mask32(0x26703006c, p.read32(0x26703006c), 0x80808)
        p.write32(0x267030100, 0x80)
        p.write32(0x26703013c, 0x20000)

        p.write32(0x267050038, 0x1)
        p.write32(0x2671dc400, 0x0)
        p.write32(0x2671dc400, 0x3)
        p.write32(0x2671dc000, 0x101)

        # 'segment-ranges' is parsed as two little-endian records of three u64,
        # one u32 and four pad bytes. text_phys/data_phys from the ADT are
        # unpacked but unused: the device-visible IOVAs are pointed at the
        # addresses from patch_firmware() instead. The sizes from the ADT are
        # used as mapping lengths without any check.
        (text_phys, text_iova, _, text_size, data_phys, data_iova, _, data_size) = struct.unpack('<QQQI4xQQQI4x', getattr(u.adt['/arm-io/ave'], 'segment-ranges'))
        self.dart.iomap_at(0, text_iova, text_phys_new, text_size)
        self.dart.iomap_at(0, data_iova, data_phys_new, data_size)
        # Copy the DART's TTBR[0, 0] register value into both banks.
        p.write32(0x267040200, self.dart.dart.regs.TTBR[0, 0].val)
        p.write32(0x267030200, self.dart.dart.regs.TTBR[0, 0].val)

    def boot(self):
        """Power the block on, then set up its DART and firmware mappings."""
        self.ave_power_on()
        self.ave_init_iommu()

    def asc_boot(self):
        """Write the four-step AVE_ASC_* register sequence (CONTROL goes 0x0, then 0x10)."""
        self.asc_regs.AVE_ASC_UNK_808.val = 0x1
        self.asc_regs.AVE_ASC_CONTROL.val = 0x0
        self.asc_regs.AVE_ASC_UNK_400.val = 0x10000
        self.asc_regs.AVE_ASC_CONTROL.val = 0x10

    def ioread(self, iova, size):
        """Read ``size`` bytes at ``iova`` (masked to its low 40 bits) via the DART, stream 0."""
        return self.dart.ioread(0, iova & 0xFFFFFFFFFF, size)

    def iowrite(self, iova, data):
        """Write ``data`` at ``iova`` (masked to its low 40 bits) via the DART, stream 0."""
        return self.dart.iowrite(0, iova & 0xFFFFFFFFFF, data)

    def iomap(self, phys, size):
        """Forward to self.dart.iomap(phys, size)."""
        # NOTE(review): every other wrapper here passes stream 0 as the first
        # argument; this one does not -- confirm against DART.iomap's signature.
        return self.dart.iomap(phys, size)

    def iomap_at(self, iova, phys, size):
        """Map ``phys`` at ``iova`` (masked to its low 40 bits) for ``size`` bytes, stream 0."""
        return self.dart.iomap_at(0, iova & 0xFFFFFFFFFF, phys, size)

    def ioalloc_at(self, iova, size):
        """Allocate PAGE_SIZE-aligned memory, zero it, and map it at ``iova`` on stream 0."""
        phys = self.u.memalign(self.PAGE_SIZE, size)
        # Zeroed before the mapping is created.
        self.p.memset32(phys, 0, size)
        return self.dart.iomap_at(0, iova & 0xFFFFFFFFFF, phys, size)
  164.  
  165.  
  166.  
# Runs at module top level: executing this script immediately powers the block
# on and programs its DART (there is no `if __name__ == "__main__"` guard).
ave = AVE(u)
ave.boot()

# Register monitor over the 0x4000-byte window at 0x267050000, which contains
# the registers the boot stages below read and write.
mon = RegMonitor(u)
mon.add(0x267050000, 0x4000)
mon.poll()

# Second monitor (ascii=True) whose reads are redirected to device-side IOVAs
# by the readmem override assigned below.
iomon = RegMonitor(u, ascii=True)
def readmem_iova(addr, size, readfn=None):
    """Read ``size`` bytes at IOVA ``addr`` through the global ``ave`` DART, stream 0.

    Best-effort: any exception from the read is printed and ``None`` is
    returned instead. ``readfn`` is accepted but never used.
    """
    try:
        chunk = ave.dart.ioread(0, addr, size)
    except Exception as e:
        print(e)
        return None
    return chunk
# Make iomon read through the DART (IOVA space) instead of its default reader.
iomon.readmem = readmem_iova
  182.  
def ave_boot_stage1(ave):
    """Stage 1: map a heap, run ave.asc_boot(), and read back four size/count registers.

    Uses the module globals ``u``, ``p``, ``mon`` and ``iomon``. Sets
    ``ave.ipc_iova`` to the heap IOVA, which the later stages read from and
    write to.
    """
    heap_size = 0x700000
    heap_iova = 0x1f8000
    heap_phys = u.heap.memalign(PAGE_SIZE, heap_size)
    # NOTE(review): unlike ipc_phys below and AVE.ioalloc_at(), this allocation
    # is not zeroed before being mapped for the device, so whatever the heap
    # held before becomes device-visible -- confirm that is intended.
    ave.dart.iomap_at(0, heap_iova, heap_phys, heap_size)
    mon.poll()
    iomon.add(heap_iova, heap_size)
    iomon.poll()
    # Note: this is the heap IOVA, not the local ipc_iova computed further down.
    ave.ipc_iova = heap_iova

    p.write32(0x267050018, 0x8042006)
    p.write32(0x26705001c, 0x0)
    p.write32(0x267050020, 0xd)
    ave.asc_boot()
    printf("asc status: 0x%x\n", p.read32(0x267c00048))

    p.write32(0x267050010, 0x1)
    # Fixed 100 ms wait; no completion flag is checked before the reads below.
    time.sleep(0.1)
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()

    # Trailing comments are the author's annotated values for each register.
    num_chans = p.read32(0x267050018) # 7
    buf_size = p.read32(0x26705001c) # 0x9bc0
    desc_size = p.read32(0x267050020) # 0x100
    ipc_size = p.read32(0x267050024) # 0xc0000
    printf('num_chans: %d buf_size: 0x%x desc_size: 0x%x ipc_size: 0x%x\n', num_chans, buf_size, desc_size, ipc_size)

    # ipc_size comes straight from a device register and is used, unchecked,
    # as both the allocation size and the mapping length.
    ipc_iova = heap_iova + heap_size
    ipc_phys = u.heap.memalign(PAGE_SIZE, ipc_size)
    p.memset32(ipc_phys, 0, ipc_size)
    ave.dart.iomap_at(0, ipc_iova, ipc_phys, ipc_size)

    # Hand the heap IOVA and size back through the same registers.
    p.write32(0x267050018, heap_iova)
    p.write32(0x26705001c, 0x0)
    p.write32(0x267050020, heap_size)
    p.write32(0x267050024, 0x0)
    p.write32(0x26705000c, 0x1)
    time.sleep(0.1)
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()
    iomon.poll()
  230.  
def ave_boot_stage2(ave):
    """Stage 2: write a 0x40-byte boot-args record and allocate the channel region.

    Builds AVEBootArgs (sixteen 32-bit little-endian words, all defaulting
    to 0), writes it at ave.ipc_iova + 0xe000, allocates and maps chan_size
    bytes at chan_iova, then writes a fixed register sequence. Uses the module
    globals ``p`` and ``mon``.
    """
    unk_addr = p.read32(0x267050018) # 0x80000000
    unk_mask = p.read32(0x26705001c) # 0xffffffff
    printf('unk_addr: 0x%x unk_mask: 0x%x\n', unk_addr, unk_mask)

    # The bare string below is a no-op expression: a hex dump whose non-zero
    # words match the fields set in `args` further down.
    """
00000000 00000000 00000000 80000000 ffffffff 00000000 00000000 00000000 008fc000
00000020 00000000 000c0000 0000000a 00000000 00000000 00000000 00000000 00000000
00000040 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000060 *
"""
    AVEBootArgs = Struct(
        "unk_0" / Default(Int32ul, 0),
        "unk_4" / Default(Int32ul, 0),
        "unk_8" / Default(Int32ul, 0),
        "unk_c" / Default(Int32ul, 0),

        "unk_10" / Default(Int32ul, 0),
        "unk_14" / Default(Int32ul, 0),
        "unk_18" / Default(Int32ul, 0),
        "unk_1c" / Default(Int32ul, 0),

        "unk_20" / Default(Int32ul, 0),
        "unk_24" / Default(Int32ul, 0),
        "unk_28" / Default(Int32ul, 0),
        "unk_2c" / Default(Int32ul, 0),

        "unk_30" / Default(Int32ul, 0),
        "unk_34" / Default(Int32ul, 0),
        "unk_38" / Default(Int32ul, 0),
        "unk_3c" / Default(Int32ul, 0),
    )
    # Hard-coded values: unk_8/unk_c equal the values annotated on the two
    # reads above, and unk_1c/unk_24 equal chan_iova/chan_size below. The
    # register values just read are printed but not used here.
    args = AVEBootArgs.build(dict(
        unk_8=0x80000000,
        unk_c=0xffffffff,
        unk_1c=0x8fc000,
        unk_24=0xc0000,
        unk_28=0xa,
    ))
    ave.iowrite(ave.ipc_iova + 0xe000, args)

    # FwHeap
    # NOTE(review): stage 1 maps ipc_size bytes at heap_iova + heap_size
    # (0x1f8000 + 0x700000 = 0x8f8000). With the ipc_size annotated there
    # (0xc0000) that mapping would overlap this range -- confirm it is intended.
    chan_iova = 0x8fc000
    chan_size = 0xc0000
    ave.ioalloc_at(chan_iova, chan_size)

    # 0x8000e000 combines the 0x80000000 value with the 0xe000 offset the args
    # were written at; presumably this tells the firmware where to find them -- TODO confirm.
    p.write32(0x267050018, 0x8000e000)
    p.write32(0x26705001c, 0xffffffff)
    p.write32(0x267050020, 0x0)
    p.write32(0x267050024, 0x0)
    p.write32(0x26705000c, 0x1)
    p.write32(0x267050010, 0x1)
    # Fixed 100 ms wait; no completion flag is checked.
    time.sleep(0.1)
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()
    mon.poll()
  289.  
def ave_boot_stage3(ave):
    """Stage 3: print three reply registers, then dump seven 0x100-byte descriptors.

    The descriptors are read from ave.ipc_iova in steps of 0x100 and parsed
    with a local construct layout. The count 7 and the size 0x100 are literals
    here; they match the num_chans/desc_size values annotated in
    ave_boot_stage1 rather than being taken from what the device reported.
    Uses the module global ``p``.
    """
    # Register reads stay in the original order: 0x18, 0x1c, 0x20.
    reg_addr = p.read32(0x267050018) # 0x80000000
    reg_mask = p.read32(0x26705001c) # 0xffffffff
    reg_thing = p.read32(0x267050020) # 0xb0000
    printf('unk_thing: 0x%x unk_addr: 0x%x unk_mask: 0x%x\n', reg_thing, reg_addr, reg_mask)

    # Layout of one table entry: 0x40-byte name, five u32 fields, three u32
    # pads and 0xa0 bytes of padding (0x100 bytes in total, asserted below).
    desc_layout = Struct(
        "name" / PaddedString(0x40, "utf8"),
        "type" / Int32ul,
        "src" / Int32ul,
        "num" / Int32ul,
        "iova" / Hex(Int32ul),
        "mask" / Hex(Int32ul),
        "pad" / Default(Int32ul, 0),
        "pad" / Default(Int32ul, 0),
        "pad" / Default(Int32ul, 0),
        "pad" / Padding(0xa0),
    )
    assert desc_layout.sizeof() == 0x100

    for index in range(7):
        raw = ave.ioread(ave.ipc_iova + (index * 0x100), 0x100)
        print(desc_layout.parse(raw))
  313.  
# Run the three boot stages in order; each relies on state left by the one
# before it (ave.ipc_iova and the DART mappings set up in stage 1).
ave_boot_stage1(ave)
ave_boot_stage2(ave)
ave_boot_stage3(ave)