From 06d3d0d7264e8034245cf33044913fda99626401 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <mfritsche@reauktion.de>
Date: Wed, 15 Apr 2026 08:03:43 +0200
Subject: [PATCH] benchmark: AI-Ghidra landscape + case-4 harness (synthetic
 PHY)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- benchmark/ai_ghidra/SETUP.md documents the GhidrAssist 1.5.0 install
  at /opt/ghidra/Ghidra/Extensions/GhidrAssist/ on oppenheimer (CT131),
  with dirac endpoints (Hermes-2-Pro 8B @ :8080, Qwen-coder 1.5B @ :8081)
  already reachable + tested. Final enable+config is UI-only; two
  clicks on next Ghidra launch.
- gdb_debug/harness.c extended with case 4 = train_phy_block running
  under a synthetic PHY at 0x40000000. Static MMIO shim satisfies
  polls 1-3; poll 4 needs dynamic state-machine (next session, via
  SIGBUS handler or ptrace) — documented in the README.

Vendor tree investigation: Rockchip's own sdram_rk3588.c / sdram_rk3568.c
are STUBS (return -1). No free function names from there. Path forward:
mine the vendor kernel's rockchip_dmc.c (devfreq DDR scaling driver)
for register-offset naming hints at runtime-call level.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 benchmark/ai_ghidra/SETUP.md      |  72 +++++++++++++++++++++++++
 benchmark/gdb_debug/Makefile      |   3 +-
 benchmark/gdb_debug/func_04.o     | Bin 0 -> 720 bytes
 benchmark/gdb_debug/gdb_debug.elf | Bin 76152 -> 77280 bytes
 benchmark/gdb_debug/harness.c     |  86 +++++++++++++++++++++++++++---
 5 files changed, 154 insertions(+), 7 deletions(-)
 create mode 100644 benchmark/ai_ghidra/SETUP.md
 create mode 100644 benchmark/gdb_debug/func_04.o

diff --git a/benchmark/ai_ghidra/SETUP.md b/benchmark/ai_ghidra/SETUP.md
new file mode 100644
index 0000000..0146f1a
--- /dev/null
+++ b/benchmark/ai_ghidra/SETUP.md
@@ -0,0 +1,72 @@
+# AI-Ghidra on oppenheimer (2026-04-15)
+
+GhidrAssist wired to dirac's local LLMs. Two-click finish on next
+launch because Ghidra's plugin enable/config step is UI-only.
+
+## What's installed
+
+- **GhidrAssist 1.5.0** (jtang613 fork — actual
+  `github.com/symgraph/GhidrAssist`) at
+  `/opt/ghidra/Ghidra/Extensions/GhidrAssist/` on oppenheimer (CT131).
+- Built for Ghidra 11.4.3; our install is 11.3. Should load
+  (API-compatible) but if "Extension failed to load" appears, upgrade
+  Ghidra to 11.4.3+.
+
+## Dirac LLM endpoints (OpenAI v1 compatible)
+
+| port | model | size | role |
+|------|-------|------|------|
+| 8080 | `Hermes-2-Pro-Llama-3-8B-Q4_K_M.gguf` | ~4.8 GB | main — tool-calling, agentic rename, function-calling mode |
+| 8081 | `qwen2.5-coder-1.5b-instruct-q4_k_m.gguf` | ~1 GB | fast — quick renames, short comments |
+
+Base URLs:
+- `http://192.168.88.194:8080/v1/` (Hermes)
+- `http://192.168.88.194:8081/v1/` (Qwen-Coder)
+
+Fully OpenAI-compatible: `/v1/models`, `/v1/chat/completions`. Tested
+from oppenheimer; reachable, responses sane.
+
+## Finish config (UI, next launch)
+
+1. Open Ghidra, open any project.
+2. CodeBrowser → **File → Configure → Miscellaneous** → tick
+   **Enable GhidrAssist**.
+3. Reopen CodeBrowser; GhidrAssist tab appears.
+4. Settings:
+   - **API type:** OpenAI compatible
+   - **API base URL:** `http://192.168.88.194:8080/v1`
+   - **Model name:** `Hermes-2-Pro-Llama-3-8B-Q4_K_M.gguf`
+   - **API key:** any non-empty string (llama.cpp ignores it)
+   - **System prompt** (recommended):
+     ```
+     You are a reverse engineering assistant. When asked for a rename,
+     return ONLY the new name — do not use tool calls unless the
+     conversation is explicitly in function-calling mode.
+     ```
+
+## Tested calls
+
+- Qwen-coder 1.5B, memset-shaped function → returned `set_char` (close,
+  not ideal).
+- Hermes 8B w/o system prompt → invokes `rename_function` tool call
+  immediately — perfect for GhidrAssist's agentic rename mode, awkward
+  for plain Q&A.
+
+## Use patterns
+
+- **Agentic rename pass over our 118 DDR functions** (Hermes + tool
+  calls auto-invoked).
+- **Quick second opinion on a decompiler output** — Hermes or Qwen,
+  non-agentic.
+- **Bulk scripted pass** — Ghidra headless + GhidrAssist's JSON API
+  (see `ghidra_scripts/README.txt` in the extension dir).
+
+## Cold-start bookkeeping
+
+llama-server cold-loads in ~15 s. First call after dirac wake returns
+HTTP 503 `{"error":"Loading model"}` — retry after ~15 s.
+
+## Offline fallback
+
+Clevo (980M, 4 GB VRAM) can host Qwen-coder 1.5B when dirac is down.
+Hermes 8B won't fit in 4 GB.
diff --git a/benchmark/gdb_debug/Makefile b/benchmark/gdb_debug/Makefile
index dffc28e..7c4ac6e 100644
--- a/benchmark/gdb_debug/Makefile
+++ b/benchmark/gdb_debug/Makefile
@@ -18,8 +18,9 @@ endef
 $(eval $(call WRAP_BIN,func_01,01_memset))
 $(eval $(call WRAP_BIN,func_02,02_memcpy32))
 $(eval $(call WRAP_BIN,func_03,03_magic_memset))
+$(eval $(call WRAP_BIN,func_04,04_train_phy_block))
 
-gdb_debug.elf: harness.c func_01.o func_02.o func_03.o
+gdb_debug.elf: harness.c func_01.o func_02.o func_03.o func_04.o
 	gcc -O0 -g -Wall -o $@ $^
 
 clean:
diff --git a/benchmark/gdb_debug/func_04.o b/benchmark/gdb_debug/func_04.o
new file mode 100644
index 0000000000000000000000000000000000000000..2ec987bfec181e340899e67ad00fd5fc7d8b9b58
GIT binary patch
literal 720
zcmb<-^>JfjWMqH=MuzPS2p&w7fnfrYpaWRgfq|8Qg@GZ);pfAC79$1)hlz{=j5`@6
z9CzCDuoNBm|38FL0l|LQ&S1ot0F(~_;ufGdi^C_7nnZ>LLC9hUVPYV)4EusWW*%UU
zzlLxLCW{%1i$Ts6z#=XU70*C3#uzOA@jtpaLwr(ZUSd&Yd|GK<a=d{Fh#OyAl2}xN
zRVFnr1*>>*W>qQ!gI;lEZb@PikS-~L&>1jRN@7VOnv=-lg8T>aJ2RSY2Phxie@M{^
zRsrHOLDeEtE1;YTC=D_nq>cm1mw?ioKpNd{kdy+{A|I$a7=>=XAW#CE{v4=6MVLk?
HjjkU6lNVRm

literal 0
HcmV?d00001

diff --git a/benchmark/gdb_debug/gdb_debug.elf b/benchmark/gdb_debug/gdb_debug.elf
index 3c8cc43ff762de8be527ac406dec12f2af604d53..bf616fd3faad6bcb2275b47dcab0ff4c2e0d41cd 100755
GIT binary patch
literal 77280
zcmeHtdvsLCnP=U;ef35N2@o%%tA}mkpa&phz+hUELCAoOL5}hGan<U+Quom6ZubL3
z@YpgYGd>A(LMNVyC&3;P|1sF{WSLoK0vX3q9y7<8cxPBUu-+3VD{!3U#Mv2~kW6G7
z_x!%PRnqONmg7CUXV3morE~9B^{emu>Z@PXeSNJ*w(QvI(=;ZF&c4B@HD2K$0nsth
zGOZI}>sSQ~uol+LO3?4eA@#hn!-q~3Da)KD(;><33DNJBONE}4a&(f0=qn~JFK|#P
z8J~@FrdS8AI{gDz9gk98rhrh!DJWi?ehQE5lEN-2?4-Ob0+UkCkKE9a6!Y`S7W7e(
zl60w%q~olZhgX{Dqhj*2qf6CYZ)L({*E!$m@XD|QGbu@z%AK&I`F+$<BNTUw@n+-m
zgqXLKf+jvU3X$mUz5On>^YpqueD}{XfBn_3eZ_a>RM#~}UO0Mxdn`KG9t*d|qVeo#
zYcQA!Mb>t<r4wzdoOL8$(w_+DBMBY5cC37+s?O?Jl8Jytw*^@{Q<W{B1z#}>PTUsr
zGY;Iu;Vpdtn!F&|8*t1kf;R&z=6~-j_?%hrH-MWsyk!(Xv2jO$7aNz>r5HXm3!a_@
ze;c@o!&|xm6!YIT3(k_+OqwO_R4S2TmX*!~L;I{yWS=z@jK-Kf8qKg^CJ{v!HeHDN
zQyFU{7>%=ZCJZY!luSkAnIR~IMuXN+G#-paKWVcOdn9dVNQ9CHp_>YgBw27Ukpean
zOco3^oDHVJjQrCkUdxJa?cN=I-96UowpBMVSzXh~tiJx876P${qv?#D>fhNDOT_K|
z;9$(g7{eopxQN+uREsJK5`Ea?I^XA1bN=WKGF_*dQ#4#*PoPTIyNTlqxj)BN_Os_u
zr=mgg(~$Ch@B;7G+1CZ;==-Mh<$YEcH=c<~^1@g|+)pKbRN{HsNw`l4{c#al(u0qQ
z%{k`5j|=_BJ@_SopO^(d>A|I+QyyH#^RfpY6aLS7@V#^SblB@2e3#}hJ}T_wd}Vu7
z=xgAi)N#Sj$6UC4=1|9zF5G>qJMF^h9w5uO3$K<S<b(^abKy+H=|eo?k;!|@T)0>=
zj@P(w_j7xZ3wJ+%OcyR*LAak4E?jI8j(525Dvmg(buQdJ-+&7jOTrDdxp29ssbiN5
zci#v1x^VaXXuySwM=|#wapB_8&hgF7`njuzzWwY~o#p-juR~W4edpx2fsO0dc~ZEH
zzRM8vKIomSxwtuJ`WntRnEE++)M)J3JYQh4#>aRcZ<nCm<Z4%--R){uqdn+q*P?yc
z)n179S6uBSXn)t$UXJ!fSGx&qpEf=Ib!a!a+Bcxx?P|B7J?Lt$M*Fa<y%z1SIBibS
zhn%by{oFNd?A7Hs-qP7~7xcj7#b%cKIry9aZ|qX<q>es6j&J4jU-%IYj=#}68DQ*%
zSMvFK;#%_QmAKIzV*w+FSL9=jkeeBMdz`WU3-I0eV((-SJ}&Fpa}4Xk*UY2e$k-2?
z-hbq^uBt~r)A)YZ=f4B}i?Hp!+&ekQZGBU=R}a0!_rb3#*<>C340LZ<AJEuMe5{vy
zCm)4Ak7r|G(qx;@|98yAWMjJrx{dX}t_)0GJ@nm^-nqPi`CUEqE$(+>E}Ogn--g3S
zZI6F!_eI!i?C`4$*k2Gg^=xvYJ}}wfXMclO`x#@W7%R`E#8?r?ix}&|+yK`bK>Gsp
zCxDrZedYqzfb6^R_#k=p(D!&uQ!zBKGgIT2jO`x8_>JrY#y|P$K^ngf<JWn{H_LOo
z#rWGGo1m}3j`aG`=9~;*jo?GOk4-XmjQstI&!r)7rh%~sPiU;4;$Z{++=V*-YK^fo
zyglY=*OcUfoD+8D0{l-1`!UJISa}ZjJ-W0{u@mLFi<qy&QAKViVxj#b=bYE||9bUM
z<+E46=gUo$g8Nc-2Kr|vXkSkBPHGH1-pwG#UY#gKoHgu0vm9}XdaO#+s}O(bbp82C
zQTGE!TwK45J%}4}|0fXJ#4}nB>vu;38{5?2$5Do(YHZWQ54+Z5eQx0Kj#uOw5ijY!
zSsIx1`Nm#-v|_Aw0Q;&y&#cVVLoWco`MmGhd|rPxk2S<Sc>V=&bK>0J?`~r3hKYu;
zGwjO4uU%-?a!nEQH1USlg?SUu<s2?!5B})~`F`r3c!oJ+`o~`7<J}ZEGaXlD?!6E4
zUucmW4^-veMjLa)x^6y?_wV@=df-fq)}7X1Y)<Y?^vgYP0eU9%cpt0Iy+M6)KZw1>
z0)Fh3z!};<Y?qPq$@-X)W2nC=IXY3DdmZ-jo-iTS?c&`5zINSAdz;n{-1Pq)^sXM-
z{w&r!H?CXf-TR%cInDvr>v`IT<mVN-FFDr@#+;P<NE?`&o6z;=UV^^>_F<Ifi))LS
zjAEO70{BF;;1p}Vll)PCfYCg_5j&+#kPqK;U#8fx_XiLk-6wpUQ(QOK!@k+sZ-Eln
zi~0`QV^qg}GyT)`qf$riH`2k_bWOFw=LLMOHjejBVqRz2&wA-T@I!td5bX(y8TXZy
zQuhU+`y-Do+UJCBqtyMr(0$#bi}pVW-Gx&3mqPcfM;GmH3tif`JWj#?Ma+d^gJ`UV
z^F9DQ;+^y^;(l>K^s|AQ++FCqcs=$iFuHe?@jW=UTVC&SpSUHS-DhjQ**i(k2RAP3
zZ(%Pyv#9$_h_M@++0EykS>!wOrZ#cY;Er9d9YGvN%<nEa>}PlSSktF1>^C1cKk`uE
z^U}WQQ02L9=KsuQ=6m~OKHvYBH|yuV0)H2^OE-n8SnXl>=r+H%qz672YyNaMZ0Q;H
z1MCU%VP-4O;hhflY|8$BY<Av1-0vpd_Y!*lr@}vWgf!C!<C%z^iH6Kw+wS4rY**Kw
zJyhG%e^<|TbH#yZEM~?MiR8zeZdPDo;>#&%hs|Kd>=?Z^HoDSGCStL)xyigXEnWtb
zDSLxy4rYh$UDa{_CTMl69;L2iBAwab!Oa!+XwnXmv*6&z90%ca=H4}q;kr?mLf8(5
zJ32bn2sIW8#*ls(MnuEWkmY>snHR^NF!%KJ?%C4&iL{xBn>%jZZ6=1`e$|lO(a~u}
z<7PH(r_7N=*lu$sDE(wo_@=ayk%QJ?ED_qbB9s~B6nJnmWoNRfI5<dWLm@kz9?HgI
z2jR<^Ur+xIK4*k(_H6C7x(Zs|qD3>!rh~&^>e{q<Xw^fjA6oNJ=O3B(rZd^lzWX^5
zyh?iUeeuMBI6@EGqvo|?hb6{_vhh$RiaA~z#(D+A&Z=CSq<(Fwe)9k%y@wzDZ9YE=
z`Af*7kjwr(pFaV)7xD$j=OJH*JO%kn$j;y8^Hq5Gu9(c{S3<VDm(TBjTzNI0k3sH$
zJOWt*T`JlqcQgO!a&2i<1IHEttHM~F)Y(<Kob+&CVS9mf5Qain07nMcMo20qj(!}+
zfo+3iUDf7O{-^cs&--rw=}%tcpFU(qb9n_i@*8Fu+BB~hfgOQ_UB^=;PaD=xf5L63
z|9KoH=6A)_f5_GU3h*oFe;@OL{kYckl<#TH_s~y%TFuD*mpIOXk1I|;_wN%9=A)1J
zIt`wxP?v>brIhSA@Z%DMq`0Y%Tv2|F3Vo-!za2TKPKp7=fMP%~pcqgLC<YV*iUGxd
zVn8vV7*Gr-1{4E|0mXn~Krx^gPz)#r6a$I@#eiZ!F`yVw3@8Q^1BwB~fMP%~pcqgL
zC<YV*iUGxdVn8vV7*Gr-1{4E|0mXn~Krx^gPz)#r6a$I@#eiZ!F`yVw3@8Q^1BwB~
zfMP%~pcqgLC<YV*iUGxdVn8vV7*Gr-1{4E|0mXn~Krx^gPz)#r6a$I@#eiZ!F`yVw
z3@8Q^1BwB~fMP%~pcqgLC<YV*iUGxdVn8vV7*Gr-1{4E|0mXn~Krx^gPz)#r6a$I@
z#eiZ!F`yVw3@8Q^1BwB~fMP%~pcqgLC<YV*iUGxdVn8vV7*Gr-1{4E|0mXn~Krx^g
zPz)#r6a$I@#eiZ!F`yVw3@8Q^1BwB~fMP%~pcqgLC<YV*iUGxdVn8vV7*Gr-1{4E|
z0mXn~Krx^gPz)#r6a$I@#eiZ!F`yVw3@8Q^1BwB~fMP%~pcqgLC<YV*iUGxdVn8vV
z7*Gr-1{4E|0mXn~Krx^gPz)#r6a$I@#eiZ!F`yVw3@8Q^1BwB~fMP%~@c%Uf6O~SQ
zM}^cxw4WAIwx1B~Dj~<poyr{1URLW=7K`@4RmXCvXqO4OM97HfU*_rm%?J4eL8p99
zhavhW{7$7rw9ktE3eh%1pkf+qk-!%SDTOX7m-3E*aKm;9`}v~3RLFWEJH!Me9ua}a
zdA%&`1uawKzn6FB12<gt1JPb2?DL{6<G3u^KNl096m7|~2<QKrNQ!kBXHEoT^9o%b
z7x*P13ws%pxYUz=yn188e(zkTXO|{t?A0u6pAdxpzmjtFQ4z1s#$L6U{&p8*{o}fI
zUW+uZ3;9_N>ssHPdH8eG{|NI<^|wSqr~Q%U)1excdlxzr4e7saWMjJ<AAc_8^9RmY
zOxyP;d>yvOUe$nafDZX(_XQ>|eAd63nSq>Eqn*(fb)DH<<xh?0^ZlARUBB=rY_&Fk
z{(c-sfcpc#BAp;RvD=M(M`EPQUfNAQX`J4ko(<-T-rMi`n7Qi4w$*K`%+(#M*LJM#
zSkG2s?#`k(oBC(sT8hYPP;w*W{kRqkrg7zZI$xvrF4S44=q_e%Xl0LK2*X$U54c_o
zf9c;q*(fW0o`hENDfIb|q3*k`ehooBBL`@a--yOD%zrOzd^aq_QozRe6@)*5ZeQ!t
zZB)m>d`~WZi0YRJ|BIzmUtFet4FW?S1vr=L{?Fm0FRJ?l#FB3ka6eq@OXeq0pZh}s
z9)zyGbpB&hryG+0t$G@yCII|(W6d)VS_94D#?mNorrn8?v9A1Ch%&8~de-wsjrJ?(
z8XI_Hk@h5RK*r6yVQNp2+D6`3p)Dh|O}x>eeUZG~!W-+f>qu=gZv?d0snN|F+q5uw
z>*0-ES}8Sd<&C}CC&}B^g)c%3Xb+ILZS%i_MntP12e<L4lS{8qV>@pwI-zS1Qgdh7
zKSJ?<b{jQruly{GN43?|xU+Tx8e<wcGIr0s1C7I)P0sglo5!?&CAGWeo`=HY+U?Z1
zf6kYna7^o>hE+d-o+q`Z$-%(lUqGDDK1Fc{d2}bW!=yG?{#UR$rQJYkp#}d2aawzy
zdcr)^aqSMW8RCuaYu~0ur1~+~ysT}d#z@%}*qmklTOmqH7hgfwvKz@;YjxES9O>Uc
zLnpY5HU!06PU{QsKcQZA3+eorYF{G7x9CK(=GuM?!L>`7{&g~;-B5ZvoxW6EPUDvu
z{|h)aHqC?EtdlmInZ612YszTf^`W+$m3|eYY0GMEL96sxxY3ri^7={u+BFV7pVuAy
zF49@<;D1H<atGfJms*2^pW}6o`(LJdW6js0s(%xwIsbx_k7Dyt6uvibV*W$qsj242
zq%}cWzacGtdY5WkOQ)+t|8J!KQ;MRwrV<yPUV~GEzmJfXnrjGY!f8$`PL5s8&oRew
zt*al1nGA-R);)*nOnZ-vdaB9$X~tOz1LypHgO!9bqikzE`6<`;YEVU~@IjV+wTdph
zC(z@g1>q-F@d*r5KEk`6lU;1yXMx5v(*FknX^pskEt_`?T`Au6W2s-uD(;6ySywet
z^d7;SE3)_TT~fiQzn%9l#qH7Qr!{u^8|n3=yh5MTMxA8Gnlk7ujp%c_2%?Bt#hcKo
zSkJvAr@UOEQTR~PC%Oh%^XFltJ!%jvAER{rQqhi|hl9#7XgpfY?Q*foz0_Jt9lqQ^
z-4~$xnA4T4`!BFL;xsZPLvi-0Dq2QgZj|ZIqHF$3I6a`<C*C^f(xajse+jQG)zE*S
zmM?qm<%cWD?*onGOV54(;Y#xSz)Gh%{_uhy2^V|G9;FWsN(Qq-ELgn);pw@PkFW(R
ztDR1|{ZctjO5t>dMQUk4J$LEhl5{G>BBs-P{E>y7!epak!AhbmTI-DZ#>0#)d_nYQ
zWPdVpkR4e1&)nSvG|FfrQ&V2a|A_Yda;(U<IT7)eOZNvV+VRDuVD~*#x3$n9zFe$i
zg!NVOZIMfskn>&j<c%n7IR`J=b$ngrQ}77+LD7y^(@d^w=9?uKsgBukc3nGP^xQy6
zl3g#HjzV`1)2laB-dwr9vafC(p2j|d_0@roxva9WjB5UcE)CppT3BV}EtNXvUed|*
zvJH)zW9-B0a4C=}Z<`ly#G87VruEfn@KfFh$L$!QqD|YpSgKvWxUX*GV(PCn$ky$x
zstySGn6p5;p6gUYr*Oo%*YR*`>NLH&vXW1vv5ef!6QeYi-fXOItePIDmR{TIc%Xc+
z#`3;8ihX_?T!`_nUp!B%Ee$Msh>yCUQlln$UFcL9tDmP`TU}RqOsmXkC3?fs2GXd(
zoBSfdPZ{0{z#-<l<VGIiQa96cD)-@%SvE~A?$*~KuH}t5H7sD)W7Z}N%G^uSI7OVX
zzViCTf1-h43aY6PcfjT;5KBw5ch9JW&y}yby9;AiVOtsajM#^|U(?>Jp2IX0v~Zx(
zfc?kVEjV`J_+uPT<M=8LpVr`;TiJ=4^Lq9oD%$ty^cqh54z0h5n*Ix%{QS*|HoM;s
z$A;0#%6)Pl>(^?=-0eo$5n~zdV%kPyC4_IIVYF{Is)h}%(dg8dwi$Cb8D*c6DjTGV
zQN6>chw&{&%VuMJo6*ufeKtDCU&(D;7bkxkUI=#>H*Ov>jC%}CH_J?;S|2oxwZlfa
zX;f@CZoLPU?M7{LI{`F^Zt`&SjYcE2ZZnobAjXPKM)^JWG;`VB)XwF0W9cU2<F^>)
zt;WZjjPjMn$D57vkKbo#%|_#kM%i{_fn$3&gzxDR(^yi{Xv}LfZrvoOOk?-}K<ImM
z@|U!k5Qb@#LzKeAXfoE6br`jG8#O?*+l)IKjWtdGd+q8*qlb(SlfROtdyJ~>U>Q$9
zO|z`T(2$j3c$+tSR<H5C(3`Cz!Bi-+DVQ4BzpgciW-OY?#Ozi(9*zd%)IAv86icq{
zG+T$w);l_w)pv)LvV&nOnMpA#6bVM-%t}WRsSMq*)6q}b7|j}t#)GMY)=)McvN}4c
zX{9s46nd;I-qY8S4jjS68Vsgw7E8p3O@7M8)6wC$9X9E8J`{|_xDz(C3MTu5DFjvA
zJpy)lA>){xv66{cENvx&=`^#3qPUMHrYAra)=(@sj6M+yheFwu6-vaiBbXTQP$F!H
z_G8dQEKFpk?F<WM5>YXgHLJy3K;%9flyELEtI)n|k|?o;QnsD4(==H&luRMCA$A}V
z4Mn*71F2}ncE~IsZIz2O?$Rt^h9XM`_uCGAc(z#d7G%W|p?zXftC=-|&{;Z@3XLRL
zGG!;N^uc&0VrQZui=Ia0!x^5>8yfq?dZL3oiJ5Kf+p&cWb)uEdgzXgOSP<zNSESDJ
zt|eW|AtcSF;)e4SbLK+p!-tQCZ7Uqi1U){T+4HdWXM%$<TQYBtMl&pRU=+)eJjjOD
zV4#taU=oXgrE$hZ@O*>vjWuGAgrGP@7k60@{%RinY`EC9*?2Z>he4@RS;K;<;r$HG
zX*ZB_XT8O0fTKi;4bjekUTAs?#G-g%8R3`A6!$#LVvO>TGKowu##bqWmw@(2V#IDA
z8N!}Phaz@+GL`s4JCsScckSGTJ=Q*G$3qd~y?r=5Xoc;;>@WlAaXX!E3$gZWI@KPH
zhho_<RN=xwV$s3&;ZUeONOyv@ovqpUzIft5yfqe$XGdFy<Jop63m{Er`f1M`OxnVm
z@L#BuKA2`)r!7Kz2&>;pw}H6R4BJDzlFEiM7Hu}6m2l8#eAodHC@NTPvP0==#wlpy
z4rLA5!Av$~Tful3RAOe%6Aur=-&1sGCX1-)NOL?<6xXNnj&9dFatkuwScn^J0<X>9
zqO%ev^LOq(os}|~_bbH9n9L^@;^j={9SiXaHdgLNoVv~`naq>9dv#XD#$}?^)uFRF
zOy+G}FurZ7**cNWEyU-t&iQV{sq3tUJy{f=$If~aurSeCEtC0Sw>O>DF_{-G#OE`a
zr!2%5umO?BEyNcxncpqM>seByxC-$_$p6mV5IU3DY_~SWzoZZlEuG11cVV~AmK6e1
z`q#{YFP{Z(m<2ay;B<}n**ke}hqG;F?g!_Kr-nW6Sw{z-xsG$;SYy+;DF$-%XYL<j
z^26e};@O|%&xd_0aT%5q|IGdG;4}Ag>xYh8!H#*ZBk5;_Xa9G8sGllk;$y;H0%%bD
zUc6i2yFB_1Z}m*(ou#k4gueWJM&k4hpy5{rxo>H`sW^USUPlMerxm%r=nH}3oG2R4
z%<J?y?q??Mj9bIT<w8M^ii1zb>7b1L0F`3<!O^c~0T2Jqx>Paw9U}ek?-z_BarvE1
z=_KMu=8VRLfs9Au($54c#Dn+K|JMTdrb6U=P0#)9D)fuZOU6Io`F%zDIpOhBg$4aE
zKi=PI<h&M9Zp>8{!w>NwarwBC<DT}6OS$G^<4XNkJo+8ne+~2E6hbjSlvpL6B@d2Y
z#&&Q&@8rGr`MZE4CqLu46A}8}`@h5U%;(_4(D!U9a*V`uas0$A__t=k{{?srt7qew
zoxA)`()U#{xn9RbCoPldRuuK$aeU@;YB_N7FMnr~rfUT*e}|JeWut3c_XmmJ$MJXa
zD<mLf7I>2fqvmIUd$ugs`T_T|h?$=K_GOOOPu-WK%ag!seKYURUlaP?_+OsI|BuLz
zbn22nn+5-^@b7)@>qtHp<MSHe#r&@q`rh^31Kf1QA*+MHi}Cgd;l7#o`J=##jr$b$
zGyOc3*YESQ=)VY@<~8Qohv#R}zr^+5$$Q^WGz?TMo>jA~%ln-F>GukHUQ(F{KeP|M
z`(!c4-^sT)YE$RcLSH`DWXCPQYjNN3Ccb;P{>=S$FUQ}>^N$JX1Tq7h`1krB18%zX
zWcACyi}CP9!hJK}Lr%=1&-R2;nN@8G)`I*nauXJP*<^yl3~&@M&xRbZgZnIG*MY?e
zL*B(6j>h+(j&E~R(-}KuWk#$J(kb{Tv#fB!8jd9f@fjJ;BvNTBm>p%I#7GkP5j)(5
zj7~8PWJ}^vE0{_J4_bCSlft)lDma2~_3X$9KBtk?m}*(j%oM0je{xQJsZ(~MND5*)
z!Gn11AQCS@eAi+w$W(+{WrIr$Gn7EMm@&SLX}*@Vb$8d!E!LLXZ?!D6TppNp>pi!3
z?d<CTjMSI4Wt-65cI$3t_3pT%yK9Ga$JVWTw)9*5UEMpjSoATEOhKS`M_+f3g&)0d
zVw7uew=D}_pdlxbh3rN&KGnIVlO_2_{}clA!f$$4n!yrZ+LVq7IWx9W!T7L^OhW%o
ze74JF?BCf#i`Y*I5RW@of}|ju;Ur^t>cARIr$w+}r-&9M>xj0|Agy*VhNe4yC)wjh
zEZa%d(BANPEX?uI$cO=}LYXqR3nyjbMzH;m|B>mzf-oJ<Wa1DKDXCBd+dmkM6}Tv{
zD$GX>k0eCyk?)adC&SrbDqP^j3a1lR1Stft9UMePv!E9V8=ktbC=<kz*-W~iyC8&u
z<Q>ny{a#&K3(8~_C<+n_7f-O_EZ)=_i?mWf7|x>b%}@jv%a2VauOQle#rGav;xc*Z
zj*zvb4~`%~2boDZG9qj7M8<AI`lxL%8;ylqqhZ#DoR6JKGLA-q=?H5JAB@9;Bau+%
zJ^SrcI+}<VG%WO`>{yTtL@gQ1kVgd8ma#{1=G(F@mEfDS&5nqhR3r>r*<x)xtgi09
zR=Trtd*|Ne*vmSG364ZVh#>*bIJNQN9M>S7wc!>zf;%HZr!*Vv=n4kzH0fp~>%qZ6
zq*i4MX*FBcL6xi$j17i%*Y2Hd!AvF<9n5Cn@c+C}#sR-gPCe~qzDvp$&k%S#6_hr#
z@QONRFY{tjdNUfN>n>~2_$~fN4Ud0bPKk<?^1VWii=W;KN&qeT^py5zMMcUQ(Z(-w
z$h+VtOB___he9gba1bu-C&WNf%Kr-_T`J!A>6bG4A3SL<^LA3M<W}@8;}oeU<^6!^
zfBIxw=J%u||5PY`(vk5KMkR)Wd`o+o2b5C&U!fdd+RORVzkE<%Hx4Q?Unr&gzedto
zh{J0?28=l2KOI8KyrPtH{m{jWj6=2$q2jie`9~?egx5$zA?a62x4q0$N_ih`ZdVDo
z>Qp_7!)-6~nNmugq?tGV&k1|Uzs!3|`7Swk70I83zK9B`NPC$dl`<?9h4hYp(qk|4
zs8X)`J>&l^?A_PD%(qHuigBgzjz5kL`d10MhN#HA>;NS)P`vY%Z7E-Y4&?%+z0BW6
zKBE2Wu%*2x?dA7>QrKS>^QY^FiX2z&qYJ=DMcT`Jz<|hnK2AoiBJHL8Ir`l8GH-n8
zBijF)$6kJCCb?I}CR}4vRgNp+-v~^`FTYE6@!$37f7l9(*Zy5}Q~Vu;YWTh(l+DOU
zJE&tr{W<`NQCpUM!rtrGt4sgs=*7s#mxO)LbNzaCm(ODVewm{w@BcC`ul>qd?5iq2
znmt`#r0JdKvN?|ZKg)#?0XXRNoO@=m|3!_XDZ-H9PjMyv>_G)XB&QTa<#+QOjTTRb
z_xdF*dGB$nnzS$|C#xK^3F2-Xa{tKtBIV0GQ{)CO)54(qXU~8R%Dec9ava6%4>dcQ
KA&-Hl$^HYC<fqX9

literal 76152
zcmeHNeRLevb-%N-W672*%d%|w3u`19>`?UK4~%VWEXg*q!Cx4Wm<BRl?T)04SG$}2
zz%r&F2!|3NrxtJmX$bL2+Qtx0k4utMo07zQG))>#>ljSj7N~4U>XfuG&8Gmf{oOb3
z$+M#shjZGV(?8zxnYr)%-o5wT_j_+<=Uw@Zja#k`83w6h(qEHkP4SR+*)eEe&}pZY
zG=<t}AvMt?^oMaNy`XFhp%X>Pa<54yB-=eK`-5_x)KgN8&eD>7rNr;2d#IA+%|_fg
z*7SL=KYiZwsAN9}gp!t0*>QMmHze(bq@9xIWME3F`SINNO3V2L<wEpvQId7Ju;lBM
zoJUaF=;LCGyQj<59Y4***e+J>bp+*29!yHA@veg%&+nra>7I7V@h0N)fSk9Ik|r^?
zS`5ZCcWt|Y-uS|;_cTAXt@kS}tEwLUgYO>u{`3dVwI<>{t%+E3BA(0-Hb)|vX#a}k
zE!kAd5^q)5m-6>f<7Pb*yY`e?AfKU0b+nsgz!KjDS>w}D)ddsaizmRD+fsg>25#dD
zmdyYfgCN?gamg)F)Z2tsDgRR^!2bcbjVo9_4WN{N2Y4y}%zr7|odACwxQ#1VIsugO
z(=h=~>3l9rX*ZKeWyo=|xkz-66YbyQ^hV+datGr%isVvpbYT-kxj&P01|sn!WpgoD
zQExgEPv&}|5FLy-z42ru5x>=?0e2vp-baz1R3=9Q1Cex*^S*o}6C?J>+i(Sy-ke=q
zHg~RfmbNUpf>d?ca&k6zZ*?%V+ZWH~+)Ve@^@&u{?T+*$T#V5-kV?uZ9Z$8SqNFW^
zU22M*$~FGSZva(eY2e>IK>0bfaXm8p1#H1EJ%&0L13I@ss^|DyqTi&iOU%;`jp?iR
zqbXk)b_IJO8kFxrg})?!F9r*|Gw`fQ{lg+gqM-nOuu7=WfdKx1)PFR9pOX0D0Iu|p
z1aLL(@c^Edeoh7OT7F<q`enb0U$yU*`Ud7z=BbMNK_BjawH)%{lYRQfe0Ze~|A7ye
zp@`lQA71=?dhe?c;u-tNf<?KEpK-Ya!cVmi_y2y*_Tm2D0o#Ymr4@b_`*67x1m5Pu
z{qtJs!{w3-{dONdO(5QFlMh#WlzVpgaR2*amk*!e^RuqWJb8Zq_ntU!(r`CEGtTdS
z?$Gyu9W$L*eQI<LI_HSaP5+>4wEE1tVLMd+YQ1fqR9Ce@2d0PGN2^05`b2vY+Ks;U
z6tp{i?JBf;eC-;v@A9>0q5V}~doJ3~``Qc8KI3aQq8&0WjDHE*jlTA!Xm|SBEok?6
zZU0<L)t!ar$%|;{!~$GDHR;LIX8Y)wCK~=3cpCvP^oy=h6MbP^e_JR#atfEgN4iGa
ziN1BbP^e>06<<M#7tR6NZ4ToT^FRaSI-<9a5p|!2?}it<MkDZX&NQAR@GjOSpx;3B
zqsI5|c)6qU&ifnQ?|A4r=%0aY=ee%Y9$_0Avpv86yJEe6RY9XO;AeNw`c>@)T_MIg
z-ZgqB^hG?&+ed9$_v$}kE;bGA+}&fY`c*~y==uH69}3RpHO%k){_hCCBhzT~G<;hg
zA2sX4Lp#sF-k`fq;0<@;i_A?OjgHi{kJg9juMjJ?9_Bx^cKB8~RvPjQ#yUN%UFh|r
zeH!{Bz-*%XPh$<({u%69mgo1sAYv-K5c=`?{ZpPe|Jl&+NEzZNqoX6dK5uo68U%ma
z33BMfNLl;Q`bzrD!7}Pr^~!Qt4+BR`0xze};Kk9sil}xZY78UZ?ez$>K8&jzSLM*!
zk^4JVA)ZUc91gA>c6ol#eY326G!z;-ap#nwn%&^BNRO@>{v`D9T~b>p7*7-mp(hG;
zbQJH3TFmq4!IOWpvytf1k-DLy^y}MSKK&*QH}=~{FxR7aVNC~rN4Z`<pFZ>X4+`Df
zKN2Nx%<#|&G2Wu~qZi`3YIq&S!#kNjD-Tfny5VIUCt@VTruL)a>df|b!B;04Z!=%*
z;A0;2&+otH32;2j>p!;M^>mcid!!!mfUkoFxMR*=;b+2IGlD#WHN)74jopaVG@q=8
zzjo}4F6I{NN;VC%-uVv@*CNah@$(wlVfd5v%Pd(}Ys9!56MWT*J^X{NQ8E76F5W9Y
z5_^T?LHiRtXY9QOrTeVZJr&SJdyCYarF37Cx~~Ov(e9ACyng<<pFw<L&d0ntpTXRC
z&iJjUJ%fFFTK1D|4F3du+~)nf4gLsvYG3oaxBB_6QGWi_TKT1g=lE-{wI7WVUEV}j
zp8VQtbo5PQ<cgjxJ6^sUe(tuPpL<uBt_xA)eGb+%gf+VRw)TgVkH-BKCp#&8|2hi2
zeW+0A{>qi+$*;oS8RP5~(Mqbh3qCsS7v`>q52B{~I$_K2s2^fqun#+5agrzmdm6L<
z*LB|Si2pYx`1``&SzN@YBxE|{uD0!-eD5chwB5Y6ZSdl@rGxytnoebNs{^>b*d0u}
z(VX2j80q;KYvEj%&3$s2XSj0Erx0@^v9`9hWm1izkpzxSefB`4FCKO9RhxBl_L-rF
z?dvypUB9vG<5@eEw6|>7X{UPOeo3#}*0$V^C+&RJ&DaB}nA;+TqkJ~fhlnrE+WVK>
zw)D1Tf8>Qh`Q)BtYHt!IF?Z0uI3{80%_pO|IDB6mvlFRE%#GQRoPBYc`;B?#m3*G!
z`eUPoLK^aY$h#pgd$&+{6tW-kDadCbk3$}Vd<$~Jdxb*Sz{B-^p|B8g{s)D^2FNv#
zH$hfIhl_FRP6`h$Fy>X(3v4#9g&1QwcXpI5V7<$5rGd3EhQe4ot_Ogvf#hQ2;+OWf
zfNg@Ljw<`h;m6I+heF%lc>QJZ3Bz`SxZZ+}`o@}%_5-+H0mk!!UE7x@J#IN~ye@3G
zpXav{^GYCY^dB}lz8reo2<>|PjVj{)mvG&U`O1D_AG*<Vz%RF7;5rT-Dj`+jSeTzv
zz#mf}W4O4FhvIWK7yeH4f4d4$-!uc70nLDBKr^5j&<tn>Gy|Fe&46Y=GoTsJ3}^;4
z1DXNNfM!55pc&8%Xa+O`ngPv#W<WEb8PE)91~dbj0nLDBKr^5j&<tn>Gy|Fe&46Y=
zGoTsJ3}^;41DXNNfM!55pc&8%Xa+O`ngPv#W<WEb8PE)91~dbj0nLDBKr^5j&<tn>
zGy|Fe&46Y=GoTsJ3}^;41DXNNfM!55pc&8%Xa+O`ngPv#W<WEb8PE)91~dbj0nLDB
zKr^5j&<tn>Gy|Fe&46Y=GoTsJ3}^;41DXNNfM!55pc&8%Xa+O`ngPv#W<WEb8PE)9
z1~dbj0nLDBKr^5j&<tn>Gy|Fe&46Y=GoTsJ3}^;41DXNNfM!55pc&8%Xa+O`ngPv#
zW<WEb8PE)91~dbj0nLDBKr^5j&<tn>Gy|Fe&46Y=GoTsJ3}^;41DXNNfM!55pc&8%
zXa+O`ngPv#W<WEb8PE)91~dbj0nLDBKr^5j&<tn>Gy|Fe&46Y=GoTsJ3}^;41DXNN
zfM!55pc&8%Xa+O`ngPv#W<WEb8PE)91~dbj0nLDBKr^5j&<tn>{$Dd-S9syQG{uvK
zjP^DuRr?;<u9WgrxmTGg+iRwIl{vDVKJQu1lWnO^b7gx__RkOW|K@{2ilM_Hufvl4
zhr?cFl58KB{W5I&oy6sIXtr$6lu`*(R?Zf@_@o=M<wR>`f0>kZQXY|j!fhFdn%AS!
zezMe8<G)w%<^x!$ejwY&<-`iIt>QQ*+lOTTsBEiwN%#M2Vo0vTVe%q4SXJ!$0g0cI
zvbdK>^(*^ee_Gnrs*Ms<2(}f0|5s9u*DvETY3PJQ=Gz@a-N#JlRinRYWi(8~Shu>)
z-0cr?{~Z(>>tEO(JreG3Iufm>;dh}kQlEXgfrfTA-1}rE6mCE2kg?}Z_`1s-I$;1`
z4ITE|wSN6-dvVvc8$M<)xx8g*%MyEO+tL+nOWRh_WeCY5-`h+J<yzmQ_G*Bl-(qW6
zWC-OMe80%-nq|^*saDF|GRo&-2rE>!7yHx-mpuYytGw(%7RIFc=nLP1dgzk6WekO^
z#eizVRy>)b@Ko4@E}aF6U}GJD2pi}QHP73`bzBsBbPm5U!gnzK#d%zxS#JI%1cq(`
zSjF}5Aa3UD86W5RG<Y@V)}~Rf`aT0D)XaIcpXEBg1HwP8WB;>$0>x9-vhpGH8?OSn
zyey788Q0;qa`F?nmm5FCeU+$J8=r&XYEhqUG=Rh_Mcp>G!_gX1Uu=96^|hkjW(>jh
zDp6l)ypH-hQExZygHETYZ!&%jpX)_^hw(V-8$^AVQHlE1v%ZM?ZsSw1-BioH{l;^s
zUnAm7*F6qD*0rKB`=Dtwp}DpEYf#&37^rWn_!B4(8b8PVx|-Fv4;j1AyK~xh)bBD}
z+^-k<pEdY3bHlW6qW50ILjC5cUqbHz<M+5bb>9L0sBt;&yXX8J?gx!3Og|z*I%F(|
ze$V8uL-Vll9O}`TFG1&s@fWDaM0CfDp8@F=^%spzu<ftn<@kZ|I`Dz=ALD+U!v6w;
zNo8|>iJsXnp>8!-O_>d8K8${o;c{MWj&d@uAixJupYj{79pTziR(zgs%$CqTjf&7N
zBlFv=$jd!x1a8Z|RK;Oo>wObAcJ1dOgw0GuC~VeYC!s#4{26pzg4$e~bTdqi>DBYl
zn$!+^V|ufwzrghx5C4X!d-%Vx{tORqgOM>q;9;JMF|+zsK;|8|O?w!(5Yrgq(Lz7L
zjlyBJm{om{wf>y7o?$I<`ySVXmdX3vJi+>T9=WdiIP0IpZC=GpAmsy<ytRM97EB0L
zcOa^S!C)C4v=9>^dZtr#C%Q7C>mu%A{pnQk2*l*pDvob0!y-^7DkPR-ejobFr<hZB
za3}kvi=Kj`vVL<a-g|P`id&&IWtH&q;Fy;;p)5>%H{QCmU_SgCt1Wh?Ui1k#<zhVc
zA8=4P85*mrSRpi=sQe||ub#&pq2b;2o1to~ne27u%6gNuwvven4G)s}1WfEdV@FNK
zA^B#!;QOn17fyviQ;lG9_|)x{?5(MRoteY0+};qDUo5)-aM=lqvYvb|T~cLX40HI<
z9aM9ZRN|Krm$FzkN6j_t-5fr9ds#LUrDoe}-g`$)OscQ(v<VMPON}?;Tekx%=XHJ>
z#&Sb9CNN)Pj-XS$p6`~n#$!|2`<y1RM#KG66K;~`w7!XMa8s71xfNmw!37yp$*fx4
zU|m_Us$%num0%-e(dHQlavD`MlyfaSi&ZK-4LmIisiNYl3bP6i!E#^Ex;bm`rB(*0
ze0782X@_Pba>Lj>!+@X34RG9w5vI(587o(`80+RJ-;3sKp0Q>QD^^+}CZCU~K#ILq
zT_U2KHq%%nY^tTJhO#TIRSlIFoJ~gvR8wJ0H)_g=W=uCOu9{JCz^E8DCYkl~>KU%a
z7g?>GRXKiTFmpsXYldM~RaAHr=dkJoRg#CP6??E4voBDCSH&e5X>J2<^JdZ_OmF_!
z^sH4Ci{|{X0fyMoMa8%WE*Jx`5*$89);{|-VNvfVnn|@=5S$m<qB(xe25+W3Oru}t
zf<MI9gZ*sb<8cq_VZ(T@YAWGp10dl-rG65sbQP{0xbDIAIIeHt3K{jGX%*tTK-``M
zX1vI^m$~;f+)UnQ=D*_>{x810$G0$#Xf3D7A+=e}*@iXkTC4nSYd(d-#v1D~h|n6#
zYQ5H~?6ZspYw?m@mUW|Ln6=MXRc6w*R`gkuZEMQ4)`lBVxz?&_YGq(G3{6|un`^8F
zZe3%|^PEmuYfZlK#wLqpt7SA=4bNKT*IKi@-fa+}$0ym=+(`}A^cKsy%3AjKR?R1@
zYVN<rx~{=m*7)J=ss?L4E8hh#)}+Q8t;)5CJrn|sj+5%`b#jC+G<*HhWx<a$yLljz
ziT1CJWCm_o*&IPL5zplkZnK+=#Un}X?uoBWq*pAroBQnM?QP_2-tJ`FNX$v+GUP=2
zBk?3T+5S`}$1k63{8ksEIZhs5SSz^(b#ypAk*rIJRI<+&w|p`i?@PKdn?J;&kwn7j
z%_pPOy96c|w7AphjpNOcx-c#x1DJ^PWyhQgD4NeW(NrQofOs%yG!=8Bx4=G?h%pCQ
zSB14~sf-I#-{WEuB6>s^-IGuAB%I!i>t@_62Tr}|48rK8z5VfMzwo>_6VJKc^n2pT
zNM@gi-Dz9mpy_0DkxY(+OS@>698@-Pi|bM0BvR2mavn>`89=m@b~Bk2;(?+!hL~46
z<K7}^MhBb8@UPyyWg}&CF<21~eIb%%zDT^KSh1Xqya{J1l1s&DEI2sN$bbdmJbXOn
zI<ZJD5^(HIQG|6%F4B{56|?SOJV%+mgP=XVk9wD3w1I(08XE!BdxOKR*f(M)47dYP
zD2{O=To%n?shGn=xW}@SPv*034E%YOWfaNu-6FhttLbsw%L|U4=!KO{#PLHoAolJU
z+aj=1M2aACsazx>)+L7@vey38fZICIi>;82_Ped=OzP8aG?#7d*t!E-r?tmTM*ErW
z*1lMe6LWj=eFU15ZZ_KzrPh2l(;81k6Zsfa;le`_@t)ScXtXuLkK~Hw&H3b>WNL4+
zIT26h2b=qn`Bv|UrA){BY0d3RyV9HVU#yhfmnEUo($8B5>)p&xYSL@Q++I=1<fA!<
zx0lpPc@pt?-SK1}Dp+8)BkE|vE#l%$;q<zZTt4GEkz@=^Vq)I=9G?jvQcP&2OQ@JQ
zKJuq`u$W|y<x%{7CeCase^QKFr1C7q_#{&Kh+@2qR34)kFDI2BDaI$0%A*wHQ%L2L
zigEn1Pxd2T-6VW}sl<=3+oY+a@=!h)EL731X?{fcnMSedQg}5TD~V61Q`1Z7*O1D0
z`Fl;8K`PHxjMtLNyA<OyDJ}C-#rP~z`Kn^Pj&@`1gT+Mlt5m+mB$b^jwlK%CazR{W
z?}GUJVnDV`x@ZD?!322y1h_p8=jS6#?-YU^-u4*3AG|O0YI-HGjvhXK9eH~gI6tZN
zwdFvb{`mdFOnz8A%LDt9{e`e^6|VA(Ui{<tzlV?C&&?k??i4zUZ(@H@el`X6KYtK@
zSp2&K@wY>t;}7DU5<d{o_js!#m1l#RC^z8FepJ3$!s6@J@a<b(Z!Vsn@z2p-^cf|d
zFaGvr|0=J|KDc;(#y_V|qR*i5xTjxDXG`v%@z2)};inXzo}Vh(9pK+vmr7D!*c>Al
z@nw!^6|Rnn{ISmS3Lb$~oSOpgrJq5+R6J_jA)E;PMfo`t@WVNq5Azeu7khqY(`$&<
zUqV<=USEZWWv3eVSYTYv4wf2M>Aw=tpCkO^c@N+`OesH$pwE0N9z4IuEeb#H6oT*P
ztAHb`Gw%1|I;kIgZ+kqC|NZKNehs?{lzkK6pPK;Zq+KaLM}SvT9R>68$5}sANou_w
zljFY)+z!OT&2MA*Z1~w7SjRHp>|f>mm1(`igTFgh2z>nWvQgmg6c#H7Qho|}V*umk
zAn+1POOFaavuPv{=Y0aN8}~an47?^Z{=Ld+vuf<mpdU`tmg1R{o6JLypJNga^7GFV
z`1!5W53X0WS$bXSftTW84dbEl@7vA5OU3_(!q0`@HT68kC(z#qoad|lo}-rNA%VYB
z2!0VfHGv=gGejw#j|zV96w2Qbk+8rZ&kFzJ*X2by?m`ual&?$u;6D7hh^KN~dh$Pk
zGjBotcY)gh-`t!BqDt{u%Xnz~@A%va^y&I&Cby&|MGFUMAr9&ep9*r3J^~yEEYA9S
z-N+sX*-c<c#*jO3`{K##QO9W()ojkqIJp5Qid+EBGmaBWIem##4^CjQTq=`wBKbjz
zrUudpH|NG$kd-K<fz&}V?nE+~$UetS<}x^#W+DSP*yaZYaQ4J8f2`#|GgqW~;j}h(
zti6z@KwxeJ>4pf-eh50dFBxrC4I$yLH-)$`HJl!KVvck5&W^1cosHWzI1XAq59DmP
zaa+gM&FcXpPvdOdBy~4!*hx;;mhGJ#Tb%7zUw!??Zl}AWbIV4Dyz_H=*Otwl>mB^n
z?F!-(xWDZ<IIcy#bOa9m@#I+NvgI<<FowXq_}uF|d^_?q>hL7J89SLsvd_gayL&5+
zwrah)x31^a>gKdSz@0B`P;|!k@)Y8D?et``GFY%vLW?s?Oxs|Dmo<_=(;vT=2k|40
z>m@LF6Tp!DV<d3T*^eSck?D|$o8qB89%QnCHIRIX_G9lx;)x;`r2-a-Ajjz&NXe{_
zSoaG~`tp%XtjLQK%ch)uoSng7qz5UrqFy8_#F5?MoCl@zxolB)Q3(EARPmH#53|V`
znj#mHpkf2bfk*$?D#_%DgH=~snzuvg&A<<rN~HM*q?YWy0pyV&a~V(et6DOZb6b$}
zXz9tv6S3xaj9QSWa5HHVXn!QzPc5;1NqF!i(vhO)7B`cPr;<et2Yneg5n%&aODA&d
z5rMVj+(F#MK55CM#I9*^`{nDQKL%UXq81TWN9X2dey0h0@2%n4t2%~>48)^|AqCI4
zwTR(7*Wi#^@bVhKI|-q4ZU}b#NCEen{Ps}wNKX$kfU1RDkgMvTN>v%g?m)X^=hl`;
zE|-b-<a2QNKP`Mx#-A+4zCu)<M#<ps6n++pN()-}6dSWw`5YyKCvn#GmlbII7XMcS
zKck`?mK7z{@3R^=a7?6jSmA4RZ2aTWUda(TApVYmd<y<hgo_LR!G_BwT#S#6F9%Zj
zq~EcUuLR@Yfj<7fFv?!#o0L@Fi7I}jr{vAB=l@%y+A1%lB>U&W@w1MKpD`{8T<lxf
ztNfLc>i_qs@s+)rKmYFu?(4+GMdi7awB>|ZXBMuY{SYu#5r52qRQWI^)%u}J6cvYR
z??=UNKbAN14kGxjEiQp$t@yi9k-a+4OSy)L^ObgAovRPv^4qICoRW$sWfqM8L20k}
zSNS?6r?7KhQT!?BPf=kNWv}vjO5UUtr3{XLC}4j~5~L*m{|0{vj{h_|{m;M3BPnV7
zjZqJde+(EO$@v-LqVkF9^IkhRo@y)k64W@wpzKxNaquJBpMov#J!P-XzeCdgoSeVf
z25MZjk50puRg}Ft52t0uZV-L`qU@FAe1+d$<vY)QMEhR`?03tZuv>V=`O!Z(>S|mC
zbDo1S6~8(UoRaoI{owk&3tNuA4VS+t`-$G)Y{SJwMb$mTyZ=g}LBB!WnhETi#9xYu
z-c<`Hod@j~OkjUenWy=ifI*;1mrY<_GuhMZ4HyKPv{Kp!=Q$`J{7<Nb3B<4bte?RC
zANfD8p;Rcv3GA;&KZZ!l?lJLNm1nqc4Dl+#^=B>h?kQ5`L>9_f{&7WV#MO;U?I-nK
k<kxgyia=mD*RyX94CtXkMcg<iP|AL0y{8!s7zCR1-+dIML;wH)

diff --git a/benchmark/gdb_debug/harness.c b/benchmark/gdb_debug/harness.c
index c9a2633..951be17 100644
--- a/benchmark/gdb_debug/harness.c
+++ b/benchmark/gdb_debug/harness.c
@@ -1,10 +1,21 @@
-/* Generic harness for single-stepping one of the benchmark functions under GDB.
+/* Generic harness for single-stepping benchmark functions under GDB.
  * Copies the raw bytes of funcNN.bin into an RWX buffer and calls through
  * a function pointer. GDB stepi from the call site drops you right into the
  * target function's first instruction. No QEMU needed — boltzmann is aarch64.
  *
- * Build: run `make` in this dir (native aarch64 only, for now).
- * Run:   ./gdb_debug.elf {1|2|3}    (1=memset 2=memcpy32 3=magic_memset)
+ * Build: run `make` in this dir.
+ * Run:
+ *   ./gdb_debug.elf 1   — memset
+ *   ./gdb_debug.elf 2   — memcpy32
+ *   ./gdb_debug.elf 3   — magic_memset (will SIGSEGV unless 0x1fe000 is mapped)
+ *   ./gdb_debug.elf 4   — train_phy_block; mmaps a synthetic PHY block at
+ *                         FAKE_PHY_BASE pre-populated with "training-done"
+ *                         responses so all 4 polls exit on first iteration.
+ *   ./gdb_debug.elf 4 stuck
+ *                       — train_phy_block but with MMIO left at zero so the
+ *                         polls would loop forever (interrupt with Ctrl+C).
+ *                         Useful for confirming v3fb trampolines time out
+ *                         cleanly when applied to a patched func_04.bin.
  *
  * Under GDB: see README.md.
  */
@@ -17,10 +28,12 @@
 extern uint8_t _binary_func_01_bin_start[], _binary_func_01_bin_end[];
 extern uint8_t _binary_func_02_bin_start[], _binary_func_02_bin_end[];
 extern uint8_t _binary_func_03_bin_start[], _binary_func_03_bin_end[];
+extern uint8_t _binary_func_04_bin_start[], _binary_func_04_bin_end[];
 
 typedef void (*f1_t)(void *, uint8_t, uint64_t);
 typedef void (*f2_t)(uint32_t *, const uint32_t *, uint64_t);
 typedef void (*f3_t)(void);
+typedef void (*f4_t)(uint64_t /* ctx pointer */);
 
 static void *rwx_copy(const void *src, size_t len) {
     void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
@@ -31,8 +44,54 @@ static void *rwx_copy(const void *src, size_t len) {
     return p;
 }
 
+/* For function 4 (train_phy_block) we need a synthetic PHY block.
+ * The function does:  base = *(u64 *)(ctx + 0xb8); base += 0x8000; ...
+ * So we need (a) a ctx struct with a valid base pointer at +0xb8,
+ *            (b) a PHY block at base + 0x8000 with the right register layout.
+ *
+ * We pick FAKE_PHY_BASE so PHY block (at +0x8000) lands somewhere mappable.
+ * 0x40000000 is well outside libc / stack / heap on aarch64 Linux.
+ */
+#define FAKE_PHY_BASE   0x40000000UL   /* requested via mmap MAP_FIXED */
+#define FAKE_PHY_LEN    0x10000        /* 64 KiB = enough for [+0x8000..+0x8200] */
+
+#define PHY_CTL_OFF        0x110
+#define PHY_STAT_A_OFF     0x118
+#define PHY_STAT_B_OFF     0x120
+#define PHY_CFG_A_OFF      0x154
+#define PHY_CFG_B_OFF      0x160
+#define PHY_HANDSHAKE_OFF  0x184
+
+struct phy_ctx {
+    uint8_t pad[0xB8];
+    uint64_t base;   /* lives at offset 0xB8 */
+};
+
+static struct phy_ctx ctx;
+
+static void prep_synthetic_phy(int let_polls_pass) {
+    void *m = mmap((void *)FAKE_PHY_BASE, FAKE_PHY_LEN,
+                   PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+    if (m == MAP_FAILED) { perror("mmap synthetic PHY"); exit(1); }
+    memset(m, 0, FAKE_PHY_LEN);
+
+    ctx.base = FAKE_PHY_BASE;        /* ctx->base read by func at +0xB8 */
+    volatile uint8_t *phy = (volatile uint8_t *)(FAKE_PHY_BASE + 0x8000);
+
+    if (let_polls_pass) {
+        /* Pre-populate the registers the function polls so each LDR
+         * sees a "done" value on the first iteration. */
+        *(volatile uint32_t *)(phy + PHY_STAT_A_OFF)    = 0xF0000001U;  /* bits[31:28] non-zero */
+        *(volatile uint32_t *)(phy + PHY_STAT_B_OFF)    = 0xF0000001U;
+        *(volatile uint32_t *)(phy + PHY_HANDSHAKE_OFF) = 0x00000003U;  /* bits[1:0] non-zero */
+    }
+    printf("synthetic PHY mapped at 0x%lx, polls = %s\n",
+           (unsigned long)m, let_polls_pass ? "PASS" : "STUCK (will loop)");
+}
+
 static void __attribute__((noinline))
-call_func(void (*fn)(void), int which) {
+call_func(void (*fn)(void), int which, int variant) {
     switch (which) {
     case 1: {
         char buf[64] = {0};
@@ -52,12 +111,25 @@ call_func(void (*fn)(void), int which) {
         printf("calling magic_memset — SIGSEGVs on LDR of 0x1fe004 in user mode.\n");
         ((f3_t)fn)();
         break;
+    case 4: {
+        prep_synthetic_phy(variant);
+        printf("calling train_phy_block(ctx)\n");
+        ((f4_t)fn)((uint64_t)&ctx);
+        printf("train_phy_block returned successfully.\n");
+        volatile uint8_t *phy = (volatile uint8_t *)(FAKE_PHY_BASE + 0x8000);
+        printf("post: CTL=0x%08x  CFG_A=0x%08x  CFG_B=0x%08x\n",
+               *(volatile uint32_t *)(phy + PHY_CTL_OFF),
+               *(volatile uint32_t *)(phy + PHY_CFG_A_OFF),
+               *(volatile uint32_t *)(phy + PHY_CFG_B_OFF));
+        break;
+    }
     }
 }
 
 int main(int argc, char **argv) {
-    if (argc != 2) { fprintf(stderr, "usage: %s {1|2|3}\n", argv[0]); return 2; }
+    if (argc < 2) { fprintf(stderr, "usage: %s {1|2|3|4} [stuck]\n", argv[0]); return 2; }
     int which = atoi(argv[1]);
+    int variant = (argc >= 3 && strcmp(argv[2], "stuck") == 0) ? 0 : 1;
     void (*fn)(void);
     switch (which) {
     case 1: fn = rwx_copy(_binary_func_01_bin_start,
@@ -66,9 +138,11 @@ int main(int argc, char **argv) {
                           _binary_func_02_bin_end - _binary_func_02_bin_start); break;
     case 3: fn = rwx_copy(_binary_func_03_bin_start,
                           _binary_func_03_bin_end - _binary_func_03_bin_start); break;
+    case 4: fn = rwx_copy(_binary_func_04_bin_start,
+                          _binary_func_04_bin_end - _binary_func_04_bin_start); break;
     default: fprintf(stderr, "unknown index %d\n", which); return 2;
     }
     printf("function %d loaded at %p\n", which, fn);
-    call_func(fn, which);
+    call_func(fn, which, variant);
     return 0;
 }