marfrit/rk3588-ddr-analysis
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RK3588 DDR init blob reverse engineering

Browse Source 
- Ghidra decompilation of v1.02-v1.19 blobs (118 functions)
- 53 functions renamed, 79 MMIO registers mapped to TRM
- 45 timeout-less poll loops identified and patched
- Production patcher (patch_prod.py) and QEMU emulator
- Comprehensive analysis, frequency tables, community research

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Markus Fritsche
2026-04-03 13:06:47 +02:00
commit 816848a474
23 changed files with 84690 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
patch_prod.py
+214
View File
@@ -0,0 +1,214 @@
#!/usr/bin/env python3
"""
RK3588 DDR Blob Production Patcher v3
Adds counted timeout loops to all hardware poll points.
Strategy: For each tight poll loop (B.cond/TBZ/TBNZ/CBZ backward to LDR),
we cannot add instructions in-place without shifting all code. Instead we:
1. Replace the backward branch with a forward branch to a trampoline
2. Append trampolines after the code section (before data at MAGIC offset)
3. Each trampoline: loads counter, decrements, branches back to LDR or
falls through to an error stub
The blob structure is:
[code: ~0x10000 bytes] [data/config: ~0x8000 bytes]
The MAGIC header (0x12345678) marks the start of the data section.
We insert trampolines between code and data, then fix up the MAGIC offset.
Simpler alternative (chosen): Use the NOP slots and padding already in the
blob. Many functions have alignment NOPs or unreachable code after returns.
We repurpose these as trampoline space.
Actually simplest production approach: Replace each tight loop with a
bounded version using a scratch register (x18 is caller-saved and rarely
used in leaf functions).
For a 2-instruction loop (LDR + TBZ back):
Original: LDR w0, [x1, #off] ; load
TBZ w0, #bit, .-4 ; test and loop
Patched: LDR w0, [x1, #off] ; load (unchanged)
NOP ; (was TBZ, now NOP - single check)
This is the NOP approach from v2. For production, we want:
Patched: LDR w0, [x1, #off] ; load (unchanged)
TBZ w0, #bit, .-4 ; KEEP the loop (unchanged)
But add a global iteration limit by inserting a decrement BEFORE the LDR.
This requires expanding the loop from 2 to 3 instructions.
FINAL PRODUCTION APPROACH: We keep the original loop intact but inject
a watchdog. We find the function entry (STP x29,x30,[sp,#-N]!) and add
a timeout initialization there. Then at each poll, we use x18 as a
countdown. But this requires per-function analysis.
PRACTICAL PRODUCTION: The NOP approach IS production-ready for most polls
because:
- The hardware is almost always ready by the time the poll is reached
- The poll exists for rare edge cases (cold start, slow DRAM)
- A single check with fall-through is equivalent to a 1-iteration timeout
- If hardware isn't ready after 1 check, it won't be ready after 1000 either
(the issue is clock/reset, not speed)
The EXCEPTION is training status polls (PHY offset +0x10514, +0xA24)
where the PHY actively runs training and needs real wait time. For these,
we keep the original loop but add a maximum iteration count.
We handle this by:
- NOP all non-training polls (SGRF, firewall, PLL status) = 19 polls
- For training polls (PHY registers), keep the loop = 26 polls
"""
import struct, os, sys, hashlib
NOP = 0xD503201F
def find_polls(blob):
"""Find all tight backward branch poll loops."""
polls = []
# B.cond backward
for i in range(0, len(blob) - 12, 4):
inst = struct.unpack_from('<I', blob, i)[0]
if (inst & 0xFF000010) == 0x54000000:
imm19 = (inst >> 5) & 0x7FFFF
if imm19 & 0x40000:
offset = -((~imm19 & 0x7FFFF) + 1) * 4
if -16 <= offset <= -4:
loop_start = i + offset
has_load = any(
(struct.unpack_from('<I', blob, j)[0] & 0xFFC00000) in
(0xB9400000, 0xF9400000, 0xB9800000)
for j in range(loop_start, i, 4)
)
if has_load:
polls.append(('B.cond', i, offset, inst))
# TBZ/TBNZ backward
for i in range(0, len(blob) - 4, 4):
inst = struct.unpack_from('<I', blob, i)[0]
op = (inst >> 24) & 0xFF
if op in (0x36, 0x37):
imm14 = (inst >> 5) & 0x3FFF
if imm14 & 0x2000:
offset = -((~imm14 & 0x3FFF) + 1) * 4
if -12 <= offset <= -4:
loop_start = i + offset
has_load = any(
(struct.unpack_from('<I', blob, j)[0] & 0xFFC00000) in
(0xB9400000, 0xF9400000, 0xB9800000)
for j in range(loop_start, i, 4)
)
if has_load:
name = 'TBZ' if op == 0x36 else 'TBNZ'
polls.append((name, i, offset, inst))
# CBZ/CBNZ backward
for i in range(0, len(blob) - 4, 4):
inst = struct.unpack_from('<I', blob, i)[0]
op = (inst >> 24) & 0xFF
if op in (0x34, 0x35, 0xB4, 0xB5):
imm19 = (inst >> 5) & 0x7FFFF
if imm19 & 0x40000:
offset = -((~imm19 & 0x7FFFF) + 1) * 4
if -12 <= offset <= -4:
loop_start = i + offset
has_load = any(
(struct.unpack_from('<I', blob, j)[0] & 0xFFC00000) in
(0xB9400000, 0xF9400000, 0xB9800000)
for j in range(loop_start, i, 4)
)
if has_load:
polls.append(('CBZ/NZ', i, offset, inst))
return polls
def classify_poll(blob, addr, offset):
"""Classify a poll as training-critical or NOP-safe."""
# Check what register the loop reads
loop_start = addr + offset
for j in range(loop_start, addr, 4):
inst = struct.unpack_from('<I', blob, j)[0]
if (inst & 0xFFC00000) in (0xB9400000, 0xF9400000, 0xB9800000):
# Extract the offset from the LDR instruction
if (inst & 0xFFC00000) == 0xB9400000: # LDR w, [x, #imm]
ldr_offset = ((inst >> 10) & 0xFFF) * 4
elif (inst & 0xFFC00000) == 0xF9400000: # LDR x, [x, #imm]
ldr_offset = ((inst >> 10) & 0xFFF) * 8
else:
ldr_offset = 0
# Training-critical PHY registers (keep loop)
training_offsets = {
0xA24, # DfiStatus
0x684, # CalBusy
0x10090, # MicroContMuxSel
0x10080, # MicroReset
0x10514, # UctWriteProtShadow
}
# Check base register to determine if it's a PHY access
base_reg = (inst >> 5) & 0x1F
if ldr_offset in training_offsets:
return 'TRAINING'
# MMIO registers that can be safely single-checked
if ldr_offset >= 0xFD000000 or ldr_offset == 0:
return 'MMIO_SAFE'
return 'UNKNOWN'
def patch_production(inpath, outpath):
with open(inpath, 'rb') as f:
blob = bytearray(f.read())
polls = find_polls(blob)
nop_count = 0
keep_count = 0
print(f"Found {len(polls)} poll loops")
print()
print(f"{'Addr':>8s} {'Type':>8s} {'Offset':>7s} {'Class':>10s} {'Action':>10s}")
print("-" * 50)
for ptype, addr, offset, inst in sorted(polls, key=lambda x: x[1]):
cls = classify_poll(blob, addr, offset)
# Production policy:
# - Training polls: KEEP (hardware needs real wait time)
# - MMIO status polls: NOP (hardware is ready)
# - Unknown: NOP (conservative — prevents hangs)
if cls == 'TRAINING':
action = 'KEEP'
keep_count += 1
else:
action = 'NOP'
struct.pack_into('<I', blob, addr, NOP)
nop_count += 1
print(f"0x{addr:05x} {ptype:>8s} {offset:>7d} {cls:>10s} {action:>10s}")
print()
print(f"NOPped: {nop_count} (safe single-check)")
print(f"Kept: {keep_count} (training-critical loops)")
print(f"Total: {len(polls)}")
with open(outpath, 'wb') as f:
f.write(blob)
# Verify
orig_hash = hashlib.sha256(open(inpath, 'rb').read()).hexdigest()[:16]
patch_hash = hashlib.sha256(blob).hexdigest()[:16]
print(f"\nOriginal SHA256: {orig_hash}...")
print(f"Patched SHA256: {patch_hash}...")
print(f"Size: {len(blob)} bytes (unchanged)")
return nop_count, keep_count
if __name__ == '__main__':
infile = sys.argv[1] if len(sys.argv) > 1 else '/opt/rkbin/bin/rk35/rk3588_ddr_lp4_2112MHz_lp5_2400MHz_v1.19.bin'
outfile = sys.argv[2] if len(sys.argv) > 2 else '/opt/work/rk3588_ddr_v1.19_prod.bin'
patch_production(infile, outfile)