2 Commits

Author SHA1 Message Date
marfrit e30127d056 BUG_ANALYSIS + regs_annotated.h: TRM-canonical names for poll-site regs
Per RK3588 TRM Part 2 chapter 2 (DMC, 522 pages):
  +0x10080 = DDRCTL_MRCTRL0   (Mode Register Control, was MicroReset)
  +0x10090 = DDRCTL_MRSTAT    (MR Status mr_wr_busy, was MicroContMuxSel)
  +0x10514 = DDRCTL_DFISTAT   (DFI Status dfi_init_complete, was UctWriteProtShadow)

These are uMCTL2 controller registers — Rockchip-documented — NOT the
opaque PHY firmware scratch regs our 2026-04 analysis guessed. Poll
semantics now vendor-grounded: wait for MR command roundtrip, wait
for PHY-side DFI handshake.

Low-offset polls in train_phy_block (0x110, 0x118, 0x120, 0x154, 0x160,
0x184) plus the 0x684/0xa24/0xb88 ones remain DWC PUB and thus
undocumented; kept the best-effort RE names with `(RE)` tag in the
BUG_ANALYSIS table so a reader can tell which ones are vendor-canonical
and which are guesses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 08:38:49 +02:00

test0r 816848a474 RK3588 DDR init blob reverse engineering
- Ghidra decompilation of v1.02-v1.19 blobs (118 functions)
- 53 functions renamed, 79 MMIO registers mapped to TRM
- 45 timeout-less poll loops identified and patched
- Production patcher (patch_prod.py) and QEMU emulator
- Comprehensive analysis, frequency tables, community research

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:06:47 +02:00