rk3588-ddr-analysis

Author	SHA1	Message	Date
test0r	05d0d8edd5	patch_timeouts v2: counted-loop trampolines instead of NOPs v1 NOP approach was WRONG — removed the poll entirely, proceeding with stale/incomplete register values. ZQ cal, DFI handshake, and PHY mailbox all require actual polling until the hardware responds. v2 uses trampoline functions appended to the binary: - Each poll site jumps to a trampoline that retries with a W16 counter - 16384 iterations (~91us at 1.8GHz) before timeout - On timeout, returns with condition NOT met (hits existing error path) - On success, returns normally (original behavior preserved) - W16 (IP0) used as counter — caller-saved, not used by poll loop bodies 35 poll loops patched, 13 non-poll backward branches left intact. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-11 21:31:38 +02:00
test0r	5e1414fc28	Diary: sandbox 90% done, piclaudeio idea	2026-04-04 00:45:13 +02:00
test0r	1326b3f847	Diary: keyboard pct13x2 found in vendor DTS	2026-04-04 00:08:37 +02:00
test0r	b8efa8f742	OEM eDP analysis: force-hpd, power domains, clock parents	2026-04-03 23:48:00 +02:00
test0r	2a8e5ff714	Diary: eDP analysis - power domain issue	2026-04-03 23:39:11 +02:00
test0r	0389063b52	Diary: deep dive, DDRC direct addresses, retry loop Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 23:24:18 +02:00
test0r	815e890056	Deep trace: 3606 unique PCs, 30% code coverage with smart injection Aggressive MMIO injection (try 0xFFFFFFFF, then 0, then 0x2) breaks through all poll loops. Blob executes 19963 instructions visiting 3606 unique PCs before jumping to unmapped memory (0x100000FFF). Key findings: - DDRC channels at 0xF7000000/0xF8000000 (not 0xFE01 as in TRM - these are the direct DDRC addresses, not the MSCH wrapper) - Blob reads training params from internal data at 0x000154xx - 30% code path coverage achieved Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 23:20:03 +02:00
test0r	a93ce6c3e9	Add instrumented MMIO tracer and first trace Unicorn-based tracer captures every MMIO read/write with PC and instruction count. First trace of trampoline blob: 19 MMIO accesses in 200K instructions. Boot sequence: PMU_GRF read -> SRAM flag -> SRAM self-register -> BUS_GRF QoS -> DDRC reset -> SCRU PLL config -> BUS_GRF route -> polls Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 23:16:32 +02:00
test0r	d8f31784cb	Add project diary - the full journey from decompilation to bricking to recovery Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 23:15:06 +02:00
test0r	cd4d01fd69	Add trampoline patcher v5 - counted loop timeouts for all 45 polls Each poll loop branches to an appended trampoline that: - Initializes w18 = 0x20000 (128K iterations) - Copies the original loop body (LDR + condition check) - Decrements w18, retries until timeout - Falls through on timeout (no hang) QEMU verified: original stuck at 0x10350, trampoline progresses through all polls. Blob grows from 76704 to 78068 bytes (+1364 bytes trampoline section). NOT YET TESTED ON REAL HARDWARE - the NOP approach bricked the GenBook. This counted approach preserves the poll loops with a safety timeout. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 23:10:13 +02:00
test0r	d68ad1a59c	Add UART capture script, Makefile, updated README with prerequisites Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 13:41:50 +02:00
test0r	816848a474	RK3588 DDR init blob reverse engineering - Ghidra decompilation of v1.02-v1.19 blobs (118 functions) - 53 functions renamed, 79 MMIO registers mapped to TRM - 45 timeout-less poll loops identified and patched - Production patcher (patch_prod.py) and QEMU emulator - Comprehensive analysis, frequency tables, community research Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 13:06:47 +02:00

12 Commits