rk3588-ddr-analysis

marfrit/rk3588-ddr-analysis

Fork 0

Commit Graph

Author	SHA1	Message	Date
marfrit	4166f81768	regs + POLL_SITE_MAP: TRM §2.4.3 register names for low-offset polls Sibling went back into the TRM and found §2.4.3 'Registers Summary For DDRPHY' which I'd missed — it names almost every PHY PUB register we'd been calling 'RE guess': +0x110 = DDRPHY_CAL_RD_VWML0 (Read Valid Window Margin Left Code 0) +0x120 = DDRPHY_CAL_RD_VWMR0 (Read Valid Window Margin Right Code 0) +0x160 = DDRPHY_CAL_CON5 (Calibration Control 5: wrtrn_cyc_mode/en/th) +0x684 = DDRPHY_PRBS_CON0 (PRBS Training Control — was 'CalBusy') +0xa24 = DDRPHY_SCHD_TRAIN_CON0 (MASTER training scheduler; full bit map in the TRM — every training type + per-rank) +0xb88 = DDRPHY_DQSDUTY_CON2 (DQS rise-duty monitor — was 'UctShadow') SCHD_TRAIN_CON0 is the master — the blob selects a training type via its enable bits and polls bit[1] phy_train_done. Four of our 16 poll sites are almost certainly polling this bit across different training stages. Still reserved in TRM: +0x118, +0x154, +0x184 — training-engine private FSMs. Only dynamic tracing can name these. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 08:59:34 +02:00
marfrit	e30127d056	BUG_ANALYSIS + regs_annotated.h: TRM-canonical names for poll-site regs Per RK3588 TRM Part 2 chapter 2 (DMC, 522 pages): +0x10080 = DDRCTL_MRCTRL0 (Mode Register Control, was MicroReset) +0x10090 = DDRCTL_MRSTAT (MR Status mr_wr_busy, was MicroContMuxSel) +0x10514 = DDRCTL_DFISTAT (DFI Status dfi_init_complete, was UctWriteProtShadow) These are uMCTL2 controller registers — Rockchip-documented — NOT the opaque PHY firmware scratch regs our 2026-04 analysis guessed. Poll semantics now vendor-grounded: wait for MR command roundtrip, wait for PHY-side DFI handshake. Low-offset polls in train_phy_block (0x110, 0x118, 0x120, 0x154, 0x160, 0x184) plus the 0x684/0xa24/0xb88 ones remain DWC PUB and thus undocumented; kept the best-effort RE names with `(RE)` tag in the BUG_ANALYSIS table so a reader can tell which ones are vendor-canonical and which are guesses. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 08:38:49 +02:00
test0r	816848a474	RK3588 DDR init blob reverse engineering - Ghidra decompilation of v1.02-v1.19 blobs (118 functions) - 53 functions renamed, 79 MMIO registers mapped to TRM - 45 timeout-less poll loops identified and patched - Production patcher (patch_prod.py) and QEMU emulator - Comprehensive analysis, frequency tables, community research Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 13:06:47 +02:00

Author

SHA1

Message

Date

marfrit

4166f81768

regs + POLL_SITE_MAP: TRM §2.4.3 register names for low-offset polls

Sibling went back into the TRM and found §2.4.3 'Registers Summary
For DDRPHY' which I'd missed — it names almost every PHY PUB register
we'd been calling 'RE guess':

  +0x110 = DDRPHY_CAL_RD_VWML0     (Read Valid Window Margin Left Code 0)
  +0x120 = DDRPHY_CAL_RD_VWMR0     (Read Valid Window Margin Right Code 0)
  +0x160 = DDRPHY_CAL_CON5         (Calibration Control 5: wrtrn_cyc_mode/en/th)
  +0x684 = DDRPHY_PRBS_CON0        (PRBS Training Control — was 'CalBusy')
  +0xa24 = DDRPHY_SCHD_TRAIN_CON0  (MASTER training scheduler; full bit map
                                    in the TRM — every training type + per-rank)
  +0xb88 = DDRPHY_DQSDUTY_CON2     (DQS rise-duty monitor — was 'UctShadow')

SCHD_TRAIN_CON0 is the master — the blob selects a training type via
its enable bits and polls bit[1] phy_train_done. Four of our 16 poll
sites are almost certainly polling this bit across different training
stages.

Still reserved in TRM: +0x118, +0x154, +0x184 — training-engine
private FSMs. Only dynamic tracing can name these.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-15 08:59:34 +02:00

marfrit

e30127d056

BUG_ANALYSIS + regs_annotated.h: TRM-canonical names for poll-site regs

Per RK3588 TRM Part 2 chapter 2 (DMC, 522 pages):
  +0x10080 = DDRCTL_MRCTRL0   (Mode Register Control, was MicroReset)
  +0x10090 = DDRCTL_MRSTAT    (MR Status mr_wr_busy, was MicroContMuxSel)
  +0x10514 = DDRCTL_DFISTAT   (DFI Status dfi_init_complete, was UctWriteProtShadow)

These are uMCTL2 controller registers — Rockchip-documented — NOT the
opaque PHY firmware scratch regs our 2026-04 analysis guessed. Poll
semantics now vendor-grounded: wait for MR command roundtrip, wait
for PHY-side DFI handshake.

Low-offset polls in train_phy_block (0x110, 0x118, 0x120, 0x154, 0x160,
0x184) plus the 0x684/0xa24/0xb88 ones remain DWC PUB and thus
undocumented; kept the best-effort RE names with `(RE)` tag in the
BUG_ANALYSIS table so a reader can tell which ones are vendor-canonical
and which are guesses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-15 08:38:49 +02:00

test0r

816848a474

RK3588 DDR init blob reverse engineering

- Ghidra decompilation of v1.02-v1.19 blobs (118 functions)
- 53 functions renamed, 79 MMIO registers mapped to TRM
- 45 timeout-less poll loops identified and patched
- Production patcher (patch_prod.py) and QEMU emulator
- Comprehensive analysis, frequency tables, community research

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-03 13:06:47 +02:00

3 Commits