rk3588-ddr-analysis

marfrit/rk3588-ddr-analysis

Fork 0

Commit Graph

Author	SHA1	Message	Date
test0r	e20563e2ef	blob_emu: sysreg skip + UART capture -> real DDR banner emulated Two extensions that finally get the emu producing useful output: 1. Catch UC_ERR_EXCEPTION on MSR/MRS access, decode the instruction, stub the destination register to 0 (for MRS) or silently accept (for MSR), advance PC, resume. Opaque sysregs the blob touches (CNTFRQ_EL0 etc.) no longer halt the emu. 2. Map UART2 (0xFEB50000), hook writes to THR (offset 0), collect printable bytes. Stub LSR (+0x14 = 0x60 THRE\|TEMT) and USR (+0x7C = 0x02 TFE) in ABS_STUB so the blob\|s putc polling loops resolve. Result: stock AND patched v3fb blob each emit the full 52-byte cold-boot banner under stub=0x00 -- DDR ff1a08bde6 typ 25/04/21-14:31.26,fwver: v1.19 -- byte-identical to what comes out of the GenBook\|s real UART. Under stub=0xFF both progress further, also identically: DDR ff1a08bde6 typ 25/04/21-14:31.26,fwver: v1.19 pd/pu vd_ddr Patched matches stock in both stub regimes. That\|s the regression gate we wanted: a patcher change that breaks the DDR blob\|s visible behavior now shows up as banner-divergence before any hardware flash.	2026-04-15 16:05:45 +02:00
test0r	2bec08a868	blob_emu: position-correct load + integrity-check pass + lazy mmap The blob is position-dependent: entry code at 0x14-0x1c does (return_addr & 0xFFFFFF00) == 0xFF001000 to validate the caller. Previously we loaded at 0x0, so the check could never pass and emu hung at 0x1c forever. Fixed: load blob at 0xFF001000 (bootrom TPL slot), map SRAM window 0xFF000000..0xFF100000, let x30 point at RET_STUB outside the window. Emu now runs through the integrity check, the first ~120 instructions of entry dispatch, and stops at blob+0x10A80 on an MSR/MRS sysreg access Unicorn doesn\|t model -- the same depth ddr_emu2.c (C version) historically reached. Stock and patched (--sites all) behave identically under both --stub 0x00 and 0xFF. That\|s the regression gate: any future patch that crashes in the pre-sysreg segment will diverge. Also added catch-all UC_HOOK_MEM_UNMAPPED with lazy 64KB page-map + stub fallback so unknown MMIO targets don\|t crash the emu before we know about them.	2026-04-15 15:33:49 +02:00
test0r	ba133803f7	blob_emu: phase-2 Unicorn harness, constant-byte MMIO stubs Executes a raw DDR blob in AArch64 Unicorn with configurable stub byte (--stub 0x00 / 0xFF) returned for every MMIO read. Intent: gate real-hardware flashing behind "blob doesn\|t crash the emu under either stubbing regime." Validated against rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin (stock) and patch_timeouts_v3.py --sites all output: both reach max_pc=0xe0 and HALT cleanly via the return stub at RET_STUB, identical under 0x00 and 0xFF stubs. Phase 2 of test harness task #31. Phase 1 (spi_check.py, structural RKNS validation) committed earlier.	2026-04-15 15:20:33 +02:00

Author

SHA1

Message

Date

test0r

e20563e2ef

blob_emu: sysreg skip + UART capture -> real DDR banner emulated

Two extensions that finally get the emu producing useful output:

 1. Catch UC_ERR_EXCEPTION on MSR/MRS access, decode the instruction,
    stub the destination register to 0 (for MRS) or silently accept
    (for MSR), advance PC, resume. Opaque sysregs the blob touches
    (CNTFRQ_EL0 etc.) no longer halt the emu.

 2. Map UART2 (0xFEB50000), hook writes to THR (offset 0), collect
    printable bytes. Stub LSR (+0x14 = 0x60 THRE|TEMT) and USR (+0x7C
    = 0x02 TFE) in ABS_STUB so the blob|s putc polling loops resolve.

Result: stock AND patched v3fb blob each emit the full 52-byte
cold-boot banner under stub=0x00 --

  DDR ff1a08bde6 typ 25/04/21-14:31.26,fwver: v1.19

-- byte-identical to what comes out of the GenBook|s real UART.
Under stub=0xFF both progress further, also identically:

  DDR ff1a08bde6 typ 25/04/21-14:31.26,fwver: v1.19
  pd/pu vd_ddr

Patched matches stock in both stub regimes. That|s the regression
gate we wanted: a patcher change that breaks the DDR blob|s visible
behavior now shows up as banner-divergence before any hardware flash.

2026-04-15 16:05:45 +02:00

test0r

2bec08a868

blob_emu: position-correct load + integrity-check pass + lazy mmap

The blob is position-dependent: entry code at 0x14-0x1c does
(return_addr & 0xFFFFFF00) == 0xFF001000 to validate the caller.
Previously we loaded at 0x0, so the check could never pass and
emu hung at 0x1c forever.

Fixed: load blob at 0xFF001000 (bootrom TPL slot), map SRAM
window 0xFF000000..0xFF100000, let x30 point at RET_STUB outside
the window. Emu now runs through the integrity check, the first
~120 instructions of entry dispatch, and stops at blob+0x10A80
on an MSR/MRS sysreg access Unicorn doesn|t model -- the same
depth ddr_emu2.c (C version) historically reached.

Stock and patched (--sites all) behave identically under both
--stub 0x00 and 0xFF. That|s the regression gate: any future
patch that crashes in the pre-sysreg segment will diverge.

Also added catch-all UC_HOOK_MEM_UNMAPPED with lazy 64KB
page-map + stub fallback so unknown MMIO targets don|t crash
the emu before we know about them.

2026-04-15 15:33:49 +02:00

test0r

ba133803f7

blob_emu: phase-2 Unicorn harness, constant-byte MMIO stubs

Executes a raw DDR blob in AArch64 Unicorn with configurable stub
byte (--stub 0x00 / 0xFF) returned for every MMIO read. Intent:
gate real-hardware flashing behind "blob doesn|t crash the emu
under either stubbing regime."

Validated against rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin
(stock) and patch_timeouts_v3.py --sites all output: both reach
max_pc=0xe0 and HALT cleanly via the return stub at RET_STUB,
identical under 0x00 and 0xFF stubs.

Phase 2 of test harness task #31. Phase 1 (spi_check.py,
structural RKNS validation) committed earlier.

2026-04-15 15:20:33 +02:00

3 Commits