jakebot has quit [Quit: Ping timeout (120 seconds)]
jakebot has joined #asahi-dev
jakebot has quit [Ping timeout: 480 seconds]
dost^ has joined #asahi-dev
jakebot has joined #asahi-dev
Raqbit has quit [Ping timeout: 480 seconds]
Raqbit has joined #asahi-dev
dost^ has quit [Ping timeout: 480 seconds]
dost^ has joined #asahi-dev
PhilippvK has joined #asahi-dev
phiologe has quit [Ping timeout: 480 seconds]
derzahl has quit [Ping timeout: 480 seconds]
winter has quit [Remote host closed the connection]
winter has joined #asahi-dev
conradev has quit [Quit: -]
conradev has joined #asahi-dev
derzahl has joined #asahi-dev
derzahl has quit [Ping timeout: 480 seconds]
bps has joined #asahi-dev
the_lanetly_052 has joined #asahi-dev
jluthra has quit [Remote host closed the connection]
jluthra has joined #asahi-dev
millenialhacker has joined #asahi-dev
<millenialhacker>
A fun story about Apple ISP. The IO IPC channel is used to send commands to ISP, that channel is 8 bytes wide, so they put the IOVA address of the CMD struct which is apparently 8 bytes wide too, but they never change the Address, they mostly use the same iova address and replace the contents of memory. Here's a couple of sessions I traced today: https://gist.github.com/kellermanrivero/c92aec82d59d6d0a4d27b3381d1038b7
<millenialhacker>
The weird stuff is: Apple sometimes uses IOVA address X and sometimes it uses X + 1
<Jamie[m]>
oh wtf
<millenialhacker>
It's quite weird, maybe a bug? As long as ISP uses the address no matter if it is X or X+1, it will work, but I wonder why they have that little offset changing for some specific commands
<millenialhacker>
I still have no idea what those commands do, but after two samples, command stream looks quite the same in both samples.
<millenialhacker>
I'm learning a lot with this stuff btw
the_lanetly_052__ has joined #asahi-dev
the_lanetly_052 has quit [Ping timeout: 480 seconds]
the_lanetly_052__ has quit [Ping timeout: 480 seconds]
<povik>
the bottom bit could be a flag of some sorts, exploiting the fact that the address is always 4-aligned which frees the bottom two bits for auxiliary signalling
<Jamie[m]>
maybe it signifies thumb vs regular-arm ISP command struct encoding ;)
<povik>
that goes in hand with the fact that the x+1 messages have their first non-zero byte at an offset in comparison to the x+0
<povik>
so you should actually always be reading the address clearing the bottom bits
<_jannau_>
marcan: do you have time this week to add mac studio support to the installer? there's little left I can do
<marcan>
I think so
<marcan>
let me see if I can give it a shot tomorrow
<millenialhacker>
@povik, do you mean iova & 0xffffff00?
<povik>
yup
<povik>
wait no
<Jamie[m]>
no less
<marcan>
0x..fffc
<marcan>
for 4-byte alignment
<millenialhacker>
@povik, do you mean iova & 0xfffffffc?
<millenialhacker>
xD
<povik>
yeah
<millenialhacker>
I wonder how I can guess what those commands do, any suggestion beside doing static RE on Apple KEXT?
dost^ has quit [Remote host closed the connection]
dost^ has joined #asahi-dev
<millenialhacker>
btw, @povik and others thanks!
dost^ has quit [Ping timeout: 480 seconds]
kov has joined #asahi-dev
the_lanetly_052 has joined #asahi-dev
<yuni>
millenialhacker: Because addresses are aligned, it's common not to store the bottom bits.
<yuni>
Depending on the required alignment, that could be up to 6 bits that aren't stored and are assumed to be zero.
<yuni>
Then, where you would otherwise have those zero bits, other pieces of data can be squeezed in.
<yuni>
Like the type of data that's being pointed to, or the length (itself divided by a power-of-two, only storing the high bits), or so on.
<yuni>
As Jamie[m] correctly jokes, this scheme is used for instruction pointers on certain Arm CPUs.
<yuni>
Where the bottom bit distinguishes the Thumb encoding from the regular encoding.
<yuni>
The idea is also frequently used in page tables.
Guest489 is now known as svenpeter[m]
Gaspare has joined #asahi-dev
<millenialhacker>
Ty Yuni
millenialhacker has quit [Quit: Konversation terminated!]
dost^ has joined #asahi-dev
dost^ has quit [Remote host closed the connection]
Gaspare has quit [Quit: Gaspare]
Gaspare has joined #asahi-dev
kaprests has quit [autokilled: Possible botnet activity. Mail support@oftc.net with questions. (2022-05-23 14:49:59)]
kaprests has joined #asahi-dev
derzahl has joined #asahi-dev
the_lanetly_052 has quit [Remote host closed the connection]
nicolas17 has joined #asahi-dev
Gaspare has quit [Quit: Gaspare]
<j`ey>
in the adt, what section does clock-gates = [n] refer to? aka where do I look to see which n it is
<_jannau_>
pmgr, see src/pmgr.c
<j`ey>
thanks
Gaspare has joined #asahi-dev
Gaspare has quit [Quit: Gaspare]
<j`ey>
hm, still SErrors after adding power-domains
<_jannau_>
which device?
<j`ey>
fpwm0
<j`ey>
I added both ps_fpwm0 and ps_psm_fpwm0
<_jannau_>
using it from linux or m1n1?
<j`ey>
linux
<svenpeter[m]>
note that drivers that use more than one domain need special support
<_jannau_>
you could try adding ps_pmp
<svenpeter[m]>
the core only handles a single domain automatically
<j`ey>
I also just tried adding always-on to the ps_fpwm0 and ps_psm_fpwm0 nodes
<j`ey>
I don't know which it actually needs yet, in the ADT it only has one thing in the clock-gates array
<svenpeter[m]>
that’s the one it should need
<j`ey>
(just trying a big hammer to get it working)
<svenpeter[m]>
does it work from m1n1?
<j`ey>
yeah
<j`ey>
(ok, I found the id in the adt, it's just ps_fpwm0)
<_jannau_>
does it have notify_pmp in dump_pmgr?
<j`ey>
notify_pmp = False
<j`ey>
let me try removing the pms* power domain I added
<_jannau_>
last resort is removing power-domains and pmgr from the device tree
<j`ey>
that's a huge hammer!
<j`ey>
_jannau_: seems like that helped actually, just commented out all the fpwm/pms_fpwm pmgr nodes
<j`ey>
adding them all back, and making them all always-on works too
<povik>
it first picks up region start/size at aop[2]+0x224/+0x228
<povik>
then reads the whole region and writes it back with those changes ^^
freefiree has joined #asahi-dev
jokerface has joined #asahi-dev
<jokerface>
Please join my new channel on libera.chat if you like safari browser. The name of the channel of course is #safari
caef^ has quit [Remote host closed the connection]
<jannau>
akick #asahi ADD jokerface
jokerface was banned on #asahi-dev by ChanServ [*!~jokerface@85.194.207.61]
jokerface was kicked from #asahi-dev by ChanServ [You are not permitted on this channel]
nicolas17 has quit [Ping timeout: 480 seconds]
nicolas17 has joined #asahi-dev
freefiree has quit [autokilled: Please do not spam on IRC. Email support@oftc.net with questions. (2022-05-23 17:47:17)]
<povik>
ha... and of course if i re-do the patching *and* fix a bug in setting up DAPF entries, AOP finally boots
<j`ey>
what's this used for?
<povik>
AOP? it stands at the gate for microphones
<j`ey>
oh
<jn>
always-on processor?
<povik>
yes, never misses a word you are saying :-p
<povik>
(actually not always on through)
<povik>
*though
<nicolas17>
j`ey: the AOP is "always on" as in "even when the main CPU is in deep sleep" (that aspect is mostly relevant on mobile I guess)
<j`ey>
nicolas17: yeah, I was just wondering why povik was looking at it!
<nicolas17>
afaik a bunch of peripherals such as the microphone are hard-wired to the AOP, so you *have* to go through the AOP to get microphone on asahi
<povik>
not really though ;)
<povik>
bypassing the AOP is a path i haven't ruled out
<povik>
still, bringing up the AOP is useful even if for R/E only
<nicolas17>
povik: oh definitely
<nicolas17>
didn't know you can bypass it
<nicolas17>
ah I think audio on recent Intel Macs always goes through the T2, maybe I was mixing up with that
<svenpeter[m]>
povik: huh, interesting. I saw some section in the ANS firmware that very much looked as if it was supposed to be patched by iboot to pass some arguments iirc
millenialhacker has joined #asahi-dev
<povik>
nicolas17: you can access its peripherals, some of which we already know (ADMAC, MCA) because the AP has its own copy of them
<povik>
svenpeter[m]: yeah, here it looks like the arguments are obligatory...
<svenpeter[m]>
i think the same is true for ANS, but iboot has done that for us already
<povik>
ah
<povik>
makes sense (ANS is for NVME right?)
<svenpeter[m]>
yeah
<nicolas17>
I think there's *something* that is exclusively AOP?
<nicolas17>
maybe it's motion sensors and idk if Mac even has those
<povik>
wait those weird looking numbers in the argument section could be apple's favorite four-character keys
<povik>
nicolas17: it does have those and they are connected to AOP's SPI master IIRC
<povik>
but we can access that one directly from AP too (if it isn't special, which is unlikely)
bisko has quit [Ping timeout: 480 seconds]
<povik>
i guess they are four-char-keys, not that i like having to make sense of it: https://tpaste.us/8b46
Gaspare has quit [Quit: Gaspare]
bisko has joined #asahi-dev
<povik>
and macos seems to patch p0CE, laCn and tPOA