nicolas17 has quit [Quit: Konversation terminated!]
balrog has quit [Quit: Bye]
balrog has joined #asahi-re
Ariadne has quit [Read error: Connection reset by peer]
Ariadne has joined #asahi-re
<eaxk[m]>
<rqou_> "marcan: where does it make sense..." <- Does it work
<kode54>
eaxk[m]: it's a user space python script, I think
<kode54>
so it's only an example of what a regular driver needs to do
<eaxk[m]>
got it thanks
<rqou_>
yup, userspace python proof of concept / demonstration
<rqou_>
very much from the "unclean" side of the clean-room RE process as well
<rqou_>
somebody would need to write a real linux kernel-mode driver in C that complies with upstream conventions based on it
<rqou_>
i'm probably not a good choice for that because my sweng skills are weaker than my RE skills, and i am not familiar with linux kernel conventions at all
<rqou_>
but yes, it does "work"
<rqou_>
i could successfully OBEX files to my phone and play audio via A2DP
<marcan>
I think that belongs in its own repo, we don't really have a place for that
<rqou_>
fair enough, i'll just keep it on my github
<marcan>
if you had written as a m1n1 script that exposes the HCI on the host side that would've 1) been hilarious, and 2) fit in proxyclient/ :)
<marcan>
*written it
<rqou_>
trying to figure out how to init pcie from m1n1 seemed hard
<marcan>
yeah, I should write that up TBH
<chadmed_>
m1n1 control over bluetooth when :P
<marcan>
not the first time I've wanted it
<rqou_>
not sure if that would have been more or less hilarious than seeing `def interrupt_handler()` in python
<rqou_>
anyways, i'm not opposed to writing a proper driver for the bluetooth myself, but it would need people (i.e. marcan) to be okay with it from an IP/copyright perspective, and also I would need a lot of guidance on kernel/upstream conventions (never having done any of that myself)
<rqou_>
otherwise it is very likely that i driver i would write would end up with problems such as "that dril tweet"-style "PCIe ring buffers: MAstered. firmware loading:This ones hard"
<marcan>
I'd have to take a look re the IP perspective, but you seem to be pretty prolific at reversing the hardware so feel free to keep doing that, that is very helpful :)
<rqou_>
er, i also worked at broadcom a long time ago (not on anything related to wifi/bt chips, but still)
<marcan>
heh
<rqou_>
on top of having thrown tons of macos into ghidra
<marcan>
I mean, sven interned at Apple a long time ago
<rqou_>
lol ok
<rqou_>
guess that's fine then
<marcan>
if the work wasn't related and/or it's so long ago it's irrelevant and any NDAs are expired, it doesn't matter
<rqou_>
i have banned myself from ever touching the broadcom 1570 facetimehd driver because i saw the internal datasheet for it
<marcan>
it'd be different if you'd worked on these particular subsystems recently, of course
<marcan>
that's reasonable, yeah
<rqou_>
also the RE'd driver for that probably has lots of stuff copied from macos
<marcan>
yeah, that kind of thing is what we're trying to avoid...
<marcan>
generally, I always said we can't do textbook cleanroom because that's just too much overhead and we can't easily construct the documentation wall with the people we have (and it's not a legal requirement anyway, that's a myth)
<marcan>
*but* certainly, if folks come by and like to stick on one side of that wall, we'll certainly go with it and it helps
<rqou_>
yeah i'm pretty familiar with how the wall works (at least under US law)
<rqou_>
i find i'm much better at RE though
<marcan>
so if you enjoy doing the RE bit and writing PoCs and want to leave the kernel munging to others, that's encouraged and having a split between two people, even if not a strict documentation wall, still increases our legal defense in case anything happens
<marcan>
I was pretty happy with your JPEG stuff; I haven't looked at BT but from the sound of it there's enough shared concepts with WiFi that it sounds unlikely that we'd carry infringing stuff over across the layers from your PoC to a Linux driver (as long as whoever does the Linux side knows what they're doing with all this)
<marcan>
if anything there's going to be copypasta from *brcmfmac*, not from your PoC
<rqou_>
possibly
<rqou_>
btw bluetooth will need to be added to the firmware munging installer script
<rqou_>
but i don't understand the details of how that works
<rqou_>
it uses the same island codenames though
<marcan>
we need to first understand how firmware selection happens in macOS, i.e. what hardware IDs we need to pick one
<rqou_>
yeah idk it's controlled somewhere in userspace i think
<rqou_>
far from anything i looked at
<marcan>
this is why I added the last minute "package all the raw firmwares tarball" thing to the installer
<rqou_>
i just copied the files i needed for my own hardware
<marcan>
I'll ship a userspace tool to re-run the firmware extraction from linux and update it
<marcan>
so existing users need to do nothing
<rqou_>
you also need a calibration blob from the ADT
<rqou_>
which is submitted over HCI commands
<rqou_>
dunno how that should be handled
<marcan>
no surprise there either, we need to forward that into the DT in m1n1
<marcan>
I also suspect we're missing something along those lines for WiFi, since people report worse performance under Linux even though we use the same firmware/txcal/clm blobs
<rqou_>
i mean, there's a "wifi-calibration-msf" whatever that is
<rqou_>
i had assumed that you had sorted that out already
<marcan>
we aren't using that one yet :)
<marcan>
need to figure out how it gets sent
<rqou_>
ah
<rqou_>
btw bluetooth has two calibration blobs, but i don't know why one is different from the other or how they're chosen
<rqou_>
which is also fun
<marcan>
heh
<marcan>
IIRC that wifical stuff was in OTP on the T2s, so it makes sense that apple put it in the ADT on these since it seems they've stopped using OTP for anything device-specific
<marcan>
just need to figure out how it gets sent over
<rqou_>
i wonder if the seemoo people know?
<rqou_>
some of their stuff has been vaguely helpful for overall big picture understanding, but it's all a bit dated / not quite looking at the same areas
<marcan>
ah wait, I'm dumb, I do have brcm,cal-blob implemented already
<marcan>
m1n1 just doesn't pass it through yet :D
<marcan>
or does it?
<marcan>
wait it does
<marcan>
damn my memory is crap lol
<marcan>
so yeah, I guess we do pass that through if I'm not mistaken
<marcan>
(haven't touched wifi since january)
<marcan>
too many things inside my head lately...
<rqou_>
yeah, bluetooth needs bluetooth-taurus-calibration-bf
<rqou_>
i have no idea why it's not using bluetooth-taurus-calibration
<marcan>
see src/kboot.c:561
<marcan>
so anyway, bluetooth would be identical to that
<rqou_>
oh yeah i see that
<rqou_>
does that actually get uploaded properly?
<marcan>
it should
<marcan>
grep for "calload" in the asahi branch brcmfmac source
<rqou_>
fwiw i never noticed any issues with wifi
<marcan>
it does *work* but some people have reported worse performance than macos in identical situations
<marcan>
I need to do a controlled test myself and see
<rqou_>
anyways, since this is the -re channel where cursed stuff can be discussed, i ran `strings` on the camera firmware a while back and suspect that some of the information from the `facetimehd` driver carries over
<rqou_>
at least the command names are the same
<marcan>
like the ISP firmware?
<rqou_>
yeah
<marcan>
huuh
<marcan>
like high level commands?
<rqou_>
yeah
<rqou_>
the facetimehd chip on older macbooks is mostly non-broadcom IP, broadcom only did the pcie and ram
<rqou_>
even the internal datasheet was missing everything else
<marcan>
what cpu did that use? some arm?
<rqou_>
yeah
<rqou_>
if you actually load the REd facetimehd driver it prints the ISP boot log to dmesg
<marcan>
oh it literally has a thing called isp too, heh
<rqou_>
[3110795.099343] FWMSG: Tool-chain : iPhone OS - 7.0.3 [clang/clang++]
<rqou_>
so yeah, it runs a 32-bit ARM of some kind
<rqou_>
basically all apple stuff, even though everyone out there thinks it's a "broadcom webcam chip"
<marcan>
sounds like they probably ported the actual processing into RTKit then
<rqou_>
yeah
<marcan>
ISP is a 64-bit chinook or so, so definitely not a direct transfer
<marcan>
but they've done this with lots of other copros
<rqou_>
i wonder if the old facetimehd chip was some kind of test of putting apple custom IP into a macbook?
<marcan>
I wouldn't call it a test, they've been doing this over time with everything
<rqou_>
iirc the T1 touchbar macs were next
<marcan>
but now broadcom+pcie is starting to sound like this bluetooth thing :p
<marcan>
apple platforms increasingly have more and more custom silicon
<rqou_>
yeah, having seen the (mostly empty) internal datasheet for the old webcam is a big part of why i suspected the bluetooth pcie is custom
<marcan>
like the jack codec on the new macs, unclear if CS will release a public equivalent or not but so far it's pretty different from existing public ones
<marcan>
their PMUs are by Dialog but also quite custom, e.g. the RTC is totally different
<marcan>
Broadcom is out making custom wifi/bt chips for them
<marcan>
their NAND flash chips are off the shelf flash + custom controller dies, running 64-bit chinooks again (yes really, every flash chip in these things has a 64-bit ARM)
<rqou_>
yup, saw your tweets about that
<marcan>
also their display TCONs are custom AIUI and have been for a while (though related to public ones)
<rqou_>
btw the bluetooth has a _ton_ of vendor-specific commands
<rqou_>
btw marcan have you had a chance to take a look at my t8110 dart code for m1n1?
<rqou_>
feel free to yell at me for doing a huge copypasta
<rqou_>
the code itself is basically all m1n1 code, but i got a bunch of register names and bit positions by dumping the DWARF data from the KDK
<rqou_>
e.g. that's how i figured out that bit1 of the PTE is probably "uncacheable"
<jannau>
rqou_: is there a reason why it's no integrated into dart.py? it probably uses the same pte format as dart-t6000 are
<rqou_>
reason? yes. good reason? probably not
<rqou_>
i duplicated the code before i was sure about the page table format (and suspected it had additional page table levels)
<rqou_>
i then realized it didn't, at least not in the t600x
<rqou_>
also i ended up removing the L0 logic because t8110 obviously didn't have it, and afterwards i was lazy and didn't want to figure out the appropriate place to stick if statements to unify the code
alexsv has quit [Ping timeout: 480 seconds]
<rqou_>
especially since the original dart code wasn't particularly well parameterized over device type
<sven>
might make sense to integrate it into dart.py
<sven>
proxyclient is deliberately full of hacks but at least merging the dart variants into a single file should be doable :D
the_lanetly_052___ has joined #asahi-re
boardwalk has quit [Quit: Ping timeout (120 seconds)]
boardwalk has joined #asahi-re
the_lanetly_052__ has quit [Ping timeout: 480 seconds]
<marcan>
yeah
boardwalk has quit [Quit: Ping timeout (120 seconds)]
boardwalk has joined #asahi-re
user982492 has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zopieux has joined #asahi-re
r_rei[m] has joined #asahi-re
the_lanetly_052___ has quit [Remote host closed the connection]
the_lanetly_052___ has joined #asahi-re
millenialhacker has joined #asahi-re
jakebot has joined #asahi-re
PhilippvK has quit [Quit: No Ping reply in 180 seconds.]
phiologe has joined #asahi-re
millenialhacker has quit [Quit: Konversation terminated!]
millenialhacker has joined #asahi-re
the_lanetly_052___ has quit [Remote host closed the connection]
the_lanetly_052___ has joined #asahi-re
kameks has joined #asahi-re
Shiz has joined #asahi-re
xet7 has joined #asahi-re
Shiz has quit [Ping timeout: 480 seconds]
robinp has quit [Remote host closed the connection]
kameks has quit [Ping timeout: 480 seconds]
willow[m]1 has joined #asahi-re
yuyichao_ has quit [Ping timeout: 480 seconds]
bisko has joined #asahi-re
xet7 has quit [Remote host closed the connection]
bisko has quit []
yuyichao_ has joined #asahi-re
bisko has joined #asahi-re
bisko has quit []
millenialhacker has quit [Quit: Konversation terminated!]
alexsv has joined #asahi-re
roxfan2 has joined #asahi-re
roxfan has quit [Ping timeout: 480 seconds]
millenialhacker has joined #asahi-re
millenialhacker has quit []
bisko has joined #asahi-re
bisko has quit []
bisko has joined #asahi-re
bisko has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]