ChanServ changed the topic of #asahi-re to: Asahi Linux: porting Linux to Apple Silicon macs | Hardware / boot process / firmware interface reverse engineering | WARNING: this channel (only) may contain binary reverse engineering discussion | RE policy: https://alx.sh/re (MANDATORY READ) | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Logs: https://alx.sh/l/asahi-re
<rqou_>
is there an easy way in m1n1 to see whether or not there are IRQs pending (for the AP)?
<rqou_>
i think i have most of the AVD Cortex-M3 mailbox-and-related stuff figured out
<rqou_>
also, unless i'm reading it wrong, apple once again managed to Think Different on this firmware
<rqou_>
afaict you queue commands by poking them into the MMIO registers (on the AP) that correspond to the cortex-m data space (at 0x10000000) and then writing the address to a mailbox
<rqou_>
but not the address from the m3's perspective, the address relative to the beginning of the hardware ip's range of addresses
<rqou_>
and then the firmware adds a magic offset to make it work out
<rqou_>
also, i confirmed that you can run arbitrary code on the m3, no signing etc.
<rqou_>
(needed this to work out some IRQ stuff on the m3 side, also i'm cheekily naming this terrible hack "m1cro")
<j`ey>
I don't see anything obvious in linux for AIC either for checking if an interrupt is pending
<Jamie[m]>
ah crap giving you the notes totally slipped my mind rqou_
<Jamie[m]>
and yeah i agree with that assessment of the mailbox
<Jamie[m]>
it's a pretty messy interface, macos hardcodes the offset of the memory region in the m3 which it knows is free for writing those mailbox messages to
<Jamie[m]>
it's not even aligned to anything more than word size, just a random blob in the middle of its memory
<Jamie[m]>
rqou_: shared my notes with you on github
<Jamie[m]>
github's renderer doesn't include single newlines so you might wanna view it as plain text
<Jamie[m]>
they start out comprehensible and devolve into random ravings and big lists of numbers
<Jamie[m]>
also i just git hard reset over my m1n1 experiments
<Jamie[m]>
sigh
<_jannau_>
git reflog if those were at least committed
<Jamie[m]>
nah staged
<Jamie[m]>
so they exist as dangling files i can access in gc
<Jamie[m]>
but should be easier to recover the whole directory from my backups
<Jamie[m]>
s/in gc/in fsck/
<Jamie[m]>
i gotta untrain myself from using hard-reset when i wanna change what commit a branch is pointing to lol
<Jamie[m]>
rqou_: if you were looking at the kext to grab the firmware, I assume you also noticed the tunables structures which include register names?
<Jamie[m]>
alright m1n1 shared as well
<Jamie[m]>
and now i know my backups work :)
<Jamie[m]>
in trace_avd_new.py i'm dumping out the entire DART-mapped ranges before and after each frame
<Jamie[m]>
then in proxyclient/experiments/avd.py I'm replaying register interactions and overwriting the memory contents with those dumps
<Jamie[m]>
and iirc confirmed that it was successfully producing a picture in memory
<Jamie[m]>
my plan was then to start messing around with offsets in what i think my notes refer to as "the cool zone"
<Jamie[m]>
dart stream 1, which has big 0xbc000-size descriptors for each frame
<Jamie[m]>
to figure out the pointers to the different blocks of data in dart stream 0
<Jamie[m]>
(which is where the actual video data is read and written)
<Jamie[m]>
once I understood those, I was gonna go back a level and mess around with offsets from the 0x60-byte mailbox messages into the cool zone descriptors, to figure out the relationships between those pointers as well
<Jamie[m]>
oh my code is on the prores branch in my m1n1 repo btw
<Jamie[m]>
(it was a fork of your m1n1 which added t8110 dart support for prores)
<rqou_>
Jamie[m]: thanks. what you have so far looks consistent with what i've got, but rn i'm focusing down a bit on the M3<->AP interface to make sure the fine details are understood
<rqou_>
e.g. there's actually four mailboxes, but you'd never know that by just tracing and copying macos
<rqou_>
btw, if you have any idea how to clear the overflow error flag on the mailbox, i'd be interested (no matter what i poke it doesn't seem to go away)
<rqou_>
also i'm definitely just randomly guessing about this, but i think dart stream 2 is for DRM
<rqou_>
the kext has symbol names that contain "ADS" near symbol names referencing FairPlay