diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c index 551a055715..661d9c799c 100644 --- a/hw/arm/apple_a13.c +++ b/hw/arm/apple_a13.c @@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), - A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), + A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS + A13_CPREG_DEF(SYS_E_LSU_ERR_STS, 3, 3, 15, 2, 0, PL1_RW, 0), // A16 SYS_E_LSU_ERR_STS + A13_CPREG_DEF(SYS_E_FED_ERR_STS, 3, 4, 15, 0, 2, PL1_RW, 0), // A16 SYS_E_FED_ERR_STS A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0, 3, 3, 15, 15, 0, PL1_RW, 0), A13_CPREG_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0, 3, 3, 15, 15, 1, PL1_RW, 0), A13_CPREG_DEF(ARM64_REG_3_3_15_7, 3, 3, 15, 7, 0, PL1_RW, @@ -520,6 +522,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { A13_CPREG_DEF(ARM64_REG_CYC_OVRD, 3, 5, 15, 5, 0, PL1_RW, 0), A13_CPREG_DEF(ARM64_REG_ACC_CFG, 3, 5, 15, 4, 0, PL1_RW, 0), A13_CPREG_DEF(S3_5_c15_c10_1, 3, 5, 15, 10, 1, PL0_RW, 0), + A13_CPREG_DEF(SYS_PRE_LLCFLUSH_TMR, 3, 5, 15, 7, 0, PL1_RW, 0), + A13_CPREG_DEF(SYS_ACC_PWR_DN_SAVE, 3, 7, 15, 2, 0, PL1_RW, 0), + A13_CPREG_DEF(SYS_AON_CNT_CTL, 3, 7, 15, 4, 0, PL1_RW, 0), A13_CPREG_DEF(UPMPCM, 3, 7, 15, 5, 4, PL1_RW, 0), A13_CPREG_DEF(UPMCR0, 3, 7, 15, 0, 4, PL1_RW, 0), A13_CPREG_DEF(UPMSR, 3, 7, 15, 6, 4, PL1_RW, 0), @@ -718,7 +723,7 @@ AppleA13State *apple_a13_cpu_create(DTBNode *node, char *name, uint32_t cpu_id, } } - if (tcpu->cpu_id == 0 || node == NULL) { + if (tcpu->cpu_id == 0/* || node == NULL*/) { if (node) { set_dtb_prop(node, "state", 8, "running"); } @@ -817,6 +822,8 @@ static const VMStateDescription vmstate_apple_a13 = { VMSTATE_A13_CPREG(ARM64_REG_HID14), VMSTATE_A13_CPREG(ARM64_REG_HID16), VMSTATE_A13_CPREG(ARM64_REG_LSU_ERR_STS), + VMSTATE_A13_CPREG(SYS_E_LSU_ERR_STS), + VMSTATE_A13_CPREG(SYS_E_FED_ERR_STS), VMSTATE_A13_CPREG(PMC0), VMSTATE_A13_CPREG(PMC1), VMSTATE_A13_CPREG(PMCR0), @@ -828,6 +835,9 @@ static const VMStateDescription vmstate_apple_a13 = { VMSTATE_A13_CPREG(ARM64_REG_CYC_OVRD), VMSTATE_A13_CPREG(ARM64_REG_ACC_CFG), VMSTATE_A13_CPREG(S3_5_c15_c10_1), + VMSTATE_A13_CPREG(SYS_PRE_LLCFLUSH_TMR), + VMSTATE_A13_CPREG(SYS_ACC_PWR_DN_SAVE), + VMSTATE_A13_CPREG(SYS_AON_CNT_CTL), VMSTATE_A13_CPREG(UPMPCM), VMSTATE_A13_CPREG(UPMCR0), VMSTATE_A13_CPREG(UPMSR), diff --git a/hw/arm/apple_sep.c b/hw/arm/apple_sep.c index da318ca250..4b95a9272f 100644 --- a/hw/arm/apple_sep.c +++ b/hw/arm/apple_sep.c @@ -22,12 +22,19 @@ #include "hw/arm/apple_a13.h" #include "hw/arm/apple_a9.h" #include "hw/arm/apple_sep.h" +#include "hw/misc/apple_mbox.h" #include "hw/arm/xnu.h" #include "hw/core/cpu.h" #include "qapi/error.h" #include "qemu/error-report.h" #include "qemu/log.h" #include "qemu/units.h" +#include "hw/arm/t8030.h" +#include "exec/address-spaces.h" +#include "hw/irq.h" +#include "sysemu/dma.h" + +//#define DO_SECUREROM 1 static void trng_reg_write(void *opaque, hwaddr addr, uint64_t data, unsigned size) @@ -225,6 +232,536 @@ static const MemoryRegionOps misc2_reg_ops = { .valid.unaligned = false, }; +static void misc39_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + switch (addr) { + default: + memcpy(&s->misc39_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC39: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc39_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + // 0x0;0x4 == T8101 + // 0x4;0x8 == T8020 + + switch (addr) { +#if 0 + //case 0x00: // ???? T8101 + // return 0x1; + //case 0x04: // ???? T8101 + // return 0x1; + case 0x04: // ???? T8020 + //return 0x1; + return 0x0; // required for misc9 0x318 + case 0x08: // ???? T8020 + //return 0x1; + return 0x0; +#endif + default: + memcpy(&ret, &s->misc39_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC39: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc39_reg_ops = { + .write = misc39_reg_write, + .read = misc39_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; + +#if 1 +static void misc4_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + switch (addr) { +#if 0 + case 0x14: + if (!!(data & 1)) { + uint64_t vector = *(uint64_t*)(&s->misc4_regs[0x20]); + AppleSEPResetMisc_func(vector); + } + break; +#endif + default: + memcpy(&s->misc4_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC4: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc4_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + + switch (addr) { +#if 0 + case 0x00: // ???? because of WFE FUN_240011488_DAT_241500000_wfe, hangs otherwise, fix it properly! + return 0x0; + case 0x04: // ???? because of WFE FUN_2400113cc_DAT_241500004_wfe, hangs otherwise, fix it properly! + return 0x0; + case 0x0c: // ???? because of switch case FUN_2400113ec_DAT_24150000c_should_be_0, panics otherwise + return 0x0; +#endif + default: + memcpy(&ret, &s->misc4_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC4: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc4_reg_ops = { + .write = misc4_reg_write, + .read = misc4_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; +#endif + +static void misc5_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + switch (addr) { + default: + memcpy(&s->misc5_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC5: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc5_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + + switch (addr) { + default: + memcpy(&ret, &s->misc5_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC5: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc5_reg_ops = { + .write = misc5_reg_write, + .read = misc5_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; + +static void misc6_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + switch (addr) { + default: + memcpy(&s->misc6_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC6: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc6_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + + switch (addr) { + default: + memcpy(&ret, &s->misc6_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC6: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc6_reg_ops = { + .write = misc6_reg_write, + .read = misc6_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; + +static void misc7_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + //apple_mbox_msg_t msg0 = NULL; + //apple_mbox_msg_t msg1 = NULL; + //apple_mbox_msg_t msg2 = NULL; + //apple_mbox_msg_t msg3 = NULL; + //apple_mbox_msg_t msg4 = NULL; + //apple_mbox_msg_t msg5 = NULL; + //sep_message_t sep_msg = NULL; + struct sep_message sep_msg = { 0 }; + switch (addr) { + //case 0x8: + case 0x4: + //if (data == 0x2cbd3509) + if (data == 0xf2e31133) + { + //sep_msg = g_new0(struct sep_message, 1); + //msg0 = g_new0(struct apple_mbox_msg, 1); + //msg1 = g_new0(struct apple_mbox_msg, 1); + //msg2 = g_new0(struct apple_mbox_msg, 1); + //msg3 = g_new0(struct apple_mbox_msg, 1); + //msg4 = g_new0(struct apple_mbox_msg, 1); + //msg5 = g_new0(struct apple_mbox_msg, 1); + sep_msg.endpoint = 0xff; + +#if 0 + sep_msg->opcode = 1; // kOpCode_Ping + sep_msg->tag = 0x70; + memcpy(msg5->data, sep_msg, 16); + apple_mbox_inbox_push(s->mbox, msg5); + IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode1/kOpCode_Ping", msg5); +#endif + + sep_msg.opcode = 3; // kOpCode_GenerateNonce + sep_msg.tag = 0x67; + //memcpy(msg0->data, sep_msg, 16); + //apple_mbox_inbox_push(s->mbox, msg0); + //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce", msg0); + apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw); + qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode3/kOpCode_GenerateNonce\n"); + +#if 0 + sep_msg->opcode = 4; // Opcode 4 + sep_msg->tag = 0x6e; + memcpy(msg4->data, sep_msg, 16); + apple_mbox_inbox_push(s->mbox, msg4); + IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode4/kOpCode_GetNonceWord", msg4); + + sep_msg->opcode = 15; // Opcode 15 + sep_msg->tag = 0x0; + memcpy(msg2->data, sep_msg, 16); + apple_mbox_inbox_push(s->mbox, msg2); + IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode15/kOpCode_SendDpa", msg2); + + sep_msg->opcode = 16; // Opcode 16 + sep_msg->tag = 0x0; + memcpy(msg3->data, sep_msg, 16); + apple_mbox_inbox_push(s->mbox, msg3); + IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode16", msg3); +#endif + + sep_msg.opcode = 17; // Opcode 17 + sep_msg.tag = 0x0; + //sep_msg->data = 0x2000; // 0x2000 + //sep_msg->data = 0x3200; // iBoot on iOS 12.0 for T8020 says 0x3200 (0x1c52000 bytes). Might not be enough for SEPOS in iOS 14.4.2. + //sep_msg->data = 0x4000; // iBoot on iOS 13.0/13.7 for T8020 says 0x4000 (0x2440000 bytes). Might not be enough for SEPOS in iOS 14.4.2. + //sep_msg->data = 0x3400; // SEPFW on iOS 14.4.2 for T8020 wants something higher + //sep_msg->data = 0x3800; // SEPFW on iOS 14.4.2 for T8020 wants something higher + //sep_msg->data = 0x6000; // SEPFW on iOS 14.4.2 for T8020 wants something higher + sep_msg.data = 0x8000; // SEPFW on iOS 14.0/14.4.2 for T8020, if I found the correct data in Ghidra. + // max value 0x8000, checked in SEPROM:FUN_240011564_maybe_check_amcc. + // size in bytes == value * 0x910 + //memcpy(msg1->data, sep_msg, 16); + //apple_mbox_inbox_push(s->mbox, msg1); + //IOP_LOG_MSG(s->mbox, "SEP MISC7: Sent fake SEPROM_Opcode17", msg1); + apple_mbox_send_inbox_control_message(s->mbox, 0, sep_msg.raw); + qemu_log_mask(LOG_UNIMP, "SEP MISC7: Sent fake SEPROM_Opcode17\n"); +#if 0 + qemu_log_mask(LOG_UNIMP, "SEP MISC7: before response loop, this will surely dead-lock, but let's try it anyway. YOLO.\n"); + int response_count = 2; + while (response_count > 0) { + while (!apple_mbox_outbox_empty(s->mbox)) { + response_count -= pop_from_outbox(opaque); + } + } + qemu_log_mask(LOG_UNIMP, "SEP MISC7: after response loop\n"); +#endif + //g_free(sep_msg); + ////g_free(msg0); + ////g_free(msg1); + ////g_free(msg2); + ////g_free(msg3); + ////g_free(msg4); + ////g_free(msg5); + } + //goto jump_default; + //QEMU_FALLTHROUGH; + break; + case 0x8: + if (data == 0x23bfdfe7) + { + AddressSpace *nsas = &address_space_memory; + uint32_t value32_mov_x8_0 = 0xd2800008; // mov x8, #0x0 + //address_space_write(nsas, 0x340000000ULL+0xa114, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_16 + //address_space_write(nsas, 0x340000000ULL+0xa120, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_24 + uint8_t zeroes_16bytes[16] = {0}; + // The first 16bytes of SEPB.random_0 are being used for SEPOS' ASLR. GDB's awatch refuses to tell me where it ends up, so here you go, I'm just zeroing that shit. + ////address_space_write(nsas, 0x340021098ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes)); + ////address_space_write(nsas, 0x24221bce0ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes)); + ////address_space_write(nsas, 0x340000080ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes)); + address_space_write(nsas, 0x340736380ULL, MEMTXATTRS_UNSPECIFIED, &zeroes_16bytes, sizeof(zeroes_16bytes)); + } + break; + case 0x0: + //case 0x4: + //case 0x8: + case 0x114: + case 0x214: + case 0x218: + case 0x21c: + case 0x220: + case 0x2d8: + case 0x2dc: + case 0x2e0: // ecid low + case 0x2e4: // ecid high + case 0x2e8: // board-id + case 0x2ec: // chip-id + case 0x314: + case 0x318: + case 0x31c: + memcpy(&s->misc7_regs[addr], &data, size); + break; + default: + jump_default: + memcpy(&s->misc7_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc7_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + + switch (addr) { + case 0xc: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); // ARM_CPU_IRQ == 0 + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); // ARM_CPU_FIQ == 1 + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); // GTIMER_VIRT == 1 + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2)); + + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3)); + + //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 0)); + //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 1)); + //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 2)); + //qemu_irq_raise(qdev_get_gpio_in(DEVICE(s), 3)); + ret = 0xdeadbeef; +#endif + break; + case 0x10: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ)); + + ret = 0xdeadbeef; +#endif + break; + case 0x14: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_FIQ)); + + ret = 0xdeadbeef; +#endif + break; + case 0x18: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // panic(cpu 3 caller 0xfffffff008b69bb0): SEP Panic: [elfour panic] [&&&&&&&&] sep,*.c:*(+ + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), GTIMER_VIRT)); + + ret = 0xdeadbeef; +#endif + break; + case 0x1c: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 0)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 0)); + + ret = 0xdeadbeef; +#endif + break; + case 0x20: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 1)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 1)); + + ret = 0xdeadbeef; +#endif + break; + case 0x24: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 2)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 2)); + + ret = 0xdeadbeef; +#endif + break; + case 0x28: // IRQTEST: ignore and remove this ; read because writes were unreliable for some reason // nothing? + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: IRQTEST read at 0x" HWADDR_FMT_plx "\n", + addr); +#if 1 + qemu_irq_lower(qdev_get_gpio_in(DEVICE(s->cpu), 3)); + qemu_irq_raise(qdev_get_gpio_in(DEVICE(s->cpu), 3)); + + ret = 0xdeadbeef; +#endif + break; + default: + memcpy(&ret, &s->misc7_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC7: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc7_reg_ops = { + .write = misc7_reg_write, + .read = misc7_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; + +static void misc8_reg_write(void *opaque, hwaddr addr, uint64_t data, + unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + switch (addr) { + default: + memcpy(&s->misc8_regs[addr], &data, size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC8: Unknown write at 0x" HWADDR_FMT_plx + " with value 0x" HWADDR_FMT_plx "\n", + addr, data); + break; + } +} + +static uint64_t misc8_reg_read(void *opaque, hwaddr addr, unsigned size) +{ + AppleSEPState *s = APPLE_SEP(opaque); + uint64_t ret = 0; + + switch (addr) { + default: + memcpy(&ret, &s->misc8_regs[addr], size); + qemu_log_mask(LOG_UNIMP, + "SEP MISC8: Unknown read at 0x" HWADDR_FMT_plx "\n", + addr); + break; + } + + return ret; +} + +static const MemoryRegionOps misc8_reg_ops = { + .write = misc8_reg_write, + .read = misc8_reg_read, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid.min_access_size = 4, + .valid.max_access_size = 4, + .impl.min_access_size = 4, + .impl.max_access_size = 4, + .valid.unaligned = false, +}; + static const struct AppleMboxOps sep_mailbox_ops = {}; @@ -270,9 +807,9 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, APPLE_MBOX_MMIO_V2)); sysbus_pass_irq(sbd, SYS_BUS_DEVICE(s->mbox)); - memory_region_init_io(&s->trng_mr, OBJECT(dev), &trng_reg_ops, s, - "sep.trng", 0x100); - sysbus_init_mmio(sbd, &s->trng_mr); + memory_region_init_io(&s->trng_t8101_mr, OBJECT(dev), &trng_reg_ops, s, + "sep.trng_t8101", 0x100); // TRNG T8101 + sysbus_init_mmio(sbd, &s->trng_t8101_mr); memory_region_init_io(&s->misc0_mr, OBJECT(dev), &misc0_reg_ops, s, "sep.misc0", 0x100); sysbus_init_mmio(sbd, &s->misc0_mr); @@ -282,6 +819,30 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, memory_region_init_io(&s->misc2_mr, OBJECT(dev), &misc2_reg_ops, s, "sep.misc2", 0x100); sysbus_init_mmio(sbd, &s->misc2_mr); + memory_region_init_io(&s->misc3_mr, OBJECT(dev), &misc39_reg_ops, s, + "sep.misc39_t8101", 0x100); // MISC39 T8101 + sysbus_init_mmio(sbd, &s->misc3_mr); + memory_region_init_io(&s->misc4_mr, OBJECT(dev), &misc4_reg_ops, s, + "sep.misc4", 0x100); // MISC4 // 0x241440000 + sysbus_init_mmio(sbd, &s->misc4_mr); + memory_region_init_io(&s->misc5_mr, OBJECT(dev), &misc5_reg_ops, s, + "sep.misc5", 0x100); // MISC5 + sysbus_init_mmio(sbd, &s->misc5_mr); + memory_region_init_io(&s->misc6_mr, OBJECT(dev), &misc6_reg_ops, s, + "sep.misc6", 0x4000); // MISC6 // T8020's dart-sep? + sysbus_init_mmio(sbd, &s->misc6_mr); + memory_region_init_io(&s->misc7_mr, OBJECT(dev), &misc7_reg_ops, s, + "sep.misc7", 0x1000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM. + sysbus_init_mmio(sbd, &s->misc7_mr); + memory_region_init_io(&s->misc8_mr, OBJECT(dev), &misc8_reg_ops, s, + "sep.misc8", 0x40000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8. + sysbus_init_mmio(sbd, &s->misc8_mr); + memory_region_init_io(&s->trng_t8020_mr, OBJECT(dev), &trng_reg_ops, s, + "sep.trng_t8020", 0x100); // TRNG T8020 + sysbus_init_mmio(sbd, &s->trng_t8020_mr); + memory_region_init_io(&s->misc9_mr, OBJECT(dev), &misc39_reg_ops, s, + "sep.misc39_t8020", 0x100); // MISC39 T8020 + sysbus_init_mmio(sbd, &s->misc9_mr); DTBNode *child = find_dtb_node(node, "iop-sep-nub"); assert(child); //! SEPFW needs to be loaded by restore, supposedly @@ -293,7 +854,17 @@ AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, static void apple_sep_cpu_reset_work(CPUState *cpu, run_on_cpu_data data) { AppleSEPState *s = data.host_ptr; + AddressSpace *nsas = &address_space_memory; + MachineState *machine = MACHINE(qdev_get_machine()); + T8030MachineState *tms = T8030_MACHINE(machine); cpu_reset(cpu); +#ifdef DO_SECUREROM + // make it possible to re-run SEPROM after SecureROM panics without powering off + // replaces e.g.: set *0x241130840=0x0 ; set *0x241130800=0x0 + //address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x3000000, MEMTXATTRS_UNSPECIFIED); + address_space_set(nsas, tms->soc_base_pa + 0x41000000, 0, 0x1000000, MEMTXATTRS_UNSPECIFIED); +#endif + fprintf(stderr, "apple_sep_cpu_reset_work: before cpu_set_pc: base=0x" HWADDR_FMT_plx "\n", s->base); cpu_set_pc(cpu, s->base); } diff --git a/hw/arm/s8000.c b/hw/arm/s8000.c index 7b3e89eb17..3ed35dd78c 100644 --- a/hw/arm/s8000.c +++ b/hw/arm/s8000.c @@ -617,16 +617,44 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size) { hwaddr base = (hwaddr)opaque; + uint64_t ret = 0; switch (base + addr) { - case 0x102BC000: //! CFG_FUSE0 - return (1 << 2); + case 0x102BC000: //! CFG_FUSE0 + //return (1 << 2); + //return 0; + //return -1; + ret |= (1 << 2); + ret |= (0x12ULL << 9); // SCEP: max: 0x7f + //ret |= (1 << 8); + //ret |= 0xf << 4; + ret |= 0x1 << 4; // BDID |= 0x20 + //ret |= 0x1 << 5; // BDID |= 0x40 + //ret |= 0x1 << 6; // BDID |= 0x80 + //ret |= 0x1 << 7; + ret |= (1 << 0); // IBFL |= 0x10 + return ret; case 0x102BC200: //! CFG_FUSE0_RAW - return 0x0; + //return 0x0; + //return (1 << 2); + //return -1; + //return 0xffffffffULL << 16; + //ret |= (0x1 << 1); // CPFM |= 0x1 ; IBFL |= 0x08 + ret |= (0x1 << 0); // CPFM |= 0x3 ; IBFL |= 0x08 + return ret; + case 0x102BC010: + //return 0x1 << 22; // CPRV |= 0x01 + //return 0x1 << 23; // CPRV |= 0x02 + //return 0x1 << 24; // CPRV |= 0x04 + //return 0x1 << 25; // CPRV |= 0x10 + //return 0x1 << 26; // CPRV |= 0x20 + //return 0x1 << 27; // CPRV |= 0x40 + return (3 << 22); case 0x102BC080: //! ECID_LO return 0x13371337; case 0x102BC084: //! ECID_HI - return 0xDEADBEEF; + return 0x7EADBEEF; + //return 0xDEADBEEF; case 0x102E8000: // ???? return 0x4; case 0x102BC104: // ???? bit 24 => is fresh boot? diff --git a/hw/arm/t8030.c b/hw/arm/t8030.c index f704899133..e2d246baff 100644 --- a/hw/arm/t8030.c +++ b/hw/arm/t8030.c @@ -1,3 +1,6 @@ + +//#define DO_SECUREROM 1 + /* * Apple t8030 SoC. * @@ -65,13 +68,29 @@ #define T8030_DRAM_BASE (0x800000000ULL) #define T8030_DRAM_SIZE (4ULL * GiB) +#define T8030_SEP_BASE (0x240000000ULL) +#define T8030_SEP_SIZE (0x4000000ULL) + #define T8030_SEPROM_BASE (0x240000000ULL) -#define T8030_SEPROM_SIZE (0x4000000ULL) +//#define T8030_SEPROM_BASE (0x242200000ULL) // Visual told me to +#define T8030_SEPROM_SIZE (0x40000ULL) #define T8030_GPIO_FORCE_DFU (161) -#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x10000000) -#define T8030_KERNEL_REGION_SIZE (0x3F00000) +/* + * This is from /chosen/carveout-memory-map/region-id-24 + */ +//#define T8030_KERNEL_REGION_BASE (0x801964000) +//#define T8030_KERNEL_REGION_SIZE (0xF09CC000) + +/* Those values are from Visual. */ +//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x10000000) +//#define T8030_KERNEL_REGION_SIZE (0x3F00000) +//#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x1000000) +//#define T8030_KERNEL_REGION_SIZE (0xF000000) +#define T8030_KERNEL_REGION_BASE (T8030_DRAM_BASE + 0x2000000ULL) +#define T8030_KERNEL_REGION_SIZE (0xF000000ULL) +/* */ #define T8030_SPI_BASE(_x) (0x35100000 + (_x)*APPLE_SPI_MMIO_SIZE) @@ -158,6 +177,20 @@ static void t8030_create_s3c_uart(const T8030MachineState *tms, uint32_t port, static void t8030_patch_kernel(MachoHeader64 *hdr) { +#ifndef DO_SECUREROM +#if 1 + uint32_t value32_nop = 0xd503201f; // nop + *(uint32_t *)vtop_static(0xFFFFFFF0077142C8) = 0; + //*(uint32_t *)vtop_static(0xfffffff009845140) = 0xFFFFFFFF; // AMCC + // gAppleSMCDebugLevel = 0xFFFFFFFF; + //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA18) = 0xFFFFFFFF; + // gAppleSMCDebugPath = 0x2; + //*(uint32_t *)vtop_static(0xFFFFFFF0099EAA1C) = 0x2; + *(uint32_t *)vtop_static(0xfffffff007eef5c0) = value32_nop; + *(uint32_t *)vtop_static(0xfffffff007eef600) = value32_nop; + *(uint32_t *)vtop_static(0xfffffff007eef6a4) = value32_nop; +#endif +#endif kpf(); } @@ -305,17 +338,18 @@ static void t8030_load_classic_kc(T8030MachineState *tms, const char *cmdline) dtb_va = ptov_static(info->device_tree_pa); phys_ptr += align_16k_high(info->device_tree_size); +#if 1 if (tms->sepfw_filename) { info->sep_fw_pa = phys_ptr; - macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", - info->sep_fw_pa, &info->sep_fw_size); info->sep_fw_size = align_16k_high(8 * MiB); phys_ptr += info->sep_fw_size; + size_t garbage = 0; + macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage); } +#endif - mem_size = - machine->maxram_size - - (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE)); + //mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE); + mem_size = machine->maxram_size - (T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE)); macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info); @@ -436,8 +470,7 @@ static void t8030_load_fileset_kc(T8030MachineState *tms, const char *cmdline) info->kern_boot_args_pa = phys_ptr; phys_ptr += align_16k_high(0x4000); - mem_size = - T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE); + mem_size = T8030_KERNEL_REGION_SIZE - (g_phys_base - T8030_KERNEL_REGION_BASE); macho_load_dtb(tms->device_tree, nsas, sysmem, "DeviceTree", info); @@ -460,6 +493,7 @@ static void t8030_memory_setup(MachineState *machine) DTBNode *memory_map = get_dtb_node(tms->device_tree, "/chosen/memory-map"); g_autofree char *cmdline = NULL; AddressSpace *nsas = &address_space_memory; + g_autofree char *securerom = NULL; g_autofree char *seprom = NULL; unsigned long fsize = 0; @@ -470,11 +504,25 @@ static void t8030_memory_setup(MachineState *machine) info->dram_base = T8030_DRAM_BASE; info->dram_size = T8030_DRAM_SIZE; +#ifdef DO_SECUREROM + if (!machine->firmware) { + error_report("Please set firmware to SecureROM's path"); + exit(EXIT_FAILURE); + } + + if (!g_file_get_contents(machine->firmware, &securerom, &fsize, NULL)) { + error_report("Could not load data from file '%s'", + machine->firmware); exit(EXIT_FAILURE); + } + address_space_rw(nsas, T8030_SROM_BASE, MEMTXATTRS_UNSPECIFIED, + (uint8_t *)securerom, fsize, 1); +#endif + if (tms->seprom_filename == NULL) { error_report("Please set path to SEPROM"); exit(EXIT_FAILURE); } - +#if 1 if (!g_file_get_contents(tms->seprom_filename, &seprom, &fsize, NULL)) { error_report("Could not load data from file '%s'", tms->seprom_filename); @@ -482,13 +530,63 @@ static void t8030_memory_setup(MachineState *machine) } address_space_rw(nsas, T8030_SEPROM_BASE, MEMTXATTRS_UNSPECIFIED, (uint8_t *)seprom, fsize, 1); - +#endif uint64_t value = 0x8000000000000000; - address_space_write(nsas, tms->soc_base_pa + 0x42140108, - MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); uint32_t value32 = 0x1; - address_space_write(nsas, tms->soc_base_pa + 0x41448000, - MEMTXATTRS_UNSPECIFIED, &value32, sizeof(value32)); + uint32_t value32_mov_w8_0 = 0x52800008; // mov w8, #0x0 + uint32_t value32_mov_w8_1 = 0x52800028; // mov w8, #0x1 + uint32_t value32_mov_x0_1 = 0xd2800020; // mov x0, #0x1 + uint32_t value32_mov_x0_0 = 0xd2800000; // mov x0, #0x0 + uint32_t value32_mov_x0_0x10 = 0xd2800200; // mov x0, #0x10 + uint32_t value32_mov_x0_0x2000 = 0xd2840000; // mov x0, #0x2000 + uint32_t value32_mov_x0_0x5000 = 0xd28a0000; // mov x0, #0x5000 + uint32_t value32_mov_x0_0x200000 = 0xd2a00400; // mov x0, #0x200000 + uint32_t value32_mov_x0_0xe20 = 0xd281c400; // mov x0, #0xe20 + uint32_t value32_mov_x8_0 = 0xd2800008; // mov x8, #0x0 + uint32_t value32_mov_x20_1 = 0xd2800034; // mov x20, #0x1 + uint32_t value32_nop = 0xd503201f; // nop + uint32_t value32_mov_w0_8030 = 0x52900600; // mov w0, #0x8030 + uint32_t value32_cmp_x0_x0 = 0xeb00001f; // cmp x0, x0 + uint32_t value32_bl_GenerateNonce_t8101 = 0x9400026d; // bl generate_random_GenerateNonce for T8101 from 0x24000edec + uint32_t value32_bl_GenerateNonce_t8020 = 0x94000187; // bl generate_random_GenerateNonce for T8020 from 0x24000b574 + uint32_t value32_mov_x5_0xf0000000 = 0xd2be0005; // mov x5,#0xf0000000 + uint32_t value32_retab = 0xd65f0fff; // retab + uint32_t value32_ret = 0xd65f03c0; // ret + uint32_t value32_mov_w0_minus1 = 0x12800000; // mov w0, #0xffffffff + uint32_t value32_mov_w0_0x10000000 = 0x52a20000; // mov w0, #0x10000000 + uint32_t value32_mov_w0_sp_0x4 = 0xb90007e0; // mov w0, [sp, #0x4] +#if 1 // for T8020 SEPROM + address_space_write(nsas, tms->soc_base_pa + 0x42140108, MEMTXATTRS_UNSPECIFIED, &value, sizeof(value)); // _entry: prevent busy-loop (data section) + //address_space_write(nsas, T8030_SEPROM_BASE + 0x0d2c8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // image4_validate_property_callback: skip AMNM + address_space_write(nsas, T8030_SEPROM_BASE + 0x12144, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: Skip RSA verification result. + address_space_write(nsas, T8030_SEPROM_BASE + 0x121d8, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: payload_raw hashing stuck, nop'ing + address_space_write(nsas, T8030_SEPROM_BASE + 0x121dc, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // maybe_Img4DecodeEvaluateTrust: nop'ing result of payload_raw hashing + address_space_write(nsas, T8030_SEPROM_BASE + 0x0abd8, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs30: fake success + address_space_write(nsas, T8030_SEPROM_BASE + 0x0ca84, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // memcmp_validstrs14: fake success + //address_space_write(nsas, T8030_SEPROM_BASE + 0x091b4, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_8030, sizeof(value32_mov_w0_8030)); // get_chipid: patch get_chipid to return 0x8030 instead of 0x8020 + address_space_write(nsas, T8030_SEPROM_BASE + 0x077ac, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // load_sepos: jump over img4_compare_verified_values_true_on_success + //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b574, MEMTXATTRS_UNSPECIFIED, &value32_bl_GenerateNonce_t8020, sizeof(value32_bl_GenerateNonce_t8020)); // boot: replace calling clear_GenerateNonce_nonce with a call generating the nonce T8020 (Opcode3). Needed because we don't run iBoot/SecureROM. + ////address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_1, sizeof(value32_mov_x0_1)); // boot: set opcode_17_inbox_msg_data + //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b584, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0x2000, sizeof(value32_mov_x0_0x2000)); // boot: set opcode_17_inbox_msg_data + //address_space_write(nsas, T8030_SEPROM_BASE + 0x0b588, MEMTXATTRS_UNSPECIFIED, &value32_mov_w0_sp_0x4, sizeof(value32_mov_w0_sp_0x4)); // boot: set opcode_17_inbox_msg_data +#ifndef DO_SECUREROM +#if 1 + *(uint32_t *)vtop_static(0xfffffff008b4e018) = value32_mov_w0_0x10000000; // AppleSEPBooter::getBootTimeout: increase timeout for debugging (GDB tracing) + *(uint32_t *)vtop_static(0xfffffff008b576b4) = value32_nop; // AppleSEPManager::_tracingEnabled: Don't require _PE_i_can_has_debugger. + ////*(uint32_t *)vtop_static(0xfffffff008b57ad4) = value32_mov_x0_1; // AppleSEPManager::_bootSEP:: Don't require _PE_i_can_has_debugger. + *(uint32_t *)vtop_static(0xfffffff008b56b18) = value32_nop; // AppleSEPManager::_initPMControl: Don't require _PE_i_can_has_debugger. // _PE_parse_boot_argn "sep_pm" + *(uint32_t *)vtop_static(0xfffffff007a231d8) = value32_mov_x0_1; // _kern_config_is_development + //address_space_write(nsas, 0x340000000ULL+0xa114, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_16 + //address_space_write(nsas, 0x340000000ULL+0xa120, MEMTXATTRS_UNSPECIFIED, &value32_mov_x8_0, sizeof(value32_mov_x8_0)); // SEPOS: kernel: maybe_sepos_main_called_by_FUN_800005ddc_write_to_TTBR01_wrapper: random_0_24 + //address_space_write(nsas, T8030_SEPROM_BASE + 0xc210, MEMTXATTRS_UNSPECIFIED, &value32_ret, sizeof(value32_ret)); // SEPROM: generate_random +#endif +#else + address_space_write(nsas, 0x100005b64, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: image4_load: fake success for maybe_verify_zero_on_success. unused because of the next patches. + address_space_write(nsas, 0x1000020e4, MEMTXATTRS_UNSPECIFIED, &value32_mov_x0_0, sizeof(value32_mov_x0_0)); // SecureROM: _main: fake success for image_load + address_space_write(nsas, 0x1000021d4, MEMTXATTRS_UNSPECIFIED, &value32_nop, sizeof(value32_nop)); // SecureROM: _main: nop because it panics of plain payload +#endif + +#endif // for T8020 SEPROM nvram = APPLE_NVRAM(qdev_find_recursive(sysbus_get_default(), "nvram")); if (!nvram) { @@ -594,6 +692,7 @@ static void t8030_memory_setup(MachineState *machine) set_dtb_prop(vram, "reg", sizeof(vram_reg), &vram_reg); } +#ifndef DO_SECUREROM hdr = tms->kernel; g_assert(hdr); @@ -613,12 +712,26 @@ static void t8030_memory_setup(MachineState *machine) __func__, hdr->file_type); break; } +#endif } +static uint64_t pmgr_unk_e4800 = 0; +static uint32_t pmgr_unk_e4000[0x180/4] = {0}; + static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, unsigned size) { hwaddr base = (hwaddr)opaque; + switch (base + addr) { + case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4 + pmgr_unk_e4800 = data; // 0x240002c00 and 0x2400037a4 + break; + case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c + pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4] = data; // 0x24000377c + break; + default: + break; + } #if 1 qemu_log_mask(LOG_UNIMP, "PMGR reg WRITE unk @ 0x" TARGET_FMT_lx @@ -629,51 +742,135 @@ static void pmgr_unk_reg_write(void *opaque, hwaddr addr, uint64_t data, static uint64_t pmgr_unk_reg_read(void *opaque, hwaddr addr, unsigned size) { + MachineState *machine = MACHINE(qdev_get_machine()); + T8030MachineState *tms = T8030_MACHINE(machine); + AppleSEPState *sep; hwaddr base = (hwaddr)opaque; + sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal)); #if 1 + if (((base + addr) & 0xfffffffb) != 0x10E20020) { qemu_log_mask(LOG_UNIMP, "PMGR reg READ unk @ 0x" TARGET_FMT_lx " base: 0x" TARGET_FMT_lx "\n", base + addr, base); + } #endif - switch (base + addr) { - case 0x3D2BC000: - // return 0xA050C030; // IBFL | 0x00 - return 0xA55AC33C; // IBFL | 0x10 - case 0x3D2BC008: + uint32_t chip_revision; + //chip_revision = 0x01; + chip_revision = 0x11; + switch (base + addr) { + case 0x3D2BC000: // DPRO + case 0x3D2BC200: + //// return 0xA050C030; // IBFL | 0x00 + return 0xA55AC33C; // IBFL | 0x10 // my + //return 0xA050C030; // Ntrung + case 0x3D2BC004: // ??? DPRO? is value==0xA050C030 (disabled), take value from 0xbc600 + case 0x3D2BC204: + return 0xA55AC33C; // force return enabled + //return 0xA050C030; // force return disabled ; skip loop inside FUN_240003fcc_wait_for_DAT_23d2bc004_maybe_memory_encryption + // FUN_240003fcc_wait_for_DAT_23d2bc004 + if ((sep->misc5_regs[0] & 0x2) != 0) + return 0xA050C030; // if bit1 is set + else + return 0xA55AC33C; // if bit1 is unset + case 0x3D2BC008: // EDOM_0? Effective SDOM_0? (Security Domain) T8030? + case 0x3D2BC208: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-A12-D331pAP + ////case 0x3D2BC308: // EDOM_0? Effective SDOM_0? (Security Domain) AppleSEPROM-S4-S5-B1 + case 0x3D2BC608: // SDOM_0? (Security Domain) AppleSEPROM-Sicily-A0 return 0xA55AC33C; // security domain | 0x1 - case 0x3D2BC00C: - // return 0xA55AC33C; // security domain | 0x2 + //return 0xA050C030; // MAYBE security domain | 0x0 + case 0x3D2BC00C: // EDOM_1? Effective SDOM_1? (Security Domain) T8030? + case 0x3D2BC20C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-A12-D331pAP + ////case 0x3D2BC30C: // EDOM_1? Effective SDOM_1? (Security Domain) AppleSEPROM-S4-S5-B1 + case 0x3D2BC60C: // SDOM_1? (Security Domain) AppleSEPROM-Sicily-A0 + //return 0xA55AC33C; // security domain | 0x2 return 0xA050C030; // security domain | 0x0 - case 0x3D2BC010: - return (1 << 5) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << - // 5 ;; (1 << 31) for SEP - case 0x3D2BC030: - // return 0xFFFFFFFF; // CPRV - // return 0x7 << 6; // LOW NIBBLE - // return 0x70 << 5; // HIGH NIBBLE - return 0x1 << 6; - case 0x3D2BC300: // TODO - return 0xCAFEBABE; // ECID lower - case 0x3D2BC304: // TODO - return 0xDEADBEEF; // ECID upper - case 0x3D2BC400: + case 0x3D2BC010: // maybe effective CEPO? SEPO/BOARDID (upper three??/five bits stored in the three lower bits) + case 0x3D2BC210: // CEPO? SEPO? AppleSEPROM-A12-D331pAP + ////case 0x3D2BC310: // CEPO? SEPO? AppleSEPROM-S4-S5-B1 + case 0x3D2BC610: // CEPO? SEPO? AppleSEPROM-Sicily-A0 + //uint64_t sep_bit30 = 0; + uint64_t sep_bit30 = ((sep->misc5_regs[0] & 0x1) != 0); + //return (1 << 5) | (0 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (0 << 30) | (1 << 31) for SEP + return (1 << 5) | (sep_bit30 << 30) | (1 << 31); // _rCFG_FUSE0 ; (security epoch & 0x7F) << 5 ;; (sep_bit30 << 30) | (1 << 31) for SEP + case 0x3D2BC020: // T8030 iBSS: FUN_19c07feac_return_value_causes_crash + //return 0xA050C030; // causes panic, so does a invalid value + return 0xA55AC33C; + //0x3d2bc024 T8030 + //0x3d2bc028 T8030 + //0x3d2bc02c T8030 + //case 0x3D2BC028: // CPRV (Chip Revision) AppleSEPROM-S4-S5-B1 + //case 0x3D2BC02c: // T8030 iBSS: _DAT_23d2bc02c >> 30 | (_DAT_23d2bc030 & 15) << 2; + case 0x3D2BC030: // CPRV (Chip Revision) T8030? T8020? + return ((chip_revision & 0x7) << 6) | (((chip_revision & 0x70) >> 4) << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1 + case 0x3D2BC03c: // CPRV (Chip Revision) AppleSEPROM-Sicily-A0 + return ((chip_revision & 0x7) << 10) | (((chip_revision & 0x70) >> 4) << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0 + //// return 0xFFFFFFFF; // CPRV + //// return (0x7 << 6) | (0x70 << 5); // LOW&HIGH NIBBLE T8030 and AppleSEPROM-S4-S5-B1 + //// return (0x7 << 10) | (0x70 << 9); // LOW&HIGH NIBBLE AppleSEPROM-Sicily-A0 + //return 0x1 << 6; // my ; (1 << 6) == 0x40 == revision:0x1 + //return 0x240; // Ntrung // == revision:0x11 + case 0x3D2BC100: // ECID lower T8020? + ////case 0x3D2BC200: // ECID lower AppleSEPROM-S4-S5-B1 + case 0x3D2BC300: // ECID lower T8030? + case 0x3D2BC500: // ECID lower AppleSEPROM-Sicily-A0 + //return 0xCAFEBABE; // ECID lower + return tms->ecid & 0xffffffff; // ECID lower + case 0x3D2BC104: // ECID upper T8020? + ////case 0x3D2BC204: // ECID upper AppleSEPROM-S4-S5-B1 + case 0x3D2BC304: // ECID upper T8030? + case 0x3D2BC504: // ECID upper AppleSEPROM-Sicily-A0 + //return 0xDEADBEEF; // ECID upper + return tms->ecid >> 32; // ECID upper + case 0x3D2BC400: // EKEY_0 // if 0xBC404 returns 1==0xA55AC33C, this will get ignored - // return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 - return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C - case 0x3D2BC404: - // return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C - return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 - case 0x3D2BC604: //? - return 0xA050C030; + //// return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 + return 0xA55AC33C; // CPFM | 0x03 ; IBFL_base == 0x0C // my + //return 0xA050C030; // Ntrung + case 0x3D2BC404: // EKEY_1 + return 0xA55AC33C; // CPFM | 0x01 ; IBFL_base == 0x0C + //return 0xA050C030; // CPFM | 0x00 ; IBFL_base == 0x04 + case 0x3D2BC600: //? EPRO (Effective Production Status)? CPRO (Certificate Production Status)? + //return 0xA55AC33C; // avoided panic(0x74/0xf1) with patches + //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off + //return 0; + return 0xA55AC33C; // EPRO enabled + //return 0xA050C030; // EPRO disabled + case 0x3D2BC604: //? CSEC (Certificate Security Mode)? + //return 0xA55AC33C; // set at 0x24000b070, causes crash at 0x240008928 // avoided panic(0x74/0xf1) with patches + //return 0xA050C030; // needed to avoid panic(0x74) ? // maybe AMK off + //return 0; // panic(0x74) ? + return 0xA55AC33C; // CSEC enabled + //return 0xA050C030; // CSEC disabled case 0x3D2E8000: // ???? - return 0x32B3; // memory encryption AMK (Authentication Master Key) - // disabled - // return 0xC2E9; // memory encryption AMK (Authentication Master Key) - // enabled - case 0x3D2D0034: //? - return (1 << 24) | (1 << 25); + //return 0x32B3; // memory encryption AMK (Authentication Master Key) disabled // avoided panic(0x74/0xf1) with patches + return 0xC2E9; // memory encryption AMK (Authentication Master Key) enabled // needed to avoid panic(0x74) ? + case 0x3D2E4800: // ???? 0x240002c00 and 0x2400037a4 + //////return 0x3; // 0x2400037a4 + return pmgr_unk_e4800; // 0x240002c00 and 0x2400037a4 + case 0x3D2E4000 ... 0x3D2E417f: // ???? 0x24000377c + return pmgr_unk_e4000[((base + addr) - 0x3D2E4000)/4]; // 0x24000377c +#if 0 + //case 0x3D2D0034: //? in AES + // return (1 << 24) | (1 << 25); +#endif +#if 0 +#if 0 + //case 0x3D2D0020: // ???? in AES + // return 4; +#endif + //case 0x3D2BC200: // ???? + // return 0xA050C030; + //case 0x3D2BC204: // ???? + // return 0xA050C030; +#endif +#ifdef DO_SECUREROM + case 0x3d2d4040: // SecureROM: prevent panic in platform_bootprep(_panics_on_plain_payload) + return (1 << 16); + case 0x3d12c014: // while ((*(int64_t*)0x23d12c014 & 0x1ff) == 0) + return 0x1; +#endif default: if (((base + addr) & 0x10E70000) == 0x10E70000) { return (108 << 4) | 0x200000; //? @@ -692,6 +889,7 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data, { MachineState *machine = MACHINE(opaque); T8030MachineState *tms = T8030_MACHINE(opaque); + AppleSEPState *sep; uint32_t value = data; if (addr >= 0x80000 && addr <= 0x8C000) { @@ -707,6 +905,34 @@ static void pmgr_reg_write(void *opaque, hwaddr addr, uint64_t data, case 0xD4004: t8030_start_cpus(machine, data); return; +#if 1 + case 0x80C00: + sep = APPLE_SEP(object_property_get_link(OBJECT(machine), "sep", &error_fatal)); +#ifdef DO_SECUREROM + if ((data & 0xf) == 0xf) { + if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) { + apple_a13_cpu_start(APPLE_A13(sep->cpu)); + } + } +#else + //if ((data >> 31) == 1) { + if (((data >> 31) & 1) == 1) { + apple_a13_cpu_reset(APPLE_A13(sep->cpu)); + //} else if ((data & 0xf) == 0xf) { + //} else if (((data & (1 << 28)) == 0) && ((data & (1 << 10)) == 0)) { + } else if (((data >> 10) & 1) == 0) { + if (apple_a13_cpu_is_powered_off(APPLE_A13(sep->cpu))) { + apple_a13_cpu_start(APPLE_A13(sep->cpu)); + } + //} else if ((data & 0xf) == 0x0) { + //} else if (((data & (1 << 28)) != 0) && ((data & (1 << 10)) != 0)) { + //} else if (((data & (1 << 28)) != 0) || ((data & (1 << 10)) != 0)) { + } else if (((data >> 10) & 1) == 1) { + apple_a13_cpu_off(APPLE_A13(sep->cpu)); + } +#endif + break; +#endif } memcpy(tms->pmgr_reg + addr, &value, size); } @@ -719,9 +945,15 @@ static uint64_t pmgr_reg_read(void *opaque, hwaddr addr, unsigned size) case 0xF0010: //! AppleT8030PMGR::commonSramCheck result = 0x5000; break; +#ifdef DO_SECUREROM case 0x80C00: //! SEP Power State, Manual & Actual: Run Max result = 0xFF; break; + case 0x30000: // ??? T8030 IBSS + memcpy(&result, tms->pmgr_reg + addr, size); + result &= ~(1 << 25); // prevent two busy-loops in T8030 IBSS + break; +#endif #if 0 case 0xBC008: result = 0xFFFFFFFF; @@ -754,44 +986,69 @@ static void amcc_reg_write(void *opaque, hwaddr addr, uint64_t data, T8030MachineState *tms = T8030_MACHINE(opaque); uint32_t value = data; +#if 1 + qemu_log_mask(LOG_UNIMP, + "AMCC reg WRITE @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx + "\n", + addr, data); +#endif memcpy(tms->amcc_reg + addr, &value, size); } static uint64_t amcc_reg_read(void *opaque, hwaddr addr, unsigned size) { - T8030MachineState *tms = T8030_MACHINE(opaque); + MachineState *machine = MACHINE(opaque); + T8030MachineState *tms = T8030_MACHINE(machine); + hwaddr orig_addr = addr; + uint64_t result = 0; + uint64_t base = (T8030_KERNEL_REGION_BASE-T8030_DRAM_BASE)+T8030_KERNEL_REGION_SIZE; switch (addr) { +#if 1 case 0x6A0: case 0x406A0: case 0x806A0: case 0xC06A0: - return 0x0; + //result = 0x080000; // Don't know if this is correct. + //result = 0x080000000ULL >> 12; + result = base >> 12; + break; case 0x6A4: - // return 0x1003; case 0x406A4: - // return 0x2003; case 0x806A4: - // return 0x3003; case 0xC06A4: - // return 0x3; - return 0x1003; // 0x1003 == 0x1004000 - // return 0x4003; + //result = 0xad9f+0x080000; // Don't know if this is correct. + //result = ((0x20000000+0x080000000ULL)-1)>>12; + //result = ((0xada0000+0x080000000ULL)-1)>>12; + result = ((0xada0000+base)-1)>>12; + break; case 0x6A8: case 0x406A8: case 0x806A8: case 0xC06A8: - return 0x1; + result = 0x1; + break; case 0x6B8: case 0x406B8: case 0x806B8: case 0xC06B8: - return 0x1; - default: { - uint64_t result = 0; + result = 0x1; + break; + case 0x4: + result = 0xcf; + break; +#endif + default:// { memcpy(&result, tms->amcc_reg + addr, size); - return result; - } + break; + //} } +#if 1 + qemu_log_mask(LOG_UNIMP, + "AMCC reg READ @ 0x" TARGET_FMT_lx " value: 0x" TARGET_FMT_lx + "\n", + orig_addr, result); +#endif + return result; } static const MemoryRegionOps amcc_reg_ops = { @@ -1723,13 +1980,29 @@ static void t8030_create_sep(MachineState *machine) reg = (uint64_t *)prop->value; sysbus_mmio_map(SYS_BUS_DEVICE(sep), 0, tms->soc_base_pa + reg[0]); sysbus_mmio_map(SYS_BUS_DEVICE(sep), 1, - tms->soc_base_pa + 0x41180000); // TRNG + tms->soc_base_pa + 0x41180000); // TRNG T8101 sysbus_mmio_map(SYS_BUS_DEVICE(sep), 2, tms->soc_base_pa + 0x41080000); // MISC0 sysbus_mmio_map(SYS_BUS_DEVICE(sep), 3, tms->soc_base_pa + 0x41040000); // MISC1 sysbus_mmio_map(SYS_BUS_DEVICE(sep), 4, tms->soc_base_pa + 0x410C4000); // MISC2 + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 5, + tms->soc_base_pa + 0x413CA000); // MISC39 T8101 + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 6, + tms->soc_base_pa + 0x41440000); // MISC4 // 0x241440000 + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 7, + tms->soc_base_pa + 0x41008000); // MISC5 + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 8, + tms->soc_base_pa + 0x41280000); // MISC6 // T8020's dart-sep? + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 9, + tms->soc_base_pa + 0x41240000); // MISC7 ; was: MISC78 Sicily(T8101). now: Some encrypted data from SEPROM. + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 10, + tms->soc_base_pa + 0x41200000); // MISC8 ; was: MISC78 T8006/T8020. now: MISC8. + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 11, + tms->soc_base_pa + 0x41100000); // TRNG T8020 + sysbus_mmio_map(SYS_BUS_DEVICE(sep), 12, + tms->soc_base_pa + 0x41388000); // MISC39 T8020 prop = find_dtb_prop(child, "interrupts"); g_assert(prop); @@ -1740,6 +2013,7 @@ static void t8030_create_sep(MachineState *machine) qdev_get_gpio_in(DEVICE(tms->aic), ints[i])); } +#if 1 dart = APPLE_DART( object_property_get_link(OBJECT(machine), "dart-sep", &error_fatal)); g_assert(dart); @@ -1755,7 +2029,64 @@ static void t8030_create_sep(MachineState *machine) g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(sep->dma_mr))); sep->dma_as = g_new0(AddressSpace, 1); + //sep->dma_as = g_new0(AddressSpace, 0x10000+0x810000); address_space_init(sep->dma_as, sep->dma_mr, "sep.dma"); +#if 1 + // after trying out stuff for too long, Visual told me how to do it approximately, but I had to skip the early addresses because SEPOS is there. + MemoryRegion *mr = g_new0(MemoryRegion, 1); + //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x80c000); + //MemoryRegion *mr = g_new0(MemoryRegion, 0x10000+0x810000); + ////memory_region_init_alias(sep->dma_mr, OBJECT(tms), "sep.dma.alias", tms->sysmem, T8030_SEPROM_BASE, T8030_SEPROM_SIZE); + //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000); + memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x80c000, 0x10000+0x4000); + //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x80c000); + //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0, 0x10000+0x810000); + //memory_region_init_alias(mr, OBJECT(tms), "sep.dma.alias", sep->dma_mr, 0x4000, 0x10000+0x80c000); + //memory_region_add_subregion(tms->sysmem, 0x0, mr); + //memory_region_add_subregion(tms->sysmem, 0x80c000, mr); +#if 0 + //MemoryRegion *sysmem = tms->sysmem; + AddressSpace *nsas = &address_space_memory; + size_t garbage = 0; + if (tms->sepfw_filename) { + //macho_load_raw_file(tms->sepfw_filename, nsas, sysmem, "sepfw", 0x4000ULL, &garbage); + //macho_load_raw_file(tms->sepfw_filename, nsas, tms->sysmem, "sepfw", 0x340000000ULL, &garbage); + macho_load_raw_file(tms->sepfw_filename, nsas, tms->sysmem, "sepfw", 0x4000ULL, &garbage); + //macho_load_raw_file(tms->sepfw_filename, nsas, mr, "sepfw", 0x4000ULL, &garbage); + //macho_load_raw_file(tms->sepfw_filename, nsas, mr, "sepfw", 0x340000000ULL, &garbage); + } +#endif + ////memory_region_add_subregion(tms->sysmem, 0, &sep->dma_mr); + ////memory_region_add_subregion(tms->sysmem, 0, mr); + memory_region_add_subregion(tms->sysmem, 0x80c000, mr); + //memory_region_add_subregion(tms->sysmem, 0x4000, mr); + //memory_region_add_subregion(tms->sysmem, 0x0, mr); + //memory_region_add_subregion(tms->sysmem, 0x340000000ULL, mr); + //memory_region_add_subregion(tms->sysmem, 0x340000000ULL, sep->dma_mr); + //memory_region_add_subregion(tms->sysmem, 0x0, sep->dma_mr); +#if 0 + MemoryRegion *mr1 = g_new0(MemoryRegion, 1); + memory_region_init_alias(mr1, OBJECT(tms), "sep.t8030.sepdart.alias0", tms->sysmem, tms->soc_base_pa + 0x41280000, 0x4000); + memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x412c0000, mr1, 1); +#endif +#if 0 + MemoryRegion *mr2 = g_new0(MemoryRegion, 1); + memory_region_init_alias(mr2, OBJECT(tms), "sep.t8030.sepdart.alias1", tms->sysmem, tms->soc_base_pa + 0x412c0000, 0x4000); + memory_region_add_subregion_overlap(tms->sysmem, tms->soc_base_pa + 0x41280000, mr2, 1); +#endif +#if 0 + MemoryRegion *mr3 = g_new0(MemoryRegion, 1); + memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", tms->sysmem, 0x4000, 0x800000); + //memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", sep->dma_mr, 0x4000, 0x800000); + //memory_region_init_alias(mr3, OBJECT(tms), "sep.t8030.sepdart.alias2", mr, 0x4000, 0x800000); + memory_region_add_subregion_overlap(tms->sysmem, 0x340000000ULL, mr3, 1); +#endif + +#endif + +#else + g_assert(object_property_add_const_link(OBJECT(sep), "dma-mr", OBJECT(tms->sysmem))); +#endif sysbus_realize_and_unref(SYS_BUS_DEVICE(sep), &error_fatal); } @@ -1770,9 +2101,12 @@ static void t8030_cpu_reset_work(CPUState *cpu, run_on_cpu_data data) } cpu_reset(cpu); env = &ARM_CPU(cpu)->env; +#ifndef DO_SECUREROM env->xregs[0] = tms->bootinfo.kern_boot_args_pa; cpu_set_pc(cpu, tms->bootinfo.kern_entry); - // cpu_set_pc(cpu, T8030_SROM_BASE); +#else + cpu_set_pc(cpu, T8030_SROM_BASE); +#endif } static void t8030_cpu_reset(void *opaque) @@ -1849,13 +2183,50 @@ static void t8030_machine_init(MachineState *machine) tms = T8030_MACHINE(machine); tms->sysmem = get_system_memory(); - // allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0); - // allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0); +#ifdef DO_SECUREROM + allocate_ram(tms->sysmem, "SROM", T8030_SROM_BASE, T8030_SROM_SIZE, 0); + allocate_ram(tms->sysmem, "SRAM", T8030_SRAM_BASE, T8030_SRAM_SIZE, 0); + //allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x00000038 * 4, 0); + allocate_ram(tms->sysmem, "SRAM_TEST_0", 0x24a820000, 0x1000, 0); + allocate_ram(tms->sysmem, "SRAM_TEST_1", 0x23b2c4000, 0x1000, 0); // 0x23b2c401c + allocate_ram(tms->sysmem, "SRAM_TEST_2", 0x23b2c8000, 0x1000, 0); // 0x23b2c801c + allocate_ram(tms->sysmem, "SRAM_TEST_3", 0x23b2cc000, 0x1000, 0); // 0x23b2cc01c + allocate_ram(tms->sysmem, "SRAM_TEST_4", 0x23e804000, 0x1000, 0); // 0x23e8040fc + allocate_ram(tms->sysmem, "SRAM_TEST_5", 0x23e808000, 0x1000, 0); // 0x23e808004 + allocate_ram(tms->sysmem, "SRAM_TEST_6", 0x23D008000, 0x1000, 0); // 0x23D008000 + allocate_ram(tms->sysmem, "SRAM_TEST_7", 0x24A854000, 0x1000, 0); // 0x24A85401C + allocate_ram(tms->sysmem, "SRAM_TEST_8", 0x24a858000, 0x1000, 0); // 0x24a85801c + allocate_ram(tms->sysmem, "SRAM_TEST_9", 0x23C260000, 0x1000, 0); // 0x23C260000 + allocate_ram(tms->sysmem, "SRAM_TEST_10", 0x23C280000, 0x1000, 0); // 0x23C280000 + allocate_ram(tms->sysmem, "SRAM_TEST_11", 0x23c290000, 0x1000, 0); // 0x23c290000 + allocate_ram(tms->sysmem, "SRAM_TEST_12", 0x23c2a0000, 0x1000, 0); // 0x23c2a0000 + //allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x1000, 0); // 0x23FE00000 + allocate_ram(tms->sysmem, "SRAM_TEST_13", 0x23FE00000, 0x60000, 0); // 0x23FE00000 + allocate_ram(tms->sysmem, "SRAM_TEST_14", 0x23E041000, 0x1000, 0); // 0x23E041010 + allocate_ram(tms->sysmem, "SRAM_TEST_15", 0x23E80C000, 0x1000, 0); // 0x23E80C000 +#endif allocate_ram(tms->sysmem, "DRAM", T8030_DRAM_BASE, T8030_DRAM_SIZE, 0); - allocate_ram(tms->sysmem, "SEPROM", T8030_SEPROM_BASE, T8030_SEPROM_SIZE, - 0); - allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0); + allocate_ram(tms->sysmem, "SEP", T8030_SEP_BASE, T8030_SEP_SIZE, 0); +#if 1 + //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x100000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x500000000ULL, 0); + allocate_ram(tms->sysmem, "DRAM_3", 0x300000000ULL, 0x60000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_30", 0x300000000ULL, 0x20000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_32", 0x320000000ULL, 0x20000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_34", 0x340000000ULL, 0x20000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_3_8", 0x300000000ULL, 0x80000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_3_8_0", 0x380000000ULL, 0x80000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_f_8", 0xf00000000ULL, 0x80000000ULL, 0); + //allocate_ram(tms->sysmem, "DRAM_f_8_0", 0xf80000000ULL, 0x80000000ULL, 0); + //allocate_ram(tms->sysmem, "SEPFW_0", 0x000000000ULL, 0x800000ULL, 0); + //allocate_ram(sysmem, "SEPFW", 0x0, info->sepfw_size+0x4000, 0); + //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL, 0); + //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x800000ULL+0x4000ULL, 0); + allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x1000000ULL, 0); + //allocate_ram(tms->sysmem, "SEPFW", 0x000000000ULL, 0x2000000ULL, 0); +#endif +#ifndef DO_SECUREROM hdr = macho_load_file(machine->kernel_filename, NULL); g_assert(hdr); tms->kernel = hdr; @@ -1894,10 +2265,15 @@ static void t8030_machine_init(MachineState *machine) g_phys_base = (hwaddr)macho_get_buffer(hdr); t8030_patch_kernel(hdr); +#else + tms->rtbuddyv2_protocol_version = 11; +#endif tms->device_tree = load_dtb_from_file(machine->dtb); +#ifndef DO_SECUREROM tms->trustcache = load_trustcache_from_file(tms->trustcache_filename, &tms->bootinfo.trustcache_size); +#endif data = 24000000; set_dtb_prop(tms->device_tree, "clock-frequency", sizeof(data), &data); child = find_dtb_node(tms->device_tree, "arm-io"); diff --git a/hw/arm/xnu.c b/hw/arm/xnu.c index dd58ba6756..994f9eeac2 100644 --- a/hw/arm/xnu.c +++ b/hw/arm/xnu.c @@ -89,11 +89,17 @@ static const char *REM_NAMES[] = { "dart-rsm\0$", "dart-scaler\0$", "dart-jpeg0\0$", "dart-jpeg1\0$", "dart-isp\0$", "dart-ave\0$", "dart-avd\0$", "dart-ane\0$", "dart-apcie2\0$", - "dart-apcie3\0$", + "dart-apcie3\0$", + //"dart-sep\0$", "sep\0$", + //"dart-disp0\0$", "disp0\0$", }; static const char *REM_DEV_TYPES[] = { "backlight\0$", "pmp\0$", "wlan\0$", - "bluetooth\0$", "aop\0$" }; + "bluetooth\0$", "aop\0$", + //"sep\0$", + //"disp0\0$", + +}; static const char *REM_PROPS[] = { "function-error_handler", @@ -111,6 +117,8 @@ static const char *REM_PROPS[] = { "soc-tuning", "mcc-power-gating", "function-dock_parent", + "function-wait_for_power_gate", + "self-power-gate", }; static void allocate_and_copy(MemoryRegion *mem, AddressSpace *as, @@ -458,8 +466,56 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info) set_dtb_prop(child, "security-domain", sizeof(data), &data); set_dtb_prop(child, "chip-epoch", sizeof(data), &data); set_dtb_prop(child, "amfi-allows-trust-cache-load", sizeof(data), &data); - // data = 1; - // set_dtb_prop(child, "debug-enabled", sizeof(data), &data); + //data = 1; + //set_dtb_prop(child, "debug-enabled", sizeof(data), &data); +#if 1 + data = 1; + set_dtb_prop(child, "protected-data-access", sizeof(data), &data); + data = 0; + set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); +#endif +#if 0 + data = 1; + set_dtb_prop(child, "protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); + data = 0; + set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); +#endif +#if 0 + data = 0; + set_dtb_prop(child, "protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); + data = 1; + set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); +#endif +#if 0 + data = 1; + set_dtb_prop(child, "protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); + data = 0; + set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); +#endif +#if 0 + data = 0; + set_dtb_prop(child, "protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "no-sepfw-load-at-boot", sizeof(data), &data); + data = 1; + set_dtb_prop(child, "no-protected-data-access", sizeof(data), &data); + set_dtb_prop(child, "sepfw-load-at-boot", sizeof(data), &data); +#endif +#if 1 + child = get_dtb_node(root, "defaults"); + //data = 1; + data = 0; + set_dtb_prop(child, "no-effaceable-storage", sizeof(data), &data); + child = get_dtb_node(root, "product"); + //data = 1; + data = 0; + set_dtb_prop(child, "boot-ios-diagnostics", sizeof(data), &data); +#endif child = get_dtb_node(root, "chosen/manifest-properties"); set_dtb_prop(child, "BNCH", sizeof(info->boot_nonce_hash), @@ -468,6 +524,7 @@ void macho_populate_dtb(DTBNode *root, AppleBootInfo *info) child = get_dtb_node(root, "filesystems"); child = get_dtb_node(child, "fstab"); + //remove_dtb_node_by_name(child, "xart-vol"); remove_dtb_node_by_name(child, "baseband-vol"); macho_dtb_node_process(root, NULL); diff --git a/hw/misc/apple_aes.c b/hw/misc/apple_aes.c index cd55638d3c..bb665150d1 100644 --- a/hw/misc/apple_aes.c +++ b/hw/misc/apple_aes.c @@ -372,8 +372,9 @@ static uint64_t aes_security_reg_read(void *opaque, hwaddr addr, unsigned size) switch (addr) { case 0x20: //! board-id return 0x4; - case 0x34: //? bit 24 = is fresh boot? - return (1 << 24) | (1 << 25); + case 0x34: //? bit 24 = is first boot ; bit 25 = something with memory encryption? + //return (1 << 24) | (1 << 25); + return (1 << 24) | (0 << 25); default: //! We don't know the rest return 0xFF; } diff --git a/hw/misc/apple_mbox.c b/hw/misc/apple_mbox.c index fbe337fce3..dd69e92da5 100644 --- a/hw/misc/apple_mbox.c +++ b/hw/misc/apple_mbox.c @@ -9,25 +9,6 @@ #include "qemu/main-loop.h" #include "trace.h" -#define IOP_LOG_MSG(s, t, msg) \ - do { \ - qemu_log_mask(LOG_GUEST_ERROR, \ - "%s: %s message (msg->endpoint: 0x%X " \ - "msg->data[0]: 0x" HWADDR_FMT_plx \ - " msg->data[1]: 0x" HWADDR_FMT_plx \ - " s->ep0_status: 0x%X)\n", \ - s->role, t, msg->endpoint, msg->data[0], msg->data[1], \ - s->ep0_status); \ - } while (0) - -#define IOP_LOG_MGMT_MSG(s, msg) \ - do { \ - qemu_log_mask(LOG_GUEST_ERROR, \ - "%s: IOP received management message (msg->endpoint: " \ - "0x0 msg->raw: 0x" HWADDR_FMT_plx \ - " s->ep0_status: 0x%X)\n", \ - s->role, msg->raw, s->ep0_status); \ - } while (0) //! ------ V3 ------ @@ -37,20 +18,29 @@ #define REG_V3_CPU_STATUS (0x0048) #define V3_CPU_STATUS_IDLE (0x1) +#define REG_V3_UNKNOWN0 (0x004c) +#define REG_V3_UNKNOWN1 (0x0818) +#define REG_V3_UNKNOWN2 (0x081c) // "akf: READ IRQ %x" + #define REG_V3_NMI0 (0xC04) // ?? #define REG_V3_NMI1 (0xC14) // ?? #define REG_AKF_CONFIG (0x2043) // ?? -#define REG_V3_IOP_INT_MASK_SET (0x4100) -#define REG_V3_IOP_INT_MASK_CLR (0x4108) +//#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8101 64-bit +//#define REG_V3_IOP_INT_MASK_CLR (0x4108) // T8101 64-bit +#define REG_V3_IOP_INT_MASK_SET (0x4100) // T8020 32-bit +#define REG_V3_IOP_INT_MASK_CLR (0x4104) // T8020 32-bit + -#define REG_V3_IOP_I2A_CTRL (0x4114) +//#define REG_V3_IOP_I2A_CTRL (0x4114) // T8101 32-bit +#define REG_V3_IOP_I2A_CTRL (0x410c) // T8020 32-bit #define REG_V3_IOP_I2A_SEND0 (0x4820) #define REG_V3_IOP_I2A_SEND1 (0x4824) #define REG_V3_IOP_I2A_SEND2 (0x4828) #define REG_V3_IOP_I2A_SEND3 (0x482C) -#define REG_V3_IOP_A2I_CTRL (0x4110) +//#define REG_V3_IOP_A2I_CTRL (0x4110) // T8101 32-bit +#define REG_V3_IOP_A2I_CTRL (0x4108) // T8020 32-bit #define REG_V3_IOP_A2I_RECV0 (0x4810) #define REG_V3_IOP_A2I_RECV1 (0x4814) #define REG_V3_IOP_A2I_RECV2 (0x4818) @@ -142,7 +132,7 @@ static gint g_uint_cmp(gconstpointer a, gconstpointer b) return a - b; } -static bool apple_mbox_outbox_empty(AppleMboxState *s) +bool apple_mbox_outbox_empty(AppleMboxState *s) { return QTAILQ_EMPTY(&s->outbox); } @@ -203,7 +193,7 @@ static void ap_update_irq(AppleMboxState *s) * Push a message from AP to IOP, * take ownership of msg */ -static void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg) +void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg) { QTAILQ_INSERT_TAIL(&s->inbox, msg, entry); s->inboxCount++; @@ -236,7 +226,7 @@ static void apple_mbox_outbox_push(AppleMboxState *s, apple_mbox_msg_t msg) iop_update_irq(s); } -static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) +apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) { apple_mbox_msg_t msg = QTAILQ_FIRST(&s->outbox); if (msg) { @@ -248,6 +238,15 @@ static apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s) return msg; } +void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, + uint64_t msg) +{ + apple_mbox_msg_t m = g_new0(struct apple_mbox_msg, 1); + m->msg = msg; + m->endpoint = ep; + apple_mbox_inbox_push(s, m); +} + void apple_mbox_send_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg) { @@ -455,15 +454,24 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, { AppleMboxState *s = APPLE_MBOX(opaque); apple_mbox_msg_t msg = NULL; + struct sep_message sep_msg = { 0 }; s->int_mask = 0; WITH_QEMU_LOCK_GUARD(&s->mutex) { +#if 0 + qemu_log_mask(LOG_UNIMP, + "%s AKF_v3: Begin write to 0x" HWADDR_FMT_plx + " of value 0x" HWADDR_FMT_plx "\n", + s->role, addr, data); +#endif memcpy(&s->regs[addr], &data, size); switch (addr) { case REG_V3_CPU_CTRL: - if (data & V3_CPU_CTRL_RUN) { + if (data & V3_CPU_CTRL_RUN) + //if ((data & V3_CPU_CTRL_RUN) || (data & 0x10000)) + { struct apple_mbox_mgmt_msg m = { 0 }; s->regs[REG_V3_CPU_STATUS] &= ~V3_CPU_STATUS_IDLE; iop_start(s); @@ -486,6 +494,11 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, if (addr + size == REG_V3_A2I_PUSH3 + 4) { msg = g_new0(struct apple_mbox_msg, 1); memcpy(msg->data, &s->regs[REG_V3_A2I_PUSH0], 16); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V3_A2I_PUSH3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } apple_mbox_inbox_push(s, msg); IOP_LOG_MSG(s, "AP sent", msg); } @@ -518,6 +531,26 @@ static void apple_mbox_v3_reg_write(void *opaque, hwaddr addr, if (addr + size == REG_V3_IOP_I2A_SEND3 + 4) { msg = g_new0(struct apple_mbox_msg, 1); memcpy(msg->data, &s->regs[REG_V3_IOP_I2A_SEND0], 16); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_I2A_SEND3: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 103 || sep_msg.opcode == 117)) + { + qemu_log_mask(LOG_UNIMP, "SEP skip_test: skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + g_free(msg); + break; + } +#if 0 + else if (sep_msg.endpoint == 0xff && (sep_msg.opcode == 0x66 || sep_msg.opcode == 0xd2) && sep_msg.data == 0x2) + { + qemu_log_mask(LOG_UNIMP, "SEP skip_test: change_status: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + sep_msg.data = 0x8; + memcpy(msg->data, &sep_msg.raw, 8); + } +#endif + qemu_log_mask(LOG_UNIMP, "SEP skip_test: not skipping: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } apple_mbox_outbox_push(s, msg); IOP_LOG_MSG(s, "IOP sent", msg); } @@ -545,6 +578,7 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) AppleMboxState *s = APPLE_MBOX(opaque); uint64_t ret = 0; apple_mbox_msg_t msg = NULL; + struct sep_message sep_msg = { 0 }; WITH_QEMU_LOCK_GUARD(&s->mutex) { @@ -552,9 +586,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) switch (addr) { case REG_V3_INT_MASK_SET: - return s->int_mask; + //return s->int_mask; + ret = s->int_mask; + break; case REG_V3_INT_MASK_CLR: - return ~s->int_mask; + //return ~s->int_mask; + ret = ~s->int_mask; + break; case REG_V3_I2A_POP_0_LOW: msg = apple_mbox_outbox_pop(s); if (!msg) { @@ -563,6 +601,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) msg->flags = iop_outbox_flags(s); IOP_LOG_MSG(s, "AP received", msg); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V3_I2A_POP_0_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } memcpy(&s->regs[REG_V3_I2A_POP_0_LOW], msg->data, 16); memcpy(&ret, &s->regs[addr], size); @@ -575,9 +618,13 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) case REG_V3_I2A_POP_1_HIGH: break; case REG_V3_IOP_INT_MASK_SET: - return s->iop_int_mask; + //return s->iop_int_mask; + ret = s->iop_int_mask; + break; case REG_V3_IOP_INT_MASK_CLR: - return ~s->iop_int_mask; + //return ~s->iop_int_mask; + ret = ~s->iop_int_mask; + break; case REG_V3_A2I_CTRL: QEMU_FALLTHROUGH; case REG_V3_IOP_A2I_CTRL: @@ -602,6 +649,27 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) break; case REG_V3_CPU_STATUS: break; + case REG_V3_UNKNOWN0: +#if 0 + ret = ((apple_mbox_inbox_empty(s) && + !(s->iop_int_mask & V2_A2I_EMPTY)) || + (!apple_mbox_inbox_empty(s) && + !(s->iop_int_mask & V2_A2I_NONEMPTY)) || + (apple_mbox_outbox_empty(s) && + !(s->iop_int_mask & V2_I2A_EMPTY)) || + (!apple_mbox_outbox_empty(s) && + !(s->iop_int_mask & V2_I2A_NONEMPTY))); +#endif + ret = 1; + // TODO: response not interrupt available, but something with REG_V3_CPU_CTRL? + break; + case REG_V3_UNKNOWN1: + break; + case REG_V3_UNKNOWN2: + //ret = 1; + //ret = 0xffffffff; + return 0; + break; case REG_V3_IOP_A2I_RECV0: msg = apple_mbox_inbox_pop(s); if (!msg) { @@ -609,6 +677,11 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) } msg->flags = iop_outbox_flags(s); IOP_LOG_MSG(s, "IOP received", msg); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V3_IOP_A2I_RECV0: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } memcpy(&s->regs[addr], msg->data, 16); memcpy(&ret, &s->regs[addr], size); g_free(msg); @@ -626,6 +699,12 @@ static uint64_t apple_mbox_v3_reg_read(void *opaque, hwaddr addr, unsigned size) break; } } +#if 0 + qemu_log_mask(LOG_UNIMP, + "%s AKF_v3: End read from 0x" HWADDR_FMT_plx + " of value 0x" HWADDR_FMT_plx "\n", + s->role, addr, ret); +#endif return ret; } @@ -646,9 +725,16 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, { AppleMboxState *s = APPLE_MBOX(opaque); apple_mbox_msg_t msg = NULL; + struct sep_message sep_msg = { 0 }; WITH_QEMU_LOCK_GUARD(&s->mutex) { +#if 0 + qemu_log_mask(LOG_UNIMP, + "%s AKF_v2: Begin write to 0x" HWADDR_FMT_plx + " of value 0x" HWADDR_FMT_plx "\n", + s->role, addr, data); +#endif memcpy(&s->regs[addr], &data, size); switch (addr) { @@ -671,6 +757,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, if (addr + size == REG_V2_A2I_PUSH_HIGH + 4) { msg = g_new0(struct apple_mbox_msg, 1); memcpy(msg->data, &s->regs[REG_V2_A2I_PUSH_LOW], 8); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V2_A2I_PUSH_HIGH: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } apple_mbox_inbox_push(s, msg); IOP_LOG_MSG(s, "AP sent", msg); } @@ -699,6 +790,11 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, if (addr + size == REG_V2_IOP_I2A_SEND1 + 4) { msg = g_new0(struct apple_mbox_msg, 1); memcpy(msg->data, &s->regs[REG_V2_IOP_I2A_SEND0], 8); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, msg->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_I2A_SEND1: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } apple_mbox_outbox_push(s, msg); IOP_LOG_MSG(s, "IOP sent", msg); } @@ -724,6 +820,7 @@ static void apple_mbox_v2_reg_write(void *opaque, hwaddr addr, static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) { AppleMboxState *s = APPLE_MBOX(opaque); + struct sep_message sep_msg = { 0 }; uint64_t ret = 0; WITH_QEMU_LOCK_GUARD(&s->mutex) @@ -733,9 +830,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) switch (addr) { case REG_V2_INT_MASK_SET: - return s->int_mask; + //return s->int_mask; + ret = s->int_mask; + break; case REG_V2_INT_MASK_CLR: - return ~s->int_mask; + //return ~s->int_mask; + ret = ~s->int_mask; + break; case REG_V2_I2A_POP_LOW: m = apple_mbox_outbox_pop(s); if (!m) { @@ -744,6 +845,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) m->flags = iop_outbox_flags(s); IOP_LOG_MSG(s, "AP received", m); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, m->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V2_I2A_POP_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } memcpy(&s->regs[REG_V2_I2A_POP_LOW], m->data, 8); memcpy(&ret, &s->regs[addr], size); @@ -752,9 +858,13 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) case REG_V2_I2A_POP_HIGH: break; case REG_V2_IOP_INT_MASK_SET: - return s->iop_int_mask; + //return s->iop_int_mask; + ret = s->iop_int_mask; + break; case REG_V2_IOP_INT_MASK_CLR: - return ~s->iop_int_mask; + //return ~s->iop_int_mask; + ret = ~s->iop_int_mask; + break; case REG_V2_A2I_CTRL: QEMU_FALLTHROUGH; case REG_V2_IOP_A2I_CTRL: @@ -780,6 +890,11 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) } m->flags = iop_outbox_flags(s); IOP_LOG_MSG(s, "IOP received", m); + if (!strcmp(s->role, "SEP")) + { + memcpy(&sep_msg.raw, m->data, 8); + qemu_log_mask(LOG_UNIMP, "%s: REG_V2_IOP_A2I_RECV_LOW: ep=0x%02x, tag=0x%02x, opcode=0x%02x(%u), param=0x%02x, data=0x%08x\n", s->role, sep_msg.endpoint, sep_msg.tag, sep_msg.opcode, sep_msg.opcode, sep_msg.param, sep_msg.data); + } memcpy(&s->regs[addr], m->data, 8); memcpy(&ret, &s->regs[addr], size); g_free(m); @@ -793,6 +908,12 @@ static uint64_t apple_mbox_v2_reg_read(void *opaque, hwaddr addr, unsigned size) break; } } +#if 0 + qemu_log_mask(LOG_UNIMP, + "%s AKF_v2: End read from 0x" HWADDR_FMT_plx + " of value 0x" HWADDR_FMT_plx "\n", + s->role, addr, ret); +#endif return ret; } @@ -901,6 +1022,7 @@ AppleMboxState *apple_mbox_create(const char *role, void *opaque, } qdev_init_gpio_out_named(DEVICE(dev), &s->iop_irq, APPLE_MBOX_IOP_IRQ, 1); + qdev_init_gpio_out_named(DEVICE(dev), &s->test_irq, APPLE_MBOX_TEST_IRQ, 1); QTAILQ_INIT(&s->inbox); QTAILQ_INIT(&s->outbox); QTAILQ_INIT(&s->rollcall); diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c index 9e224ffc72..fd7ae6fc2e 100644 --- a/hw/usb/hcd-dwc2.c +++ b/hw/usb/hcd-dwc2.c @@ -45,7 +45,13 @@ #include "trace.h" // #define SOC_DMA_BASE (0x100000000ULL) +//#define DO_T8030_SECUREROM 1 + +#ifdef DO_T8030_SECUREROM +#define SOC_DMA_BASE (0x100000000ULL) +#else #define SOC_DMA_BASE (0x0ULL) +#endif #define USB_HZ_FS 12000000 #define USB_HZ_HS 96000000 diff --git a/include/hw/arm/apple_a13.h b/include/hw/arm/apple_a13.h index f591f780cf..51b9a6b251 100644 --- a/include/hw/arm/apple_a13.h +++ b/include/hw/arm/apple_a13.h @@ -66,6 +66,8 @@ typedef struct AppleA13State { A13_CPREG_VAR_DEF(ARM64_REG_HID14); A13_CPREG_VAR_DEF(ARM64_REG_HID16); A13_CPREG_VAR_DEF(ARM64_REG_LSU_ERR_STS); + A13_CPREG_VAR_DEF(SYS_E_LSU_ERR_STS); + A13_CPREG_VAR_DEF(SYS_E_FED_ERR_STS); A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W0_EL0); A13_CPREG_VAR_DEF(IMP_BARRIER_LBSY_BST_SYNC_W1_EL0); A13_CPREG_VAR_DEF(ARM64_REG_3_3_15_7); @@ -75,6 +77,10 @@ typedef struct AppleA13State { A13_CPREG_VAR_DEF(PMCR1); A13_CPREG_VAR_DEF(PMSR); A13_CPREG_VAR_DEF(S3_4_c15_c0_5); + A13_CPREG_VAR_DEF(SYS_HCR_EL2); // TODO: already exists in target/arm/helper.c + A13_CPREG_VAR_DEF(SYS_PRE_LLCFLUSH_TMR); + A13_CPREG_VAR_DEF(SYS_ACC_PWR_DN_SAVE); + A13_CPREG_VAR_DEF(SYS_AON_CNT_CTL); A13_CPREG_VAR_DEF(AMX_STATUS_EL1); A13_CPREG_VAR_DEF(AMX_CTL_EL1); A13_CPREG_VAR_DEF(ARM64_REG_CYC_OVRD); diff --git a/include/hw/arm/apple_sep.h b/include/hw/arm/apple_sep.h index 96740ccd58..e5a8540394 100644 --- a/include/hw/arm/apple_sep.h +++ b/include/hw/arm/apple_sep.h @@ -24,6 +24,7 @@ #include "hw/arm/apple_a13.h" #include "hw/arm/xnu_dtb.h" #include "hw/misc/apple_mbox.h" +#include "hw/boards.h" #include "hw/sysbus.h" #include "qemu/typedefs.h" #include "qom/object.h" @@ -42,13 +43,27 @@ struct AppleSEPState { AppleMboxState *mbox; MemoryRegion *dma_mr; AddressSpace *dma_as; - MemoryRegion trng_mr; + MemoryRegion trng_t8020_mr; + MemoryRegion trng_t8101_mr; MemoryRegion misc0_mr; MemoryRegion misc1_mr; MemoryRegion misc2_mr; + MemoryRegion misc3_mr; + MemoryRegion misc4_mr; // MISC4 // T8101 BootMonitor for SEPOS loading? + MemoryRegion misc5_mr; + MemoryRegion misc6_mr; + MemoryRegion misc7_mr; + MemoryRegion misc8_mr; + MemoryRegion misc9_mr; uint8_t misc0_regs[REG_SIZE]; uint8_t misc1_regs[REG_SIZE]; uint8_t misc2_regs[REG_SIZE]; + uint8_t misc39_regs[REG_SIZE]; + uint8_t misc4_regs[REG_SIZE]; + uint8_t misc5_regs[REG_SIZE]; + uint8_t misc6_regs[REG_SIZE]; + uint8_t misc7_regs[REG_SIZE]; + uint8_t misc8_regs[REG_SIZE]; }; AppleSEPState *apple_sep_create(DTBNode *node, vaddr base, uint32_t cpu_id, diff --git a/include/hw/misc/apple_mbox.h b/include/hw/misc/apple_mbox.h index d802cffd40..412fb5d7f0 100644 --- a/include/hw/misc/apple_mbox.h +++ b/include/hw/misc/apple_mbox.h @@ -11,6 +11,7 @@ #define APPLE_MBOX_IRQ_I2A_NONEMPTY 2 #define APPLE_MBOX_IRQ_I2A_EMPTY 3 #define APPLE_MBOX_IOP_IRQ "apple-mbox-iop-irq" +#define APPLE_MBOX_TEST_IRQ "apple-mbox-test-irq" #define APPLE_MBOX_MMIO_V3 0 #define APPLE_MBOX_MMIO_V2 1 @@ -23,6 +24,28 @@ OBJECT_DECLARE_SIMPLE_TYPE(AppleMboxState, APPLE_MBOX) #define EP_MANAGEMENT (0) #define EP_CRASHLOG (1) + +#define IOP_LOG_MSG(s, t, msg) \ + do { \ + qemu_log_mask(LOG_GUEST_ERROR, \ + "%s: %s message (msg->endpoint: 0x%X " \ + "msg->data[0]: 0x" HWADDR_FMT_plx \ + " msg->data[1]: 0x" HWADDR_FMT_plx \ + " s->ep0_status: 0x%X)\n", \ + s->role, t, msg->endpoint, msg->data[0], msg->data[1], \ + s->ep0_status); \ + } while (0) + +#define IOP_LOG_MGMT_MSG(s, msg) \ + do { \ + qemu_log_mask(LOG_GUEST_ERROR, \ + "%s: IOP received management message (msg->endpoint: " \ + "0x0 msg->raw: 0x" HWADDR_FMT_plx \ + " s->ep0_status: 0x%X)\n", \ + s->role, msg->raw, s->ep0_status); \ + } while (0) + + enum apple_mbox_ep0_state { EP0_IDLE, EP0_WAIT_HELLO, @@ -102,6 +125,7 @@ struct AppleMboxState { uint32_t protocol_version; qemu_irq irqs[4]; qemu_irq iop_irq; + qemu_irq test_irq; QTAILQ_HEAD(, apple_mbox_msg) inbox; QTAILQ_HEAD(, apple_mbox_msg) outbox; QTAILQ_HEAD(, apple_mbox_msg) rollcall; @@ -128,6 +152,25 @@ struct AppleMboxOps { void (*wakeup)(void *opaque); }; +void apple_mbox_inbox_push(AppleMboxState *s, apple_mbox_msg_t msg); +apple_mbox_msg_t apple_mbox_outbox_pop(AppleMboxState *s); +bool apple_mbox_outbox_empty(AppleMboxState *s); +void apple_mbox_send_inbox_control_message(AppleMboxState *s, uint32_t ep, uint64_t msg); + +struct QEMU_PACKED sep_message { + union { + struct QEMU_PACKED { + uint8_t endpoint; + uint8_t tag; + uint8_t opcode; + uint8_t param; + uint32_t data; + }; + uint64_t raw; + }; +}; + + /* * Send message to an endpoint */ diff --git a/meson.build b/meson.build index 7d26691204..ba57333214 100644 --- a/meson.build +++ b/meson.build @@ -1365,8 +1365,10 @@ endif liblzfse = not_found if not get_option('lzfse').auto() or have_block - liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'], - required: get_option('lzfse')) + liblzfse = dependency('lzfse', required: get_option('lzfse'), + method: 'pkg-config') +# liblzfse = cc.find_library('lzfse', has_headers: ['lzfse.h'], +# required: get_option('lzfse')) endif if liblzfse.found() and not cc.links(''' #include diff --git a/softmmu/memory.c b/softmmu/memory.c index 7d9494ce70..78a1ed7475 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c @@ -1397,6 +1397,8 @@ bool memory_region_access_valid(MemoryRegion *mr, { if (mr->ops->valid.accepts && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + CPUState *cpu = first_cpu; + cpu_dump_state(cpu, stderr, CPU_DUMP_CODE); qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX ", size %u, region '%s', reason: rejected\n", is_write ? "write" : "read", @@ -1469,6 +1471,8 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr, pval, op, attrs); } if (!memory_region_access_valid(mr, addr, size, false, attrs)) { + fprintf(stderr, "Invalid read: addr: 0x%llx ; size : %d\n", addr, size); + //__asm__("int3"); *pval = unassigned_mem_read(mr, addr, size); return MEMTX_DECODE_ERROR; } @@ -1518,6 +1522,8 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr, data, op, attrs); } if (!memory_region_access_valid(mr, addr, size, true, attrs)) { + fprintf(stderr, "Invalid write: addr: 0x%llx ; data: 0x%llx ; size : %d\n", addr, data, size); + //__asm__("int3"); unassigned_mem_write(mr, addr, data, size); return MEMTX_DECODE_ERROR; } diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 63f439d162..b3da79aa59 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -2990,8 +2990,10 @@ typedef enum ARMMMUIdx { ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB, ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB, ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB, - ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB, - ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB, + //ARMMMUIdx_Stage1_GE1 = 3 | ARM_MMU_IDX_NOTLB, + //ARMMMUIdx_Stage1_GE1_PAN = 4 | ARM_MMU_IDX_NOTLB, + ARMMMUIdx_Stage1_GE1 = ARMMMUIdx_Stage1_E1 | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF, + ARMMMUIdx_Stage1_GE1_PAN = ARMMMUIdx_Stage1_E1_PAN | ARM_MMU_IDX_NOTLB | ARM_MMU_IDX_A_GXF, /* * M-profile. diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c index abe72e35ae..3d2fbea790 100644 --- a/target/arm/debug_helper.c +++ b/target/arm/debug_helper.c @@ -444,9 +444,6 @@ static uint32_t arm_debug_exception_fsr(CPUARMState *env) using_lpae = false; } else if (target_el == 2 || arm_el_is_aa64(env, target_el)) { using_lpae = true; - } else if (arm_feature(env, ARM_FEATURE_PMSA) && - arm_feature(env, ARM_FEATURE_V8)) { - using_lpae = true; } else if (arm_feature(env, ARM_FEATURE_LPAE) && (env->cp15.tcr_el[target_el] & TTBCR_EAE)) { using_lpae = true; diff --git a/ui/gtk.c b/ui/gtk.c index 8ba41c8f13..f5d8258a9e 100644 --- a/ui/gtk.c +++ b/ui/gtk.c @@ -967,10 +967,9 @@ static gboolean gd_button_event(GtkWidget *widget, GdkEventButton *button, if (button->button == 1 && button->type == GDK_BUTTON_PRESS && !qemu_input_is_absolute() && s->ptr_owner != vc) { if (!vc->window) { - gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), - TRUE); + //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE); } else { - gd_grab_pointer(vc, "relative-mode-click"); + //gd_grab_pointer(vc, "relative-mode-click"); } return TRUE; } @@ -1369,7 +1368,7 @@ static gboolean gd_win_grab(void *opaque) if (vc->s->ptr_owner) { gd_ungrab_pointer(vc->s); } else { - gd_grab_pointer(vc, "user-request-detached-tab"); + //gd_grab_pointer(vc, "user-request-detached-tab"); } return TRUE; } @@ -1445,7 +1444,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque) { GtkDisplayState *s = opaque; VirtualConsole *vc = gd_vc_find_current(s); - +#if 0 if (!s->full_screen) { gtk_notebook_set_show_tabs(GTK_NOTEBOOK(s->notebook), FALSE); gtk_widget_hide(s->menu_bar); @@ -1468,7 +1467,7 @@ static void gd_menu_full_screen(GtkMenuItem *item, void *opaque) gd_update_windowsize(vc); } } - +#endif gd_update_cursor(vc); } @@ -1644,8 +1643,8 @@ static void gd_menu_grab_input(GtkMenuItem *item, void *opaque) VirtualConsole *vc = gd_vc_find_current(s); if (gd_is_grab_active(s)) { - gd_grab_keyboard(vc, "user-request-main-window"); - gd_grab_pointer(vc, "user-request-main-window"); + //gd_grab_keyboard(vc, "user-request-main-window"); + //gd_grab_pointer(vc, "user-request-main-window"); } else { gd_ungrab_keyboard(s); gd_ungrab_pointer(s); @@ -1669,16 +1668,13 @@ static void gd_change_page(GtkNotebook *nb, gpointer arg1, guint arg2, if (!vc) { return; } - gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), - TRUE); + gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(vc->menu_item), TRUE); on_vga = (vc->type == GD_VC_GFX && qemu_console_is_graphic(vc->gfx.dcl.con)); if (!on_vga) { - gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), - FALSE); + gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), FALSE); } else if (s->full_screen) { - gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), - TRUE); + //gtk_check_menu_item_set_active(GTK_CHECK_MENU_ITEM(s->grab_item), TRUE); } gtk_widget_set_sensitive(s->grab_item, on_vga); #ifdef CONFIG_VTE @@ -1696,7 +1692,7 @@ static gboolean gd_enter_event(GtkWidget *widget, GdkEventCrossing *crossing, GtkDisplayState *s = vc->s; if (gd_grab_on_hover(s)) { - gd_grab_keyboard(vc, "grab-on-hover"); + //gd_grab_keyboard(vc, "grab-on-hover"); } return TRUE; } diff --git a/ui/sdl2.c b/ui/sdl2.c index 0d91b555e3..2e8bbe5c8d 100644 --- a/ui/sdl2.c +++ b/ui/sdl2.c @@ -274,24 +274,25 @@ static void absolute_mouse_grab(struct sdl2_console *scon) SDL_GetWindowSize(scon->real_window, &scr_w, &scr_h); if (mouse_x > 0 && mouse_x < scr_w - 1 && mouse_y > 0 && mouse_y < scr_h - 1) { - sdl_grab_start(scon); + //sdl_grab_start(scon); } } static void sdl_mouse_mode_change(Notifier *notify, void *data) { - if (qemu_input_is_absolute()) { + if (qemu_input_is_absolute() && 0) { if (!absolute_enabled) { - absolute_enabled = 1; - SDL_SetRelativeMouseMode(SDL_FALSE); - absolute_mouse_grab(&sdl2_console[0]); + //absolute_enabled = 1; + //SDL_SetRelativeMouseMode(SDL_FALSE); + //absolute_mouse_grab(&sdl2_console[0]); } } else if (absolute_enabled) { if (!gui_fullscreen) { - sdl_grab_end(&sdl2_console[0]); + //sdl_grab_end(&sdl2_console[0]); } absolute_enabled = 0; } + absolute_enabled = 0; } static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy, @@ -333,15 +334,14 @@ static void sdl_send_mouse_event(struct sdl2_console *scon, int dx, int dy, static void toggle_full_screen(struct sdl2_console *scon) { - gui_fullscreen = !gui_fullscreen; + gui_fullscreen = 0;//!gui_fullscreen; if (gui_fullscreen) { - SDL_SetWindowFullscreen(scon->real_window, - SDL_WINDOW_FULLSCREEN_DESKTOP); - gui_saved_grab = gui_grab; - sdl_grab_start(scon); + //SDL_SetWindowFullscreen(scon->real_window, SDL_WINDOW_FULLSCREEN_DESKTOP); + //gui_saved_grab = gui_grab; + //sdl_grab_start(scon); } else { if (!gui_saved_grab) { - sdl_grab_end(scon); + //sdl_grab_end(scon); } SDL_SetWindowFullscreen(scon->real_window, 0); } @@ -397,7 +397,7 @@ static void handle_keydown(SDL_Event *ev) case SDL_SCANCODE_8: case SDL_SCANCODE_9: if (gui_grab) { - sdl_grab_end(scon); + //sdl_grab_end(scon); } win = ev->key.keysym.scancode - SDL_SCANCODE_1; @@ -414,15 +414,15 @@ static void handle_keydown(SDL_Event *ev) } break; case SDL_SCANCODE_F: - toggle_full_screen(scon); + //toggle_full_screen(scon); gui_keysym = 1; break; case SDL_SCANCODE_G: gui_keysym = 1; if (!gui_grab) { - sdl_grab_start(scon); + //sdl_grab_start(scon); } else if (!gui_fullscreen) { - sdl_grab_end(scon); + //sdl_grab_end(scon); } break; case SDL_SCANCODE_U: @@ -506,12 +506,12 @@ static void handle_mousemotion(SDL_Event *ev) if (gui_grab && !gui_fullscreen && (ev->motion.x == 0 || ev->motion.y == 0 || ev->motion.x == max_x || ev->motion.y == max_y)) { - sdl_grab_end(scon); + //sdl_grab_end(scon); } if (!gui_grab && (ev->motion.x > 0 && ev->motion.x < max_x && ev->motion.y > 0 && ev->motion.y < max_y)) { - sdl_grab_start(scon); + //sdl_grab_start(scon); } } if (gui_grab || qemu_input_is_absolute() || absolute_enabled) { @@ -534,7 +534,7 @@ static void handle_mousebutton(SDL_Event *ev) if (!gui_grab && !qemu_input_is_absolute()) { if (ev->type == SDL_MOUSEBUTTONUP && bev->button == SDL_BUTTON_LEFT) { /* start grabbing all events */ - sdl_grab_start(scon); + //sdl_grab_start(scon); } } else { if (ev->type == SDL_MOUSEBUTTONDOWN) { @@ -605,7 +605,7 @@ static void handle_windowevent(SDL_Event *ev) /* fall through */ case SDL_WINDOWEVENT_ENTER: if (!gui_grab && (qemu_input_is_absolute() || absolute_enabled)) { - absolute_mouse_grab(scon); + //absolute_mouse_grab(scon); } /* If a new console window opened using a hotkey receives the * focus, SDL sends another KEYDOWN event to the new window, @@ -621,7 +621,7 @@ static void handle_windowevent(SDL_Event *ev) win32_kbd_set_window(NULL); } if (gui_grab && !gui_fullscreen) { - sdl_grab_end(scon); + //sdl_grab_end(scon); } break; case SDL_WINDOWEVENT_RESTORED: @@ -950,7 +950,7 @@ static void sdl2_display_init(DisplayState *ds, DisplayOptions *o) sdl_cursor_normal = SDL_GetCursor(); if (gui_fullscreen) { - sdl_grab_start(&sdl2_console[0]); + //sdl_grab_start(&sdl2_console[0]); } atexit(sdl_cleanup);