m1n1.trace.agx: Trace AGX wip

Signed-off-by: Scott Mansell <phiren@gmail.com>
2024-11-22 22:53:04 +00:00 · 2022-02-09 17:13:01 +13:00 · 2022-02-09 17:13:01 +13:00 · 980b9241d2
commit 980b9241d2
parent 90eae66b33
2 changed files with 230 additions and 1 deletions
--- a/proxyclient/hv/trace_agx.py
+++ b/proxyclient/hv/trace_agx.py
@ -1,5 +1,7 @@
 # SPDX-License-Identifier: MIT
 from m1n1.utils import *
 trace_device("/arm-io/sgx", False)
 trace_device("/arm-io/pmp", False)
 trace_device("/arm-io/gfx-asc", False)
@ -7,5 +9,80 @@ trace_device("/arm-io/gfx-asc", False)
 from m1n1.trace.asc import ASCTracer
 ASCTracer = ASCTracer._reloadcls()
-gfx_tracer = ASCTracer(hv, "/arm-io/gfx-asc", verbose=True)
+
 # gfx_tracer = ASCTracer(hv, "/arm-io/gfx-asc", verbose=True)
 # gfx_tracer.start()
 from m1n1.trace.agx import AGXTracer
 AGXTracer = AGXTracer._reloadcls()
 gfx_tracer = AGXTracer(hv, "/arm-io/gfx-asc", verbose=False)
 gfx_tracer.start()
 trace_range(irange(gfx_tracer.gpu_region, gfx_tracer.gpu_region_size), mode=TraceMode.SYNC)
 trace_range(irange(gfx_tracer.gfx_shared_region, gfx_tracer.gfx_shared_region_size), mode=TraceMode.SYNC)
 trace_range(irange(gfx_tracer.gfx_handoff, gfx_tracer.gfx_handoff_size), mode=TraceMode.SYNC)
 # Trace the entire mmio range around the GPU
 # node = hv.adt["/arm-io/sgx"]
 # addr, size = node.get_reg(0)
 # hv.trace_range(irange(addr, 0x1000000), TraceMode.SYNC)
 def trace_all_gfx_io():
    # These are all the IO ranges that get mapped into the UAT iommu pagetable
    # Trace them so we can see if any of them are being written by the CPU
    # page (8): fa010020000 ... fa010023fff -> 000000020e100000 [8000020e100447]
    hv.trace_range(irange(0x20e100000, 0x4000), mode=TraceMode.SYNC)
    # page (10): fa010028000 ... fa01002bfff -> 000000028e104000 [c000028e104447]
    hv.trace_range(irange(0x20e100000, 0x4000), mode=TraceMode.SYNC)
    # page (22): fa010058000 ... fa01005bfff -> 000000028e494000 [8000028e494447]
    hv.trace_range(irange(0x28e494000, 0x4000), mode=TraceMode.SYNC)
    # page (28): fa010070000 ... fa010073fff -> 0000000204d60000 [c0000204d60447]
    hv.trace_range(irange(0x204d60000, 0x4000), mode=TraceMode.SYNC)
    # page (30): fa010078000 ... fa01007bfff -> 0000000200000000 [c0000200000447]
    #    to
    # page (83): fa01014c000 ... fa01014ffff -> 00000002000d4000 [c00002000d4447]
    hv.trace_range(irange(0x200000000, 0xd5000), mode=TraceMode.SYNC)
    # page (84): fa010150000 ... fa010153fff -> 0000000201000000 [c0000201000447]
    #page (137): fa010224000 ... fa010227fff -> 00000002010d4000 [c00002010d4447]
    hv.trace_range(irange(0x201000000, 0xd5000), mode=TraceMode.SYNC)
    # page (138): fa010228000 ... fa01022bfff -> 0000000202000000 [c0000202000447]
    # page (191): fa0102fc000 ... fa0102fffff -> 00000002020d4000 [c00002020d4447]
    hv.trace_range(irange(0x202000000, 0xd5000), mode=TraceMode.SYNC)
    # page (192): fa010300000 ... fa010303fff -> 0000000203000000 [c0000203000447]
    hv.trace_range(irange(0x203000000, 0xd5000), mode=TraceMode.SYNC)
    hv.trace_range(irange(0x204000000, 0xd5000), mode=TraceMode.SYNC)
    hv.trace_range(irange(0x205000000, 0xd5000), mode=TraceMode.SYNC)
    hv.trace_range(irange(0x206000000, 0xd5000), mode=TraceMode.SYNC)
    hv.trace_range(irange(0x207000000, 0xd5000), mode=TraceMode.SYNC)
    # page (464): fa010740000 ... fa010743fff -> 00000002643c4000 [c00002643c4447]
    hv.trace_range(irange(0x2643c4000, 0x4000), mode=TraceMode.SYNC)
    # page (466): fa010748000 ... fa01074bfff -> 000000028e3d0000 [c000028e3d0447]
    hv.trace_range(irange(0x28e3d0000, 0x4000), mode=TraceMode.SYNC)
    # page (468): fa010750000 ... fa010753fff -> 000000028e3c0000 [8000028e3c0447]
    hv.trace_range(irange(0x28e3c0000, 0x4000), mode=TraceMode.SYNC)
    # page (8): f9100020000 ... f9100023fff -> 0000000406000000 [60000406000447]
    # page (263): f910041c000 ... f910041ffff -> 00000004063fc000 [600004063fc447]
    hv.trace_range(irange(0x2643c4000, 0x63fc000), mode=TraceMode.SYNC)
 def trace_gpu_irqs():
    # Trace sgx interrupts
    node = hv.adt["/arm-io/sgx"]
    for irq in getattr(node, "interrupts"):
        hv.trace_irq(f"{node.name} {irq}", irq, 1, hv.IRQTRACE_IRQ)
    # Trace gfx-asc interrupts
    node = hv.adt["/arm-io/gfx-asc"]
    for irq in getattr(node, "interrupts"):
        hv.trace_irq(f"{node.name} {irq}", irq, 1, hv.IRQTRACE_IRQ)
--- a/proxyclient/m1n1/trace/agx.py
+++ b/proxyclient/m1n1/trace/agx.py
@ -0,0 +1,152 @@
 from mmap import PAGESIZE
 from . import ADTDevTracer
 from .asc import *
 from ..hw.uat import UAT
 from m1n1.proxyutils import RegMonitor
 from construct import *
 from construct.core import Int16ul, Int32ul, Int64ul, Int8ul
 ControlStruct = Struct(
    "unkptr_0" / Int64ul, # allocation size: 0x4000
    "unk_8" / Int32ul,
    "unk_c"/ Int32ul,
    "unkptr_10" / Int64ul, # allocation size: 0x34000
    "unkptr_18" / Int64ul, # allocation size: 0x88000, heap?
    "unkptr_20" / Int64ul, # allocation size: 0x4000, but probally only 0x80 bytes long
    "unk_28" / Int32ul,
    "unk_2c" / Int32ul,
    "unk_30" / Int32ul,
 )
 class InitMsg(Register64):
    TYPE    = 59, 52
 class InitReq(InitMsg):
    TYPE    = 59, 52, Constant(0x1)
    UNK     = 47, 0
 class InitResp(InitMsg):
    # example: 0x0010_4fa0_0c388000
    TYPE    = 59, 52, Constant(0x1)
    UNK1    = 47, 44
    ADDR    = 43, 0 # GPU VA that gets filled with a repating 0xefefefef pattern
 class InitEp(EP):
    # This endpoint receives and sends one message during boot.
    # Potentially a "Ready" and a "Init" message.
    BASE_MESSAGE = InitMsg
    @msg(0x1, DIR.RX, InitReq)
    def init_req(self, msg):
        print(f"  Received Init Request, {msg.UNK:x}")
    @msg(0x1, DIR.TX, InitResp)
    def init_resp(self, msg):
        print(f"  CPU Sent Init Response {msg.UNK1:x}, ADDR: {msg.ADDR:x}")
        # monitor whatever is at this address
        self.tracer.mon_addva(msg.ADDR, 0x4000, "init_region")
        self.tracer.mon.poll()
        return True
 class GpuMsg(Register64):
    TYPE    = 55, 48
 class PongMsg(GpuMsg):
    TYPE    = 59, 52
    UNK     = 47, 0
 class PongEp(EP):
    # This endpoint recives pongs. The cpu code reads some status registers after receiving one
    # Might be a "work done" message.
    BASE_MESSAGE = GpuMsg
    @msg(0x42, DIR.RX, PongMsg)
    def pong_rx(self, msg):
        print(f"  Pong {msg.UNK:x}")
        if msg.UNK != 0:
            print(f"  Pong had unexpected value{msg.UNK:x}")
            self.hv.run_shell()
        self.tracer.pong()
        return True
    @msg(0x81, DIR.TX, PongMsg)
    def init_ep(self, msg):
        print(f"  Init {msg.UNK:x}")
        addr = msg.UNK
        #self.tracer.mon_addva(addr, 0x4000, "control_struct")
        control = ControlStruct.parse(self.tracer.uat.ioread(0, addr, 0x34))
        #self.tracer.mon_addva(control.unkptr_0, 0x4000, "control_struct->unkptr_0")
        # self.tracer.mon_addva(control.unkptr_10, 0x34000, "control_struct->unkptr_10")
        # self.tracer.mon_addva(control.unkptr_18, 0x88000, "control_struct->unkptr_18")
        #self.tracer.mon_addva(control.unkptr_20, 0x4000, "control_struct->unkptr_20")
        self.tracer.control = control
        self.tracer.mon.poll()
        self.tracer.kick_init()
        return True
 class KickMsg(GpuMsg):
    TYPE    = 59, 52
    KICK    = 7, 0 # Seen: 17, 16 (common), 9, 8, 1 (common), 0 (common)
 class KickEp(EP):
    BASE_MESSAGE = GpuMsg
    @msg(0x83, DIR.TX, KickMsg)
    def kick(self, msg):
        print(f"  Kick {msg.KICK:x}")
        self.tracer.kick(msg.KICK)
        return True
 class AGXTracer(ASCTracer):
    ENDPOINTS = {
        0x01: InitEp,
        0x20: PongEp,
        0x21: KickEp
    }
    PAGESIZE = 0x4000
    def __init__(self, hv, devpath, verbose=False):
        super().__init__(hv, devpath, verbose)
        self.uat = UAT(hv.iface, hv.u)
        self.mon = RegMonitor(hv.u, ascii=True)
        self.dev_sgx = hv.u.adt["/arm-io/sgx"]
        self.gpu_region = getattr(self.dev_sgx, "gpu-region-base")
        self.gpu_region_size = getattr(self.dev_sgx, "gpu-region-size")
        self.gfx_shared_region = getattr(self.dev_sgx, "gfx-shared-region-base")
        self.gfx_shared_region_size = getattr(self.dev_sgx, "gfx-shared-region-size")
        self.gfx_handoff = getattr(self.dev_sgx, "gfx-handoff-base")
        self.gfx_handoff_size = getattr(self.dev_sgx, "gfx-handoff-size")
        # self.mon.add(self.gpu_region, self.gpu_region_size, "contexts")
        # self.mon.add(self.gfx_shared_region, self.gfx_shared_region_size, "gfx-shared")
        # self.mon.add(self.gfx_handoff, self.gfx_handoff_size, "gfx-handoff")
        self.uat.set_ttbr(self.gpu_region)
    def mon_addva(self, va, size, name=""):
        self.mon.add(va, size, name, readfn= lambda a, s: self.uat.ioread(0, a, s))
    def kick(self, val):
        self.mon.poll()
        # if val not in [0x0, 0x1, 0x10, 0x11]:
        #     self.hv.run_shell()
    def pong(self):
        self.mon.poll()
    def kick_init(self):
        self.hv.run_shell()