Commit graph

102 commits

Author SHA1 Message Date
James Calligeros
1e2c52b5b3 hv/trace_mesa: rename bindump of fingerprint transfer message
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
2022-07-01 17:58:20 +09:00
James Calligeros
1f21b6b7b8 hv/trace_mesa: tidy up output and trace SPI regs
We weren't tracing the SPI control registers before, and the output
was borked due to changes in m1n1. These have been fixed. Still
doesn't show much useful information..

Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
2022-07-01 17:58:20 +09:00
James Calligeros
e2d671d597 hv/trace_mesa.py: add mesa tracer
Mesa is Apple's codename for the TouchID sensor. On M1-based
systems, it is connected to the SPI bus and communicates via
SIO on DMA channels 0x18 and 0x19. The application processors
seem to have very little to do with its operation.

After power on, the command buffer is encrypted by the SEP and
very little useful data can be gleaned from snooping the SIO
messages. While the commands are garbled by the SEP, we can see
that it has a few recurring themes:

* A power on routine involving some sort of calibration, perhaps
  to get a noise image to subtract from each fingerprint

* A polling mode where it is kicked by the kernel and acks if
  there's no finger on the sensor (runs while macOS waits for a
  print)

* A data transfer mode, where a SIO message is sent to an unmapped
  EP and the fingerprint scanned into memory. Likely triggered by
  an interrupt coming off the finger detection ring, but I haven't
  been able to verify this.

Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
2022-06-21 17:22:16 +09:00
Martin Povišer
56d8de66db m1n1.hw.codecs.cs42l84: File the ohmmeter codec regmap
Move the regmap from experiments/ to a handier place. Also add the
codec to trace_codecs.py and codecshell.py.

Signed-off-by: Martin Povišer <povik@protonmail.com>
2022-06-21 17:20:30 +09:00
Martin Povišer
d358563d6c hv/trace_codecs.py: Trace volume/gain on speaker amps
Signed-off-by: Martin Povišer <povik@protonmail.com>
2022-06-21 17:20:30 +09:00
Janne Grunau
dc69227c96 hv/trace_nvme: Trace rtkit interface and remove hardcoded sart address
Signed-off-by: Janne Grunau <j@jannau.net>
2022-06-21 17:19:32 +09:00
Asahi Lina
5a8c54c762 hv/trace_agx.py: Encoder ID filter example
Signed-off-by: Asahi Lina <lina@asahilina.net>
2022-06-19 03:37:22 +09:00
Asahi Lina
c81df296c7 hv/trace_agx.py: Make untracing/tracing on reload less painful
Just use TraceMode.OFF instead of commenting lines out.

Also always trace the GPU panic register (TODO: do not hardcode)

Signed-off-by: Asahi Lina <lina@asahilina.net>
2022-06-02 23:51:14 +09:00
Hector Martin
eb4483f8e1 hv/trace_dcp.py: Log hexdumps to the HV log
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-06-01 00:57:17 +09:00
Janne Grunau
8119130e88 hv/trace_dcp.py: update to mac OS 12.3 API
Verified calls A000 through A358 due to inconsistencies in the trace
log for A104 and A105.

Signed-off-by: Janne Grunau <j@jannau.net>
2022-05-30 22:49:00 +09:00
R
dd111b22b8 prores: test 36-bit iova; fix tracer
Signed-off-by: R <rqou@berkeley.edu>
2022-05-30 18:05:16 +09:00
R
66c019cfec prores: trace enough to dump some buffers
Signed-off-by: R <rqou@berkeley.edu>
2022-05-30 18:05:16 +09:00
R
3970b25add prores: start tracing descriptors
Signed-off-by: R <rqou@berkeley.edu>
2022-05-30 18:05:16 +09:00
Asahi Lina
a993f35874 hv/trace_agx.py: Add hypercalls for pause/resume, disable bulk tracers
Signed-off-by: Asahi Lina <lina@asahilina.net>
2022-05-21 03:54:12 +09:00
Asahi Lina
6b6dfde814 m1n1.fw.agx: Lots of GPU work
Signed-off-by: Asahi Lina <lina@asahilina.net>
2022-05-21 03:54:10 +09:00
Asahi Lina
08c34dbc37 hv/trace_agx.py: Reload some stuff
Signed-off-by: Asahi Lina <lina@asahilina.net>
2022-05-21 03:52:43 +09:00
Scott Mansell
980b9241d2 m1n1.trace.agx: Trace AGX wip
Signed-off-by: Scott Mansell <phiren@gmail.com>
2022-05-21 03:46:36 +09:00
Scott Mansell
254f01b3ea m1n1.proxyutils.RegMon: Allow custom read lambda
Useful for monitoring ranges beind an iommu

Signed-off-by: Scott Mansell <phiren@gmail.com>
2022-05-21 03:46:14 +09:00
R
4a09eca74a dart-t8110: Initial commit
Signed-off-by: R <rqou@berkeley.edu>
2022-04-16 19:24:00 +09:00
Janne Grunau
c2a48da4c1 m1n1.hv: Add trace script keyboard/trackpad
Input devices use HID over SPI. HID communication is obscured by "sio"
DMA.

Signed-off-by: Janne Grunau <j@jannau.net>
2022-03-11 12:06:01 +09:00
Janne Grunau
9c80a69266 m1n1.hv: Use dynamic pin maps in trace_gpio.py
Hardcoded pin maps do not make sense with additional HW support.
Allows tracing of a single pin in another tracing module, for example
for tracing the SPI cs pin.

Signed-off-by: Janne Grunau <j@jannau.net>
2022-03-11 12:06:01 +09:00
Janne Grunau
a57696366f hv/trace_dcp.py: Update to macOS 12.x API
DCP API seems to be mostly unchanged from 12 beta to 12.2.

Signed-off-by: Janne Grunau <j@jannau.net>
2022-02-24 23:55:46 +09:00
Hector Martin
a8a93a3b5f hv/trace_smc.py: Add GetKeyByIndex decoding
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-02-15 14:05:13 +09:00
Hector Martin
434a3b6c78 hv/trace_smc.py: Support RW ops
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-19 03:22:16 +09:00
Hector Martin
07c695926d hv/trace_dcp.py: Fix typo
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-19 03:21:55 +09:00
Hector Martin
323e163eb4 hv/trace_dcp.py: Fix reinitialization
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-17 04:42:00 +09:00
Hector Martin
17e0dfceab hv/trace_dcp.py: Add EPIC support and refactor
This now partially uses the scaffolding in m1n1.fw.afk.

Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-16 19:39:03 +09:00
Hector Martin
23b9b45040 hv/trace_all.py: Use async tracing by default
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-16 19:39:03 +09:00
Hector Martin
3d523f27ad hv/trace_i2c.py: New example trace script
Signed-off-by: Hector Martin <marcan@marcan.st>
2022-01-16 19:39:03 +09:00
Sven Peter
5763569d9c hv/trace_nvme: Add NVMe tracer
Signed-off-by: Sven Peter <sven@svenpeter.dev>
2022-01-01 16:49:14 +09:00
Hector Martin
ba258dc805 hv/trace_gpio.py: Work on both t8103 and t6000
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-12-28 21:09:30 +09:00
Hector Martin
9496803b18 hv/trace_dcp.py: Add Shutdown commands for IOEp
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-12-28 21:09:06 +09:00
Hector Martin
660d7482b9 hv/trace_pmgr.py: New script
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-11-22 07:21:07 +09:00
Hector Martin
927c12ad53 hv/trace_all.py: Trace all I/O ranges using the arm-io prop
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-11-10 20:43:51 +09:00
Hector Martin
b9ddd74c02 hv/trace_smc.py: Add SMC tracer
Also fix up a bunch of stuff in m1n1.fw.smc, but it's untested as a
client.

Signed-off-by: Hector Martin <marcan@marcan.st>
2021-11-10 20:43:51 +09:00
Sven Peter
0b4d5bd793 proxyclient: hv: Add simple DWC3/XHCI/ATCPHY tracer
Signed-off-by: Sven Peter <sven@svenpeter.dev>
2021-09-22 19:01:03 +09:00
Alyssa Rosenzweig
eb466796d8 fw.dcp: Add some stubs needed for modesetting
This isn't enough to set the video mode yet but it gets us further. I
think allocate_memory/map_buf/powerOnDART need real implementations,
otherwise setting a video mode crashes the DCP in an APIODMA interrupt
handler, whatever that is.

Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
2021-08-24 21:09:35 +09:00
Hector Martin
de5b5d996c m1n1.fw.dcp: Add DCP client framework, port tracer to it
This also includes an update to the macOS 12.0 beta ABI

Signed-off-by: Hector Martin <marcan@marcan.st>
2021-08-14 16:39:17 +09:00
Hector Martin
f635d64429 hv/trace_dcp.py: Update call list for 11.4 (partial?)
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-07-15 22:28:27 +09:00
Hector Martin
4a6fa4b0e1 hv/trace_dcp.py: Redo cmd/ack handling properly, add logging & msg list
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-07-15 16:27:56 +09:00
Hector Martin
e00e8f178d hv/trace_dcp.py: Fix stuff
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-24 02:12:07 +09:00
Hector Martin
819d2cf6bc hv/trace_dcp.py: Parsing a bunch of stuff now
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-24 01:15:32 +09:00
Hector Martin
c490f74872 m1n1.trace.asc: Move EP handlers to per-EP objects
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-23 20:19:30 +09:00
Hector Martin
94f5c29c9f hv/trace_dcp.py: More things
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-22 01:39:38 +09:00
Hector Martin
42b7adad06 m1n1.trace.dart: Add DART tracer/handler
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-22 01:39:38 +09:00
Alyssa Rosenzweig
ba478f2de5 mini.hv.dcp: Decode common messages
This accounts for most of the DCP traffic once macOS is booted. I used
a sophisticated side-channel hypervisor timing attack to determine the
message functions [ adding time.sleep(1) ]

Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
2021-06-21 14:02:25 +09:00
Janne Grunau
de82209079 m1n1.trace.gpio: convert GPIOTracer to new framework
Signed-off-by: Janne Grunau <j@jannau.net>
2021-06-18 14:23:23 +09:00
Hector Martin
cb6d1f58a2 m1n1.trace.asc: Initial ASCTracer implementation
A tracer for the ASC coprocessor mailbox interface.

Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-18 02:24:55 +09:00
Hector Martin
49dad3b9ff m1n1.hv: Rework MMIO PT handling & tracing
Now keeps track of the requested MMIO maps in a DictRangeMap, which is
then flattened to HV page table updates.

TODO: HOOK/SYNC codepaths

Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-17 02:00:32 +09:00
Hector Martin
05db5dba6f trace_agx.py: Disable tracing the PMP bits
Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-15 15:46:08 +09:00
Janne Grunau
dc57e586bc hv/trace_gpio.py: mmiotrace handler for "/arm-io/gpio"
The hanlder omits noise/useless of the mmio access and annotates
known offsets, pins, interrupts and config values.

Signed-off-by: Janne Grunau <j@jannau.net>
2021-06-15 15:41:50 +09:00
Hector Martin
edbe471804 run_guest.py: Add options to run external scripts:
-m <script>

  Run a script in hypervisor context prior to starting the guest.
  This is essentially the same as the shell context.

-c <code>
  Run a literal string of code prior to starting the guest.

-S
  Start a shell instead of directly starting the guest. Use `start` to
  actually begin guest execution.

This also adds a couple example scripts under hv/.

Signed-off-by: Hector Martin <marcan@marcan.st>
2021-06-10 22:37:12 +09:00