Mesa is Apple's codename for the TouchID sensor. On M1-based
systems, it is connected to the SPI bus and communicates via
SIO on DMA channels 0x18 and 0x19. The application processors
seem to have very little to do with its operation.
After power on, the command buffer is encrypted by the SEP and
very little useful data can be gleaned from snooping the SIO
messages. While the commands are garbled by the SEP, we can see
that it has a few recurring themes:
* A power on routine involving some sort of calibration, perhaps
to get a noise image to subtract from each fingerprint
* A polling mode where it is kicked by the kernel and acks if
there's no finger on the sensor (runs while macOS waits for a
print)
* A data transfer mode, where a SIO message is sent to an unmapped
EP and the fingerprint scanned into memory. Likely triggered by
an interrupt coming off the finger detection ring, but I haven't
been able to verify this.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Move the regmap from experiments/ to a handier place. Also add the
codec to trace_codecs.py and codecshell.py.
Signed-off-by: Martin Povišer <povik@protonmail.com>
Just use TraceMode.OFF instead of commenting lines out.
Also always trace the GPU panic register (TODO: do not hardcode)
Signed-off-by: Asahi Lina <lina@asahilina.net>
Hardcoded pin maps do not make sense with additional HW support.
Allows tracing of a single pin in another tracing module, for example
for tracing the SPI cs pin.
Signed-off-by: Janne Grunau <j@jannau.net>
This isn't enough to set the video mode yet but it gets us further. I
think allocate_memory/map_buf/powerOnDART need real implementations,
otherwise setting a video mode crashes the DCP in an APIODMA interrupt
handler, whatever that is.
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
This accounts for most of the DCP traffic once macOS is booted. I used
a sophisticated side-channel hypervisor timing attack to determine the
message functions [ adding time.sleep(1) ]
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Now keeps track of the requested MMIO maps in a DictRangeMap, which is
then flattened to HV page table updates.
TODO: HOOK/SYNC codepaths
Signed-off-by: Hector Martin <marcan@marcan.st>
The hanlder omits noise/useless of the mmio access and annotates
known offsets, pins, interrupts and config values.
Signed-off-by: Janne Grunau <j@jannau.net>
-m <script>
Run a script in hypervisor context prior to starting the guest.
This is essentially the same as the shell context.
-c <code>
Run a literal string of code prior to starting the guest.
-S
Start a shell instead of directly starting the guest. Use `start` to
actually begin guest execution.
This also adds a couple example scripts under hv/.
Signed-off-by: Hector Martin <marcan@marcan.st>
