From 267a04c4ac534517319a60495f893a879b7ac3fe Mon Sep 17 00:00:00 2001 From: Kostas Missos Date: Tue, 20 Nov 2018 21:32:54 +0200 Subject: [PATCH] Fix HDCP + some bugfixes Thanks @hexkyz for taking the time to recheck for the missing 6.x changes --- bootloader/config/ini.c | 4 ++-- bootloader/hos/hos.c | 10 +++++++--- bootloader/main.c | 36 +++++++++++++++++------------------- bootloader/mem/mc.c | 38 +++++++++++++++++++------------------- bootloader/mem/sdram.c | 10 +++++----- bootloader/soc/cluster.c | 5 +++-- 6 files changed, 53 insertions(+), 50 deletions(-) diff --git a/bootloader/config/ini.c b/bootloader/config/ini.c index 1b389d6..27d5c91 100644 --- a/bootloader/config/ini.c +++ b/bootloader/config/ini.c @@ -230,9 +230,9 @@ void ini_free_section(ini_sec_t *cfg) { free(kv->key); free(kv->val); - free(kv); + //free(kv); } - free(cfg); + //free(cfg); cfg = NULL; } diff --git a/bootloader/hos/hos.c b/bootloader/hos/hos.c index d30bd2f..7fa6dff 100644 --- a/bootloader/hos/hos.c +++ b/bootloader/hos/hos.c @@ -262,7 +262,7 @@ static int _read_emmc_pkg1(launch_ctxt_t *ctxt) sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4); // Read package1. - ctxt->pkg1 = (u8 *)malloc(0x40000); + ctxt->pkg1 = (void *)malloc(0x40000); sdmmc_storage_set_mmc_partition(&storage, 1); sdmmc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, ctxt->pkg1); ctxt->pkg1_id = pkg1_identify(ctxt->pkg1); @@ -326,6 +326,7 @@ static u8 *_read_emmc_pkg2(launch_ctxt_t *ctxt) out:; nx_emmc_gpt_free(&gpt); sdmmc_storage_end(&storage); + return bctBuf; } 
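Review bot: In `ini_free_section`, commenting out `free(kv)` and `free(cfg)` leaks every key/value node and the section itself on each call, while `kv->key` and `kv->val` are still freed. If the frees were disabled because the list walk read a node after it was released (the loop header is outside this hunk, so this is inferred), the safer repair is to fetch the next link before freeing the current node rather than dropping the frees. The trailing `cfg = NULL;` only clears the local copy of the pointer, so callers keep a pointer to a live section whose nodes hold dangling `key`/`val` pointers; until the walk is fixed, record that with `// NOTE: kv nodes and cfg are left allocated; callers must not reuse cfg after this call`.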
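Review bot: In `_read_emmc_pkg1`, the `malloc(0x40000)` result stored in `ctxt->pkg1` goes straight to `sdmmc_storage_read` and then `pkg1_identify` with no NULL check. The results of `sdmmc_storage_init_mmc` and `sdmmc_storage_read` are also not checked in the lines shown. If the read fails, `pkg1_identify` parses an uninitialised heap buffer. `dump_packages12` in main.c already tests `sdmmc_storage_init_mmc` and bails out; the same pattern fits here, starting with `if (!ctxt->pkg1) return 0;` (or the function's existing failure value) after the allocation. The function continues outside the hunk, so later checks may exist.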
@@ -738,8 +739,11 @@ int hos_launch(ini_sec_t *cfg) *mb_exo_fw_no = exoFwNumber; } - // Finalize MC carveout and lock SE before starting 'SecureMonitor'. - mc_config_carveout_finalize(); + // Finalize MC carveout. + if (ctxt.pkg1_id->kb <= KB_FIRMWARE_VERSION_301) + mc_config_carveout(); + + // Lock SE before starting 'SecureMonitor'. _se_lock(); //TODO: pkg1.1 locks PMC scratches, we can do that too at some point. For <4.0.0 after secmon? diff --git a/bootloader/main.c b/bootloader/main.c index 79079a9..95f6e1d 100644 --- a/bootloader/main.c +++ b/bootloader/main.c @@ -452,14 +452,12 @@ void config_hw() i2c_send_byte(I2C_5, MAX77620_I2C_ADDR, MAX77620_REG_FPS_GPIO3, 0x22); // 3.x+ - i2c_send_byte(I2C_5, MAX77620_I2C_ADDR, MAX77620_REG_SD0, 42); //42 = (1125000 - 600000) / 12500 -> 1.125V + i2c_send_byte(I2C_5, MAX77620_I2C_ADDR, MAX77620_REG_SD0, 42); //42 = (1125000uV - 600000) / 12500 -> 1.125V config_pmc_scratch(); // Missing from 4.x+ CLOCK(CLK_RST_CONTROLLER_SCLK_BURST_POLICY) = (CLOCK(CLK_RST_CONTROLLER_SCLK_BURST_POLICY) & 0xFFFF8888) | 0x3333; - mc_config_carveout(); // Missing from 4.x+ - sdram_init(); } @@ -594,7 +592,7 @@ void print_mmc_info() else { u16 card_type; - u32 speed; + u32 speed = 0; gfx_printf(&gfx_con, "%kCID:%k\n", 0xFF00DDFF, 0xFFCCCCCC); switch (storage.csd.mmca_vsn) @@ -1082,10 +1080,7 @@ int dump_emmc_part(char *sd_path, sdmmc_storage_t *storage, emmc_part_t *part) WPRINTF("Press POWER to Continue.\nPress VOL to go to the menu.\n"); msleep(500); - u32 btn = btn_wait(); - if (btn & BTN_POWER) - btn = 0; - else + if (!(btn_wait() & BTN_POWER)) return 0; gfx_con.fntsz = 8; gfx_clear_partial_grey(&gfx_ctxt, 0x1B, gfx_con.savedy, 48); @@ -1689,6 +1684,9 @@ void restore_emmc_gpp_parts() { restore_emmc_selected(PART_GP_ALL); } void dump_packages12() { + if (!sd_mount()) + return; + u8 *pkg1 = (u8 *)calloc(1, 0x40000); u8 *warmboot = (u8 *)calloc(1, 0x40000); u8 *secmon = (u8 *)calloc(1, 0x40000); 
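Review bot: In `hos_launch`, the new `if` dereferences `ctxt.pkg1_id->kb` with no check visible in this hunk that `pkg1_identify` found a match; `dump_packages12` has an "Unknown package1 version" branch, so the lookup can presumably fail, and the earlier body of `hos_launch` is outside the hunk. The comment `// Finalize MC carveout.` is stale, because the call is now the full `mc_config_carveout()` and is skipped above `KB_FIRMWARE_VERSION_301`. The same commit removes the call from `config_hw`, so nothing visible in this bootloader programs the security carveouts for newer firmware. Say who does, for example `// MC security carveouts: programmed here only for <= 3.0.1; newer firmware is assumed to configure them itself (confirm).` Bracing the single-statement `if` would also guard against a later second statement slipping outside the condition.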
@@ -1698,15 +1696,12 @@ void dump_packages12() gfx_clear_partial_grey(&gfx_ctxt, 0x1B, 0, 1256); gfx_con_setpos(&gfx_con, 0, 0); - if (!sd_mount()) - goto out; - sdmmc_storage_t storage; sdmmc_t sdmmc; if (!sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4)) { EPRINTF("Failed to init eMMC."); - goto out; + goto out_free; } sdmmc_storage_set_mmc_partition(&storage, 1); @@ -1718,7 +1713,7 @@ void dump_packages12() { gfx_con.fntsz = 8; EPRINTFARGS("Unknown package1 version for reading\nTSEC firmware (= '%s').", (char *)pkg1 + 0x10); - goto out; + goto out_free; } if (!h_cfg.se_keygen_done) @@ -1750,25 +1745,25 @@ void dump_packages12() // Dump package1.1. emmcsn_path_impl(path, "/pkg1", "pkg1_decr.bin", &storage); if (sd_save_to_file(pkg1, 0x40000, path)) - goto out; + goto out_free; gfx_puts(&gfx_con, "\nFull package1 dumped to pkg1_decr.bin\n"); // Dump nxbootloader. emmcsn_path_impl(path, "/pkg1", "nxloader.bin", &storage); if (sd_save_to_file(loader, hdr->ldr_size, path)) - goto out; + goto out_free; gfx_puts(&gfx_con, "NX Bootloader dumped to nxloader.bin\n"); // Dump secmon. emmcsn_path_impl(path, "/pkg1", "secmon.bin", &storage); if (sd_save_to_file(secmon, hdr->sm_size, path)) - goto out; + goto out_free; gfx_puts(&gfx_con, "Secure Monitor dumped to secmon.bin\n"); // Dump warmboot. emmcsn_path_impl(path, "/pkg1", "warmboot.bin", &storage); if (sd_save_to_file(warmboot, hdr->wb_size, path)) - goto out; + goto out_free; gfx_puts(&gfx_con, "Warmboot dumped to warmboot.bin\n\n\n"); // Dump package2.1. @@ -1823,12 +1818,13 @@ void dump_packages12() gfx_puts(&gfx_con, "\nDone. Press any key...\n"); out: + nx_emmc_gpt_free(&gpt); +out_free: free(pkg1); free(secmon); free(warmboot); free(loader); free(pkg2); - nx_emmc_gpt_free(&gpt); sdmmc_storage_end(&storage); sd_unmount(); 
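Review bot: In `dump_packages12`, the new `out_free:` path still falls through to `sdmmc_storage_end(&storage)`, including when it is reached from the `Failed to init eMMC.` branch where `sdmmc_storage_init_mmc` has just reported failure. Whether `sdmmc_storage_end` tolerates a storage object that never initialised is not visible here; if it does not, set a flag after a successful init and guard the call with it. The `calloc(1, 0x40000)` results from the first hunk of this function are used without a NULL check. `hdr->ldr_size`, `hdr->sm_size` and `hdr->wb_size` are passed to `sd_save_to_file` as lengths for those 0x40000-byte buffers; if `hdr` comes from the package1 image (not shown), bounding each size against the buffer size would stop a malformed header from causing a heap over-read.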
@@ -1980,7 +1976,7 @@ void launch_tools(u8 type) u8 max_entries = 61; char *filelist = NULL; char *file_sec = NULL; - char *dir; + char *dir = NULL; ment_t *ments = (ment_t *)malloc(sizeof(ment_t) * (max_entries + 3)); @@ -2032,6 +2028,7 @@ void launch_tools(u8 type) if (!file_sec) { free(ments); + free(dir); free(filelist); sd_unmount(); return; @@ -2076,6 +2073,7 @@ void launch_tools(u8 type) out: sd_unmount(); + free(dir); btn_wait(); } diff --git a/bootloader/mem/mc.c b/bootloader/mem/mc.c index 0795acc..c799573 100644 --- a/bootloader/mem/mc.c +++ b/bootloader/mem/mc.c @@ -28,6 +28,7 @@ void mc_config_carveout() MC(MC_MTS_CARVEOUT_SIZE_MB) = 0; MC(MC_MTS_CARVEOUT_ADR_HI) = 0; MC(MC_MTS_CARVEOUT_REG_CTRL) = 1; + MC(MC_SECURITY_CARVEOUT1_BOM) = 0; MC(MC_SECURITY_CARVEOUT1_BOM_HI) = 0; MC(MC_SECURITY_CARVEOUT1_SIZE_128KB) = 0; @@ -43,6 +44,21 @@ void mc_config_carveout() MC(MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS4) = 0; MC(MC_SECURITY_CARVEOUT1_CFG0) = 0x4000006; + MC(MC_SECURITY_CARVEOUT2_BOM) = 0x80020000; + MC(MC_SECURITY_CARVEOUT2_BOM_HI) = 0; + MC(MC_SECURITY_CARVEOUT2_SIZE_128KB) = 2; + MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = 0x3100000; + MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = 0x300; + MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS3) = 0; + MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS4) = 0; + MC(MC_SECURITY_CARVEOUT2_CFG0) = 0x440167E; + MC(MC_SECURITY_CARVEOUT3_BOM) = 0; MC(MC_SECURITY_CARVEOUT3_BOM_HI) = 0; MC(MC_SECURITY_CARVEOUT3_SIZE_128KB) = 0; 
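Review bot: Moving the CARVEOUT2 block into `mc_config_carveout` also changes `MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2` from `0x3000000` (in the removed `mc_config_carveout_finalize`) to `0x3100000`, so bit 20 is newly set, and nothing in the hunk names the memory client that gains access to the carveout. This is an access-control mask and probably the HDCP fix named in the subject, so the widening should be documented at the write rather than hidden inside a code move, for example `// 0x3100000 = 0x3000000 | (1 << 20): adds <client name from the TRM> to carveout 2; needed for HDCP.` The other magic values in the block (`0x80020000`, `0x440167E`) deserve the same decoding. The function starts before this hunk and continues in the following ones.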
@@ -57,6 +73,7 @@ void mc_config_carveout() MC(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3) = 0; MC(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4) = 0; MC(MC_SECURITY_CARVEOUT3_CFG0) = 0x4401E7E; + MC(MC_SECURITY_CARVEOUT4_BOM) = 0; MC(MC_SECURITY_CARVEOUT4_BOM_HI) = 0; MC(MC_SECURITY_CARVEOUT4_SIZE_128KB) = 0; @@ -71,6 +88,7 @@ void mc_config_carveout() MC(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3) = 0; MC(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4) = 0; MC(MC_SECURITY_CARVEOUT4_CFG0) = 0x8F; + MC(MC_SECURITY_CARVEOUT5_BOM) = 0; MC(MC_SECURITY_CARVEOUT5_BOM_HI) = 0; MC(MC_SECURITY_CARVEOUT5_SIZE_128KB) = 0; @@ -87,24 +105,6 @@ void mc_config_carveout() MC(MC_SECURITY_CARVEOUT5_CFG0) = 0x8F; } -void mc_config_carveout_finalize() -{ - MC(MC_SECURITY_CARVEOUT2_BOM) = 0x80020000; - MC(MC_SECURITY_CARVEOUT2_BOM_HI) = 0; - MC(MC_SECURITY_CARVEOUT2_SIZE_128KB) = 2; - MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = 0x3000000; - MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = 0x300; - MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS3) = 0; - MC(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS4) = 0; - MC(MC_SECURITY_CARVEOUT2_CFG0) = 0x440167E; -} - void mc_enable_ahb_redirect() { // Enable ARC_CLK_OVR_ON. 
@@ -133,7 +133,7 @@ void mc_enable() CLOCK(CLK_RST_CONTROLLER_CLK_ENB_H_SET) = (CLOCK(CLK_RST_CONTROLLER_CLK_ENB_H_SET) & 0xFFFFFFFE) | 1; // Enable EMC DLL clock. CLOCK(CLK_RST_CONTROLLER_CLK_ENB_X_SET) = (CLOCK(CLK_RST_CONTROLLER_CLK_ENB_X_SET) & 0xFFFFBFFF) | 0x4000; - CLOCK(CLK_RST_CONTROLLER_RST_DEV_H_SET) = 0x2000001; //Clear EMC and MC reset. + CLOCK(CLK_RST_CONTROLLER_RST_DEV_H_CLR) = 0x2000001; //Clear EMC and MC reset. usleep(5); //#ifdef CONFIG_ENABLE_AHB_REDIRECT diff --git a/bootloader/mem/sdram.c b/bootloader/mem/sdram.c index f6ff3be..86b7291 100644 --- a/bootloader/mem/sdram.c +++ b/bootloader/mem/sdram.c @@ -41,7 +41,7 @@ static u32 _get_sdram_id() static void _sdram_config(const sdram_params_t *params) { - PMC(0x45C) = (((4 * params->emc_pmc_scratch1 >> 2) + 0x80000000) ^ 0xFFFF) & 0xC000FFFF; + PMC(APBDEV_PMC_IO_DPD3_REQ) = (((4 * params->emc_pmc_scratch1 >> 2) + 0x80000000) ^ 0xFFFF) & 0xC000FFFF; usleep(params->pmc_io_dpd3_req_wait); u32 req = (4 * params->emc_pmc_scratch2 >> 2) + 0x80000000; @@ -393,7 +393,7 @@ break_nosleep: *(vu32 *)(4 * (params->boot_rom_patch_control + 0x1C000000)) = params->boot_rom_patch_data; MC(MC_TIMING_CONTROL) = 1; } - PMC(0x45C) = ((4 * params->emc_pmc_scratch1 >> 2) + 0x40000000) & 0xCFFF0000; + PMC(APBDEV_PMC_IO_DPD3_REQ) = ((4 * params->emc_pmc_scratch1 >> 2) + 0x40000000) & 0xCFFF0000; usleep(params->pmc_io_dpd3_req_wait); if (!params->emc_auto_cal_interval) EMC(EMC_AUTO_CAL_CONFIG) = params->emc_auto_cal_config | 0x200; @@ -410,7 +410,7 @@ break_nosleep: } EMC(EMC_TIMING_CONTROL) = 1; usleep(params->emc_timing_control_wait); - PMC(0x4E4) &= 0xFFF8007F; + PMC(APBDEV_PMC_DDR_CNTRL) &= 0xFFF8007F; usleep(params->pmc_ddr_ctrl_wait); if (params->memory_type == 2) { @@ -459,7 +459,7 @@ break_nosleep: } } } - PMC(0x1D0) = params->pmc_ddr_cfg; + PMC(APBDEV_PMC_DDR_CFG) = params->pmc_ddr_cfg; if (params->memory_type - 1 <= 2) { EMC(EMC_ZCAL_INTERVAL) = params->emc_zcal_interval; 
@@ -486,7 +486,7 @@ break_nosleep: MC(MC_VIDEO_PROTECT_REG_CTRL) = params->mc_video_protect_write_access; MC(MC_SEC_CARVEOUT_REG_CTRL) = params->mc_sec_carveout_protect_write_access; MC(MC_MTS_CARVEOUT_REG_CTRL) = params->mc_mts_carveout_reg_ctrl; - MC(MC_EMEM_CFG_ACCESS_CTRL) = 1; //Disable write access to a bunch of MC registers. + MC(MC_EMEM_CFG_ACCESS_CTRL) = 1; //Disable write access to a bunch of EMC registers. } const void *sdram_get_params() diff --git a/bootloader/soc/cluster.c b/bootloader/soc/cluster.c index d158349..16e0da3 100644 --- a/bootloader/soc/cluster.c +++ b/bootloader/soc/cluster.c @@ -127,6 +127,7 @@ void cluster_boot_cpu0(u32 entry) CLOCK(CLK_RST_CONTROLLER_RST_DEVICES_V) &= 0xFFFFFFF7; // Clear NONCPU reset. CLOCK(CLK_RST_CONTROLLER_RST_CPUG_CMPLX_CLR) = 0x20000000; - // Clear CPU{0,1,2,3} POR and CORE, CX0, L2, and DBG reset. - CLOCK(CLK_RST_CONTROLLER_RST_CPUG_CMPLX_CLR) = 0x411F000F; + // Clear CPU0 reset. + // < 5.x: 0x411F000F, Clear CPU{0,1,2,3} POR and CORE, CX0, L2, and DBG reset. + CLOCK(CLK_RST_CONTROLLER_RST_CPUG_CMPLX_CLR) = 0x41010001; }
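Review bot: The reworded comment on `MC(MC_EMEM_CFG_ACCESS_CTRL) = 1;` now says the write locks "EMC registers", but the register belongs to the MC block and its name suggests it gates the MC external-memory configuration registers, so the new wording may mislead. This is the lock-down step at the end of SDRAM setup, so a precise comment is worth having, for example `// Lock write access to the MC EMEM configuration registers.`, with the exact scope confirmed against the TRM. The enclosing function starts outside the hunk.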
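Review bot: In `cluster_boot_cpu0`, the new mask `0x41010001` is written for every firmware version, while the comment keeps the old value only as `< 5.x: 0x411F000F`. The hunk does not say whether leaving CPU1-3 in reset is also correct when older firmware is booted, whereas `hos_launch` in this commit gates its carveout setup by version. If the narrower mask is intended everywhere, state that, and decode the value: the old comment listed POR, CORE, CX0, L2 and DBG, but `// Clear CPU0 reset.` does not say which of those bits `0x41010001` still clears. The function begins before the hunk.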