From a94bee71d214000049daa07802be7c550b796894 Mon Sep 17 00:00:00 2001
From: Michael Scire
Date: Mon, 17 Dec 2018 13:58:28 -0800
Subject: [PATCH] warmboot: add fuse bypass init
---
exosphere/lp0fw/src/car.c | 84 ++++++++++++++++++++++++++++++++++++++
exosphere/lp0fw/src/car.h | 53 ++++++++++++++++++++++++
exosphere/lp0fw/src/fuse.c | 71 ++++++++++++++++++++++++++++++++
exosphere/lp0fw/src/fuse.h | 11 +++++
exosphere/lp0fw/src/lp0.c | 26 +++++++++++-
exosphere/lp0fw/src/lp0.h | 2 +-
exosphere/lp0fw/src/misc.h | 2 +
exosphere/lp0fw/src/pmc.h | 4 ++
8 files changed, 250 insertions(+), 3 deletions(-)
create mode 100644 exosphere/lp0fw/src/car.c
create mode 100644 exosphere/lp0fw/src/car.h
create mode 100644 exosphere/lp0fw/src/fuse.c
diff --git a/exosphere/lp0fw/src/car.c b/exosphere/lp0fw/src/car.c
new file mode 100644
index 000000000..bf0a5b780
--- /dev/null
+++ b/exosphere/lp0fw/src/car.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+
+#include "utils.h"
+#include "car.h"
+#include "timer.h"
+#include "lp0.h"
+
+static inline uint32_t get_special_clk_reg(CarDevice dev) {
+ switch (dev) {
+ case CARDEVICE_UARTA: return 0x178;
+ case CARDEVICE_UARTB: return 0x17C;
+ case CARDEVICE_I2C1: return 0x124;
+ case CARDEVICE_I2C5: return 0x128;
+ case CARDEVICE_ACTMON: return 0x3E8;
+ case CARDEVICE_BPMP: return 0;
+ default: reboot();
+ }
+}
+
+static inline uint32_t get_special_clk_val(CarDevice dev) {
+ switch (dev) {
+ case CARDEVICE_UARTA: return 0;
+ case CARDEVICE_UARTB: return 0;
+ case CARDEVICE_I2C1: return (6 << 29);
+ case CARDEVICE_I2C5: return (6 << 29);
+ case CARDEVICE_ACTMON: return (6 << 29);
+ case CARDEVICE_BPMP: return 0;
+ default: reboot();
+ }
+}
+
+static uint32_t g_clk_reg_offsets[NUM_CAR_BANKS] = {0x010, 0x014, 0x018, 0x360, 0x364, 0x280, 0x298};
+static uint32_t g_rst_reg_offsets[NUM_CAR_BANKS] = {0x004, 0x008, 0x00C, 0x358, 0x35C, 0x28C, 0x2A4};
+
+void clk_enable(CarDevice dev) {
+ uint32_t special_reg;
+ if ((special_reg = get_special_clk_reg(dev))) {
+ MAKE_CAR_REG(special_reg) = get_special_clk_val(dev);
+ }
+ MAKE_CAR_REG(g_clk_reg_offsets[dev >> 5]) |= BIT(dev & 0x1F);
+}
+
+void clk_disable(CarDevice dev) {
+ MAKE_CAR_REG(g_clk_reg_offsets[dev >> 5]) &= ~(BIT(dev & 0x1F));
+}
+
+void rst_enable(CarDevice dev) {
+ MAKE_CAR_REG(g_rst_reg_offsets[dev >> 5]) |= BIT(dev & 0x1F);
+}
+
+void rst_disable(CarDevice dev) {
+ MAKE_CAR_REG(g_rst_reg_offsets[dev >> 5]) &= ~(BIT(dev & 0x1F));
+}
+
+void clkrst_enable(CarDevice dev) {
+ clk_enable(dev);
+ rst_disable(dev);
+}
+
+void clkrst_disable(CarDevice dev) {
+ rst_enable(dev);
+ clk_disable(dev);
+}
+
+void clkrst_reboot(CarDevice dev) {
+ clkrst_disable(dev);
+ clkrst_enable(dev);
+}
diff --git a/exosphere/lp0fw/src/car.h b/exosphere/lp0fw/src/car.h
new file mode 100644
index 000000000..c2596b848
--- /dev/null
+++ b/exosphere/lp0fw/src/car.h
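Review bot: In car.c, `clk_disable`, `rst_enable` and `rst_disable` index `g_clk_reg_offsets` / `g_rst_reg_offsets` with `dev >> 5` without comparing it to `NUM_CAR_BANKS`; only `clk_enable` is implicitly guarded, because `get_special_clk_reg` reboots on a device it does not know. Every `CarDevice` value declared in car.h maps to banks 0–3, so nothing is wrong today, but a value outside the enum would read past the table and turn into a read-modify-write at an unintended CAR-relative offset. A guard such as `if ((dev >> 5) >= NUM_CAR_BANKS) reboot();` at the top of the four accessors closes that. Both tables are never written and can be declared `static const uint32_t`.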
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#ifndef EXOSPHERE_WARMBOOT_BIN_CLOCK_AND_RESET_H
+#define EXOSPHERE_WARMBOOT_BIN_CLOCK_AND_RESET_H
+
+#include
+
+#define CAR_BASE 0x60006000
+
+#define MAKE_CAR_REG(n) MAKE_REG32(CAR_BASE + n)
+
+#define CLK_RST_CONTROLLER_MISC_CLK_ENB_0 MAKE_CAR_REG(0x048)
+#define CLK_RST_CONTROLLER_RST_DEVICES_H_0 MAKE_CAR_REG(0x008)
+#define CLK_RST_CONTROLLER_LVL2_CLK_GATE_OVRD_0 MAKE_CAR_REG(0x3A4)
+#define CLK_RST_CONTROLLER_RST_CPUG_CMPLX_SET_0 MAKE_CAR_REG(0x450)
+#define CLK_RST_CONTROLLER_RST_CPUG_CMPLX_CLR_0 MAKE_CAR_REG(0x454)
+
+#define NUM_CAR_BANKS 7
+
+typedef enum {
+ CARDEVICE_UARTA = 6,
+ CARDEVICE_UARTB = 7,
+ CARDEVICE_I2C1 = 12,
+ CARDEVICE_I2C5 = 47,
+ CARDEVICE_ACTMON = 119,
+ CARDEVICE_BPMP = 1
+} CarDevice;
+
+void clk_enable(CarDevice dev);
+void clk_disable(CarDevice dev);
+void rst_enable(CarDevice dev);
+void rst_disable(CarDevice dev);
+
+void clkrst_enable(CarDevice dev);
+void clkrst_disable(CarDevice dev);
+
+void clkrst_reboot(CarDevice dev);
+
+#endif
diff --git a/exosphere/lp0fw/src/fuse.c b/exosphere/lp0fw/src/fuse.c
new file mode 100644
index 000000000..84a64cfa6
--- /dev/null
+++ b/exosphere/lp0fw/src/fuse.c
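Review bot: In car.h, `MAKE_CAR_REG(n)` passes its argument through unparenthesised as `MAKE_REG32(CAR_BASE + n)`, so an argument containing an operator that binds more loosely than `+` (for example `a | b`) would compute the wrong register address. The callers in this patch pass plain constants or an array element, so the current uses are fine. `#define MAKE_CAR_REG(n) MAKE_REG32(CAR_BASE + (n))` is the safer form, and the same applies to `MAKE_FUSE_REG` added in fuse.h by this commit. `MAKE_REG32` is defined outside the patch, so whether it parenthesises its own argument cannot be checked from here.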
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+
+#include "utils.h"
+#include "fuse.h"
+#include "car.h"
+#include "pmc.h"
+
+#define NUM_FUSE_BYPASS_ENTRIES 0
+
+bool fuse_check_downgrade_status(void) {
+ /* We aren't going to implement anti-downgrade. */
+ return false;
+}
+
+static fuse_bypass_data_t g_fuse_bypass_entries[NUM_FUSE_BYPASS_ENTRIES] = {
+ /* No entries here. */
+};
+
+void fuse_configure_fuse_bypass(void) {
+ /* Enable fuses in CAR? This seems to affect fuse data visibility. */
+ CLK_RST_CONTROLLER_MISC_CLK_ENB_0 |= 0x10000000;
+
+ /* Configure bypass/override, only if programming is allowed. */
+ if (!(FUSE_REGS->FUSE_DIS_PGM & 1)) {
+ /* Enable write access. */
+ FUSE_REGS->FUSE_WRITE_ACCESS = (FUSE_REGS->FUSE_WRITE_ACCESS & ~0x1) | 0x10000;
+ /* Enable fuse bypass config. */
+ FUSE_REGS->FUSE_FUSEBYPASS = 1;
+
+ /* Override fuses. */
+ for (size_t i = 0; i < NUM_FUSE_BYPASS_ENTRIES; i++) {
+ MAKE_FUSE_REG(g_fuse_bypass_entries[i].offset) = g_fuse_bypass_entries[i].value;
+ }
+
+ /* Disable fuse write access. */
+ FUSE_REGS->FUSE_WRITE_ACCESS |= 1;
+
+ /* Enable fuse bypass config. */
+ /* I think this is a bug, and Nintendo meant to write 0 here? */
+ FUSE_REGS->FUSE_FUSEBYPASS = 1;
+
+ /* This...clears the disable programming bit(?). */
+ /* I have no idea why this happens. What? */
+ /* This is probably also either a bug or does nothing. */
+ /* Is this bit even clearable? */
+ FUSE_REGS->FUSE_DIS_PGM &= 0xFFFFFFFE;
+
+ /* Restore saved private key disable bit. */
+ FUSE_REGS->FUSE_PRIVATEKEYDISABLE |= (APBDEV_PMC_SECURE_SCRATCH21_0 & 0x10);
+
+ /* Lock private key disable secure scratch. */
+ APBDEV_PMC_SEC_DISABLE2_0 |= 0x4000000;
+ }
+
+}
diff --git a/exosphere/lp0fw/src/fuse.h b/exosphere/lp0fw/src/fuse.h
index b07e8b9d5..39706bd89 100644
--- a/exosphere/lp0fw/src/fuse.h
+++ b/exosphere/lp0fw/src/fuse.h
@@ -186,4 +186,15 @@ typedef struct { #define FUSE_REGS ((volatile fuse_registers_t *)(0x7000F800)) #define FUSE_CHIP_REGS ((volatile fuse_chip_registers_t *)(0x7000F900)) +#define MAKE_FUSE_REG(n) MAKE_REG32(0x7000F800 + n) + +typedef struct { + uint32_t offset; + uint32_t value; +} fuse_bypass_data_t; + +bool fuse_check_downgrade_status(void); + +void fuse_configure_fuse_bypass(void); + #endif
diff --git a/exosphere/lp0fw/src/lp0.c b/exosphere/lp0fw/src/lp0.c
index fd6525a41..dcb68aa4d 100644
--- a/exosphere/lp0fw/src/lp0.c
+++ b/exosphere/lp0fw/src/lp0.c
@@ -19,6 +19,7 @@ #include "mc.h" #include "pmc.h" #include "misc.h" +#include "fuse.h" #include "timer.h" void reboot(void) {
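Review bot: In fuse.c, the last two statements of `fuse_configure_fuse_bypass` (restoring `FUSE_PRIVATEKEYDISABLE` from `APBDEV_PMC_SECURE_SCRATCH21_0`, then setting the lock bit in `APBDEV_PMC_SEC_DISABLE2_0`) sit inside the `if (!(FUSE_REGS->FUSE_DIS_PGM & 1))` block, so when programming is already disabled the private-key-disable bit is not restored and the secure scratch register is left unlocked on resume. Whether that matches the reference warmboot cannot be told from the patch; if it is intended, a comment such as `/* NOTE(review): restore + lock are skipped when FUSE_DIS_PGM is set; confirm against the reference. */` would record it, otherwise both statements belong after the closing brace of the `if`. The second `FUSE_REGS->FUSE_FUSEBYPASS = 1;` leaves bypass enabled while the call site in lp0.c is commented "Setup fuses, disable bypass.", so one of the two comments should be corrected. `g_fuse_bypass_entries[NUM_FUSE_BYPASS_ENTRIES]` with a count of 0 and an empty initializer is a GNU extension rather than ISO C, and the bare masks (`0x10000000`, `0x10000`, `0x4000000`, `0x10`) would read better as named constants.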
@@ -30,19 +31,40 @@ void reboot(void) { } void lp0_entry_main(warmboot_metadata_t *meta) { + const uint32_t target_firmware = meta->target_firmware; /* Before doing anything else, ensure some sanity. */ - if (meta->magic != WARMBOOT_MAGIC || meta->target_firmware > ATMOSPHERE_TARGET_FIRMWARE_MAX) { + if (meta->magic != WARMBOOT_MAGIC || target_firmware > ATMOSPHERE_TARGET_FIRMWARE_MAX) { reboot(); } /* [4.0.0+] First thing warmboot does is disable BPMP access to memory. */ - if (meta->target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_400) { + if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_400) { disable_bpmp_access_to_dram(); } /* Configure debugging depending on FUSE_PRODUCTION_MODE */ configure_device_dbg_settings(); + /* Check for downgrade. */ + /* NOTE: We implemented this as "return false" */ + if (fuse_check_downgrade_status()) { + reboot(); + } + + if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_300) { + /* Nintendo's firmware checks APBDEV_PMC_SECURE_SCRATCH32_0 against a per-warmboot binary value here. */ + /* We won't bother with that. */ + if (false /* APBDEV_PMC_SECURE_SCRATCH32_0 == WARMBOOT_MAGIC_NUMBER */) { + reboot(); + } + } + + /* TODO: Check that we're running at the correct physical address. */ + + /* Setup fuses, disable bypass. */ + fuse_configure_fuse_bypass(); + + /* TODO: stuff */ while (true) { /* TODO: Halt BPMP */ }
diff --git a/exosphere/lp0fw/src/lp0.h b/exosphere/lp0fw/src/lp0.h
index 90cdb6850..04787f0ed 100644
--- a/exosphere/lp0fw/src/lp0.h
+++ b/exosphere/lp0fw/src/lp0.h
@@ -30,6 +30,6 @@ typedef struct { void lp0_entry_main(warmboot_metadata_t *meta); -void reboot(void); +void __attribute__((noreturn)) reboot(void); #endif
diff --git a/exosphere/lp0fw/src/misc.h b/exosphere/lp0fw/src/misc.h
index 6d34e075f..4c94002c2 100644
--- a/exosphere/lp0fw/src/misc.h
+++ b/exosphere/lp0fw/src/misc.h
@@ -19,6 +19,8 @@ #include +#include "utils.h" + #define MISC_BASE (0x70000000) #define MAKE_MISC_REG(n) MAKE_REG32(MISC_BASE + n)
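Review bot: In lp0.c, both checks added to `lp0_entry_main` are stubs that can never fire: `fuse_check_downgrade_status()` returns false unconditionally and the SECURE_SCRATCH32 comparison is written as `if (false /* … */)`, so the only validation on the resume path is still the magic and `target_firmware` range test. The comments say this is deliberate, but the dead `if (false)` branch reads like live code and may draw unreachable-code warnings. A plain comment states the intent more clearly, e.g. `/* Intentionally not checking APBDEV_PMC_SECURE_SCRATCH32_0 against a per-binary value. */`. Reading `meta->target_firmware` once into a `const` local is a good change, since every later version test then uses the value that was range-checked. The function's closing brace lies outside the hunk.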
diff --git a/exosphere/lp0fw/src/pmc.h b/exosphere/lp0fw/src/pmc.h
index 9025fbd33..982caf444 100644
--- a/exosphere/lp0fw/src/pmc.h
+++ b/exosphere/lp0fw/src/pmc.h
@@ -38,8 +38,12 @@ #define APBDEV_PMC_SCRATCH18_0 MAKE_PMC_REG(0x098) #define APBDEV_PMC_STICKY_BITS_0 MAKE_PMC_REG(0x2C0) +#define APBDEV_PMC_SEC_DISABLE2_0 MAKE_PMC_REG(0x2C4) #define APBDEV_PMC_WEAK_BIAS_0 MAKE_PMC_REG(0x2C8) +#define APBDEV_PMC_SECURE_SCRATCH21_0 MAKE_PMC_REG(0x334) +#define APBDEV_PMC_SECURE_SCRATCH32_0 MAKE_PMC_REG(0x360) + #define APBDEV_PMC_IO_DPD3_REQ_0 MAKE_PMC_REG(0x45C) #define APBDEV_PMC_IO_DPD3_STATUS_0 MAKE_PMC_REG(0x460)