Initial commit

MichaelBell · MichaelBell · commit 1e833c3644f3 · 2024-01-12T21:01:34.000Z
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,8 @@
+*.o
+*.bin
+*.elf
+mmio_load
+mmio_view
+mmio_rate
+mmio_enable_hook
+mmio_disable_hook
diff --git a/Makefile b/Makefile
@@ -0,0 +1,32 @@
+all: launch_core1.bin core1.bin blink_core1.bin mmio_enable_hook mmio_load mmio_view
+
+clean:
+	rm *.o *.elf *.bin mmio_enable_hook mmio_disable_hook mmio_load mmio_view
+
+%.o: %.s
+	arm-none-eabi-as $< -o $@
+
+launch_core1.elf: launch_core1.o
+	arm-none-eabi-ld launch_core1.o -T memmap -o $@
+
+core1.elf: count_core1.o
+	arm-none-eabi-ld count_core1.o -T memmap_core1 -o $@
+
+blink_core1.elf: blink_core1.o
+	arm-none-eabi-ld blink_core1.o -T memmap_core1 -o $@
+
+%.bin: %.elf
+	arm-none-eabi-objcopy $< -O binary $@
+
+mmio_enable_hook: mmio_enable_hook.c
+	gcc $< -o $@
+
+mmio_disable_hook: mmio_disable_hook.c
+	gcc $< -o $@
+
+mmio_view: mmio_view.c
+	gcc $< -o $@
+
+mmio_load: mmio_load.c
+	gcc $< -o $@
+
diff --git a/README.md b/README.md
@@ -0,0 +1,35 @@
+# RP1 launch second core
+
+This hack hooks a frequently called function in the RP1 firmware, and
+uses it to launch the second core at a known address.
+
+Beware: this hardcodes the address of the function to hook, so if you
+aren't running the same firmware version as me it might need modification.
+
+My version is
+
+    $ vcgencmd bootloader_version
+    2024/01/05 15:57:40
+    version 30cc5f37d65b279e820adb1d9840ad3c1cc98229 (release)
+
+The current code blinks an LED connected to GPIO 17.
+
+## Building and running
+
+You'll need to install the arm-none-eabi toolchain to build RP1 binaries:
+
+    sudo apt install binutils-arm-none-eabi
+
+Then build everything:
+
+    make
+
+Load the hook code for core0 and the blinky code for core1:
+
+    sudo ./mmio_load
+
+Enable the hook:
+
+    sudo ./mmio_enable_hook
+
+If everything's working GPIO 17 should now be blinking, driven by the RP1 core1.
diff --git a/blink_core1.s b/blink_core1.s
@@ -0,0 +1,42 @@
+.cpu cortex-m3
+.thumb
+.syntax unified
+
+.section .text
+.align 2
+.thumb_func
+.globl _entry
+_entry:
+    /* Func SYS_RIO, output enable */
+    ldr r0, =0x400d008c
+    mov r1, #0x85
+    str r1, [r0]
+
+    /* pad control */
+    ldr r0, =0x400f0048
+    mov r1, #0x56
+    str r1, [r0]
+    
+    /* output enable */
+    ldr r0, =0x400e2000
+    mov r1, #0x20000
+    str r1, [r0, #4]
+    
+    /* output high */
+    str r1, [r0]
+
+    sub r0, 0x1000
+    mov r5, #0x500000
+    adr r6, count
+    mov r7, #0
+1:
+    add r7, #1
+    str r7, [r6]
+    cmp r7, r5
+    bls 1b
+    str r1, [r0]
+    mov r7, #0
+    b 1b
+
+.align 4
+count: .word 0
diff --git a/count_core1.s b/count_core1.s
@@ -0,0 +1,17 @@
+.cpu cortex-m3
+.thumb
+.syntax unified
+
+.section .text
+.align 2
+.thumb_func
+.globl _entry
+_entry:
+    adr r6, count
+    ldr r7, [r6]
+    add r7, #1
+    str r7, [r6]
+    b _entry
+
+.align 4
+count: .word 0
diff --git a/counter.s b/counter.s
@@ -0,0 +1,30 @@
+.cpu cortex-m3
+.thumb
+.syntax unified
+
+.section .text
+.align 2
+.thumb_func
+.globl _entry
+_entry:
+    push {r6,r7}
+    adr r6, count
+    ldr r7, [r6]
+    add r7, #1
+    str r7, [r6]
+    pop {r6,r7}
+
+/* Clear interrupt implementation */
+    cmp r0, #0x1f
+    mov r3, #1
+    mov.w r2, #0xe000e000
+    bls 1f
+    subs r0, #0x20
+    add r3, #4
+1:  lsls r3, r0
+    str.w r3,[r2,#0x180]
+    bx lr
+    
+
+.align 4
+count: .word 0
diff --git a/jmp.s b/jmp.s
@@ -0,0 +1,10 @@
+.cpu cortex-m3
+.thumb
+.syntax unified
+
+.section .text
+.align 2
+.thumb_func
+.globl _entry
+_entry:
+    b 0x20007000
diff --git a/launch_core1.s b/launch_core1.s
@@ -0,0 +1,41 @@
+.cpu cortex-m3
+.thumb
+.syntax unified
+
+.section .text
+.align 2
+.thumb_func
+.globl _entry
+_entry:
+    push {r6,r7}
+    adr r6, count
+    ldr r7, [r6]
+    cmp r7, #0
+    bne 1f
+    push {r0,r1}
+    ldr r0, =0x40154014
+    ldr r1, =(0x4FF83F2D ^ 0x20008001)
+    str r1, [r0]
+    ldr r1, =0x100030d0
+    str r1, [r0,#8]
+    sev
+    pop {r0,r1}
+1:
+    add r7, #1
+    str r7, [r6]
+    pop {r6,r7}
+
+/* Clear interrupt implementation */
+    cmp r0, #0x1f
+    mov r3, #1
+    mov.w r2, #0xe000e000
+    bls 1f
+    subs r0, #0x20
+    add r3, #4
+1:  lsls r3, r0
+    str.w r3,[r2,#0x180]
+    bx lr
+    
+
+.align 4
+count: .word 0
diff --git a/memmap b/memmap
@@ -0,0 +1,9 @@
+MEMORY
+{
+    ram(rwx) : ORIGIN = 0x20007000, LENGTH = 0x1000
+}
+SECTIONS
+{
+    .text : { *(.text*) } > ram
+    .data : { *(.data*) *(.rodata*) } > ram
+}
diff --git a/memmap-jmp b/memmap-jmp
@@ -0,0 +1,9 @@
+MEMORY
+{
+    ram(rwx) : ORIGIN = 0x200007c8, LENGTH = 0x8
+}
+SECTIONS
+{
+    .text : { *(.text*) } > ram
+    .data : { *(.data*) *(.rodata*) } > ram
+}
diff --git a/memmap_core1 b/memmap_core1
@@ -0,0 +1,9 @@
+MEMORY
+{
+    ram(rwx) : ORIGIN = 0x20008000, LENGTH = 0x8000
+}
+SECTIONS
+{
+    .text : { *(.text*) } > ram
+    .data : { *(.data*) *(.rodata*) } > ram
+}
diff --git a/mmio_disable_hook.c b/mmio_disable_hook.c
@@ -0,0 +1,93 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <stdint.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+
+
+//#define MMIOADDR 0x601100000
+//#define MMIOADDR 0x1f000f0000
+#define   MMIOADDR 0x1f00400000
+#define   MMIOLEN  0x10000
+#define   BASE 0x700
+#define   LEN 0x100
+
+volatile unsigned int *mmio;
+#define REG32(m,x) ((volatile uint64_t *)((uint64_t)(m)+(uint64_t)(x)))
+
+static void setup_io() {
+  int fd = open("/dev/mem", O_RDWR | O_SYNC);
+  if (fd < 0) {
+    printf("Unable to open /dev/mem. Run as root using sudo?\n");
+    exit(-1);
+  }
+
+  void *gpio_map =
+      mmap(NULL,                   // Any adddress in our space will do
+           MMIOLEN,      // Map length
+           PROT_READ | PROT_WRITE, // Enable reading & writting to mapped memory
+           MAP_SHARED,             // Shared with other processes
+           fd,                     // File to map
+           MMIOADDR       // Offset to GPIO peripheral
+      );
+
+  close(fd);
+
+  if (gpio_map == MAP_FAILED) {
+    perror("mmap failed, errno");
+    exit(-1);
+  }
+
+  mmio = ((volatile unsigned *)gpio_map) + BASE/4;
+}
+
+
+
+volatile unsigned int test;
+int main(void) {
+
+
+setup_io();
+
+printf("Read mmio address: %10lx \n", MMIOADDR + BASE);
+
+unsigned int a=0;
+volatile unsigned int b=0;
+unsigned int i = 0;
+
+for(a=0; a<LEN/4; a++) {
+   if (!(a & 0x7)) printf("\n%04x: ", a*4);
+   b= *(mmio + a);
+   //*(mmio + a) = 0;
+   printf("%08x ", b);
+}
+printf("\n");
+
+// Jump from 0x200007c8 to 0x20007000
+*(mmio + 0xc8/4) = 0xf04f281f;
+//*(mmio + 0xc8/4) = 0xbc1af006;
+
+#if 0
+a = 0;
+//FILE* f = fopen("counter.bin", "rb");
+FILE* f = fopen("core1.bin", "rb");
+while (!feof(f)) {
+  unsigned int val;
+  fread(&val, sizeof(val), 1, f);
+  *(mmio + a++) = val;
+}
+#endif
+}
+
diff --git a/mmio_enable_hook.c b/mmio_enable_hook.c
diff --git a/mmio_load.c b/mmio_load.c
diff --git a/mmio_rate.c b/mmio_rate.c
diff --git a/mmio_view.c b/mmio_view.c
