Updating pongoOS with upstream.

Makefile

@@ -19,7 +19,7 @@ EMBEDDED_CC_FLAGS ?= -Wunused-label -D'OBFUSCATE_C_FUNC(F)'='F' -DDEV_BUIL
 
 STAGE3_ENTRY_C := $(patsubst %, $(SRC)/boot/%, stage3.c clearhook.s patches.s demote_patch.s jump_to_image.s main.c)
 PONGO_C := $(wildcard $(SRC)/kernel/*.c) $(wildcard $(SRC)/dynamic/*.c) $(wildcard $(SRC)/kernel/*.s) $(wildcard $(SRC)/shell/*.c)
-PONGO_DRIVERS_C := $(wildcard $(SRC)/drivers/usb/*.c) $(wildcard $(SRC)/drivers/framebuffer/*.c) $(wildcard $(SRC)/drivers/uart/*.c) $(wildcard $(SRC)/drivers/timer/*.c) $(wildcard $(SRC)/drivers/gpio/*.c) $(wildcard $(SRC)/linux/lzma/*.c) $(wildcard $(SRC)/linux/libfdt/*.c) $(wildcard $(SRC)/linux/*.c)
+PONGO_DRIVERS_C := $(wildcard $(SRC)/drivers/usb/*.c) $(wildcard $(SRC)/drivers/framebuffer/*.c) $(wildcard $(SRC)/drivers/uart/*.c) $(wildcard $(SRC)/drivers/timer/*.c) $(wildcard $(SRC)/drivers/gpio/*.c) $(wildcard $(SRC)/linux/lzma/*.c) $(wildcard $(SRC)/linux/libfdt/*.c) $(wildcard $(SRC)/linux/*.c) $(wildcard $(SRC)/drivers/xnu/*.c) $(wildcard $(SRC)/drivers/xnu/*.s)
 PONGO_FLAGS := -ffreestanding -Iinclude -Iapple-include -Iinclude/linux/ -I$(SRC)/kernel -I$(SRC)/drivers -Wl,-e,_main -I$(SRC)/linux/libfdt
 
 # CLANG_SPECIFIC should be $(BUILD)/entry.o, because of LLD builds.

Pongo.ld

@@ -17,7 +17,7 @@ SECTIONS
  needs to have the same virtual/physical address. entry.S and start.c
  run in this initial setting.*/
  /* . = 0x10000; */
- . = 0x428000000;
+ . = 0x418000000;
 
  .start_sec : {
  build/entry.o(.text)

scripts/fetch_stdout.py

@@ -0,0 +1,9 @@
+import sys
+import usb.core
+dev = usb.core.find(idVendor=0x05ac, idProduct=0x4141)
+if dev is None:
+ raise ValueError('Device not found')
+dev.set_configuration()
+
+#dev.ctrl_transfer(0x21, 4, 0, 0, 0)
+print(dev.ctrl_transfer(0xa1, 1, 0, 0, 512).tostring())

scripts/upload_data.py

@@ -30,6 +30,6 @@
 
 dev.ctrl_transfer(0x21, 2, 0, 0, 0)
 dev.ctrl_transfer(0x21, 1, 0, 0, 0)
-dev.write(2,data,100000)
+dev.write(2,data,1000000)
 if len(data) % 512 == 0:
  dev.write(2,"")

src/boot/clearhook.s

@@ -31,14 +31,14 @@ clear_hook:
 mov x16, x30
 mov x30, x5
 mov x3, #0x800000000
-movk x3, #0x2800, lsl#16
+movk x3, #0x1800, lsl#16
 cmp x0, x3
 b.hi clear_hook_orig_backing
 add x2, x1, x0
 cmp x2, x3
 b.lo clear_hook_orig_backing
 mov x3, #0x800000000
-movk x3, #0x2900, lsl#16
+movk x3, #0x1900, lsl#16
 cmp x0, x3
 b.hi clear_hook_orig_backing
 add x2, x1, x0

src/boot/entry.s

@@ -25,7 +25,7 @@
 _main:
  adr x4, _main
  mov x5, #0x800000000
- movk x5, #0x2800, lsl#16
+ movk x5, #0x1800, lsl#16
  mov x30, x5
  cmp x4, x5
  b.eq _main$l0
@@ -40,7 +40,7 @@ copyloop:
 #ifdef AUTOBOOT
  ldr x3, [x6]
  mov x4, #0x800000000
- movk x4, #0x2900, lsl#16
+ movk x4, #0x1900, lsl#16
  mov x2, #0x7561
  movk x2, #0x6f74, lsl#16
  movk x2, #0x6f62, lsl#32
@@ -64,7 +64,7 @@ copyloop_3:
 #endif
  ret
 _main$l0:
- sub x30, x30, #0x4000
+ sub x30, x30, #0x400
  mov sp, x30
  mov x1, x0
  mov x0, x9

src/boot/jump_to_image.s

@@ -54,6 +54,6 @@ tramp_hook:
  mov x8, x27
  mov x9, x29
  mov x27, #0x800000000
- movk x27, #0x2800, lsl#16
+ movk x27, #0x1800, lsl#16
  mov x29, x27
 

src/boot/patches.s

@@ -174,9 +174,20 @@ precede the call to platform_disable_keys(). In assembly, this looks like this:
 | bl 0x(same) |
 +----------------------+
 
+Or, on newer clang, like this:
+
++------------------+
+| mov w0, 0x40000 |
+| bl 0x(same) |
+| mov x{19-28}, x0 |
+| mov w0, 0x80000 |
+| bl 0x(same) |
++------------------+
+
 And again in r2 hexsearch:
 
 /x e0030e3200000094f00300aae0030d3200000094:ffffffff000000fcf0ffffffffffffff000000fc
+/x 8000a05200000094f00300aa0001a05200000094:ffffffff000000fcf0ffffffffffffff000000fc
 
 We find this sequence, seek to the next bl, then dereference it and write a "ret" there.
 We do this rather than nop'ing the branch because there is more than one call site.
@@ -190,21 +201,27 @@ aes_keygen:
  mov x2, x0 // instr
  movz w7, 0x320e, lsl 16 // orr w0, wzr, 0x40000
  movk w7, 0x03e0
- movz w8, 0xaa00, lsl 16 // mov x{16-31}, x0
- movk w8, 0x03f0
- sub w9, w7, 0x10, lsl 12 // orr w0, wzr, 0x80000
+ movz w8, 0x52a0, lsl 16 // mov w0, 0x40000
+ movk w8, 0x0080
+ movz w9, 0xaa00, lsl 16 // mov x{16-31}, x0
+ movk w9, 0x03f0
+ sub w10, w7, 0x10, lsl 12 // orr w0, wzr, 0x80000
+ add w11, w8, 0x80 // mov w0, 0x80000
  // First loop: search for call site
 1:
  // +0x00: orr w0, wzr, 0x40000
  ldr w3, [x2], 0x4
  cmp w3, w7
+ ccmp w3, w8, 4, ne
  b.ne 1b
  // +0x08: mov x{16-31}, x0
  // +0x0c: orr w0, wzr, 0x80000
  ldp w3, w4, [x2, 0x4]
  and w3, w3, 0xfffffff0
- cmp w3, w8
- ccmp w4, w9, 0, eq
+ // if((w4 == w10 || w4 == w11) && w3 == w9)
+ cmp w4, w10
+ ccmp w4, w11, 4, ne
+ ccmp w3, w9, 0, eq
  b.ne 1b
  // +0x04: bl 0x(same)
  // +0x10: bl 0x(same)
@@ -306,9 +323,22 @@ one argument: BOOT_DARWIN (== 3). In assembly, it looks like this:
 | bl 0x... |
 +----------------+
 
+Or on new clang:
+
++-----------+
+| mov w0, 3 |
+| bl 0x... |
+| mov w0, 3 |
+| bl 0x... |
+| mov w0, 3 |
+| bl 0x... |
++-----------+
+
+
 In r2:
 
 /x e007003200000094e007003200000094e007003200000094:ffffffff000000fcffffffff000000fcffffffff000000fc
+/x 600080520000009460008052000000946000805200000094:ffffffff000000fcffffffff000000fcffffffff000000fc
 
 The last bl is the call to reconfig_lock(), so we just deref and turn it into
 a ret to nop the lock. Absolutely everything else is deferred to PongoOS.
@@ -324,23 +354,29 @@ recfg_yoink:
  mov x2, x0 // instr
  movz w8, 0x3200, lsl 16 // orr w0, wzr, 3
  movk w8, 0x07e0
- movz w9, 0x25 // bl top bits
+ movz w9, 0x5280, lsl 16 // mov w0, 3
+ movk w9, 0x0060
+ movz w10, 0x25 // bl top bits
  // Loop: search for call site
 1:
  ldr w3, [x2], 0x4
  cmp w3, w8
+ ccmp w3, w9, 4, ne
  b.ne 1b
  ldp w3, w4, [x2]
  ldp w5, w6, [x2, 0x8]
  ldr w7, [x2, 0x10]
  ubfx w3, w3, 26, 6
  ubfx w5, w5, 26, 6
  cmp w4, w8
- ccmp w6, w8, 0, eq
+ ccmp w4, w9, 4, ne
+ b.ne 1b
+ cmp w6, w8
+ ccmp w6, w9, 4, ne
  ubfx w4, w7, 26, 6
- ccmp w3, w9, 0, eq
- ccmp w5, w9, 0, eq
- ccmp w4, w9, 0, eq
+ ccmp w3, w10, 0, eq
+ ccmp w5, w10, 0, eq
+ ccmp w4, w10, 0, eq
  b.ne 1b
 
  // Deref and patch

src/boot/stage3.c

@@ -134,7 +134,7 @@ OBFUSCATE_C_FUNC(void trampoline_entry(void* boot_image, void* boot_args))
  if (__bss_start == 0x746F6F626F747561) {
  uint32_t autoboot_sz = (uint32_t)((&__bss_start)[1]);
  extern volatile void smemcpy128(void*,void*,uint32_t);
- smemcpy128 ((void*)0x829000000, &__bss_start, (autoboot_sz + 64)/16);
+ smemcpy128 ((void*)0x819000000, &__bss_start, (autoboot_sz + 64)/16);
  __bss_start = 0;
  }
 

src/drivers/usb/synopsys_otg.c

@@ -1717,7 +1717,7 @@ void usb_bringup() {
  clock_gate(clockGateBase + reg1, 0);
  clock_gate(clockGateBase + reg2, 0);
  clock_gate(clockGateBase + reg3, 0);
- usleep(1000);
+ spin(1000);
  clock_gate(clockGateBase + reg1, 1);
  clock_gate(clockGateBase + reg2, 1);
  clock_gate(clockGateBase + reg3, 1);
@@ -1731,13 +1731,13 @@ void usb_bringup() {
  *(volatile uint32_t *)(gSynopsysOTGBase + 0x8) = dt_get_u32_prop("otgphyctrl", "cfg0-device");
  *(volatile uint32_t *)(gSynopsysOTGBase + 0xc) = dt_get_u32_prop("otgphyctrl", "cfg1-device");
  *(volatile uint32_t*)(gSynopsysOTGBase) |= 1;
- usleep(20);
+ spin(20);
  *(volatile uint32_t*)(gSynopsysOTGBase) &= 0xFFFFFFF3;
- usleep(20);
+ spin(20);
  *(volatile uint32_t*)(gSynopsysOTGBase) &= 0xFFFFFFFE;
- usleep(20);
+ spin(20);
  *(volatile uint32_t*)(gSynopsysOTGBase + 0x4) &= ~2;
- usleep(1500);
+ spin(1500);
 }
 
 void usb_init() {