##raspberrypi-internals on 2024-03-26 — irc logs at libera.irclog.whitequark.org

2024-01-15 19:00 f_ changed the topic of ##raspberrypi-internals to: The inner workings of the Raspberry Pi (Low level VPU/HW) -- for general queries please visit #raspberrypi -- open firmware: https://librerpi.github.io/ -- VC4 VPU Programmers Manual: https://github.com/hermanhermitage/videocoreiv/wiki -- chat logs: https://libera.irclog.whitequark.org/~h~raspberrypi-internals -- bridged to matrix and discord

00:15 t0mm13b_ has quit [Quit: ZNC - https://znc.in]

00:45 t0mm13b has joined ##raspberrypi-internals

00:52 hackkitten has quit [Ping timeout: 268 seconds]

01:05 hackkitten has joined ##raspberrypi-internals

01:38 hackkitten has quit [Ping timeout: 268 seconds]

01:50 jn has quit [Ping timeout: 272 seconds]

01:50 jn has joined ##raspberrypi-internals

01:50 jn has quit [Changing host]

01:51 hackkitten has joined ##raspberrypi-internals

02:11 hackkitten has quit [Ping timeout: 264 seconds]

02:23 hackkitten has joined ##raspberrypi-internals

02:57 f__ has joined ##raspberrypi-internals

02:58 f_ has quit [Ping timeout: 260 seconds]

03:00 f__ is now known as f_

03:47 ryao has quit [Ping timeout: 252 seconds]

04:58 jcea has quit [Ping timeout: 256 seconds]

08:23 vriska has quit [Read error: Connection reset by peer]

08:25 vriska has joined ##raspberrypi-internals

13:06 Siecje has joined ##raspberrypi-internals

14:28 jcea has joined ##raspberrypi-internals

16:07 dolphinana has joined ##raspberrypi-internals

16:10 <dolphinana> hi! o/

16:11 <clever> dolphinana: *waves*

16:24 <dolphinana> good to see you again clever! ^^

16:24 <f_ridge> <f_[mtrx]/M> hi

16:24 <f_> hi

16:24 <dolphinana> hi f_

16:24 <f_> ^^

16:25 <f_> Long time no see :P

16:25 <dolphinana> indeed :P

16:25 <dolphinana> great to see y'all again! ^^

16:26 <f_[xmpp]> Wanting to hack on RPi again?

16:27 <dolphinana> yes ^^

16:28 <f_[xmpp]> nice :)

16:31 <dolphinana> I've been pretty busy in the last few months, so I didn't really have time to hack on RPi

16:31 <dolphinana> but now I'm a bit more free ^^

16:33 <clever> dolphinana: most recently, ive been hacking on the RP1 and got some things like PIO working

16:37 <dolphinana> RP1? Is that the new in-house chip by Raspberry Pi? Used in Raspberry Pi 5?

16:37 <clever> yep

16:37 <dolphinana> ooooh,

16:37 <dolphinana> I see ^^

16:37 <dolphinana> what does PIO mean?

16:38 <clever> the RP1 has 2 csi, 2 dsi, gpio, dual, cortex-m3, usb3, ethernet, and pio

16:38 <clever> the same PIO as the rp2040

16:38 <dolphinana> aaah, oki ^^

16:38 <clever> also, the rp2040 is the 2nd chip in the family

16:38 <clever> the RP1 came first

16:39 <clever> but the rp2040 was released to the public first

16:39 <dolphinana> I see

16:40 <dolphinana> I never knew that o.o

16:40 <clever> damn near all of the IO on the pi5, goes thru the RP1 chip

16:40 <clever> the hdmi, wifi, uSD, and pcie, are the only things still on the SoC

16:41 <dolphinana> aaah

16:41 <dolphinana> what is uSD?

16:41 <clever> micro sd card

16:41 <dolphinana> oooh, why call it uSD? It makes me confused xD

16:42 <clever> because i dont have the μ on my keyboard to call it μSD

16:42 <dolphinana> oh, okay :P

16:44 <dolphinana> clever: having a good day?

16:44 <clever> yep

16:44 <dolphinana> great to hear

16:44 <dolphinana> I'm also having a good day ^^

16:45 <clever> the pi4 and pi5 are fairly similar in design, in terms of firmware and dram

16:46 <dolphinana> mhm

16:46 <clever> they use the identical spi flash filesystem

16:46 <clever> and both use the memsysxx.bin files for dram init

16:46 <clever> for the pi4, bootmain.elf is just another stage in the loader, and it loads start4.elf from the boot media

16:47 <clever> for the pi4, bootmain.elf is the final stage, and it implements all of the runtime services (mailbox stuff)

16:47 <clever> oops, pi5 on the 2nd one!

16:47 <dolphinana> ah, I understand

16:48 <clever> in both cases, bootmain.elf is just a file in the SPI flash

16:48 <clever> but pi5 signs things differently

16:48 <clever> and its much better sealed up, so i have yet to get a rom dump

16:50 <dolphinana> oh, so it's more difficult to get a rom dump?

16:50 <clever> yeah

16:50 <dolphinana> damn..

16:50 <clever> for the pi0-pi3, bootcode.bin isnt verified, so a custom bootcode.bin can just read the rom and dump it to uart

16:51 <clever> for the pi4, recovery.bin is verified, but start4.elf isnt, so a custom start4.elf can just dump it

16:51 <dolphinana> good luck on getting a rom dump from pi5

16:52 <dolphinana> btw, how do I get the rom dump from pi1?

16:52 <clever> https://github.com/librerpi/lk-overlay/blob/master/project/rpi3-bootcode.mk

16:52 <clever> `make PROJECT=rpi3-bootcode` will generate a lk.bin file

16:53 <clever> rename it to bootcode.bin, and it will run on anything in the pi0-pi3 family

16:53 <clever> once booted, it will give a shell on the serial port, gpio 14/15, 115200 baud

16:53 <dolphinana> (I will not do it now, but I'll do it later ^^)

16:53 <clever> and there is a command to dump bytes

16:53 <clever> at 0x60000000 is the boot rom

16:54 <clever> ] db 0x60000000 0x5000

16:54 <clever> 0x60000000: 00 b0 00 01 f0 81 00 c0 e0 00 00 6d 82 18 0d 1f

16:54 <clever> 0x60000010: 1d c0 41 07 18 e8 00 80 00 60 19 e8 47 80 00 60

16:54 <clever> an example of running the dump bytes command, and the first 32 bytes it gave

16:54 <clever> then you just capture the uart traffic, and convert it to a .bin

16:55 <clever> one problem, is that something in the official start(4).elf turns the rom off

16:55 <clever> so you cant read the rom once linux has booted

16:55 <clever> so you need to hijack the boot before that stage

16:55 <dolphinana> thank you so much for the info ^^

16:56 <clever> and with the pi5, there are no unverified stages you can hijack....

16:56 <clever> https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface#execute-code

16:56 <clever> there was also this fun mailbox property

16:56 <clever> it lets you execute arbitrary VPU assembly

16:56 <clever> its missing on the pi5

16:57 <dolphinana> oooooh

16:57 <clever> https://github.com/ali1234/vcpoke/blob/master/main.c

16:58 <clever> an example of using that mailbox call

16:59 <dolphinana> I see

16:59 <dolphinana> btw, is the size of the bootROM 0x5000 large?

16:59 <clever> [clever@amd-nixos:~/apps/rpi/roms]$ hexdump -C rpi1-230aad04.bin | tail

16:59 <clever> 000047c0 02 3d 00 60 32 3e 00 60 40 00 00 00 05 00 00 00 |.=.`2>.`@.......|

17:00 <clever> 000047d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

17:00 <clever> *

17:00 <clever> looks to be about 0x47c0 bytes

17:00 <dolphinana> ah, okay ^^

17:00 <clever> ive got dumps for the roms from the pi1, pi2, pi3, pi4, and pi400

17:02 <clever> pi1 and pi2 are nearly identical

17:02 <dolphinana> (I'll be away now, see y'all later, perhaps later today?)

17:03 <dolphinana> (I will stay in the IRC chat tho... will just be inactive)

17:48 <Siecje> How does the Pi5 prevent you from reading the ROM?

17:49 <clever> Siecje: the main way, is that the VPU just doesnt allow running unsigned code

17:49 <clever> so you just cant run code to read the ROM

17:51 <Siecje> Why does Raspberry Pi the company care?

17:52 <Siecje> Security through obsecurity? So people can't learn how it works?

17:52 <clever> i dont really know

17:53 <Siecje> Or so you can't create a clone board?

17:53 <clever> you cant buy the SoC, so you cant produce a clone

17:56 <clever> and even if you could buy the SoC, you dont need the rom to make clones

17:56 <clever> assuming you could flash the OTP to enable booting from spi

17:56 <clever> but, i would assume a brand new SoC, might have verification disabled

18:04 <Siecje> I remember working somewhere in 2013 and someone was complaining about NDAs with Raspberry Pi. They ended up going with Beagle Bone black, not sure if it was any better.

18:05 <Siecje> "the USB host controller is under NDA"

18:06 <Siecje> Any idea why that is important? Or if it is still the case?

18:16 <clever> Siecje: the docs for the dwc2 controller are behind NDA (but have leaked, google can give you them)

18:16 <clever> they only matter if you want to use the dwc2 outside of linux

18:16 <clever> or improve the linux drivers

18:17 <clever> https://github.com/raspberrypi/linux/pull/3151#issuecomment-522126503

18:17 <clever> Siecje: also, the EZR32WG chip from silicon labs has a dwc2, and they did release docs

18:17 <clever> so if you just read the EZR32WG docs, youll get 90% of what you need

18:18 <Siecje> This was an embedded linux software company. They were looking for a device for training. They even thought touch screens were cheap enough that students could keep the hardware after the training.

18:19 <clever> depends on what exactly your training for

18:22 <Siecje> There were all kinds. Anything with encryption for the USA had restrictions.

18:23 <clever> i believe the entire pi0-pi4 lineup lacks hardware crypto extensions

18:23 <clever> only with the pi5 did they add arm hw crypto extensions

18:24 <Siecje> Even if the training was about how RSA worked there were import/export restrictions.

18:25 <Siecje> Does Pi5 have a TPM?

18:33 <clever> no proper hw TPM on the pi5

18:34 <Siecje> What did they add? Hardware to do crypto operations faster?

18:34 <clever> yeah

18:34 <clever> standard arm crypto extensions

19:03 <f_> clever: yyyyeeeahhhh good luck with dumping the bootROM on that Pi5..

19:05 <clever> ive got 2 plans currently, for gaining execute on the VPU, but both involve booting linux first

19:05 <clever> at which point, the rom will have dropped off the bus

19:05 <clever> so, how do i bring the rom back onto the bus?

19:05 <clever> is it even possible? the gameboy didnt allow it

20:47 Siecje has quit [Quit: Leaving...]

23:05 dolphinana has left ##raspberrypi-internals [##raspberrypi-internals]