##raspberrypi-internals on 2024-05-13 — irc logs at libera.irclog.whitequark.org

2024-01-15 19:00 f_ changed the topic of ##raspberrypi-internals to: The inner workings of the Raspberry Pi (Low level VPU/HW) -- for general queries please visit #raspberrypi -- open firmware: https://librerpi.github.io/ -- VC4 VPU Programmers Manual: https://github.com/hermanhermitage/videocoreiv/wiki -- chat logs: https://libera.irclog.whitequark.org/~h~raspberrypi-internals -- bridged to matrix and discord

02:33 jcea has quit [Ping timeout: 268 seconds]

10:25 Ad0 has quit [Ping timeout: 260 seconds]

10:27 bonda_000 has joined ##raspberrypi-internals

10:27 <bonda_000> clever: u here?

10:33 Ad0 has joined ##raspberrypi-internals

12:37 bonda_000 has quit [Ping timeout: 268 seconds]

12:40 bonda_000 has joined ##raspberrypi-internals

12:49 jcea has joined ##raspberrypi-internals

13:36 <juri_> clever is always here. :)

14:12 CompanionCube has quit [Quit: ZNC - http://znc.in]

14:20 CompanionCube has joined ##raspberrypi-internals

15:19 <f_[xmpp]> juri_ ;)

15:19 <f_[xmpp]> many are always there :P

15:25 f_ has joined ##raspberrypi-internals

15:41 <juri_> always here, but not always in this timezone. :)

16:32 Stromeko has quit [Ping timeout: 260 seconds]

16:37 Stromeko has joined ##raspberrypi-internals

16:51 bonda_000 has quit [Ping timeout: 268 seconds]

17:37 bonda_000 has joined ##raspberrypi-internals

17:39 <f_> juri_: ;)

17:57 <f_ridge> <x2x6_/D> Hi

18:30 <juri_> Hi!

18:33 <bonda_000> are you guys working on reverse engineering the vpu code as well? juri: f_ridge:

18:33 <bonda_000> it's been quite here since I joined only talked to clever for the most part

19:41 f_ has quit [Quit: To contact me, send a memo using MemoServ, PM f_[xmpp], or send an email. See https://vitali64.duckdns.org/.]

20:22 <f_ridge> <x2x6_/D> I eventually do that from time to time. Especially now, when Clever has pointed me to an unstripped version . Before that it was a more tough experience

20:22 <f_ridge> <x2x6_/D> I eventually do that from time to time. Especially now, when Clever has pointed me to an unstripped version of start_x. Before that it was a more tough experience(edited)

20:25 user_user has joined ##raspberrypi-internals

20:39 user_user has quit [Quit: leaving]

21:13 user_user has joined ##raspberrypi-internals

21:13 <user_user> I want to measure exact periods of time to understand how my functions are performing on a baremetal code on PI3

21:14 <clever> user_user: i think the best option is to just read ST_CLO before and after running your function, but the resolution is only 1 uSec

21:14 <clever> the arm timer might also work, if its not being reset by other things

21:15 <clever> oh, and the arm has dedicated performance counters you could look into

21:15 <user_user> I think I should use a systimer but I remember some controversal info seen somewhere that videocore tweaks clocks for ARM cpu.

21:15 <clever> i think those can count things like clock cycles elapsed, and cache misses

21:16 <clever> assuming your not having thermal throttling, the VPU will only change the arm clock when you ask it to

21:16 <user_user> So if it does so I can not really rely on anything that is clock based?

21:16 <clever> usually via the linux cpufreq driver

21:16 <clever> ST_CLO is always clocked at 1mhz, that never changes

21:55 user_user has quit [Quit: leaving]

22:59 <bonda_000> so far figured out

22:59 <bonda_000> the first program that is run after the init

22:59 <bonda_000> vmcs_app

23:00 <bonda_000> ends up in vmcs_task_alloc_ex that creates first 12 threads

23:00 <bonda_000> I'm not sure if you call those queues or threads

23:01 <bonda_000> clever: do you consider this a code obfuscation if values are swapped back and forth between lo regs, the stack, and high regs?

23:02 <bonda_000> I notice that the nested function calls of vcos/tx tend to reach back to the stack of the caller function to grab something

23:04 <clever> bonda_000: is it just doing sp + offset to go back in the stack, or is it being passed a pointer?

23:05 <bonda_000> one that I am at right now, had sp passed as an argument and yeah goes back up the stack

23:05 <clever> the only time ive noticed any real code obfuscation, is when dealing with some of the hmac keys in start.elf

23:05 <clever> it has a big array of the expected keys, but they have all been xor'd with a constant

23:05 <clever> so you have to xor each of them with that constant, to get the real key

23:05 <bonda_000> vcos_thread_create param_3 is a stack pointer of a caller, vcos_thread_create_classic

23:06 <clever> that sounds like its just a struct allocated on the local stack frame

23:06 <clever> so basically, `struct foo; bar(&foo);`

23:06 <clever> which is totally normal c stuff

23:06 <bonda_000> uh, sort of

23:06 <bonda_000> default_attrs

23:06 <bonda_000> got copied there

23:07 <clever> ah yes, the thread attributes, i saw that recently

23:07 <bonda_000> and then

23:07 <clever> thats just initializing the thread attributes to a default value

23:07 <bonda_000> yeah it has a pointer to 0x2000 bytes of malloced memory

23:08 <bonda_000> then a constant 2000h

23:08 <bonda_000> nvm, that's not a default

23:08 <bonda_000> that's for these first 12 threads

23:09 <bonda_000> and then

23:09 <bonda_000> it has hidden two function pointers

23:09 <bonda_000> on a stack and into a thread_struct that is of size 1F4

23:10 <bonda_000> vmcs_app_message_handler() is the one you want to take a look at

23:10 <bonda_000> it's not a message handler but it's basically the meat of the VPU code

23:10 <bonda_000> it initiates everything

23:11 <bonda_000> arm, linux kernel, cameras, hdmi

23:12 <clever> yeah, vmcs_app_message_handler, seems to be starting nearly everything on the system

23:13 <bonda_000> https://imgur.com/IF4eJLU

23:14 <bonda_000> so hopefully I can get across the place where the last entry of this struct is being referenced

23:21 <clever> bonda_000: oh, found something interesting, vmcs_initialise_auto_vchi_services

23:21 <clever> at cma_service_start_info, is an array of things, each 0xc bytes long

23:22 <clever> you have a byte telling vmcs_initialise_auto_vchi_services how to call a function, a function pointer, and an unknown 32bit int

23:22 <clever> correction, a pointer to a char*

23:23 <clever> that launches 3 services, cma, mmal, and wdog

23:23 <bonda_000> what is cma?

23:23 <clever> contiguous memory allocator

23:24 <bonda_000> oh yeah

23:24 <clever> mmal_server_start, is the thing we looked at yesterday!

23:24 <bonda_000> I dont quite understand what its doing

23:24 <bonda_000> adding 4 to a string and calling it as a code

23:25 <clever> its not code

23:25 <clever> correction

23:25 <clever> its not a string

23:25 <clever> bonda_000: https://imgur.com/a/2bAGxbD

23:25 <bonda_000> char *

23:25 <clever> its an array of 3 `struct { byte something; byte padding[3]; code *fun; char *name; }`

23:26 <bonda_000> pcVar3 = "\x01"

23:27 <bonda_000> char *pcVar3;

23:27 <clever> thats testing that the first byte is a 1

23:27 <clever> ghidra wrongly assumed its a string

23:28 <bonda_000> don't even know what "\x01" but could be a 32 bit address of something

23:28 <clever> its just 1

23:28 <bonda_000> so then it does

23:28 <clever> https://gist.github.com/cleverca22/21c79f326385efcefcedd93a68a93683

23:29 <bonda_000> iVar1 = (**(code **)(pcVar3 + 4))(param_1,param_2,param_3,*(code **)(pcVar3 + 4));

23:29 <bonda_000> oh yeah

23:29 <bonda_000> how much we are stepping depends on what variable type it is

23:30 <bonda_000> but still

23:30 <bonda_000> char pointer plus four thats a 16 byte step forward

23:32 <bonda_000> ah yeah its the lea r8, cma_service_start_info

23:32 <bonda_000> that didn't make it's way to the decompile window

23:32 <clever> if the byte is 0, it calls the function pointer with 3 args, the same 3 vmcs_initialise_auto_vchi_services received

23:32 <clever> if the byte is 1, it calls it with just 1 argument

23:33 <clever> i think technically, its loading the address of __VCHIQ_SERVICES_START and __VCHIQ_SERVICES_END

23:33 <clever> but there is then also a symbol for each element in that array

23:33 <clever> so cma_service_start_info == __VCHIQ_SERVICES_START

23:34 <clever> so it starts at __VCHIQ_SERVICES_START, reads a 12 byte thing, increments by 12, and repeats, until it hits __VCHIQ_SERVICES_END

23:34 <clever> fairly standard looping mechanics

23:38 <bonda_000> so it's a contiguous memory allocator for a chip that has no MMU?

23:40 <bonda_000> what I think is, if you just remove arm_loader and kernel_load from that function, you have all the VPU to yourself

23:42 <clever> pretty much

23:42 <clever> but you would still need symbols and headers, to properly call the thread/malloc stuff

23:42 <clever> and its simpler to just port your own things, like i did with LK

23:45 <bonda_000> well good thing is that it fits into a bootcode.bin format

23:45 <bonda_000> if you go start_x.elf that's extra copying of bytes and slower startup time

23:46 <bonda_000> it takes a minute on Ethernet to get to the end of 2nd stage

23:46 <clever> that sounds like serious network problems

23:46 <clever> mine can boot in seconds

23:46 <bonda_000> "a minute" not literally

23:46 <bonda_000> but you can see it gives sd card a timeout

23:46 <bonda_000> not instantly jump to secondary options

23:47 <clever> ah, put an SD card in it, with no files on it

23:47 <clever> then it wont have timeouts

23:47 <clever> https://imgur.com/Yeh6wEr this is the bootcode-fast-ntsc target from lk-overlay

23:47 <clever> it boots (from sd) to a video output, in just 0.61 seconds

23:47 <clever> the tv itself takes longer then that to turn on, lol

23:53 <bonda_000> that's the audio jack to composite video you told me about?

23:54 <clever> yep

23:54 <bonda_000> and that's within the vec module correct? to overtake the audio jack

23:54 <clever> yeah