brom-dump: payloads: add partial mt6573 support (usb-dump)

hello-world-uart doesn't print anything yet.
arzam16 · Apr 1, 2023 · 3ebf8a0 · 3ebf8a0
1 parent 44486f5
commit 3ebf8a0
Show file tree

Hide file tree

Showing 7 changed files with 132 additions and 7 deletions.
diff --git a/brom-dump/README.md b/brom-dump/README.md
@@ -251,3 +251,7 @@ The `MTK_AllInOne_DA.bin` found in the Linux distribution of SP Flash Tool v5.16
 Looks like the NAND support depends on host SPFT application, not on DA itself. I started my Windows computer (the only reason for this is there are more archive versions for Windows than for Linux) and began testing SP Flash Tool distributions older than v5.1648 but I shoved them the DA from v5.1648. It took me some time to figure out that the latest version of SP Flash Tool for Windows that supports mt6573 with NAND is v5.1624.
 
 I set up Wireshark and USBPcap and shortly after got the traffic dump I was looking for. The dumped traffic allowed me to carve out the original DA for mt6573 and implement support for this SoC in `spft-replay`.
+
+Adding support for mt6573 in payloads was just a matter of finding some function addresses in its original DA and putting them into header files, as well as adding a new target to Makefile. 
+
+Unfortunately, things didn't go as well as expected. Despite USB dump payload working properly the "Hello world" payload doesn't print anything at all. I will fix it next.
diff --git a/brom-dump/payloads/Makefile b/brom-dump/payloads/Makefile
@@ -17,15 +17,18 @@ AUX_DIR = $(BUILD_DIR)/aux
 OUT_DIR = $(BUILD_DIR)/out
 
 # Supported devices
-ALL_TARGETS = mt6589
+ALL_TARGETS = mt6573 mt6589
 # This has to be set manually
 TARGET ?= unsupported
+# Linker script for target
 TARGET_LD_SCRIPT = include/$(TARGET)/payload.ld
+# Target-specific init module
 TARGET_INIT = $(OUT_DIR)/$(TARGET)-init.o
 
 # Flags for individual targets
-TARGET_FLAGS = $($(TARGET)_FLAGS) -I include/$(TARGET)
-mt6589_FLAGS = -mcpu=cortex-a7
+TARGET_FLAGS = $($(subst mt,MT,$(TARGET))_FLAGS) -I include/$(TARGET)
+MT6573_FLAGS = -mcpu=arm1176jzf-s
+MT6589_FLAGS = -mcpu=cortex-a7
 
 # Available payloads
 PAYLOADS = hello-world-uart usb-dump
@@ -35,7 +38,7 @@ TARGET_DA_PATCHED = $(OUT_DIR)/$(TARGET)-da-patched.bin
 
 CHECKSUM_SPFT_V5_1648_LINUX := "9c9c57405ee35044e41d7958cfbd01232107101ec5cec03539d33438cbe38b4b"
 
-.PHONY: all target clean
+.PHONY: all target print-targets clean
 
 all: target $(PAYLOAD_BINS)
 
@@ -44,6 +47,9 @@ ifeq ($(TARGET),unsupported)
 	$(error "TARGET is not defined, supported values: $(ALL_TARGETS)")
 endif
 
+print-targets:
+	@echo $(ALL_TARGETS)
+
 clean:
 	rm -vf $(AUX_DIR)/*-da-original.bin
 	rm -vf $(OUT_DIR)/*-da-patched.bin
@@ -74,14 +80,32 @@ $(AUX_DIR)/mt6573-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip |
 		tail -c +14813 | head -c 90932 \
 		> "$@"
 
+# Patch the internal memory initialization routine to jump to our payload
+# before Download Agent starts waiting for more data from SP Flash Tool.
+#
+# Before patch:
+# ======================================================================
+# 90005bd4 00 78           ldrb       r0,[r0,#0x0]
+# 90005bd6 88 47           blx        r1
+# 90005bd8 e8 68           ldr        r0,[r5,#0xc]=>DAT_40007edc
+# 90005bda 00 78           ldrb       r0,[r0,#0x0]
+#
+#
+# After patch:
+# ======================================================================
+# 90005bd4 00 78           ldrb       r0,[r0,#0x0]
+# 90005bd6 88 47           blx        r1
+# 90005bd8 15 f0 ac eb     blx        FUN_9001b334
+$(OUT_DIR)/mt6573-da-patched.bin: $(AUX_DIR)/mt6573-da-original.bin | $(OUT_DIR) $(AUX_DIR)
+	xxd -c 256 -p "$<" |\
+		sed -e "s/00788847e8680078/0078884715f0aceb/" |\
+		xxd -p -r > "$@"
+
 $(AUX_DIR)/mt6589-da-original.bin: $(AUX_DIR)/SP_Flash_Tool_v5.1648_Linux.zip | $(AUX_DIR)
 	7z x -so "$<" "SP_Flash_Tool_v5.1648_Linux/MTK_AllInOne_DA.bin" |\
 		tail -c +767137 | head -c 141012 \
 		> "$@"
 
-# Patch the internal memory initialization routine to jump to our payload
-# before Download Agent starts waiting for more data from SP Flash Tool.
-#
 # Before patch:
 # ======================================================================
 # 12000cd6 ff f7 cc ff     bl         FUN_12000c72

diff --git a/brom-dump/payloads/build-all.sh b/brom-dump/payloads/build-all.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# SPDX-License-Identifier: Unlicense
+
+for target in $(make print-targets); do
+	make TARGET="$target"
+done
diff --git a/brom-dump/payloads/include/mt6573/da-api.h b/brom-dump/payloads/include/mt6573/da-api.h
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+#include <stdint.h>
+
+void (*DA_putc_wrapper_uart)(uint8_t) =
+	( void (*)(uint8_t) )
+	(0x90007AFE + 1);
+void (*DA_print_hex_value)(uint32_t, uint32_t) =
+	( void (*)(uint32_t, uint32_t) )
+	(0x90007B14 + 1);
+void (*DA_printf_uart)(uint8_t*, uint32_t, uint32_t, uint32_t) =
+	( void (*)(uint8_t*, uint32_t, uint32_t, uint32_t) )
+	(0x90007B42 + 1);
+
+
+
+void (*DA_io_usb_write)(uint8_t*, uint32_t) =
+	( void (*)(uint8_t*, uint32_t) )
+	(0x900099FE + 1);
+uint32_t (*DA_io_usb_readl)() =
+	( uint32_t (*)() )
+	(0x90009BB8 + 1);
+void (*DA_io_usb_writel)(uint32_t) =
+	( void (*)(uint32_t) )
+	(0x90009BE4 + 1);
diff --git a/brom-dump/payloads/include/mt6573/hw-api.h b/brom-dump/payloads/include/mt6573/hw-api.h
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+#define HW_reg_chip_id			0x70026008
+
+#define MEM_brom_start			0x48000000
+#define MEM_brom_length			0x10000
+#define MEM_sram_start			0x40000000
+#define MEM_sram_length			0x40000
+#define MEM_da_start			0x90005000
+#define MEM_da_length			0x1B000
diff --git a/brom-dump/payloads/include/mt6573/hw-api.s b/brom-dump/payloads/include/mt6573/hw-api.s
@@ -0,0 +1,5 @@
+@ SPDX-License-Identifier: GPL-3.0-only
+@ SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16>
+
+@ derived from the original mt6573 DA, see 0x90005068
+.equ MEM_stack_base,		0x400013FC
diff --git a/brom-dump/payloads/include/mt6573/payload.ld b/brom-dump/payloads/include/mt6573/payload.ld
@@ -0,0 +1,49 @@
+/* SPDX-License-Identifier: GPL-3.0-only */
+/* SPDX-FileCopyrightText: 2023 arzamas-16 <https://github.com/arzamas-16> */
+
+ENTRY(_init)
+
+MEMORY
+{
+	DA_RAM (IWX) : ORIGIN = 0x9001b334, LENGTH = 0x800
+}
+
+SECTIONS
+{
+	.text :
+	{
+		*(.text.init);
+		*(.text*);
+	}
+
+	.rodata :
+	{
+		*(.rodata);
+		*(.rodata.*);
+		*(.gnu.linkonce.r.*);
+	}
+
+	.data :
+	{
+		*(.data);
+		*(.data.*);
+		*(.gnu.linkonce.d.*);
+	}
+
+	.bss :
+	{
+
+		*(.bss);
+		*(.bss.*);
+		*(.gnu.linkonce.b.*);
+
+		*(COMMON);
+	}
+
+	.fill :
+	{
+		FILL(0);
+		. = ORIGIN(DA_RAM) + LENGTH(DA_RAM) - 1;
+		BYTE(0);
+	}
+}