Add some more interesting payloads

c8_libpayload/pl/include/brfunc_common.h

@@ -4,6 +4,7 @@
 #include "checkm8_config.h"
 
 typedef int (*BOOTROM_FUNC)();
+typedef unsigned char (*(*BOOTROM_FUNC_PTR)());
 
 #if CHECKM8_PLATFORM == 8010
 
@@ -29,6 +30,9 @@ typedef int (*BOOTROM_FUNC)();
 #define ADDR_TIME_HAS_ELAPSED               0x10000B04F
 #define ADDR_TASK_SLEEP                     0x10000ADF0
 
+/* Boot */
+#define ADDR_NVME_INIT                      0x1000080B4
+
 #else
 #error "Unsupported checkm8 platform"
 #endif

c8_libpayload/pl/src/aes_sw.c

@@ -116,6 +116,18 @@ void expand_key(unsigned char key[16], unsigned char key_sched[176], int n,
     }
 }
 
+PAYLOAD_SECTION
+void busy_sleep(int usec)
+{
+    unsigned long long halt = 0x1000004fc;
+    unsigned long long timer_deadline_enter = 0x10000b874;
+    unsigned long long now;
+
+    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
+    ((BOOTROM_FUNC) timer_deadline_enter)(now + 24 * usec, ((BOOTROM_FUNC) 0x10000b924));
+    ((BOOTROM_FUNC) halt)();
+}
+
 PAYLOAD_SECTION
 void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char key[16],
                         unsigned char sbox[16][16], unsigned char rc_lookup[11],
@@ -123,6 +135,7 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
 {
     unsigned char key_sched[176];
     expand_key(key, key_sched, 11, sbox, rc_lookup);
+    busy_sleep(10);
 
     unsigned int num_blocks = msg_len / 16;
     unsigned char *block;
@@ -139,7 +152,6 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
             shift_rows(block);
             mix_cols(block, mul2, mul3);
             add_key(block, &key_sched[16 * (j + 1)]);
-            task_sleep(20);
         }
 
         sub_bytes(block, sbox);
@@ -149,34 +161,14 @@ void aes128_encrypt_ecb(unsigned char *msg, unsigned int msg_len, unsigned char
 }
 
 TEXT_SECTION
-unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
+void _start(unsigned char *msg, unsigned int msg_len, unsigned char *key,
                     unsigned char sbox[16][16], unsigned char rc_lookup[11],
                     unsigned char mul2[256], unsigned char mul3[256])
 {
     unsigned long long start, end;
+    unsigned long long platform_quiesce_hardware = 0x100007dd0;
 
     __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
     aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
     __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
-
-//    for(i = 0; i < 256; i++)
-//    {
-//        __asm__ volatile ("dc civac, %0" : : "r" (&sbox[i % 16][i / 16]) : "memory");
-//        __asm__ volatile ("dc civac, %0" : : "r" (&mul2[i]) : "memory");
-//        __asm__ volatile ("dc civac, %0" : : "r" (&mul3[i]) : "memory");
-//    }
-//
-//    for(i = 0; i < 16; i++)
-//    {
-//        __asm__ volatile ("dc civac, %0" : : "r" (&msg[i]) : "memory");
-//        __asm__ volatile ("dc civac, %0" : : "r" (&key[i]) : "memory");
-//    }
-//
-//    for(i = 0; i < 12; i++)
-//    {
-//        __asm__ volatile ("dc civac, %0" : : "r" (&rc_lookup[i]) : "memory");
-//    }
-//
-//    __asm__ volatile ("dsb sy");
-    return end - start;
 }

c8_libpayload/pl/src/bootstrap.c

@@ -0,0 +1,26 @@
+#include "util.h"
+
+TEXT_SECTION
+unsigned long long _start()
+{
+//    unsigned long long platform_quiesce_hardware = 0x100007dd0;
+//    unsigned long long enter_critical_section = 0x10000a4b8;
+//    unsigned long long halt = 0x1000004fc;
+//    unsigned long long timer_deadline_enter = 0x10000b874;
+//    unsigned long long now, later;
+//
+//    ((BOOTROM_FUNC) platform_quiesce_hardware)();
+//    //((BOOTROM_FUNC) enter_critical_section)();
+//
+//    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (now));
+//    ((BOOTROM_FUNC) timer_deadline_enter)(now + (24000000) - 64, ((BOOTROM_FUNC) 0x10000b924));
+//    ((BOOTROM_FUNC) halt)();
+//    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (later));
+
+    volatile unsigned long long regval = 0xffff;
+    __asm__ volatile ("mrs %0, fpcr" : "=r" (regval));
+    regval = (1u << 24u);
+    __asm__ volatile ("msr fpcr, %0" : "=r" (regval));
+
+    return regval;
+}

c8_libpayload/pl/src/floppysleep.S

@@ -0,0 +1,189 @@
+.global fs_routine
+.global fs_load
+# .global check_subnormal
+
+.section .payload_text, "ax"
+
+fs_load:
+    # load from memory
+    ldr     s0,         [x0]
+    mov     v0.s[1],    v0.s[0]
+    mov     v0.s[2],    v0.s[0]
+    mov     v0.s[3],    v0.s[0]
+    fmov    s31,        1.0
+    ucvtf   s30,         w1
+    
+    mov     v1.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v1.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v1.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v1.s[0],    v30.s[0]
+        
+    fadd    s30,         s30,     s31
+    mov     v2.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v2.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v2.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v2.s[0],    v30.s[0]
+        
+    fadd    s30,         s30,     s31
+    mov     v3.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v3.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v3.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v3.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v4.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v4.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v4.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v4.s[0],    v30.s[0]
+        
+    fadd    s30,         s30,     s31
+    mov     v5.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v5.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v5.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v5.s[0],    v30.s[0]
+
+        
+    fadd    s30,         s30,     s31
+    mov     v6.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v6.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v6.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v6.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v7.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v7.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v7.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v7.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v8.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v8.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v8.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v8.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v9.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v9.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v9.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v9.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v10.s[3],    v10.s[0]
+    fadd    s30,         s30,     s31
+    mov     v10.s[2],    v10.s[0]
+    fadd    s30,         s30,     s31
+    mov     v10.s[1],    v10.s[0]
+    fadd    s30,         s30,     s31
+    mov     v10.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v11.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v11.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v11.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v11.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v12.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v12.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v12.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v12.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v13.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v13.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v13.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v13.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v14.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v14.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v14.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v14.s[0],    v30.s[0]
+
+    fadd    s30,         s30,     s31
+    mov     v15.s[3],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v15.s[2],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v15.s[1],    v30.s[0]
+    fadd    s30,         s30,     s31
+    mov     v15.s[0],    v30.s[0]
+
+    #mov    s30,        wzr
+    #mov    s31,        wzr
+    ret
+
+fs_routine:
+    fdiv    v16.4s,     v0.4s,      v1.4s
+    fdiv    v17.4s,     v0.4s,      v2.4s
+    fdiv    v18.4s,     v0.4s,      v3.4s
+    fdiv    v19.4s,     v0.4s,      v4.4s
+    fdiv    v20.4s,     v0.4s,      v5.4s
+    fdiv    v21.4s,     v0.4s,      v6.4s
+    fdiv    v22.4s,     v0.4s,      v7.4s
+    fdiv    v23.4s,     v0.4s,      v8.4s
+    fdiv    v24.4s,     v0.4s,      v9.4s
+    fdiv    v25.4s,     v0.4s,      v10.4s
+    fdiv    v26.4s,     v0.4s,      v11.4s
+    fdiv    v27.4s,     v0.4s,      v12.4s
+    fdiv    v28.4s,     v0.4s,      v13.4s
+    fdiv    v29.4s,     v0.4s,      v14.4s
+    fdiv    v30.4s,     v0.4s,      v15.4s
+
+    fdiv    v16.4s,     v16.4s,     v15.4s
+    fdiv    v17.4s,     v17.4s,     v14.4s
+    fdiv    v18.4s,     v18.4s,     v13.4s
+    fdiv    v19.4s,     v19.4s,     v12.4s
+    fdiv    v20.4s,     v20.4s,     v11.4s
+    fdiv    v21.4s,     v21.4s,     v10.4s
+    fdiv    v22.4s,     v22.4s,     v9.4s
+    fdiv    v23.4s,     v23.4s,     v8.4s
+    fdiv    v24.4s,     v24.4s,     v7.4s
+    fdiv    v25.4s,     v25.4s,     v6.4s
+    fdiv    v26.4s,     v26.4s,     v5.4s
+    fdiv    v27.4s,     v27.4s,     v4.4s
+    fdiv    v28.4s,     v28.4s,     v3.4s
+    fdiv    v29.4s,     v29.4s,     v2.4s
+    fdiv    v30.4s,     v30.4s,     v1.4s
+
+    mov     w0,         v16.s[3]
+    ret

c8_libpayload/pl/src/floppysleep.c

@@ -0,0 +1,44 @@
+#include "brfunc_common.h"
+#include "util.h"
+
+extern unsigned long long fs_routine(void);
+
+extern unsigned long long fs_load(float *dividend, int divisor_base);
+// extern unsigned long long check_subnormal();
+
+PAYLOAD_SECTION
+unsigned int is_subnormal(float val)
+{
+    unsigned int bytes = *((unsigned int *) &val);
+    bytes = bytes >> 23u;
+
+    if(bytes & 0x7u)
+    {
+        return 0;
+    }
+    else return 1;
+}
+
+TEXT_SECTION
+unsigned long long _start(float *init_a)
+{
+    int i;
+    unsigned long long check;
+    unsigned long long start, end, report;
+    unsigned long long timer_deadline_enter = 0x10000b874;
+    unsigned long long halt = 0x1000004fc;
+
+    fs_load(init_a, 1);
+
+    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
+    for(i = 0; i < 1; i++) check = fs_routine();
+    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));
+
+//
+//    ((BOOTROM_FUNC) timer_deadline_enter)(2 * end - start - 64, ((BOOTROM_FUNC) 0x10000b924));
+//    ((BOOTROM_FUNC) halt)();
+
+
+//    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (report));
+    return end - start;
+}