Differences

This shows you the differences between two versions of the page.

--- megabitchip:start [2026/04/21 07:42] – megabitchip landing page with session index markus_fritsche
+++ megabitchip:start [2026/04/25 21:05] (current) – via XML-RPC markus_fritsche
@@ Line 3: / Line 3: @@
 Running index for the **MegabitChip** workstream — reverse-engineering
 and source-rebuilding the RK3588 DDR init blob
-(''rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin'') with the goal of
+(&#039;&#039;rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin&#039;&#039;) with the goal of
-producing a compileable, patchable C equivalent that byte-matches the
+producing a **buildable, working DDR blob** — a behavioural equivalent
-vendor binary under the reachability trace.
+under the reachability + MMIO-trace contract, not bit-identical
+reproduction.
 Target hardware: **ampere** (CoolPi CM5 GenBook, RK3588 + LPDDR5).
 Repo: [[https://git.reauktion.de/marfrit/rk3588-ddr-analysis]].
 Related running log: [[rk3588_ddr|RK3588 DDR Init Blob — RE & Patching]].
+===== Current state (as of 2026-04-21) =====
+  * **MMIO-diff: 3173 / 3173 writes byte-identical** (vendor ↔ rebuilt, happy-path LP5 cold boot).
+  * **Splicer**: 104 candidates / 85 spliced / 19 skip-larger / 0 failed.
+  * **Splicer skip-list**: 1 entry (&#039;&#039;154_FUN_de40&#039;&#039;, parked behind task #198).
+  * **Audit**: &#039;&#039;make audit&#039;&#039; green across data-symbols + early-return-tail scans.
+  * **6 silicon-hostile bugs caught pre-flash** in today&#039;s extended session across 3 bug classes — see [[megabitchip:2026-04-21_extended|session wrap]].
+===== Sub-pages =====
+  * [[megabitchip:simulation_stack|Simulation & verification stack]] — tripwire, training_sim, bitflip sweep, region classifier, audits, splicer
+  * [[megabitchip:port_matrix|Port matrix]] — per-function port status for the monster functions
+  * [[megabitchip:ddr_frequency_switching|DDR frequency switching & 3200 MHz on ampere]] — rkbin stock freqs, four switch mechanisms, DVFS entry point, observed LPDDR5-6400 on ampere
+  * [[megabitchip:pinetab2_ddr|DDR frequency switching on PineTab2 / RK3566 (LPDDR4)]] — sibling page for RK3566/LPDDR4, 1056→1332 MT/s verified on ohm, SPL-extraction gotcha, recovery procedures
 ===== Session recaps =====
@@ Line 15: / Line 31: @@
   * [[megabitchip:2026-04-20_dokuwiki|2026-04-20 — matching-decomp blitz]] (1/118 → 33/118 functions, poll-site coverage 4/16 → 15/16, canonical compile line settled)
   * [[megabitchip:2026-04-21_reloc_splice|2026-04-21 — reloc-splicer pass]] (reached 17 → 47/54, two bug classes: jump-table .rodata loss + void-signature x0 mutation)
+  * [[megabitchip:2026-04-21_simulation|2026-04-21 (Part 2) — simulation & MMIO-diff]] (three new tools: lockstep.py, mmio_diff.py, check_asm.sh; four more bugs fixed; MMIO writes 1..82 match byte-identically)
+  * [[megabitchip:2026-04-21_extended|2026-04-21 (Extended) — tripwire, bitflip, monster ports]] (sim_tripwire + PC-bucketed diff, 6 bugs / 3 classes caught pre-flash, fn_fcc4 + fn_1c14 + fn_de40 ports, bitflip sweep)
+===== Observations =====
+> //&quot;Markus&#039; insistence on simulation before flashing paid off. Big time. Again.&quot;// — 2026-04-21.
+The tripwire + PC-bucketed diff caught 3 silent NULL-derefs that hid
+behind a green &#039;&#039;mmio_diff 3173/3173&#039;&#039; baseline. &#039;&#039;ld
+--unresolved-symbols=ignore-all&#039;&#039; was quietly zero-resolving undefined
+&#039;&#039;DATA_SYMS&#039;&#039; externs, turning &#039;&#039;adrp+ldr&#039;&#039; into NULL-deref on silicon.
+A second bug class (C early-return skipping vendor&#039;s shared-tail RMW)
+and a third (port-as-read-only where vendor writes) surfaced the same
+session. All three would have been silicon corruption if flashed.
+**The simulator layer is not optional, even when mmio_diff is green.**
+Every bug a pre-silicon tool surfaces is a device not bricked.