MegabitChip
Running index for the MegabitChip workstream — reverse-engineering and source-rebuilding the RK3588 DDR init blob (''rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin'') with the goal of producing a buildable, working DDR blob — a behavioural equivalent under the reachability + MMIO-trace contract, not bit-identical reproduction.
Target hardware: ampere (CoolPi CM5 GenBook, RK3588 + LPDDR5). Repo: https://git.reauktion.de/marfrit/rk3588-ddr-analysis. Related running log: RK3588 DDR Init Blob — RE & Patching.
Current state (as of 2026-04-21)
- MMIO-diff: 3173 / 3173 writes byte-identical (vendor ↔ rebuilt, happy-path LP5 cold boot).
- Splicer: 104 candidates / 85 spliced / 19 skip-larger / 0 failed.
- Splicer skip-list: 1 entry (''154_FUN_de40'', parked behind task #198).
- Audit: ''make audit'' green across data-symbols + early-return-tail scans.
- 6 silicon-hostile bugs caught pre-flash in today's extended session across 3 bug classes — see session wrap.
Sub-pages
- Simulation & verification stack — tripwire, training_sim, bitflip sweep, region classifier, audits, splicer
- Port matrix — per-function port status for the monster functions
- DDR frequency switching & 3200 MHz on ampere — rkbin stock freqs, four switch mechanisms, DVFS entry point, observed LPDDR5-6400 on ampere
- DDR frequency switching on PineTab2 / RK3566 (LPDDR4) — sibling page for RK3566/LPDDR4, 1056→1332 MT/s verified on ohm, SPL-extraction gotcha, recovery procedures
Session recaps
- 2026-04-20 — matching-decomp blitz (1/118 → 33/118 functions, poll-site coverage 4/16 → 15/16, canonical compile line settled)
- 2026-04-21 — reloc-splicer pass (reached 17 → 47/54, two bug classes: jump-table .rodata loss + void-signature x0 mutation)
- 2026-04-21 (Part 2) — simulation & MMIO-diff (three new tools: lockstep.py, mmio_diff.py, check_asm.sh; four more bugs fixed; MMIO writes 1..82 match byte-identically)
- 2026-04-21 (Extended) — tripwire, bitflip, monster ports (sim_tripwire + PC-bucketed diff, 6 bugs / 3 classes caught pre-flash, fn_fcc4 + fn_1c14 + fn_de40 ports, bitflip sweep)
Observations
"Markus' insistence on simulation before flashing paid off. Big time. Again." — 2026-04-21.
The tripwire + PC-bucketed diff caught 3 silent NULL-derefs that hid behind a green ''mmio_diff 3173/3173'' baseline. ''ld --unresolved-symbols=ignore-all'' was quietly zero-resolving undefined ''DATA_SYMS'' externs, turning ''adrp+ldr'' into NULL-deref on silicon. A second bug class (C early-return skipping vendor's shared-tail RMW) and a third (port-as-read-only where vendor writes) surfaced the same session. All three would have been silicon corruption if flashed.
The simulator layer is not optional, even when mmio_diff is green. Every bug a pre-silicon tool surfaces is a device not bricked.
