MegabitChip
Running index for the MegabitChip workstream — reverse-engineering
and source-rebuilding the RK3588 DDR init blob
(rk3588_ddr_lp4_1848MHz_lp5_2112MHz_v1.19.bin) with the goal of
producing a buildable, working DDR blob — a behavioural equivalent
under the reachability + MMIO-trace contract, not bit-identical
reproduction.
Target hardware: ampere (CoolPi CM5 GenBook, RK3588 + LPDDR5). Repo: https://git.reauktion.de/marfrit/rk3588-ddr-analysis. Related running log: RK3588 DDR Init Blob — RE & Patching.
Current state (as of 2026-04-21)
- MMIO-diff: 3173 / 3173 writes byte-identical (vendor ↔ rebuilt, happy-path LP5 cold boot).
- Splicer: 104 candidates / 85 spliced / 19 skip-larger / 0 failed.
- Splicer skip-list: 1 entry (154_FUN_de40, parked behind task #198).
- Audit: make auditgreen across data-symbols + early-return-tail scans.
- 6 silicon-hostile bugs caught pre-flash in today's extended session across 3 bug classes — see session wrap.
Sub-pages
- Simulation & verification stack — tripwire, training_sim, bitflip sweep, region classifier, audits, splicer
- Port matrix — per-function port status for the monster functions
Session recaps
- 2026-04-20 — matching-decomp blitz (1/118 → 33/118 functions, poll-site coverage 4/16 → 15/16, canonical compile line settled)
- 2026-04-21 — reloc-splicer pass (reached 17 → 47/54, two bug classes: jump-table .rodata loss + void-signature x0 mutation)
- 2026-04-21 (Part 2) — simulation & MMIO-diff (three new tools: lockstep.py, mmio_diff.py, check_asm.sh; four more bugs fixed; MMIO writes 1..82 match byte-identically)
- 2026-04-21 (Extended) — tripwire, bitflip, monster ports (sim_tripwire + PC-bucketed diff, 6 bugs / 3 classes caught pre-flash, fn_fcc4 + fn_1c14 + fn_de40 ports, bitflip sweep)
Observations
“Markus' insistence on simulation before flashing paid off. Big time. Again.” — 2026-04-21.
The tripwire + PC-bucketed diff caught 3 silent NULL-derefs that hid behind a green mmio_diff 3173/3173 baseline. ld --unresolved-symbols=ignore-all was quietly zero-resolving undefined DATA_SYMS externs, turning adrp+ldr into a NULL-deref on silicon. A second bug class (C early-return skipping vendor's shared-tail RMW) and a third (port-as-read-only where vendor writes) surfaced the same session. All three would have been silicon corruption if flashed.
The simulator layer is not optional, even when mmio_diff is green. Every bug a pre-silicon tool surfaces is a device not bricked.
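As an added example (not part of the workstream's tooling), a small post-link audit for the adrp+ldr NULL-deref class above: it scans objdump -d style AArch64 disassembly for loads or stores whose base register was set by adrp to page 0, which is what a zero-resolved extern looks like after ld --unresolved-symbols=ignore-all. The disassembly line format, the register-tracking heuristic and the sample lines are assumptions and constructed input, not output from the rebuilt blob.

```python
import re

# Line shape assumed from `objdump -d` AArch64 output (an assumption, not the
# workstream's own tooling); the sample encodings below are constructed.
INSN = re.compile(r'^\s*([0-9a-f]+):\s+[0-9a-f]{8}\s+(\w+)\s*(.*)$')
ADRP = re.compile(r'^(x\d+),\s*(?:0x)?([0-9a-f]+)')
ADD = re.compile(r'^(x\d+),\s*(x\d+),\s*#(?:0x)?([0-9a-f]+)$')
MEM = re.compile(r'\[(x\d+)(?:,\s*#(-?)(?:0x)?([0-9a-f]+))?\]')

def find_null_page_derefs(lines, page_size=0x1000):
    """Return [(pc, text)] for loads/stores whose base was set by adrp of
    page 0: the footprint of an extern that ld silently resolved to 0."""
    base = {}  # xN -> absolute address it holds, as far as adrp/add tell us
    hits = []
    for line in lines:
        m = INSN.match(line)
        if not m:
            continue
        pc, mnem, ops = m.groups()
        if mnem == 'adrp':
            a = ADRP.match(ops)
            if a:
                base[a.group(1)] = int(a.group(2), 16)
            continue
        mm = MEM.search(ops)
        if mm and mm.group(1) in base:  # memory access through a tracked base
            off = int(mm.group(3) or '0', 16) * (-1 if mm.group(2) else 1)
            if 0 <= base[mm.group(1)] + off < page_size:
                hits.append((int(pc, 16), line.strip()))
        a = ADD.match(ops) if mnem == 'add' else None
        if a and a.group(2) in base:
            base[a.group(1)] = base[a.group(2)] + int(a.group(3), 16)
            continue
        # Any other write to a tracked register forgets it (stores, compares
        # and branches do not write their first operand).
        dst = ops.split(',')[0].strip()
        if not mnem.startswith(('st', 'cmp', 'cb', 'tb', 'b')) and re.fullmatch(r'[wx]\d+', dst):
            base.pop('x' + dst[1:], None)
    return hits

# Constructed sample: the accesses at 0x44 and 0x5c go through a page-0 base.
SAMPLE = """\
  40: 90000000  adrp x0, 0 <_start>
  44: b9400001  ldr  w1, [x0]
  48: f0000020  adrp x0, 5000 <ddr_tbl>
  4c: 91100000  add  x0, x0, #0x400
  50: b9400000  ldr  w0, [x0]
  54: 90000001  adrp x1, 0 <_start>
  58: 91000421  add  x1, x1, #0x1
  5c: b9000022  str  w2, [x1, #0x10]
""".splitlines()
```

Run it over `objdump -d` of the linked blob and treat any hit as a link failure, not a warning; a green mmio_diff will not show these on the happy path.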
