Bump version to 0.8.2

Implement custom fatal sysmodule.

Makefile

@@ -40,13 +40,17 @@ dist: all
 	mkdir atmosphere-$(AMSVER)
 	mkdir atmosphere-$(AMSVER)/atmosphere
 	mkdir -p atmosphere-$(AMSVER)/atmosphere/titles/0100000000000036
+	mkdir -p atmosphere-$(AMSVER)/atmosphere/titles/0100000000000034
 	mkdir -p atmosphere-$(AMSVER)/atmosphere/titles/0100000000000032
-	cp fusee/fusee-secondary/fusee-secondary.bin atmosphere-$(AMSVER)/fusee-secondary.bin
-	cp common/defaults/BCT.ini atmosphere-$(AMSVER)/BCT.ini
+	cp fusee/fusee-secondary/fusee-secondary.bin atmosphere-$(AMSVER)/atmosphere/fusee-secondary.bin
+	cp common/defaults/BCT.ini atmosphere-$(AMSVER)/atmosphere/BCT.ini
 	cp common/defaults/loader.ini atmosphere-$(AMSVER)/atmosphere/loader.ini
+	cp -r common/defaults/kip_patches atmosphere-$(AMSVER)/atmosphere/kip_patches
 	cp stratosphere/creport/creport.nsp atmosphere-$(AMSVER)/atmosphere/titles/0100000000000036/exefs.nsp
+	cp stratosphere/fatal/fatal.nsp atmosphere-$(AMSVER)/atmosphere/titles/0100000000000034/exefs.nsp
 	cp stratosphere/set_mitm/set_mitm.nsp atmosphere-$(AMSVER)/atmosphere/titles/0100000000000032/exefs.nsp
-	touch atmosphere-$(AMSVER)/atmosphere/titles/0100000000000032/boot2.flag
+	mkdir -p atmosphere-$(AMSVER)/atmosphere/titles/0100000000000032/flags
+	touch atmosphere-$(AMSVER)/atmosphere/titles/0100000000000032/flags/boot2.flag
 	cd atmosphere-$(AMSVER); zip -r ../atmosphere-$(AMSVER).zip ./*; cd ../;
 	rm -r atmosphere-$(AMSVER)
 	mkdir out

README.md

@@ -29,7 +29,7 @@ In no particular order, we credit the following for their invaluable contributio
 * __ChaN__ for the [FatFs](http://elm-chan.org/fsw/ff/00index_e.html) module.
 * __Marcus Geelnard__ for the [bcl-1.2.0](https://sourceforge.net/projects/bcl/files/bcl/bcl-1.2.0) library.
 * __naehrwert__ and __st4rk__ for the original [hekate](https://github.com/nwert/hekate) project and its hwinit code base.
-* __CTCaer__ for the continued [hekate](https://github.com/CTCaer/hekate) project's fork.
+* __CTCaer__ for the continued [hekate](https://github.com/CTCaer/hekate) project's fork and the [minerva_tc](https://github.com/CTCaer/minerva_tc) project.
 * __Riley__ for suggesting "Atmosphere" as a Horizon OS reimplementation+customization project name.
 * __hedgeberg__ for research and hardware testing.
 * __lioncash__ for code cleanup and general improvements.

common/defaults/BCT.ini

@@ -1,5 +1,14 @@
 BCT0
 [stage1]
-stage2_path = fusee-secondary.bin
+stage2_path = atmosphere/fusee-secondary.bin
 stage2_addr = 0xF0000000
-stage2_entrypoint = 0xF0000000
+stage2_entrypoint = 0xF0000000
+
+[exosphere]
+; Note: Disabling debugmode will cause parts of ams.tma to not work, in the future.
+debugmode = 1 
+debugmode_user = 0
+
+[stratosphere]
+; To force-enable nogc, add nogc = 1
+; To force-disable nogc, add nogc = 0

common/include/atmosphere/version.h

@@ -18,7 +18,7 @@
 #define ATMOSPHERE_VERSION_H
 
 #define ATMOSPHERE_RELEASE_VERSION_MAJOR    0
-#define ATMOSPHERE_RELEASE_VERSION_MINOR    7
-#define ATMOSPHERE_RELEASE_VERSION_MICRO    4
+#define ATMOSPHERE_RELEASE_VERSION_MINOR    8
+#define ATMOSPHERE_RELEASE_VERSION_MICRO    2
 
 #endif

docs/changelog.md

@@ -1,4 +1,95 @@
 # Changelog
+## 0.8.2
++ A number of bugs were fixed causing users to sometimes see `Key Derivation Failed!`.
+  + KFUSE clock enable timings have been adjusted to allow time to stabilize before TSEC is granted access.
+  + A race condition was fixed that could cause wrong key data to be used on 6.2.0
+  + The TSEC firmware is now retried on failure, fixing a failure affecting ~1/50 boots on 6.2.0.
++ A bug was fixed causing some modules to not work on firmware 1.0.0.
++ A bug was fixed causing sleep mode to not work with debugmode enabled.
+  + As a result, debugmode is now enabled in the default BCT.ini.
++ General system stability improvements to enhance the user's experience.
+## 0.8.1
++ A bug was fixed causing users to see `Failed to enable SMMU!` if fusee had previously rebooted.
+  + This message will still occur sporadically if fusee is not launched from coldboot, but it can never happen twice in a row.
++ A race condition was fixed in Atmosphere `bis_protect` functionality that could cause NS to be able to overwrite BCT public keys.
+  + This sometimes broke AutoRCM protection, the current fix has been tested on hardware and verified to work.
++ Support was added for enabling `debugmode` based on the `exosphere` section of `BCT.ini`:
+  + Setting `debugmode = 1` will cause exosphere to tell the kernel that debugmode is active.
+  + Setting `debugmode_user = 1` will cause exosphere to tell userland that debugmode is active.
+  + These are completely independent of one another, allowing fine control of system behavior.
++ Support was added for `nogc` functionality; thanks to @rajkosto for the patches.
+  + By default, `nogc` patches will automatically apply if the user is booting into 4.0.0+ with fuses from <= 3.0.2.
+  + Users can override this functionality via the `nogc` entry in the `stratosphere` section of `BCT.ini`:
+    + Setting `nogc = 1` will force enable `nogc` patches.
+    + Setting `nogc = 0` will force disable `nogc` patches.
+  + If patches are enabled but not found for the booting system, a fatal error will be thrown.
+    + This should prevent running FS without `nogc` patches after updating to an unsupported system version.
++ An extension was added to `exosphere` allowing userland applications to cause the system to reboot into RCM:
+  + This is done by calling smcSetConfig(id=65001, value=<nonzero>); user homebrew can use splSetConfig for this.
++ On fatal error, the user can now choose to perform a standard reboot via the power button, or a reboot into RCM via either volume button. 
++ A custom message was added to `fatal` for when an Atmosphère API version mismatch is detected (2495-1623).
++ General system stability improvements to enhance the user's experience.
+## 0.8.0
++ A custom `fatal` system module was added.
+  + This re-implements and extends Nintendo's fatal module, with the following features:
+    + Atmosphère's `fatal` does not create error reports.
+    + Atmosphère's `fatal` draws a custom error screen, showing registers and a backtrace.
+    + Atmosphère's `fatal` attempts to gather debugging info for all crashes, and not just ones that include info.
+    + Atmosphère's `fatal` will attempt saving reports to the SD, if a crash report was not generated by `creport`.
++ Title flag handling was changed to prevent folder clutter.
+  + Instead of living in `atmosphere/titles/<tid>/%s.flag`, flags are now located in `atmosphere/titles/<tid>/flags/%s.flag`
+    + The old format will continue to be supported for some time, but is deprecated.
+  + Flags can now be applied to HBL by placing them at `atmosphere/flags/hbl_%s.flag`.
++ Changes were made to the mitm API, greatly improving caller semantics.
+  + `sm` now informs mitm services of a new session's process id, enabling custom handling based on title id/process id.
++ smhax is no longer enabled, because it is no longer needed and breaks significant functionality.
+  + Users with updated HBL/homebrew should see no observable differences due to this change.
++ Functionality was added implementing basic protections for NAND from userland homebrew:
+  + BOOT0 now has write protection for the BCT public key and keyblob regions.
+    + The `ns` sysmodule is no longer allowed to write the BCT public keys; all other processes can.
+      + This should prevent system updates from removing AutoRCM.
+    + No processes should be allowed to write to the keyblob region.
+  + By default, BIS partitions other than BOOT0 are now read-only, and CAL0 is neither readable nor writable.
+    + Adding a `bis_write` flag for a title will allow it to write to BIS.
+    + Adding a `cal_read` flag for a title will allow it to read CAL0.
+  + An automatic backup is now made of CAL0 on boot.
+    + `fs.mitm` maintains a file handle to this backup, so userland software cannot read it.
+  + To facilitate this, `fs.mitm` now mitms all sessions for non-system modules; content overriding has been made separate from service interception.
+  + Please note: these protections are basic, and sufficiently malicious homebrew ++can defeat them++.
+    + Please be careful to only run homebrew software from sources that you trust.
++ A bug involving HDCP titles crashing on newer firmwares was fixed.
++ Support was added for system version 6.2.0; our thanks to @motezazer for his invaluable help.
+  + By default, new keys will automatically be derived without user input.
+  + Support is also present for loading new keys from `atmosphere/prod.keys` or `atmosphere/dev.keys`
++ General system stability improvements to enhance the user's experience.
+## 0.7.5
++ DRAM training was added to fusee-secondary, courtesy @hexkyz.
+  + This greatly improves the speed of memory accesses during boot, resulting in a boot time that is ~200-400% faster.
++ creport has had its code region detection improved.
+  + Instead of only checking one of the crashing thread's PC/LR for code region presence, creport now checks both + every address in the stacktrace. This is also now done for every thread.
+    + This matches the improvement Nintendo added to official creport in 6.1.0.
+  + The code region detection heuristic was further improved by checking whether an address points to .rodata or .rwdata, instead of just .text.
+  + This means that a crash appears in a loaded NRO (or otherwise discontiguous) code region, creport will be able to detect all active code regions, and not just that one. 
+## 0.7.4
++ [libstratosphere](https://github.com/Atmosphere-NX/libstratosphere) has been completely refactored/rewritten, and split into its own, separate submodule.
+  + While this is mostly "under the hood" for end-users, the refactor is faster (improving both boot-time and runtime performance), more accurate (many of the internal IPC structures are now bug-for-bug compatible with Nintendo's implementations), and significantly more stable (it fixes a large number of bugs present in the old library).
+  + The refactored API is significantly cleaner and easier to write system module code for, which should improve/speed up development of stratosphere.
+  + Developers looking to write their own custom system modules for the Switch can now easily include libstratosphere as a submodule in their projects.
++ Loader was extended to add a new generic way to redirect content (ExternalContentSources), courtesy @misson20000:
+  + A new command was added to ldr:shel, taking in a tid to redirect and returning a session handle.
+  + When the requested TID is loading, Loader will query the handle as though it were an IFileSystem.
+    + This allows clients to generically define their own filesystems, and override content with them in loader.
++ fs.mitm has gotten several optimizations that should improve its performance and stability:
+  + RomFS redirection now only occurs when there is content to redirect, even if the title is being mitm'd elsewhere.
+  + A cache is now maintained of the active data storage, if any, for all opened title IDs. This means if two processes both try to open the same archive, fs.mitm won't duplicate any of its work.
+  + RomFS metadata is now cached to the SD card on build instead of being persisted in memory -- this greatly reduces memory footprint and allows fs.mitm to redirect more titles simultaneously than before.
++ A number of bugs were fixed, including:
+  + A resource leak was fixed in process creation. This fixes crashes that occur when a large number (>32) games have been launched since the last reboot.
+  + fs.mitm no longer errors when receiving a zero-sized buffer. This fixes crashes in some games, including The Messenger.
+  + Multi-threaded server semantics should no longer cause deadlocks in certain circumstances. This fixes crashes in some games, including NES Classics.
+  + PM now only gives full FS permissions to the active KIPs. This fixes a potential crash where new processes might be unable to be registered with FS.
++ The `make dist` target now includes the branch in the generated zip name.
++ General system stability improvements to enhance the user's experience.
 ## 0.7.3
 + Loader and fs.mitm now try to reload loader.ini before reading it. This allows for changing the override button combination/HBL title id at runtime.
 + Added a MitM between set:sys and qlaunch, used to override the system version string displayed in system settings.

docs/flags.md

@@ -0,0 +1,12 @@
+# Flags
+Atmosphère supports customizing CFW behavior based on the presence of `flags` on the SD card.
+
+The following flags are supported on a per-title basis, by placing `<flag_name>.flag` inside `/atmosphere/titles/<title_id>/flags/`:
++ `boot2`, which indicates to PM that the title should be launched during the `boot2` process.
++ `fsmitm`, which indicates that `fs.mitm` should override contents for the title even if it otherwise wouldn't.
++ `fsmitm_disable`, which indicates that `fs.mitm` should not override contents for the title, even it it otherwise would.
++ `bis_write`, which indicates that `fs.mitm` should allow the title to write to BIS partitions.
++ `cal_read`, which indicates that `fs.mitm` should allow the title to read the CAL0/PRODINFO partition.
+
+The following global flags are supported, by placing `<flag name>.flag` inside `/atmosphere/flags/`:
++ `hbl_bis_write` and `hbl_cal_read` enable the BIS write and CAL0 read functionality for HBL, without needing to specify its title id.

docs/modules/loader.md

@@ -66,3 +66,17 @@ For example, `override_key=!R` will run the game only while holding down R when
 ### SM MITM Integration
 
 When the Stratosphere implementation of loader creates a new process, it notifies [sm](sm.md) through the `AtmosphereAssociatePidTidForMitm` command to notify any MITM services of new processes' identities.
+
+### IPC: AtmosphereSetExternalContentSource
+
+An additional command is added to the [`ldr:shel`](https://reswitched.github.io/SwIPC/ifaces.html#nn::ro::detail::ILdrShellInterface) interface, called `AtmosphereSetExternalContentSource`. It's command ID is `65000` on all system firmware versions. It takes a `u64 tid` and returns a server-side session handle. The client is expected to implement the `IFileSystem` interface on the returned handle. The next time the title specified by the given title ID is launched, its ExeFS contents will be loaded from the custom `IFileSystem` instead of from SD card or original ExeFS. NSOs loaded from external content source may still be subject to exefs IPS patches. After the title is launched, the `IFileSystem` is closed and the external content source override is removed. If `AtmosphereSetExternalContentSource` is called on a title that already has an external content source set for it, the existing one will be removed and replaced with the new one. It is illegal to call `AtmosphereSetExternalContentSource` while the title is being launched.
+
+The `IFileSystem` only needs to implement `OpenFile`. The paths received by the `IFileSystem`'s `OpenFile` command begin with slashes, as in `/main`, `/rtld`, and `/main.npdm`. A result code of 0x202 should be returned if the file does not exist. The `IFile`s returned from `OpenFile` only need to implement `Read` and `GetSize`.
+
+The SwIPC definition for the `AtmosphereSetExternalContentSource` command follows.
+```
+interface nn::ldr::detail::IShellInterface is ldr:shel {
+  ...
+  [65000] AtmosphereSetExternalContentSource(u64 tid) -> handle<copy, session_server> ifilesystem_handle;
+}
+```

exosphere/Makefile

@@ -9,6 +9,13 @@ endif
 TOPDIR ?= $(CURDIR)
 include $(DEVKITPRO)/devkitA64/base_rules
 
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
 #---------------------------------------------------------------------------------
 # TARGET is the name of the output
 # BUILD is the directory where object files & intermediate files will be placed
@@ -26,7 +33,7 @@ INCLUDES	:=	include ../common/include
 # options for code generation
 #---------------------------------------------------------------------------------
 ARCH	:=	-march=armv8-a -mtune=cortex-a57 -mgeneral-regs-only #<- important
-DEFINES	:=	-D__CCPLEX__
+DEFINES	:=	-D__CCPLEX__ -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
 CFLAGS	:= \
 	-g \
 	-O2 \

exosphere/src/bootup.c

@@ -31,6 +31,7 @@
 #include "configitem.h"
 #include "timers.h"
 #include "misc.h"
+#include "uart.h"
 #include "bpmp.h"
 #include "sysreg.h"
 #include "interrupt.h"
@@ -46,19 +47,16 @@
 
 static bool g_has_booted_up = false;
 
-
 void setup_dram_magic_numbers(void) {
-    /* TODO: Why does these DRAM write occur? */
+    /* These DRAM writes test and set values for the GPU UCODE carveout. */
     unsigned int target_fw = exosphere_get_target_firmware();
-    if (EXOSPHERE_TARGET_FIRMWARE_400 <= target_fw) {
-        (*(volatile uint32_t *)(0x8005FFFC)) = 0xC0EDBBCC;
-        flush_dcache_range((void *)0x8005FFFC, (void *)0x80060000);
-        if (EXOSPHERE_TARGET_FIRMWARE_600 <= target_fw) {
-            (*(volatile uint32_t *)(0x8005FF00)) = 0x00000083;
-            (*(volatile uint32_t *)(0x8005FF04)) = 0x00000002;
-            (*(volatile uint32_t *)(0x8005FF08)) = 0x00000210;
-            flush_dcache_range((void *)0x8005FF00, (void *)0x8005FF0C);
-        }
+    (*(volatile uint32_t *)(0x8005FFFC)) = 0xC0EDBBCC;              /* Access test value. */
+    flush_dcache_range((void *)0x8005FFFC, (void *)0x80060000);
+    if (EXOSPHERE_TARGET_FIRMWARE_600 <= target_fw) {
+        (*(volatile uint32_t *)(0x8005FF00)) = 0x00000083;          /* SKU code. */
+        (*(volatile uint32_t *)(0x8005FF04)) = 0x00000002;
+        (*(volatile uint32_t *)(0x8005FF08)) = 0x00000210;          /* Tegra210 code. */
+        flush_dcache_range((void *)0x8005FF00, (void *)0x8005FF0C);
     }
     __dsb_sy();
 }
@@ -83,35 +81,35 @@ void bootup_misc_mmio(void) {
     se_generate_random_key(KEYSLOT_SWITCH_SRKGENKEY, KEYSLOT_SWITCH_RNGKEY);
     se_generate_srk(KEYSLOT_SWITCH_SRKGENKEY);
 
-    if (!g_has_booted_up && EXOSPHERE_TARGET_FIRMWARE_600 > exosphere_get_target_firmware() && exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
+    if (!g_has_booted_up && (EXOSPHERE_TARGET_FIRMWARE_600 > exosphere_get_target_firmware())) {
         setup_dram_magic_numbers();
     }
 
-    /* Todo: What? */
-    MAKE_TIMERS_REG(0x1A4) = 0xF1E0;
+    /* Mark TMR5, TMR6, TMR7, TMR8, WDT0, WDT1, WDT2 and WDT3 as secure. */
+    SHARED_TIMER_SECURE_CFG_0 = 0xF1E0;
 
-    FLOW_CTLR_BPMP_CLUSTER_CONTROL_0 = 4; /* ACTIVE_CLUSTER_LOCK. */
-    FLOW_CTLR_FLOW_DBG_QUAL_0 = 0x10000000; /* Enable FIQ2CCPLEX */
+    FLOW_CTLR_BPMP_CLUSTER_CONTROL_0 = 4;       /* ACTIVE_CLUSTER_LOCK. */
+    FLOW_CTLR_FLOW_DBG_QUAL_0 = 0x10000000;     /* Enable FIQ2CCPLEX */
 
     /* Disable Deep Power Down. */
     APBDEV_PMC_DPD_ENABLE_0 = 0;
 
-    /* Setup MC. */
-    /* TODO: What are these MC reg writes? */
-    MAKE_MC_REG(0x984) = 1;
-    MAKE_MC_REG(0x648) = 0;
-    MAKE_MC_REG(0x64C) = 0;
-    MAKE_MC_REG(0x650) = 1;
-    MAKE_MC_REG(0x670) = 0;
-    MAKE_MC_REG(0x674) = 0;
-    MAKE_MC_REG(0x678) = 1;
-    MAKE_MC_REG(0x9A0) = 0;
-    MAKE_MC_REG(0x9A4) = 0;
-    MAKE_MC_REG(0x9A8) = 0;
-    MAKE_MC_REG(0x9AC) = 1;
-    MC_SECURITY_CFG0_0 = 0;
-    MC_SECURITY_CFG1_0 = 0;
-    MC_SECURITY_CFG3_0 = 3;
+    /* Setup MC carveouts. */
+    MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_0) = 1;
+    MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_1) = 0;
+    MAKE_MC_REG(MC_VIDEO_PROTECT_BOM) = 0;
+    MAKE_MC_REG(MC_VIDEO_PROTECT_SIZE_MB) = 0;
+    MAKE_MC_REG(MC_VIDEO_PROTECT_REG_CTRL) = 1;
+    MAKE_MC_REG(MC_SEC_CARVEOUT_BOM) = 0;
+    MAKE_MC_REG(MC_SEC_CARVEOUT_SIZE_MB) = 0;
+    MAKE_MC_REG(MC_SEC_CARVEOUT_REG_CTRL) = 1;
+    MAKE_MC_REG(MC_MTS_CARVEOUT_BOM) = 0;
+    MAKE_MC_REG(MC_MTS_CARVEOUT_SIZE_MB) = 0;
+    MAKE_MC_REG(MC_MTS_CARVEOUT_ADR_HI) = 0;
+    MAKE_MC_REG(MC_MTS_CARVEOUT_REG_CTRL) = 1;
+    MAKE_MC_REG(MC_SECURITY_CFG0) = 0;
+    MAKE_MC_REG(MC_SECURITY_CFG1) = 0;
+    MAKE_MC_REG(MC_SECURITY_CFG3) = 3;
     configure_default_carveouts();
         
     /* Mark registers secure world only. */
@@ -142,12 +140,12 @@ void bootup_misc_mmio(void) {
         APB_MISC_SECURE_REGS_APB_SLAVE_SECURITY_ENABLE_REG2_0 = sec_disable_2;
     }
 
-    /* reset Translation Enable Registers */
-    MC_SMMU_TRANSLATION_ENABLE_0_0 = 0xFFFFFFFF;
-    MC_SMMU_TRANSLATION_ENABLE_1_0 = 0xFFFFFFFF;
-    MC_SMMU_TRANSLATION_ENABLE_2_0 = 0xFFFFFFFF;
-    MC_SMMU_TRANSLATION_ENABLE_3_0 = 0xFFFFFFFF;
-    MC_SMMU_TRANSLATION_ENABLE_4_0 = 0xFFFFFFFF;
+    /* Reset Translation Enable Registers. */
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_0) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_1) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_2) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_3) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_4) = 0xFFFFFFFF;
 
     /* TODO: What are these MC reg writes? */
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
@@ -157,7 +155,7 @@ void bootup_misc_mmio(void) {
     }
     MAKE_MC_REG(0x03C) = 0;
 
-    /* MISC registers*/
+    /* MISC registers. */
     MAKE_MC_REG(0x9E0) = 0;
     MAKE_MC_REG(0x9E4) = 0;
     MAKE_MC_REG(0x9E8) = 0;
@@ -166,18 +164,18 @@ void bootup_misc_mmio(void) {
     MAKE_MC_REG(0x9F4) = 0;
 
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
-        MC_SMMU_PTB_ASID_0 = 0;
+        MAKE_MC_REG(MC_SMMU_PTB_ASID) = 0;
     }
-    MC_SMMU_PTB_DATA_0 = 0;
-    MC_SMMU_TLB_CONFIG_0 = 0x30000030;
-    MC_SMMU_PTC_CONFIG_0 = 0x2800003F;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_PTC_FLUSH_0 = 0;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_TLB_FLUSH_0 = 0;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_CONFIG_0 = 1; /* enable SMMU */
-    (void)MC_SMMU_TLB_CONFIG_0;
+    MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0;
+    MAKE_MC_REG(MC_SMMU_TLB_CONFIG) = 0x30000030;
+    MAKE_MC_REG(MC_SMMU_PTC_CONFIG) = 0x2800003F;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_PTC_FLUSH) = 0;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_TLB_FLUSH) = 0;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_CONFIG) = 1;        /* Enable SMMU. */
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
     
     /* Clear RESET Vector, setup CPU Secure Boot RESET Vectors. */
     uint32_t reset_vec;
@@ -200,13 +198,13 @@ void bootup_misc_mmio(void) {
 
     /* Setup FIQs. */
 
-
     /* And assign "se_operation_completed" to Interrupt 0x5A. */
     intr_set_priority(INTERRUPT_ID_SECURITY_ENGINE, 0);
     intr_set_group(INTERRUPT_ID_SECURITY_ENGINE, 0);
     intr_set_enabled(INTERRUPT_ID_SECURITY_ENGINE, 1);
     intr_set_cpu_mask(INTERRUPT_ID_SECURITY_ENGINE, 8);
     intr_set_edge_level(INTERRUPT_ID_SECURITY_ENGINE, 0);
+    
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
         intr_set_priority(INTERRUPT_ID_ACTIVITY_MONITOR_4X, 0);
         intr_set_group(INTERRUPT_ID_ACTIVITY_MONITOR_4X, 0);
@@ -216,6 +214,11 @@ void bootup_misc_mmio(void) {
     }
 
     if (!g_has_booted_up) {
+        /* N doesn't do this, but we should for compatibility. */
+        uart_select(UART_A);
+        clkrst_reboot(CARDEVICE_UARTA);
+        uart_init(UART_A, 115200);
+        
         intr_register_handler(INTERRUPT_ID_SECURITY_ENGINE, se_operation_completed);
         if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) {
             intr_register_handler(INTERRUPT_ID_ACTIVITY_MONITOR_4X, actmon_interrupt_handler);
@@ -225,10 +228,10 @@ void bootup_misc_mmio(void) {
         }
         g_has_booted_up = true;
     } else if (exosphere_get_target_firmware() < EXOSPHERE_TARGET_FIRMWARE_400) {
-        /* TODO: What are these MC reg writes? */
-        MAKE_MC_REG(0x65C) = 0xFFFFF000;
-        MAKE_MC_REG(0x660) = 0;
-        MAKE_MC_REG(0x964) |= 1;
+        /* Disable AHB redirect. */
+        MAKE_MC_REG(MC_IRAM_BOM) = 0xFFFFF000;
+        MAKE_MC_REG(MC_IRAM_TOM) = 0;
+        MAKE_MC_REG(MC_IRAM_REG_CTRL) |= 1;
         CLK_RST_CONTROLLER_LVL2_CLK_GATE_OVRD_0 &= 0xFFF7FFFF;
     }
 }
@@ -237,10 +240,11 @@ void setup_4x_mmio(void) {
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) {
         configure_gpu_ucode_carveout();
     }
-    /* TODO: What are these MC reg writes? */
-    MAKE_MC_REG(0x65C) = 0xFFFFF000;
-    MAKE_MC_REG(0x660) = 0;
-    MAKE_MC_REG(0x964) |= 1;
+
+    /* Disable AHB redirect. */
+    MAKE_MC_REG(MC_IRAM_BOM) = 0xFFFFF000;
+    MAKE_MC_REG(MC_IRAM_TOM) = 0;
+    MAKE_MC_REG(MC_IRAM_REG_CTRL) |= 1;
     CLK_RST_CONTROLLER_LVL2_CLK_GATE_OVRD_0 &= 0xFFF7FFFF;
 
     /* TODO: What are these PMC scratch writes? */
@@ -275,16 +279,16 @@ void setup_4x_mmio(void) {
     AHB_ARBITRATION_DISABLE_0 |= 2;
 
     /* Set SMMU for BPMP/APB-DMA to point to TZRAM. */
-    MC_SMMU_PTB_ASID_0 = 1;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_PTB_DATA_0 = 0x70012;
-    MC_SMMU_AVPC_ASID_0 = 0x80000001;
-    MC_SMMU_PPCS1_ASID_0 = 0x80000001;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_PTC_FLUSH_0 = 0;
-    (void)MC_SMMU_TLB_CONFIG_0;
-    MC_SMMU_TLB_FLUSH_0 = 0;
-    (void)MC_SMMU_TLB_CONFIG_0;
+    MAKE_MC_REG(MC_SMMU_PTB_ASID) = 1;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0x70012;
+    MAKE_MC_REG(MC_SMMU_AVPC_ASID) = 0x80000001;
+    MAKE_MC_REG(MC_SMMU_PPCS1_ASID) = 0x80000001;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_PTC_FLUSH) = 0;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+    MAKE_MC_REG(MC_SMMU_TLB_FLUSH) = 0;
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
 
     /* Wait for the BPMP to halt. */
     while ((FLOW_CTLR_HALT_COP_EVENTS_0 >> 29) != 2) {
@@ -321,7 +325,7 @@ void setup_current_core_state(void) {
 
     __isb();
 
-    SET_SYSREG(cntfrq_el0, MAKE_SYSCTR0_REG(0x20)); /* TODO: Reg name. */
+    SET_SYSREG(cntfrq_el0, SYSCTR0_CNTFID0_0);
     SET_SYSREG(cnthctl_el2, 3ull);
 
     __isb();

exosphere/src/configitem.c

@@ -28,19 +28,31 @@
 #include "exocfg.h"
 
 static bool g_battery_profile = false;
+static bool g_debugmode_override_user = false, g_debugmode_override_priv = false;
 
-uint32_t configitem_set(ConfigItem item, uint64_t value) {
-    if (item != CONFIGITEM_BATTERYPROFILE) {
-        return 2;
+uint32_t configitem_set(bool privileged, ConfigItem item, uint64_t value) {
+    switch (item) {
+        case CONFIGITEM_BATTERYPROFILE:
+            g_battery_profile = (value != 0);
+            break;
+        case CONFIGITEM_NEEDS_REBOOT_TO_RCM:
+            /* Force a reboot to RCM, if requested. */
+            if (value != 0) {
+                MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_RTC_PMC) + 0x450ull) = 0x2;
+                MAKE_REG32(MMIO_GET_DEVICE_ADDRESS(MMIO_DEVID_RTC_PMC) + 0x400ull) = 0x10;
+                while (1) { }
+            }
+            break;
+        default:
+            return 2;
     }
     
-    g_battery_profile = (value != 0);
     return 0;
 }
 
 bool configitem_is_recovery_boot(void) {
     uint64_t is_recovery_boot;
-    if (configitem_get(CONFIGITEM_ISRECOVERYBOOT, &is_recovery_boot) != 0) {
+    if (configitem_get(true, CONFIGITEM_ISRECOVERYBOOT, &is_recovery_boot) != 0) {
         generic_panic();
     }
 
@@ -49,7 +61,7 @@ bool configitem_is_recovery_boot(void) {
 
 bool configitem_is_retail(void) {
     uint64_t is_retail;
-    if (configitem_get(CONFIGITEM_ISRETAIL, &is_retail) != 0) {
+    if (configitem_get(true, CONFIGITEM_ISRETAIL, &is_retail) != 0) {
         generic_panic();
     }
 
@@ -60,15 +72,29 @@ bool configitem_should_profile_battery(void) {
     return g_battery_profile;
 }
 
+bool configitem_is_debugmode_priv(void) {
+    uint64_t debugmode = 0;
+    if (configitem_get(true, CONFIGITEM_ISDEBUGMODE, &debugmode) != 0) {
+        generic_panic();
+    }
+
+    return debugmode != 0;
+}
+
 uint64_t configitem_get_hardware_type(void) {
     uint64_t hardware_type;
-    if (configitem_get(CONFIGITEM_HARDWARETYPE, &hardware_type) != 0) {
+    if (configitem_get(true, CONFIGITEM_HARDWARETYPE, &hardware_type) != 0) {
         generic_panic();
     }
     return hardware_type;
 }
 
-uint32_t configitem_get(ConfigItem item, uint64_t *p_outvalue) {
+void configitem_set_debugmode_override(bool user, bool priv) {
+    g_debugmode_override_user = user;
+    g_debugmode_override_priv = priv;
+}
+
+uint32_t configitem_get(bool privileged, ConfigItem item, uint64_t *p_outvalue) {
     uint32_t result = 0;
     switch (item) {
         case CONFIGITEM_DISABLEPROGRAMVERIFICATION:
@@ -109,7 +135,11 @@ uint32_t configitem_get(ConfigItem item, uint64_t *p_outvalue) {
             *p_outvalue = bootconfig_get_memory_arrangement();
             break;
         case CONFIGITEM_ISDEBUGMODE:
-            *p_outvalue = (int)(bootconfig_is_debug_mode());
+            if ((privileged && g_debugmode_override_priv) || (!privileged && g_debugmode_override_user)) {
+                *p_outvalue = 1;
+            } else {
+                *p_outvalue = (int)(bootconfig_is_debug_mode());
+            }
             break;
         case CONFIGITEM_KERNELMEMORYCONFIGURATION:
             *p_outvalue = bootconfig_get_kernel_memory_configuration();
@@ -157,6 +187,10 @@ uint32_t configitem_get(ConfigItem item, uint64_t *p_outvalue) {
                           ((uint64_t)(exosphere_get_target_firmware() & 0xFF) << 8ull) |
                           ((uint64_t)(mkey_get_revision() & 0xFF) << 0ull);
             break;
+        case CONFIGITEM_NEEDS_REBOOT_TO_RCM:
+            /* UNOFFICIAL: The fact that we are executing means we aren't in the process of rebooting to rcm. */
+            *p_outvalue = 0;
+            break;
         default:
             result = 2;
             break;

exosphere/src/configitem.h

@@ -40,15 +40,19 @@ typedef enum {
     CONFIGITEM_PACKAGE2HASH_5X = 17,
     
     /* These are unofficial, for usage by Exosphere. */
-    CONFIGITEM_EXOSPHERE_VERSION = 65000
+    CONFIGITEM_EXOSPHERE_VERSION = 65000,
+    CONFIGITEM_NEEDS_REBOOT_TO_RCM = 65001,
 } ConfigItem;
 
-uint32_t configitem_set(ConfigItem item, uint64_t value);
-uint32_t configitem_get(ConfigItem item, uint64_t *p_outvalue);
+uint32_t configitem_set(bool privileged, ConfigItem item, uint64_t value);
+uint32_t configitem_get(bool privileged, ConfigItem item, uint64_t *p_outvalue);
 
 bool configitem_is_recovery_boot(void);
 bool configitem_is_retail(void);
 bool configitem_should_profile_battery(void);
+bool configitem_is_debugmode_priv(void);
+
+void configitem_set_debugmode_override(bool user, bool priv);
 
 uint64_t configitem_get_hardware_type(void);
 

exosphere/src/exocfg.c

@@ -27,9 +27,12 @@
 /* TODO: Should this be at a non-static location? */
 #define MAILBOX_EXOSPHERE_CONFIG (*((volatile exosphere_config_t *)(MAILBOX_BASE + 0xE40ULL)))
 
-static exosphere_config_t g_exosphere_cfg = {MAGIC_EXOSPHERE_BOOTCONFIG, EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG};
+static exosphere_config_t g_exosphere_cfg = {MAGIC_EXOSPHERE_BOOTCONFIG, EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG, EXOSPHERE_FLAGS_DEFAULT};
 static bool g_has_loaded_config = false;
 
+#define EXOSPHERE_CHECK_FLAG(flag) ((g_exosphere_cfg.flags & flag) != 0)
+
+
 /* Read config out of IRAM, return target firmware version. */
 unsigned int exosphere_load_config(void) {
     if (g_has_loaded_config) {
@@ -37,8 +40,13 @@ unsigned int exosphere_load_config(void) {
     }
     g_has_loaded_config = true;
     
-    if (MAILBOX_EXOSPHERE_CONFIG.magic == MAGIC_EXOSPHERE_BOOTCONFIG) {
+    const unsigned int magic = MAILBOX_EXOSPHERE_CONFIG.magic;
+    
+    if (magic == MAGIC_EXOSPHERE_BOOTCONFIG) {
         g_exosphere_cfg = MAILBOX_EXOSPHERE_CONFIG;
+    } else if (magic == MAGIC_EXOSPHERE_BOOTCONFIG_0) {
+        g_exosphere_cfg = MAILBOX_EXOSPHERE_CONFIG;
+        g_exosphere_cfg.flags = EXOSPHERE_FLAGS_DEFAULT;
     }
     
     return g_exosphere_cfg.target_firmware;
@@ -50,4 +58,28 @@ unsigned int exosphere_get_target_firmware(void) {
     }
     
     return g_exosphere_cfg.target_firmware;
-}
+}
+
+unsigned int exosphere_should_perform_620_keygen(void) {
+    if (!g_has_loaded_config) {
+        generic_panic();
+    }
+    
+    return g_exosphere_cfg.target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620 && EXOSPHERE_CHECK_FLAG(EXOSPHERE_FLAG_PERFORM_620_KEYGEN);
+}
+
+unsigned int exosphere_should_override_debugmode_priv(void) {
+    if (!g_has_loaded_config) {
+        generic_panic();
+    }
+    
+    return EXOSPHERE_CHECK_FLAG(EXOSPHERE_FLAG_IS_DEBUGMODE_PRIV);
+}
+
+unsigned int exosphere_should_override_debugmode_user(void) {
+    if (!g_has_loaded_config) {
+        generic_panic();
+    }
+    
+    return EXOSPHERE_CHECK_FLAG(EXOSPHERE_FLAG_IS_DEBUGMODE_USER);
+}

exosphere/src/exocfg.h

@@ -25,7 +25,9 @@
 /* This serves to set configuration for *exosphere itself*, separate from the SecMon Exosphere mimics. */
 
 /* "XBC0" */
-#define MAGIC_EXOSPHERE_BOOTCONFIG (0x30434258)
+#define MAGIC_EXOSPHERE_BOOTCONFIG_0 (0x30434258)
+/* "XBC1" */
+#define MAGIC_EXOSPHERE_BOOTCONFIG (0x31434258)
 
 #define EXOSPHERE_TARGET_FIRMWARE_100 1
 #define EXOSPHERE_TARGET_FIRMWARE_200 2
@@ -33,9 +35,12 @@
 #define EXOSPHERE_TARGET_FIRMWARE_400 4
 #define EXOSPHERE_TARGET_FIRMWARE_500 5
 #define EXOSPHERE_TARGET_FIRMWARE_600 6
+#define EXOSPHERE_TARGET_FIRMWARE_620 7
+
+#define EXOSPHERE_TARGET_FIRMWARE_CURRENT EXOSPHERE_TARGET_FIRMWARE_620
 
 /* TODO: What should this be, for release? */
-#define EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG EXOSPHERE_TARGET_FIRMWARE_600
+#define EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG EXOSPHERE_TARGET_FIRMWARE_CURRENT
 #define EXOSPHERE_LOOSEN_PACKAGE2_RESTRICTIONS_FOR_DEBUG 1
 
 #define MAILBOX_BASE_PHYS  (MMIO_GET_DEVICE_PA(MMIO_DEVID_NXBOOTLOADER_MAILBOX))
@@ -43,17 +48,30 @@
 /* TODO: Should this be at a non-static location? */
 #define MAILBOX_EXOSPHERE_CONFIG_PHYS (*((volatile exosphere_config_t *)(MAILBOX_BASE_PHYS + 0xE40ULL)))
 
+#define EXOSPHERE_FLAGS_DEFAULT 0x00000000
+#define EXOSPHERE_FLAG_PERFORM_620_KEYGEN (1 << 0u)
+#define EXOSPHERE_FLAG_IS_DEBUGMODE_PRIV  (1 << 1u)
+#define EXOSPHERE_FLAG_IS_DEBUGMODE_USER  (1 << 2u)
 
 typedef struct {
     unsigned int magic;
     unsigned int target_firmware;
+    unsigned int flags;
 } exosphere_config_t;
 
 unsigned int exosphere_load_config(void);
 unsigned int exosphere_get_target_firmware(void);
+unsigned int exosphere_should_perform_620_keygen(void);
+unsigned int exosphere_should_override_debugmode_priv(void);
+unsigned int exosphere_should_override_debugmode_user(void);
 
 static inline unsigned int exosphere_get_target_firmware_for_init(void) {
-    return MAILBOX_EXOSPHERE_CONFIG_PHYS.magic == MAGIC_EXOSPHERE_BOOTCONFIG ? MAILBOX_EXOSPHERE_CONFIG_PHYS.target_firmware : EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG;
+    const unsigned int magic = MAILBOX_EXOSPHERE_CONFIG_PHYS.magic;
+    if (magic == MAGIC_EXOSPHERE_BOOTCONFIG || magic == MAGIC_EXOSPHERE_BOOTCONFIG_0) {
+        return MAILBOX_EXOSPHERE_CONFIG_PHYS.target_firmware;
+    } else {
+        return EXOSPHERE_TARGET_FIRMWARE_DEFAULT_FOR_DEBUG;
+    }
 }
 
 #endif

exosphere/src/lp0.c

@@ -35,6 +35,7 @@
 #include "smc_api.h"
 #include "timers.h"
 #include "misc.h"
+#include "uart.h"
 #include "exocfg.h"
 
 #define u8 uint8_t
@@ -241,7 +242,7 @@ void save_se_and_power_down_cpu(void) {
     save_se_state();
 
     if (!configitem_is_retail()) {
-        /* TODO: uart_log("OYASUMI"); */
+        uart_send(UART_A, "OYASUMI", 8);
     }
     
     finalize_powerdown();

exosphere/src/masterkey.c

@@ -40,6 +40,7 @@ static const uint8_t mkey_vectors_dev[MASTERKEY_REVISION_MAX][0x10] =
     {0x2C, 0xCA, 0x9C, 0x31, 0x1E, 0x07, 0xB0, 0x02, 0x97, 0x0A, 0xD8, 0x03, 0xA2, 0x76, 0x3F, 0xA3}, /* Master key 02 encrypted with Master key 03. */
     {0x9B, 0x84, 0x76, 0x14, 0x72, 0x94, 0x52, 0xCB, 0x54, 0x92, 0x9B, 0xC4, 0x8C, 0x5B, 0x0F, 0xBA}, /* Master key 03 encrypted with Master key 04. */
     {0x78, 0xD5, 0xF1, 0x20, 0x3D, 0x16, 0xE9, 0x30, 0x32, 0x27, 0x34, 0x6F, 0xCF, 0xE0, 0x27, 0xDC}, /* Master key 04 encrypted with Master key 05. */
+    {0x6F, 0xD2, 0x84, 0x1D, 0x05, 0xEC, 0x40, 0x94, 0x5F, 0x18, 0xB3, 0x81, 0x09, 0x98, 0x8D, 0x4E}, /* Master key 05 encrypted with Master key 06. */
 };
 
 /* Retail unit keys. */
@@ -51,6 +52,7 @@ static const uint8_t mkey_vectors[MASTERKEY_REVISION_MAX][0x10] =
     {0x0A, 0x0D, 0xDF, 0x34, 0x22, 0x06, 0x6C, 0xA4, 0xE6, 0xB1, 0xEC, 0x71, 0x85, 0xCA, 0x4E, 0x07}, /* Master key 02 encrypted with Master key 03. */
     {0x6E, 0x7D, 0x2D, 0xC3, 0x0F, 0x59, 0xC8, 0xFA, 0x87, 0xA8, 0x2E, 0xD5, 0x89, 0x5E, 0xF3, 0xE9}, /* Master key 03 encrypted with Master key 04. */
     {0xEB, 0xF5, 0x6F, 0x83, 0x61, 0x9E, 0xF8, 0xFA, 0xE0, 0x87, 0xD7, 0xA1, 0x4E, 0x25, 0x36, 0xEE}, /* Master key 04 encrypted with Master key 05. */
+    {0x1E, 0x1E, 0x22, 0xC0, 0x5A, 0x33, 0x3C, 0xB9, 0x0B, 0xA9, 0x03, 0x04, 0xBA, 0xDB, 0x07, 0x57}, /* Master key 05 encrypted with Master key 06. */
 };
 
 bool check_mkey_revision(unsigned int revision, bool is_retail) {
@@ -123,7 +125,7 @@ unsigned int mkey_get_keyslot(unsigned int revision) {
 
 
 void set_old_devkey(unsigned int revision, const uint8_t *key) {
-    if (revision < MASTERKEY_REVISION_400_410 || MASTERKEY_REVISION_600_CURRENT <= revision) {
+    if (revision < MASTERKEY_REVISION_400_410 || MASTERKEY_REVISION_MAX <= revision) {
         generic_panic();
     }
 
@@ -140,7 +142,7 @@ unsigned int devkey_get_keyslot(unsigned int revision) {
     }
 
     if (revision >= 1) {
-        if (revision == MASTERKEY_REVISION_600_CURRENT) {
+        if (revision == MASTERKEY_REVISION_MAX) {
             return KEYSLOT_SWITCH_DEVICEKEY;
         } else {
             /* Load into a temp keyslot. */

exosphere/src/masterkey.h

@@ -19,15 +19,16 @@
 
 /* This is glue code to enable master key support across versions. */
 
-/* TODO: Update to 0x7 on release of new master key. */
-#define MASTERKEY_REVISION_MAX 0x6
+/* TODO: Update to 0x8 on release of new master key. */
+#define MASTERKEY_REVISION_MAX 0x7
 
 #define MASTERKEY_REVISION_100_230     0x00
 #define MASTERKEY_REVISION_300         0x01
 #define MASTERKEY_REVISION_301_302     0x02
 #define MASTERKEY_REVISION_400_410     0x03
 #define MASTERKEY_REVISION_500_510     0x04
-#define MASTERKEY_REVISION_600_CURRENT 0x05
+#define MASTERKEY_REVISION_600_610     0x05
+#define MASTERKEY_REVISION_620_CURRENT 0x06
 
 #define MASTERKEY_NUM_NEW_DEVICE_KEYS (MASTERKEY_REVISION_MAX - MASTERKEY_REVISION_400_410)
 

exosphere/src/mc.c

@@ -39,23 +39,23 @@ volatile security_carveout_t *get_carveout_by_id(unsigned int carveout) {
 }
 
 void configure_gpu_ucode_carveout(void) {
-    /* Starting in 6.0.0, Carveout 2 is configured later on. */
+    /* Starting in 6.0.0, Carveout 2 is configured later on and adds read permission to TSEC. */
     /* This is a helper function to make this easier... */
     volatile security_carveout_t *carveout = get_carveout_by_id(2);
     carveout->paddr_low = 0x80020000;
     carveout->paddr_high = 0;
-    carveout->size_big_pages = 2; /* 0x40000 */
-    carveout->flags_0 = 0;
-    carveout->flags_1 = 0;
-    carveout->flags_2 = 0x3000000;
-    carveout->flags_3 = 0;
-    carveout->flags_4 = 0x300;
-    carveout->flags_5 = 0;
-    carveout->flags_6 = 0;
-    carveout->flags_7 = 0;
-    carveout->flags_8 = 0;
-    carveout->flags_9 = 0;
-    carveout->allowed_clients = 0x440167E;
+    carveout->size_big_pages = 2;       /* 0x40000 */
+    carveout->client_access_0 = 0;
+    carveout->client_access_1 = 0;
+    carveout->client_access_2 = (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_600) ? (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR) | BIT(CSR_TSECSRD)) : (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
+    carveout->client_access_3 = 0;
+    carveout->client_access_4 = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
+    carveout->client_force_internal_access_0 = 0;
+    carveout->client_force_internal_access_1 = 0;
+    carveout->client_force_internal_access_2 = 0;
+    carveout->client_force_internal_access_3 = 0;
+    carveout->client_force_internal_access_4 = 0;
+    carveout->config = 0x440167E;
 }
 
 void configure_default_carveouts(void) {
@@ -64,17 +64,17 @@ void configure_default_carveouts(void) {
     carveout->paddr_low = 0;
     carveout->paddr_high = 0;
     carveout->size_big_pages = 0;
-    carveout->flags_0 = 0;
-    carveout->flags_1 = 0;
-    carveout->flags_2 = 0;
-    carveout->flags_3 = 0;
-    carveout->flags_4 = 0;
-    carveout->flags_5 = 0;
-    carveout->flags_6 = 0;
-    carveout->flags_7 = 0;
-    carveout->flags_8 = 0;
-    carveout->flags_9 = 0;
-    carveout->allowed_clients = 0x04000006;
+    carveout->client_access_0 = 0;
+    carveout->client_access_1 = 0;
+    carveout->client_access_2 = 0;
+    carveout->client_access_3 = 0;
+    carveout->client_access_4 = 0;
+    carveout->client_force_internal_access_0 = 0;
+    carveout->client_force_internal_access_1 = 0;
+    carveout->client_force_internal_access_2 = 0;
+    carveout->client_force_internal_access_3 = 0;
+    carveout->client_force_internal_access_4 = 0;
+    carveout->config = 0x4000006;
 
     /* Configure Carveout 2 (GPU UCODE) */
     if (exosphere_get_target_firmware() < EXOSPHERE_TARGET_FIRMWARE_600) {
@@ -86,17 +86,17 @@ void configure_default_carveouts(void) {
     carveout->paddr_low = 0;
     carveout->paddr_high = 0;
     carveout->size_big_pages = 0;
-    carveout->flags_0 = 0;
-    carveout->flags_1 = 0;
-    carveout->flags_2 = 0x3000000;
-    carveout->flags_3 = 0;
-    carveout->flags_4 = 0x300;
-    carveout->flags_5 = 0;
-    carveout->flags_6 = 0;
-    carveout->flags_7 = 0;
-    carveout->flags_8 = 0;
-    carveout->flags_9 = 0;
-    carveout->allowed_clients = 0x4401E7E;
+    carveout->client_access_0 = 0;
+    carveout->client_access_1 = 0;
+    carveout->client_access_2 = (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
+    carveout->client_access_3 = 0;
+    carveout->client_access_4 = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
+    carveout->client_force_internal_access_0 = 0;
+    carveout->client_force_internal_access_1 = 0;
+    carveout->client_force_internal_access_2 = 0;
+    carveout->client_force_internal_access_3 = 0;
+    carveout->client_force_internal_access_4 = 0;
+    carveout->config = 0x4401E7E;
 
     /* Configure default Kernel carveouts based on 2.0.0+. */
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_200) {
@@ -111,17 +111,17 @@ void configure_default_carveouts(void) {
             carveout->paddr_low = 0;
             carveout->paddr_high = 0;
             carveout->size_big_pages = 0;
-            carveout->flags_0 = 0;
-            carveout->flags_1 = 0;
-            carveout->flags_2 = 0;
-            carveout->flags_3 = 0;
-            carveout->flags_4 = 0;
-            carveout->flags_5 = 0;
-            carveout->flags_6 = 0;
-            carveout->flags_7 = 0;
-            carveout->flags_8 = 0;
-            carveout->flags_9 = 0;
-            carveout->allowed_clients = 0x4000006;
+            carveout->client_access_0 = 0;
+            carveout->client_access_1 = 0;
+            carveout->client_access_2 = 0;
+            carveout->client_access_3 = 0;
+            carveout->client_access_4 = 0;
+            carveout->client_force_internal_access_0 = 0;
+            carveout->client_force_internal_access_1 = 0;
+            carveout->client_force_internal_access_2 = 0;
+            carveout->client_force_internal_access_3 = 0;
+            carveout->client_force_internal_access_4 = 0;
+            carveout->config = 0x4000006;
         }
     }
 }
@@ -138,15 +138,15 @@ void configure_kernel_carveout(unsigned int carveout_id, uint64_t address, uint6
     carveout->paddr_low = (uint32_t)(address & 0xFFFFFFFF);
     carveout->paddr_high = (uint32_t)(address >> 32);
     carveout->size_big_pages = (uint32_t)(size >> 17);
-    carveout->flags_0 = 0x70E3407F;
-    carveout->flags_1 = 0x1A620880;
-    carveout->flags_2 = 0x303C00;
-    carveout->flags_3 = 0xCF0830BB;
-    carveout->flags_4 = 0x3;
-    carveout->flags_5 = exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400 && carveout_id == 4 ? 0x8000 : 0;
-    carveout->flags_6 = exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400 && carveout_id == 4 ? 0x40000 : 0;
-    carveout->flags_7 = 0;
-    carveout->flags_8 = 0;
-    carveout->flags_9 = 0;
-    carveout->allowed_clients = 0x8B;
+    carveout->client_access_0 = (BIT(CSR_PTCR) | BIT(CSR_DISPLAY0A) | BIT(CSR_DISPLAY0AB) | BIT(CSR_DISPLAY0B) | BIT(CSR_DISPLAY0BB) | BIT(CSR_DISPLAY0C) | BIT(CSR_DISPLAY0CB) | BIT(CSR_AFIR) | BIT(CSR_DISPLAYHC) | BIT(CSR_DISPLAYHCB) | BIT(CSR_HDAR) | BIT(CSR_HOST1XDMAR) | BIT(CSR_HOST1XR) | BIT(CSR_NVENCSRD) | BIT(CSR_PPCSAHBDMAR) | BIT(CSR_PPCSAHBSLVR));
+    carveout->client_access_1 = (BIT(CSR_MPCORER) | BIT(CSW_NVENCSWR) | BIT(CSW_AFIW) | BIT(CSW_HDAW) | BIT(CSW_HOST1XW) | BIT(CSW_MPCOREW) | BIT(CSW_PPCSAHBDMAW) | BIT(CSW_PPCSAHBSLVW));
+    carveout->client_access_2 = (BIT(CSR_XUSB_HOSTR) | BIT(CSW_XUSB_HOSTW) | BIT(CSR_XUSB_DEVR) | BIT(CSW_XUSB_DEVW) | BIT(CSR_TSECSRD) | BIT(CSW_TSECSWR));
+    carveout->client_access_3 = (BIT(CSR_SDMMCRA) | BIT(CSR_SDMMCRAA) | BIT(CSR_SDMMCRAB) | BIT(CSW_SDMMCWA) | BIT(CSW_SDMMCWAA) | BIT(CSW_SDMMCWAB) | BIT(CSR_VICSRD) | BIT(CSW_VICSWR) | BIT(CSR_DISPLAYD) | BIT(CSR_NVDECSRD) | BIT(CSW_NVDECSWR) | BIT(CSR_APER) | BIT(CSW_APEW) | BIT(CSR_NVJPGSRD) | BIT(CSW_NVJPGSWR));
+    carveout->client_access_4 = (BIT(CSR_SESRD) | BIT(CSW_SESWR));
+    carveout->client_force_internal_access_0 = ((exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) && (carveout_id == 4)) ? BIT(CSR_AVPCARM7R) : 0;
+    carveout->client_force_internal_access_1 = ((exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_400) && (carveout_id == 4)) ? BIT(CSW_AVPCARM7W) : 0;
+    carveout->client_force_internal_access_2 = 0;
+    carveout->client_force_internal_access_3 = 0;
+    carveout->client_force_internal_access_4 = 0;
+    carveout->config = 0x8B;
 }

exosphere/src/mc.h

@@ -27,60 +27,597 @@ static inline uintptr_t get_mc_base(void) {
 }
 
 #define MC_BASE  (get_mc_base())
-
 #define MAKE_MC_REG(n) MAKE_REG32(MC_BASE + n)
 
-#define MC_SMMU_CONFIG_0     MAKE_MC_REG(0x010)
-#define MC_SMMU_TLB_CONFIG_0 MAKE_MC_REG(0x014)
-#define MC_SMMU_PTC_CONFIG_0 MAKE_MC_REG(0x018)
-#define MC_SMMU_PTB_ASID_0   MAKE_MC_REG(0x01C)
-#define MC_SMMU_PTB_DATA_0   MAKE_MC_REG(0x020)
-#define MC_SMMU_TLB_FLUSH_0  MAKE_MC_REG(0x030)
-#define MC_SMMU_PTC_FLUSH_0  MAKE_MC_REG(0x034)
-#define MC_SMMU_AFI_ASID_0   MAKE_MC_REG(0x238)
-#define MC_SMMU_AVPC_ASID_0  MAKE_MC_REG(0x23C)
+#define MC_INTSTATUS                                            0x0
+#define MC_INTMASK                                              0x4
+#define MC_ERR_STATUS                                           0x8
+#define MC_ERR_ADR                                              0xc
+#define MC_SMMU_CONFIG                                          0x10
+#define MC_SMMU_TLB_CONFIG                                      0x14
+#define MC_SMMU_PTC_CONFIG                                      0x18
+#define MC_SMMU_PTB_ASID                                        0x1c
+#define MC_SMMU_PTB_DATA                                        0x20
+#define MC_SMMU_TLB_FLUSH                                       0x30
+#define MC_SMMU_PTC_FLUSH                                       0x34
+#define MC_SMMU_AFI_ASID                                        0x238
+#define MC_SMMU_AVPC_ASID                                       0x23c
+#define MC_SMMU_PPCS1_ASID                                      0x298
+#define MC_SMMU_TRANSLATION_ENABLE_0                            0x228
+#define MC_SMMU_TRANSLATION_ENABLE_1                            0x22c
+#define MC_SMMU_TRANSLATION_ENABLE_2                            0x230
+#define MC_SMMU_TRANSLATION_ENABLE_3                            0x234
+#define MC_SMMU_TRANSLATION_ENABLE_4                            0xb98
+#define MC_PCFIFO_CLIENT_CONFIG0                                0xdd0
+#define MC_PCFIFO_CLIENT_CONFIG1                                0xdd4
+#define MC_PCFIFO_CLIENT_CONFIG2                                0xdd8
+#define MC_PCFIFO_CLIENT_CONFIG3                                0xddc
+#define MC_PCFIFO_CLIENT_CONFIG4                                0xde0
+#define MC_EMEM_CFG                                             0x50
+#define MC_EMEM_ADR_CFG                                         0x54
+#define MC_EMEM_ADR_CFG_DEV0                                    0x58
+#define MC_EMEM_ADR_CFG_DEV1                                    0x5c
+#define MC_EMEM_ADR_CFG_CHANNEL_MASK                            0x60
+#define MC_EMEM_ADR_CFG_BANK_MASK_0                             0x64
+#define MC_EMEM_ADR_CFG_BANK_MASK_1                             0x68
+#define MC_EMEM_ADR_CFG_BANK_MASK_2                             0x6c
+#define MC_SECURITY_CFG0                                        0x70
+#define MC_SECURITY_CFG1                                        0x74
+#define MC_SECURITY_CFG3                                        0x9bc
+#define MC_SECURITY_RSV                                         0x7c
+#define MC_EMEM_ARB_CFG                                         0x90
+#define MC_EMEM_ARB_OUTSTANDING_REQ                             0x94
+#define MC_EMEM_ARB_TIMING_RCD                                  0x98
+#define MC_EMEM_ARB_TIMING_RP                                   0x9c
+#define MC_EMEM_ARB_TIMING_RC                                   0xa0
+#define MC_EMEM_ARB_TIMING_RAS                                  0xa4
+#define MC_EMEM_ARB_TIMING_FAW                                  0xa8
+#define MC_EMEM_ARB_TIMING_RRD                                  0xac
+#define MC_EMEM_ARB_TIMING_RAP2PRE                              0xb0
+#define MC_EMEM_ARB_TIMING_WAP2PRE                              0xb4
+#define MC_EMEM_ARB_TIMING_R2R                                  0xb8
+#define MC_EMEM_ARB_TIMING_W2W                                  0xbc
+#define MC_EMEM_ARB_TIMING_R2W                                  0xc0
+#define MC_EMEM_ARB_TIMING_W2R                                  0xc4
+#define MC_EMEM_ARB_TIMING_RFCPB                                0x6c0
+#define MC_EMEM_ARB_TIMING_CCDMW                                0x6c4
+#define MC_EMEM_ARB_REFPB_HP_CTRL                               0x6f0
+#define MC_EMEM_ARB_REFPB_BANK_CTRL                             0x6f4
+#define MC_EMEM_ARB_DA_TURNS                                    0xd0
+#define MC_EMEM_ARB_DA_COVERS                                   0xd4
+#define MC_EMEM_ARB_MISC0                                       0xd8
+#define MC_EMEM_ARB_MISC1                                       0xdc
+#define MC_EMEM_ARB_MISC2                                       0xc8
+#define MC_EMEM_ARB_RING1_THROTTLE                              0xe0
+#define MC_EMEM_ARB_RING3_THROTTLE                              0xe4
+#define MC_EMEM_ARB_NISO_THROTTLE                               0x6b0
+#define MC_EMEM_ARB_OVERRIDE                                    0xe8
+#define MC_EMEM_ARB_RSV                                         0xec
+#define MC_CLKEN_OVERRIDE                                       0xf4
+#define MC_TIMING_CONTROL_DBG                                   0xf8
+#define MC_TIMING_CONTROL                                       0xfc
+#define MC_STAT_CONTROL                                         0x100
+#define MC_STAT_STATUS                                          0x104
+#define MC_STAT_EMC_CLOCK_LIMIT                                 0x108
+#define MC_STAT_EMC_CLOCK_LIMIT_MSBS                            0x10c
+#define MC_STAT_EMC_CLOCKS                                      0x110
+#define MC_STAT_EMC_CLOCKS_MSBS                                 0x114
+#define MC_STAT_EMC_FILTER_SET0_ADR_LIMIT_LO                    0x118
+#define MC_STAT_EMC_FILTER_SET1_ADR_LIMIT_LO                    0x158
+#define MC_STAT_EMC_FILTER_SET0_ADR_LIMIT_HI                    0x11c
+#define MC_STAT_EMC_FILTER_SET1_ADR_LIMIT_HI                    0x15c
+#define MC_STAT_EMC_FILTER_SET0_ADR_LIMIT_UPPER                 0xa20
+#define MC_STAT_EMC_FILTER_SET1_ADR_LIMIT_UPPER                 0xa24
+#define MC_STAT_EMC_FILTER_SET0_VIRTUAL_ADR_LIMIT_LO            0x198
+#define MC_STAT_EMC_FILTER_SET1_VIRTUAL_ADR_LIMIT_LO            0x1a8
+#define MC_STAT_EMC_FILTER_SET0_VIRTUAL_ADR_LIMIT_HI            0x19c
+#define MC_STAT_EMC_FILTER_SET1_VIRTUAL_ADR_LIMIT_HI            0x1ac
+#define MC_STAT_EMC_FILTER_SET0_VIRTUAL_ADR_LIMIT_UPPER         0xa28
+#define MC_STAT_EMC_FILTER_SET1_VIRTUAL_ADR_LIMIT_UPPER         0xa2c
+#define MC_STAT_EMC_FILTER_SET0_ASID                            0x1a0
+#define MC_STAT_EMC_FILTER_SET1_ASID                            0x1b0
+#define MC_STAT_EMC_FILTER_SET0_SLACK_LIMIT                     0x120
+#define MC_STAT_EMC_FILTER_SET1_SLACK_LIMIT                     0x160
+#define MC_STAT_EMC_FILTER_SET0_CLIENT_0                        0x128
+#define MC_STAT_EMC_FILTER_SET1_CLIENT_0                        0x168
+#define MC_STAT_EMC_FILTER_SET0_CLIENT_1                        0x12c
+#define MC_STAT_EMC_FILTER_SET1_CLIENT_1                        0x16c
+#define MC_STAT_EMC_FILTER_SET0_CLIENT_2                        0x130
+#define MC_STAT_EMC_FILTER_SET1_CLIENT_2                        0x170
+#define MC_STAT_EMC_FILTER_SET0_CLIENT_3                        0x134
+#define MC_STAT_EMC_FILTER_SET0_CLIENT_4                        0xb88
+#define MC_STAT_EMC_FILTER_SET1_CLIENT_3                        0x174
+#define MC_STAT_EMC_FILTER_SET1_CLIENT_4                        0xb8c
+#define MC_STAT_EMC_SET0_COUNT                                  0x138
+#define MC_STAT_EMC_SET0_COUNT_MSBS                             0x13c
+#define MC_STAT_EMC_SET1_COUNT                                  0x178
+#define MC_STAT_EMC_SET1_COUNT_MSBS                             0x17c
+#define MC_STAT_EMC_SET0_SLACK_ACCUM                            0x140
+#define MC_STAT_EMC_SET0_SLACK_ACCUM_MSBS                       0x144
+#define MC_STAT_EMC_SET1_SLACK_ACCUM                            0x180
+#define MC_STAT_EMC_SET1_SLACK_ACCUM_MSBS                       0x184
+#define MC_STAT_EMC_SET0_HISTO_COUNT                            0x148
+#define MC_STAT_EMC_SET0_HISTO_COUNT_MSBS                       0x14c
+#define MC_STAT_EMC_SET1_HISTO_COUNT                            0x188
+#define MC_STAT_EMC_SET1_HISTO_COUNT_MSBS                       0x18c
+#define MC_STAT_EMC_SET0_MINIMUM_SLACK_OBSERVED                 0x150
+#define MC_STAT_EMC_SET1_MINIMUM_SLACK_OBSERVED                 0x190
+#define MC_STAT_EMC_SET0_IDLE_CYCLE_COUNT                       0x1b8
+#define MC_STAT_EMC_SET0_IDLE_CYCL_COUNT_MSBS                   0x1bc
+#define MC_STAT_EMC_SET1_IDLE_CYCLE_COUNT                       0x1c8
+#define MC_STAT_EMC_SET1_IDLE_CYCL_COUNT_MSBS                   0x1cc
+#define MC_STAT_EMC_SET0_IDLE_CYCLE_PARTITION_SELECT            0x1c0
+#define MC_STAT_EMC_SET1_IDLE_CYCLE_PARTITION_SELECT            0x1d0
+#define MC_CLIENT_HOTRESET_CTRL                                 0x200
+#define MC_CLIENT_HOTRESET_CTRL_1                               0x970
+#define MC_CLIENT_HOTRESET_STATUS                               0x204
+#define MC_CLIENT_HOTRESET_STATUS_1                             0x974
+#define MC_EMEM_ARB_ISOCHRONOUS_0                               0x208
+#define MC_EMEM_ARB_ISOCHRONOUS_1                               0x20c
+#define MC_EMEM_ARB_ISOCHRONOUS_2                               0x210
+#define MC_EMEM_ARB_ISOCHRONOUS_3                               0x214
+#define MC_EMEM_ARB_ISOCHRONOUS_4                               0xb94
+#define MC_EMEM_ARB_HYSTERESIS_0                                0x218
+#define MC_EMEM_ARB_HYSTERESIS_1                                0x21c
+#define MC_EMEM_ARB_HYSTERESIS_2                                0x220
+#define MC_EMEM_ARB_HYSTERESIS_3                                0x224
+#define MC_EMEM_ARB_HYSTERESIS_4                                0xb84
+#define MC_EMEM_ARB_DHYSTERESIS_0                               0xbb0
+#define MC_EMEM_ARB_DHYSTERESIS_1                               0xbb4
+#define MC_EMEM_ARB_DHYSTERESIS_2                               0xbb8
+#define MC_EMEM_ARB_DHYSTERESIS_3                               0xbbc
+#define MC_EMEM_ARB_DHYSTERESIS_4                               0xbc0
+#define MC_EMEM_ARB_DHYST_CTRL                                  0xbcc
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_0                        0xbd0
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_1                        0xbd4
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_2                        0xbd8
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_3                        0xbdc
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_4                        0xbe0
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_5                        0xbe4
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_6                        0xbe8
+#define MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_7                        0xbec
+#define MC_RESERVED_RSV                                         0x3fc
+#define MC_DISB_EXTRA_SNAP_LEVELS                               0x408
+#define MC_APB_EXTRA_SNAP_LEVELS                                0x2a4
+#define MC_AHB_EXTRA_SNAP_LEVELS                                0x2a0
+#define MC_USBD_EXTRA_SNAP_LEVELS                               0xa18
+#define MC_ISP_EXTRA_SNAP_LEVELS                                0xa08
+#define MC_AUD_EXTRA_SNAP_LEVELS                                0xa10
+#define MC_MSE_EXTRA_SNAP_LEVELS                                0x40c
+#define MC_GK2_EXTRA_SNAP_LEVELS                                0xa40
+#define MC_A9AVPPC_EXTRA_SNAP_LEVELS                            0x414
+#define MC_FTOP_EXTRA_SNAP_LEVELS                               0x2bc
+#define MC_JPG_EXTRA_SNAP_LEVELS                                0xa3c
+#define MC_HOST_EXTRA_SNAP_LEVELS                               0xa14
+#define MC_SAX_EXTRA_SNAP_LEVELS                                0x2c0
+#define MC_DIS_EXTRA_SNAP_LEVELS                                0x2ac
+#define MC_VICPC_EXTRA_SNAP_LEVELS                              0xa1c
+#define MC_HDAPC_EXTRA_SNAP_LEVELS                              0xa48
+#define MC_AVP_EXTRA_SNAP_LEVELS                                0x2a8
+#define MC_USBX_EXTRA_SNAP_LEVELS                               0x404
+#define MC_PCX_EXTRA_SNAP_LEVELS                                0x2b8
+#define MC_SD_EXTRA_SNAP_LEVELS                                 0xa04
+#define MC_DFD_EXTRA_SNAP_LEVELS                                0xa4c
+#define MC_VE_EXTRA_SNAP_LEVELS                                 0x2d8
+#define MC_GK_EXTRA_SNAP_LEVELS                                 0xa00
+#define MC_VE2_EXTRA_SNAP_LEVELS                                0x410
+#define MC_SDM_EXTRA_SNAP_LEVELS                                0xa44
+#define MC_VIDEO_PROTECT_BOM                                    0x648
+#define MC_VIDEO_PROTECT_SIZE_MB                                0x64c
+#define MC_VIDEO_PROTECT_BOM_ADR_HI                             0x978
+#define MC_VIDEO_PROTECT_REG_CTRL                               0x650
+#define MC_ERR_VPR_STATUS                                       0x654
+#define MC_ERR_VPR_ADR                                          0x658
+#define MC_VIDEO_PROTECT_VPR_OVERRIDE                           0x418
+#define MC_VIDEO_PROTECT_VPR_OVERRIDE1                          0x590
+#define MC_IRAM_BOM                                             0x65c
+#define MC_IRAM_TOM                                             0x660
+#define MC_IRAM_ADR_HI                                          0x980
+#define MC_IRAM_REG_CTRL                                        0x964
+#define MC_EMEM_CFG_ACCESS_CTRL                                 0x664
+#define MC_TZ_SECURITY_CTRL                                     0x668
+#define MC_EMEM_ARB_OUTSTANDING_REQ_RING3                       0x66c
+#define MC_EMEM_ARB_OUTSTANDING_REQ_NISO                        0x6b4
+#define MC_EMEM_ARB_RING0_THROTTLE_MASK                         0x6bc
+#define MC_EMEM_ARB_NISO_THROTTLE_MASK                          0x6b8
+#define MC_EMEM_ARB_NISO_THROTTLE_MASK_1                        0xb80
+#define MC_SEC_CARVEOUT_BOM                                     0x670
+#define MC_SEC_CARVEOUT_SIZE_MB                                 0x674
+#define MC_SEC_CARVEOUT_ADR_HI                                  0x9d4
+#define MC_SEC_CARVEOUT_REG_CTRL                                0x678
+#define MC_ERR_SEC_STATUS                                       0x67c
+#define MC_ERR_SEC_ADR                                          0x680
+#define MC_PC_IDLE_CLOCK_GATE_CONFIG                            0x684
+#define MC_STUTTER_CONTROL                                      0x688
+#define MC_RESERVED_RSV_1                                       0x958
+#define MC_DVFS_PIPE_SELECT                                     0x95c
+#define MC_AHB_PTSA_MIN                                         0x4e0
+#define MC_AUD_PTSA_MIN                                         0x54c
+#define MC_MLL_MPCORER_PTSA_RATE                                0x44c
+#define MC_RING2_PTSA_RATE                                      0x440
+#define MC_USBD_PTSA_RATE                                       0x530
+#define MC_USBX_PTSA_MIN                                        0x528
+#define MC_USBD_PTSA_MIN                                        0x534
+#define MC_APB_PTSA_MAX                                         0x4f0
+#define MC_JPG_PTSA_RATE                                        0x584
+#define MC_DIS_PTSA_MIN                                         0x420
+#define MC_AVP_PTSA_MAX                                         0x4fc
+#define MC_AVP_PTSA_RATE                                        0x4f4
+#define MC_RING1_PTSA_MIN                                       0x480
+#define MC_DIS_PTSA_MAX                                         0x424
+#define MC_SD_PTSA_MAX                                          0x4d8
+#define MC_MSE_PTSA_RATE                                        0x4c4
+#define MC_VICPC_PTSA_MIN                                       0x558
+#define MC_PCX_PTSA_MAX                                         0x4b4
+#define MC_ISP_PTSA_RATE                                        0x4a0
+#define MC_A9AVPPC_PTSA_MIN                                     0x48c
+#define MC_RING2_PTSA_MAX                                       0x448
+#define MC_AUD_PTSA_RATE                                        0x548
+#define MC_HOST_PTSA_MIN                                        0x51c
+#define MC_MLL_MPCORER_PTSA_MAX                                 0x454
+#define MC_SD_PTSA_MIN                                          0x4d4
+#define MC_RING1_PTSA_RATE                                      0x47c
+#define MC_JPG_PTSA_MIN                                         0x588
+#define MC_HDAPC_PTSA_MIN                                       0x62c
+#define MC_AVP_PTSA_MIN                                         0x4f8
+#define MC_JPG_PTSA_MAX                                         0x58c
+#define MC_VE_PTSA_MAX                                          0x43c
+#define MC_DFD_PTSA_MAX                                         0x63c
+#define MC_VICPC_PTSA_RATE                                      0x554
+#define MC_GK_PTSA_MAX                                          0x544
+#define MC_VICPC_PTSA_MAX                                       0x55c
+#define MC_SDM_PTSA_MAX                                         0x624
+#define MC_SAX_PTSA_RATE                                        0x4b8
+#define MC_PCX_PTSA_MIN                                         0x4b0
+#define MC_APB_PTSA_MIN                                         0x4ec
+#define MC_GK2_PTSA_MIN                                         0x614
+#define MC_PCX_PTSA_RATE                                        0x4ac
+#define MC_RING1_PTSA_MAX                                       0x484
+#define MC_HDAPC_PTSA_RATE                                      0x628
+#define MC_MLL_MPCORER_PTSA_MIN                                 0x450
+#define MC_GK2_PTSA_MAX                                         0x618
+#define MC_AUD_PTSA_MAX                                         0x550
+#define MC_GK2_PTSA_RATE                                        0x610
+#define MC_ISP_PTSA_MAX                                         0x4a8
+#define MC_DISB_PTSA_RATE                                       0x428
+#define MC_VE2_PTSA_MAX                                         0x49c
+#define MC_DFD_PTSA_MIN                                         0x638
+#define MC_FTOP_PTSA_RATE                                       0x50c
+#define MC_A9AVPPC_PTSA_RATE                                    0x488
+#define MC_VE2_PTSA_MIN                                         0x498
+#define MC_USBX_PTSA_MAX                                        0x52c
+#define MC_DIS_PTSA_RATE                                        0x41c
+#define MC_USBD_PTSA_MAX                                        0x538
+#define MC_A9AVPPC_PTSA_MAX                                     0x490
+#define MC_USBX_PTSA_RATE                                       0x524
+#define MC_FTOP_PTSA_MAX                                        0x514
+#define MC_HDAPC_PTSA_MAX                                       0x630
+#define MC_SD_PTSA_RATE                                         0x4d0
+#define MC_DFD_PTSA_RATE                                        0x634
+#define MC_FTOP_PTSA_MIN                                        0x510
+#define MC_SDM_PTSA_RATE                                        0x61c
+#define MC_AHB_PTSA_RATE                                        0x4dc
+#define MC_SMMU_SMMU_PTSA_MAX                                   0x460
+#define MC_RING2_PTSA_MIN                                       0x444
+#define MC_SDM_PTSA_MIN                                         0x620
+#define MC_APB_PTSA_RATE                                        0x4e8
+#define MC_MSE_PTSA_MIN                                         0x4c8
+#define MC_HOST_PTSA_RATE                                       0x518
+#define MC_VE_PTSA_RATE                                         0x434
+#define MC_AHB_PTSA_MAX                                         0x4e4
+#define MC_SAX_PTSA_MIN                                         0x4bc
+#define MC_SMMU_SMMU_PTSA_MIN                                   0x45c
+#define MC_ISP_PTSA_MIN                                         0x4a4
+#define MC_HOST_PTSA_MAX                                        0x520
+#define MC_SAX_PTSA_MAX                                         0x4c0
+#define MC_VE_PTSA_MIN                                          0x438
+#define MC_GK_PTSA_MIN                                          0x540
+#define MC_MSE_PTSA_MAX                                         0x4cc
+#define MC_DISB_PTSA_MAX                                        0x430
+#define MC_DISB_PTSA_MIN                                        0x42c
+#define MC_SMMU_SMMU_PTSA_RATE                                  0x458
+#define MC_VE2_PTSA_RATE                                        0x494
+#define MC_GK_PTSA_RATE                                         0x53c
+#define MC_PTSA_GRANT_DECREMENT                                 0x960
+#define MC_LATENCY_ALLOWANCE_AVPC_0                             0x2e4
+#define MC_LATENCY_ALLOWANCE_AXIAP_0                            0x3a0
+#define MC_LATENCY_ALLOWANCE_XUSB_1                             0x380
+#define MC_LATENCY_ALLOWANCE_ISP2B_0                            0x384
+#define MC_LATENCY_ALLOWANCE_SDMMCAA_0                          0x3bc
+#define MC_LATENCY_ALLOWANCE_SDMMCA_0                           0x3b8
+#define MC_LATENCY_ALLOWANCE_ISP2_0                             0x370
+#define MC_LATENCY_ALLOWANCE_SE_0                               0x3e0
+#define MC_LATENCY_ALLOWANCE_ISP2_1                             0x374
+#define MC_LATENCY_ALLOWANCE_DC_0                               0x2e8
+#define MC_LATENCY_ALLOWANCE_VIC_0                              0x394
+#define MC_LATENCY_ALLOWANCE_DCB_1                              0x2f8
+#define MC_LATENCY_ALLOWANCE_NVDEC_0                            0x3d8
+#define MC_LATENCY_ALLOWANCE_DCB_2                              0x2fc
+#define MC_LATENCY_ALLOWANCE_TSEC_0                             0x390
+#define MC_LATENCY_ALLOWANCE_DC_2                               0x2f0
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0AB                  0x694
+#define MC_LATENCY_ALLOWANCE_PPCS_1                             0x348
+#define MC_LATENCY_ALLOWANCE_XUSB_0                             0x37c
+#define MC_LATENCY_ALLOWANCE_PPCS_0                             0x344
+#define MC_LATENCY_ALLOWANCE_TSECB_0                            0x3f0
+#define MC_LATENCY_ALLOWANCE_AFI_0                              0x2e0
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0B                   0x698
+#define MC_LATENCY_ALLOWANCE_DC_1                               0x2ec
+#define MC_LATENCY_ALLOWANCE_APE_0                              0x3dc
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0C                   0x6a0
+#define MC_LATENCY_ALLOWANCE_A9AVP_0                            0x3a4
+#define MC_LATENCY_ALLOWANCE_GPU2_0                             0x3e8
+#define MC_LATENCY_ALLOWANCE_DCB_0                              0x2f4
+#define MC_LATENCY_ALLOWANCE_HC_1                               0x314
+#define MC_LATENCY_ALLOWANCE_SDMMC_0                            0x3c0
+#define MC_LATENCY_ALLOWANCE_NVJPG_0                            0x3e4
+#define MC_LATENCY_ALLOWANCE_PTC_0                              0x34c
+#define MC_LATENCY_ALLOWANCE_ETR_0                              0x3ec
+#define MC_LATENCY_ALLOWANCE_MPCORE_0                           0x320
+#define MC_LATENCY_ALLOWANCE_VI2_0                              0x398
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0BB                  0x69c
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0CB                  0x6a4
+#define MC_LATENCY_ALLOWANCE_SATA_0                             0x350
+#define MC_SCALED_LATENCY_ALLOWANCE_DISPLAY0A                   0x690
+#define MC_LATENCY_ALLOWANCE_HC_0                               0x310
+#define MC_LATENCY_ALLOWANCE_DC_3                               0x3c8
+#define MC_LATENCY_ALLOWANCE_GPU_0                              0x3ac
+#define MC_LATENCY_ALLOWANCE_SDMMCAB_0                          0x3c4
+#define MC_LATENCY_ALLOWANCE_ISP2B_1                            0x388
+#define MC_LATENCY_ALLOWANCE_NVENC_0                            0x328
+#define MC_LATENCY_ALLOWANCE_HDA_0                              0x318
+#define MC_MIN_LENGTH_APE_0                                     0xb34
+#define MC_MIN_LENGTH_DCB_2                                     0x8a8
+#define MC_MIN_LENGTH_A9AVP_0                                   0x950
+#define MC_MIN_LENGTH_TSEC_0                                    0x93c
+#define MC_MIN_LENGTH_DC_1                                      0x898
+#define MC_MIN_LENGTH_AXIAP_0                                   0x94c
+#define MC_MIN_LENGTH_ISP2B_0                                   0x930
+#define MC_MIN_LENGTH_VI2_0                                     0x944
+#define MC_MIN_LENGTH_DCB_0                                     0x8a0
+#define MC_MIN_LENGTH_DCB_1                                     0x8a4
+#define MC_MIN_LENGTH_PPCS_1                                    0x8f4
+#define MC_MIN_LENGTH_NVJPG_0                                   0xb3c
+#define MC_MIN_LENGTH_HDA_0                                     0x8c4
+#define MC_MIN_LENGTH_NVENC_0                                   0x8d4
+#define MC_MIN_LENGTH_SDMMC_0                                   0xb18
+#define MC_MIN_LENGTH_ISP2B_1                                   0x934
+#define MC_MIN_LENGTH_HC_1                                      0x8c0
+#define MC_MIN_LENGTH_DC_3                                      0xb20
+#define MC_MIN_LENGTH_AVPC_0                                    0x890
+#define MC_MIN_LENGTH_VIC_0                                     0x940
+#define MC_MIN_LENGTH_ISP2_0                                    0x91c
+#define MC_MIN_LENGTH_HC_0                                      0x8bc
+#define MC_MIN_LENGTH_SE_0                                      0xb38
+#define MC_MIN_LENGTH_NVDEC_0                                   0xb30
+#define MC_MIN_LENGTH_SATA_0                                    0x8fc
+#define MC_MIN_LENGTH_DC_0                                      0x894
+#define MC_MIN_LENGTH_XUSB_1                                    0x92c
+#define MC_MIN_LENGTH_DC_2                                      0x89c
+#define MC_MIN_LENGTH_SDMMCAA_0                                 0xb14
+#define MC_MIN_LENGTH_GPU_0                                     0xb04
+#define MC_MIN_LENGTH_ETR_0                                     0xb44
+#define MC_MIN_LENGTH_AFI_0                                     0x88c
+#define MC_MIN_LENGTH_PPCS_0                                    0x8f0
+#define MC_MIN_LENGTH_ISP2_1                                    0x920
+#define MC_MIN_LENGTH_XUSB_0                                    0x928
+#define MC_MIN_LENGTH_MPCORE_0                                  0x8cc
+#define MC_MIN_LENGTH_TSECB_0                                   0xb48
+#define MC_MIN_LENGTH_SDMMCA_0                                  0xb10
+#define MC_MIN_LENGTH_GPU2_0                                    0xb40
+#define MC_MIN_LENGTH_SDMMCAB_0                                 0xb1c
+#define MC_MIN_LENGTH_PTC_0                                     0x8f8
+#define MC_EMEM_ARB_OVERRIDE_1                                  0x968
+#define MC_VIDEO_PROTECT_GPU_OVERRIDE_0                         0x984
+#define MC_VIDEO_PROTECT_GPU_OVERRIDE_1                         0x988
+#define MC_EMEM_ARB_STATS_0                                     0x990
+#define MC_EMEM_ARB_STATS_1                                     0x994
+#define MC_MTS_CARVEOUT_BOM                                     0x9a0
+#define MC_MTS_CARVEOUT_SIZE_MB                                 0x9a4
+#define MC_MTS_CARVEOUT_ADR_HI                                  0x9a8
+#define MC_MTS_CARVEOUT_REG_CTRL                                0x9ac
+#define MC_ERR_MTS_STATUS                                       0x9b0
+#define MC_ERR_MTS_ADR                                          0x9b4
+#define MC_ERR_GENERALIZED_CARVEOUT_STATUS                      0xc00
+#define MC_ERR_GENERALIZED_CARVEOUT_ADR                         0xc04
+#define MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS2     0xd74
+#define MC_SECURITY_CARVEOUT4_CFG0                              0xcf8
+#define MC_SECURITY_CARVEOUT4_CLIENT_ACCESS2                    0xd10
+#define MC_SECURITY_CARVEOUT4_SIZE_128KB                        0xd04
+#define MC_SECURITY_CARVEOUT1_CLIENT_ACCESS4                    0xc28
+#define MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS1     0xc30
+#define MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS4     0xc8c
+#define MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS0     0xd1c
+#define MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS1     0xd70
+#define MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS0     0xc2c
+#define MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS4     0xd7c
+#define MC_SECURITY_CARVEOUT3_SIZE_128KB                        0xcb4
+#define MC_SECURITY_CARVEOUT2_CFG0                              0xc58
+#define MC_SECURITY_CARVEOUT1_CFG0                              0xc08
+#define MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2     0xc84
+#define MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0                    0xc68
+#define MC_SECURITY_CARVEOUT3_BOM                               0xcac
+#define MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2                    0xc70
+#define MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS3     0xd78
+#define MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0     0xc7c
+#define MC_SECURITY_CARVEOUT4_CLIENT_ACCESS4                    0xd18
+#define MC_SECURITY_CARVEOUT3_CLIENT_ACCESS1                    0xcbc
+#define MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS3     0xc38
+#define MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS2     0xc34
+#define MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2                    0xcc0
+#define MC_SECURITY_CARVEOUT5_CLIENT_ACCESS2                    0xd60
+#define MC_SECURITY_CARVEOUT3_CFG0                              0xca8
+#define MC_SECURITY_CARVEOUT3_CLIENT_ACCESS0                    0xcb8
+#define MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS3     0xc88
+#define MC_SECURITY_CARVEOUT2_SIZE_128KB                        0xc64
+#define MC_SECURITY_CARVEOUT5_BOM_HI                            0xd50
+#define MC_SECURITY_CARVEOUT1_SIZE_128KB                        0xc14
+#define MC_SECURITY_CARVEOUT4_CLIENT_ACCESS3                    0xd14
+#define MC_SECURITY_CARVEOUT1_BOM                               0xc0c
+#define MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4     0xd2c
+#define MC_SECURITY_CARVEOUT5_CLIENT_ACCESS4                    0xd68
+#define MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4                    0xcc8
+#define MC_SECURITY_CARVEOUT5_CLIENT_ACCESS0                    0xd58
+#define MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS2     0xd24
+#define MC_SECURITY_CARVEOUT3_CLIENT_ACCESS3                    0xcc4
+#define MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4                    0xc78
+#define MC_SECURITY_CARVEOUT1_CLIENT_ACCESS1                    0xc1c
+#define MC_SECURITY_CARVEOUT1_CLIENT_ACCESS0                    0xc18
+#define MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3     0xd28
+#define MC_SECURITY_CARVEOUT5_CLIENT_ACCESS1                    0xd5c
+#define MC_SECURITY_CARVEOUT3_BOM_HI                            0xcb0
+#define MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3     0xcd8
+#define MC_SECURITY_CARVEOUT2_BOM_HI                            0xc60
+#define MC_SECURITY_CARVEOUT4_BOM_HI                            0xd00
+#define MC_SECURITY_CARVEOUT5_CLIENT_ACCESS3                    0xd64
+#define MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4     0xcdc
+#define MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1     0xc80
+#define MC_SECURITY_CARVEOUT5_SIZE_128KB                        0xd54
+#define MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS1     0xd20
+#define MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS2     0xcd4
+#define MC_SECURITY_CARVEOUT4_CLIENT_ACCESS1                    0xd0c
+#define MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3                    0xc74
+#define MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS0     0xccc
+#define MC_SECURITY_CARVEOUT4_BOM                               0xcfc
+#define MC_SECURITY_CARVEOUT5_CFG0                              0xd48
+#define MC_SECURITY_CARVEOUT2_BOM                               0xc5c
+#define MC_SECURITY_CARVEOUT5_BOM                               0xd4c
+#define MC_SECURITY_CARVEOUT1_CLIENT_ACCESS3                    0xc24
+#define MC_SECURITY_CARVEOUT5_CLIENT_FORCE_INTERNAL_ACCESS0     0xd6c
+#define MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS1     0xcd0
+#define MC_SECURITY_CARVEOUT1_BOM_HI                            0xc10
+#define MC_SECURITY_CARVEOUT1_CLIENT_ACCESS2                    0xc20
+#define MC_SECURITY_CARVEOUT1_CLIENT_FORCE_INTERNAL_ACCESS4     0xc3c
+#define MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1                    0xc6c
+#define MC_SECURITY_CARVEOUT4_CLIENT_ACCESS0                    0xd08
+#define MC_ERR_APB_ASID_UPDATE_STATUS                           0x9d0
+#define MC_DA_CONFIG0                                           0x9dc
 
-#define MC_SMMU_TRANSLATION_ENABLE_0_0 MAKE_MC_REG(0x228)
-#define MC_SMMU_TRANSLATION_ENABLE_1_0 MAKE_MC_REG(0x22C)
-#define MC_SMMU_TRANSLATION_ENABLE_2_0 MAKE_MC_REG(0x230)
-#define MC_SMMU_TRANSLATION_ENABLE_3_0 MAKE_MC_REG(0x234)
-#define MC_SMMU_TRANSLATION_ENABLE_4_0 MAKE_MC_REG(0xB98)
-
-#define MC_SMMU_PPCS1_ASID_0 MAKE_MC_REG(0x298)
-
-#define MC_SECURITY_CFG0_0 MAKE_MC_REG(0x070)
-#define MC_SECURITY_CFG1_0 MAKE_MC_REG(0x074)
-#define MC_SECURITY_CFG3_0 MAKE_MC_REG(0x9BC)
+/* Virtual aliases */
+#define VIRT_MC_SECURITY_CFG3   MAKE_MC_REG(MC_SECURITY_CFG3)
 
+/* Memory Controller clients */
+#define CLIENT_ACCESS_NUM_CLIENTS   32
+typedef enum {
+    /* _ACCESS0 */
+    CSR_PTCR = (0 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0A = (1 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0AB = (2 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0B = (3 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0BB = (4 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0C = (5 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0CB = (6 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AFIR = (14 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AVPCARM7R = (15 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHC = (16 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHCB = (17 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HDAR = (21 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XDMAR = (22 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XR = (23 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_NVENCSRD = (28 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBDMAR = (29 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBSLVR = (30 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_SATAR = (31 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    
+    /* _ACCESS1 */
+    CSR_VDEBSEVR = (34 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMBER = (35 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMCER = (36 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDETPER = (37 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORELPR = (38 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORER = (39 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_NVENCSWR = (43 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AFIW = (49 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AVPCARM7W = (50 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HDAW = (53 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HOST1XW = (54 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCORELPW = (56 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCOREW = (57 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBDMAW = (59 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBSLVW = (60 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_SATAW = (61 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEBSEVW = (62 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEDBGW = (63 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    
+    /* _ACCESS2 */
+    CSW_VDEMBEW = (64 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_VDETPMW = (65 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRA = (68 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWA = (70 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWB = (71 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_HOSTR = (74 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_HOSTW = (75 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_DEVR = (76 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_DEVW = (77 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRAB = (78 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWAB = (80 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWBB = (81 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_TSECSRD = (84 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_TSECSWR = (85 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_A9AVPSCR = (86 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_A9AVPSCW = (87 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_GPUSRD = (88 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_GPUSWR = (89 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_DISPLAYT = (90 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    
+    /* _ACCESS3 */
+    CSR_SDMMCRA = (96 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAA = (97 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCR = (98 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAB = (99 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWA = (100 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAA = (101 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCW = (102 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAB = (103 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_VICSRD = (108 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VICSWR = (109 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VIW = (114 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_DISPLAYD = (115 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVDECSRD = (120 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVDECSWR = (121 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_APER = (122 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_APEW = (123 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVJPGSRD = (126 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVJPGSWR = (127 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    
+    /* _ACCESS4 */
+    CSR_SESRD = (128 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_SESWR = (129 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_AXIAPR = (130 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_AXIAPW = (131 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_ETRR = (132 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_ETRW = (133 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_TSECSRDB = (134 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_TSECSWRB = (135 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_GPUSRD2 = (136 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_GPUSWR2 = (137 - (CLIENT_ACCESS_NUM_CLIENTS * 4))
+} McClient;
 
+/* Memory Controller carveouts */
 #define CARVEOUT_ID_MIN 1
 #define CARVEOUT_ID_MAX 5
-
 #define KERNEL_CARVEOUT_SIZE_MAX 0x1FFE0000
-
 typedef struct {
-    uint32_t allowed_clients;
+    uint32_t config;
     uint32_t paddr_low;
     uint32_t paddr_high;
     uint32_t size_big_pages;
-    uint32_t flags_0;
-    uint32_t flags_1;
-    uint32_t flags_2;
-    uint32_t flags_3;
-    uint32_t flags_4;
-    uint32_t flags_5;
-    uint32_t flags_6;
-    uint32_t flags_7;
-    uint32_t flags_8;
-    uint32_t flags_9;
+    uint32_t client_access_0;
+    uint32_t client_access_1;
+    uint32_t client_access_2;
+    uint32_t client_access_3;
+    uint32_t client_access_4;
+    uint32_t client_force_internal_access_0;
+    uint32_t client_force_internal_access_1;
+    uint32_t client_force_internal_access_2;
+    uint32_t client_force_internal_access_3;
+    uint32_t client_force_internal_access_4;
     uint8_t padding[0x18];
 } security_carveout_t;
 
-
 volatile security_carveout_t *get_carveout_by_id(unsigned int carveout);
 void configure_default_carveouts(void);
 void configure_gpu_ucode_carveout(void);
 void configure_kernel_carveout(unsigned int carveout_id, uint64_t address, uint64_t size);
 
-
-#endif
+#endif

exosphere/src/package2.c

@@ -38,21 +38,48 @@ extern void *__start_cold_addr;
 extern size_t __bin_size;
 
 static const uint8_t new_device_key_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
-    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.x New Device Key Source. */
-    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.x New Device Key Source. */
-    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}  /* 6.x New Device Key Source. */
+    {0x8B, 0x4E, 0x1C, 0x22, 0x42, 0x07, 0xC8, 0x73, 0x56, 0x94, 0x08, 0x8B, 0xCC, 0x47, 0x0F, 0x5D}, /* 4.x   New Device Key Source. */
+    {0x6C, 0xEF, 0xC6, 0x27, 0x8B, 0xEC, 0x8A, 0x91, 0x99, 0xAB, 0x24, 0xAC, 0x4F, 0x1C, 0x8F, 0x1C}, /* 5.x   New Device Key Source. */
+    {0x70, 0x08, 0x1B, 0x97, 0x44, 0x64, 0xF8, 0x91, 0x54, 0x9D, 0xC6, 0x84, 0x8F, 0x1A, 0xB2, 0xE4}, /* 6.x   New Device Key Source. */
+    {0x8E, 0x09, 0x1F, 0x7A, 0xBB, 0xCA, 0x6A, 0xFB, 0xB8, 0x9B, 0xD5, 0xC1, 0x25, 0x9C, 0xA9, 0x17}  /* 6.2.0 New Device Key Source. */
 };
 
 static const uint8_t new_device_keygen_sources[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
-    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.x New Device Keygen Source. */
-    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.x New Device Keygen Source. */
-    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}  /* 6.x New Device Keygen Source. */
+    {0x88, 0x62, 0x34, 0x6E, 0xFA, 0xF7, 0xD8, 0x3F, 0xE1, 0x30, 0x39, 0x50, 0xF0, 0xB7, 0x5D, 0x5D}, /* 4.x   New Device Keygen Source. */
+    {0x06, 0x1E, 0x7B, 0xE9, 0x6D, 0x47, 0x8C, 0x77, 0xC5, 0xC8, 0xE7, 0x94, 0x9A, 0xA8, 0x5F, 0x2E}, /* 5.x   New Device Keygen Source. */
+    {0x99, 0xFA, 0x98, 0xBD, 0x15, 0x1C, 0x72, 0xFD, 0x7D, 0x9A, 0xD5, 0x41, 0x00, 0xFD, 0xB2, 0xEF}, /* 6.x   New Device Keygen Source. */
+    {0x81, 0x3C, 0x6C, 0xBF, 0x5D, 0x21, 0xDE, 0x77, 0x20, 0xD9, 0x6C, 0xE3, 0x22, 0x06, 0xAE, 0xBB}  /* 6.2.0 New Device Keygen Source. */
 };
 
 static const uint8_t new_device_keygen_sources_dev[MASTERKEY_NUM_NEW_DEVICE_KEYS][0x10] = {
-    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.x New Device Keygen Source. */
-    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.x New Device Keygen Source. */
-    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}  /* 6.x New Device Keygen Source. */
+    {0xD6, 0xBD, 0x9F, 0xC6, 0x18, 0x09, 0xE1, 0x96, 0x20, 0x39, 0x60, 0xD2, 0x89, 0x83, 0x31, 0x34}, /* 4.x   New Device Keygen Source. */
+    {0x59, 0x2D, 0x20, 0x69, 0x33, 0xB5, 0x17, 0xBA, 0xCF, 0xB1, 0x4E, 0xFD, 0xE4, 0xC2, 0x7B, 0xA8}, /* 5.x   New Device Keygen Source. */
+    {0xF6, 0xD8, 0x59, 0x63, 0x8F, 0x47, 0xCB, 0x4A, 0xD8, 0x74, 0x05, 0x7F, 0x88, 0x92, 0x33, 0xA5}, /* 6.x   New Device Keygen Source. */
+    {0x20, 0xAB, 0xF2, 0x0F, 0x05, 0xE3, 0xDE, 0x2E, 0xA1, 0xFB, 0x37, 0x5E, 0x8B, 0x22, 0x1A, 0x38}  /* 6.2.0 New Device Keygen Source. */
+};
+
+static const uint8_t new_master_kek_sources[1][0x10] = {
+    {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, /* 6.2.0 Master Kek Source. */
+};
+
+static const uint8_t keyblob_key_seed_00[0x10] = {
+    0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3
+};
+
+static const uint8_t devicekey_seed[0x10] = {
+    0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78
+};
+
+static const uint8_t devicekey_4x_seed[0x10] = {
+    0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28
+};
+
+static const uint8_t masterkey_seed[0x10] = {
+    0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C
+};
+
+static const uint8_t devicekek_4x_seed[0x10] = {
+    0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66
 };
 
 static void derive_new_device_keys(unsigned int keygen_keyslot) {
@@ -105,6 +132,20 @@ static void setup_se(void) {
     for (unsigned int i = 0; i < KEYSLOT_RSA_MAX; i++) {
         set_rsa_keyslot_flags(i, 0x41);
     }
+    
+    if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_620 && exosphere_should_perform_620_keygen()) {
+        /* Start by generating device keys. */
+        se_aes_ecb_decrypt_block(KEYSLOT_SWITCH_6XTSECKEY, work_buffer, 0x10, keyblob_key_seed_00, 0x10);
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_4XOLDDEVICEKEY, KEYSLOT_SWITCH_6XSBK, work_buffer, 0x10);
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_4XNEWCONSOLEKEYGENKEY, KEYSLOT_SWITCH_4XOLDDEVICEKEY, devicekey_4x_seed, 0x10);
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_4XOLDDEVICEKEY, KEYSLOT_SWITCH_4XOLDDEVICEKEY, devicekey_seed, 0x10);
+        
+        /* Next, generate the master kek, and from there master key/device kek. We use different keyslots than Nintendo, here. */
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_6XTSECROOTKEY, KEYSLOT_SWITCH_6XTSECROOTKEY, new_master_kek_sources[0], 0x10);
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_MASTERKEY, KEYSLOT_SWITCH_6XTSECROOTKEY, masterkey_seed, 0x10);
+        decrypt_data_into_keyslot(KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY, KEYSLOT_SWITCH_6XTSECROOTKEY, devicekek_4x_seed, 0x10);
+        clear_aes_keyslot(KEYSLOT_SWITCH_6XTSECROOTKEY);  
+    }
 
     /* Detect Master Key revision. */
     mkey_detect_revision();
@@ -120,6 +161,7 @@ static void setup_se(void) {
             break;
         case EXOSPHERE_TARGET_FIRMWARE_500:
         case EXOSPHERE_TARGET_FIRMWARE_600:
+        case EXOSPHERE_TARGET_FIRMWARE_620:
             derive_new_device_keys(KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY);
             break;
     }
@@ -304,7 +346,7 @@ static bool validate_package2_metadata(package2_meta_t *metadata) {
 
     /* Perform version checks. */
     /* We will be compatible with all package2s released before current, but not newer ones. */
-    if (metadata->version_max >= PACKAGE2_MINVER_THEORETICAL && metadata->version_min < PACKAGE2_MAXVER_600_CURRENT) {
+    if (metadata->version_max >= PACKAGE2_MINVER_THEORETICAL && metadata->version_min < PACKAGE2_MAXVER_620_CURRENT) {
         return true;
     }
 
@@ -424,6 +466,7 @@ static void copy_warmboot_bin_to_dram() {
             warmboot_src = (uint8_t *)0x4003B000;
             break;
         case EXOSPHERE_TARGET_FIRMWARE_600:
+        case EXOSPHERE_TARGET_FIRMWARE_620:
             warmboot_src = (uint8_t *)0x4003D800;
             break;
     }
@@ -466,6 +509,7 @@ uintptr_t get_pk2ldr_stack_address(void) {
 void load_package2(coldboot_crt0_reloc_list_t *reloc_list) {
     /* Load Exosphere-specific config. */
     exosphere_load_config();
+    configitem_set_debugmode_override(exosphere_should_override_debugmode_user() != 0, exosphere_should_override_debugmode_priv() != 0);
 
     /* Setup the Security Engine. */
     setup_se();
@@ -486,6 +530,9 @@ void load_package2(coldboot_crt0_reloc_list_t *reloc_list) {
             case EXOSPHERE_TARGET_FIRMWARE_600:
                 MAKE_REG32(PMC_BASE + 0x360) = 0x87;
                 break;
+            case EXOSPHERE_TARGET_FIRMWARE_620:
+                MAKE_REG32(PMC_BASE + 0x360) = 0xA8;
+                break;
         }
     }
 

exosphere/src/package2.h

@@ -67,7 +67,8 @@ static inline uintptr_t get_nx_bootloader_mailbox_base(void) {
 #define PACKAGE2_MAXVER_302 0x5
 #define PACKAGE2_MAXVER_400_410 0x6
 #define PACKAGE2_MAXVER_500_510 0x7
-#define PACKAGE2_MAXVER_600_CURRENT 0x8
+#define PACKAGE2_MAXVER_600_610 0x8
+#define PACKAGE2_MAXVER_620_CURRENT 0x9
 
 #define PACKAGE2_MINVER_100 0x3
 #define PACKAGE2_MINVER_200 0x4
@@ -75,7 +76,8 @@ static inline uintptr_t get_nx_bootloader_mailbox_base(void) {
 #define PACKAGE2_MINVER_302 0x6
 #define PACKAGE2_MINVER_400_410 0x7
 #define PACKAGE2_MINVER_500_510 0x8
-#define PACKAGE2_MINVER_600_CURRENT 0x9
+#define PACKAGE2_MINVER_600_610 0x9
+#define PACKAGE2_MINVER_620_CURRENT 0xA
 
 typedef struct {
     union {

exosphere/src/se.h

@@ -43,6 +43,11 @@
 /* This keyslot was added in 5.0.0. */
 #define KEYSLOT_SWITCH_5XNEWDEVICEKEYGENKEY 0xA
 
+/* This keyslot was added in 6.00. */
+#define KEYSLOT_SWITCH_6XTSECKEY 0xC
+#define KEYSLOT_SWITCH_6XTSECROOTKEY 0xD
+#define KEYSLOT_SWITCH_6XSBK 0xE
+
 #define KEYSLOT_AES_MAX 0x10
 #define KEYSLOT_RSA_MAX 0x2
 

exosphere/src/sealedkeys.c

@@ -33,7 +33,7 @@ static const uint8_t g_seal_key_sources[CRYPTOUSECASE_MAX_5X][0x10] = {
     {0x0E, 0xE0, 0xC4, 0x33, 0x82, 0x66, 0xE8, 0x08, 0x39, 0x13, 0x41, 0x7D, 0x04, 0x64, 0x2B, 0x6D},
     {0xE1, 0xA8, 0xAA, 0x6A, 0x2D, 0x9C, 0xDE, 0x43, 0x0C, 0xDE, 0xC6, 0x17, 0xF6, 0xC7, 0xF1, 0xDE},
     {0x74, 0x20, 0xF6, 0x46, 0x77, 0xB0, 0x59, 0x2C, 0xE8, 0x1B, 0x58, 0x64, 0x47, 0x41, 0x37, 0xD9},
-    {0xAA, 0x19, 0x0F, 0xFA, 0x4C, 0x30, 0x3B, 0x2E, 0xE8, 0x1B, 0x58, 0x64, 0x47, 0x41, 0x37, 0xD9}
+    {0xAA, 0x19, 0x0F, 0xFA, 0x4C, 0x30, 0x3B, 0x2E, 0xE6, 0xD8, 0x9A, 0xCF, 0xE5, 0x3F, 0xB3, 0x4B}
 };
 
 bool usecase_is_invalid(unsigned int usecase) {

exosphere/src/smc_api.c

@@ -44,8 +44,8 @@
 #define DEBUG_PANIC_ON_FAILURE 0
 
 /* User SMC prototypes */
-uint32_t smc_set_config(smc_args_t *args);
-uint32_t smc_get_config(smc_args_t *args);
+uint32_t smc_set_config_user(smc_args_t *args);
+uint32_t smc_get_config_user(smc_args_t *args);
 uint32_t smc_check_status(smc_args_t *args);
 uint32_t smc_get_result(smc_args_t *args);
 uint32_t smc_exp_mod(smc_args_t *args);
@@ -71,7 +71,7 @@ uint32_t smc_decrypt_or_import_rsa_key(smc_args_t *args);
 uint32_t smc_cpu_suspend(smc_args_t *args);
 uint32_t smc_cpu_off(smc_args_t *args);
 uint32_t smc_cpu_on(smc_args_t *args);
-/* uint32_t smc_get_config(smc_args_t *args); */
+uint32_t smc_get_config_priv(smc_args_t *args);
 uint32_t smc_get_random_bytes_for_priv(smc_args_t *args);
 uint32_t smc_panic(smc_args_t *args);
 uint32_t smc_configure_carveout(smc_args_t *args);
@@ -89,8 +89,8 @@ typedef struct {
 
 static smc_table_entry_t g_smc_user_table[SMC_USER_HANDLERS] = {
     {0, NULL},
-    {0xC3000401, smc_set_config},
-    {0xC3000002, smc_get_config},
+    {0xC3000401, smc_set_config_user},
+    {0xC3000002, smc_get_config_user},
     {0xC3000003, smc_check_status},
     {0xC3000404, smc_get_result},
     {0xC3000E05, smc_exp_mod},
@@ -114,7 +114,7 @@ static smc_table_entry_t g_smc_priv_table[SMC_PRIV_HANDLERS] = {
     {0xC4000001, smc_cpu_suspend},
     {0x84000002, smc_cpu_off},
     {0xC4000003, smc_cpu_on},
-    {0xC3000004, smc_get_config}, /* NOTE: Same function as for USER */
+    {0xC3000004, smc_get_config_priv},
     {0xC3000005, smc_get_random_bytes_for_priv},
     {0xC3000006, smc_panic},
     {0xC3000007, smc_configure_carveout},
@@ -159,6 +159,7 @@ void set_version_specific_smcs(void) {
             break;
         case EXOSPHERE_TARGET_FIRMWARE_500:
         case EXOSPHERE_TARGET_FIRMWARE_600:
+        case EXOSPHERE_TARGET_FIRMWARE_620:
             /* No more LoadSecureExpModKey. */
             g_smc_user_table[0xE].handler = NULL;
             g_smc_user_table[0xC].id = 0xC300D60C;
@@ -328,15 +329,15 @@ uint32_t smc_wrapper_async(smc_args_t *args, uint32_t (*handler)(smc_args_t *),
     return result;
 }
 
-uint32_t smc_set_config(smc_args_t *args) {
+uint32_t smc_set_config_user(smc_args_t *args) {
     /* Actual value presumed in X3 on hardware. */
-    return configitem_set((ConfigItem)args->X[1], args->X[3]);
+    return configitem_set(false, (ConfigItem)args->X[1], args->X[3]);
 }
 
-uint32_t smc_get_config(smc_args_t *args) {
+uint32_t smc_get_config_user(smc_args_t *args) {
     uint64_t out_item = 0;
     uint32_t result;
-    result = configitem_get((ConfigItem)args->X[1], &out_item);
+    result = configitem_get(false, (ConfigItem)args->X[1], &out_item);
     args->X[1] = out_item;
     return result;
 }
@@ -533,6 +534,14 @@ uint32_t smc_cpu_suspend(smc_args_t *args) {
     return smc_wrapper_sync(args, cpu_suspend_wrapper);
 }
 
+uint32_t smc_get_config_priv(smc_args_t *args) {
+    uint64_t out_item = 0;
+    uint32_t result;
+    result = configitem_get(true, (ConfigItem)args->X[1], &out_item);
+    args->X[1] = out_item;
+    return result;
+}
+
 uint32_t smc_get_random_bytes_for_priv(smc_args_t *args) {
     /* This is an interesting SMC. */
     /* The kernel must NEVER be unable to get random bytes, if it needs them */

exosphere/src/smc_user.c

@@ -49,6 +49,7 @@ static bool is_user_keyslot_valid(unsigned int keyslot) {
         case EXOSPHERE_TARGET_FIRMWARE_500:
             return keyslot <= 3;
         case EXOSPHERE_TARGET_FIRMWARE_600:
+        case EXOSPHERE_TARGET_FIRMWARE_620:
         default:
             return keyslot <= 5;
     }
@@ -166,7 +167,7 @@ uint32_t user_generate_aes_kek(smc_args_t *args) {
     /* 5.0.0+ Bounds checking. */
     if (exosphere_get_target_firmware() >= EXOSPHERE_TARGET_FIRMWARE_500) {
         if (is_personalized) {
-            if (master_key_rev > MASTERKEY_REVISION_600_CURRENT || ((1 << (master_key_rev + 1)) & 0x73) == 0) {
+            if (master_key_rev >= MASTERKEY_REVISION_MAX || (MASTERKEY_REVISION_300 <= master_key_rev && master_key_rev < MASTERKEY_REVISION_400_410)) {
                 return 2;
             }
             if (mask_id > 3 || usecase >= CRYPTOUSECASE_MAX_5X) {

exosphere/src/timers.h

@@ -27,10 +27,11 @@ static inline uintptr_t get_timers_base(void) {
 }
 
 #define TIMERS_BASE (get_timers_base())
-
 #define MAKE_TIMERS_REG(n) MAKE_REG32(TIMERS_BASE + n)
 
-#define TIMERUS_CNTR_1US_0 MAKE_REG32(TIMERS_BASE + 0x10)
+#define TIMERUS_CNTR_1US_0 MAKE_TIMERS_REG(0x10)
+#define SHARED_INTR_STATUS_0 MAKE_TIMERS_REG(0x1A0)
+#define SHARED_TIMER_SECURE_CFG_0 MAKE_TIMERS_REG(0x1A4)
 
 typedef struct {
     uint32_t CONFIG;
@@ -41,7 +42,7 @@ typedef struct {
 
 #define GET_WDT(n) ((volatile watchdog_timers_t *)(TIMERS_BASE + 0x100 + 0x20 * n))
 #define WDT_REBOOT_PATTERN 0xC45A
-#define GET_WDT_REBOOT_CFG_REG(n) MAKE_REG32(TIMERS_BASE + 0x60 + 0x8*n)
+#define GET_WDT_REBOOT_CFG_REG(n) MAKE_REG32(TIMERS_BASE + 0x60 + 0x8 * n)
 
 void wait(uint32_t microseconds);
 

exosphere/src/warmboot_init.c

@@ -199,7 +199,7 @@ void warmboot_init(void) {
     invalidate_icache_all();
     
     /* On warmboot (not cpu_on) only */
-    if (MC_SECURITY_CFG3_0 == 0) {
+    if (VIRT_MC_SECURITY_CFG3 == 0) {
         init_dma_controllers(g_exosphere_target_firmware_for_init);
     }
     

exosphere/src/warmboot_main.c

@@ -30,6 +30,7 @@
 #include "car.h"
 #include "i2c.h"
 #include "misc.h"
+#include "uart.h"
 #include "interrupt.h"
 
 #include "pmc.h"
@@ -54,9 +55,17 @@ void __attribute__((noreturn)) warmboot_main(void) {
     identity_unmap_iram_cd_tzram();
 
     /* On warmboot (not cpu_on) only */
-    if (MC_SECURITY_CFG3_0 == 0) {
+    if (VIRT_MC_SECURITY_CFG3 == 0) {
+        /* N only does this on dev units, but we will do it unconditionally. */
+        {
+            uart_select(UART_A);
+            clkrst_reboot(CARDEVICE_UARTA);
+            uart_init(UART_A, 115200);
+        }
+        
         if (!configitem_is_retail()) {
-            /* TODO: uart_log("OHAYO"); */
+            uart_send(UART_A, "OHAYO", 6);
+            uart_wait_idle(UART_A, UART_VENDOR_STATE_TX_IDLE);
         }
 
         /* Sanity check the Security Engine. */

fusee/fusee-primary/Makefile

@@ -9,6 +9,13 @@ endif
 TOPDIR ?= $(CURDIR)
 include $(DEVKITARM)/base_rules
 
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
 #---------------------------------------------------------------------------------
 # TARGET is the name of the output
 # BUILD is the directory where object files & intermediate files will be placed
@@ -26,7 +33,7 @@ INCLUDES	:=	include  ../../common/include
 # options for code generation
 #---------------------------------------------------------------------------------
 ARCH	:=	-march=armv4t -mtune=arm7tdmi -mthumb -mthumb-interwork
-DEFINES :=	-D__BPMP__ -DFUSEE_STAGE1_SRC
+DEFINES :=	-D__BPMP__ -DFUSEE_STAGE1_SRC -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
 
 CFLAGS	:= \
 	-g \

fusee/fusee-primary/src/car.c

@@ -15,6 +15,7 @@
  */
  
 #include "car.h"
+#include "timers.h"
 #include "utils.h"
 
 static inline uint32_t get_clk_source_reg(CarDevice dev) {
@@ -121,7 +122,15 @@ void clkrst_disable(CarDevice dev) {
 
 void clkrst_reboot(CarDevice dev) {
     clkrst_disable(dev);
-    clkrst_enable(dev);
+    if (dev == CARDEVICE_KFUSE) {
+        /* Workaround for KFUSE clock. */
+        clk_enable(dev);
+        udelay(100);
+        rst_disable(dev);
+        udelay(200);
+    } else {
+        clkrst_enable(dev);
+    }
 }
 
 void clkrst_enable_fuse_regs(bool enable) {

fusee/fusee-primary/src/hwinit.c

@@ -213,8 +213,8 @@ void nx_hwinit()
     APB_MISC_PP_PINMUX_GLOBAL_0 = 0;
     
     /* Configure GPIOs. */
-    /* NOTE: In 3.x+ part of the GPIO configuration is skipped if the unit is SDEV. */
-    /* NOTE: In 6.x+ the GPIO configuration's order was changed a bit. */
+    /* NOTE: [3.0.0+] Part of the GPIO configuration is skipped if the unit is SDEV. */
+    /* NOTE: [6.0.0+] The GPIO configuration's order was changed a bit. */
     config_gpios();
 
     /* Uncomment for UART debugging. */
@@ -233,14 +233,14 @@ void nx_hwinit()
     clkrst_reboot(CARDEVICE_I2C5);
     
     /* Reboot SE. */
-    /* NOTE: In 4.x+ this was removed. */
-    clkrst_reboot(CARDEVICE_SE);
+    /* NOTE: [4.0.0+] This was removed. */
+    /* clkrst_reboot(CARDEVICE_SE); */
     
     /* Reboot unknown device. */
     clkrst_reboot(CARDEVICE_UNK);
 
     /* Initialize I2C1. */
-    /* NOTE: In 6.x+ this was moved to after the PMIC is configured. */
+    /* NOTE: [6.0.0+] This was moved to after the PMIC is configured. */
     i2c_init(I2C_1);
     
     /* Initialize I2C5. */
@@ -268,11 +268,9 @@ void nx_hwinit()
     val = 0x1B;
     i2c_send(I2C_5, MAX77620_PWR_I2C_ADDR, MAX77620_REG_FPS_SD3, &val, 1);
     
-    /* TODO: In 3.x+ this was added. */
-    /*
+    /* NOTE: [3.0.0+] This was added. */
     val = 0x22;
     i2c_send(I2C_5, MAX77620_PWR_I2C_ADDR, MAX77620_REG_FPS_GPIO3, &val, 1);
-    */
     
     /* TODO: In 3.x+, if the unit is SDEV, the MBLPD bit is set. */
     /*
@@ -286,15 +284,15 @@ void nx_hwinit()
     i2c_send(I2C_5, MAX77620_PWR_I2C_ADDR, MAX77620_REG_SD0, &val, 1);
 
     /* Configure and lock PMC scratch registers. */
-    /* NOTE: In 4.x+ this was removed. */
+    /* NOTE: [4.0.0+] This was removed. */
     config_pmc_scratch();
 
     /* Set super clock burst policy. */
     car->sclk_brst_pol = ((car->sclk_brst_pol & 0xFFFF8888) | 0x3333);
 
     /* Configure memory controller carveouts. */
-    /* NOTE: In 4.x+ this was removed. */
-    mc_config_carveout();
+    /* NOTE: [4.0.0+] This is now done in the Secure Monitor. */
+    /* mc_config_carveout(); */
 
     /* Initialize SDRAM. */
     sdram_init();

fusee/fusee-primary/src/main.c

@@ -40,12 +40,12 @@ static char g_bct0_buffer[BCTO_MAX_SIZE];
 #define DEFAULT_BCT0_FOR_DEBUG \
 "BCT0\n"\
 "[stage1]\n"\
-"stage2_path = fusee-secondary.bin\n"\
+"stage2_path = atmosphere/fusee-secondary.bin\n"\
 "stage2_addr = 0xF0000000\n"\
 "stage2_entrypoint = 0xF0000000\n"
 
 static const char *load_config(void) {
-    if (!read_from_file(g_bct0_buffer, BCTO_MAX_SIZE, "BCT.ini")) {
+    if (!read_from_file(g_bct0_buffer, BCTO_MAX_SIZE, "atmosphere/BCT.ini")) {
         print(SCREEN_LOG_LEVEL_DEBUG, "Failed to read BCT0 from SD!\n");
         print(SCREEN_LOG_LEVEL_DEBUG, "Using default BCT0!\n");
         memcpy(g_bct0_buffer, DEFAULT_BCT0_FOR_DEBUG, sizeof(DEFAULT_BCT0_FOR_DEBUG));
@@ -108,7 +108,7 @@ static void setup_env(void) {
 
     /* Set up the exception handlers. */
     setup_exception_handlers();
-    
+        
     /* Mount the SD card. */
     mount_sd();
 }
@@ -133,6 +133,9 @@ int main(void) {
     uint32_t stage2_version = 0;
     ScreenLogLevel log_level = SCREEN_LOG_LEVEL_MANDATORY;
     
+    /* Override the global logging level. */
+    log_set_log_level(log_level);
+    
     /* Initialize the display, console, etc. */
     setup_env();
     
@@ -144,9 +147,6 @@ int main(void) {
         fatal_error("Failed to parse BCT.ini!\n");
     }
     
-    /* Override the global logging level. */
-    log_set_log_level(log_level);
-    
     /* Say hello. */
     print(SCREEN_LOG_LEVEL_MANDATORY, "Welcome to Atmosph\xe8re Fus\xe9" "e!\n");
     print(SCREEN_LOG_LEVEL_DEBUG, "Using color linear framebuffer at 0x%p!\n", g_framebuffer);    
@@ -159,7 +159,7 @@ int main(void) {
     strcpy(g_chainloader_arg_data, stage2_path);
     stage2_args = (stage2_args_t *)(g_chainloader_arg_data + strlen(stage2_path) + 1); /* May be unaligned. */
     memcpy(&stage2_args->version, &stage2_version, 4);
-    stage2_args->log_level = log_level;
+    memcpy(&stage2_args->log_level, &log_level, sizeof(log_level));
     stage2_args->display_initialized = false;
     strcpy(stage2_args->bct0, bct0);
     g_chainloader_argc = 2;

fusee/fusee-primary/src/mc.c

@@ -31,6 +31,7 @@ void mc_config_tsec_carveout(uint32_t bom, uint32_t size1mb, bool lock)
 void mc_config_carveout()
 {
     *(volatile uint32_t *)0x8005FFFC = 0xC0EDBBCC;
+    
     MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_0) = 1;
     MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_1) = 0;
     MAKE_MC_REG(MC_VIDEO_PROTECT_BOM) = 0;
@@ -43,6 +44,7 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_MTS_CARVEOUT_SIZE_MB) = 0;
     MAKE_MC_REG(MC_MTS_CARVEOUT_ADR_HI) = 0;
     MAKE_MC_REG(MC_MTS_CARVEOUT_REG_CTRL) = 1;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_SIZE_128KB) = 0;
@@ -63,15 +65,16 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_SIZE_128KB) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS1) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2) = 0x3000000;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2) = (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS3) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4) = 0x300;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4) = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS1) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS2) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CFG0) = 0x4401E7E;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_SIZE_128KB) = 0;
@@ -86,6 +89,7 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CFG0) = 0x8F;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_SIZE_128KB) = 0;
@@ -109,9 +113,9 @@ void mc_config_carveout_finalize()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_SIZE_128KB) = 2;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = 0x3000000;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = 0x300;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2) = 0;
@@ -156,7 +160,9 @@ void mc_enable()
     car->clk_enb_x_set = ((car->clk_enb_x_set & 0xFFFFBFFF) | 0x4000);
     
     /* Clear EMC and MC reset. */
-    car->rst_dev_h_set = 0x2000001; 
+    /* NOTE: [4.0.0+] This was changed to use the right register. */
+    /* car->rst_dev_h_set = 0x2000001; */
+    car->rst_dev_h_clr = 0x2000001; 
     udelay(5);
 
     mc_disable_ahb_redirect();

fusee/fusee-primary/src/mc.h

@@ -29,6 +29,23 @@
 #define MC_INTMASK                                              0x4
 #define MC_ERR_STATUS                                           0x8
 #define MC_ERR_ADR                                              0xc
+#define MC_SMMU_CONFIG                                          0x10
+#define MC_SMMU_TLB_CONFIG                                      0x14
+#define MC_SMMU_PTC_CONFIG                                      0x18
+#define MC_SMMU_PTB_ASID                                        0x1c
+#define MC_SMMU_PTB_DATA                                        0x20
+#define MC_SMMU_TLB_FLUSH                                       0x30
+#define MC_SMMU_PTC_FLUSH                                       0x34
+#define MC_SMMU_ASID_SECURITY                                   0x38
+#define MC_SMMU_AFI_ASID                                        0x238
+#define MC_SMMU_AVPC_ASID                                       0x23c
+#define MC_SMMU_TSEC_ASID                                       0x294
+#define MC_SMMU_PPCS1_ASID                                      0x298
+#define MC_SMMU_TRANSLATION_ENABLE_0                            0x228
+#define MC_SMMU_TRANSLATION_ENABLE_1                            0x22c
+#define MC_SMMU_TRANSLATION_ENABLE_2                            0x230
+#define MC_SMMU_TRANSLATION_ENABLE_3                            0x234
+#define MC_SMMU_TRANSLATION_ENABLE_4                            0xb98
 #define MC_PCFIFO_CLIENT_CONFIG0                                0xdd0
 #define MC_PCFIFO_CLIENT_CONFIG1                                0xdd4
 #define MC_PCFIFO_CLIENT_CONFIG2                                0xdd8
@@ -474,6 +491,103 @@
 #define MC_ERR_APB_ASID_UPDATE_STATUS                           0x9d0
 #define MC_DA_CONFIG0                                           0x9dc
 
+/* Memory Controller clients */
+#define CLIENT_ACCESS_NUM_CLIENTS   32
+typedef enum {
+    /* _ACCESS0 */
+    CSR_PTCR = (0 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0A = (1 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0AB = (2 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0B = (3 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0BB = (4 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0C = (5 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0CB = (6 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AFIR = (14 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AVPCARM7R = (15 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHC = (16 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHCB = (17 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HDAR = (21 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XDMAR = (22 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XR = (23 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_NVENCSRD = (28 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBDMAR = (29 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBSLVR = (30 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_SATAR = (31 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    
+    /* _ACCESS1 */
+    CSR_VDEBSEVR = (34 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMBER = (35 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMCER = (36 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDETPER = (37 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORELPR = (38 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORER = (39 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_NVENCSWR = (43 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AFIW = (49 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AVPCARM7W = (50 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HDAW = (53 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HOST1XW = (54 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCORELPW = (56 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCOREW = (57 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBDMAW = (59 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBSLVW = (60 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_SATAW = (61 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEBSEVW = (62 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEDBGW = (63 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    
+    /* _ACCESS2 */
+    CSW_VDEMBEW = (64 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_VDETPMW = (65 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRA = (68 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWA = (70 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWB = (71 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_HOSTR = (74 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_HOSTW = (75 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_DEVR = (76 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_DEVW = (77 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRAB = (78 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWAB = (80 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWBB = (81 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_TSECSRD = (84 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_TSECSWR = (85 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_A9AVPSCR = (86 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_A9AVPSCW = (87 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_GPUSRD = (88 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_GPUSWR = (89 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_DISPLAYT = (90 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    
+    /* _ACCESS3 */
+    CSR_SDMMCRA = (96 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAA = (97 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCR = (98 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAB = (99 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWA = (100 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAA = (101 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCW = (102 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAB = (103 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_VICSRD = (108 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VICSWR = (109 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VIW = (114 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_DISPLAYD = (115 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVDECSRD = (120 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVDECSWR = (121 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_APER = (122 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_APEW = (123 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVJPGSRD = (126 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVJPGSWR = (127 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    
+    /* _ACCESS4 */
+    CSR_SESRD = (128 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_SESWR = (129 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_AXIAPR = (130 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_AXIAPW = (131 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_ETRR = (132 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_ETRW = (133 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_TSECSRDB = (134 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_TSECSWRB = (135 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_GPUSRD2 = (136 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_GPUSWR2 = (137 - (CLIENT_ACCESS_NUM_CLIENTS * 4))
+} McClient;
+
 void mc_config_tsec_carveout(uint32_t bom, uint32_t size1mb, bool lock);
 void mc_config_carveout();
 void mc_config_carveout_finalize();

fusee/fusee-primary/src/timers.h

@@ -21,11 +21,15 @@
 
 #define TIMERS_BASE 0x60005000
 #define MAKE_TIMERS_REG(n) MAKE_REG32(TIMERS_BASE + n)
+
 #define TIMERUS_CNTR_1US_0 MAKE_TIMERS_REG(0x10)
 #define TIMERUS_USEC_CFG_0 MAKE_TIMERS_REG(0x14)
+#define SHARED_INTR_STATUS_0 MAKE_TIMERS_REG(0x1A0)
+#define SHARED_TIMER_SECURE_CFG_0 MAKE_TIMERS_REG(0x1A4)
 
 #define RTC_BASE 0x7000E000
 #define MAKE_RTC_REG(n) MAKE_REG32(RTC_BASE + n)
+
 #define RTC_SECONDS MAKE_RTC_REG(0x08)
 #define RTC_SHADOW_SECONDS MAKE_RTC_REG(0x0C)
 #define RTC_MILLI_SECONDS MAKE_RTC_REG(0x10)
@@ -39,7 +43,7 @@ typedef struct {
 
 #define GET_WDT(n) ((volatile watchdog_timers_t *)(TIMERS_BASE + 0x100 + 0x20 * n))
 #define WDT_REBOOT_PATTERN 0xC45A
-#define GET_WDT_REBOOT_CFG_REG(n) MAKE_TIMERS_REG(0x60 + 0x8 * n)
+#define GET_WDT_REBOOT_CFG_REG(n) MAKE_REG32(TIMERS_BASE + 0x60 + 0x8 * n)
 
 void wait(uint32_t microseconds);
 

fusee/fusee-primary/src/utils.c

@@ -59,21 +59,12 @@ __attribute__((noreturn)) void pmc_reboot(uint32_t scratch0) {
     }
 }
 
-__attribute__((noreturn)) void car_reboot(void) {
-    /* Reset the processor. */
-    car_get_regs()->rst_dev_l |= 1<<2;
-
-    while (true) {
-        /* Wait for reboot. */
-    }
-}
-
 __attribute__((noreturn)) void wait_for_button_and_reboot(void) {
     uint32_t button;
     while (true) {
         button = btn_read();
         if (button & BTN_POWER) {
-            car_reboot();
+            pmc_reboot(1 << 1);
         }
     }
 }

fusee/fusee-primary/src/utils.h

@@ -121,7 +121,6 @@ void hexdump(const void* data, size_t size, uintptr_t addrbase);
 
 __attribute__((noreturn)) void watchdog_reboot(void);
 __attribute__((noreturn)) void pmc_reboot(uint32_t scratch0);
-__attribute__((noreturn)) void car_reboot(void);
 __attribute__((noreturn)) void wait_for_button_and_reboot(void);
 
 __attribute__((noreturn)) void generic_panic(void);

fusee/fusee-secondary/Makefile

@@ -12,6 +12,13 @@ AMS		:= $(TOPDIR)/../../
 
 include $(DEVKITARM)/base_rules
 
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
 #---------------------------------------------------------------------------------
 # TARGET is the name of the output
 # BUILD is the directory where object files & intermediate files will be placed
@@ -29,7 +36,7 @@ INCLUDES	:=	include ../../common/include
 # options for code generation
 #---------------------------------------------------------------------------------
 ARCH	:=	-march=armv4t -mtune=arm7tdmi -marm
-DEFINES :=	-D__BPMP__ -DFUSEE_STAGE2_SRC
+DEFINES :=	-D__BPMP__ -DFUSEE_STAGE2_SRC -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
 
 CFLAGS	:= \
 	-g \

fusee/fusee-secondary/src/car.c

@@ -15,6 +15,7 @@
  */
  
 #include "car.h"
+#include "timers.h"
 #include "utils.h"
 
 static inline uint32_t get_clk_source_reg(CarDevice dev) {
@@ -121,7 +122,15 @@ void clkrst_disable(CarDevice dev) {
 
 void clkrst_reboot(CarDevice dev) {
     clkrst_disable(dev);
-    clkrst_enable(dev);
+    if (dev == CARDEVICE_KFUSE) {
+        /* Workaround for KFUSE clock. */
+        clk_enable(dev);
+        udelay(100);
+        rst_disable(dev);
+        udelay(200);
+    } else {
+        clkrst_enable(dev);
+    }
 }
 
 void clkrst_enable_fuse_regs(bool enable) {

fusee/fusee-secondary/src/cluster.c

@@ -22,6 +22,7 @@
 #include "sysreg.h"
 #include "i2c.h"
 #include "car.h"
+#include "mc.h"
 #include "timers.h"
 #include "pmc.h"
 #include "max77620.h"
@@ -141,6 +142,10 @@ void cluster_boot_cpu0(uint32_t entry)
     SB_CSR_0 = 2;
     (void)SB_CSR_0;
 
+    /* Set CPU_STRICT_TZ_APERTURE_CHECK. */
+    /* NOTE: [4.0.0+] This was added, but it breaks Exosphère. */
+    /* MAKE_MC_REG(MC_TZ_SECURITY_CTRL) = 1; */
+    
     /* Clear MSELECT reset. */
     car->rst_dev_v &= 0xFFFFFFF7;
     
@@ -148,5 +153,7 @@ void cluster_boot_cpu0(uint32_t entry)
     car->rst_cpug_cmplx_clr = 0x20000000;
     
     /* Clear CPU{0,1,2,3} POR and CORE, CX0, L2, and DBG reset.*/
-    car->rst_cpug_cmplx_clr = 0x411F000F;
+    /* NOTE: [5.0.0+] This was changed so only CPU0 reset is cleared. */
+    /* car->rst_cpug_cmplx_clr = 0x411F000F; */
+    car->rst_cpug_cmplx_clr = 0x41010001;
 }

fusee/fusee-secondary/src/exocfg.h

@@ -20,7 +20,9 @@
 /* This serves to set configuration for *exosphere itself*, separate from the SecMon Exosphere mimics. */
 
 /* "XBC0" */
-#define MAGIC_EXOSPHERE_BOOTCONFIG (0x30434258)
+#define MAGIC_EXOSPHERE_BOOTCONFIG_0 (0x30434258)
+/* "XBC1" */
+#define MAGIC_EXOSPHERE_BOOTCONFIG   (0x31434258)
 
 #define EXOSPHERE_TARGET_FIRMWARE_100 1
 #define EXOSPHERE_TARGET_FIRMWARE_200 2
@@ -28,17 +30,26 @@
 #define EXOSPHERE_TARGET_FIRMWARE_400 4
 #define EXOSPHERE_TARGET_FIRMWARE_500 5
 #define EXOSPHERE_TARGET_FIRMWARE_600 6
+#define EXOSPHERE_TARGET_FIRMWARE_620 7
 
 #define EXOSPHERE_TARGET_FIRMWARE_MIN EXOSPHERE_TARGET_FIRMWARE_100
-#define EXOSPHERE_TARGET_FIRMWARE_MAX EXOSPHERE_TARGET_FIRMWARE_600
+#define EXOSPHERE_TARGET_FIRMWARE_MAX EXOSPHERE_TARGET_FIRMWARE_620
+
+#define EXOSPHERE_FLAGS_DEFAULT 0x00000000
+#define EXOSPHERE_FLAG_PERFORM_620_KEYGEN (1 << 0u)
+#define EXOSPHERE_FLAG_IS_DEBUGMODE_PRIV  (1 << 1u)
+#define EXOSPHERE_FLAG_IS_DEBUGMODE_USER  (1 << 2u)
 
 typedef struct {
     unsigned int magic;
     unsigned int target_firmware;
+    unsigned int flags;
 } exosphere_config_t;
 
 #define MAILBOX_EXOSPHERE_CONFIGURATION ((volatile exosphere_config_t *)(0x40002E40))
 
 #define EXOSPHERE_TARGETFW_KEY "target_firmware"
+#define EXOSPHERE_DEBUGMODE_PRIV_KEY "debugmode"
+#define EXOSPHERE_DEBUGMODE_USER_KEY "debugmode_user"
 
 #endif

fusee/fusee-secondary/src/extkeys.c

@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include "extkeys.h"
+
+/**
+ * Reads a line from file f and parses out the key and value from it.
+ * The format of a line must match /^ *[A-Za-z0-9_] *[,=] *.+$/.
+ * If a line ends in \r, the final \r is stripped.
+ * The input file is assumed to have been opened with the 'b' flag.
+ * The input file is assumed to contain only ASCII.
+ *
+ * A line cannot exceed 512 bytes in length.
+ * Lines that are excessively long will be silently truncated.
+ *
+ * On success, *key and *value will be set to point to the key and value in
+ * the input line, respectively.
+ * *key and *value may also be NULL in case of empty lines.
+ * On failure, *key and *value will be set to NULL.
+ * End of file is considered failure.
+ *
+ * Because *key and *value will point to a static buffer, their contents must be
+ * copied before calling this function again.
+ * For the same reason, this function is not thread-safe.
+ *
+ * The key will be converted to lowercase.
+ * An empty key is considered a parse error, but an empty value is returned as
+ * success.
+ *
+ * This function assumes that the file can be trusted not to contain any NUL in
+ * the contents.
+ *
+ * Whitespace (' ', ASCII 0x20, as well as '\t', ASCII 0x09) at the beginning of
+ * the line, at the end of the line as well as around = (or ,) will be ignored.
+ *
+ * @param f the file to read
+ * @param key pointer to change to point to the key
+ * @param value pointer to change to point to the value
+ * @return 0 on success,
+ *         1 on end of file,
+ *         -1 on parse error (line too long, line malformed)
+ *         -2 on I/O error
+ */
+static int get_kv(FILE *f, char **key, char **value) {
+#define SKIP_SPACE(p)   do {\
+    for (; *p == ' ' || *p == '\t'; ++p)\
+        ;\
+} while(0);
+    static char line[1024];
+    char *k, *v, *p, *end;
+
+    *key = *value = NULL;
+
+    errno = 0;
+    if (fgets(line, (int)sizeof(line), f) == NULL) {
+        if (feof(f))
+            return 1;
+        else
+            return -2;
+    }
+    if (errno != 0)
+        return -2;
+
+    if (*line == '\n' || *line == '\r' || *line == '\0')
+        return 0;
+
+    /* Not finding \r or \n is not a problem.
+     * The line might just be exactly 512 characters long, we have no way to
+     * tell.
+     * Additionally, it's possible that the last line of a file is not actually
+     * a line (i.e., does not end in '\n'); we do want to handle those.
+     */
+    if ((p = strchr(line, '\r')) != NULL || (p = strchr(line, '\n')) != NULL) {
+        end = p;
+        *p = '\0';
+    } else {
+        end = line + strlen(line) + 1;
+    }
+
+    p = line;
+    SKIP_SPACE(p);
+    k = p;
+
+    /* Validate key and convert to lower case. */
+    for (; *p != ' ' && *p != ',' && *p != '\t' && *p != '='; ++p) {
+        if (*p == '\0')
+            return -1;
+
+        if (*p >= 'A' && *p <= 'Z') {
+            *p = 'a' + (*p - 'A');
+            continue;
+        }
+
+        if (*p != '_' &&
+                (*p < '0' || *p > '9') &&
+                (*p < 'a' || *p > 'z')) {
+            return -1;
+        }
+    }
+
+    /* Bail if the final ++p put us at the end of string */
+    if (*p == '\0')
+        return -1;
+
+    /* We should be at the end of key now and either whitespace or [,=]
+     * follows.
+     */
+    if (*p == '=' || *p == ',') {
+        *p++ = '\0';
+    } else {
+        *p++ = '\0';
+        SKIP_SPACE(p);
+        if (*p != '=' && *p != ',')
+            return -1;
+        *p++ = '\0';
+    }
+
+    /* Empty key is an error. */
+    if (*k == '\0')
+        return -1;
+
+    SKIP_SPACE(p);
+    v = p;
+
+    /* Skip trailing whitespace */
+    for (p = end - 1; *p == '\t' || *p == ' '; --p)
+        ;
+
+    *(p + 1) = '\0';
+
+    *key = k;
+    *value = v;
+
+    return 0;
+#undef SKIP_SPACE
+}
+
+static int ishex(char c) {
+    if ('a' <= c && c <= 'f') return 1;
+    if ('A' <= c && c <= 'F') return 1;
+    if ('0' <= c && c <= '9') return 1;
+    return 0;
+}
+
+static char hextoi(char c) {
+    if ('a' <= c && c <= 'f') return c - 'a' + 0xA;
+    if ('A' <= c && c <= 'F') return c - 'A' + 0xA;
+    if ('0' <= c && c <= '9') return c - '0';
+    return 0;
+}
+
+void parse_hex_key(unsigned char *key, const char *hex, unsigned int len) {
+    if (strlen(hex) != 2 * len) {
+        fatal_error("Key (%s) must be %x hex digits!\n", hex, 2 * len);
+    }
+
+    for (unsigned int i = 0; i < 2 * len; i++) {
+        if (!ishex(hex[i])) {
+            fatal_error("Key (%s) must be %x hex digits!\n", hex, 2 * len);
+        }
+    }
+
+    memset(key, 0, len);
+
+    for (unsigned int i = 0; i < 2 * len; i++) {
+        char val = hextoi(hex[i]);
+        if ((i & 1) == 0) {
+            val <<= 4;
+        }
+        key[i >> 1] |= val;
+    }
+}
+
+void extkeys_initialize_keyset(fusee_extkeys_t *keyset, FILE *f) {
+    char *key, *value;
+    int ret;
+    
+    while ((ret = get_kv(f, &key, &value)) != 1 && ret != -2) {
+        if (ret == 0) {
+            if (key == NULL || value == NULL) {
+                continue;
+            }
+            int matched_key = 0;
+            if (strcmp(key, "tsec_root_key") == 0 || strcmp(key, "tsec_root_key_00") == 0) {
+                parse_hex_key(keyset->tsec_root_key, value, sizeof(keyset->tsec_root_key));
+                matched_key = 1;
+            } else {
+                char test_name[0x100] = {0};
+                for (unsigned int i = 0; i < 0x20 && !matched_key; i++) { 
+                    snprintf(test_name, sizeof(test_name), "master_kek_%02x", i);
+                    if (strcmp(key, test_name) == 0) {
+                        parse_hex_key(keyset->master_keks[i], value, sizeof(keyset->master_keks[i]));
+                        matched_key = 1;
+                        break;
+                    }
+                }
+            }
+        }
+    }
+}

fusee/fusee-secondary/src/extkeys.h

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#ifndef FUSEE_EXTKEYS_H
+#define FUSEE_EXTKEYS_H
+
+#include <string.h>
+#include "utils.h"
+#include "masterkey.h"
+
+typedef struct {
+    unsigned char tsec_root_key[0x10];
+    unsigned char master_keks[0x20][0x10];
+} fusee_extkeys_t;
+
+void parse_hex_key(unsigned char *key, const char *hex, unsigned int len);
+void extkeys_initialize_keyset(fusee_extkeys_t *keyset, FILE *f);
+
+#endif

fusee/fusee-secondary/src/ips.c

@@ -33,6 +33,53 @@
 #define IPS32_MAGIC "IPS32"
 #define IPS32_TAIL "EEOF"
 
+#define NOGC_PATCH_DIR "default_nogc"
+static bool g_enable_nogc_patches = false;
+
+void kip_patches_set_enable_nogc(void) {
+    g_enable_nogc_patches = true;
+}
+
+static bool should_ignore_default_patch(const char *patch_dir) {
+    /* This function will ensure that select default patches only get loaded if enabled. */
+    if (!g_enable_nogc_patches && strcmp(patch_dir, NOGC_PATCH_DIR) == 0) {
+        return true;
+    }
+    
+    return false;
+}
+
+static bool has_patch(const char *dir, const char *subdir, const void *hash, size_t hash_size) {
+    char path[0x301] = {0};
+    int cur_len = 0;
+    cur_len += snprintf(path + cur_len, sizeof(path) - cur_len, "%s/", dir);
+    if (subdir != NULL) {
+        cur_len += snprintf(path + cur_len, sizeof(path) - cur_len, "%s/", subdir);
+    }
+    for (size_t i = 0; i < hash_size; i++) {
+         cur_len += snprintf(path + cur_len, sizeof(path) - cur_len, "%02X", ((const uint8_t *)hash)[i]);
+    }
+    cur_len += snprintf(path + cur_len, sizeof(path) - cur_len, ".ips");
+    if (cur_len >= sizeof(path)) {
+        return false;
+    }
+    
+    FILE *f = fopen(path, "rb");
+    if (f != NULL) {
+        fclose(f);
+        return true;
+    }
+    return false;
+}
+
+static bool has_needed_default_kip_patches(uint64_t title_id, const void *hash, size_t hash_size) {
+    if (title_id == 0x0100000000000000ULL && g_enable_nogc_patches) {
+        return has_patch("atmosphere/kip_patches", NOGC_PATCH_DIR, hash, hash_size);
+    }
+    
+    return true;
+}
+
 /* Applies an IPS/IPS32 patch to memory, disregarding writes to the first prot_size bytes. */
 static void apply_ips_patch(uint8_t *mem, size_t mem_size, size_t prot_size, bool is_ips32, FILE *f_ips) {
     uint8_t buffer[4];
@@ -156,6 +203,11 @@ static bool has_ips_patches(const char *dir, const void *hash, size_t hash_size)
             if (strcmp(pdir_ent->d_name, ".") == 0 || strcmp(pdir_ent->d_name, "..") == 0) {
                 continue;
             }
+            
+            if (should_ignore_default_patch(pdir_ent->d_name)) {
+                continue;
+            }
+            
             snprintf(path, sizeof(path) - 1, "%s/%s", dir, pdir_ent->d_name);
             DIR *patch_dir = opendir(path);
             struct dirent *ent;
@@ -165,6 +217,7 @@ static bool has_ips_patches(const char *dir, const void *hash, size_t hash_size)
                     if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) {
                         continue;
                     }
+                    
                     size_t name_len = strlen(ent->d_name);
                     if ((4 < name_len && name_len <= 0x44) && ((name_len & 1) == 0) && strcmp(ent->d_name + name_len - 4, ".ips") == 0 && name_matches_hash(ent->d_name, name_len, hash, hash_size)) {
                         snprintf(path, sizeof(path) - 1, "%s/%s/%s", dir, pdir_ent->d_name, ent->d_name);
@@ -200,6 +253,11 @@ static void apply_ips_patches(const char *dir, void *mem, size_t mem_size, size_
             if (strcmp(pdir_ent->d_name, ".") == 0 || strcmp(pdir_ent->d_name, "..") == 0) {
                 continue;
             }
+            
+            if (should_ignore_default_patch(pdir_ent->d_name)) {
+                continue;
+            }
+            
             snprintf(path, sizeof(path) - 1, "%s/%s", dir, pdir_ent->d_name);
             DIR *patch_dir = opendir(path);
             struct dirent *ent;
@@ -209,6 +267,7 @@ static void apply_ips_patches(const char *dir, void *mem, size_t mem_size, size_
                     if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) {
                         continue;
                     }
+                    
                     size_t name_len = strlen(ent->d_name);
                     if ((4 < name_len && name_len <= 0x44) && ((name_len & 1) == 0) && strcmp(ent->d_name + name_len - 4, ".ips") == 0 && name_matches_hash(ent->d_name, name_len, hash, hash_size)) {
                         snprintf(path, sizeof(path) - 1, "%s/%s/%s", dir, pdir_ent->d_name, ent->d_name);
@@ -316,7 +375,11 @@ static kip1_header_t *kip1_uncompress(kip1_header_t *kip, size_t *size) {
 kip1_header_t *apply_kip_ips_patches(kip1_header_t *kip, size_t kip_size) {
     uint8_t hash[0x20];
     se_calculate_sha256(hash, kip, kip_size);
-        
+    
+    if (!has_needed_default_kip_patches(kip->title_id, hash, sizeof(hash))) {
+        fatal_error("[NXBOOT]: Missing default patch for KIP %08x%08x...\n", (uint32_t)(kip->title_id >> 32), (uint32_t)kip->title_id);
+    }
+            
     if (!has_ips_patches("atmosphere/kip_patches", hash, sizeof(hash))) {
         return NULL;
     }

fusee/fusee-secondary/src/ips.h

@@ -24,4 +24,6 @@
 void apply_kernel_ips_patches(void *kernel, size_t kernel_size);
 kip1_header_t *apply_kip_ips_patches(kip1_header_t *kip, size_t kip_size);
 
+void kip_patches_set_enable_nogc(void);
+
 #endif

fusee/fusee-secondary/src/kernel_patches.c

@@ -442,6 +442,11 @@ static const kernel_hook_t g_kernel_hooks_600[] = {
 
 /* Kernel Infos. */
 static const kernel_info_t g_kernel_infos[] = {
+    {   /* 1.0.0-7. */
+        .hash = {0x64, 0x44, 0x07, 0x2F, 0x56, 0x44, 0x73, 0xDD, 0xD5, 0x46, 0x1B, 0x8C, 0xDC, 0xEF, 0x54, 0x98, 0x16, 0xDA, 0x81, 0xDE, 0x5B, 0x1C, 0x9D, 0xD7, 0x5A, 0x13, 0x91, 0xD9, 0x53, 0xAB, 0x8D, 0x8D},
+        .free_code_space_offset = 0x4797C,
+        KERNEL_HOOKS(100)
+    },
     {   /* 1.0.0. */
         .hash = {0xB8, 0xC5, 0x0C, 0x68, 0x25, 0xA9, 0xB9, 0x5B, 0xD2, 0x4D, 0x2C, 0x7C, 0x81, 0x7F, 0xE6, 0x96, 0xF2, 0x42, 0x4E, 0x1D, 0x78, 0xDF, 0x3B, 0xCA, 0x3D, 0x6B, 0x68, 0x12, 0xDD, 0xA9, 0xCB, 0x9C},
         .free_code_space_offset = 0x4797C,

fusee/fusee-secondary/src/key_derivation.c

@@ -13,13 +13,14 @@
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
- 
+
+#include <stdio.h>
 #include "key_derivation.h"
 #include "masterkey.h"
 #include "se.h"
 #include "exocfg.h"
 #include "fuse.h"
-#include "tsec.h"
+#include "extkeys.h"
 #include "utils.h"
 
 #define AL16 ALIGN(16)
@@ -53,11 +54,11 @@ static const uint8_t AL16 masterkey_4x_seed[0x10] = {
     0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66
 };
 
-static nx_dec_keyblob_t AL16 g_dec_keyblobs[32];
+static const uint8_t AL16 new_master_kek_seeds[1][0x10] = {
+    {0x37, 0x4B, 0x77, 0x29, 0x59, 0xB4, 0x04, 0x30, 0x81, 0xF6, 0xE5, 0x8C, 0x6D, 0x36, 0x17, 0x9A}, /* MasterKek seed 06. */
+};
 
-static int get_tsec_key(void *dst, const void *tsec_fw, size_t tsec_fw_size, uint32_t tsec_key_id) {
-    return tsec_get_key(dst, tsec_key_id, tsec_fw);
-}
+static nx_dec_keyblob_t AL16 g_dec_keyblobs[32];
 
 static int get_keyblob(nx_keyblob_t *dst, uint32_t revision, const nx_keyblob_t *keyblobs, uint32_t available_revision) {
     if (revision >= 0x20) {
@@ -108,44 +109,85 @@ static int decrypt_keyblob(const nx_keyblob_t *keyblobs, uint32_t revision, uint
 }
 
 int load_package1_key(uint32_t revision) {
-    if (revision > MASTERKEY_REVISION_600_CURRENT) {
+    if (revision > MASTERKEY_REVISION_600_610) {
         return -1;
     }
     
-    set_aes_keyslot(0xB, g_dec_keyblobs[revision].keys[8], 0x10);
+    set_aes_keyslot(0xB, g_dec_keyblobs[revision].package1_key, 0x10);
     return 0;
 }
 
 /* Derive all Switch keys. */
-int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_fw, size_t tsec_fw_size) {
+int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_key, void *tsec_root_key, unsigned int *out_keygen_type) {
     uint8_t AL16 work_buffer[0x10];
+    uint8_t AL16 zeroes[0x10] = {0};
+    
+    /* Initialize keygen type. */
+    *out_keygen_type = 0;
 
     /* TODO: Set keyslot flags properly in preparation of derivation. */
     set_aes_keyslot_flags(0xE, 0x15);
     set_aes_keyslot_flags(0xD, 0x15);
-
-    /* Set TSEC key. */
-    if  (get_tsec_key(work_buffer, tsec_fw, tsec_fw_size, 1) != 0) {
-        return -1;
-    }
-    set_aes_keyslot(0xD, work_buffer, 0x10);
     
+    /* Set the TSEC key. */
+    set_aes_keyslot(0xD, tsec_key, 0x10);
+        
     /* Decrypt all keyblobs, setting keyslot 0xF correctly. */
-    for (unsigned int rev = 0; rev < MASTERKEY_REVISION_MAX; rev++) {
+    for (unsigned int rev = 0; rev <= MASTERKEY_REVISION_600_610; rev++) {
         int ret = decrypt_keyblob(keyblobs, rev, available_revision);
         if (ret) {
             return ret;
         }
     }
 
+    /* Do 6.2.0+ keygen. */
+    if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
+        if (memcmp(tsec_root_key, zeroes, 0x10) != 0) {
+            /* We got a valid key from emulation. */
+            set_aes_keyslot(0xC, tsec_root_key, 0x10);
+            for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
+                se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
+                memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
+            }
+        } else {
+            /* Try reading the keys from a file. */
+            const char *keyfile = fuse_get_retail_type() != 0 ? "atmosphere/prod.keys" : "atmosphere/dev.keys";
+            FILE *extkey_file = fopen(keyfile, "r");
+            AL16 fusee_extkeys_t extkeys = {0};
+            if (extkey_file == NULL) {
+                fatal_error("Error: failed to read %s, needed for 6.2.0+ key derivation!", keyfile);
+            }
+            extkeys_initialize_keyset(&extkeys, extkey_file);
+            fclose(extkey_file);
+        
+            if (memcmp(extkeys.tsec_root_key, zeroes, 0x10) != 0) {
+                set_aes_keyslot(0xC, extkeys.tsec_root_key, 0x10);
+                for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
+                    se_aes_ecb_decrypt_block(0xC, work_buffer, 0x10, new_master_kek_seeds[rev - MASTERKEY_REVISION_620_CURRENT], 0x10);
+                    memcpy(g_dec_keyblobs[rev].master_kek, work_buffer, 0x10);
+                }
+            } else {
+                for (unsigned int rev = MASTERKEY_REVISION_620_CURRENT; rev < MASTERKEY_REVISION_MAX; rev++) {
+                    memcpy(g_dec_keyblobs[rev].master_kek, extkeys.master_keks[rev], 0x10);
+                }
+            }
+        }
+        
+        if (memcmp(g_dec_keyblobs[available_revision].master_kek, zeroes, 0x10) == 0) {
+            fatal_error("Error: failed to derive master_kek_%02x!", available_revision);
+        }
+    }
+    
     /* Clear the SBK. */
     clear_aes_keyslot(0xE);
 
     /* Get needed data. */
-    set_aes_keyslot(0xC, g_dec_keyblobs[MASTERKEY_REVISION_600_CURRENT].keys[0], 0x10);
+    set_aes_keyslot(0xC, g_dec_keyblobs[available_revision].master_kek, 0x10);
 
     /* Also set the Package1 key for the revision that is stored on the eMMC boot0 partition. */
-    load_package1_key(available_revision);
+    if (target_firmware < EXOSPHERE_TARGET_FIRMWARE_620) {
+        load_package1_key(available_revision);
+    }
 
     /* Derive keys for Exosphere, lock critical keyslots. */
     switch (target_firmware) {
@@ -163,6 +205,7 @@ int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, ui
             break;
         case EXOSPHERE_TARGET_FIRMWARE_500:
         case EXOSPHERE_TARGET_FIRMWARE_600:
+        case EXOSPHERE_TARGET_FIRMWARE_620:
             decrypt_data_into_keyslot(0xA, 0xF, devicekey_4x_seed, 0x10);
             decrypt_data_into_keyslot(0xF, 0xF, devicekey_seed, 0x10);
             decrypt_data_into_keyslot(0xE, 0xC, masterkey_4x_seed, 0x10);

fusee/fusee-secondary/src/key_derivation.h

@@ -28,7 +28,14 @@ typedef enum BisPartition {
 } BisPartition;
 
 typedef struct {
-    uint8_t keys[9][0x10];
+    union {
+        uint8_t keys[9][0x10];
+        struct {
+            uint8_t master_kek[0x10];
+            uint8_t _keys[7][0x10];
+            uint8_t package1_key[0x10];
+        };
+    };
 } nx_dec_keyblob_t;
 
 typedef struct nx_keyblob_t {
@@ -40,7 +47,7 @@ typedef struct nx_keyblob_t {
     };
 } nx_keyblob_t;
 
-int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_fw, size_t tsec_fw_size);
+int derive_nx_keydata(uint32_t target_firmware, const nx_keyblob_t *keyblobs, uint32_t available_revision, const void *tsec_key, void *tsec_root_key, unsigned int *out_keygen_type);
 int load_package1_key(uint32_t revision);
 void finalize_nx_keydata(uint32_t target_firmware);
 void derive_bis_key(void *dst, BisPartition partition_id, uint32_t target_firmware);

fusee/fusee-secondary/src/main.c

@@ -26,6 +26,7 @@
 #include "loader.h"
 #include "chainloader.h"
 #include "stage2.h"
+#include "mtc.h"
 #include "nxboot.h"
 #include "console.h"
 #include "fs_utils.h"
@@ -52,6 +53,9 @@ static void setup_env(void) {
     if (nxfs_mount_all() < 0) {
         fatal_error("Failed to mount at least one parition: %s\n", strerror(errno));
     }
+    
+    /* Train DRAM. */
+    train_dram();
 }
 
 static void cleanup_env(void) {

fusee/fusee-secondary/src/masterkey.c

@@ -26,7 +26,6 @@ static unsigned int g_mkey_revision = 0;
 static bool g_determined_mkey_revision = false;
 
 static uint8_t g_old_masterkeys[MASTERKEY_REVISION_MAX][0x10];
-static uint8_t g_old_devicekeys[MASTERKEY_NUM_NEW_DEVICE_KEYS - 1][0x10];
 
 /* TODO: Extend with new vectors, as needed. */
 /* Dev unit keys. */
@@ -38,6 +37,7 @@ static const uint8_t mkey_vectors_dev[MASTERKEY_REVISION_MAX][0x10] =
     {0x2C, 0xCA, 0x9C, 0x31, 0x1E, 0x07, 0xB0, 0x02, 0x97, 0x0A, 0xD8, 0x03, 0xA2, 0x76, 0x3F, 0xA3}, /* Master key 02 encrypted with Master key 03. */
     {0x9B, 0x84, 0x76, 0x14, 0x72, 0x94, 0x52, 0xCB, 0x54, 0x92, 0x9B, 0xC4, 0x8C, 0x5B, 0x0F, 0xBA}, /* Master key 03 encrypted with Master key 04. */
     {0x78, 0xD5, 0xF1, 0x20, 0x3D, 0x16, 0xE9, 0x30, 0x32, 0x27, 0x34, 0x6F, 0xCF, 0xE0, 0x27, 0xDC}, /* Master key 04 encrypted with Master key 05. */
+    {0x6F, 0xD2, 0x84, 0x1D, 0x05, 0xEC, 0x40, 0x94, 0x5F, 0x18, 0xB3, 0x81, 0x09, 0x98, 0x8D, 0x4E}, /* Master key 05 encrypted with Master key 06. */
 };
 
 /* Retail unit keys. */
@@ -49,6 +49,7 @@ static const uint8_t mkey_vectors[MASTERKEY_REVISION_MAX][0x10] =
     {0x0A, 0x0D, 0xDF, 0x34, 0x22, 0x06, 0x6C, 0xA4, 0xE6, 0xB1, 0xEC, 0x71, 0x85, 0xCA, 0x4E, 0x07}, /* Master key 02 encrypted with Master key 03. */
     {0x6E, 0x7D, 0x2D, 0xC3, 0x0F, 0x59, 0xC8, 0xFA, 0x87, 0xA8, 0x2E, 0xD5, 0x89, 0x5E, 0xF3, 0xE9}, /* Master key 03 encrypted with Master key 04. */
     {0xEB, 0xF5, 0x6F, 0x83, 0x61, 0x9E, 0xF8, 0xFA, 0xE0, 0x87, 0xD7, 0xA1, 0x4E, 0x25, 0x36, 0xEE}, /* Master key 04 encrypted with Master key 05. */
+    {0x1E, 0x1E, 0x22, 0xC0, 0x5A, 0x33, 0x3C, 0xB9, 0x0B, 0xA9, 0x03, 0x04, 0xBA, 0xDB, 0x07, 0x57}, /* Master key 05 encrypted with Master key 06. */
 };
 
 static bool check_mkey_revision(unsigned int revision, bool is_retail) {
@@ -119,33 +120,3 @@ unsigned int mkey_get_keyslot(unsigned int revision) {
         return KEYSLOT_SWITCH_TEMPKEY;
     }
 }
-
-void set_old_devkey(unsigned int revision, const uint8_t *key) {
-    if (revision < MASTERKEY_REVISION_400_410 || MASTERKEY_REVISION_600_CURRENT <= revision) {
-        generic_panic();
-    }
-
-    memcpy(g_old_devicekeys[revision - MASTERKEY_REVISION_400_410], key, 0x10);
-}
-
-unsigned int devkey_get_keyslot(unsigned int revision) {
-    if (!g_determined_mkey_revision || revision >= MASTERKEY_REVISION_MAX) {
-        generic_panic();
-    }
-
-    if (revision > g_mkey_revision) {
-        generic_panic();
-    }
-
-    if (revision >= 1) {
-        if (revision == MASTERKEY_REVISION_600_CURRENT) {
-            return KEYSLOT_SWITCH_DEVICEKEY;
-        } else {
-            /* Load into a temp keyslot. */
-            set_aes_keyslot(KEYSLOT_SWITCH_TEMPKEY, g_old_devicekeys[revision - MASTERKEY_REVISION_400_410], 0x10);
-            return KEYSLOT_SWITCH_TEMPKEY;
-        }
-    } else {
-        return KEYSLOT_SWITCH_4XOLDDEVICEKEY;
-    }
-}

fusee/fusee-secondary/src/masterkey.h

@@ -19,15 +19,16 @@
 
 /* This is glue code to enable master key support across versions. */
 
-/* TODO: Update to 0x7 on release of new master key. */
-#define MASTERKEY_REVISION_MAX 0x6
+/* TODO: Update to 0x8 on release of new master key. */
+#define MASTERKEY_REVISION_MAX 0x7
 
 #define MASTERKEY_REVISION_100_230     0x00
 #define MASTERKEY_REVISION_300         0x01
 #define MASTERKEY_REVISION_301_302     0x02
 #define MASTERKEY_REVISION_400_410     0x03
 #define MASTERKEY_REVISION_500_510     0x04
-#define MASTERKEY_REVISION_600_CURRENT 0x05
+#define MASTERKEY_REVISION_600_610     0x05
+#define MASTERKEY_REVISION_620_CURRENT 0x06
 
 #define MASTERKEY_NUM_NEW_DEVICE_KEYS (MASTERKEY_REVISION_MAX - MASTERKEY_REVISION_400_410)
 

fusee/fusee-secondary/src/mc.c

@@ -31,6 +31,7 @@ void mc_config_tsec_carveout(uint32_t bom, uint32_t size1mb, bool lock)
 void mc_config_carveout()
 {
     *(volatile uint32_t *)0x8005FFFC = 0xC0EDBBCC;
+    
     MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_0) = 1;
     MAKE_MC_REG(MC_VIDEO_PROTECT_GPU_OVERRIDE_1) = 0;
     MAKE_MC_REG(MC_VIDEO_PROTECT_BOM) = 0;
@@ -43,6 +44,7 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_MTS_CARVEOUT_SIZE_MB) = 0;
     MAKE_MC_REG(MC_MTS_CARVEOUT_ADR_HI) = 0;
     MAKE_MC_REG(MC_MTS_CARVEOUT_REG_CTRL) = 1;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT1_SIZE_128KB) = 0;
@@ -63,15 +65,16 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_SIZE_128KB) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS1) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2) = 0x3000000;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS2) = (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS3) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4) = 0x300;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_ACCESS4) = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS1) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS2) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS3) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CLIENT_FORCE_INTERNAL_ACCESS4) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT3_CFG0) = 0x4401E7E;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_SIZE_128KB) = 0;
@@ -86,6 +89,7 @@ void mc_config_carveout()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS3) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CLIENT_FORCE_INTERNAL_ACCESS4) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT4_CFG0) = 0x8F;
+    
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_BOM) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_BOM_HI) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT5_SIZE_128KB) = 0;
@@ -109,9 +113,9 @@ void mc_config_carveout_finalize()
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_SIZE_128KB) = 2;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS1) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = 0x3000000;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS2) = (BIT(CSR_GPUSRD) | BIT(CSW_GPUSWR));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS3) = 0;
-    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = 0x300;
+    MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_ACCESS4) = (BIT(CSR_GPUSRD2) | BIT(CSW_GPUSWR2));
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS0) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS1) = 0;
     MAKE_MC_REG(MC_SECURITY_CARVEOUT2_CLIENT_FORCE_INTERNAL_ACCESS2) = 0;

fusee/fusee-secondary/src/mc.h

@@ -29,6 +29,23 @@
 #define MC_INTMASK                                              0x4
 #define MC_ERR_STATUS                                           0x8
 #define MC_ERR_ADR                                              0xc
+#define MC_SMMU_CONFIG                                          0x10
+#define MC_SMMU_TLB_CONFIG                                      0x14
+#define MC_SMMU_PTC_CONFIG                                      0x18
+#define MC_SMMU_PTB_ASID                                        0x1c
+#define MC_SMMU_PTB_DATA                                        0x20
+#define MC_SMMU_TLB_FLUSH                                       0x30
+#define MC_SMMU_PTC_FLUSH                                       0x34
+#define MC_SMMU_ASID_SECURITY                                   0x38
+#define MC_SMMU_AFI_ASID                                        0x238
+#define MC_SMMU_AVPC_ASID                                       0x23c
+#define MC_SMMU_TSEC_ASID                                       0x294
+#define MC_SMMU_PPCS1_ASID                                      0x298
+#define MC_SMMU_TRANSLATION_ENABLE_0                            0x228
+#define MC_SMMU_TRANSLATION_ENABLE_1                            0x22c
+#define MC_SMMU_TRANSLATION_ENABLE_2                            0x230
+#define MC_SMMU_TRANSLATION_ENABLE_3                            0x234
+#define MC_SMMU_TRANSLATION_ENABLE_4                            0xb98
 #define MC_PCFIFO_CLIENT_CONFIG0                                0xdd0
 #define MC_PCFIFO_CLIENT_CONFIG1                                0xdd4
 #define MC_PCFIFO_CLIENT_CONFIG2                                0xdd8
@@ -474,6 +491,103 @@
 #define MC_ERR_APB_ASID_UPDATE_STATUS                           0x9d0
 #define MC_DA_CONFIG0                                           0x9dc
 
+/* Memory Controller clients */
+#define CLIENT_ACCESS_NUM_CLIENTS   32
+typedef enum {
+    /* _ACCESS0 */
+    CSR_PTCR = (0 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0A = (1 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0AB = (2 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0B = (3 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0BB = (4 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0C = (5 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAY0CB = (6 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AFIR = (14 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_AVPCARM7R = (15 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHC = (16 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_DISPLAYHCB = (17 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HDAR = (21 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XDMAR = (22 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_HOST1XR = (23 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_NVENCSRD = (28 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBDMAR = (29 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_PPCSAHBSLVR = (30 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    CSR_SATAR = (31 - (CLIENT_ACCESS_NUM_CLIENTS * 0)),
+    
+    /* _ACCESS1 */
+    CSR_VDEBSEVR = (34 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMBER = (35 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDEMCER = (36 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_VDETPER = (37 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORELPR = (38 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSR_MPCORER = (39 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_NVENCSWR = (43 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AFIW = (49 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_AVPCARM7W = (50 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HDAW = (53 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_HOST1XW = (54 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCORELPW = (56 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_MPCOREW = (57 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBDMAW = (59 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_PPCSAHBSLVW = (60 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_SATAW = (61 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEBSEVW = (62 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    CSW_VDEDBGW = (63 - (CLIENT_ACCESS_NUM_CLIENTS * 1)),
+    
+    /* _ACCESS2 */
+    CSW_VDEMBEW = (64 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_VDETPMW = (65 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRA = (68 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWA = (70 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWB = (71 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_HOSTR = (74 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_HOSTW = (75 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_XUSB_DEVR = (76 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_XUSB_DEVW = (77 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_ISPRAB = (78 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWAB = (80 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_ISPWBB = (81 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_TSECSRD = (84 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_TSECSWR = (85 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_A9AVPSCR = (86 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_A9AVPSCW = (87 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_GPUSRD = (88 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSW_GPUSWR = (89 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    CSR_DISPLAYT = (90 - (CLIENT_ACCESS_NUM_CLIENTS * 2)),
+    
+    /* _ACCESS3 */
+    CSR_SDMMCRA = (96 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAA = (97 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCR = (98 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_SDMMCRAB = (99 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWA = (100 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAA = (101 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCW = (102 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_SDMMCWAB = (103 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_VICSRD = (108 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VICSWR = (109 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_VIW = (114 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_DISPLAYD = (115 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVDECSRD = (120 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVDECSWR = (121 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_APER = (122 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_APEW = (123 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSR_NVJPGSRD = (126 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    CSW_NVJPGSWR = (127 - (CLIENT_ACCESS_NUM_CLIENTS * 3)),
+    
+    /* _ACCESS4 */
+    CSR_SESRD = (128 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_SESWR = (129 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_AXIAPR = (130 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_AXIAPW = (131 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_ETRR = (132 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_ETRW = (133 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_TSECSRDB = (134 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_TSECSWRB = (135 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSR_GPUSRD2 = (136 - (CLIENT_ACCESS_NUM_CLIENTS * 4)),
+    CSW_GPUSWR2 = (137 - (CLIENT_ACCESS_NUM_CLIENTS * 4))
+} McClient;
+
 void mc_config_tsec_carveout(uint32_t bom, uint32_t size1mb, bool lock);
 void mc_config_carveout();
 void mc_config_carveout_finalize();

fusee/fusee-secondary/src/mtc.h

@@ -0,0 +1,759 @@
+/*
+ * Copyright (c) 2015, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2018 CTCaer  <ctcaer@gmail.com>
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef FUSEE_MTC_H_
+#define FUSEE_MTC_H_
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include "emc.h"
+#include "mc.h"
+
+#define MTC_TABLES_MAX_ENTRIES      10
+#define MAX_PLL_CFGS                14
+
+#define DVFS_FGCG_HIGH_SPEED_THRESHOLD              1000
+#define IOBRICK_DCC_THRESHOLD                   2400
+#define DVFS_FGCG_MID_SPEED_THRESHOLD               600
+
+#define TEGRA21_MAX_TABLE_ID_LEN                50
+#define TEGRA_EMC_ISO_USE_FREQ_MAX_NUM              12
+#define PLL_C_DIRECT_FLOOR                  333500000
+#define EMC_STATUS_UPDATE_TIMEOUT               1000
+#define TEGRA_EMC_DEFAULT_CLK_LATENCY_US    2000
+
+#define TEGRA_EMC_MODE_REG_17                   0x00110000
+#define TEGRA_EMC_MRW_DEV_SHIFT                 30
+#define TEGRA_EMC_MRW_DEV1                  2
+#define TEGRA_EMC_MRW_DEV2                  1
+
+#define EMC_CLK_EMC_2X_CLK_SRC_SHIFT                29
+#define EMC_CLK_EMC_2X_CLK_SRC_MASK             \
+    (0x7 << EMC_CLK_EMC_2X_CLK_SRC_SHIFT)
+#define EMC_CLK_EMC_2X_CLK_DIVISOR_SHIFT            0
+#define EMC_CLK_EMC_2X_CLK_DIVISOR_MASK             \
+    (0xff << EMC_CLK_EMC_2X_CLK_DIVISOR_SHIFT)
+
+enum {
+    REG_MC,
+    REG_EMC,
+    REG_EMC0,
+    REG_EMC1,
+};
+
+#define BURST_REGS_PER_CH_LIST                      \
+{                                   \
+    DEFINE_REG(REG_EMC0, EMC_MRW10),                \
+    DEFINE_REG(REG_EMC1, EMC_MRW10),                \
+    DEFINE_REG(REG_EMC0, EMC_MRW11),                \
+    DEFINE_REG(REG_EMC1, EMC_MRW11),                \
+    DEFINE_REG(REG_EMC0, EMC_MRW12),                \
+    DEFINE_REG(REG_EMC1, EMC_MRW12),                \
+    DEFINE_REG(REG_EMC0, EMC_MRW13),                \
+    DEFINE_REG(REG_EMC1, EMC_MRW13),                \
+}
+
+#define BURST_REGS_LIST                         \
+{                                   \
+    DEFINE_REG(REG_EMC, EMC_RC),                    \
+    DEFINE_REG(REG_EMC, EMC_RFC),                   \
+    DEFINE_REG(REG_EMC, EMC_RFCPB),                 \
+    DEFINE_REG(REG_EMC, EMC_REFCTRL2),              \
+    DEFINE_REG(REG_EMC, EMC_RFC_SLR),               \
+    DEFINE_REG(REG_EMC, EMC_RAS),                   \
+    DEFINE_REG(REG_EMC, EMC_RP),                    \
+    DEFINE_REG(REG_EMC, EMC_R2W),                   \
+    DEFINE_REG(REG_EMC, EMC_W2R),                   \
+    DEFINE_REG(REG_EMC, EMC_R2P),                   \
+    DEFINE_REG(REG_EMC, EMC_W2P),                   \
+    DEFINE_REG(REG_EMC, EMC_R2R),                   \
+    DEFINE_REG(REG_EMC, EMC_TPPD),                  \
+    DEFINE_REG(REG_EMC, EMC_CCDMW),                 \
+    DEFINE_REG(REG_EMC, EMC_RD_RCD),                \
+    DEFINE_REG(REG_EMC, EMC_WR_RCD),                \
+    DEFINE_REG(REG_EMC, EMC_RRD),                   \
+    DEFINE_REG(REG_EMC, EMC_REXT),                  \
+    DEFINE_REG(REG_EMC, EMC_WEXT),                  \
+    DEFINE_REG(REG_EMC, EMC_WDV_CHK),               \
+    DEFINE_REG(REG_EMC, EMC_WDV),                   \
+    DEFINE_REG(REG_EMC, EMC_WSV),                   \
+    DEFINE_REG(REG_EMC, EMC_WEV),                   \
+    DEFINE_REG(REG_EMC, EMC_WDV_MASK),              \
+    DEFINE_REG(REG_EMC, EMC_WS_DURATION),               \
+    DEFINE_REG(REG_EMC, EMC_WE_DURATION),               \
+    DEFINE_REG(REG_EMC, EMC_QUSE),                  \
+    DEFINE_REG(REG_EMC, EMC_QUSE_WIDTH),                \
+    DEFINE_REG(REG_EMC, EMC_IBDLY),                 \
+    DEFINE_REG(REG_EMC, EMC_OBDLY),                 \
+    DEFINE_REG(REG_EMC, EMC_EINPUT),                \
+    DEFINE_REG(REG_EMC, EMC_MRW6),                  \
+    DEFINE_REG(REG_EMC, EMC_EINPUT_DURATION),           \
+    DEFINE_REG(REG_EMC, EMC_PUTERM_EXTRA),              \
+    DEFINE_REG(REG_EMC, EMC_PUTERM_WIDTH),              \
+    DEFINE_REG(REG_EMC, EMC_QRST),                  \
+    DEFINE_REG(REG_EMC, EMC_QSAFE),                 \
+    DEFINE_REG(REG_EMC, EMC_RDV),                   \
+    DEFINE_REG(REG_EMC, EMC_RDV_MASK),              \
+    DEFINE_REG(REG_EMC, EMC_RDV_EARLY),             \
+    DEFINE_REG(REG_EMC, EMC_RDV_EARLY_MASK),            \
+    DEFINE_REG(REG_EMC, EMC_REFRESH),               \
+    DEFINE_REG(REG_EMC, EMC_BURST_REFRESH_NUM),         \
+    DEFINE_REG(REG_EMC, EMC_PRE_REFRESH_REQ_CNT),           \
+    DEFINE_REG(REG_EMC, EMC_PDEX2WR),               \
+    DEFINE_REG(REG_EMC, EMC_PDEX2RD),               \
+    DEFINE_REG(REG_EMC, EMC_PCHG2PDEN),             \
+    DEFINE_REG(REG_EMC, EMC_ACT2PDEN),              \
+    DEFINE_REG(REG_EMC, EMC_AR2PDEN),               \
+    DEFINE_REG(REG_EMC, EMC_RW2PDEN),               \
+    DEFINE_REG(REG_EMC, EMC_CKE2PDEN),              \
+    DEFINE_REG(REG_EMC, EMC_PDEX2CKE),              \
+    DEFINE_REG(REG_EMC, EMC_PDEX2MRR),              \
+    DEFINE_REG(REG_EMC, EMC_TXSR),                  \
+    DEFINE_REG(REG_EMC, EMC_TXSRDLL),               \
+    DEFINE_REG(REG_EMC, EMC_TCKE),                  \
+    DEFINE_REG(REG_EMC, EMC_TCKESR),                \
+    DEFINE_REG(REG_EMC, EMC_TPD),                   \
+    DEFINE_REG(REG_EMC, EMC_TFAW),                  \
+    DEFINE_REG(REG_EMC, EMC_TRPAB),                 \
+    DEFINE_REG(REG_EMC, EMC_TCLKSTABLE),                \
+    DEFINE_REG(REG_EMC, EMC_TCLKSTOP),              \
+    DEFINE_REG(REG_EMC, EMC_MRW7),                  \
+    DEFINE_REG(REG_EMC, EMC_TREFBW),                \
+    DEFINE_REG(REG_EMC, EMC_ODT_WRITE),             \
+    DEFINE_REG(REG_EMC, EMC_FBIO_CFG5),             \
+    DEFINE_REG(REG_EMC, EMC_FBIO_CFG7),             \
+    DEFINE_REG(REG_EMC, EMC_CFG_DIG_DLL),               \
+    DEFINE_REG(REG_EMC, EMC_CFG_DIG_DLL_PERIOD),            \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_RXRT),            \
+    DEFINE_REG(REG_EMC, EMC_CFG_PIPE_1),                \
+    DEFINE_REG(REG_EMC, EMC_CFG_PIPE_2),                \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_4),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_5),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_4),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_5),      \
+    DEFINE_REG(REG_EMC, EMC_MRW8),                  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_4),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_5),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_0),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_1),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_2),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_3),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_4),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK0_5),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_0),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_1),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_2),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_3),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_4),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQS_RANK1_5),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_LONG_CMD_0),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_LONG_CMD_1),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_LONG_CMD_2),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_LONG_CMD_3),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_LONG_CMD_4),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_SHORT_CMD_0),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_SHORT_CMD_1),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_SHORT_CMD_2),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE0_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE1_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE2_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE3_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE4_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE5_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE6_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE7_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD0_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD1_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD2_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD3_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE0_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE1_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE2_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE3_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE4_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE5_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE6_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE7_3), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD0_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD0_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD0_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD0_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD1_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD1_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD1_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD1_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD2_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD2_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD2_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD2_3),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD3_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD3_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD3_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_CMD3_3),  \
+    DEFINE_REG(REG_EMC, EMC_TXDSRVTTGEN),               \
+    DEFINE_REG(REG_EMC, EMC_FDPD_CTRL_DQ),              \
+    DEFINE_REG(REG_EMC, EMC_FDPD_CTRL_CMD),             \
+    DEFINE_REG(REG_EMC, EMC_FBIO_SPARE),                \
+    DEFINE_REG(REG_EMC, EMC_ZCAL_INTERVAL),             \
+    DEFINE_REG(REG_EMC, EMC_ZCAL_WAIT_CNT),             \
+    DEFINE_REG(REG_EMC, EMC_MRS_WAIT_CNT),              \
+    DEFINE_REG(REG_EMC, EMC_MRS_WAIT_CNT2),             \
+    DEFINE_REG(REG_EMC, EMC_AUTO_CAL_CHANNEL),          \
+    DEFINE_REG(REG_EMC, EMC_DLL_CFG_0),             \
+    DEFINE_REG(REG_EMC, EMC_DLL_CFG_1),             \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_AUTOCAL_CFG_COMMON),     \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_ZCTRL),              \
+    DEFINE_REG(REG_EMC, EMC_CFG),                   \
+    DEFINE_REG(REG_EMC, EMC_CFG_PIPE),              \
+    DEFINE_REG(REG_EMC, EMC_DYN_SELF_REF_CONTROL),          \
+    DEFINE_REG(REG_EMC, EMC_QPOP),                  \
+    DEFINE_REG(REG_EMC, EMC_DQS_BRLSHFT_0),             \
+    DEFINE_REG(REG_EMC, EMC_DQS_BRLSHFT_1),             \
+    DEFINE_REG(REG_EMC, EMC_CMD_BRLSHFT_2),             \
+    DEFINE_REG(REG_EMC, EMC_CMD_BRLSHFT_3),             \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_PAD_CFG_CTRL),           \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DATA_PAD_RX_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_PAD_RX_CTRL),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DATA_RX_TERM_MODE),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_RX_TERM_MODE),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_PAD_TX_CTRL),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DATA_PAD_TX_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_COMMON_PAD_TX_CTRL),     \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_VTTGEN_CTRL_0),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_VTTGEN_CTRL_1),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_VTTGEN_CTRL_2),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_BRICK_CTRL_RFU1),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_BRICK_CTRL_FDPD),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_BRICK_CTRL_RFU2),        \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DATA_BRICK_CTRL_FDPD),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_BG_BIAS_CTRL_0),         \
+    DEFINE_REG(REG_EMC, EMC_CFG_3),                 \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_0),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_1),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_2),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_3),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_4),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_PWRD_5),          \
+    DEFINE_REG(REG_EMC, EMC_CONFIG_SAMPLE_DELAY),           \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_0),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_1),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_2),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_3),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_4),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_TX_SEL_CLK_SRC_5),       \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_BYPASS),            \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_PWRD_0),            \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_PWRD_1),            \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_DDLL_PWRD_2),            \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_CTRL_0),         \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_CTRL_1),         \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_CMD_CTRL_2),         \
+    DEFINE_REG(REG_EMC, EMC_TR_TIMING_0),               \
+    DEFINE_REG(REG_EMC, EMC_TR_DVFS),               \
+    DEFINE_REG(REG_EMC, EMC_TR_CTRL_1),             \
+    DEFINE_REG(REG_EMC, EMC_TR_RDV),                \
+    DEFINE_REG(REG_EMC, EMC_TR_QPOP),               \
+    DEFINE_REG(REG_EMC, EMC_TR_RDV_MASK),               \
+    DEFINE_REG(REG_EMC, EMC_MRW14),                 \
+    DEFINE_REG(REG_EMC, EMC_TR_QSAFE),              \
+    DEFINE_REG(REG_EMC, EMC_TR_QRST),               \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_CTRL),             \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_SETTLE),           \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_VREF_SETTLE),          \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_CA_FINE_CTRL),         \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_CA_CTRL_MISC),         \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_CA_CTRL_MISC1),        \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_CA_VREF_CTRL),         \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_QUSE_CORS_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_QUSE_FINE_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_QUSE_CTRL_MISC),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_QUSE_VREF_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_READ_FINE_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_READ_CTRL_MISC),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_READ_VREF_CTRL),       \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_WRITE_FINE_CTRL),      \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_WRITE_CTRL_MISC),      \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_WRITE_VREF_CTRL),      \
+    DEFINE_REG(REG_EMC, EMC_TRAINING_MPC),              \
+    DEFINE_REG(REG_EMC, EMC_MRW15),                 \
+}
+
+#define TRIM_REGS_PER_CH_LIST                       \
+{                                   \
+    DEFINE_REG(REG_EMC0, EMC_CMD_BRLSHFT_0),            \
+    DEFINE_REG(REG_EMC1, EMC_CMD_BRLSHFT_1),            \
+    DEFINE_REG(REG_EMC0, EMC_DATA_BRLSHFT_0),           \
+    DEFINE_REG(REG_EMC1, EMC_DATA_BRLSHFT_0),           \
+    DEFINE_REG(REG_EMC0, EMC_DATA_BRLSHFT_1),           \
+    DEFINE_REG(REG_EMC1, EMC_DATA_BRLSHFT_1),           \
+    DEFINE_REG(REG_EMC0, EMC_QUSE_BRLSHFT_0),           \
+    DEFINE_REG(REG_EMC1, EMC_QUSE_BRLSHFT_1),           \
+    DEFINE_REG(REG_EMC0, EMC_QUSE_BRLSHFT_2),           \
+    DEFINE_REG(REG_EMC1, EMC_QUSE_BRLSHFT_3),           \
+}
+
+#define TRIM_REGS_LIST                          \
+{                                   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK0_0),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK0_1),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK0_2),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK0_3),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK1_0),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK1_1),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK1_2),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_LONG_DQS_RANK1_3),   \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE0_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE0_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE0_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE1_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE1_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE1_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE2_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE2_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE2_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE3_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE3_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE3_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE4_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE4_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE4_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE5_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE5_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE5_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE6_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE6_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE6_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE7_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE7_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK0_BYTE7_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE0_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE0_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE0_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE1_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE1_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE1_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE2_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE2_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE2_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE3_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE3_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE3_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE4_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE4_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE4_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE5_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE5_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE5_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE6_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE6_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE6_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE7_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE7_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_DDLL_SHORT_DQ_RANK1_BYTE7_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_VREF_DQS_0),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_VREF_DQS_1),          \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_VREF_DQ_0),           \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_IB_VREF_DQ_1),           \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_0),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_1),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_2),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_3),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_4),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK0_5),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_0),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_1),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_2),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_LONG_DQ_RANK1_3),    \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE0_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE0_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE0_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE1_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE1_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE1_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE2_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE2_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE2_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE3_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE3_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE3_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE4_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE4_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE4_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE5_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE5_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE5_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE6_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE6_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE6_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE7_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE7_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_BYTE7_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD0_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD0_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD0_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD1_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD1_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD1_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD2_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD2_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD2_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD3_0),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD3_1),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK0_CMD3_2),  \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE0_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE0_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE0_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE1_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE1_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE1_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE2_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE2_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE2_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE3_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE3_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE3_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE4_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE4_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE4_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE5_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE5_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE5_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE6_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE6_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE6_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE7_0), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE7_1), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_OB_DDLL_SHORT_DQ_RANK1_BYTE7_2), \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_0),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_1),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_2),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK0_3),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_0),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_1),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_2),      \
+    DEFINE_REG(REG_EMC, EMC_PMACRO_QUSE_DDLL_RANK1_3),      \
+}
+
+#define VREF_REGS_PER_CH_LIST                       \
+{                                   \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_OPT_DQS_IB_VREF_RANK0),   \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_OPT_DQS_IB_VREF_RANK0),   \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_OPT_DQS_IB_VREF_RANK1),   \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_OPT_DQS_IB_VREF_RANK1),   \
+}
+
+#define TRAINING_MOD_REGS_PER_CH_LIST                       \
+{                                   \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_IB_BYTE0),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_IB_BYTE0),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_IB_BYTE1),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_IB_BYTE1),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_IB_BYTE2),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_IB_BYTE2),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_IB_BYTE3),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_IB_BYTE3),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_IB_MISC),           \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_IB_MISC),           \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_OB_BYTE0),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_OB_BYTE0),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_OB_BYTE1),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_OB_BYTE1),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_OB_BYTE2),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_OB_BYTE2),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_OB_BYTE3),          \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_OB_BYTE3),          \
+    DEFINE_REG(REG_EMC0, EMC_TRAINING_RW_OFFSET_OB_MISC),           \
+    DEFINE_REG(REG_EMC1, EMC_TRAINING_RW_OFFSET_OB_MISC),           \
+}
+
+#define BURST_MC_REGS_LIST                          \
+{                                   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_CFG),    \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_OUTSTANDING_REQ),    \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_REFPB_HP_CTRL),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_REFPB_BANK_CTRL),    \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RCD), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RP),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RC),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RAS), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_FAW), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RRD), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RAP2PRE), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_WAP2PRE), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_R2R), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_W2W), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_R2W), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_CCDMW),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_W2R), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_TIMING_RFCPB),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DA_TURNS),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DA_COVERS),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_MISC0),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_MISC1),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_MISC2),  \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_RING1_THROTTLE), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_CTRL), \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_0),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_1),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_2),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_3),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_4),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_5),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_6),   \
+    DEFINE_REG(REG_MC, MC_EMEM_ARB_DHYST_TIMEOUT_UTIL_7),   \
+}
+
+#define BURST_UP_DOWN_REGS_LIST                         \
+{                                   \
+    DEFINE_REG(REG_MC, MC_MLL_MPCORER_PTSA_RATE),   \
+    DEFINE_REG(REG_MC, MC_FTOP_PTSA_RATE),  \
+    DEFINE_REG(REG_MC, MC_PTSA_GRANT_DECREMENT),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_XUSB_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_XUSB_1),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_TSEC_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_SDMMCA_0),  \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_SDMMCAA_0), \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_SDMMC_0),   \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_SDMMCAB_0), \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_PPCS_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_PPCS_1),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_MPCORE_0),  \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_HC_0),  \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_HC_1),  \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_AVPC_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_GPU_0), \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_GPU2_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_NVENC_0),   \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_NVDEC_0),   \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_VIC_0), \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_VI2_0), \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_ISP2_0),    \
+    DEFINE_REG(REG_MC, MC_LATENCY_ALLOWANCE_ISP2_1),    \
+}
+
+#define DEFINE_REG(type, reg)   reg##_INDEX
+enum BURST_REGS_LIST;
+enum TRIM_REGS_LIST;
+enum BURST_MC_REGS_LIST;
+enum BURST_UP_DOWN_REGS_LIST;
+#undef DEFINE_REG
+
+#define DEFINE_REG(type, reg)   type##_##reg##_INDEX
+enum BURST_REGS_PER_CH_LIST;
+enum TRIM_REGS_PER_CH_LIST;
+enum VREF_REGS_PER_CH_LIST;
+enum TRAINING_MOD_REGS_PER_CH_LIST;
+#undef DEFINE_REG
+
+typedef struct {
+    uint32_t rev;
+    char dvfs_ver[60];
+    uint32_t rate;
+    uint32_t min_volt;
+    uint32_t gpu_min_volt;
+    char clock_src[32];
+    uint32_t clk_src_emc;
+    uint32_t needs_training;
+    uint32_t training_pattern;
+    uint32_t trained;
+
+    uint32_t periodic_training;
+    uint32_t trained_dram_clktree_c0d0u0;
+    uint32_t trained_dram_clktree_c0d0u1;
+    uint32_t trained_dram_clktree_c0d1u0;
+    uint32_t trained_dram_clktree_c0d1u1;
+    uint32_t trained_dram_clktree_c1d0u0;
+    uint32_t trained_dram_clktree_c1d0u1;
+    uint32_t trained_dram_clktree_c1d1u0;
+    uint32_t trained_dram_clktree_c1d1u1;
+    uint32_t current_dram_clktree_c0d0u0;
+    uint32_t current_dram_clktree_c0d0u1;
+    uint32_t current_dram_clktree_c0d1u0;
+    uint32_t current_dram_clktree_c0d1u1;
+    uint32_t current_dram_clktree_c1d0u0;
+    uint32_t current_dram_clktree_c1d0u1;
+    uint32_t current_dram_clktree_c1d1u0;
+    uint32_t current_dram_clktree_c1d1u1;
+    uint32_t run_clocks;
+    uint32_t tree_margin;
+
+    uint32_t num_burst;
+    uint32_t num_burst_per_ch;
+    uint32_t num_trim;
+    uint32_t num_trim_per_ch;
+    uint32_t num_mc_regs;
+    uint32_t num_up_down;
+    uint32_t vref_num;
+    uint32_t training_mod_num;
+    uint32_t dram_timing_num;
+
+    uint32_t ptfv_list[12];
+
+    uint32_t burst_regs[221];
+    uint32_t burst_reg_per_ch[8];
+    uint32_t shadow_regs_ca_train[221];
+    uint32_t shadow_regs_quse_train[221];
+    uint32_t shadow_regs_rdwr_train[221];
+
+    uint32_t trim_regs[138];
+    uint32_t trim_perch_regs[10];
+
+    uint32_t vref_perch_regs[4];
+
+    uint32_t dram_timings[5];
+    uint32_t training_mod_regs[20];
+    uint32_t save_restore_mod_regs[12];
+    uint32_t burst_mc_regs[33];
+    uint32_t la_scale_regs[24];
+
+    uint32_t min_mrs_wait;
+    uint32_t emc_mrw;
+    uint32_t emc_mrw2;
+    uint32_t emc_mrw3;
+    uint32_t emc_mrw4;
+    uint32_t emc_mrw9;
+    uint32_t emc_mrs;
+    uint32_t emc_emrs;
+    uint32_t emc_emrs2;
+    uint32_t emc_auto_cal_config;
+    uint32_t emc_auto_cal_config2;
+    uint32_t emc_auto_cal_config3;
+    uint32_t emc_auto_cal_config4;
+    uint32_t emc_auto_cal_config5;
+    uint32_t emc_auto_cal_config6;
+    uint32_t emc_auto_cal_config7;
+    uint32_t emc_auto_cal_config8;
+    uint32_t emc_cfg_2;
+    uint32_t emc_sel_dpd_ctrl;
+    uint32_t emc_fdpd_ctrl_cmd_no_ramp;
+    uint32_t dll_clk_src;
+    uint32_t clk_out_enb_x_0_clk_enb_emc_dll;
+    uint32_t latency;
+} tegra_emc_timing_t;
+
+typedef struct {
+    uint32_t osc_freq;
+    uint32_t out_freq;
+    uint32_t feedback_div;
+    uint32_t input_div;
+    uint32_t post_div;
+} pll_cfg_t;
+
+typedef enum {
+    OP_SWITCH = 0,
+    OP_TRAIN = 1,
+    OP_TRAIN_SWITCH = 2
+} TrainMode;
+
+typedef enum {
+    TEGRA_EMC_SRC_PLLM,
+    TEGRA_EMC_SRC_PLLC,
+    TEGRA_EMC_SRC_PLLP,
+    TEGRA_EMC_SRC_CLKM,
+    TEGRA_EMC_SRC_PLLM_UD,
+    TEGRA_EMC_SRC_PLLMB_UD,
+    TEGRA_EMC_SRC_PLLMB,
+    TEGRA_EMC_SRC_PLLP_UD,
+    TEGRA_EMC_SRC_COUNT,
+} EmcSource;
+
+enum {
+    DRAM_TYPE_DDR3   = 0,
+    DRAM_TYPE_LPDDR4 = 1,
+    DRAM_TYPE_LPDDR2 = 2,
+    DRAM_TYPE_DDR2 = 3,
+};
+
+enum {
+    DLL_CHANGE_NONE = 0,
+    DLL_CHANGE_ON,
+    DLL_CHANGE_OFF,
+};
+
+enum {
+    DLL_OFF,
+    DLL_ON
+};
+
+enum {
+    AUTO_PD = 0,
+    MAN_SR  = 2
+};
+
+enum {
+    ASSEMBLY = 0,
+    ACTIVE
+};
+
+enum {
+    T_RP = 0,
+    T_FC_LPDDR4,
+    T_RFC,
+    T_PDEX,
+    RL
+};
+
+enum {
+    ONE_RANK = 1,
+    TWO_RANK = 2
+};
+
+enum {
+    SINGLE_CHANNEL = 0,
+    DUAL_CHANNEL
+};
+
+enum {
+    DRAM_DEV_SEL_ALL = 0,
+    DRAM_DEV_SEL_0   = (2 << 30),
+    DRAM_DEV_SEL_1   = (1 << 30),
+};
+
+enum {
+    EMC_CFG5_QUSE_MODE_NORMAL = 0,
+    EMC_CFG5_QUSE_MODE_ALWAYS_ON,
+    EMC_CFG5_QUSE_MODE_INTERNAL_LPBK,
+    EMC_CFG5_QUSE_MODE_PULSE_INTERN,
+    EMC_CFG5_QUSE_MODE_PULSE_EXTERN,
+    EMC_CFG5_QUSE_MODE_DIRECT_QUSE,
+};
+
+enum {
+    DVFS_SEQUENCE = 1,
+    WRITE_TRAINING_SEQUENCE = 2,
+    PERIODIC_TRAINING_SEQUENCE = 3,
+    DVFS_PT1 = 10,
+    DVFS_UPDATE = 11,
+    TRAINING_PT1 = 12,
+    TRAINING_UPDATE = 13,
+    PERIODIC_TRAINING_UPDATE = 14
+};
+
+enum {
+    TEGRA_DRAM_OVER_TEMP_NONE = 0,
+    TEGRA_DRAM_OVER_TEMP_REFRESH_X2,
+    TEGRA_DRAM_OVER_TEMP_REFRESH_X4,
+    TEGRA_DRAM_OVER_TEMP_THROTTLE,
+    TEGRA_DRAM_OVER_TEMP_MAX,
+};
+
+/* Train all possible DRAM sequences. */
+void train_dram();
+
+#endif

fusee/fusee-secondary/src/nxboot.c

@@ -28,7 +28,10 @@
 #include "mc.h"
 #include "se.h"
 #include "pmc.h"
+#include "fuse.h"
 #include "i2c.h"
+#include "ips.h"
+#include "stratosphere.h"
 #include "max77620.h"
 #include "cluster.h"
 #include "flow.h"
@@ -36,6 +39,8 @@
 #include "key_derivation.h"
 #include "package1.h"
 #include "package2.h"
+#include "smmu.h"
+#include "tsec.h"
 #include "loader.h"
 #include "splash_screen.h"
 #include "exocfg.h"
@@ -51,9 +56,43 @@
 
 static int exosphere_ini_handler(void *user, const char *section, const char *name, const char *value) {
     exosphere_config_t *exo_cfg = (exosphere_config_t *)user;
+    int tmp = 0;
     if (strcmp(section, "exosphere") == 0) {
         if (strcmp(name, EXOSPHERE_TARGETFW_KEY) == 0) {
             sscanf(value, "%d", &exo_cfg->target_firmware);
+        } 
+        if (strcmp(name, EXOSPHERE_DEBUGMODE_PRIV_KEY) == 0) {
+            sscanf(value, "%d", &tmp);
+            if (tmp) {
+                exo_cfg->flags |= EXOSPHERE_FLAG_IS_DEBUGMODE_PRIV;
+            } else {
+                exo_cfg->flags &= ~(EXOSPHERE_FLAG_IS_DEBUGMODE_PRIV);
+            }
+        } 
+        if (strcmp(name, EXOSPHERE_DEBUGMODE_USER_KEY) == 0) {
+            sscanf(value, "%d", &tmp);
+            if (tmp) {
+                exo_cfg->flags |= EXOSPHERE_FLAG_IS_DEBUGMODE_USER;
+            } else {
+                exo_cfg->flags &= ~(EXOSPHERE_FLAG_IS_DEBUGMODE_USER);
+            }
+        } else {
+            return 0;
+        }
+    } else {
+        return 0;
+    }
+    return 1;
+}
+
+static int stratosphere_ini_handler(void *user, const char *section, const char *name, const char *value) {
+    stratosphere_cfg_t *strat_cfg = (stratosphere_cfg_t *)user;
+    int tmp = 0;
+    if (strcmp(section, "stratosphere") == 0) {
+        if (strcmp(name, STRATOSPHERE_NOGC_KEY) == 0) {
+            strat_cfg->has_nogc_config = true;
+            sscanf(value, "%d", &tmp);
+            strat_cfg->enable_nogc = tmp != 0;
         } else {
             return 0;
         }
@@ -76,18 +115,30 @@ static uint32_t nxboot_get_target_firmware(const void *package1loader) {
             return EXOSPHERE_TARGET_FIRMWARE_400;
         case 0x0B:          /* 5.0.0 - 5.1.0 */
             return EXOSPHERE_TARGET_FIRMWARE_500;
-        case 0x0E:          /* 6.0.0 */
-            return EXOSPHERE_TARGET_FIRMWARE_600;
+        case 0x0E: {        /* 6.0.0 - 6.2.0 */
+            if (memcmp(package1loader_header->build_timestamp, "20180802", 8) == 0) {
+                return EXOSPHERE_TARGET_FIRMWARE_600;
+            } else if (memcmp(package1loader_header->build_timestamp, "20181107", 8) == 0) {
+                return EXOSPHERE_TARGET_FIRMWARE_620;
+            } else {
+                fatal_error("[NXBOOT]: Unable to identify package1!\n");
+            }
+        }
         default:
             return 0;
     }
 }
 
-static void nxboot_configure_exosphere(uint32_t target_firmware) {
+static void nxboot_configure_exosphere(uint32_t target_firmware, unsigned int keygen_type) {
     exosphere_config_t exo_cfg = {0};
 
     exo_cfg.magic = MAGIC_EXOSPHERE_BOOTCONFIG;
     exo_cfg.target_firmware = target_firmware;
+    if (keygen_type) {
+        exo_cfg.flags = EXOSPHERE_FLAGS_DEFAULT | EXOSPHERE_FLAG_PERFORM_620_KEYGEN;
+    } else {
+        exo_cfg.flags = EXOSPHERE_FLAGS_DEFAULT;
+    }
 
     if (ini_parse_string(get_loader_ctx()->bct0, exosphere_ini_handler, &exo_cfg) < 0) {
         fatal_error("[NXBOOT]: Failed to parse BCT.ini!\n");
@@ -100,6 +151,25 @@ static void nxboot_configure_exosphere(uint32_t target_firmware) {
     *(MAILBOX_EXOSPHERE_CONFIGURATION) = exo_cfg;
 }
 
+static void nxboot_configure_stratosphere(uint32_t target_firmware) {
+    stratosphere_cfg_t strat_cfg = {0};
+    if (ini_parse_string(get_loader_ctx()->bct0, stratosphere_ini_handler, &strat_cfg) < 0) {
+        fatal_error("[NXBOOT]: Failed to parse BCT.ini!\n");
+    }
+    
+    /* Enable NOGC patches if the user requested it, or if the user is booting into 4.0.0+ with 3.0.2- fuses. */
+    if (strat_cfg.has_nogc_config) {
+        if (strat_cfg.enable_nogc) {
+            kip_patches_set_enable_nogc();
+        }
+    } else {
+        /* Check if fuses are < 4.0.0, but firmware is >= 4.0.0 */
+        if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_400 && !(fuse_get_reserved_odm(7) & ~0x0000000F)) {
+            kip_patches_set_enable_nogc();
+        }
+    }
+}
+
 static void nxboot_set_bootreason() {
     boot_reason_t boot_reason = {0};
     FILE *boot0; 
@@ -260,11 +330,18 @@ uint32_t nxboot_main(void) {
         fatal_error("[NXBOOT]: Couldn't parse boot0: %s!\n", strerror(errno));
     }
     fclose(boot0);
+    
+    /* Find the system's target firmware. */
+    uint32_t target_firmware = nxboot_get_target_firmware(package1loader);
+    if (!target_firmware)
+        fatal_error("[NXBOOT]: Failed to detect target firmware!\n");
+    else
+        print(SCREEN_LOG_LEVEL_INFO, "[NXBOOT]: Detected target firmware %ld!\n", target_firmware);
 
     /* Read the TSEC firmware from a file, otherwise from PK1L. */
     if (loader_ctx->tsecfw_path[0] != '\0') {
         tsec_fw_size = get_file_size(loader_ctx->tsecfw_path);
-        if ((tsec_fw_size != 0) && (tsec_fw_size != 0xF00)) {
+        if ((tsec_fw_size != 0) && (tsec_fw_size != 0xF00 && tsec_fw_size != 0x2900)) {
             fatal_error("[NXBOOT]: TSEC firmware from %s has a wrong size!\n", loader_ctx->tsecfw_path);
         } else if (tsec_fw_size == 0) {
             fatal_error("[NXBOOT]: Could not read the TSEC firmware from %s!\n", loader_ctx->tsecfw_path);
@@ -280,23 +357,45 @@ uint32_t nxboot_main(void) {
             fatal_error("[NXBOOT]: Could not read the TSEC firmware from %s!\n", loader_ctx->tsecfw_path);
         }
     } else {
-        tsec_fw_size = package1_get_tsec_fw(&tsec_fw, package1loader, package1loader_size);
-        if (tsec_fw_size == 0) {
+        if (!package1_get_tsec_fw(&tsec_fw, package1loader, package1loader_size)) {
             fatal_error("[NXBOOT]: Failed to read the TSEC firmware from Package1loader!\n");
         }
+        if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
+            tsec_fw_size = 0x2900;
+        } else {
+            tsec_fw_size = 0xF00;
+        }
     }
     
-    /* Find the system's target firmware. */
-    uint32_t target_firmware = nxboot_get_target_firmware(package1loader);
-    if (!target_firmware)
-        fatal_error("[NXBOOT]: Failed to detect target firmware!\n");
-    else
-        print(SCREEN_LOG_LEVEL_INFO, "[NXBOOT]: Detected target firmware %ld!\n", target_firmware);
-    
     print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Loaded firmware from eMMC...\n");
 
+    /* Get the TSEC keys. */
+    uint8_t tsec_key[0x10] = {0};
+    uint8_t tsec_root_key[0x10] = {0};
+    if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
+        uint8_t tsec_keys[0x20] = {0};
+        
+        /* Emulate the TSEC payload on 6.2.0+. */
+        smmu_emulate_tsec((void *)tsec_keys, package1loader, package1loader_size, package1loader);
+        
+        /* Copy back the keys. */
+        memcpy((void *)tsec_key, (void *)tsec_keys, 0x10);
+        memcpy((void *)tsec_root_key, (void *)tsec_keys + 0x10, 0x10);
+    } else {
+        /* Run the TSEC payload and get the key. */
+        if (tsec_get_key(tsec_key, 1, tsec_fw, tsec_fw_size) != 0) {
+            fatal_error("[NXBOOT]: Failed to get TSEC key!\n");
+        }
+    }
+    
+    /* Derive keydata. */
+    unsigned int keygen_type = 0;
+    if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_key, &keygen_type) != 0) {
+        fatal_error("[NXBOOT]: Key derivation failed!\n");
+    }
+
     /* Setup boot configuration for Exosphère. */
-    nxboot_configure_exosphere(target_firmware);
+    nxboot_configure_exosphere(target_firmware, keygen_type);
 
     /* Initialize Boot Reason on older firmware versions. */
     if (MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware < EXOSPHERE_TARGET_FIRMWARE_400) {
@@ -304,11 +403,6 @@ uint32_t nxboot_main(void) {
         nxboot_set_bootreason();
     }
 
-    /* Derive keydata. */
-    if (derive_nx_keydata(MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware, g_keyblobs, available_revision, tsec_fw, tsec_fw_size) != 0) {
-        fatal_error("[NXBOOT]: Key derivation failed!\n");
-    }
-
     /* Read the warmboot firmware from a file, otherwise from PK1. */
     if (loader_ctx->warmboot_path[0] != '\0') {
         warmboot_fw_size = get_file_size(loader_ctx->warmboot_path);
@@ -326,16 +420,26 @@ uint32_t nxboot_main(void) {
             fatal_error("[NXBOOT]: Could not read the warmboot firmware from %s!\n", loader_ctx->warmboot_path);
         }
     } else {
-        uint8_t ctr[16];
-        package1_size = package1_get_encrypted_package1(&package1, ctr, package1loader, package1loader_size);
-        if (package1_decrypt(package1, package1_size, ctr)) {
+        if (target_firmware >= EXOSPHERE_TARGET_FIRMWARE_620) {
+            /* Package1 was decrypted during TSEC emulation. */
+            const uint8_t *package1_hdr = (const uint8_t *)package1loader + 0x7000 - 0x20;
+            package1 = (package1_header_t *)(package1_hdr + 0x20);
+            package1_size = *(uint32_t *)package1_hdr;
             warmboot_fw = package1_get_warmboot_fw(package1);
             warmboot_fw_size = package1->warmboot_size;
         } else {
-            warmboot_fw = NULL;
-            warmboot_fw_size = 0;
+            /* Decrypt package1 and extract the warmboot firmware. */
+            uint8_t ctr[16];
+            package1_size = package1_get_encrypted_package1(&package1, ctr, package1loader, package1loader_size);
+            if (package1_decrypt(package1, package1_size, ctr)) {
+                warmboot_fw = package1_get_warmboot_fw(package1);
+                warmboot_fw_size = package1->warmboot_size;
+            } else {
+                warmboot_fw = NULL;
+                warmboot_fw_size = 0;
+            }
         }
-
+        
         if (warmboot_fw_size == 0) {
             fatal_error("[NXBOOT]: Could not read the warmboot firmware from Package1!\n");
         }
@@ -360,6 +464,9 @@ uint32_t nxboot_main(void) {
     }
 
     print(SCREEN_LOG_LEVEL_MANDATORY, "[NXBOOT]: Rebuilding package2...\n");
+    
+    /* Parse stratosphere config. */
+    nxboot_configure_stratosphere(MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware);
 
     /* Patch package2, adding Thermosphère + custom KIPs. */
     package2_rebuild_and_copy(package2, MAILBOX_EXOSPHERE_CONFIGURATION->target_firmware);

fusee/fusee-secondary/src/nxboot_iram.c

@@ -23,7 +23,9 @@
 #include "mc.h"
 #include "nxboot.h"
 #include "se.h"
+#include "smmu.h"
 #include "timers.h"
+#include "sysreg.h"
 
 void nxboot_finish(uint32_t boot_memaddr) {
     volatile tegra_se_t *se = se_get_regs();
@@ -41,7 +43,8 @@ void nxboot_finish(uint32_t boot_memaddr) {
     }
     
     /* Finalize the GPU UCODE carveout. */
-    mc_config_carveout_finalize();
+    /* NOTE: [4.0.0+] This is now done in the Secure Monitor. */
+    /* mc_config_carveout_finalize(); */
     
     /* Lock AES keyslots. */
     for (uint32_t i = 0; i < 16; i++)
@@ -68,8 +71,21 @@ void nxboot_finish(uint32_t boot_memaddr) {
     /* Terminate the display. */
     display_end();
     
-    /* Boot CPU0. */
-    cluster_boot_cpu0(boot_memaddr);
+    /* Check if SMMU emulation has been used. */
+    uint32_t smmu_magic = *(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC);
+    if (smmu_magic == 0xDEADC0DE) {
+        /* Clear the magic. */
+        *(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC) = 0;
+        
+        /* Pass the boot address to the already running payload. */
+        *(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xF0) = boot_memaddr;
+        
+        /* Wait a while. */
+        mdelay(500);
+    } else {
+        /* Boot CPU0. */
+        cluster_boot_cpu0(boot_memaddr);
+    }
     
     /* Wait for Exosphère to wake up. */
     while (MAILBOX_NX_BOOTLOADER_IS_SECMON_AWAKE == 0) {

fusee/fusee-secondary/src/package1.c

@@ -90,15 +90,19 @@ int package1_read_and_parse_boot0(void **package1loader, size_t *package1loader_
     return 0;
 }
 
-size_t package1_get_tsec_fw(void **tsec_fw, const void *package1loader, size_t package1loader_size) {
+bool package1_get_tsec_fw(void **tsec_fw, const void *package1loader, size_t package1loader_size) {
     /* The TSEC firmware is always located at a 256-byte aligned address. */
-    /* We're looking for its 4 first bytes. We assume its size is always 0xF00 bytes. */
+    /* We're looking for its 4 first bytes. */
     const uint32_t *pos;
     uintptr_t pk1l = (uintptr_t)package1loader;
-    for (pos = (const uint32_t *)pk1l; (uintptr_t)pos < pk1l + package1loader_size && *pos != 0xCF42004D; pos += 0x40);
-
-    (*tsec_fw) = (void *)pos;
-    return 0xF00;
+    for (pos = (const uint32_t *)pk1l; (uintptr_t)pos < pk1l + package1loader_size; pos += 0x40) {
+        if (*pos == 0xCF42004D) {
+            (*tsec_fw) = (void *)pos;
+            return true;
+        }
+    }
+    
+    return false;
 }
 
 size_t package1_get_encrypted_package1(package1_header_t **package1, uint8_t *ctr, const void *package1loader, size_t package1loader_size) {
@@ -127,7 +131,7 @@ void *package1_get_warmboot_fw(const package1_header_t *package1) {
         https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/nvidia/tegra/common/aarch64/tegra_helpers.S#L312
         and thus by 0xD5034FDF.
 
-        Nx-bootloader seems to always start by 0xE328F0C0 (msr cpsr_f, 0xc0).
+        Nx-bootloader starts by 0xE328F0C0 (msr cpsr_f, 0xc0) before 6.2.0 and by 0xF0C0A7F0 afterwards.
     */
     const uint32_t *data = (const uint32_t *)package1->data;
     for (size_t i = 0; i < 3; i++) {
@@ -136,6 +140,7 @@ void *package1_get_warmboot_fw(const package1_header_t *package1) {
                 data += package1->secmon_size / 4;
                 break;
             case 0xE328F0C0:
+            case 0xF0C0A7F0:
                 data += package1->nx_bootloader_size / 4;
                 break;
             default:

fusee/fusee-secondary/src/package1.h

@@ -46,7 +46,7 @@ typedef struct {
 
 int package1_read_and_parse_boot0(void **package1loader, size_t *package1loader_size, nx_keyblob_t *keyblobs, uint32_t *revision, FILE *boot0);
 
-size_t package1_get_tsec_fw(void **tsec_fw, const void *package1loader, size_t package1loader_size);
+bool package1_get_tsec_fw(void **tsec_fw, const void *package1loader, size_t package1loader_size);
 size_t package1_get_encrypted_package1(package1_header_t **package1, uint8_t *ctr, const void *package1loader, size_t package1loader_size);
 
 /* Must be aligned to 16 bytes. */

fusee/fusee-secondary/src/package2.c

@@ -214,7 +214,7 @@ static bool package2_validate_metadata(package2_meta_t *metadata, uint8_t data[]
 
     /* Perform version checks. */
     /* We will be compatible with all package2s released before current, but not newer ones. */
-    if (metadata->version_max >= PACKAGE2_MINVER_THEORETICAL && metadata->version_min < PACKAGE2_MAXVER_600_CURRENT) {
+    if (metadata->version_max >= PACKAGE2_MINVER_THEORETICAL && metadata->version_min < PACKAGE2_MAXVER_620_CURRENT) {
         return true;
     }
 

fusee/fusee-secondary/src/package2.h

@@ -34,7 +34,8 @@
 #define PACKAGE2_MAXVER_302 0x5
 #define PACKAGE2_MAXVER_400_410 0x6
 #define PACKAGE2_MAXVER_500_510 0x7
-#define PACKAGE2_MAXVER_600_CURRENT 0x8
+#define PACKAGE2_MAXVER_600_610 0x8
+#define PACKAGE2_MAXVER_620_CURRENT 0x9
 
 #define PACKAGE2_MINVER_100 0x3
 #define PACKAGE2_MINVER_200 0x4
@@ -42,7 +43,8 @@
 #define PACKAGE2_MINVER_302 0x6
 #define PACKAGE2_MINVER_400_410 0x7
 #define PACKAGE2_MINVER_500_510 0x8
-#define PACKAGE2_MINVER_600_CURRENT 0x9
+#define PACKAGE2_MINVER_600_610 0x9
+#define PACKAGE2_MINVER_620_CURRENT 0xA
 
 #define NX_BOOTLOADER_PACKAGE2_LOAD_ADDRESS ((void *)(0xA9800000ull))
 

fusee/fusee-secondary/src/smmu.c

@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "smmu.h"
+#include "cluster.h"
+#include "mc.h"
+#include "timers.h"
+#include "tsec.h"
+
+#define TSEC_KEYGEN_MAX_RETRIES 25
+
+void *smmu_heap = (void *)SMMU_HEAP_BASE_ADDR;
+
+static void safe_memcpy(void *dst, void *src, uint32_t sz) {
+    /* Aligned memcpy to read MMIO correctly. */
+    for (size_t i = 0; i < (sz/4); i++) {
+        ((volatile uint32_t *)dst)[i] = ((volatile uint32_t *)src)[i];
+    }
+}
+
+static void smmu_flush_ppsb() {
+    /* Read-back barrier for interactions between the PPSB and the APB/AHB. */
+    (void)MAKE_MC_REG(MC_SMMU_TLB_CONFIG);
+}
+
+static void smmu_flush_regs() {
+    /* Flush all TLB and PTC entries. */
+    MAKE_MC_REG(MC_SMMU_PTC_FLUSH) = 0;
+    smmu_flush_ppsb();
+    MAKE_MC_REG(MC_SMMU_TLB_FLUSH) = 0;
+    smmu_flush_ppsb();
+}
+
+static void *smmu_alloc_page(uint32_t page_count) {
+    void *cur_page = smmu_heap;
+    smmu_heap += (page_count * SMMU_PAGE_SIZE);
+    memset(cur_page, 0, (page_count * SMMU_PAGE_SIZE));
+    return cur_page;
+}
+
+static uint32_t *smmu_alloc_pdir() {
+    uint32_t *pdir = (uint32_t *)smmu_alloc_page(1);
+    for (int pdn = 0; pdn < SMMU_PDIR_COUNT; pdn++) {
+        pdir[pdn] = _PDE_VACANT(pdn);
+    }
+    return pdir;
+}
+
+static uint32_t *smmu_locate_pte(uint32_t *pdir_page, uint32_t iova) {
+    uint32_t ptn = SMMU_ADDR_TO_PFN(iova);
+    uint32_t pdn = SMMU_ADDR_TO_PDN(iova);
+    uint32_t *pdir = pdir_page;
+    uint32_t *ptbl;
+
+    if (pdir[pdn] != _PDE_VACANT(pdn)) {
+        /* Mapped entry table already exists. */
+        ptbl = (uint32_t *)SMMU_EX_PTBL_PAGE(pdir[pdn]);
+    } else {
+        /* Allocate page table. */
+        ptbl = (uint32_t *)smmu_alloc_page(1);
+        uint32_t addr = SMMU_PDN_TO_ADDR(pdn);
+        for (int pn = 0; pn < SMMU_PTBL_COUNT; pn++, addr += SMMU_PAGE_SIZE) {
+            ptbl[pn] = _PTE_VACANT(addr);
+        }
+        pdir[pdn] = SMMU_MK_PDE((uint32_t)ptbl, _PDE_ATTR | _PDE_NEXT);
+        smmu_flush_regs();
+    }
+
+    return &ptbl[ptn % SMMU_PTBL_COUNT];
+}
+
+static void smmu_map(uint32_t *pdir, uint32_t addr, uint32_t ptpage, int pcount, uint32_t pte_attr) {
+    for (int i = 0; i < pcount; i++) {
+        uint32_t *pte = smmu_locate_pte(pdir, addr);
+        *pte = SMMU_PFN_TO_PTE(SMMU_ADDR_TO_PFN(ptpage), pte_attr);
+        addr += SMMU_PAGE_SIZE;
+        ptpage += SMMU_PAGE_SIZE;
+    }
+    smmu_flush_regs();
+}
+
+static uint32_t *smmu_setup_tsec_as(uint32_t asid) {
+    /* Allocate the page directory. */
+    uint32_t *pdir_page = smmu_alloc_pdir();
+
+    /* Set the PTB ASID and point it to the PDIR. */
+    MAKE_MC_REG(MC_SMMU_PTB_ASID) = asid;
+    MAKE_MC_REG(MC_SMMU_PTB_DATA) = SMMU_MK_PDIR((uint32_t)pdir_page, _PDIR_ATTR);
+    smmu_flush_ppsb();
+    
+    /* Assign the ASID to TSEC. */
+    MAKE_MC_REG(MC_SMMU_TSEC_ASID) = SMMU_ASID_ENABLE((asid << 24) | (asid << 16) | (asid << 8) | asid);
+    smmu_flush_ppsb();
+
+    return pdir_page;
+}
+
+static void smmu_clear_tsec_as(uint32_t asid) {
+    /* Set the PTB ASID and clear it's data. */
+    MAKE_MC_REG(MC_SMMU_PTB_ASID) = asid;
+    MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0;
+    
+    /* Clear the ASID from TSEC. */
+    MAKE_MC_REG(MC_SMMU_TSEC_ASID) = SMMU_ASID_DISABLE;
+    smmu_flush_ppsb();
+}
+
+static void smmu_enable() {
+    /* AARCH64 payload for enabling the SMMU. */
+    /* Write 1 to MC_SMMU_CONFIG, read back and write the result to 0x40003F80. */
+    /* This will leave the CPU waiting until 0x40003FF0 is set to Exosphère's address. */
+    static const uint32_t aarch64_payload[20] = {
+        0x52800020, 0x58000162, 0x58000183, 0xB9000040,
+        0xB9400041, 0xB9000061, 0x58000142, 0xF9400040,
+        0xF100001F, 0x54FFFFA0, 0xD61F0000, 0x00000000,
+        0x70019010, 0x00000000, 0x40003F80, 0x00000000,
+        0x40003FF0, 0x00000000, 0x00000000, 0x00000000
+    };
+    
+    /* Reset Translation Enable Registers. */
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_0) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_1) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_2) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_3) = 0xFFFFFFFF;
+    MAKE_MC_REG(MC_SMMU_TRANSLATION_ENABLE_4) = 0xFFFFFFFF;
+    
+    /* Setup initial TLB and PTC configuration. */
+    MAKE_MC_REG(MC_SMMU_PTB_ASID) = 0;
+    MAKE_MC_REG(MC_SMMU_PTB_DATA) = 0;
+    MAKE_MC_REG(MC_SMMU_TLB_CONFIG) = 0x30000030;
+    MAKE_MC_REG(MC_SMMU_PTC_CONFIG) = 0x2800003F;
+    smmu_flush_regs();
+    
+    /* Power on the CCPLEX to enable the SMMU globally (requires a secure write). */
+    volatile uint32_t *aarch64_payload_res = (volatile uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0x80);
+    memset((void *)SMMU_AARCH64_PAYLOAD_ADDR, 0, 0x100);
+    memcpy((void *)SMMU_AARCH64_PAYLOAD_ADDR, aarch64_payload, 20 * 4);
+    cluster_boot_cpu0(SMMU_AARCH64_PAYLOAD_ADDR);
+    mdelay(500);
+    if (*aarch64_payload_res != 1) {
+        fatal_error("[SMMU]: Failed to enable SMMU!\n");
+    }
+    
+    /* Write magic for nxboot. */
+    *(uint32_t *)(SMMU_AARCH64_PAYLOAD_ADDR + 0xFC) = 0xDEADC0DE;
+    
+    /* Flush TLB and PTC entries. */
+    smmu_flush_regs();
+}
+
+void smmu_emulate_tsec(void *tsec_keys, const void *package1, size_t package1_size, void *package1_dec) {
+    volatile tegra_tsec_t *tsec = tsec_get_regs();
+    
+    /* Backup IRAM to DRAM. */
+    memcpy((void *)SMMU_IRAM_BACKUP_ADDR, (void *)0x40010000, 0x30000);
+    
+    /* Copy package1 into IRAM. */
+    memcpy((void *)0x40010000, package1, package1_size);
+    
+    /* Setup TSEC's address space. */
+    uint32_t *pdir = smmu_setup_tsec_as(1);
+
+    /* Allocate pages for MMIO and IRAM. */
+    volatile uint32_t *car_page = smmu_alloc_page(1);
+    volatile uint32_t *fuse_page = smmu_alloc_page(1);
+    volatile uint32_t *pmc_page = smmu_alloc_page(1);
+    volatile uint32_t *flow_page = smmu_alloc_page(1);
+    volatile uint32_t *se_page = smmu_alloc_page(1);
+    volatile uint32_t *mc_page = smmu_alloc_page(1);
+    volatile uint32_t *iram_pages = smmu_alloc_page(48);
+    volatile uint32_t *expv_page = smmu_alloc_page(1);
+    
+    /* Map all necessary pages. */
+    smmu_map(pdir, 0x60006000, (uint32_t)car_page, 1, _READABLE | _WRITABLE | _NONSECURE);
+    smmu_map(pdir, 0x7000F000, (uint32_t)fuse_page, 1, _READABLE | _NONSECURE);
+    smmu_map(pdir, 0x7000E000, (uint32_t)pmc_page, 1, _READABLE | _NONSECURE);
+    smmu_map(pdir, 0x60007000, (uint32_t)flow_page, 1, _WRITABLE | _NONSECURE);
+    smmu_map(pdir, 0x70012000, (uint32_t)se_page, 1, _READABLE | _WRITABLE | _NONSECURE);
+    smmu_map(pdir, 0x70019000, (uint32_t)mc_page, 1, _READABLE | _NONSECURE);
+    smmu_map(pdir, 0x40010000, (uint32_t)iram_pages, 48, _READABLE | _WRITABLE | _NONSECURE);
+    smmu_map(pdir, 0x6000F000, (uint32_t)expv_page, 1, _READABLE | _WRITABLE | _NONSECURE);
+
+    /* Enable the SMMU. */
+    smmu_enable();
+    
+    /* Loop retrying TSEC firmware execution, in case we lose the SE keydata race. */
+    uint32_t key_buf[0x20/4] = {0};
+    unsigned int retries = 0;
+    while (true) {
+        if (retries++ > TSEC_KEYGEN_MAX_RETRIES) {
+            fatal_error("[SMMU] TSEC key generation race was lost too many times!");
+        }
+    
+        /* Load the TSEC firmware from IRAM. */
+        if (tsec_load_fw((void *)(0x40010000 + 0xE00), 0x2900) < 0) {
+            fatal_error("[SMMU]: Failed to load TSEC firmware!\n");
+        }
+    
+        /* Disable the aperture since it has precedence over the SMMU. */
+        mc_disable_ahb_redirect();
+        
+        /* Clear all pages. */
+        memset((void *)car_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)fuse_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)pmc_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)flow_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)se_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)mc_page, 0, SMMU_PAGE_SIZE);
+        memset((void *)iram_pages, 0, 48 * SMMU_PAGE_SIZE);
+        memset((void *)expv_page, 0, SMMU_PAGE_SIZE);
+        
+        /* Copy CAR, MC and FUSE. */
+        safe_memcpy((void *)car_page, (void *)0x60006000, 0x1000);
+        safe_memcpy((void *)mc_page, (void *)0x70019000, 0x1000);
+        safe_memcpy((void *)&fuse_page[0x800/4], (void *)0x7000F800, 0x400);
+        
+        /* Copy IRAM. */
+        memcpy((void *)iram_pages, (void *)0x40010000, 0x30000);
+            
+        /* TSEC wants CLK_RST_CONTROLLER_CLK_SOURCE_TSEC_0 to be equal to 2. */
+        car_page[0x1F4/4] = 2;
+        
+        /* TSEC wants the aperture fully open. */
+        mc_page[0x65C/4] = 0;
+        mc_page[0x660/4] = 0x80000000;
+        
+    
+        /* Run the TSEC firmware. */
+        tsec_run_fw();
+    
+        /* Extract the keys from SE. */
+        volatile uint32_t *key_data = (volatile uint32_t *)((void *)se_page + 0x320);
+        uint32_t old_key_data = *key_data;
+        uint32_t buf_counter = 0;
+        while (!(tsec->FALCON_CPUCTL & 0x10)) {
+            const uint32_t new_key_data = *key_data;
+            if (new_key_data != old_key_data) {
+                old_key_data = new_key_data;
+                key_buf[buf_counter] = new_key_data;
+                buf_counter++;
+            }
+        }
+    
+        /* Enable back the aperture. */
+        mc_enable_ahb_redirect();
+        
+        if (buf_counter == 8) {
+            break;
+        }
+    }
+    
+    /* Check if the TSEC firmware wrote over the exception vectors. */
+    volatile uint32_t *tsec_done_check = (volatile uint32_t *)((void *)expv_page + 0x200);
+    if (!(*tsec_done_check)) {
+        fatal_error("[SMMU]: Failed to emulate the TSEC firmware!\n");
+    }
+
+    /* Copy back the extracted keys. */
+    memcpy((void *)tsec_keys, (void *)key_buf, 0x20);
+    
+    /* Manually disable TSEC clocks. */
+    tsec_disable_clkrst();
+    
+    /* Clear TSEC's address space. */
+    smmu_clear_tsec_as(1);
+    
+    /* Return the decrypted package1 from emulated IRAM. */
+    memcpy(package1_dec, (void *)iram_pages, package1_size);
+    
+    /* Restore IRAM from DRAM. */
+    memcpy((void *)0x40010000, (void *)SMMU_IRAM_BACKUP_ADDR, 0x30000);
+}

fusee/fusee-secondary/src/smmu.h

@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef FUSEE_SMMU_H_
+#define FUSEE_SMMU_H_
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+#define SMMU_HEAP_BASE_ADDR             0x81000000
+#define SMMU_IRAM_BACKUP_ADDR           0x82000000
+#define SMMU_AARCH64_PAYLOAD_ADDR       0x40003F00
+
+#define SMMU_PAGE_SHIFT 12
+#define SMMU_PAGE_SIZE  (1 << SMMU_PAGE_SHIFT)
+#define SMMU_PDIR_COUNT 1024
+#define SMMU_PDIR_SIZE  (sizeof(uint32_t) * SMMU_PDIR_COUNT)
+#define SMMU_PTBL_COUNT 1024
+#define SMMU_PTBL_SIZE  (sizeof(uint32_t) * SMMU_PTBL_COUNT)
+#define SMMU_PDIR_SHIFT 12
+#define SMMU_PDE_SHIFT  12
+#define SMMU_PTE_SHIFT  12
+#define SMMU_PFN_MASK   0x000fffff
+#define SMMU_PDE_NEXT_SHIFT     28
+#define SMMU_ADDR_TO_PFN(addr)  ((addr) >> 12)
+#define SMMU_ADDR_TO_PDN(addr)  ((addr) >> 22)
+#define SMMU_PDN_TO_ADDR(pdn)   ((pdn) << 22)
+#define _READABLE   (1 << 31)
+#define _WRITABLE   (1 << 30)
+#define _NONSECURE  (1 << 29)
+#define _PDE_NEXT   (1 << SMMU_PDE_NEXT_SHIFT)
+#define _MASK_ATTR  (_READABLE | _WRITABLE | _NONSECURE)
+#define _PDIR_ATTR  (_READABLE | _WRITABLE | _NONSECURE)
+#define _PDE_ATTR   (_READABLE | _WRITABLE | _NONSECURE)
+#define _PDE_ATTR_N (_PDE_ATTR | _PDE_NEXT)
+#define _PDE_VACANT(pdn)    (((pdn) << 10) | _PDE_ATTR)
+#define _PTE_ATTR   (_READABLE | _WRITABLE | _NONSECURE)
+#define _PTE_VACANT(addr)   (((addr) >> SMMU_PAGE_SHIFT) | _PTE_ATTR)
+#define SMMU_MK_PDIR(page, attr)    (((page) >> SMMU_PDIR_SHIFT) | (attr))
+#define SMMU_MK_PDE(page, attr) (((page) >> SMMU_PDE_SHIFT) | (attr))
+#define SMMU_EX_PTBL_PAGE(pde)  (((pde) & SMMU_PFN_MASK) << SMMU_PDIR_SHIFT)
+#define SMMU_PFN_TO_PTE(pfn, attr)  ((pfn) | (attr))
+#define SMMU_ASID_ENABLE(asid)  ((asid) | (1 << 31))
+#define SMMU_ASID_DISABLE   0
+#define SMMU_ASID_ASID(n)   ((n) & ~SMMU_ASID_ENABLE(0))
+
+void smmu_emulate_tsec(void *tsec_keys, const void *package1, size_t package1_size, void *package1_dec);
+
+#endif

fusee/fusee-secondary/src/splash_screen.c

@@ -44,7 +44,7 @@ void display_splash_screen_bmp(const char *custom_splash_path, void *fb_address)
     
     /* Try to load an external custom splash screen. */
     if ((custom_splash_path != NULL) && (custom_splash_path[0] != '\x00')) {
-        if (!read_from_file(splash_screen, sizeof(&splash_screen_bmp), custom_splash_path)) {
+        if (!read_from_file(splash_screen, splash_screen_bmp_size, custom_splash_path)) {
             fatal_error("Failed to read custom splash screen from %s!\n", custom_splash_path);
         }
     }

fusee/fusee-secondary/src/stratosphere.h

@@ -31,4 +31,11 @@ void stratosphere_free_ini1(void);
 
 ini1_header_t *stratosphere_merge_inis(ini1_header_t **inis, unsigned int num_inis);
 
+typedef struct {
+    bool has_nogc_config;
+    bool enable_nogc;
+} stratosphere_cfg_t;
+
+#define STRATOSPHERE_NOGC_KEY "nogc"
+
 #endif

fusee/fusee-secondary/src/timers.h

@@ -21,11 +21,15 @@
 
 #define TIMERS_BASE 0x60005000
 #define MAKE_TIMERS_REG(n) MAKE_REG32(TIMERS_BASE + n)
+
 #define TIMERUS_CNTR_1US_0 MAKE_TIMERS_REG(0x10)
 #define TIMERUS_USEC_CFG_0 MAKE_TIMERS_REG(0x14)
+#define SHARED_INTR_STATUS_0 MAKE_TIMERS_REG(0x1A0)
+#define SHARED_TIMER_SECURE_CFG_0 MAKE_TIMERS_REG(0x1A4)
 
 #define RTC_BASE 0x7000E000
 #define MAKE_RTC_REG(n) MAKE_REG32(RTC_BASE + n)
+
 #define RTC_SECONDS MAKE_RTC_REG(0x08)
 #define RTC_SHADOW_SECONDS MAKE_RTC_REG(0x0C)
 #define RTC_MILLI_SECONDS MAKE_RTC_REG(0x10)
@@ -39,7 +43,7 @@ typedef struct {
 
 #define GET_WDT(n) ((volatile watchdog_timers_t *)(TIMERS_BASE + 0x100 + 0x20 * n))
 #define WDT_REBOOT_PATTERN 0xC45A
-#define GET_WDT_REBOOT_CFG_REG(n) MAKE_TIMERS_REG(0x60 + 0x8 * n)
+#define GET_WDT_REBOOT_CFG_REG(n) MAKE_REG32(TIMERS_BASE + 0x60 + 0x8 * n)
 
 void wait(uint32_t microseconds);
 

fusee/fusee-secondary/src/tsec.c

@@ -49,17 +49,34 @@ static int tsec_dma_phys_to_flcn(bool is_imem, uint32_t flcn_offset, uint32_t ph
     return tsec_dma_wait_idle();
 }
 
-int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
+void tsec_enable_clkrst()
 {
-    volatile tegra_tsec_t *tsec = tsec_get_regs();
-
-    /* Enable clocks. */
+    /* Enable all devices used by TSEC. */
     clkrst_reboot(CARDEVICE_HOST1X);
     clkrst_reboot(CARDEVICE_TSEC);
     clkrst_reboot(CARDEVICE_SOR_SAFE);
     clkrst_reboot(CARDEVICE_SOR0);
     clkrst_reboot(CARDEVICE_SOR1);
     clkrst_reboot(CARDEVICE_KFUSE);
+}
+
+void tsec_disable_clkrst()
+{
+    /* Disable all devices used by TSEC. */
+    clkrst_disable(CARDEVICE_KFUSE);
+    clkrst_disable(CARDEVICE_SOR1);
+    clkrst_disable(CARDEVICE_SOR0);
+    clkrst_disable(CARDEVICE_SOR_SAFE);
+    clkrst_disable(CARDEVICE_TSEC);
+    clkrst_disable(CARDEVICE_HOST1X);
+}
+
+int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size)
+{
+    volatile tegra_tsec_t *tsec = tsec_get_regs();
+
+    /* Enable clocks. */
+    tsec_enable_clkrst();
 
     /* Configure Falcon. */
     tsec->FALCON_DMACTL = 0;
@@ -70,29 +87,19 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
     if (!tsec_dma_wait_idle())
     {
         /* Disable clocks. */
-        clkrst_disable(CARDEVICE_KFUSE);
-        clkrst_disable(CARDEVICE_SOR1);
-        clkrst_disable(CARDEVICE_SOR0);
-        clkrst_disable(CARDEVICE_SOR_SAFE);
-        clkrst_disable(CARDEVICE_TSEC);
-        clkrst_disable(CARDEVICE_HOST1X);
+        tsec_disable_clkrst();
     
         return -1;
     }
     
     /* Load firmware. */
     tsec->FALCON_DMATRFBASE = (uint32_t)tsec_fw >> 8;
-    for (uint32_t addr = 0; addr < 0xF00; addr += 0x100)
+    for (uint32_t addr = 0; addr < tsec_fw_size; addr += 0x100)
     {
         if (!tsec_dma_phys_to_flcn(true, addr, addr))
         {
             /* Disable clocks. */
-            clkrst_disable(CARDEVICE_KFUSE);
-            clkrst_disable(CARDEVICE_SOR1);
-            clkrst_disable(CARDEVICE_SOR0);
-            clkrst_disable(CARDEVICE_SOR_SAFE);
-            clkrst_disable(CARDEVICE_TSEC);
-            clkrst_disable(CARDEVICE_HOST1X);
+            tsec_disable_clkrst();
         
             return -2;
         }
@@ -110,12 +117,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
     if (!tsec_dma_wait_idle())
     {
         /* Disable clocks. */
-        clkrst_disable(CARDEVICE_KFUSE);
-        clkrst_disable(CARDEVICE_SOR1);
-        clkrst_disable(CARDEVICE_SOR0);
-        clkrst_disable(CARDEVICE_SOR_SAFE);
-        clkrst_disable(CARDEVICE_TSEC);
-        clkrst_disable(CARDEVICE_HOST1X);
+        tsec_disable_clkrst();
     
         return -3;
     }
@@ -126,12 +128,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
         if (get_time_ms() > timeout)
         {
             /* Disable clocks. */
-            clkrst_disable(CARDEVICE_KFUSE);
-            clkrst_disable(CARDEVICE_SOR1);
-            clkrst_disable(CARDEVICE_SOR0);
-            clkrst_disable(CARDEVICE_SOR_SAFE);
-            clkrst_disable(CARDEVICE_TSEC);
-            clkrst_disable(CARDEVICE_HOST1X);
+            tsec_disable_clkrst();
         
             return -4;
         }
@@ -140,12 +137,7 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
     if (tsec->FALCON_SCRATCH1 != 0xB0B0B0B0)
     {
         /* Disable clocks. */
-        clkrst_disable(CARDEVICE_KFUSE);
-        clkrst_disable(CARDEVICE_SOR1);
-        clkrst_disable(CARDEVICE_SOR0);
-        clkrst_disable(CARDEVICE_SOR_SAFE);
-        clkrst_disable(CARDEVICE_TSEC);
-        clkrst_disable(CARDEVICE_HOST1X);
+        tsec_disable_clkrst();
     
         return -5;
     }
@@ -170,4 +162,55 @@ int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw)
     memcpy(key, &tmp, 0x10);
 
     return 0;
+}
+
+int tsec_load_fw(const void *tsec_fw, size_t tsec_fw_size)
+{
+    volatile tegra_tsec_t *tsec = tsec_get_regs();
+
+    /* Enable clocks. */
+    tsec_enable_clkrst();
+
+    /* Configure Falcon. */
+    tsec->FALCON_DMACTL = 0;
+    tsec->FALCON_IRQMSET = 0xFFF2;
+    tsec->FALCON_IRQDEST = 0xFFF0;
+    tsec->FALCON_ITFEN = 3;
+    
+    if (!tsec_dma_wait_idle())
+    {
+        /* Disable clocks. */
+        tsec_disable_clkrst();
+    
+        return -1;
+    }
+    
+    /* Load firmware. */
+    tsec->FALCON_DMATRFBASE = (uint32_t)tsec_fw >> 8;
+    for (uint32_t addr = 0; addr < tsec_fw_size; addr += 0x100)
+    {
+        if (!tsec_dma_phys_to_flcn(true, addr, addr))
+        {
+            /* Disable clocks. */
+            tsec_disable_clkrst();
+        
+            return -2;
+        }
+    }
+
+    return 0;
+}
+
+void tsec_run_fw()
+{
+    volatile tegra_tsec_t *tsec = tsec_get_regs();
+    
+    /* Unknown host1x write. */
+    MAKE_HOST1X_REG(0x3300) = 0x34C2E1DA;
+    
+    /* Execute firmware. */
+    tsec->FALCON_SCRATCH1 = 0;
+    tsec->FALCON_SCRATCH0 = 1;
+    tsec->FALCON_BOOTVEC = 0;
+    tsec->FALCON_CPUCTL = 2;
 }

fusee/fusee-secondary/src/tsec.h

@@ -109,6 +109,10 @@ static inline volatile tegra_tsec_t *tsec_get_regs(void)
     return (volatile tegra_tsec_t *)TSEC_BASE;
 }
 
-int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw);
+void tsec_enable_clkrst();
+void tsec_disable_clkrst();
+int tsec_get_key(uint8_t *key, uint32_t rev, const void *tsec_fw, size_t tsec_fw_size);
+int tsec_load_fw(const void *tsec_fw, size_t tsec_fw_size);
+void tsec_run_fw();
 
 #endif

fusee/fusee-secondary/src/utils.c

@@ -58,21 +58,12 @@ __attribute__((noreturn)) void pmc_reboot(uint32_t scratch0) {
     }
 }
 
-__attribute__((noreturn)) void car_reboot(void) {
-    /* Reset the processor. */
-    car_get_regs()->rst_dev_l |= 1<<2;
-
-    while (true) {
-        /* Wait for reboot. */
-    }
-}
-
 __attribute__((noreturn)) void wait_for_button_and_reboot(void) {
     uint32_t button;
     while (true) {
         button = btn_read();
         if (button & BTN_POWER) {
-            car_reboot();
+            pmc_reboot(1 << 1);
         }
     }
 }

fusee/fusee-secondary/src/utils.h

@@ -122,7 +122,6 @@ void hexdump(const void* data, size_t size, uintptr_t addrbase);
 
 __attribute__((noreturn)) void watchdog_reboot(void);
 __attribute__((noreturn)) void pmc_reboot(uint32_t scratch0);
-__attribute__((noreturn)) void car_reboot(void);
 __attribute__((noreturn)) void wait_for_button_and_reboot(void);
 void wait_for_button(void);
 

stratosphere/Makefile

@@ -1,4 +1,4 @@
-KIPS := loader pm sm boot fs_mitm set_mitm creport
+KIPS := loader pm sm boot fs_mitm set_mitm creport fatal
 
 #TODO: boot2 ?
 

stratosphere/boot/Makefile

@@ -9,6 +9,14 @@ endif
 TOPDIR ?= $(CURDIR)
 include $(DEVKITPRO)/libnx/switch_rules
 
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
+
 #---------------------------------------------------------------------------------
 # TARGET is the name of the output
 # BUILD is the directory where object files & intermediate files will be placed
@@ -24,7 +32,7 @@ DATA		:=	data
 INCLUDES	:=	include ../../common/include
 EXEFS_SRC	:=	exefs_src
 
-DEFINES	:=	-DDISABLE_IPC
+DEFINES	:=	-DDISABLE_IPC -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
 
 #---------------------------------------------------------------------------------
 # options for code generation

stratosphere/creport/Makefile

@@ -9,6 +9,13 @@ endif
 TOPDIR ?= $(CURDIR)
 include $(DEVKITPRO)/libnx/switch_rules
 
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
 #---------------------------------------------------------------------------------
 # TARGET is the name of the output
 # BUILD is the directory where object files & intermediate files will be placed
@@ -24,7 +31,7 @@ DATA		:=	data
 INCLUDES	:=	include ../../common/include
 EXEFS_SRC	:=	exefs_src
 
-DEFINES	:=	-DDISABLE_IPC
+DEFINES	:=	-DDISABLE_IPC -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
 
 #---------------------------------------------------------------------------------
 # options for code generation

stratosphere/creport/source/creport_code_info.cpp

@@ -32,15 +32,37 @@ void CodeList::SaveToFile(FILE *f_report) {
     }
 }
 
-void CodeList::ReadCodeRegionsFromProcess(Handle debug_handle, u64 pc, u64 lr) {
+void CodeList::ReadCodeRegionsFromThreadInfo(Handle debug_handle, const ThreadInfo *thread) {
     u64 code_base;
     
-    /* Guess that either PC or LR will point to a code region. This could be false. */
-    if (!TryFindCodeRegion(debug_handle, pc, &code_base) && !TryFindCodeRegion(debug_handle, lr, &code_base)) {
-        return;
+    /* Try to add the thread's PC. */
+    if (TryFindCodeRegion(debug_handle, thread->GetPC(), &code_base)) {
+        AddCodeRegion(debug_handle, code_base);
     }
     
-    u64 cur_ptr = code_base;
+    /* Try to add the thread's LR. */
+    if (TryFindCodeRegion(debug_handle, thread->GetLR(), &code_base)) {
+        AddCodeRegion(debug_handle, code_base);
+    }
+    
+    /* Try to add all the addresses in the thread's stacktrace. */
+    for (u32 i = 0; i < thread->GetStackTraceSize(); i++) {
+        if (TryFindCodeRegion(debug_handle, thread->GetStackTrace(i), &code_base)) {
+            AddCodeRegion(debug_handle, code_base);
+        }
+    }
+}
+
+void CodeList::AddCodeRegion(u64 debug_handle, u64 code_address) {
+    /* Check whether we already have this code region. */
+    for (size_t i = 0; i < this->code_count; i++) {
+        if (this->code_infos[i].start_address <= code_address && code_address < this->code_infos[i].end_address) {
+            return;
+        }
+    }
+    
+    /* Add all contiguous code regions. */
+    u64 cur_ptr = code_address;
     while (this->code_count < max_code_count) {
         MemoryInfo mi;
         u32 pi;
@@ -80,7 +102,25 @@ void CodeList::ReadCodeRegionsFromProcess(Handle debug_handle, u64 pc, u64 lr) {
 bool CodeList::TryFindCodeRegion(Handle debug_handle, u64 guess, u64 *address) {
     MemoryInfo mi;
     u32 pi;
-    if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess)) || mi.perm != Perm_Rx) {
+    if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess))) {
+        return false;
+    }
+    
+    if (mi.perm == Perm_Rw) {
+        guess = mi.addr - 4;
+        if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess))) {
+            return false;
+        }
+    }
+    
+    if (mi.perm == Perm_R) {
+        guess = mi.addr - 4;
+        if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess))) {
+            return false;
+        }
+    }
+    
+    if (mi.perm != Perm_Rx) {
         return false;
     }
     

stratosphere/creport/source/creport_code_info.hpp

@@ -19,6 +19,7 @@
 #include <cstdio>
 
 #include "creport_debug_types.hpp"
+#include "creport_thread_info.hpp"
 
 struct CodeInfo {
     char name[0x20];
@@ -28,19 +29,20 @@ struct CodeInfo {
 };
 
 class CodeList {
-    private:
-        static const size_t max_code_count = 0x10;
+    public:
+        static const size_t max_code_count = 0x60;
         u32 code_count = 0;
         CodeInfo code_infos[max_code_count];
         
         /* For pretty-printing. */
         char address_str_buf[0x280];
     public:        
-        void ReadCodeRegionsFromProcess(Handle debug_handle, u64 pc, u64 lr);
+        void ReadCodeRegionsFromThreadInfo(Handle debug_handle, const ThreadInfo *thread);
         const char *GetFormattedAddressString(u64 address);
         void SaveToFile(FILE *f_report);
     private:
         bool TryFindCodeRegion(Handle debug_handle, u64 guess, u64 *address);
+        void AddCodeRegion(u64 debug_handle, u64 code_address);
         void GetCodeInfoName(u64 debug_handle, u64 rx_address, u64 ro_address, char *name);
         void GetCodeInfoBuildId(u64 debug_handle, u64 ro_address, u8 *build_id);
 };

stratosphere/creport/source/creport_crash_report.cpp

@@ -27,7 +27,7 @@ void CrashReport::BuildReport(u64 pid, bool has_extra_info) {
     this->has_extra_info = has_extra_info;
     if (OpenProcess(pid)) {
         ProcessExceptions();
-        this->code_list.ReadCodeRegionsFromProcess(this->debug_handle, this->crashed_thread_info.GetPC(), this->crashed_thread_info.GetLR());
+        this->code_list.ReadCodeRegionsFromThreadInfo(this->debug_handle, &this->crashed_thread_info);
         this->thread_list.ReadThreadsFromProcess(this->debug_handle, Is64Bit());
         this->crashed_thread_info.SetCodeList(&this->code_list);
         this->thread_list.SetCodeList(&this->code_list);
@@ -36,12 +36,46 @@ void CrashReport::BuildReport(u64 pid, bool has_extra_info) {
             ProcessDyingMessage();
         }
         
+        /* Real creport only does this if application, but there's no reason not to do it all the time. */
+        for (u32 i = 0; i < this->thread_list.GetThreadCount(); i++) {
+            this->code_list.ReadCodeRegionsFromThreadInfo(this->debug_handle, this->thread_list.GetThreadInfo(i));
+        }
+        
         /* Real creport builds the report here. We do it later. */
         
         Close();
     }
 }
 
+FatalContext *CrashReport::GetFatalContext() {
+    FatalContext *ctx = new FatalContext;
+    *ctx = (FatalContext){0};
+    
+    ctx->is_aarch32 = false;
+    ctx->type = static_cast<u32>(this->exception_info.type);
+    
+    for (size_t i = 0; i < 29; i++) {
+        ctx->aarch64_ctx.x[i] = this->crashed_thread_info.context.cpu_gprs[i].x;
+    }
+    ctx->aarch64_ctx.fp = this->crashed_thread_info.context.fp;
+    ctx->aarch64_ctx.lr = this->crashed_thread_info.context.lr;
+    ctx->aarch64_ctx.pc = this->crashed_thread_info.context.pc.x;
+    
+    ctx->aarch64_ctx.stack_trace_size = this->crashed_thread_info.stack_trace_size;
+    for (size_t i = 0; i < ctx->aarch64_ctx.stack_trace_size; i++) {
+        ctx->aarch64_ctx.stack_trace[i] = this->crashed_thread_info.stack_trace[i];
+    }
+    
+    if (this->code_list.code_count) {
+        ctx->aarch64_ctx.start_address = this->code_list.code_infos[0].start_address;
+    }
+    
+    /* For ams fatal... */
+    ctx->aarch64_ctx.afsr0 = this->process_info.title_id;
+    
+    return ctx;
+}
+
 void CrashReport::ProcessExceptions() {
     if (!IsOpen()) {
         return;
@@ -228,7 +262,7 @@ void CrashReport::EnsureReportDirectories() {
 }
 
 void CrashReport::SaveReport() {
-    /* TODO: Save the report to the SD card. */
+    /* Save the report to the SD card. */
     char report_path[FS_MAX_PATH];
     
     /* Ensure path exists. */
@@ -258,7 +292,7 @@ void CrashReport::SaveReport() {
 
 void CrashReport::SaveToFile(FILE *f_report) {
     char buf[0x10] = {0};
-    fprintf(f_report, "Atmosphère Crash Report (v1.1):\n");
+    fprintf(f_report, "Atmosphère Crash Report (v1.2):\n");
     fprintf(f_report, "Result:                          0x%X (2%03d-%04d)\n\n", this->result, R_MODULE(this->result), R_DESCRIPTION(this->result));
     
     /* Process Info. */

stratosphere/creport/source/creport_crash_report.hpp

@@ -61,6 +61,7 @@ class CrashReport {
         
     public:
         void BuildReport(u64 pid, bool has_extra_info);
+        FatalContext *GetFatalContext();
         void SaveReport();
         
         bool IsAddressReadable(u64 address, u64 size, MemoryInfo *mi = NULL);

stratosphere/creport/source/creport_main.cpp

@@ -132,7 +132,9 @@ int main(int argc, char **argv) {
             return 0;
         }
         
-        fatalWithType(g_Creport.GetResult(), FatalType_ErrorScreen);
+        FatalContext *ctx = g_Creport.GetFatalContext();
+        
+        fatalWithContext(g_Creport.GetResult(), FatalType_ErrorScreen, ctx);
     }
     
 }

stratosphere/creport/source/creport_thread_info.hpp

@@ -19,10 +19,11 @@
 #include <cstdio>
 
 #include "creport_debug_types.hpp"
-#include "creport_code_info.hpp"
+
+class CodeList;
 
 class ThreadInfo {
-    private:
+    public:
         ThreadContext context{};
         u64 thread_id = 0;
         u64 stack_top = 0;
@@ -31,9 +32,11 @@ class ThreadInfo {
         u32 stack_trace_size = 0;
         CodeList *code_list;
     public:        
-        u64 GetPC() { return context.pc.x; }
-        u64 GetLR() { return context.lr; }
-        u64 GetId() { return thread_id; }
+        u64 GetPC() const { return context.pc.x; }
+        u64 GetLR() const { return context.lr; }
+        u64 GetId() const { return thread_id; }
+        u32 GetStackTraceSize() const { return stack_trace_size; }
+        u64 GetStackTrace(u32 i) const { return stack_trace[i]; }
         
         bool ReadFromProcess(Handle debug_handle, u64 thread_id, bool is_64_bit);
         void SaveToFile(FILE *f_report);
@@ -48,7 +51,10 @@ class ThreadList {
         static const size_t max_thread_count = 0x60;
         u32 thread_count = 0;
         ThreadInfo thread_infos[max_thread_count];
-    public:      
+    public:
+        u32 GetThreadCount() const { return thread_count; }
+        const ThreadInfo *GetThreadInfo(u32 i) const { return &thread_infos[i]; }
+        
         void SaveToFile(FILE *f_report);
         void DumpBinary(FILE *f_bin, u64 crashed_id);
         void ReadThreadsFromProcess(Handle debug_handle, bool is_64_bit);

stratosphere/fatal/Makefile

@@ -0,0 +1,166 @@
+#---------------------------------------------------------------------------------
+.SUFFIXES:
+#---------------------------------------------------------------------------------
+
+ifeq ($(strip $(DEVKITPRO)),)
+$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>/devkitpro")
+endif
+
+TOPDIR ?= $(CURDIR)
+include $(DEVKITPRO)/libnx/switch_rules
+
+AMSBRANCH := $(shell git symbolic-ref --short HEAD)
+AMSREV := $(AMSBRANCH)-$(shell git rev-parse --short HEAD)
+
+ifneq (, $(strip $(shell git status --porcelain 2>/dev/null)))
+    AMSREV := $(AMSREV)-dirty
+endif
+
+#---------------------------------------------------------------------------------
+# TARGET is the name of the output
+# BUILD is the directory where object files & intermediate files will be placed
+# SOURCES is a list of directories containing source code
+# DATA is a list of directories containing data files
+# INCLUDES is a list of directories containing header files
+# EXEFS_SRC is the optional input directory containing data copied into exefs, if anything this normally should only contain "main.npdm".
+#---------------------------------------------------------------------------------
+TARGET		:=	$(notdir $(CURDIR))
+BUILD		:=	build
+SOURCES		:=	source
+DATA		:=	data
+INCLUDES	:=	include ../../common/include
+EXEFS_SRC	:=	exefs_src
+
+DEFINES	:=	-DDISABLE_IPC -DATMOSPHERE_GIT_BRANCH=\"$(AMSBRANCH)\" -DATMOSPHERE_GIT_REV=\"$(AMSREV)\"
+
+#---------------------------------------------------------------------------------
+# options for code generation
+#---------------------------------------------------------------------------------
+ARCH	:=	-march=armv8-a -mtune=cortex-a57 -mtp=soft -fPIE
+
+CFLAGS	:=	-g -Wall -O2 -ffunction-sections \
+			$(ARCH) $(DEFINES)
+
+CFLAGS	+=	$(INCLUDE) -D__SWITCH__ `freetype-config --cflags`
+
+CXXFLAGS	:= $(CFLAGS) -fno-rtti -fno-exceptions -std=gnu++17
+
+ASFLAGS	:=	-g $(ARCH)
+LDFLAGS	=	-specs=$(DEVKITPRO)/libnx/switch.specs -g $(ARCH) -Wl,-Map,$(notdir $*.map)
+
+LIBS	:= `freetype-config --libs` -lstratosphere -lnx
+
+#---------------------------------------------------------------------------------
+# list of directories containing libraries, this must be the top level containing
+# include and lib
+#---------------------------------------------------------------------------------
+LIBDIRS	:= $(PORTLIBS) $(LIBNX) $(CURDIR)/../libstratosphere
+
+
+#---------------------------------------------------------------------------------
+# no real need to edit anything past this point unless you need to add additional
+# rules for different file extensions
+#---------------------------------------------------------------------------------
+ifneq ($(BUILD),$(notdir $(CURDIR)))
+#---------------------------------------------------------------------------------
+
+export OUTPUT	:=	$(CURDIR)/$(TARGET)
+export TOPDIR	:=	$(CURDIR)
+
+export VPATH	:=	$(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
+			$(foreach dir,$(DATA),$(CURDIR)/$(dir))
+
+export DEPSDIR	:=	$(CURDIR)/$(BUILD)
+
+CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
+CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
+SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
+BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
+
+#---------------------------------------------------------------------------------
+# use CXX for linking C++ projects, CC for standard C
+#---------------------------------------------------------------------------------
+ifeq ($(strip $(CPPFILES)),)
+#---------------------------------------------------------------------------------
+	export LD	:=	$(CC)
+#---------------------------------------------------------------------------------
+else
+#---------------------------------------------------------------------------------
+	export LD	:=	$(CXX)
+#---------------------------------------------------------------------------------
+endif
+#---------------------------------------------------------------------------------
+
+export OFILES	:=	$(addsuffix .o,$(BINFILES)) \
+			$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
+
+export INCLUDE	:=	$(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
+			$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
+			-I$(CURDIR)/$(BUILD)
+
+export LIBPATHS	:=	$(foreach dir,$(LIBDIRS),-L$(dir)/lib)
+
+export BUILD_EXEFS_SRC := $(TOPDIR)/$(EXEFS_SRC)
+
+ifeq ($(strip $(CONFIG_JSON)),)
+	jsons := $(wildcard *.json)
+	ifneq (,$(findstring $(TARGET).json,$(jsons)))
+		export APP_JSON := $(TOPDIR)/$(TARGET).json
+	else
+		ifneq (,$(findstring config.json,$(jsons)))
+			export APP_JSON := $(TOPDIR)/config.json
+		endif
+	endif
+else
+	export APP_JSON := $(TOPDIR)/$(CONFIG_JSON)
+endif
+
+.PHONY: $(BUILD) clean all
+
+#---------------------------------------------------------------------------------
+all: $(BUILD)
+
+$(BUILD):
+	@[ -d $@ ] || mkdir -p $@
+	@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
+
+#---------------------------------------------------------------------------------
+clean:
+	@echo clean ...
+	@rm -fr $(BUILD) $(TARGET).nsp $(TARGET).npdm $(TARGET).nso $(TARGET).elf
+
+
+#---------------------------------------------------------------------------------
+else
+.PHONY:	all
+
+DEPENDS	:=	$(OFILES:.o=.d)
+
+#---------------------------------------------------------------------------------
+# main targets
+#---------------------------------------------------------------------------------
+all	:	$(OUTPUT).nsp
+
+ifeq ($(strip $(APP_JSON)),)
+$(OUTPUT).nsp	:	$(OUTPUT).nso
+else
+$(OUTPUT).nsp	:	$(OUTPUT).nso $(OUTPUT).npdm
+endif
+
+$(OUTPUT).nso	:	$(OUTPUT).elf
+
+$(OUTPUT).elf	:	$(OFILES)
+
+#---------------------------------------------------------------------------------
+# you need a rule like this for each extension you use as binary data
+#---------------------------------------------------------------------------------
+%.bin.o	:	%.bin
+#---------------------------------------------------------------------------------
+	@echo $(notdir $<)
+	@$(bin2o)
+
+-include $(DEPENDS)
+
+#---------------------------------------------------------------------------------------
+endif
+#---------------------------------------------------------------------------------------

stratosphere/fatal/fatal.json

@@ -0,0 +1,96 @@
+{
+	"name":	"fatal",
+	"title_id":	"0x0100000000000034",
+	"title_id_range_min":	"0x0100000000000034",
+	"title_id_range_max":	"0x0100000000000034",
+	"main_thread_stack_size":	"0x00010000",
+	"main_thread_priority":	15,
+	"default_cpu_id":	3,
+	"process_category":	0,
+	"is_retail":	true,
+	"pool_partition":	2,
+	"is_64_bit":	true,
+	"address_space_type":	1,
+	"filesystem_access":	{
+		"permissions":	"0xFFFFFFFFFFFFFFFF"
+	},
+	"service_access":	["bpc", "bpc:c", "erpt:c", "fsp-srv", "gpio", "i2c", "lbl", "lm", "nvdrv:s", "pcv", "pl:u", "pm:info", "psm", "set", "set:sys", "spsm", "vi:m", "vi:s"],
+	"service_host":	["fatal:p", "fatal:u", "time:s"],
+	"kernel_capabilities":	[{
+			"type":	"kernel_flags",
+			"value":	{
+				"highest_thread_priority":	63,
+				"lowest_thread_priority":	12,
+				"lowest_cpu_id":	0,
+				"highest_cpu_id":	3
+			}
+		}, {
+			"type":	"syscalls",
+			"value":	{
+				"svcSetHeapSize":	"0x01",
+				"svcSetMemoryPermission":	"0x02",
+				"svcSetMemoryAttribute":	"0x03",
+				"svcMapMemory":	"0x04",
+				"svcUnmapMemory":	"0x05",
+				"svcQueryMemory":	"0x06",
+				"svcExitProcess":	"0x07",
+				"svcCreateThread":	"0x08",
+				"svcStartThread":	"0x09",
+				"svcExitThread":	"0x0a",
+				"svcSleepThread":	"0x0b",
+				"svcGetThreadPriority":	"0x0c",
+				"svcSetThreadPriority":	"0x0d",
+				"svcGetThreadCoreMask":	"0x0e",
+				"svcSetThreadCoreMask":	"0x0f",
+				"svcGetCurrentProcessorNumber":	"0x10",
+				"svcSignalEvent":	"0x11",
+				"svcClearEvent":	"0x12",
+				"svcMapSharedMemory":	"0x13",
+				"svcUnmapSharedMemory":	"0x14",
+				"svcCreateTransferMemory":	"0x15",
+				"svcCloseHandle":	"0x16",
+				"svcResetSignal":	"0x17",
+				"svcWaitSynchronization":	"0x18",
+				"svcCancelSynchronization":	"0x19",
+				"svcArbitrateLock":	"0x1a",
+				"svcArbitrateUnlock":	"0x1b",
+				"svcWaitProcessWideKeyAtomic":	"0x1c",
+				"svcSignalProcessWideKey":	"0x1d",
+				"svcGetSystemTick":	"0x1e",
+				"svcConnectToNamedPort":	"0x1f",
+				"svcSendSyncRequestLight":	"0x20",
+				"svcSendSyncRequest":	"0x21",
+				"svcSendSyncRequestWithUserBuffer":	"0x22",
+				"svcSendAsyncRequestWithUserBuffer":	"0x23",
+				"svcGetProcessId":	"0x24",
+				"svcGetThreadId":	"0x25",
+				"svcBreak":	"0x26",
+				"svcOutputDebugString":	"0x27",
+				"svcReturnFromException":	"0x28",
+				"svcGetInfo":	"0x29",
+				"svcWaitForAddress":	"0x34",
+				"svcSignalToAddress":	"0x35",
+				"svcCreateSession":	"0x40",
+				"svcAcceptSession":	"0x41",
+				"svcReplyAndReceiveLight":	"0x42",
+				"svcReplyAndReceive":	"0x43",
+				"svcReplyAndReceiveWithUserBuffer":	"0x44",
+				"svcCreateEvent":	"0x45",
+				"svcReadWriteRegister":	"0x4E",
+                "svcDebugActiveProcess": "0x60",
+                "svcGetDebugEvent": "0x63",
+                "svcGetThreadList": "0x66",
+                "svcGetDebugThreadContext": "0x67",
+                "svcQueryDebugProcessMemory": "0x69",
+                "svcReadDebugProcessMemory": "0x6a",
+                "svcGetDebugThreadParam": "0x6d",
+                "svcCallSecureMonitor": "0x7f"
+			}
+		}, {
+			"type":	"min_kernel_version",
+			"value":	"0x0030"
+		}, {
+			"type":	"handle_table_size",
+			"value":	128
+		}]
+}

stratosphere/fatal/source/fatal_config.cpp

@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#include <switch.h>
+#include "fatal_types.hpp"
+#include "fatal_config.hpp"
+
+static FatalConfig g_fatal_config;
+
+static IEvent *g_fatal_settings_event = nullptr;
+
+FatalConfig *GetFatalConfig() {
+    return &g_fatal_config;
+}
+
+static void UpdateLanguageCode() {
+    setGetLanguageCode(&GetFatalConfig()->language_code);
+}
+
+IEvent *GetFatalSettingsEvent() {
+    if (g_fatal_settings_event == nullptr) {
+        Event evt;
+        if (R_FAILED(setsysBindFatalDirtyFlagEvent(&evt))) {
+            std::abort();
+        }
+        g_fatal_settings_event = LoadReadOnlySystemEvent(evt.revent, [](u64 timeout) {
+            u64 flags_0, flags_1;
+            if (R_SUCCEEDED(setsysGetFatalDirtyFlags(&flags_0, &flags_1)) && (flags_0 & 1)) { 
+                UpdateLanguageCode();
+            }
+            return 0;
+        }, true);
+    }
+    
+    return g_fatal_settings_event;
+}
+
+static void SetupConfigLanguages() {
+    FatalConfig *config = GetFatalConfig();
+    
+    /* Defaults. */
+    config->error_msg   = u8"Error Code: 2%03d-%04d (0x%x)\n";
+    
+    if (config->quest_flag) {
+        config->error_desc = u8"Please call 1-800-875-1852 for service.\n";
+    } else {
+        config->error_desc = u8"An error has occured.\n\n"
+                             u8"Please press the POWER Button to restart the console, or a VOL button\n"
+                             u8"to restart the console in RCM mode. If you are unable to restart the\n"
+                             u8"console, hold the POWER Button for 12 seconds to turn the console off.\n\n"
+                             u8"If the problem persists, refer to the Nintendo Support Website.\n"
+                             u8"support.nintendo.com/switch/error\n";
+    }
+    
+    /* TODO: Try to load dynamically. */
+    /* FsStorage message_storage; */
+    /* TODO: if (R_SUCCEEDED(fsOpenDataStorageByDataId(0x010000000000081D, "fatal_msg"))) { ... } */
+}
+
+void InitializeFatalConfig() {
+    FatalConfig *config = GetFatalConfig();
+    
+    memset(config, 0, sizeof(*config));
+    setsysGetSerialNumber(config->serial_number);
+    setsysGetFirmwareVersion(&config->firmware_version);
+    UpdateLanguageCode();
+    
+    setsysGetSettingsItemValue("fatal", "transition_to_fatal", &config->transition_to_fatal, sizeof(config->transition_to_fatal));
+    setsysGetSettingsItemValue("fatal", "show_extra_info", &config->show_extra_info, sizeof(config->show_extra_info));
+    setsysGetSettingsItemValue("fatal", "quest_reboot_interval_second", &config->quest_reboot_interval_second, sizeof(config->quest_reboot_interval_second));
+    
+    setsysGetFlag(SetSysFlag_Quest, &config->quest_flag);
+    
+    SetupConfigLanguages();
+}

stratosphere/fatal/source/fatal_config.hpp

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#pragma once
+#include <switch.h>
+#include <stratosphere.hpp>
+
+struct FatalConfig {
+    char serial_number[0x18];
+    SetSysFirmwareVersion firmware_version;
+    u64 language_code;
+    u64 quest_reboot_interval_second;
+    bool transition_to_fatal;
+    bool show_extra_info;
+    bool quest_flag;
+    const char *error_msg;
+    const char *error_desc;
+    const char *quest_desc;
+};
+
+IEvent *GetFatalSettingsEvent();
+FatalConfig *GetFatalConfig();
+
+void InitializeFatalConfig();

stratosphere/fatal/source/fatal_debug.cpp

@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#include <map>
+#include <switch.h>
+#include "fatal_debug.hpp"
+#include "fatal_config.hpp"
+
+static bool IsAddressReadable(Handle debug_handle, u64 address, u64 size, MemoryInfo *o_mi) {
+    MemoryInfo mi;
+    u32 pi;
+    
+    if (o_mi == NULL) {
+        o_mi = &mi;
+    }
+    
+    if (R_FAILED(svcQueryDebugProcessMemory(o_mi, &pi, debug_handle, address))) {
+        return false;
+    }
+    
+    /* Must be readable */
+    if ((o_mi->perm & Perm_R) != Perm_R) {
+        return false;
+    }
+    
+    /* Must have space for both userdata address and userdata size. */
+    if (address < o_mi->addr || o_mi->addr + o_mi->size < address + size) {
+        return false;
+    }
+
+    return true;
+}
+
+static bool CheckThreadIsFatalCaller(FatalThrowContext *ctx, u64 debug_handle, u64 thread_id, u64 thread_tls_addr, ThreadContext *thread_ctx) {
+    /* Verify that the thread is running or waiting. */
+    {
+        u64 _;
+        u32 thread_state;
+        if (R_FAILED(svcGetDebugThreadParam(&_, &thread_state, debug_handle, thread_id, DebugThreadParam_State))) {
+            return false;
+        }
+        
+        if (thread_state > 1) {
+            return false;
+        }
+    }
+        
+    /* Get the thread context. */
+    if (R_FAILED(svcGetDebugThreadContext(thread_ctx, debug_handle, thread_id, 0xF))) {
+        return false;
+    }
+    
+    /* Check if PC is readable. */
+    if (!IsAddressReadable(debug_handle, thread_ctx->pc.x, sizeof(u32), NULL)) {
+        return false;
+    }
+    
+    /* Try to read the current instruction. */
+    u32 insn;
+    if (R_FAILED(svcReadDebugProcessMemory(&insn, debug_handle, thread_ctx->pc.x, sizeof(insn)))) {
+        return false;
+    }
+    
+    /* If the instruction isn't svcSendSyncRequest, it's not the fatal caller. */
+    if (insn != 0xD4000421) {
+        return false;
+    }
+    
+    /* The fatal caller will have readable tls. */
+    if (!IsAddressReadable(debug_handle, thread_tls_addr, 0x100, NULL)) {
+        return false;
+    }
+    
+    /* Read in the fatal caller's tls. */
+    u8 thread_tls[0x100];
+    if (R_FAILED(svcReadDebugProcessMemory(thread_tls, debug_handle, thread_tls_addr, sizeof(thread_tls)))) {
+        return false;
+    }
+    
+    /* Replace our tls with the fatal caller's. */
+    std::memcpy(armGetTls(), thread_tls, sizeof(thread_tls));
+    
+    /* Parse the command that the thread sent. */
+    {
+        IpcParsedCommand r;
+        if (R_FAILED(ipcParse(&r))) {
+            return false;
+        }
+        
+        /* Fatal command takes in a PID, only one buffer max. */
+        if (!r.HasPid || r.NumStatics || r.NumStaticsOut || r.NumHandles) {
+            return false;
+        }
+        
+        struct {
+            u32 magic;
+            u32 version;
+            u64 cmd_id;
+            u32 err_code;
+        } *raw = (decltype(raw))(r.Raw);
+        
+        if (raw->magic != SFCI_MAGIC) {
+            return false;
+        }
+        
+        if (raw->cmd_id > 2) {
+            return false;
+        }
+        
+        if (raw->cmd_id != 2 && r.NumBuffers) {
+            return false;
+        }
+        
+        if (raw->err_code != ctx->error_code) {
+            return false;
+        }
+    }
+    
+    /* We found our caller. */
+    return true;
+}
+
+void TryCollectDebugInformation(FatalThrowContext *ctx, u64 pid) {
+    Handle debug_handle;
+    if (R_SUCCEEDED(svcDebugActiveProcess(&debug_handle, pid))) {
+        /* Ensure we close the debugged process. */
+        ON_SCOPE_EXIT { svcCloseHandle(debug_handle); };
+        
+        /* First things first, check if process is 64 bits, and get list of thread infos. */
+        std::unordered_map<u64, u64> thread_id_to_tls;
+        {
+            bool got_attach_process = false;
+            DebugEventInfo d;
+            while (R_SUCCEEDED(svcGetDebugEvent((u8 *)&d, debug_handle))) {
+                if (d.type == DebugEventType::AttachProcess) {
+                    ctx->cpu_ctx.is_aarch32 = (d.info.attach_process.flags & 1) == 0;
+                    memcpy(ctx->proc_name, d.info.attach_process.name, sizeof(d.info.attach_process.name));
+                    got_attach_process = true;
+                } else if (d.type == DebugEventType::AttachThread) {
+                    thread_id_to_tls[d.info.attach_thread.thread_id] = d.info.attach_thread.tls_address;
+                }
+            }
+            
+            if (!got_attach_process) {
+                return;
+            }
+        }
+        
+        /* TODO: Try to collect information on 32-bit fatals. This shouldn't really matter for any real use case. */
+        if (ctx->cpu_ctx.is_aarch32) {
+            return;
+        }
+        
+        /* Welcome to hell. */
+        bool found_fatal_caller = false;
+        u64 thread_id = 0;
+        ThreadContext thread_ctx;
+        {
+            /* We start by trying to get a list of threads. */
+            u32 thread_count;
+            u64 thread_ids[0x60];
+            if (R_FAILED(svcGetThreadList(&thread_count, thread_ids, 0x60, debug_handle))) {
+                return;
+            }
+            
+            /* We need to locate the thread that's called fatal. */
+            for (u32 i = 0; i < thread_count; i++) {
+                const u64 cur_thread_id = thread_ids[i];
+                if (thread_id_to_tls.find(cur_thread_id) == thread_id_to_tls.end()) {
+                    continue;
+                }
+                
+                if (CheckThreadIsFatalCaller(ctx, debug_handle, cur_thread_id, thread_id_to_tls[cur_thread_id], &thread_ctx)) {
+                    thread_id = cur_thread_id;
+                    found_fatal_caller = true;
+                    break;
+                }
+            }
+            if (!found_fatal_caller) {
+                return;
+            }
+        }
+        if (R_FAILED(svcGetDebugThreadContext(&thread_ctx, debug_handle, thread_id, 0xF))) {
+            return;
+        }
+        
+        /* So we found our caller. */
+        for (u32 i = 0; i < 29; i++) {
+            /* GetDebugThreadContext won't give us any of these registers, because thread is in SVC :( */
+            ctx->has_gprs[i] = false;
+        }
+        for (u32 i = 29; i < NumAarch64Gprs; i++) {
+            ctx->has_gprs[i] = true;
+        }
+        ctx->cpu_ctx.aarch64_ctx.fp = thread_ctx.fp;
+        ctx->cpu_ctx.aarch64_ctx.lr = thread_ctx.lr;
+        ctx->cpu_ctx.aarch64_ctx.sp = thread_ctx.sp;
+        ctx->cpu_ctx.aarch64_ctx.pc = thread_ctx.pc.x;
+        
+
+        /* Parse a stack trace. */
+        u64 cur_fp = thread_ctx.fp;
+        for (unsigned int i = 0; i < sizeof(ctx->cpu_ctx.aarch64_ctx.stack_trace)/sizeof(u64); i++) {
+            /* Validate the current frame. */
+            if (cur_fp == 0 || (cur_fp & 0xF)) {
+                break;
+            }
+            
+            /* Read a new frame. */
+            StackFrame cur_frame;
+            if (R_FAILED(svcReadDebugProcessMemory(&cur_frame, debug_handle, cur_fp, sizeof(StackFrame)))) {
+                break;
+            }
+            
+            /* Advance to the next frame. */
+            ctx->cpu_ctx.aarch64_ctx.stack_trace[ctx->cpu_ctx.aarch64_ctx.stack_trace_size++] = cur_frame.lr;
+            cur_fp = cur_frame.fp;
+        }
+        
+        /* Try to read up to 0x100 of stack. */
+        for (size_t sz = 0x100; sz > 0; sz -= 0x10) {
+            if (IsAddressReadable(debug_handle, ctx->cpu_ctx.aarch64_ctx.sp, sz, nullptr)) {
+                if (R_SUCCEEDED(svcReadDebugProcessMemory(ctx->stack_dump, debug_handle, ctx->cpu_ctx.aarch64_ctx.sp, sz))) {
+                    ctx->stack_dump_size = sz;
+                }
+                break;
+            }
+        }
+        
+        /* Parse the starting address. */
+        {
+            u64 guess = thread_ctx.pc.x;
+            MemoryInfo mi;
+            u32 pi;
+            if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess)) || mi.perm != Perm_Rx) {
+                return;
+            }
+            
+            /* Iterate backwards until we find the memory before the code region. */
+            while (mi.addr > 0) {
+                if (R_FAILED(svcQueryDebugProcessMemory(&mi, &pi, debug_handle, guess))) {
+                    return;
+                }
+                
+                if (mi.type == MemType_Unmapped) {
+                    /* Code region will be at the end of the unmapped region preceding it. */
+                    ctx->cpu_ctx.aarch64_ctx.start_address = mi.addr + mi.size;
+                    break;
+                }
+                
+                guess -= 4;
+            }
+        }
+    }
+}

stratosphere/fatal/source/fatal_debug.hpp

@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#pragma once
+#include <switch.h>
+#include <stratosphere.hpp>
+
+#include "fatal_types.hpp"
+
+void TryCollectDebugInformation(FatalThrowContext *ctx, u64 pid);
+
+struct StackFrame {
+    u64 fp;
+    u64 lr;
+};
+
+struct AttachProcessInfo {
+    u64 title_id;
+    u64 process_id;
+    char name[0xC];
+    u32 flags;
+    u64 user_exception_context_address; /* 5.0.0+ */
+};
+
+struct AttachThreadInfo {
+    u64 thread_id;
+    u64 tls_address;
+    u64 entrypoint;
+};
+
+/* TODO: ExitProcessInfo */
+/* TODO: ExitThreadInfo */
+
+enum class DebugExceptionType : u32 {
+    UndefinedInstruction = 0,
+    InstructionAbort = 1,
+    DataAbort = 2,
+    AlignmentFault = 3,
+    DebuggerAttached = 4,
+    BreakPoint = 5,
+    UserBreak = 6,
+    DebuggerBreak = 7,
+    BadSvc = 8,
+    UnknownNine = 9,
+};
+
+static inline const char *GetDebugExceptionTypeStr(DebugExceptionType type) {
+    switch (type) {
+        case DebugExceptionType::UndefinedInstruction:
+            return "Undefined Instruction";
+        case DebugExceptionType::InstructionAbort:
+            return "Instruction Abort";
+        case DebugExceptionType::DataAbort:
+            return "Data Abort";
+        case DebugExceptionType::AlignmentFault:
+            return "Alignment Fault";
+        case DebugExceptionType::DebuggerAttached:
+            return "Debugger Attached";
+        case DebugExceptionType::BreakPoint:
+            return "Break Point";
+        case DebugExceptionType::UserBreak:
+            return "User Break";
+        case DebugExceptionType::DebuggerBreak:
+            return "Debugger Break";
+        case DebugExceptionType::BadSvc:
+            return "Bad Svc";
+        case DebugExceptionType::UnknownNine:
+            return "Unknown Nine";
+        default:
+            return "Unknown";
+    }
+}
+
+struct UndefinedInstructionInfo {
+    u32 insn;
+};
+
+struct DataAbortInfo {
+    u64 address;
+};
+
+struct AlignmentFaultInfo {
+    u64 address;
+};
+
+struct UserBreakInfo {
+    u64 break_reason;
+    u64 address;
+    u64 size;
+};
+
+struct BadSvcInfo {
+    u32 id;
+};
+
+union SpecificExceptionInfo {
+    UndefinedInstructionInfo undefined_instruction;
+    DataAbortInfo data_abort;
+    AlignmentFaultInfo alignment_fault;
+    UserBreakInfo user_break;
+    BadSvcInfo bad_svc;
+    u64 raw;
+};
+
+struct ExceptionInfo {
+    DebugExceptionType type;
+    u64 address;
+    SpecificExceptionInfo specific;
+};
+
+
+enum class DebugEventType : u32 {
+    AttachProcess = 0,
+    AttachThread = 1,
+    ExitProcess = 2,
+    ExitThread = 3,
+    Exception = 4
+};
+
+union DebugInfo {
+    AttachProcessInfo attach_process;
+    AttachThreadInfo attach_thread;
+    ExceptionInfo exception;
+};
+
+struct DebugEventInfo {
+    DebugEventType type;
+    u32 flags;
+    u64 thread_id;
+    union {
+        DebugInfo info;
+        u64 _[0x40/sizeof(u64)];
+    };
+};
+
+static_assert(sizeof(DebugEventInfo) >= 0x50, "Incorrect DebugEventInfo definition!");

stratosphere/fatal/source/fatal_event_manager.cpp

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#include <switch.h>
+#include "fatal_types.hpp"
+#include "fatal_event_manager.hpp"
+
+static FatalEventManager g_event_manager;
+
+FatalEventManager *GetEventManager() {
+    return &g_event_manager;
+}
+
+FatalEventManager::FatalEventManager() {
+    /* Just create all the events. */
+    for (size_t i = 0; i < FatalEventManager::NumFatalEvents; i++) {
+        if (R_FAILED(eventCreate(&this->events[i], true))) {
+            std::abort();
+        }
+    }
+}
+
+Result FatalEventManager::GetEvent(Handle *out) {
+    std::scoped_lock<HosMutex> lk{this->lock};
+    
+    /* Only allow GetEvent to succeed NumFatalEvents times. */
+    if (this->events_gotten >= FatalEventManager::NumFatalEvents) {
+        return FatalResult_TooManyEvents;
+    }
+    
+    *out = this->events[this->events_gotten++].revent;
+    return 0;
+}
+
+void FatalEventManager::SignalEvents() {
+    for (size_t i = 0; i < FatalEventManager::NumFatalEvents; i++) {
+        eventFire(&this->events[i]);
+    }
+}

stratosphere/fatal/source/fatal_event_manager.hpp

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2018 Atmosphère-NX
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#pragma once
+#include <switch.h>
+#include <stratosphere.hpp>
+
+class FatalEventManager {
+    private:
+        static constexpr size_t NumFatalEvents = 3;
+        
+        HosMutex lock;
+        size_t events_gotten = 0;
+        Event events[NumFatalEvents];
+    public:
+        FatalEventManager();
+        Result GetEvent(Handle *out);
+        void SignalEvents();
+};
+
+FatalEventManager *GetEventManager();