Slot1launch: Fix DSi CPU clock setting and fix reading ARM9i secure area (#2596)

* slot1launch: Fix DSi CPU clock setting

* slot1launch: Fix reading ARM9i secure area

Author: Lorenzooone

compile_docker.sh

@@ -22,6 +22,8 @@ INCLUDES	:=	build source $(UNIVERSAL)/include
 #INCLUDES		:=	build source $(UNIVERSAL)/include $(DSIMODE_FULL_SOURCES)
 DATA		:=	../data
 SPECS		:=  specs
+CARDENGINE_BIN := cardengine_arm7.bin
+#CARDENGINE_BIN := 
 
 #---------------------------------------------------------------------------------
 # options for code generation
@@ -69,7 +71,7 @@ export OBJCOPY	:=	$(PREFIX)objcopy
 CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
 CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
 SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
-BINFILES	:=	cardengine_arm7.bin
+BINFILES	:=	$(CARDENGINE_BIN)
 
 export OFILES	:=	$(addsuffix .o,$(BINFILES)) $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
 

slot1launch/bootloader/Makefile

@@ -22,6 +22,10 @@
 #include <nds/dma.h>
 #include <stdlib.h>
 
+// Enable compiling support for launching games in DSi mode.
+// For now, requires removing the cardengine...
+//#define FULL_DSI_MODE_ENABLED
+
 #define resetCpu() \
 		__asm volatile("swi 0x000000")
 
@@ -59,6 +63,7 @@ extern tNDSHeader* ndsHeader;
 extern bool dsiModeConfirmed;
 extern bool arm9_boostVram;
 extern bool arm9_scfgUnlock;
+extern bool arm9_twlClock;
 extern bool arm9_extendedMemory;
 extern bool arm9_isSdk5;
 extern volatile int arm9_stateFlag;

slot1launch/bootloader/source/common.h

@@ -52,24 +52,27 @@
 
 #define REG_GPIO_WIFI *(vu16*)0x4004C04
 
-//#define FULL_DSI_MODE_ENABLED
-
 #include "common.h"
 #include "dmaTwl.h"
 #include "common/tonccpy.h"
 #include "read_card.h"
 #include "module_params.h"
-#include "cardengine_arm7_bin.h"
 #include "hook.h"
 #include "find.h"
 
 #ifdef FULL_DSI_MODE_ENABLED
+// Needed due to size
+#define SKIP_CARDENGINE_ARM7
 #include "gm9i/crypto.h"
 #include "gm9i/f_xy.h"
 #include "twltool/dsi.h"
 #include "u128_math.h"
 #endif
 
+#ifndef SKIP_CARDENGINE_ARM7
+#include "cardengine_arm7_bin.h"
+#endif
+
 extern bool __dsimode;
 extern u32 dsiMode;
 extern u32 language;
@@ -1061,14 +1064,14 @@ void arm7_main (void) {
 
 			REG_GPIO_WIFI |= BIT(8);	// Old NDS-Wifi mode
 
-			if (twlClock) {
-				REG_SCFG_CLK = 0x0181;
-			} else {
-				REG_SCFG_CLK = 0x0180;
-			}
 			if (!sdAccess) {
+				REG_SCFG_CLK = 0x0180;
 				REG_SCFG_EXT = 0x93FBFB06;
 			}
+			else {
+				REG_SCFG_CLK = 0x0181;
+			}
+
 			// Used by ARM7 binaries to determine DSi mode...
 			toncset((u8*)0x0380FFC0, 0, 0x10);
 		}
@@ -1096,6 +1099,7 @@ void arm7_main (void) {
 		runCardEngine = false;
 	}
 
+	#ifndef SKIP_CARDENGINE_ARM7
 	if (runCardEngine) {
 		// WRAM-A mapped to the 0x37C0000 - 0x37FFFFF area : 256k
 		REG_MBK6=0x080037C0;
@@ -1118,12 +1122,14 @@ void arm7_main (void) {
 			}
 		}
 	}
+	#endif
 	toncset ((void*)0x023F0000, 0, 0x8000);		// Clear cheat data from main memory
 
 	//debugOutput (ERR_STS_START);
 
 	arm9_boostVram = boostVram;
 	arm9_scfgUnlock = scfgUnlock;
+	arm9_twlClock = twlClock;
 	arm9_isSdk5 = isSdk5(moduleParams);
 	arm9_runCardEngine = runCardEngine;
 

slot1launch/bootloader/source/main.arm7.c

@@ -49,6 +49,7 @@ bool arm9_runCardEngine = false;
 bool dsiModeConfirmed = false;
 bool arm9_boostVram = false;
 bool arm9_scfgUnlock = false;
+bool arm9_twlClock = false;
 bool arm9_extendedMemory = false;
 bool arm9_isSdk5 = false;
 
@@ -61,6 +62,7 @@ volatile u32 arm9_BLANK_RAM = 0;
 External functions
 --------------------------------------------------------------------------*/
 extern void arm9_clearCache (void);
+extern void arm9_write_to_scfg_clk(uint16_t);
 
 
 void initMBKARM9() {
@@ -300,13 +302,25 @@ void __attribute__((target("arm"))) arm9_main (void) {
 					initMBKARM9_dsiMode();
 				}
 				REG_SCFG_EXT = 0x8307F100;
-				REG_SCFG_CLK = 0x87;
+				// bit 7 is read only in reality...
+				if(arm9_twlClock)
+					arm9_write_to_scfg_clk(0x87);
+				else
+					arm9_write_to_scfg_clk(0x86);
 				REG_SCFG_RST = 1;
 			} else {
 				REG_SCFG_EXT = (arm9_extendedMemory ? 0x8300C000 : 0x83000000);
 				if (arm9_boostVram) {
 					REG_SCFG_EXT |= BIT(13);	// Extended VRAM Access
 				}
+				// TODO: For now, not enabled to avoid breaking
+				// certain DSi games...
+				#ifdef FULL_DSI_MODE_ENABLED
+				if(arm9_twlClock)
+					arm9_write_to_scfg_clk(0x01);
+				else
+					arm9_write_to_scfg_clk(0x00);
+				#endif
 				if (!arm9_scfgUnlock) {
 					// lock SCFG
 					REG_SCFG_EXT &= ~(1UL << 31);

slot1launch/bootloader/source/main.arm9.c

@@ -85,7 +85,11 @@ typedef struct {
 	u32 romSize;				//!< total size of the ROM.
 
 	u32 headerSize;				//!< ROM header size.
-	u32 zeros88[14];
+	u32 arm9_param_table_offset;
+	u32 arm7_param_table_offset;
+	u16 ntr_rom_region_end;
+	u16 twl_rom_region_start;
+	u32 zeros94[11];
 	u8 gbaLogo[156];			//!< Nintendo logo needed for booting the game.
 	u16 logoCRC16;				//!< Nintendo Logo Checksum, CRC-16.
 	u16 headerCRC16;			//!< header checksum, CRC-16.

slot1launch/bootloader/source/ndsheaderbanner.h

@@ -28,6 +28,9 @@
 #include "encryption.h"
 #include "common.h"
 
+#define TWL_BLOWFISH_TABLE_SIZE 0x3000
+#define SINGLE_ROM_REGION_SIZE 0x80000
+
 typedef union
 {
 	char title[4];
@@ -427,13 +430,18 @@ void cardRead (u32 src, u32* dest, size_t size)
 		src += readSize;
 		dest += readSize/sizeof(*dest);
 		size -= readSize;
-	} else if ((ndsHeader->unitCode != 0) && (src >= ndsHeader->arm9iromOffset) && (src < ndsHeader->arm9iromOffset+CARD_SECURE_AREA_SIZE)) {
-		// Read data from secure area
-		readSize = src + size < (ndsHeader->arm9iromOffset+CARD_SECURE_AREA_SIZE) ? size : (ndsHeader->arm9iromOffset+CARD_SECURE_AREA_SIZE) - src;
-		tonccpy (dest, (u8*)secureArea + src - ndsHeader->arm9iromOffset, readSize);
-		src += readSize;
-		dest += readSize/sizeof(*dest);
-		size -= readSize;
+	} else if (ndsHeader->unitCode != 0) {
+		size_t twl_rom_region_start = 0;
+		if(ndsHeader->twl_rom_region_start != 0)
+			twl_rom_region_start = (ndsHeader->twl_rom_region_start * SINGLE_ROM_REGION_SIZE) + TWL_BLOWFISH_TABLE_SIZE;
+		if((twl_rom_region_start != 0) && (src >= twl_rom_region_start) && (src < twl_rom_region_start + CARD_SECURE_AREA_SIZE)) {
+			// Read data from secure area
+			readSize = src + size < (twl_rom_region_start+CARD_SECURE_AREA_SIZE) ? size : (twl_rom_region_start+CARD_SECURE_AREA_SIZE) - src;
+			tonccpy (dest, (u8*)secureArea + src - twl_rom_region_start, readSize);
+			src += readSize;
+			dest += readSize/sizeof(*dest);
+			size -= readSize;
+		}
 	}
 
 	while (size > 0) {

slot1launch/bootloader/source/read_card.c

@@ -0,0 +1,78 @@
+#include <nds/asminc.h>
+
+#define ITCM_foo_base 0x00000004
+
+.align	4
+.arm
+
+@ Writes a new value to the ARM9 SCFG_CLK.
+@ Must be called from ITCM.
+@ Must wait 8 clock cycles after changing the value before returning.
+@ https://problemkaputt.de/gbatek.htm#dsicontrolregistersscfg
+@ Not what I experimentally observed, but better safe than sorry...
+@ void _arm9_write_to_scfg_clk(uint16_t new_val);
+BEGIN_ASM_FUNC _arm9_write_to_scfg_clk
+	mov r1, #0x04000000
+	add r1, #0x4000
+	strh r0,[r1, #4]
+	@ Wait 8 clock cycles... Could be done in a better way.
+	mov r0, #8
+	wait_loop:
+	subs r0, r0, #1
+	bne wait_loop
+	bx lr
+
+_arm9_write_to_scfg_clk_end:
+
+bx_r1_caller:
+	bx r1
+
+@ Writes a new value to the ARM9 SCFG_CLK.
+@ Copies the right function to ITCM and calls it.
+@ void arm9_write_to_scfg_clk(uint16_t new_val);
+BEGIN_ASM_FUNC arm9_write_to_scfg_clk
+	push {r4, lr}
+
+	mrc p15, 0, r3, c1, c0, 0		@ Store current Control Register
+	push {r3}
+	ldr r2,=#0x00041000				@ Enable ITCM back
+	orr r3, r3, r2
+	mvn r2, #1						@ Disabe MMU/PU
+	and r3, r3, r2
+	mcr p15, 0, r3, c1, c0, 0		@ Update Control Register
+
+	mov r3, #3
+	mcr p15, 0, r3, c5, c0, 3		@ Enable RW IAccess
+
+	mov r1, #ITCM_foo_base			@ ITCM foo_base
+	ldr r2,=_arm9_write_to_scfg_clk
+	ldr r3,=_arm9_write_to_scfg_clk_end-_arm9_write_to_scfg_clk
+	itcm_copy_loop:
+	ldr r4,[r2, #0]
+	str r4,[r1, #0]
+	add r1, #4
+	add r2, #4
+	subs r3, r3, #4
+	bne itcm_copy_loop
+	mov r1, #ITCM_foo_base			@ ITCM foo_base
+	@ Call _arm9_write_to_scfg_clk
+	bl bx_r1_caller
+
+	@ Clear back the ITCM
+	mov r0, #0
+	mov r1, #0x00000000				@ ITCM
+	ldr r3,=#0x00008000				@ Wipe ITCM back
+	itcm_clear_loop:
+	str r0,[r1, #0]
+	add r1, #4
+	subs r3, r3, #4
+	bne itcm_clear_loop
+
+	mov r3, #0                  
+	mcr p15, 0, r3, c7, c5, 0		@ Flush ICache
+	mcr p15, 0, r3, c5, c0, 3		@ Disable IAccess
+
+	pop {r3}
+	mcr p15, 0, r3, c1, c0, 0		@ Restore old Control Register
+
+	pop {r4, pc}