It seems that the Raspberry Pi 4 has a revision of the Videocore "GPU" that has instructions that either have encodings that are broken according to the docs (0xCEC004BC starts off like a control register access, but where it should be 1100 1100 for the first byte, it's 1100 1110 -- this is 22 bytes into the text-section of "start4x.elf"...)
There are also some others - such as 0x0010 at 8 bytes into the same file and section, which falls into the gap from the 0x0005 of RTI and the 0x01C0 start of SWI with register...
Any suggestions on how to figure out what these actually do - or if there is some kind of setup or encryption being done on the instruction stream from elsewhere in the binary?
Yes, Raspberry Pi 4 has a revision of the VideoCore "GPU", but it is different from revision 4 presented here. Raspberry Pi 1-3 use revision 4, while Raspberry Pi 4 uses a chip with revision 6.
Potentially, but I was approaching this run at disassembling the code as if the start of .text was where execution started, but it seems there is a separate section where execution starts in the Pi4 firmware. I've not yet looked at that (I've once more run out of free time) but I'm thinking there might be a small amount of obfuscation going on.