FastRPC资料汇总

发布时间 2023-05-07 22:09:42作者: sinferwu

 

DEF CON Safe Mode - Slava Makkaveev - Pwn2Own Qualcomm compute DSP for fun and profit.pdf

 

https://github.com/raspberrypi/linux/blob/stable/drivers/misc/fastrpc.c

 

external_fastrpc/fastrpc_apps_user.c at 556fa85d14bfdac3c211e27cec9b975f9efb50c6 · Evolution-X/external_fastrpc (github.com)

 

vendor_qcom_proprietary/remote.h at master · TTTT55/vendor_qcom_proprietary · GitHub

 

// https://github.com/TTTT55/vendor_qcom_proprietary/blob/00578532a2e2e308ebcf26cf3b7c0c89b4f4cf02/prebuilt_HY11/target/product/msm8953_32/obj/include/fastrpc/inc/remote.h#L29

// Integer handle types for the remote (FastRPC) interface. remote_handle is the
// 32-bit form; remote_handle64 is the 64-bit form that the stub on this page
// passes to remote_handle64_invoke.
// NOTE(review): both are plain integers with no type-level validity marker, so
// any check that a handle value is valid and belongs to the caller presumably
// has to be done by the layer that receives it. Confirm against the transport.
typedef uint32_t remote_handle;
typedef uint64_t remote_handle64; //! used by multi domain modules
                                  //! 64 bit handles are translated to 32 bit values
                                  //! by the transport layer

// One buffer argument: a start address plus a length.
// The stub on this page fills it with pv = (void*)_primIn and
// nLen = sizeof(_primIn), so nLen is a byte count.
// NOTE(review): void* and size_t change width between 32- and 64-bit builds,
// so the size of this struct is ABI-dependent. Presumably the transport
// re-marshals it rather than copying it raw (confirm).
typedef struct {
   void *pv;      // start of the buffer
   size_t nLen;   // length of the buffer in bytes
} remote_buf;

// One DMA-handle argument: a file descriptor plus an offset.
// No length is stored here. In the stub on this page the length is passed
// separately to remote_register_dma_handle(fd, len).
// NOTE(review): nothing in this type ties offset to the registered length, so
// the range check (offset within the buffer behind fd) presumably has to be
// made by whoever consumes the handle. Confirm where it is enforced.
typedef struct {
   int32_t fd;        // file descriptor; signed, although the stub's parameters are uint32_t
   uint32_t offset;   // offset associated with fd (units not shown here; presumably bytes)
} remote_dma_handle;

// One slot of the argument array handed to the invoke call. It is an untagged
// union: the slot itself does not record which member is active.
// In the stub on this page slot 0 is used as .buf and slots 1..3 as .dma. The
// receiver presumably learns that split from the scalars word built with
// REMOTE_SCALARS_MAKEX (macro not shown here; confirm).
// NOTE(review): because there is no discriminant, a mismatch between the
// scalars word and the actual slot contents would make the receiver read a
// slot as the wrong member. The receiving side must not trust the layout
// implicitly.
typedef union {
   remote_buf     buf;      // pointer + length buffer
   remote_handle    h;      // 32-bit handle
   remote_handle64 h64; //! used by multi domain modules
   remote_dma_handle dma;   // fd + offset DMA handle
} remote_arg;



// https://github.com/TTTT55/vendor_qcom_proprietary/blob/00578532a2e2e308ebcf26cf3b7c0c89b4f4cf02/commonsys-intf/adsprpc_ship/loadalgo_example/loadalgo_stub.c#L512

// Client-side stub: packs its arguments into a remote_arg array and forwards
// them with remote_handle64_invoke on _handle, using _mid in the scalars word
// (presumably the method id; confirm).
//
// _pra layout as built below:
//   _pra[0]  .buf  -> _primIn, five 32-bit values (_in1, _in2, _in3, _in5, _in7)
//   _pra[1]  .dma  -> _in0   (fd, offset)
//   _pra[2]  .dma  -> _in6   (fd, offset)
//   _pra[3]  .dma  -> _rout4 (fd, offset)
//
// Returns _nErr: 0 as initialised, otherwise whatever _ASSERT/_TRY stored in it
// (those macros are not shown here; presumably they set _nErr and jump to the
// _CATCH label on failure, TODO confirm).
//
// NOTE(review): every fd, offset and length is forwarded exactly as the caller
// supplied it. Nothing in this function checks that an offset lies inside the
// length registered for its fd, or that the fd refers to a buffer of the
// expected kind. That validation has to exist on the receiving side.
static __inline int _stub_method_2(remote_handle64 _handle, uint32_t _mid, uint32_t _in0Fd[1], uint32_t _in0Offset[1], uint32_t _in0Len[1], uint32_t _in1[1], uint32_t _in2[1], uint32_t _in3[1], uint32_t _rout4Fd[1], uint32_t _rout4Offset[1], uint32_t _rout4Len[1], uint32_t _in5[1], uint32_t _in6Fd[1], uint32_t _in6Offset[1], uint32_t _in6Len[1], uint32_t _in7[1]) {
   remote_arg _pra[4];           // 1 buffer slot + 3 DMA-handle slots
   uint32_t _primIn[5];          // packed scalar inputs, 20 bytes
   remote_arg* _praHandleIn;     // first input-handle slot (_pra[1])
   remote_arg* _praHandleROut;   // first output-handle slot (_pra[3])
   int _nErr = 0;
   // Slot 0 carries the scalar block by address and byte length.
   _pra[0].buf.pv = (void*)_primIn;
   _pra[0].buf.nLen = sizeof(_primIn);
   _praHandleIn = (_pra + (1 + 0));
   // _in0: the caller's uint32_t fd is copied into the int32_t dma.fd field
   // (assuming _COPY is a byte copy of the given size; confirm).
   _COPY(&(_praHandleIn[0].dma.fd), 0, _in0Fd, 0, sizeof(uint32_t));
   _COPY(&(_praHandleIn[0].dma.offset), 0, _in0Offset, 0, sizeof(uint32_t));
   // The length is given only to the registration call, not stored in the slot.
   _ASSERT(_nErr, remote_register_dma_handle(*_in0Fd, *_in0Len) == 0);
   // Scalars go into _primIn at byte offsets 0, 4, 8, 12 and 16.
   _COPY(_primIn, 0, _in1, 0, 4);
   _COPY(_primIn, 4, _in2, 0, 4);
   _COPY(_primIn, 8, _in3, 0, 4);
   // Output handles start after the two input handles: _pra[3].
   _praHandleROut = ((_pra + (1 + 0)) + 2);
   _COPY(&(_praHandleROut[0].dma.fd), 0, _rout4Fd, 0, sizeof(uint32_t));
   _COPY(&(_praHandleROut[0].dma.offset), 0, _rout4Offset, 0, sizeof(uint32_t));
   _ASSERT(_nErr, remote_register_dma_handle(*_rout4Fd, *_rout4Len) == 0);
   _COPY(_primIn, 12, _in5, 0, 4);
   // _in6 is the second input handle: _pra[2].
   _COPY(&(_praHandleIn[1].dma.fd), 0, _in6Fd, 0, sizeof(uint32_t));
   _COPY(&(_praHandleIn[1].dma.offset), 0, _in6Offset, 0, sizeof(uint32_t));
   _ASSERT(_nErr, remote_register_dma_handle(*_in6Fd, *_in6Len) == 0);
   _COPY(_primIn, 16, _in7, 0, 4);
   // Constant comparisons; presumably generator-emitted checks that the handle
   // counts (2 in, 1 out) fit the scalars encoding (confirm).
   _ASSERT(_nErr, 2 <= 15);
   _ASSERT(_nErr, 1 <= 15);
   // The scalars arguments (1, 0, 2, 1) line up with the _pra layout above:
   // presumably 1 input buffer, 0 output buffers, 2 input handles and 1 output
   // handle (verify against REMOTE_SCALARS_MAKEX in remote.h).
   _TRY(_nErr, __QAIC_REMOTE(remote_handle64_invoke)(_handle, REMOTE_SCALARS_MAKEX(0, _mid, 1, 0, 2, 1), _pra));
   // Empty handler: no cleanup is done here, so DMA handles registered above
   // are not unregistered by this function when a later step fails.
   _CATCH(_nErr) {}
   return _nErr;
}