CPU Pipeline support

Discuss development specific to the Pi version of ADFFS
Post Reply
JonAbbott
Posts: 1736
Joined: Thu Apr 11, 2013 12:13 pm
Location: Essex

CPU Pipeline support

Post by JonAbbott » Wed Sep 02, 2015 11:16 am

Quite a few protection methods rely on the CPU pipeline to work. The typical scenario is one of two:
  1. The protection will overwrite the next instruction to obscure it
  2. The protection will clear all trace of itself up to and including the last instruction
On an ARM, the instruction at PC+4 is at the decode stage in the pipeline (stage 2) and can safely be overwritten. It's this that the protection relies on to work.


Implementing stage 2 in a JIT however is not straightforward, particularly for the ARM where self-modifying code requires the cache and pipeline to be flushed. You're in catch 22, where you want the next instruction to be in the pipeline but also have to flush it and the cache, to comply with a Harvard cache implementation.

Full stage 2 implementation requires:
  1. The Abort handler needs to take a copy of the instruction at PC+4 and JIT PC+4 (coded in 2.51g)
  2. The JIT Abort handler needs to check on exit if the next instruction has been overwritten and reinstate it if necessary (coded in 2.51g)
  3. If the instruction at PC-4 has yet to be encoded it needs encoding and executing before being replaced
  4. The JIT core needs to check if a pipelined instruction overwrite is pending and correct it once the pipelined instruction has been executed
  5. STR Rx, [PC, #-4] will be in a codelet and won't be caught by the Abort handler by default. The Abort handler will need to check if the Abort occurred in a codelet and then check if the original instruction address is PC-4
Points 3/4/5 could possibly be implemented by:
  • Allowing the original instruction to be overwritten, but leave the encoded instruction, then put a Hypervisor entry instruction at PC+8 and add PC to a pipeline replacement table. When the JIT is entered, it needs to write a Hypervisor instruction to the pipelined address.
    This will need to take pipelined BL / B instructions into account and put the Hypervisor instruction at the branch address instead of PC+8.
Games that rely on the CPU pipeline include:
  • F10018 - Arcade 3
    F10067 - Carnage Inc.
    F10071 - Cataclysm
    F10125 - Drifter (confirmed to work with points 1/2 implemented)
    F10127 - Drop Ship
    F10129 - The Dungeon
    F10130 - Elite
    F10164 - Formula Two Thousand
    F10166 - F.R.E.D. (needs point 6)
    F10274 - Pandora's Box
    F10361 - TACTIC

JonAbbott
Posts: 1736
Joined: Thu Apr 11, 2013 12:13 pm
Location: Essex

Re: CPU Pipeline support

Post by JonAbbott » Fri Aug 12, 2016 7:31 am

Cyber Ape requires points 3/4/5 implementing before its encrypted disk protection check can be decoded, as it uses STR Rx,[PC,#-4] in a loop. To get the game running, I've temporarily replaced the loop with SWI ADFS_DiscOp / MOV PC, R14

Post Reply