Difference between revisions of "Memory map"
Jump to navigation
Jump to search
Hallowizer (talk | contribs) (Apploader error stuff) |
Hallowizer (talk | contribs) (→Broadway / IOS Global Memory Locations: system register flags are interrupt masks) |
||
| Line 145: | Line 145: | ||
| 4 | | 4 | ||
| 0xffffff00 | | 0xffffff00 | ||
| − | | User | + | | User interrupt mask |
|- | |- | ||
| 0x800000C8 | | 0x800000C8 | ||
| 4 | | 4 | ||
| 0 | | 0 | ||
| − | | [[Revolution OS]] | + | | [[Revolution OS]] interrupt mask |
|- | |- | ||
| 0x800000CC | | 0x800000CC | ||
Revision as of 04:48, 9 January 2022
| Start Address | End Address | Physical Address | Size | Description |
|---|---|---|---|---|
| 0x80000000 | 0x817FFFFF | 0x00000000 | 24 MB | MEM1 Memory (Cached) |
| 0xC0000000 | 0xC17FFFFF | 0x00000000 | 24 MB | MEM1 Memory (Uncached) |
| 0x90000000 | 0x93FFFFFF | 0x10000000 | 64 MB | MEM2 Memory (Cached) |
| 0xD0000000 | 0xD3FFFFFF | 0x10000000 | 64 MB | MEM2 Memory (Uncached) |
| 0xCD000000 | 0xCD008000 | 0x0D000000 | Hollywood Registers (shared with Starlet) |
The GameCube has one 24MB bank of 1T SRAM that is used for all code and data, spread across two external chips; there is also a chip containing 16MB of ARAM, which could be used for storing data (though it was not directly mapped into memory, instead only being accessible via DSP).
The Wii moves all 24MB of 1T-SRAM (referred to as MEM1) inside the Hollywood package, and adds an additional 64MB of GDDR3 RAM (MEM2). During normal operation, IOS reserves the upper 12-16MB of MEM2 for its own use; the rest can freely be used for code or data by running PPC code. MEM1 is slightly faster than MEM2. The Wii does not have the ARAM chip; instead, DSP can access MEM1 or MEM2. When using MIOS, the bottom 16 MB of MEM2 is used to emulate ARAM; the Tweezer Attack allowed accessing the rest of MEM2.
The IOS Heap range is usually 0x933E0000 – 0x93400000, as shown in registers 0x80003130(Start), 0x80003134(End). Pointers in this area are often passed back and forth between IOS and code running on Broadway. The top of MEM2 memory is allocated to IOS, and protected from access by some registers (TODO).
Broadway / IOS Global Memory Locations
| Address | Size | (Typical) Value | Description |
|---|---|---|---|
| 0x80000000 | 4 | 0x52535045 | Game Code 'RSPE' (Wii Sports) |
| 0x80000004 | 2 | 0x3031 (01) | Maker code |
| 0x80000006 | 1 | 0 | Disc Number (multidisc games) |
| 0x80000007 | 1 | ? | Disc Version |
| 0x80000008 | 1 | ? | Disc Streaming flag |
| 0x80000009 | 1 | ? | Disc Streaming buffer size |
| 0x80000018 | 4 | 0x5D1C9EA3 | Disc layout magic (Wii) |
| 0x8000001C | 4 | 0xC2339F3D | Disc layout magic (GC) |
| 0x80000020 | 4 | 0x0D15EA5E | Nintendo Standard Boot Code. |
| 0x80000024 | 4 | 0x00000001 | Version (set by apploader) |
| 0x80000028 | 4 | 0x01800000 | Memory Size (Physical) 24MB |
| 0x8000002C | 4 | 0x00000023 | Production Board Model |
| 0x80000030 | 4 | 0x00000000 | Arena Low |
| 0x80000034 | 4 | 0x817FEC60 | Arena High |
| 0x80000038 | 4 | 0x817FEC60 | Start of FST (varies in all games) |
| 0x8000003C | 4 | 0x00001394 | Maximum FST Size (varies in all games) |
| 0x80000044 | 4 | ? | Exception Mask Address |
| 0x80000060 | 0x24 | "OSDBIntegrator" Debugger Hook | Hook is PPC assembler used by Debugger. If nothing is written to 0x60, SDK titles will write the 0x20 bytes of instructions automatically. |
| 0x800000C4 | 4 | 0xffffff00 | User interrupt mask |
| 0x800000C8 | 4 | 0 | Revolution OS interrupt mask |
| 0x800000CC | 4 | 0 | Value indicating the current video mode. 0 = NTSC, 1 = PAL |
| 0x800000D8 | 4 | ? | Current OSContext instance. |
| 0x800000DC | 4 | ? | OSThread pointer, previously created thread. |
| 0x800000E0 | 4 | ? | OSThread pointer, most recently created thread. |
| 0x800000E4 | 4 | ? | Current thread pointer. |
| 0x800000EC | 4 | 0x81800000 | Dev Debugger Monitor Address (If present) |
| 0x800000F0 | 4 | 0x01800000 | Simulated Memory Size |
| 0x800000F4 | 4 | 0x817FDF80 | Pointer to data read from partition's bi2.bin, set by apploader, or the emulated bi2.bin created by the NAND Boot Program |
| 0x800000F8 | 4 | 0x0E7BE2C0 | Console Bus Speed |
| 0x800000FC | 4 | 0x2B73A840 | Console CPU Speed |
| 0x80001800 | 0x1800 | Unused Exception Vector area often used for loader stubs and reloaders as this area is never cleared or used. | |
| 0x80003000 | 0x3c | ? | Exception vector area |
| 0x80003040 | 4 | ? | __OSInterrupt table. |
| 0x800030C8 | 4 | ? | Related to Nintendo's dynamic linking system (REL). Pointer to the first loaded REL file. |
| 0x800030CC | 4 | ? | Related to Nintendo's dynamic linking system (REL). Pointer to the last loaded REL file. |
| 0x800030D0 | 4 | 0 | Pointer to a REL module name table, or 0. Added to the name offset in each REL file. |
| 0x800030D8 | 8 | 0x005498F053407000 | System time, measured as time since January 1st 2000 in units of 1/40500000th of a second. |
| 0x800030E4 | 2 | ? | __OSPADButton. Apploader puts button state of GCN port 4 at game start here for Gamecube NR disc support |
| 0x800030E6 | 2 | ? | DVD Device Code Address |
| 0x800030E8 | 4 | ? | Debug Flags Address |
| 0x800030F0 | 4 | 0x00000000 | DOL Execute Parameters |
| 0x80003100 | 4 | ? | Physical MEM1 size |
| 0x80003104 | 4 | ? | Simulated MEM1 size |
| 0x80003110 | 4 | ? | Heap pointer (end of usable memory by the game) |
| 0x80003118 | 4 | ? | Physical MEM2 size |
| 0x8000311C | 4 | ? | Simulated MEM2 size |
| 0x80003130 | 8 | 0x933E0000, 0x93400000 | IOS Heap Range |
| 0x80003138 | 4 | 0x00000011 | Hollywood Version |
| 0x80003140 | 4 | 0x00090204 | IOS version (090204 = IOS9, v2.4) |
| 0x80003144 | 4 | 0x00062507 | IOS Build Date (62507 = 06/25/07 = June 25, 2007) |
| 0x80003158 | 4 | 0x0000FF16 | GDDR Vendor Code |
| 0x8000315C | 1 | 0x80 | During the boot process, u32 0x315c is first set to 0xdeadbeef by IOS in the boot_ppc syscall. The value is set to 0x80 by the NAND Boot Program to indicate that it was loaded by the boot program (and probably 0x81 by apploaders) |
| 0x8000315D | 1 | 0? | "Enable legacy DI" mode? 0x81 = no, anything else means yes, although it is typically set to 0x80 for yes. If this is disabled, then using a GameCube apploader for a Wii disc causes Revolution OS to give an error. |
| 0x8000315E | 2 | 0x0113 | "Devkit boot program version", written to by the system menu. The value carries over to disc games. 0x0113 appears to mean v1.13, which is the latest version of the boot program (found in System Menu 4.3). |
| 0x80003160 | 4 | 0x00000000 | Init semaphore (1-2 main() waits for this to clear) |
| 0x80003164 | 4 | 0x00000000 | GC (MIOS) mode flag, set to 1 by boot2 when MIOS triggers a shutdown; the System Menu reads this and turns off the console if it is set to 1 and state.dat is set appropriately, with the message "Shutdown system from GC!". |
| 0x80003180 | 4 | 0x52535045 | Game ID 'RSPE' Wii Sports ID. If these 4 bytes don't match the ID at 80000000, WC24 mode in games is disabled. |
| 0x80003184 | 1 | 0x80 | Application type. 0x80 for disc games, 0x81 for channels. |
| 0x80003186 | 1 | 0x00 | Application type 2. Appears to be set to the when a game loads a channel (e.g. Mario Kart Wii loading the region select menu will result in this being 0x80 from the disc and the main application type being 0x81, or the Wii Fit channel transitioning to the Wii Fit disc will result in this being 0x81 and the main type being 0x80). |
| 0x80003188 | 4 | 0x00351011 | Minimum IOS version (2 bytes for the major version, 2 bytes for the title version) |
| 0x8000318C | 4 | 0x00000000 | Title Booted from NAND (Launch Code) |
| 0x80003190 | 4 | 0x00000000 | Title Booted from NAND (Return Code) |
| 0x80003194 | 4 | 0x00000000 | While reading a disc, the system menu reads the first partition table (0x20 bytes from 0x00040020) and stores a pointer to the data partition entry. When launching the disc game, it copies the partition type to 0x3194. The partition type for data partitions is 0, so typically this location always has 0. |
| 0x80003198 | 4 | data partition offset | While reading a disc, the system menu reads the first partition table (0x20 bytes from 0x00040020) and stores a pointer to the data partition entry. When launching the disc game, it copies the partition offset to 0x3198. |
| 0x8000319C | 1 | 0x80 | Set by the apploader to 0x80 for single-layer discs and 0x81 for dual-layer discs (determined by whether 0x7ed40000 is the value at offset 0x30 in the partition's bi2.bin; it seems that that value is 0 for single-layer discs). Early titles' apploaders do not set it at all, leaving the value as 0. This controls the out-of-bounds Error #001 read for titles that do make such a read: they try to read at 0x7ed40000 for dual-layer discs and 0x460a0000 for single-layer discs. |
| 0x80003400 | 0x100 | NAND boot vector (Broadway initialization code from nandloader, entry point for NAND applications) | |
| 0x80003F00 | 0x132c100 (~19.2MB) | Standard application executable area | |
| 0x81330000 | 0x4d0000 (~4.8MB) | Loader executable area |
By convention, applications should use the 0x80003F00 – 0x81330000 area for executable code and data loaded as part of their ELF/DOL, while loaders should use from 0x81330000 onwards. Applications can use the loader area and MEM2 as data work space once they are running, but they should restrict the sections contained in the DOL or ELF to the executable area only, since MEM2 is reserved as work area for the loader at that time. To preserve "return to loader" functionality, applications should never use the 0x80001800-0x80003000 area.