Difference between revisions of "Starlet memory map"
Jump to navigation
Jump to search
Blooper4912 (talk | contribs) (Undo revision 30459 by Blooper4912 (Talk) Cache screwup) |
|||
| Line 132: | Line 132: | ||
|- | |- | ||
|| || || 0018 W || init || 5. part of hash init value: 0xC3D2E1F0 | || || || 0018 W || init || 5. part of hash init value: 0xC3D2E1F0 | ||
| + | |- | ||
| + | ||0x0D040000||EHCI || | ||
|- | |- | ||
||0x0D050000||OHC !#0 || | ||0x0D050000||OHC !#0 || | ||
Revision as of 19:01, 1 January 2009
This page lists the known Starlet I/O registers. Much of this info comes from Segher & tmbinc's private notes.
Memory map
| Start Address | End Address | Physical Address | Size | Description |
|---|---|---|---|---|
| 0x00000000 | 0x017FFFFF | 0x00000000 | 24 MB | MEM1 Memory (Cached) |
| 0x10000000 | 0x13FFFFFF | 0x10000000 | 64 MB | MEM2 Memory (Cached) |
| 0x0D000000 | 0x0D000000 | Hardware Registers (shared with the Broadway) | ||
| 0x0D400000 | 0x0D400000 | RAM used for program code, data and stack | ||
| 0x0D800000 | 0x0D800000 | Hardware Registers (Starlet private) | ||
| 0xFFFE0000 | 0xFFFFFFFF | Internal SRAM |
I/O is at 0x0D800000 (Starlet private) and 0x0D000000 (shared with the Broadway). That is to say, the contents of 0x0D8xxxxx are selectively mirrored to 0x0D0xxxxx. This may change depending on some of the registers (e.g. when MIOS is active).
There is internal SRAM at 0xFFFE0000, 128kB of it; this stores the kernel code and data, minus the crypto code.
The GDDR3 is at 0x10000000, 64MB of it; the upper 12MB are exclusive for use by the Starlet, the rest is shared with the Broadway.
0x0D0xxxxx may be an AMBA AHB bus.
IO Memory
| base | function | offset | description | contents/example |
|---|---|---|---|---|
| 0x0D010000 | NAND | |||
| 0000 W | command | 9F000000 (CMD 00: start read sector) | ||
| 8030B840 (CMD 30: data (starts DMA 0x840 bytes)) | ||||
| 80FF8000 (CMD FF: reset) | ||||
| 00008000 means: wait for R/#B to go down | ||||
| 1F000000 is the mask of the address bytes to send. (10 = AA, 08 = BB, .., 01 = FF in 08,0c) | ||||
| 0000 R | status | MSB means busy | ||
| 0004 W | config | |||
| 0008 W | address #0 | 0000AABB | ||
| 000C W | address #1 | CCDDEEFF, NAND sector, multiply with 0x800 or 0x840 to get offset, 0x40 for ecc | ||
| 0010 W | data addr | target address for DMA (0x800 main bytes) | ||
| 0014 W | ecc addr | target address for DMA (0x40 spare bytes) | ||
| 0x0D020000 | AES | |||
| 0000 W | command | 980000LL to start operation (L = len in 16 byte blocks -1) | ||
| 980010LL start operation and "do not reload IV"?? | ||||
| 00000000 reset | ||||
| 0000 R | status | MSB means busy | ||
| 0004 W | data addr | source DMA | ||
| 0008 W | data addr | dst DMA | ||
| 000C W | key fifo | write 4 words to set key | ||
| 0010 W | IV fifo | write 4 words to set IV | ||
| 0x0D030000 | SHA-1 | |||
| 0000 R | status | MSB means busy | ||
| 0000 W | command | 0x00000000 Reset? | ||
| 0x8000001F Calculate hash, then increase address by size 0x800 | ||||
| 0004 W | address | Physical address of data | ||
| 0008 R | hash | 1. part of hash value | ||
| 0008 W | init | 1. part of hash init value: 0x67452301 | ||
| 000c R | hash | 2. part of hash value | ||
| 000c W | init | 2. part of hash init value: 0xEFCDAB89 | ||
| 0010 R | hash | 3. part of hash value | ||
| 0010 W | init | 3. part of hash init value: 0x98BADCFE | ||
| 0014 R | hash | 4. part of hash value | ||
| 0014 W | init | 4. part of hash init value: 0x10325476 | ||
| 0018 R | hash | 5. part of hash value | ||
| 0018 W | init | 5. part of hash init value: 0xC3D2E1F0 | ||
| 0x0D040000 | EHCI | |||
| 0x0D050000 | OHC !#0 | |||
| 0x0D060000 | OHC !#1 | |||
| 0x0D070000 | SDHC !#0 | |||
| 0x0D070100 | SDHC !#1 | |||
| 0x0D800000 | hollywood control | 0x400 bytes of control registers; these registers are mirrored every 0x400 bytes from 0x0D80000 to 0x0D805fff | ||
| 0x0D800000 | IPC | reg 0: request pointer | To make an IOS request, the physical address of an IOS command struct is written here by the Broadway. Then, Broadway sets bit 0 of IPC reg 1 to indicate a request is ready. | |
| 0x0D800004 | IPC | reg 1: semaphore flags | Broadway sets bits here as "doorbells" to indicate status; Starlet responds by setting flags here. | |
| 0x0D800008 | IPC | reg 2: Reply pointer | When an IOS request has completed, IOS will modify the original command struct passed in IPC reg 0, copy that pointer to reg 2, then set reg 1 to 0x14 to indicate a reply is ready. | |
| 0x0D800010 | timer (core clock divided by 128) | |||
| 0x0D800014 | alarm (interrupt 0 is fired when the timer reaches this value) | |||
| 0x0D800030 | something related to interrupts; typical value is 0x854DA94F. Pressing the RESET button will set the 0x20000 bit. | |||
| 0x0D800034 | ??? | |||
| 0x0D800038 | active interrupts (write 1 to clear). Pressing the RESET button will set the 0x20000 bit (interrupt 18). Pressing the POWER button will set the 0x800 bit (interrupt 11). | |||
| 0x0D80003C | enabled interrupts | clear 0x40000 for legacy di | ||
| 0x0D800060 | ??? | |||
| 0x0D800070 | ??? | set 0x10 for legacy DI; 0x1 to allow write to exi boot buffer | ||
| 0x0D8000C0 | GPIO | probably data: 0x200 for eject; 0x100 sensor bar enable; 0x20 for tray led | ||
| 0x0D8000C4 | GPIO | probably direction | ||
| 0x0D8000DC | ??? | |||
| 0x0D8000E0 | GPIO | 0x08 -- set to enable DC/DC converter, | ||
| 0x0D8000E1 | GPIO | |||
| 0x0D8000E2 | GPIO | debug / "POST" port -- connected to 8 testpads. boot0 / 1 / 2 output simple codes to indicate boot status. | ||
| 0x0D8000E3 | GPIO | |||
| 0x0D8000E4 | GPIO | probably direction | ||
| 0x0D8000EC | ??? | |||
| 0x0D8000F0 | ? typical value is 0x0070FFF6; pressing the POWER button will set the 0x1 bit | |||
| 0x0D8000F4 | ??? | |||
| 0x0D8000FC | ??? | |||
| 0x0D800100 | ??? | |||
| 0x0D80010C | ??? | |||
| 0x0D800110 | ??? | |||
| 0x0D800114 | ??? | |||
| 0x0D800118 | ??? | |||
| 0x0D80011C | ??? | |||
| 0x0D800120 | ??? | |||
| 0x0D800130 | ??? | |||
| 0x0D800134 | ??? | |||
| 0x0D800138 | ??? | |||
| 0x0D800180 | ??? | set 0x40 for legacy DI; 0x100000 set after loadEXI (boot code) | ||
| 0x0D800188 | ??? | |||
| 0x0D80018C | ??? | |||
| 0x0D800190 | ??? | involved in DSKPLL init | ||
| 0x0D800194 | ??? | 0x400 is DI reset (low active) / involved in DSKPLL init | ||
| 0x0D800198 | ??? | set to 0x00FFFFFF as part of "interface / subsytem powerup" | ||
| 0x0D8001B0 | ??? | ACRPLLSYS | ||
| 0x0D8001B0 | ??? | ACRPLLSYSEXT | ||
| 0x0D8001B8 | ??? | involved in DSKPLL init | ||
| 0x0D8001BC | ??? | |||
| 0x0D8001C0 | ??? | |||
| 0x0D8001DC | ??? | set to 0x00FFFFFF as part of "interface / subsytem powerup" | ||
| 0x0D8001EC | OTP | OTP read address (addresses run from 0x80000000..0x8000001F) | ||
| 0x80000000 - 0x80000004 stores 20 bytes boot1 SHA-1 hash | ||||
| 0x80000005 - 0x80000008 common key | ||||
| 0x80000009 NG id | ||||
| 0x8000000a - 0x80000010 NG private | ||||
| 0x80000011 - 0x80000015 NAND HMAC | ||||
| 0x80000016 - 0x80000019 NAND AES | ||||
| 0x8000001A - 0x8000001D RNG key | ||||
| 0x0D8001F0 | OTP | OTP data | ||
| 0x0D800214 | ??? | Register is read 223 times while booting boot0 and boot1. Never written by boot0 or boot1. | ||
| 0x0D800224 - 03FF | unused | |||
| 0x0D806000 | DI | looks almost identical to the Gamecube DI interface | ||
| 0x0D806000 | DISR | DI status register | ||
| 0x0D806004 | DICVR | DI cover register (status2) | ||
| 0x0D806008 | DICMDBUF0 | DI command buffer 0 | ||
| 0x0D80600C | DICMDBUF1 | DI command buffer 1 | ||
| 0x0D806010 | DICMDBUF2 | DI command buffer 2 | ||
| 0x0D806014 | DIMAR | DI DMA memory address register | ||
| 0x0D806018 | DILENGTH | DI DMA transfer length register | ||
| 0x0D806020 | DIMMBUF | DI immediate data buffer | ||
| 0x0D806024 | DICFG | DI configuration register | ||
| 0x0D806800 | EXI | |||
| | | 0x40 | ppc boot buffer | ||
| 0x0D8B4000 | AMBA AHB registers | |||
| 0x0D8B4000 | ??? | |||
| 0x0D8B4002 | ??? | |||
| 0x0D8B4004 | ??? | |||
| 0x0D8B4006 | ??? | |||
| 0x0D8B4008 | ??? | |||
| 0x0D8B400A | ??? | |||
| 0x0D8B400C | ??? | |||
| 0x0D8B400E | ??? | |||
| 0x0D8B4026 | ??? | |||
| 0x0D8B4074 | ??? | |||
| 0x0D8B4076 | ??? | |||
| 0x0D8B4228 | AHB command | AHB memory flush command. Typical values: 1, 2, 4, 8, 15 | ||
| 0x0D8B422a | AHB acknowlegde | If AHB memory flush acknowledge, will be set to the command value. |