Starlet memory map
| This is an old revision of this page, as edited by Mega Man (talk | contribs) at 01:08, 29 August 2008. It may differ significantly from the current revision. |
This page lists the known Starlet I/O registers. Much of this info comes from Segher & tmbinc's private notes.
Memory map
| Start Address | End Address | Physical Address | Size | Description |
| 0x00000000 | 0x017FFFFF | 0x00000000 | 24 MB | MEM1 Memory (Cached) |
| 0x10000000 | 0x13FFFFFF | 0x10000000 | 64 MB | MEM2 Memory (Cached) |
| 0x0D000000 | Hardware Registers (shared with the Broadway) | |||
| 0x0D800000 | Hardware Registers (Starlet private) | |||
| 0xFFFE0000 | 0xFFFFFFFF | Internal SRAM |
I/O is at x'0d80_0000 (Starlet private) and x'0d00_0000 (shared with the Broadway). That is to say, the contents of 0x0d8x are selectively mirrored to 0x0d0x. This may change depending on some of the registers (e.g. when MIOS is active).
There is internal SRAM at x'fffe_0000, 128kB of it; this stores the kernel code and data, minus the crypto code.
The GDDR3 is at x'1000_0000, 64MB of it; the upper 12MB are exclusive for use by the Starlet, the rest is shared with the Broadway.
0x0D0xxxxx may be an AMBA AHB bus.
IO Memory
| base | function | offset | description | contents/example |
| x'0d01_0000 | NAND | |||
| 0000 W | command | 9F000000 (CMD 00: start read sector) | ||
| 8030B840 (CMD 30: data (starts DMA 0x840 bytes)) | ||||
| 80FF8000 (CMD FF: reset) | ||||
| 00008000 means: wait for R/#B to go down | ||||
| 1F000000 is the mask of the address bytes to send. (10 = AA, 08 = BB, .., 01 = FF in 08,0c) | ||||
| 0000 R | status | MSB means busy | ||
| 0004 W | config | |||
| 0008 W | address #0 | 0000AABB | ||
| 000C W | address #1 | CCDDEEFF, NAND sector, multiply with 0x800 or 0x840 to get offset, 0x40 for ecc | ||
| 0010 W | data addr | target address for DMA (0x800 main bytes) | ||
| 0014 W | ecc addr | target address for DMA (0x40 spare bytes) | ||
| x'0d02_0000 | AES | |||
| 0000 W | command | 980000ll to start operation (l = len in 16 byte blocks -1) | ||
| 980010ll start operation and "do not reload IV"?? | ||||
| 00000000 reset | ||||
| 0000 R | status | MSB means busy | ||
| 0004 W | data addr | source DMA | ||
| 0008 W | data addr | dst DMA | ||
| 000C W | key fifo | write 4 words to set key | ||
| 0010 W | IV fifo | write 4 words to set IV | ||
| x'0d03_0000 | SHA-1 | |||
| 0000 R | status | MSB means busy | ||
| 0000 W | command | 0x00000000 Reset? | ||
| 0x8000001f Calculate hash, then increase address by size 0x800 | ||||
| 0004 W | address | Physical address of data | ||
| 0008 R | hash | 1. part of hash value | ||
| 0008 W | init | 1. part of hash init value: 0x67452301 | ||
| 000c R | hash | 2. part of hash value | ||
| 000c W | init | 2. part of hash init value: 0xefcdab89 | ||
| 0010 R | hash | 3. part of hash value | ||
| 0010 W | init | 3. part of hash init value: 0x98badcfe | ||
| 0014 R | hash | 4. part of hash value | ||
| 0014 W | init | 4. part of hash init value: 0x10325476 | ||
| 0018 R | hash | 5. part of hash value | ||
| 0018 W | init | 5. part of hash init value: 0xc3d2e1f0 | ||
| x'0d05_0000 | OHC !#0 | |||
| x'0d06_0000 | OHC !#1 | |||
| x'0d07_0000 | SDHC !#0 | |||
| x'0d07_0100 | SDHC !#1 | |||
| x'0d80_0000 | hollywood control | 0x400 bytes of control registers; these registers are mirrored every 0x400 bytes from 0x0d80000 to 0x0d805fff | ||
| x'0d80_0000 | IPC | reg 0: request pointer | To make an IOS request, the physical address of an IOS command struct is written here by the Broadway. Then, Broadway sets bit 0 of IPC reg 1 to indicate a request is ready. | |
| x'0d80_0004 | IPC | reg 1: semaphore flags | Broadway sets bits here as "doorbells" to indicate status; Starlet responds by setting flags here. | |
| x'0d80_0008 | IPC | reg 2: Reply pointer | When an IOS request has completed, IOS will modify the original command struct passed in IPC reg 0, copy that pointer to reg 2, then set reg 1 to 0x14 to indicate a reply is ready. | |
| x'0d80_0010 | timer (core clock divided by 128) | |||
| x'0d80_0014 | alarm (interrupt 0 is fired when the timer reaches this value) | |||
| x'0d80_0030 | something related to interrupts; typical value is 0x854da94f. Pressing the RESET button will set the 0x20000 bit. | |||
| x'0d80_0034 | ??? | |||
| x'0d80_0038 | active interrupts (write 1 to clear). Pressing the RESET button will set the 0x20000 bit (interrupt 18). Pressing the POWER button will set the 0x800 bit (interrupt 11). | |||
| x'0d80_003C | enabled interrupts | clear 0x40000 for legacy di | ||
| x'0d80_0060 | ??? | |||
| x'0d80_0070 | ??? | set 0x10 for legacy DI; 0x1 to allow write to exi boot buffer | ||
| x'0d80_00C0 | GPIO | probably data: 0x200 for eject; 0x100 sensor bar enable; 0x20 for tray led | ||
| x'0d80_00C4 | GPIO | probably direction | ||
| x'0d80_00DC | ??? | |||
| x'0d80_00E0 | GPIO | 0x08 -- set to enable DC/DC converter, | ||
| x'0d80_00E1 | GPIO | |||
| x'0d80_00E2 | GPIO | debug / "POST" port -- connected to 8 testpads. boot0 / 1 / 2 output simple codes to indicate boot status. | ||
| x'0d80_00E3 | GPIO | |||
| x'0d80_00E4 | GPIO | probably direction | ||
| x'0d80_00EC | ??? | |||
| x'0d80_00F0 | ? typical value is 0x0070fff6; pressing the POWER button will set the 0x1 bit | |||
| x'0d80_00F4 | ??? | |||
| x'0d80_00FC | ??? | |||
| x'0d80_0100 | ??? | |||
| x'0d80_010C | ??? | |||
| x'0d80_0110 | ??? | |||
| x'0d80_0114 | ??? | |||
| x'0d80_0118 | ??? | |||
| x'0d80_011C | ??? | |||
| x'0d80_0120 | ??? | |||
| x'0d80_0130 | ??? | |||
| x'0d80_0134 | ??? | |||
| x'0d80_0138 | ??? | |||
| x'0d80_0180 | ??? | set 0x40 for legacy DI; 0x100000 set after loadEXI (boot code) | ||
| x'0d80_0188 | ??? | |||
| x'0d80_018C | ??? | |||
| x'0d80_0190 | ??? | involved in DSKPLL init | ||
| x'0d80_0194 | ??? | 0x400 is DI reset (low active) / involved in DSKPLL init | ||
| x'0d80_0198 | ??? | set to 0x00FFFFFF as part of "interface / subsytem powerup" | ||
| x'0d80_01B0 | ??? | ACRPLLSYS | ||
| x'0d80_01B0 | ??? | ACRPLLSYSEXT | ||
| x'0d80_01B8 | ??? | involved in DSKPLL init | ||
| x'0d80_01BC | ??? | |||
| x'0d80_01C0 | ??? | |||
| x'0d80_01DC | ??? | set to 0x00FFFFFF as part of "interface / subsytem powerup" | ||
| x'0d80_01EC | OTP | OTP read address (addresses run from 0x80000000..0x8000001f, 0x80000000-0x80000004 stores 20 bytes boot1 hash) | ||
| x'0d80_01F0 | OTP | OTP data | ||
| x'0d80_0214 | ??? | |||
| x'0d80_0224 - 03ff | unused | |||
| x'0d80_6000 | DI | looks almost identical to the Gamecube DI interface | ||
| x'0d80_6800 | EXI | |||
| 0x40 | ppc boot buffer |