This should help people reversing iBoot and friends. It is a work in progress.
DMA (Direct Memory Access)

Base (dmac0): 0x38200000; Base (dmac1): 0x39900000

| Register | Description |
|---|---|
| 0x0 | Interrupt Status |
| 0x4 | TC Status (if HIGH, transaction complete) |
| 0x8 | Interrupt Clear |
| 0xC | Error Interrupt Status |
| 0x10 | Error Interrupt Clear |
| 0x14 | Interrupt Status Before Masking |
| 0x18 | Error Interrupt Status Before Masking |
| 0x1C | DMA Channels Enabled |
| 0x30 | Controller Configuration |
| 0x34 | Enable / Disable Synchronization |
| 0x100 | Channel 0 Source Address |
| 0x104 | Channel 0 Destination Address |
| 0x108 | Channel 0 Linked List Address |
| 0x10C | Channel 0 Control 1 |
| 0x110 | Channel 0 Control 2 |
| 0x114 | Channel 0 Configuration |
VIC (Vectored Interrupt Controller)

Base (vic0): 0x38E00000; Base (vic1): 0x38E01000

| Register | Description |
|---|---|
| 0x0 | IRQ Status |
| 0x4 | FIQ Status |
| 0x8 | Raw Interrupt Status |
| 0xC | Interrupt Select (per line: 0 = IRQ, 1 = FIQ) |
| 0x10 | Interrupt Enable (per line: 0 = disabled, 1 = enabled) |
| 0x14 | Interrupt Enable Clear (write-only; 0 = no effect, 1 = clears the corresponding bit in Interrupt Enable, disabling that interrupt) |
| 0x18 | Software Interrupt (per line: 0 = disabled, 1 = enabled) |
| 0x1C | Software Interrupt Clear (write-only; 0 = no effect, 1 = clears the corresponding bit in Software Interrupt) |
| 0x20 | Register Protection Mode. If bit 0 is set to 1, Protection Mode is on and only privileged-mode writes will work. |
| 0x24 | Software Interrupt Priority Mask (0 = masked, 1 = not masked) |
| 0x100 | Vector Addresses |
| 0x200 | Vector Priority Levels |
| 0xFE0 through 0xFEC | Not sure what these four registers are, because I can confirm that at least SecureROM, probably iBoot and such too, will simply read them when initializing the vectored interrupt controller. It does nothing about the contents... I'll post a snippet from IDA in the discussion page, but if anyone knows what these do, put it here. |
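The following C program is an added example, not code from the page or from any Apple firmware: it models the VIC registers listed above over a simulated register block so the enable / select / clear semantics can be exercised on a host. The offsets and the meaning of Interrupt Select, Interrupt Enable and the two write-only clear registers come from the table. The relationship between the derived registers (IRQ Status = raw-pending lines that are enabled and routed to IRQ, FIQ Status = the same for FIQ) is an assumption based on PrimeCell-style VICs and is not stated on the page; writing to Raw Interrupt Status is a simulation hook only, on hardware that register is read-only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets from the VIC base, taken from the table above. */
#define VIC_IRQ_STATUS    0x00
#define VIC_FIQ_STATUS    0x04
#define VIC_RAW_STATUS    0x08
#define VIC_INT_SELECT    0x0C  /* per line: 0 = route to IRQ, 1 = route to FIQ */
#define VIC_INT_ENABLE    0x10  /* per line: 1 = enabled */
#define VIC_INT_ENCLEAR   0x14  /* write-only: writing 1 clears the enable bit */
#define VIC_SOFT_INT      0x18
#define VIC_SOFT_INTCLEAR 0x1C  /* write-only: writing 1 clears the soft-int bit */
#define VIC_PROTECTION    0x20  /* bit 0: protection mode (privileged writes only) */

/* Simulated register block (constructed host memory for this example). On the
 * device this would be a volatile uint32_t * at 0x38E00000 (vic0) or 0x38E01000 (vic1). */
typedef struct { uint32_t reg[0x24 / 4]; } vic_sim_t;

/* Derived registers. ASSUMPTION (not on the page): a line appears in IRQ Status
 * or FIQ Status only if it is raw-pending, enabled, and routed there by Interrupt Select. */
static void vic_sim_update(vic_sim_t *v) {
    uint32_t pending = v->reg[VIC_RAW_STATUS / 4] & v->reg[VIC_INT_ENABLE / 4];
    uint32_t select  = v->reg[VIC_INT_SELECT / 4];
    v->reg[VIC_IRQ_STATUS / 4] = pending & ~select;
    v->reg[VIC_FIQ_STATUS / 4] = pending & select;
}

static uint32_t vic_read(const vic_sim_t *v, uint32_t off) { return v->reg[off / 4]; }

/* Write with the write-only clear semantics from the table; other registers just store. */
static void vic_write(vic_sim_t *v, uint32_t off, uint32_t val) {
    switch (off) {
    case VIC_INT_ENCLEAR:   v->reg[VIC_INT_ENABLE / 4] &= ~val; break;
    case VIC_SOFT_INTCLEAR: v->reg[VIC_SOFT_INT / 4]   &= ~val; break;
    case VIC_IRQ_STATUS: case VIC_FIQ_STATUS: break;   /* read-only: ignore */
    default: v->reg[off / 4] = val; break;
    }
    vic_sim_update(v);
}

static int vic_protection_enabled(const vic_sim_t *v) { return vic_read(v, VIC_PROTECTION) & 1u; }

/* Route one line to IRQ or FIQ (read-modify-write of Interrupt Select), then enable it. */
static void vic_enable_line(vic_sim_t *v, unsigned line, int as_fiq) {
    uint32_t bit = 1u << line;
    uint32_t sel = vic_read(v, VIC_INT_SELECT);
    vic_write(v, VIC_INT_SELECT, as_fiq ? (sel | bit) : (sel & ~bit));
    vic_write(v, VIC_INT_ENABLE, vic_read(v, VIC_INT_ENABLE) | bit);
}

/* Disable a line through the write-only clear register: a single write, so no
 * read-modify-write race on Interrupt Enable, which is why the clear register exists. */
static void vic_disable_line(vic_sim_t *v, unsigned line) {
    vic_write(v, VIC_INT_ENCLEAR, 1u << line);
}

typedef struct { uint32_t irq, fiq, irq_after_disable; } vic_demo_t;

/* Scenario: line 3 as IRQ, line 5 as FIQ, line 7 left disabled; lines 3, 5 and 7
 * become raw-pending (simulation hook); then line 3 is disabled again. */
static vic_demo_t vic_demo(void) {
    vic_sim_t v;
    vic_demo_t r;
    memset(&v, 0, sizeof v);
    vic_enable_line(&v, 3, 0);
    vic_enable_line(&v, 5, 1);
    vic_write(&v, VIC_RAW_STATUS, (1u << 3) | (1u << 5) | (1u << 7));
    r.irq = vic_read(&v, VIC_IRQ_STATUS);              /* only line 3: 0x08 */
    r.fiq = vic_read(&v, VIC_FIQ_STATUS);              /* only line 5: 0x20 */
    vic_disable_line(&v, 3);
    r.irq_after_disable = vic_read(&v, VIC_IRQ_STATUS); /* 0 */
    (void)vic_protection_enabled(&v);                  /* 0 in this scenario */
    return r;
}

int main(void) {
    vic_demo_t r = vic_demo();
    printf("IRQ status 0x%08x, FIQ status 0x%08x, after disable 0x%08x\n",
           r.irq, r.fiq, r.irq_after_disable);
    return 0;
}
```

When tracing SecureROM or iBoot initialisation, the same helper functions map one-to-one onto the store instructions you will see hitting 0x38E0000C, 0x38E00010 and 0x38E00014, which makes it easy to check a reconstructed interrupt map against the derived status values.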
WDT (Watchdog Timer)

Base: 0x3C800000

| Register | Description |
|---|---|
| 0x0 | Control Register. NOTE: it seems that you can disable the Watchdog Timer by writing 0x00000000 to this register, and reboot the device by writing 0x100000 to it. |
| 0x4 | Watchdog Timeout Duration |
| 0xC | Interrupt Clear |
USB

OTG-PHYCTRL

Base: 0x3C400000

| Register | Description |
|---|---|
| 0x0 | Power Control |
| 0x4 | Clock Control |
| 0x8 | Reset Control |
| 0x10 | Clock Control |

OTG

Base: 0x38400000

| Register | Description |
|---|---|
| 0x0 | Control |
| 0x4 | Interrupt |
| 0x8 | AHB Config |
| 0xC | Core Config |
| 0x10 | Core Reset |
| 0x14 | Core Interrupt |
| 0x18 | Core Interrupt Mask |
| 0x1C and 0x20 | Rx Status Debug |
| 0x24 | Rx FIFO Size |
| 0x28 | Non-Periodic Transmit FIFO Size |
| TBC... | |
ARM7 (Second CPU)

Base: 0x38600000

| Register | Description |
|---|---|
| 0x100 | Running Status. To halt the ARM7: write 0x0 then 0x10 to this register. To make it resume: write 0x1 to this register. |
| 0x110 | Code Address. To run code: halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7. |
| 0x114 | "Code Waiting". I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110. |
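The following C program is an added example, not code from the page: it encodes the halt / load / resume sequence described in the ARM7 table as functions over a simulated register block that logs every write, and then checks the log against the expected five writes. That check is the useful part when reverse engineering: a captured trace of the bootloader's stores to 0x38600100, 0x38600110 and 0x38600114 can be compared against it. The register offsets and values are from the table; the word-alignment check on the load address and the sample address 0x09000000 are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets from the ARM7 block base (0x38600000), from the table above. */
#define ARM7_RUNNING_STATUS     0x100
#define ARM7_CODE_ADDRESS       0x110
#define ARM7_CODE_WAITING       0x114
#define ARM7_CODE_WAITING_MAGIC 0x3FF0000u  /* value the page says is written to 0x114 */

/* Simulated register block plus a log of every write (constructed for this example;
 * on hardware `reg` would be a volatile pointer to the base address). */
typedef struct { uint32_t off, val; } mmio_write_t;
typedef struct {
    uint32_t     reg[0x120 / 4];
    mmio_write_t log[16];
    unsigned     nlog;
} arm7_sim_t;

static void arm7_write(arm7_sim_t *s, uint32_t off, uint32_t val) {
    s->reg[off / 4] = val;
    if (s->nlog < 16) s->log[s->nlog++] = (mmio_write_t){ off, val };
}

/* Halt: the page's two-step write of 0x0 then 0x10 to Running Status. */
static void arm7_halt(arm7_sim_t *s) {
    arm7_write(s, ARM7_RUNNING_STATUS, 0x0);
    arm7_write(s, ARM7_RUNNING_STATUS, 0x10);
}

static void arm7_resume(arm7_sim_t *s) { arm7_write(s, ARM7_RUNNING_STATUS, 0x1); }

/* Full "run code at load_addr" sequence as the table describes it. Returns 0 on
 * success, -1 if load_addr is not word aligned (ASSUMPTION: entry must be 4-byte aligned). */
static int arm7_run_code(arm7_sim_t *s, uint32_t load_addr) {
    if (load_addr & 3u) return -1;
    arm7_halt(s);
    arm7_write(s, ARM7_CODE_ADDRESS, load_addr);
    arm7_write(s, ARM7_CODE_WAITING, ARM7_CODE_WAITING_MAGIC);
    arm7_resume(s);
    return 0;
}

/* Compares a write log with the expected sequence; returns 1 if it matches exactly. */
static int arm7_sequence_ok(const arm7_sim_t *s, uint32_t load_addr) {
    const mmio_write_t expect[5] = {
        { ARM7_RUNNING_STATUS, 0x0 },
        { ARM7_RUNNING_STATUS, 0x10 },
        { ARM7_CODE_ADDRESS,   load_addr },
        { ARM7_CODE_WAITING,   ARM7_CODE_WAITING_MAGIC },
        { ARM7_RUNNING_STATUS, 0x1 },
    };
    if (s->nlog != 5) return 0;
    for (unsigned i = 0; i < 5; i++)
        if (s->log[i].off != expect[i].off || s->log[i].val != expect[i].val) return 0;
    return 1;
}

/* Runs the sequence on a fresh simulated block: 1 = log matches, 0 = mismatch,
 * -1 = rejected load address. */
static int arm7_demo(uint32_t load_addr) {
    arm7_sim_t s;
    memset(&s, 0, sizeof s);
    if (arm7_run_code(&s, load_addr) != 0) return -1;
    return arm7_sequence_ok(&s, load_addr);
}

int main(void) {
    printf("aligned address: %d, unaligned address: %d\n",
           arm7_demo(0x09000000u), arm7_demo(0x09000001u));  /* sample addresses, constructed */
    return 0;
}
```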
UART

Base (uart0): 0x3CC00000; Base (uart1): 0x3DB00000; Base (uart2): 0x3DC00000; Base (uart3): 0x3DD00000

| Register | Description |
|---|---|
| 0x0 | Line Control |
| 0x4 | Control |
| 0x8 | FIFO Control |
| 0xC | Modem Control (uart0 and uart1 only) |
| 0x10 | Tx / Rx Status. Bit 0: 1 = Rx buffer has data, 0 = Rx buffer is empty. Bit 1: 1 = Rx buffer is empty, 0 = it is not empty. |
| 0x14 | Rx Error. Bit 0: 1 = overrun error. Bit 1: 1 = parity error. Bit 2: 1 = frame error. Bit 3: 1 = break signal. |
| 0x18 | FIFO Status |
| 0x1C | Modem Status (uart0 and uart1 only) |
| 0x20 | Tx Buffer (write-only) |
| 0x24 | Rx Buffer (read-only) |
| 0x28 | Baud Rate Divisor |
| 0x2C | ??? |
| 0x30 | Interrupt Pending |
| 0x34 | Interrupt Source Pending |
| 0x38 | Interrupt Mask |
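The following C program is an added example, not code from the page or from any firmware: it decodes the Tx / Rx Status and Rx Error bit fields exactly as the table labels them and drives a polled single-byte receive over a simulated UART block, checking Rx Error before trusting a byte from Rx Buffer. The offsets and bit assignments are from the table; the simulated FIFO, the "OK\r\n" sample input and the poll limit are constructed for the example, and the simulation's behaviour of dropping status bit 0 once its FIFO is drained is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets from a UART base (uart0: 0x3CC00000, ...), from the table above. */
#define UART_TRSTAT 0x10   /* Tx / Rx Status */
#define UART_RXERR  0x14   /* Rx Error */
#define UART_TXBUF  0x20   /* write-only */
#define UART_RXBUF  0x24   /* read-only */

#define UART_TRSTAT_RX_HAS_DATA (1u << 0)
#define UART_TRSTAT_RX_EMPTY    (1u << 1)   /* bit 1 as labelled on the page */
#define UART_RXERR_OVERRUN      (1u << 0)
#define UART_RXERR_PARITY       (1u << 1)
#define UART_RXERR_FRAME        (1u << 2)
#define UART_RXERR_BREAK        (1u << 3)
#define UART_RXERR_ANY          0xFu

typedef struct { int overrun, parity, frame, brk; } uart_rx_error_t;

/* Splits the Rx Error register into its four flags. */
static uart_rx_error_t uart_decode_rx_error(uint32_t v) {
    uart_rx_error_t e = { !!(v & UART_RXERR_OVERRUN), !!(v & UART_RXERR_PARITY),
                          !!(v & UART_RXERR_FRAME),   !!(v & UART_RXERR_BREAK) };
    return e;
}

/* Simulated UART (constructed for the example). On hardware `reg` would be a
 * volatile pointer to the base address and a read of Rx Buffer pops the FIFO. */
typedef struct {
    uint32_t       reg[0x3C / 4];
    const uint8_t *fifo;
    unsigned       fifo_len, fifo_pos;
} uart_sim_t;

static uint32_t uart_read(uart_sim_t *u, uint32_t off) {
    if (off == UART_RXBUF) {
        uint32_t b = (u->fifo_pos < u->fifo_len) ? u->fifo[u->fifo_pos++] : 0;
        /* ASSUMPTION: status bit 0 drops once the last queued byte is consumed. */
        if (u->fifo_pos >= u->fifo_len) u->reg[UART_TRSTAT / 4] &= ~UART_TRSTAT_RX_HAS_DATA;
        return b;
    }
    return u->reg[off / 4];
}

/* Polled receive of one byte: 1 = byte stored in *out, 0 = nothing within
 * max_polls, -1 = Rx Error reported a fault (decoded into *err). Checking the
 * error register first matters: a frame or break error otherwise shows up as
 * an ordinary-looking byte in whatever parses the serial console. */
static int uart_recv_byte(uart_sim_t *u, uint8_t *out, uart_rx_error_t *err, unsigned max_polls) {
    for (unsigned i = 0; i < max_polls; i++) {
        uint32_t rxerr = uart_read(u, UART_RXERR);
        if (rxerr & UART_RXERR_ANY) { *err = uart_decode_rx_error(rxerr); return -1; }
        if (uart_read(u, UART_TRSTAT) & UART_TRSTAT_RX_HAS_DATA) {
            *out = (uint8_t)uart_read(u, UART_RXBUF);
            return 1;
        }
    }
    return 0;
}

typedef struct { unsigned n; int rc; uart_rx_error_t err; uint8_t buf[8]; } uart_demo_t;

/* Drains a constructed 4-byte FIFO ("OK\r\n") with the given Rx Error value injected. */
static uart_demo_t uart_demo(uint32_t injected_rxerr) {
    static const uint8_t fifo[] = { 'O', 'K', '\r', '\n' };   /* constructed input */
    uart_sim_t u;
    uart_demo_t d;
    memset(&u, 0, sizeof u);
    memset(&d, 0, sizeof d);
    u.fifo = fifo; u.fifo_len = sizeof fifo; u.fifo_pos = 0;
    u.reg[UART_TRSTAT / 4] = UART_TRSTAT_RX_HAS_DATA;
    u.reg[UART_RXERR / 4]  = injected_rxerr;
    while (d.n < sizeof d.buf && (d.rc = uart_recv_byte(&u, &d.buf[d.n], &d.err, 4)) == 1) d.n++;
    return d;   /* clean run: n == 4, rc == 0 (polls ran out); injected error: n == 0, rc == -1 */
}

int main(void) {
    uart_demo_t ok = uart_demo(0), bad = uart_demo(UART_RXERR_FRAME);
    printf("clean: %u bytes, rc %d; frame error: %u bytes, rc %d, frame flag %d\n",
           ok.n, ok.rc, bad.n, bad.rc, bad.err.frame);
    return 0;
}
```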