This should help people reversing iBoot and friends. It is a work in progress.
VIC (Vectored Interrupt Controller)
Base (vic0): 0x38E00000
Base (vic1): 0x38E01000 |
| Register |
Description |
| 0x0 |
IRQ Status |
| 0x4 |
FIQ Status |
| 0x8 |
Raw Interrupt Status |
| 0xC |
Interrupt Select (0=IRQ, 1=FIQ) |
| 0x10 |
Interrupt Enable (0=Disabled, 1=Enabled) |
| 0x14 |
Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Interrupt enabled with previous reg disabled) |
| 0x18 |
Software Interrupt (0=Disabled, 1=Enabled) |
| 0x1C |
Software Interrupt Clear (Write-Only; 0=No Effect, 1=Interrupt enabled with previous reg disabled) |
| 0x20 |
Register Protection Mode. If bit 0 is set to 1, then Protection Mode is on and only privileged mode writes will work. |
| 0x24 |
Software Interrupt Priority Mask (0=Masked, 1=Not Masked) |
| 0x100 |
Vector Addresses |
| 0x200 |
Vector Priority Levels |
| 0xFE0 through 0xFEC |
Not sure what these four registers are, because I can confirm that at least SecureROM, probably iBoot and such too, will simply read them when initializing the vectored interrupt controller. It does nothing about the contents...I'll post a snippet from IDA in the discussion page, but if anyone knows what these do, put it here. |
WDT (Watchdog Timer)
| Base: 0x3C800000 |
| Register |
Description |
| 0x0 |
Control Register
NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 |
| 0x4 |
Watchdog Timeout Duration |
| 0xC |
Interrupt Clear |
USB
OTG-PHYCTRL
| Base: 0x3C400000 |
| Register |
Description |
| 0x0 |
Power Control |
| 0x4 |
Clock Control |
| 0x8 |
Reset Control |
| 0x10 |
Clock Control |
OTG
| Base: 0x38400000 |
| Register |
Description |
| 0x0 |
Control |
| 0x4 |
Interrupt |
| 0x8 |
AHB Config |
| 0xC |
Core Config |
| 0x10 |
Core Reset |
| 0x14 |
Core Interrupt |
| 0x18 |
Core Interrupt Mask |
| 0x1C and 0x20 |
Rx Status Debug |
| 0x24 |
Rx FIFO Size |
| 0x28 |
Non-Periodic Transmit FIFO Size |
| TBC... |
TBC... |
ARM7
| Base: 0x38600000 |
| Register |
Description |
| 0x100 |
Running Status
To halt the ARM7: Write 0x0 then 0x10 to this register
To make it resume: Write 0x1 to this register |
| 0x110 |
Code Address
To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 |
| 0x114 |
"Code Waiting"
I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 |
