|  |  | 
  | Line 171: | Line 171: | 
  |  | </table> |  | </table> | 
  |  |  |  |  | 
  | − | ==ARM7== | + | ==ARM7 (Second CPU)== | 
  |  | <table border=1 width=100%> |  | <table border=1 width=100%> | 
  |  | <tr> |  | <tr> | 
		Revision as of 17:26, 15 February 2009
This should help people reversing iBoot and friends. It is a work in progress.
VIC (Vectored Interrupt Controller)
| Base (vic0): 0x38E00000; Base (vic1): 0x38E01000 | 
| Register | Description | 
| 0x0 | IRQ Status | 
| 0x4 | FIQ Status | 
| 0x8 | Raw Interrupt Status | 
| 0xC | Interrupt Select (0=IRQ, 1=FIQ) | 
| 0x10 | Interrupt Enable (0=Disabled, 1=Enabled) | 
| 0x14 | Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Disables the interrupt enabled in the previous register) | 
| 0x18 | Software Interrupt (0=Disabled, 1=Enabled) | 
| 0x1C | Software Interrupt Clear (Write-Only; 0=No Effect, 1=Disables the software interrupt enabled in the previous register) | 
| 0x20 | Register Protection Mode. If bit 0 is set to 1, then Protection Mode is on and only privileged mode writes will work. | 
| 0x24 | Software Interrupt Priority Mask (0=Masked, 1=Not Masked) | 
| 0x100 | Vector Addresses | 
| 0x200 | Vector Priority Levels | 
| 0xFE0 through 0xFEC | Not sure what these four registers are, because I can confirm that at least SecureROM, probably iBoot and such too, will simply read them when initializing the vectored interrupt controller. It does nothing about the contents... I'll post a snippet from IDA in the discussion page, but if anyone knows what these do, put it here. | 
WDT (Watchdog Timer)
| Base: 0x3C800000 | 
| Register | Description | 
| 0x0 | Control Register. NOTE: It seems that you can disable the Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000. | 
| 0x4 | Watchdog Timeout Duration | 
| 0xC | Interrupt Clear | 
USB
OTG-PHYCTRL
| Base: 0x3C400000 | 
| Register | Description | 
| 0x0 | Power Control | 
| 0x4 | Clock Control | 
| 0x8 | Reset Control | 
| 0x10 | Clock Control | 
OTG
| Base: 0x38400000 | 
| Register | Description | 
| 0x0 | Control | 
| 0x4 | Interrupt | 
| 0x8 | AHB Config | 
| 0xC | Core Config | 
| 0x10 | Core Reset | 
| 0x14 | Core Interrupt | 
| 0x18 | Core Interrupt Mask | 
| 0x1C and 0x20 | Rx Status Debug | 
| 0x24 | Rx FIFO Size | 
| 0x28 | Non-Periodic Transmit FIFO Size | 
| TBC... | TBC... | 
ARM7 (Second CPU)
| Base: 0x38600000 | 
| Register | Description | 
| 0x100 | Running Status. To halt the ARM7: Write 0x0 then 0x10 to this register. To make it resume: Write 0x1 to this register. | 
| 0x110 | Code Address. To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7. | 
| 0x114 | "Code Waiting". I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110. | 
UART
| Base (uart0): 0x3CC00000; Base (uart1): 0x3DB00000; Base (uart2): 0x3DC00000; Base (uart3): 0x3DD00000 | 
| Register | Description | 
| 0x0 | Line Control | 
| 0x4 | Control | 
| 0x8 | FIFO Control | 
| 0xC | Modem Control (uart0 and uart1 only) | 
| 0x10 | Tx / Rx Status. Bit 0: If 1, Rx buffer has data; if 0, Rx buffer is empty. Bit 1: If 1, Rx buffer is empty; if 0, it is not empty. | 
| 0x14 | Rx Error. Bit 0: If 1, overrun error. Bit 1: If 1, parity error. Bit 2: If 1, frame error. Bit 3: If 1, break signal. | 
| 0x18 | FIFO Status | 
| 0x1C | Modem Status (uart0 and uart1 only) | 
| 0x20 | Tx Buffer (write-only) | 
| 0x24 | Rx Buffer (read-only) | 
| 0x28 | Baud Rate Divisor | 
| 0x2C | ??? | 
| 0x30 | Interrupt Pending | 
| 0x34 | Interrupt Source Pending | 
| 0x38 | Interrupt Mask |
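
The UART receive registers above (Tx / Rx Status, Rx Error, Rx Buffer) combine into a polled read like the one below, which is the access pattern to look for when annotating a disassembly. This is an added example, not code taken from iBoot or from this page; the function and macro names are hypothetical, and the read order and the byte sitting in the low 8 bits of Rx Buffer are assumptions.

```c
#include <stdint.h>

/* Register offsets from the UART table on this page. */
#define UART_TRSTAT 0x10u            /* Tx / Rx Status */
#define UART_RXERR  0x14u            /* Rx Error */
#define UART_RXBUF  0x24u            /* Rx Buffer (read-only) */

#define TRSTAT_RX_HAS_DATA (1u << 0) /* bit 0: 1 = Rx buffer has data */

/* Rx Error bits as listed on this page. */
#define RXERR_OVERRUN (1u << 0)
#define RXERR_PARITY  (1u << 1)
#define RXERR_FRAME   (1u << 2)
#define RXERR_BREAK   (1u << 3)
#define RXERR_ALL     0xFu

enum { UART_RX_EMPTY = -1, UART_RX_ERROR = -2 };

/* 32-bit register read at a byte offset from a UART base. */
static inline uint32_t reg_read(volatile uint32_t *base, uint32_t off)
{
    return base[off / 4];
}

/* Polls once. Returns the received byte (0..255), UART_RX_EMPTY when
 * bit 0 of Tx / Rx Status is clear, or UART_RX_ERROR with the RXERR_*
 * bits stored in *err_out (err_out may be NULL).
 * On hardware, base would be e.g. (volatile uint32_t *)0x3CC00000 for
 * uart0; any 32-bit array works as a stand-in for offline testing. */
int uart_poll_rx(volatile uint32_t *base, uint32_t *err_out)
{
    if (!(reg_read(base, UART_TRSTAT) & TRSTAT_RX_HAS_DATA))
        return UART_RX_EMPTY;

    /* Assumption: sample the error bits before taking the byte. */
    uint32_t err = reg_read(base, UART_RXERR) & RXERR_ALL;
    /* Assumption: read the byte even on error so the FIFO advances. */
    uint32_t data = reg_read(base, UART_RXBUF);

    if (err) {
        if (err_out)
            *err_out = err;
        return UART_RX_ERROR;
    }
    return (int)(data & 0xFFu); /* assumption: byte is in the low 8 bits */
}
```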