Difference between revisions of "S5L8720 (Hardware)"
| ChronicDev (talk | contribs)  (→CHIPID) | ChronicDev (talk | contribs)   (Removing information I am not 100% about, will add back after later verification /rce) | ||
| Line 225: | Line 225: | ||
| </table> | </table> | ||
| − | ==USB== | ||
| − | ===OTG-PHYCTRL=== | ||
| − | <table border=1 width=100%> | ||
| − | <tr> | ||
| − | <td colspan=2><center><b>Base</b>: 0x3C400000</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center><b>Register</b></center></td> | ||
| − | <td width=50%><center><b>Description</b></center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x0</center></td> | ||
| − | <td width=50%><center>Power Control</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x4</center></td> | ||
| − | <td width=50%><center>Clock Control</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x8</center></td> | ||
| − | <td width=50%><center>Reset Control</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x10</center></td> | ||
| − | <td width=50%><center>Clock Control</center></td> | ||
| − | </tr> | ||
| − | </table> | ||
| − | ===OTG=== | ||
| − | <table border=1 width=100%> | ||
| − | <tr> | ||
| − | <td colspan=2><center><b>Base</b>: 0x38400000</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center><b>Register</b></center></td> | ||
| − | <td width=50%><center><b>Description</b></center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x0</center></td> | ||
| − | <td width=50%><center>Control</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x4</center></td> | ||
| − | <td width=50%><center>Interrupt</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x8</center></td> | ||
| − | <td width=50%><center>AHB Config</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0xC</center></td> | ||
| − | <td width=50%><center>Core Config</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x10</center></td> | ||
| − | <td width=50%><center>Core Reset</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x14</center></td> | ||
| − | <td width=50%><center>Core Interrupt</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x18</center></td> | ||
| − | <td width=50%><center>Core Interrupt Mask</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x1C and 0x20</center></td> | ||
| − | <td width=50%><center>Rx Status Debug</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x24</center></td> | ||
| − | <td width=50%><center>Rx FIFO Size</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>0x28</center></td> | ||
| − | <td width=50%><center>Non-Periodic Transmit FIFO Size</center></td> | ||
| − | </tr> | ||
| − | <tr> | ||
| − | <td width=50%><center>TBC...</center></td> | ||
| − | <td width=50%><center>TBC...</center></td> | ||
| − | </tr> | ||
| − | </table> | ||
| ==ARM7 (Second CPU)== | ==ARM7 (Second CPU)== | ||
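Review bot: the edit summary does not say which USB entries are in doubt, and the removal takes out both tables whole, including the two base addresses (0x3C400000 and 0x38400000) and every OTG offset from 0x0 through 0x28. The rows that visibly need checking are the OTG-PHYCTRL entries at 0x4 and 0x10, which both read "Clock Control", and the trailing "TBC..." row of the OTG table. Consider keeping the section with the doubtful rows marked as unverified, or listing on the talk page which entries are to be re-checked, so the later verification has a concrete list to work from.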
Revision as of 02:35, 23 February 2009
This should help people reversing iBoot and friends. It is a work in progress.
DMA (PL080)
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
| Base (dmac1): 0x39900000 | |
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Register Table
| Base (vic1): 0x38E01000 | |
| Register 0xFF0: Should read as 0x0D | |
Peripheral Identification Registers
The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. The explanations below cover these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66.
Values for the S5L8720
0x38e00fe0: 00000092
0x38e00fe4: 00000011
0x38e00fe8: 00000004
0x38e00fec: 00000000
Part Number
Bits 7 through 0 of register 0xfe0 hold one portion of the part number (0x92), and bits 3 through 0 of register 0xfe4 hold the other portion of it (0x1). If you do some annoying shifting to put them together, you get 0x192 (((0x92 | (0x11 << 8)) & 0xFFF) == 0x192). 0x192 indicates that it is an ARM PrimeCell PL192.
Designer
Bits 7 through 4 of register 0xfe4 hold one portion of the designer tag (0x1), and bits 3 through 0 of register 0xfe8 hold the other portion of it (0x4). Like above, we can do ((0x11 >> 4) | (0x4 << 4)) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.
Revision Number
Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 hold the revision number, which is "0" at least for the iPod touch 2G.
Configuration
The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appears to be 32 for the iPod touch 2G (0b00=32 Supported, 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).
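The field extraction described in the four subsections above, as an added example that is not part of the original wiki page. The names `periph_id` and `decode_periph_id` are hypothetical, and the code assumes the Configuration byte is the one at 0xfec, the only one of the four registers the text does not otherwise assign.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the four 8-bit peripheral ID registers (0xfe0..0xfec). */
struct periph_id {
    uint16_t part;        /* 12 bits: 0xfe0[7:0] plus 0xfe4[3:0] */
    uint8_t  designer;    /* 8 bits: 0xfe4[7:4] plus 0xfe8[3:0] */
    uint8_t  revision;    /* 4 bits: 0xfe8[7:4] */
    uint8_t  config;      /* 8 bits: 0xfec[7:0] (assumed location) */
    unsigned interrupts;  /* from config[1:0]: 32, 64, 128 or 256 */
    int      valid;       /* 0 if config bits 7..2 do not read back as 0 */
};

/* id[0..3] are the words read at offsets 0xfe0, 0xfe4, 0xfe8, 0xfec.
 * Only the low byte of each word is defined, so the rest is masked off. */
struct periph_id decode_periph_id(const uint32_t id[4])
{
    /* Treat the four bytes as one conceptual 32-bit register. */
    uint32_t w = (id[0] & 0xff) | ((id[1] & 0xff) << 8) |
                 ((id[2] & 0xff) << 16) | ((id[3] & 0xff) << 24);
    struct periph_id p;

    p.part       = (uint16_t)(w & 0xfff);
    p.designer   = (uint8_t)((w >> 12) & 0xff);
    p.revision   = (uint8_t)((w >> 20) & 0xf);
    p.config     = (uint8_t)((w >> 24) & 0xff);
    p.interrupts = 32u << (p.config & 0x3);   /* 0b00=32 ... 0b11=256 */
    p.valid      = (p.config & 0xfc) == 0;
    return p;
}

int main(void)
{
    /* Values listed on this page for the S5L8720. */
    const uint32_t s5l8720[4] = { 0x00000092, 0x00000011,
                                  0x00000004, 0x00000000 };
    struct periph_id p = decode_periph_id(s5l8720);

    printf("part=0x%03x designer=0x%02x ('%c') rev=%u irqs=%u valid=%d\n",
           (unsigned)p.part, (unsigned)p.designer, p.designer,
           (unsigned)p.revision, p.interrupts, p.valid);
    return 0;
}
```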
CHIPID
All information here was gathered by reversing iBoot and friends.
| Chip ID: Bits 31 through 16 (0x8720, meaning it is an S5L8720) | |
WDT (Watchdog Timer)
| NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 | |
ARM7 (Second CPU)
All information here was gathered by looking at the code for the ARM7 Go command, as well as noticing the 0x38000000==0xb8000000 alias that the S5L8720 seems to have.
| To halt the ARM7: Write 0x0 then 0x10 to this register | |
| To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 | |
| I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 | |
UART
| Base (uart1): 0x3DB00000 Base (uart2): 0x3DC00000 Base (uart3): 0x3DD00000 | |
| Bit 0: If 1, Rx buffer has data, if 0, Rx buffer is empty | |
| Bit 0: If 1, overrun error | |
