Latest revision as of 07:49, 20 April 2010
This should help people reversing iBoot and friends. It is a work in progress.
SHA1
| Base: 0x38000000 | 
| Register | Description | 
| 0x00 | Configuration | 
| 0x04 | Setup | 
| 0x20 through 0x30 | Output SHA1 hash | 
| 0x40 through 0x7C | Data Input (64 Bytes) | 
See S5L8720 SHA1 for a more detailed description.
DMA (PL080)
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
| Base (dmac0): 0x38200000 | Base (dmac1): 0x39900000 |
| Register | Description | 
| 0x0 | Interrupt Status | 
| 0x4 | TC Status (If HIGH, transaction complete) | 
| 0x8 | TC Interrupt Clear | 
| 0xC | Error Interrupt Status | 
| 0x10 | Error Interrupt Clear | 
| 0x14 | TC Interrupt Status Before Masking (Raw) | 
| 0x18 | Error Interrupt Status Before Masking (Raw) | 
| 0x1C | DMA Channels Enabled | 
| 0x30 | Controller Configuration | 
| 0x34 | Enable / Disable Synchronization | 
| 0x100 | Channel 0 Source Address | 
| 0x104 | Channel 0 Destination Address | 
| 0x108 | Channel 0 Linked List Address | 
| 0x10C | Channel 0 Control 1 | 
| 0x110 | Channel 0 Control 2 | 
| 0x114 | Channel 0 Configuration | 
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
| Base (vic0): 0x38E00000 | Base (vic1): 0x38E01000 |
| Register | Description | 
| 0x0 | IRQ Status | 
| 0x4 | FIQ Status | 
| 0x8 | Raw Interrupt Status | 
| 0xC | Interrupt Select (0=IRQ, 1=FIQ) | 
| 0x10 | Interrupt Enable (0=Disabled, 1=Enabled) | 
| 0x14 | Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Clears the corresponding bit in the Interrupt Enable register, disabling that interrupt) | 
| 0x18 | Software Interrupt (0=Disabled, 1=Enabled) | 
| 0x1C | Software Interrupt Clear (Write-Only; 0=No Effect, 1=Clears the corresponding bit in the Software Interrupt register) | 
| 0x20 | Register Protection Mode. If bit 0 is set to 1, then Protection Mode is on and only privileged mode writes will work. | 
| 0x24 | Software Interrupt Priority Mask (0=Masked, 1=Not Masked) | 
| 0x100 | Vector Addresses | 
| 0x200 | Vector Priority Levels | 
| 0xFE0 through 0xFEC | Peripheral Identification Registers (see notes below) | 
| 0xFF0 through 0xFFC | PrimeCell Identification Registers (see notes below) | 

Peripheral Identification Registers (0xFE0 through 0xFEC)

Part Number: Bits 7 through 0 of register 0xFE0 hold one portion of the part number (0x92), and bits 3 through 0 of register 0xFE4 hold the other portion (0x1). With some annoying shifting to put them together you get 0x192 (((0x92 | (0x11 << 8)) & 0xFFF) == 0x192). 0x192 indicates that it is an ARM PrimeCell PL192.

Designer: Bits 7 through 4 of register 0xFE4 hold one portion of the designer tag (0x1), and bits 3 through 0 of register 0xFE8 hold the other portion (0x4). As above, ((0x11 >> 4) | (0x4 << 4)) gives 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.

Revision Number: Unlike the above two, this one is easy. Bits 7 through 4 of register 0xFE8 are the revision number, which is 0 at least for the iPod touch 2G.

Configuration: The reference manual states only that bits 7 through 2 should read back as 0. Bits 1 through 0 indicate the number of interrupts supported, which is 32 for the iPod touch 2G (0b00=32 supported, 0b01=64 supported, 0b10=128 supported, 0b11=256 supported).

PrimeCell Identification Registers (0xFF0 through 0xFFC)

Register 0xFF0 should read as 0x0D, register 0xFF4 as 0xF0, register 0xFF8 as 0x05 and register 0xFFC as 0xB1.
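An added example (not code from this wiki page) that decodes the four peripheral ID bytes into part number, designer, revision and interrupt count exactly as the notes above describe, and probes a register window for them. The fake window holding 0x92/0x11/0x04/0x00 is constructed here from the values reported for the iPod touch 2G; on hardware the pointer would be vic0 or vic1.

```c
#include <stdint.h>

/* Decoded view of the PL192's four peripheral ID bytes (registers 0xFE0 through 0xFEC). */
struct pl192_periph_id {
    uint16_t part_number;    /* 0x192 for a PL192 */
    uint8_t  designer;       /* 0x41 = 'A' = ARM Limited */
    uint8_t  revision;
    uint16_t num_interrupts; /* 32, 64, 128 or 256 */
};

/* id0..id3 are the values read from 0xFE0, 0xFE4, 0xFE8 and 0xFEC respectively. */
struct pl192_periph_id pl192_decode_periph_id(uint32_t id0, uint32_t id1,
                                              uint32_t id2, uint32_t id3)
{
    struct pl192_periph_id r;
    /* Part number: bits 7:0 of 0xFE0 are the low byte, bits 3:0 of 0xFE4 the high nibble. */
    r.part_number = (uint16_t)((id0 & 0xFF) | ((id1 & 0x0F) << 8));
    /* Designer: bits 7:4 of 0xFE4 are the low nibble, bits 3:0 of 0xFE8 the high nibble. */
    r.designer = (uint8_t)(((id1 >> 4) & 0x0F) | ((id2 & 0x0F) << 4));
    /* Revision: bits 7:4 of 0xFE8. */
    r.revision = (uint8_t)((id2 >> 4) & 0x0F);
    /* Configuration: bits 1:0 of 0xFEC give the interrupt count as 32 << n. */
    r.num_interrupts = (uint16_t)(32u << (id3 & 0x03));
    return r;
}

/* Reads the ID registers through a pointer to the VIC's MMIO window and reports whether
 * they describe a PL192 designed by ARM. 'base' would be 0x38E00000 (vic0) on the device. */
int pl192_probe(const volatile uint32_t *base, struct pl192_periph_id *out)
{
    *out = pl192_decode_periph_id(base[0xFE0 / 4], base[0xFE4 / 4],
                                  base[0xFE8 / 4], base[0xFEC / 4]);
    return out->part_number == 0x192 && out->designer == 'A';
}

/* Constructed sample window (not a dump): the bytes the iPod touch 2G's VIC is said to return. */
const volatile uint32_t *pl192_sample_window(void)
{
    static uint32_t win[0x1000 / 4];
    win[0xFE0 / 4] = 0x92; win[0xFE4 / 4] = 0x11;
    win[0xFE8 / 4] = 0x04; win[0xFEC / 4] = 0x00;
    return win;
}

/* Convenience wrapper: 1 if the sample window decodes to a PL192 with 32 interrupts. */
int pl192_sample_is_pl192(void)
{
    struct pl192_periph_id id;
    return pl192_probe(pl192_sample_window(), &id) && id.num_interrupts == 32;
}
```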
CHIPID
All information here was gathered by reversing iBoot and friends.
| Base: 0x3D100000 | 
| Register | Description | 
| 0x0 | Unused & Unreferenced Register | 
| 0x4 | Not yet documented | 
| 0x8 | Chip Info. Chip ID: bits 31 through 16 (0x8720, meaning it is an S5L8720). Security Epoch: bits 15 through 1 (0x01). | 
WDT (Watchdog Timer)
| Base: 0x3C800000 | 
| Register | Description | 
| 0x0 | Control Register. NOTE: It seems that you can disable the Watchdog Timer by writing 0x00000000 to this register, and reboot the device by writing 0x100000 to it. | 
| 0x4 | Watchdog Timeout Duration | 
| 0xC | Interrupt Clear | 
Timers
See separate article S5L8720 Timers (Hardware)
ARM7 (Second CPU)
All information here was gathered by looking at the code for the ARM7 Go command. Note that although 2.1.1 iBoots reference this block as 0xB8600000, 0x80000000 through 0xFFFFFFFF is mapped to 0x0 through 0x7FFFFFFF once the MMU is on, so the physical base is 0x38600000.
| Base: 0x38600000 | 
| Register | Description | 
| 0x100 | Running Status. To halt the ARM7: clear all bits, then set bit 2. To make it resume: set bit 1. | 
| 0x110 | Code Address. To run code: halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7. | 
| 0x114 | "Code Waiting". I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110. | 
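An added example, not code from iBoot or from this page, that wires the 0x100/0x110/0x114 sequence above into C against a fake register window so it can be checked off-device. The virtual-to-physical helper follows the MMU note above; treating "set bit 1" as a read-modify-write, passing sub-0x80000000 addresses through unchanged, and the load address used in the test are my assumptions.

```c
#include <stdint.h>

/* Offsets in the ARM7 control block (physical base 0x38600000), as documented above. */
#define ARM7_RUNNING_STATUS     0x100
#define ARM7_CODE_ADDRESS       0x110
#define ARM7_CODE_WAITING       0x114
#define ARM7_CODE_WAITING_MAGIC 0x3FF0000u
#define ARM7_HALT_BIT           (1u << 2)
#define ARM7_RESUME_BIT         (1u << 1)

/* iBoot 2.1.1 refers to the block as 0xB8600000: with the MMU on, 0x80000000-0xFFFFFFFF
 * maps onto 0x0-0x7FFFFFFF, so clearing the top bit gives the physical address.
 * Assumption: addresses already below 0x80000000 are returned unchanged. */
uint32_t iboot_virt_to_phys(uint32_t va)
{
    return va & 0x7FFFFFFFu;
}

static inline void mmio_write(volatile uint32_t *base, uint32_t off, uint32_t v) { base[off / 4] = v; }
static inline uint32_t mmio_read(volatile uint32_t *base, uint32_t off) { return base[off / 4]; }

/* Halt: clear every bit of the running-status register, then set bit 2. */
void arm7_halt(volatile uint32_t *base)
{
    mmio_write(base, ARM7_RUNNING_STATUS, 0);
    mmio_write(base, ARM7_RUNNING_STATUS, ARM7_HALT_BIT);
}

/* Resume: set bit 1. Assumption: read-modify-write so the other bits are left alone. */
void arm7_resume(volatile uint32_t *base)
{
    mmio_write(base, ARM7_RUNNING_STATUS, mmio_read(base, ARM7_RUNNING_STATUS) | ARM7_RESUME_BIT);
}

/* The documented sequence for handing a code image at load_addr to the ARM7. */
void arm7_run(volatile uint32_t *base, uint32_t load_addr)
{
    arm7_halt(base);
    mmio_write(base, ARM7_CODE_ADDRESS, load_addr);
    mmio_write(base, ARM7_CODE_WAITING, ARM7_CODE_WAITING_MAGIC);
    arm7_resume(base);
}

/* Constructed stand-in for the MMIO window; on the device this would be the 0x38600000 block. */
volatile uint32_t *arm7_fake_window(void)
{
    static uint32_t win[0x200 / 4];
    return win;
}
```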
UART
| Base (uart0 - Serial): 0x3CC00000 | Base (uart1 - Bluetooth): 0x3DB00000 | Base (uart2): 0x3DC00000 | Base (uart3): 0x3DD00000 | 
| Register | Description | 
SPI
| Base (spi0 - NOR Flash): 0x3C300000 | Base (spi1 - NOR Flash): 0x3CE00000 | Base (spi2): 0x3D200000 | Base (spi3): 0x3DA00000 | Base (spi4 - Multi Touch): 0x3E100000 | 
| Register | Description | 
Links