The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720 (Hardware)"
ChronicDev (talk | contribs) (→VIC (Vectored Interrupt Controller)) |
m (→VIC (PL192): Fixed a tag that I accidentally copy pasted over in the previous edit.) |
||
(34 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
This should help people reversing iBoot and friends. It is a work in progress. |
This should help people reversing iBoot and friends. It is a work in progress. |
||
+ | ==SHA1== |
||
− | ==DMA (Direct Memory Access)== |
||
+ | <table border=1 width=100%> |
||
+ | <tr> |
||
+ | <td colspan=2><center><b>Base</b>: 0x38000000</center></td> |
||
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center><b>Register</b></center></td> |
||
+ | <td width=50%><center><b>Description</b></center></td> |
||
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center>0x00</center></td> |
||
+ | <td width=50%><center>Configuration</center></td> |
||
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center>0x04</center></td> |
||
+ | <td width=50%><center>Setup</center></td> |
||
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center>0x20 through 0x30</center></td> |
||
+ | <td width=50%><center>Output SHA1 hash</center></td> |
||
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center>0x40 through 0x7C</center></td> |
||
+ | <td width=50%><center>Data Input (64 Bytes)</center></td> |
||
+ | </tr> |
||
+ | </table> |
||
+ | See [[S5L8720 (Hardware) SHA1|S5L8720 SHA1]] for a more detailed description |
||
+ | |||
+ | ==DMA (PL080)== |
||
+ | This appears to use an ARM PrimeCell PL080. You can read the technical reference manual [http://www.mediafire.com/download.php?mjy2m1do0jg here]. |
||
+ | |||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
Line 20: | Line 50: | ||
<tr> |
<tr> |
||
<td width=50%><center>0x8</center></td> |
<td width=50%><center>0x8</center></td> |
||
− | <td width=50%><center>Interrupt Clear</center></td> |
+ | <td width=50%><center>TC Interrupt Clear</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 32: | Line 62: | ||
<tr> |
<tr> |
||
<td width=50%><center>0x14</center></td> |
<td width=50%><center>0x14</center></td> |
||
− | <td width=50%><center>Interrupt Status Before Masking</center></td> |
+ | <td width=50%><center>TC Interrupt Status Before Masking (Raw)</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td width=50%><center>0x18</center></td> |
<td width=50%><center>0x18</center></td> |
||
− | <td width=50%><center>Error Interrupt Status Before Masking</center></td> |
+ | <td width=50%><center>Error Interrupt Status Before Masking (Raw)</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 76: | Line 106: | ||
</table> |
</table> |
||
− | ==VIC ( |
+ | ==VIC (PL192)== |
− | + | This appears to use an ARM PrimeCell PL192. You can read the technical reference manual [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0273a/DDI0273.pdf here]. |
|
− | ===Peripheral Identification Registers=== |
||
− | The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec, are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. Here are some explanations about these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66. |
||
− | |||
− | ====Values for the [[S5L8720]]==== |
||
− | ] md 0x38E00FE0 |
||
− | 0x38e00fe0: 00000092 00000011 00000004 00000000 |
||
− | |||
− | ====Part Number==== |
||
− | Bits 7 through 0 of register 0xfe0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xfe4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192. |
||
− | |||
− | ====Designer==== |
||
− | Bits 7 through 4 of register 0xfe4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xfe8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited. |
||
− | |||
− | ====Revision Number=== |
||
− | Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 is the revision number, which is "0" at least for the iPod touch 2G. |
||
− | |||
− | ====Configuration==== |
||
− | The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G ('''0b00=32 Supported''', 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported). |
||
− | |||
− | ===Register Table=== |
||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
− | <td colspan=2><center |
+ | <td colspan=2><center> |
+ | <b>Base (vic0)</b>: 0x38E00000<br> |
||
+ | <b>Base (vic1)</b>: 0x38E01000</center></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 157: | Line 169: | ||
<tr> |
<tr> |
||
<td width=50%><center>0xFE0 through 0xFEC</center></td> |
<td width=50%><center>0xFE0 through 0xFEC</center></td> |
||
− | <td width=50%><center>Peripheral Identification Registers< |
+ | <td width=50%><center>Peripheral Identification Registers<br><br> |
+ | <b>Part Number</b><br> |
||
+ | Bits 7 through 0 of register 0xFE0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xFE4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192.<br> |
||
+ | <b>Designer</b><br> |
||
+ | Bits 7 through 4 of register 0xFE4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xFE8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.<br> |
||
+ | <b>Revision Number</b><br> |
||
+ | Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xFE8 is the revision number, which is "0" at least for the iPod touch 2G.<br> |
||
+ | <b>Configuration</b><br> |
||
+ | The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G ('''0b00=32 Supported''', 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).<br> |
||
+ | </center></td> |
||
</tr> |
</tr> |
||
− | </table> |
||
− | |||
− | ==WDT (Watchdog Timer)== |
||
− | <table border=1 width=100%> |
||
<tr> |
<tr> |
||
− | <td |
+ | <td width=50%><center>0xFF0 through 0xFFC</center></td> |
+ | <td width=50%><center>PrimeCell Identification Registers<br><br> |
||
− | </tr> |
||
+ | <b>Register 0xFF0</b>: Should read as 0x0D<br> |
||
− | <tr> |
||
+ | <b>Register 0xFF8</b>: Should read as 0x05<br> |
||
− | <td width=50%><center><b>Description</b></center></td> |
||
+ | <b>Register 0xFFC</b>: Should read as 0xB1</center></td> |
||
− | </tr> |
||
− | + | <b>Register 0xFF4</b>: Should read as 0xF0<br> |
|
− | <tr> |
||
− | <td width=50%><center>0x0</center></td> |
||
− | <td width=50%><center>Control Register<br><br> |
||
− | <b>NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000</b></center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x4</center></td> |
||
− | <td width=50%><center>Watchdog Timeout Duration</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0xC</center></td> |
||
− | <td width=50%><center>Interrupt Clear</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
||
− | == |
+ | ==CHIPID== |
+ | All information here was gathered by reversing iBoot and friends. |
||
− | ===OTG-PHYCTRL=== |
||
+ | |||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
− | <td colspan=2><center><b>Base</b>: |
+ | <td colspan=2><center><b>Base</b>: 0x3D100000</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 197: | Line 203: | ||
<tr> |
<tr> |
||
<td width=50%><center>0x0</center></td> |
<td width=50%><center>0x0</center></td> |
||
− | <td width=50%><center> |
+ | <td width=50%><center>Unused & Unreferenced Register</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td width=50%><center>0x4</center></td> |
<td width=50%><center>0x4</center></td> |
||
− | <td width=50%><center> |
+ | <td width=50%><center>Not yet documented</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td width=50%><center>0x8</center></td> |
<td width=50%><center>0x8</center></td> |
||
− | <td width=50%><center> |
+ | <td width=50%><center>Chip Info<br><br> |
+ | <b>Chip ID</b>: Bits 31 through 16 (0x8720, meaning it is an [[S5L8720]])<br> |
||
− | </tr> |
||
+ | <b>Security Epoch</b>: Bits 15 through 1 (0x01)<br> |
||
− | <tr> |
||
− | + | </center></td> |
|
− | <td width=50%><center>Clock Control</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
||
+ | ==WDT (Watchdog Timer)== |
||
− | ===OTG=== |
||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
− | <td colspan=2><center><b>Base</b>: |
+ | <td colspan=2><center><b>Base</b>: 0x3C800000</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 224: | Line 229: | ||
<tr> |
<tr> |
||
<td width=50%><center>0x0</center></td> |
<td width=50%><center>0x0</center></td> |
||
− | <td width=50%><center>Control< |
+ | <td width=50%><center>Control Register<br><br> |
+ | <b>NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000</b></center></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td width=50%><center>0x4</center></td> |
<td width=50%><center>0x4</center></td> |
||
− | <td width=50%><center> |
+ | <td width=50%><center>Watchdog Timeout Duration</center></td> |
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x8</center></td> |
||
− | <td width=50%><center>AHB Config</center></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td width=50%><center>0xC</center></td> |
<td width=50%><center>0xC</center></td> |
||
− | <td width=50%><center> |
+ | <td width=50%><center>Interrupt Clear</center></td> |
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x10</center></td> |
||
− | <td width=50%><center>Core Reset</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x14</center></td> |
||
− | <td width=50%><center>Core Interrupt</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x18</center></td> |
||
− | <td width=50%><center>Core Interrupt Mask</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x1C and 0x20</center></td> |
||
− | <td width=50%><center>Rx Status Debug</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x24</center></td> |
||
− | <td width=50%><center>Rx FIFO Size</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x28</center></td> |
||
− | <td width=50%><center>Non-Periodic Transmit FIFO Size</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>TBC...</center></td> |
||
− | <td width=50%><center>TBC...</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
||
+ | |||
+ | |||
+ | |||
+ | ==Timers== |
||
+ | See separate article [[S5L8720 Timers (Hardware)]] |
||
+ | |||
==ARM7 (Second CPU)== |
==ARM7 (Second CPU)== |
||
+ | All information here was gathered by looking at the code for the [[ARM7 Go]] command, as well as noting that although 2.1.1 iBoots reference this as 0xB8600000, 0x80000000 through 0xFFFFFFFF is mapped to 0x0 through 0x7FFFFFFF when the MMU does it's stuff. |
||
+ | |||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
Line 280: | Line 262: | ||
<td width=50%><center>0x100</center></td> |
<td width=50%><center>0x100</center></td> |
||
<td width=50%><center>Running Status<br><br> |
<td width=50%><center>Running Status<br><br> |
||
− | <b>To halt the ARM7</b>: |
+ | <b>To halt the ARM7</b>: Clear all bits then set bit t 2<br> |
− | <b>To make it resume</b>: |
+ | <b>To make it resume</b>: Set bit 1</center></td> |
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 298: | Line 280: | ||
<table border=1 width=100%> |
<table border=1 width=100%> |
||
<tr> |
<tr> |
||
+ | <td colspan=2><center> |
||
− | <td colspan=2><center><b>Base (uart0)</b>: 0x3CC00000<br><b>Base (uart1)</b>: 0x3DB00000<br><b>Base (uart2)</b>: 0x3DC00000<br><b>Base (uart3)</b>: 0x3DD00000<br></center></td> |
||
+ | <b>Base (uart0 - Serial)</b>: 0x3CC00000<br> |
||
+ | <b>Base (uart1 - Bluetooth)</b>: 0x3DB00000<br> |
||
+ | <b>Base (uart2)</b>: 0x3DC00000<br> |
||
+ | <b>Base (uart3)</b>: 0x3DD00000<br></center></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
Line 304: | Line 290: | ||
<td width=50%><center><b>Description</b></center></td> |
<td width=50%><center><b>Description</b></center></td> |
||
</tr> |
</tr> |
||
+ | </table> |
||
+ | |||
+ | ==SPI== |
||
+ | <table border=1 width=100%> |
||
<tr> |
<tr> |
||
− | <td |
+ | <td colspan=2><center> |
+ | <b>Base (spi0 - NOR Flash)</b>: 0x3C300000<br> |
||
− | <td width=50%><center>Line Control</center></td> |
||
+ | <b>Base (spi1 - NOR Flash)</b>: 0x3CE00000<br> |
||
+ | <b>Base (spi2)</b>: 0x3D200000<br> |
||
+ | <b>Base (spi3)</b>: 0x3DA00000<br> |
||
+ | <b>Base (spi4 - Multi Touch)</b>: 0x3E100000</center></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
− | <td width=50%><center> |
+ | <td width=50%><center><b>Register</b></center></td> |
− | <td width=50%><center> |
+ | <td width=50%><center><b>Description</b></center></td> |
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x8</center></td> |
||
− | <td width=50%><center>FIFO Control</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0xC</center></td> |
||
− | <td width=50%><center>Modem Control (uart0 and uart1 only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x10</center></td> |
||
− | <td width=50%><center>Tx / Rx Status<br><br> |
||
− | <b>Bit 0</b>: If 1, Rx buffer has data, if 0, Rx buffer is empty<br> |
||
− | <b>Bit 1</b>: If 1, Rx buffer is empty, if 0, it is not empty<br></center></td> |
||
− | <tr> |
||
− | <td width=50%><center>0x14</center></td> |
||
− | <td width=50%><center>Rx Error<br><br> |
||
− | <b>Bit 0</b>: If 1, overrun error<br> |
||
− | <b>Bit 1</b>: If 1, parity error<br> |
||
− | <b>Bit 2</b>: If 1, frame error<br> |
||
− | <b>Bit 3</b>: If 1, break signal<br></center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x18</center></td> |
||
− | <td width=50%><center>FIFO Status</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x1C</center></td> |
||
− | <td width=50%><center>Modem Status (uart0 and uart1 only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x20</center></td> |
||
− | <td width=50%><center>Tx Buffer (write-only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x24</center></td> |
||
− | <td width=50%><center>Rx Buffer (read-only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x28</center></td> |
||
− | <td width=50%><center>Baud Rate Divisor</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x2C</center></td> |
||
− | <td width=50%><center>???</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x30</center></td> |
||
− | <td width=50%><center>Interrupt Pending</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x34</center></td> |
||
− | <td width=50%><center>Interrupt Source Pending</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x38</center></td> |
||
− | <td width=50%><center>Interrupt Mask</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
||
+ | |||
+ | ==Links== |
||
+ | * [http://github.com/planetbeing/iphonelinux/tree/27b57ac836053d59421a02755920b5be6b1e7805/openiboot OpeniBoot] |
||
+ | * [http://code.google.com/p/chronicdev/wiki/N72APDevTree Decoded iPod touch 2G DevTree] |
Latest revision as of 07:49, 20 April 2010
This should help people reversing iBoot and friends. It is a work in progress.
Contents
SHA1
See S5L8720 SHA1 for a more detailed description
DMA (PL080)
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
Base (dmac1): 0x39900000 |
|
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Base (vic0): 0x38E00000 |
|
Part Number |
|
Register 0xFF0: Should read as 0x0D |
CHIPID
All information here was gathered by reversing iBoot and friends.
Chip ID: Bits 31 through 16 (0x8720, meaning it is an S5L8720) |
WDT (Watchdog Timer)
NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 |
|
Timers
See separate article S5L8720 Timers (Hardware)
ARM7 (Second CPU)
All information here was gathered by looking at the code for the ARM7 Go command, as well as noting that although 2.1.1 iBoots reference this as 0xB8600000, 0x80000000 through 0xFFFFFFFF is mapped to 0x0 through 0x7FFFFFFF when the MMU does it's stuff.
To halt the ARM7: Clear all bits then set bit t 2 |
|
To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 |
|
I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 |
UART
Base (uart0 - Serial): 0x3CC00000 |
|
SPI
Base (spi0 - NOR Flash): 0x3C300000 |
|