Difference between revisions of "S5L8720 (Hardware)"

From The iPhone Wiki
This should help people reversing iBoot and friends. It is a work in progress.
   

==SHA1==
<table border=1 width=100%>
<tr>
<td colspan=2><center><b>Base</b>: 0x38000000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x00</center></td>
<td width=50%><center>Configuration</center></td>
</tr>
<tr>
<td width=50%><center>0x04</center></td>
<td width=50%><center>Setup</center></td>
</tr>
<tr>
<td width=50%><center>0x20 through 0x30</center></td>
<td width=50%><center>Output SHA1 hash (5 words, 20 bytes)</center></td>
</tr>
<tr>
<td width=50%><center>0x40 through 0x7C</center></td>
<td width=50%><center>Data Input (64 Bytes, one SHA-1 block)</center></td>
</tr>
</table>
See [[S5L8720 (Hardware) SHA1|S5L8720 SHA1]] for a more detailed description.
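A software model of this data path, added here as an example and not taken from iBoot or openiboot: it mirrors the 0x20 through 0x30 output window and the 0x40 through 0x7C input window in a struct, runs the standard SHA-1 compression that the engine performs on each 64-byte block, and checks the result against the FIPS 180-1 known answers. The word offsets the page does not describe (0x08 through 0x1C, 0x34 through 0x3C) are padded as reserved, and no meaning is assumed for the Configuration and Setup bits, so this is a reference for checking a digest read back from the hardware (or for emulating the block while reversing), not a driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the register window as the page describes it.  The reserved
 * words are an assumption: the page says nothing about those offsets. */
struct sha1_regs {
    uint32_t config;        /* 0x00 */
    uint32_t setup;         /* 0x04 */
    uint32_t reserved0[6];  /* 0x08..0x1C, not described */
    uint32_t hash_out[5];   /* 0x20..0x30, 160-bit digest / chaining state */
    uint32_t reserved1[3];  /* 0x34..0x3C, not described */
    uint32_t data_in[16];   /* 0x40..0x7C, one 64-byte message block */
};

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Load a 64-byte block into the input window as 16 big-endian words. */
static void sha1_load_block(struct sha1_regs *r, const uint8_t *blk)
{
    for (int i = 0; i < 16; i++)
        r->data_in[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
                        ((uint32_t)blk[4*i+2] << 8) | blk[4*i+3];
}

/* One SHA-1 compression (FIPS 180-1): what the engine does per block.
 * hash_out is the chaining state in and the updated state out. */
static void sha1_compress(struct sha1_regs *r)
{
    uint32_t w[80];
    for (int t = 0; t < 16; t++) w[t] = r->data_in[t];
    for (int t = 16; t < 80; t++) w[t] = rol32(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1);
    uint32_t a = r->hash_out[0], b = r->hash_out[1], c = r->hash_out[2],
             d = r->hash_out[3], e = r->hash_out[4];
    for (int t = 0; t < 80; t++) {
        uint32_t f, k;
        if (t < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t tmp = rol32(a, 5) + f + e + k + w[t];
        e = d; d = c; c = rol32(b, 30); b = a; a = tmp;
    }
    r->hash_out[0] += a; r->hash_out[1] += b; r->hash_out[2] += c;
    r->hash_out[3] += d; r->hash_out[4] += e;
}

/* Hash an arbitrary message through the model: seed the state, pad the
 * message, push each 64-byte block through the input window and read the
 * 20-byte digest back from 0x20..0x30. */
void sha1_via_regs(struct sha1_regs *r, const uint8_t *msg, size_t len, uint8_t digest[20])
{
    static const uint32_t iv[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    memcpy(r->hash_out, iv, sizeof iv);
    size_t off = 0;
    while (len - off >= 64) { sha1_load_block(r, msg + off); sha1_compress(r); off += 64; }
    /* Padding: 0x80, zeros, then the 64-bit big-endian bit length.  It needs a
     * second block when fewer than 9 bytes are free in the last one. */
    uint8_t tail[128];
    size_t n = len - off;
    memcpy(tail, msg + off, n);
    tail[n++] = 0x80;
    size_t padded = (n <= 56) ? 64 : 128;
    memset(tail + n, 0, padded - n);
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) tail[padded - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t o = 0; o < padded; o += 64) { sha1_load_block(r, tail + o); sha1_compress(r); }
    for (int i = 0; i < 5; i++) {
        digest[4*i]   = (uint8_t)(r->hash_out[i] >> 24);
        digest[4*i+1] = (uint8_t)(r->hash_out[i] >> 16);
        digest[4*i+2] = (uint8_t)(r->hash_out[i] >> 8);
        digest[4*i+3] = (uint8_t)(r->hash_out[i]);
    }
}

/* Known-answer check against the FIPS 180-1 vectors for "abc" and the empty
 * message; returns 1 when the model matches both. */
int sha1_model_selftest(void)
{
    static const uint8_t abc[20]   = {0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
                                      0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d};
    static const uint8_t empty[20] = {0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
                                      0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09};
    struct sha1_regs r;
    uint8_t d[20];
    memset(&r, 0, sizeof r);
    sha1_via_regs(&r, (const uint8_t *)"abc", 3, d);
    if (memcmp(d, abc, 20) != 0) return 0;
    sha1_via_regs(&r, (const uint8_t *)"", 0, d);
    return memcmp(d, empty, 20) == 0;
}

int main(void)
{
    struct sha1_regs r;
    uint8_t d[20];
    memset(&r, 0, sizeof r);
    sha1_via_regs(&r, (const uint8_t *)"abc", 3, d);   /* constructed sample input */
    for (int i = 0; i < 20; i++) printf("%02x", d[i]);
    printf("\n");
    return sha1_model_selftest() ? 0 : 1;
}
```

On a real device the only parts of this that change are that the two windows are the memory-mapped words at 0x38000040 and 0x38000020 and that the Configuration/Setup writes documented on the linked page have to start the engine and signal completion between blocks; the padding and the expected digests stay the same, which is what makes the model useful for checking hardware output.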
   

==DMA (PL080)==
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual [http://www.mediafire.com/download.php?mjy2m1do0jg here].

<table border=1 width=100%>
<tr>
<td colspan=2><center><b>Base (dmac0)</b>: 0x38200000<br><b>Base (dmac1)</b>: 0x39900000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x0</center></td>
<td width=50%><center>Interrupt Status</center></td>
</tr>
<tr>
<td width=50%><center>0x4</center></td>
<td width=50%><center>TC (Terminal Count) Interrupt Status (a set bit means that channel's transfer has completed)</center></td>
</tr>
<tr>
<td width=50%><center>0x8</center></td>
<td width=50%><center>TC Interrupt Clear</center></td>
</tr>
<tr>
<td width=50%><center>0xC</center></td>
<td width=50%><center>Error Interrupt Status</center></td>
</tr>
<tr>
<td width=50%><center>0x10</center></td>
<td width=50%><center>Error Interrupt Clear</center></td>
</tr>
<tr>
<td width=50%><center>0x14</center></td>
<td width=50%><center>TC Interrupt Status Before Masking (Raw)</center></td>
</tr>
<tr>
<td width=50%><center>0x18</center></td>
<td width=50%><center>Error Interrupt Status Before Masking (Raw)</center></td>
</tr>
<tr>
<td width=50%><center>0x1C</center></td>
<td width=50%><center>Enabled DMA Channels (one bit per channel, read-only)</center></td>
</tr>
<tr>
<td width=50%><center>0x30</center></td>
<td width=50%><center>Controller Configuration</center></td>
</tr>
<tr>
<td width=50%><center>0x34</center></td>
<td width=50%><center>Synchronization Enable / Disable (per DMA request line)</center></td>
</tr>
<tr>
<td width=50%><center>0x100</center></td>
<td width=50%><center>Channel 0 Source Address</center></td>
</tr>
<tr>
<td width=50%><center>0x104</center></td>
<td width=50%><center>Channel 0 Destination Address</center></td>
</tr>
<tr>
<td width=50%><center>0x108</center></td>
<td width=50%><center>Channel 0 Linked List Address</center></td>
</tr>
<tr>
<td width=50%><center>0x10C</center></td>
<td width=50%><center>Channel 0 Control 1</center></td>
</tr>
<tr>
<td width=50%><center>0x110</center></td>
<td width=50%><center>Channel 0 Control 2</center></td>
</tr>
<tr>
<td width=50%><center>0x114</center></td>
<td width=50%><center>Channel 0 Configuration</center></td>
</tr>
</table>

==VIC (PL192)==
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual [http://www.mediafire.com/download.php?mmjdnud0iuz here].

<table border=1 width=100%>
<tr>
<td colspan=2><center>
<b>Base (vic0)</b>: 0x38E00000<br>
<b>Base (vic1)</b>: 0x38E01000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x0</center></td>
<td width=50%><center>IRQ Status (asserted interrupts that are enabled and routed to IRQ)</center></td>
</tr>
<tr>
<td width=50%><center>0x4</center></td>
<td width=50%><center>FIQ Status (asserted interrupts that are enabled and routed to FIQ)</center></td>
</tr>
<tr>
<td width=50%><center>0x8</center></td>
<td width=50%><center>Raw Interrupt Status (all asserted sources, including software interrupts, before the enable mask)</center></td>
</tr>
<tr>
<td width=50%><center>0xC</center></td>
<td width=50%><center>Interrupt Select (0=IRQ, 1=FIQ)</center></td>
</tr>
<tr>
<td width=50%><center>0x10</center></td>
<td width=50%><center>Interrupt Enable (0=Disabled, 1=Enabled; writing a 1 enables that line, writing a 0 has no effect)</center></td>
</tr>
<tr>
<td width=50%><center>0x14</center></td>
<td width=50%><center>Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Clears the matching bit of the Interrupt Enable register at 0x10)</center></td>
</tr>
<tr>
<td width=50%><center>0x18</center></td>
<td width=50%><center>Software Interrupt (0=Not Asserted, 1=Asserted; writing a 1 raises a software interrupt on that line)</center></td>
</tr>
<tr>
<td width=50%><center>0x1C</center></td>
<td width=50%><center>Software Interrupt Clear (Write-Only; 0=No Effect, 1=Clears the matching bit of the Software Interrupt register at 0x18)</center></td>
</tr>
<tr>
<td width=50%><center>0x20</center></td>
<td width=50%><center>Register Protection Mode. If bit 0 is set to 1, Protection Mode is on and only privileged-mode accesses (reads and writes) to the VIC registers will work.</center></td>
</tr>
<tr>
<td width=50%><center>0x24</center></td>
<td width=50%><center>Software Interrupt Priority Mask (0=Masked, 1=Not Masked)</center></td>
</tr>
<tr>
<td width=50%><center>0x100</center></td>
<td width=50%><center>Vector Addresses (one word per interrupt line)</center></td>
</tr>
<tr>
<td width=50%><center>0x200</center></td>
<td width=50%><center>Vector Priority Levels (one word per interrupt line)</center></td>
</tr>
<tr>
<td width=50%><center>0xFE0 through 0xFEC</center></td>
<td width=50%><center>Peripheral Identification Registers (only bits 7 through 0 of each word are meaningful)<br><br>
<b>Part Number</b><br>
Bits 7 through 0 of register 0xFE0 hold the low byte of the part number (0x92), and bits 3 through 0 of register 0xFE4 hold its high nibble (0x1). Put together: (((value at 0xFE4) & 0xF) << 8) | (value at 0xFE0) = (0x1 << 8) | 0x92 = 0x192, which identifies an ARM PrimeCell PL192.<br>
<b>Designer</b><br>
Bits 7 through 4 of register 0xFE4 hold the low nibble of the designer code (0x1), and bits 3 through 0 of register 0xFE8 hold its high nibble (0x4). Put together: (((value at 0xFE8) & 0xF) << 4) | ((value at 0xFE4) >> 4) = 0x40 | 0x1 = 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.<br>
<b>Revision Number</b><br>
Unlike the above two, this one is easy: bits 7 through 4 of register 0xFE8 are the revision number, which is 0 at least on the iPod touch 2G.<br>
<b>Configuration</b><br>
The reference manual states that bits 7 through 2 of register 0xFEC read back as 0 and says nothing more about them. Bits 1 through 0 encode the number of interrupt lines supported, which appears to be 32 for the iPod touch 2G ('''0b00=32 Supported''', 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).<br>
</center></td>
</tr>
<tr>
<td width=50%><center>0xFF0 through 0xFFC</center></td>
<td width=50%><center>PrimeCell Identification Registers<br><br>
<b>Register 0xFF0</b>: Should read as 0x0D<br>
<b>Register 0xFF4</b>: Should read as 0xF0<br>
<b>Register 0xFF8</b>: Should read as 0x05<br>
<b>Register 0xFFC</b>: Should read as 0xB1</center></td>
</tr>
</table>
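As an added example (not iBoot or openiboot code), the C below decodes the identification words the way the table works them through and models how the Select, Enable and write-1-to-clear registers combine into the IRQ and FIQ status registers. The register semantics follow the PL192 TRM, the sample ID values are the ones the text reports for the iPod touch 2G (typed in from the text, not a register dump), and the vic_read_id helper is an assumption about how the words would be fetched from a mapped VIC on target.

```c
#include <stdint.h>
#include <stdio.h>

struct vic_id {
    uint16_t part_number;    /* 0x192 for a PL192 */
    uint8_t  designer;       /* 0x41 = 'A' = ARM Limited */
    uint8_t  revision;       /* bits 7:4 of 0xFE8 */
    unsigned num_interrupts; /* from the two configuration bits: 32, 64, 128 or 256 */
    int      pcell_ok;       /* 1 if 0xFF0..0xFFC read 0x0D, 0xF0, 0x05, 0xB1 */
};

/* periph[i] is the word read at 0xFE0 + 4*i, pcell[i] the word at 0xFF0 + 4*i. */
struct vic_id vic_decode_id(const uint32_t periph[4], const uint32_t pcell[4])
{
    struct vic_id id;
    uint8_t p0 = periph[0] & 0xFF, p1 = periph[1] & 0xFF,
            p2 = periph[2] & 0xFF, p3 = periph[3] & 0xFF;
    id.part_number    = (uint16_t)(((p1 & 0x0F) << 8) | p0);          /* 0x1<<8 | 0x92 */
    id.designer       = (uint8_t)(((p2 & 0x0F) << 4) | (p1 >> 4));    /* 0x4<<4 | 0x1  */
    id.revision       = p2 >> 4;
    id.num_interrupts = 32u << (p3 & 0x03);
    id.pcell_ok       = (pcell[0] & 0xFF) == 0x0D && (pcell[1] & 0xFF) == 0xF0 &&
                        (pcell[2] & 0xFF) == 0x05 && (pcell[3] & 0xFF) == 0xB1;
    return id;
}

/* On target: read the eight ID words from a mapped VIC (e.g. 0x38E00000).
 * Assumed helper; only the decode above is exercised here. */
struct vic_id vic_read_id(volatile const uint32_t *base)
{
    uint32_t periph[4], pcell[4];
    for (int i = 0; i < 4; i++) {
        periph[i] = base[(0xFE0 >> 2) + i];
        pcell[i]  = base[(0xFF0 >> 2) + i];
    }
    return vic_decode_id(periph, pcell);
}

/* Behavioural model of the request path: hw_lines stands in for the 32
 * peripheral request inputs, the other fields for the named registers. */
struct vic_state {
    uint32_t hw_lines;
    uint32_t select;   /* 0xC : 0 = route to IRQ, 1 = route to FIQ */
    uint32_t enable;   /* 0x10: writing 1s sets bits, cleared only via 0x14 */
    uint32_t softint;  /* 0x18: writing 1s sets bits, cleared only via 0x1C */
};
void vic_write_enable(struct vic_state *v, uint32_t m)        { v->enable  |= m; }  /* 0x10 */
void vic_write_enable_clear(struct vic_state *v, uint32_t m)  { v->enable  &= ~m; } /* 0x14 */
void vic_write_softint(struct vic_state *v, uint32_t m)       { v->softint |= m; }  /* 0x18 */
void vic_write_softint_clear(struct vic_state *v, uint32_t m) { v->softint &= ~m; } /* 0x1C */
uint32_t vic_raw_status(const struct vic_state *v) { return v->hw_lines | v->softint; }                   /* 0x8 */
uint32_t vic_irq_status(const struct vic_state *v) { return vic_raw_status(v) & v->enable & ~v->select; } /* 0x0 */
uint32_t vic_fiq_status(const struct vic_state *v) { return vic_raw_status(v) & v->enable & v->select; }  /* 0x4 */

/* Self-check: the ID values the page reports, then a routing scenario.  Returns 1 on success. */
int vic_selftest(void)
{
    const uint32_t periph[4] = {0x92, 0x11, 0x04, 0x00};
    const uint32_t pcell[4]  = {0x0D, 0xF0, 0x05, 0xB1};
    struct vic_id id = vic_decode_id(periph, pcell);
    if (id.part_number != 0x192 || id.designer != 'A' || id.revision != 0 ||
        id.num_interrupts != 32 || !id.pcell_ok) return 0;

    struct vic_state v = {0};
    v.hw_lines = (1u << 3) | (1u << 7);                      /* two lines requesting */
    vic_write_enable(&v, (1u << 3) | (1u << 7) | (1u << 9));
    v.select = 1u << 7;                                      /* line 7 goes to FIQ */
    vic_write_softint(&v, 1u << 9);                          /* software-raised line 9 */
    if (vic_irq_status(&v) != ((1u << 3) | (1u << 9))) return 0;
    if (vic_fiq_status(&v) != (1u << 7)) return 0;
    vic_write_enable_clear(&v, 1u << 3);                     /* write-1-to-clear, not a mask write */
    vic_write_softint_clear(&v, 1u << 9);
    return vic_irq_status(&v) == 0 && vic_fiq_status(&v) == (1u << 7);
}

int main(void)
{
    const uint32_t periph[4] = {0x92, 0x11, 0x04, 0x00}, pcell[4] = {0x0D, 0xF0, 0x05, 0xB1};
    struct vic_id id = vic_decode_id(periph, pcell);
    printf("part 0x%03X designer '%c' rev %u irqs %u pcell %s\n", id.part_number, id.designer,
           (unsigned)id.revision, id.num_interrupts, id.pcell_ok ? "ok" : "bad");
    return vic_selftest() ? 0 : 1;
}
```

The point of the routing model is the one that bites when reading iBoot's interrupt setup: a write to 0x10 or 0x18 can only set bits, so disabling a line is a write of its bit to 0x14 (or 0x1C for a software interrupt), not a read-modify-write of the enable register.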
   

==CHIPID==
All information here was gathered by reversing iBoot and friends.

<table border=1 width=100%>
<tr>
<td colspan=2><center><b>Base</b>: 0x3D100000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x0</center></td>
<td width=50%><center>Unused (not referenced by iBoot)</center></td>
</tr>
<tr>
<td width=50%><center>0x4</center></td>
<td width=50%><center>Not yet documented</center></td>
</tr>
<tr>
<td width=50%><center>0x8</center></td>
<td width=50%><center>Chip Info<br><br>
<b>Chip ID</b>: Bits 31 through 16 (0x8720, meaning it is an [[S5L8720]])<br>
<b>Security Epoch</b>: Bits 15 through 1 (0x01)<br>
</center></td>
</tr>
</table>

==WDT (Watchdog Timer)==
<table border=1 width=100%>
<tr>
<td colspan=2><center><b>Base</b>: 0x3C800000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x0</center></td>
<td width=50%><center>Control Register<br><br>
<b>NOTE: It seems that you can disable the Watchdog Timer by writing 0x00000000 to this register, and reboot the device by writing 0x100000 to it.</b></center></td>
</tr>
<tr>
<td width=50%><center>0x4</center></td>
<td width=50%><center>Watchdog Timeout Duration</center></td>
</tr>
<tr>
<td width=50%><center>0xC</center></td>
<td width=50%><center>Interrupt Clear</center></td>
</tr>
</table>


==Timers==
See the separate article [[S5L8720 Timers (Hardware)]].


==ARM7 (Second CPU)==
All information here was gathered by looking at the code for the [[ARM7 Go]] command, and by noting that although 2.1.1 iBoots reference this block at 0xB8600000, the MMU maps 0x80000000 through 0xFFFFFFFF onto 0x0 through 0x7FFFFFFF, which gives the physical base below.

<table border=1 width=100%>
<tr>
<td colspan=2><center><b>Base</b>: 0x38600000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
<tr>
<td width=50%><center>0x100</center></td>
<td width=50%><center>Running Status<br><br>
<b>To halt the ARM7</b>: Clear all bits, then set bit 2<br>
<b>To make it resume</b>: Set bit 1</center></td>
</tr>
<tr>
<td width=50%><center>0x110</center></td>
<td width=50%><center>Code Address<br><br>
To run code on the ARM7: halt it, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume it.</center></td>
</tr>
<tr>
<td width=50%><center>0x114</center></td>
<td width=50%><center>"Code Waiting"<br><br>
I don't know exactly what this register does; I named it this way because 0x3FF0000 is written to it whenever a load address to jump to has been placed in register 0x110.</center></td>
</tr>
</table>
   

==UART==
<table border=1 width=100%>
<tr>
<td colspan=2><center>
<b>Base (uart0 - Serial)</b>: 0x3CC00000<br>
<b>Base (uart1 - Bluetooth)</b>: 0x3DB00000<br>
<b>Base (uart2)</b>: 0x3DC00000<br>
<b>Base (uart3)</b>: 0x3DD00000<br></center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
</table>
   

==SPI==
<table border=1 width=100%>
<tr>
<td colspan=2><center>
<b>Base (spi0 - NOR Flash)</b>: 0x3C300000<br>
<b>Base (spi1 - NOR Flash)</b>: 0x3CE00000<br>
<b>Base (spi2)</b>: 0x3D200000<br>
<b>Base (spi3)</b>: 0x3DA00000<br>
<b>Base (spi4 - Multi Touch)</b>: 0x3E100000</center></td>
</tr>
<tr>
<td width=50%><center><b>Register</b></center></td>
<td width=50%><center><b>Description</b></center></td>
</tr>
</table>
   

==Links==
* [http://github.com/planetbeing/iphonelinux/tree/27b57ac836053d59421a02755920b5be6b1e7805/openiboot OpeniBoot]
* [http://code.google.com/p/chronicdev/wiki/N72APDevTree Decoded iPod touch 2G DevTree]
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 

Revision as of 07:21, 7 November 2009