S5L8720 (Hardware)

From The iPhone Wiki
Revision as of 20:41, 16 February 2009 by ChronicDev (talk | contribs)
Jump to: navigation, search

This should help people reversing iBoot and friends. It is a work in progress.

DMA

Base (dmac0): 0x38200000
Base (dmac1): 0x39900000
Register
Description
0x0
Interrupt Status
0x4
TC Status (If HIGH, transaction complete)
0x8
TC Interrupt Clear
0xC
Error Interrupt Status
0x10
Error Interrupt Clear
0x14
TC Interrupt Status Before Masking (Raw)
0x18
Error Interrupt Status Before Masking (Raw)
0x1C
DMA Channels Enabled
0x30
Controller Configuration
0x34
Enable / Disable Synchronization
0x100
Channel 0 Source Address
0x104
Channel 0 Destination Address
0x108
Channel 0 Linked List Address
0x10C
Channel 0 Control 1
0x110
Channel 0 Control 2
0x114
Channel 0 Configuration

VIC (PL192)

This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.

Register Table

Base (vic0): 0x38E00000
Base (vic1): 0x38E01000
Register
Description
0x0
IRQ Status
0x4
FIQ Status
0x8
Raw Interrupt Status
0xC
Interrupt Select (0=IRQ, 1=FIQ)
0x10
Interrupt Enable (0=Disabled, 1=Enabled)
0x14
Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Interrupt enabled with previous reg disabled)
0x18
Software Interrupt (0=Disabled, 1=Enabled)
0x1C
Software Interrupt Clear (Write-Only; 0=No Effect, 1=Interrupt enabled with previous reg disabled)
0x20
Register Protection Mode. If bit 0 is set to 1, then Protection Mode is on and only privileged mode writes will work.
0x24
Software Interrupt Priority Mask (0=Masked, 1=Not Masked)
0x100
Vector Addresses
0x200
Vector Priority Levels
0xFE0 through 0xFEC
Peripheral Identification Registers
0xFF0 through 0xFFC
PrimeCell Identification Registers

Register 0xFF0: Should read as 0x0D
Register 0xFF4: Should read as 0xF0
Register 0xFF8: Should read as 0x05

Register 0xFFC: Should read as 0xB1

Peripheral Identification Registers

The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec, are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. Here are some explanations about these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66.

Values for the S5L8720

0x38e00fe0: 00000092
0x38e00fe4: 00000011
0x38e00fe8: 00000004
0x38e00fec: 00000000

Part Number

Bits 7 through 0 of register 0xfe0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xfe4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192.

Designer

Bits 7 through 4 of register 0xfe4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xfe8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.

Revision Number

Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 is the revision number, which is "0" at least for the iPod touch 2G.

Configuration

The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G (0b00=32 Supported, 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).

WDT (Watchdog Timer)

Base: 0x3C800000
Register
Description
0x0
Control Register

NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000
0x4
Watchdog Timeout Duration
0xC
Interrupt Clear

USB

OTG-PHYCTRL

Base: 0x3C400000
Register
Description
0x0
Power Control
0x4
Clock Control
0x8
Reset Control
0x10
Clock Control

OTG

Base: 0x38400000
Register
Description
0x0
Control
0x4
Interrupt
0x8
AHB Config
0xC
Core Config
0x10
Core Reset
0x14
Core Interrupt
0x18
Core Interrupt Mask
0x1C and 0x20
Rx Status Debug
0x24
Rx FIFO Size
0x28
Non-Periodic Transmit FIFO Size
TBC...
TBC...

ARM7 (Second CPU)

Base: 0x38600000
Register
Description
0x100
Running Status

To halt the ARM7: Write 0x0 then 0x10 to this register

To make it resume: Write 0x1 to this register
0x110
Code Address

To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7
0x114
"Code Waiting"

I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110

UART

Base (uart0): 0x3CC00000
Base (uart1): 0x3DB00000
Base (uart2): 0x3DC00000
Base (uart3): 0x3DD00000
Register
Description
0x0
Line Control
0x4
Control
0x8
FIFO Control
0xC
Modem Control (uart0 and uart1 only)
0x10
Tx / Rx Status

Bit 0: If 1, Rx buffer has data, if 0, Rx buffer is empty

Bit 1: If 1, Rx buffer is empty, if 0, it is not empty
0x14
Rx Error

Bit 0: If 1, overrun error
Bit 1: If 1, parity error
Bit 2: If 1, frame error

Bit 3: If 1, break signal
0x18
FIFO Status
0x1C
Modem Status (uart0 and uart1 only)
0x20
Tx Buffer (write-only)
0x24
Rx Buffer (read-only)
0x28
Baud Rate Divisor
0x2C
???
0x30
Interrupt Pending
0x34
Interrupt Source Pending
0x38
Interrupt Mask

Links