Difference between revisions of "CONFIG11 Registers"

From 3dbrew
Line 78: Line 78:
 
| 4
 
| 4
 
|  
 
|  
 +
|-style="border-top: double"
 +
| style="background: red" | No
 +
| Clock related?
 +
| 0x10140400
 +
| 1
 +
| NewProcess11
 +
|-
 +
| style="background: red" | No
 +
| Clock related?
 +
| 0x10140410
 +
| 4
 +
| NewProcess11
 +
|-
 +
| style="background: red" | No
 +
| [[#PDN_BOOTROM_OVERLAY_CNT|PDN_BOOTROM_OVERLAY_CNT]]
 +
| 0x10140420
 +
| 4
 +
| NewProcess11
 +
|-
 +
| style="background: red" | No
 +
| [[#PDN_BOOTROM_OVERLAY_VAL|PDN_BOOTROM_OVERLAY_VAL]]
 +
| 0x10140424
 +
| 4
 +
| NewProcess11
 +
|-
 +
| style="background: red" | No
 +
| ?
 +
| 0x10140428
 +
| 4
 +
|
 +
|-style="border-top: double"
 +
| style="background: green" | Yes
 +
| [[#PDN_MPCORE_CFG|PDN_MPCORE_CFG]]
 +
| 0x10140FFC
 +
| 1
 +
| NewKernel11
 
|-style="border-top: double"
 
|-style="border-top: double"
 
| style="background: green" | Yes
 
| style="background: green" | Yes
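Review bot: The "Used by" cells of the new PDN_BOOTROM_OVERLAY_CNT and PDN_BOOTROM_OVERLAY_VAL rows (0x10140420, 0x10140424) say NewProcess11, but the text added later in this same revision says NewKernel11 is what uses the bootrom overlay. Either list NewKernel11 here or explain what NewProcess11 does with these registers. The two "Clock related?" rows and the unnamed row at 0x10140428 also have no description section yet; a one-line note on what was observed would help the next reader.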
Line 205: Line 241:
 
| 1
 
| 1
 
| Process9, [[PDN Services]]
 
| Process9, [[PDN Services]]
|}
+
|-style="border-top: double"
 
+
| style="background: red" | No
== PDN_SPI_CNT ==
+
| [[#PDN_MPCORE_STATUS|PDN_MPCORE_STATUS]]
{| class="wikitable" border="1"
+
| 0x10141300
!  Bit
+
| 2
!  Description
+
| NewProcess11
 
|-
 
|-
| 0
+
| style="background: red" | No
| Enable [[SPI Registers]] 0x10160000.
+
| [[#PDN_MPCORE_CNT|PDN_MPCORE_CNT]]
|-
+
| 0x10141304
| 1
+
| 2
| Enable [[SPI Registers]] 0x10142000.
+
| NewProcess11
 
|-
 
|-
| 2
+
| style="background: red" | No
| Enable [[SPI Registers]] 0x10143800.
+
| [[#PDN_MPCORE_BOOTCNT|PDN_MPCORE_BOOTCNT]]
 +
| 0x10141310
 +
| 1*4
 +
| NewProcess11
 
|}
 
|}
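Review bot: The new PDN_MPCORE_BOOTCNT row gives the width as "1*4" without saying how the four bytes map to cores, while the register's description says bits 0 and 1 are only writable for core2 and core3. State the indexing explicitly (for example, whether the byte at 0x10141310 + N belongs to core N) so the table and the description can be read together. The same applies to PDN_MPCORE_CNT: width 2 with bits 0 and 8 suggests one byte per extra core, which is worth spelling out if that is what was observed.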
  
Line 261: Line 300:
 
| Enable (0=Disable, 1=Enable)
 
| Enable (0=Disable, 1=Enable)
 
|}
 
|}
 +
 +
== PDN_SPI_CNT ==
 +
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
|-
 +
| 0
 +
| Enable [[SPI Registers]] 0x10160000.
 +
|-
 +
| 1
 +
| Enable [[SPI Registers]] 0x10142000.
 +
|-
 +
| 2
 +
| Enable [[SPI Registers]] 0x10143800.
 +
|}
 +
 +
== PDN_BOOTROM_OVERLAY_CNT ==
 +
Bit0: Enable bootrom overlay functionality.
 +
 +
== PDN_BOOTROM_OVERLAY_VAL ==
 +
The 32-bit value to overlay data-reads to bootrom with. See [[#PDN_MPCORE_BOOTCNT|PDN_MPCORE_BOOTCNT]].
 +
 +
== PDN_MPCORE_CFG ==
 +
Read-only register.
 +
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0
 +
| Always set to 1 on both Old3DS and New3DS.
 +
|-
 +
| 1
 +
| 3rd ARM11 MPCore available maybe?
 +
|-
 +
| 2
 +
| 4th ARM11 MPCore available maybe?
 +
|}
 +
 +
== PDN_MPCORE_STATUS ==
 +
Read-only register.
 +
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0
 +
| Always set to 1 on both Old3DS and New3DS.
 +
|-
 +
| 1
 +
| 3rd ARM11 MPCore powered on maybe?
 +
|-
 +
| 2
 +
| 4th ARM11 MPCore powered on maybe?
 +
|}
 +
 +
== PDN_MPCORE_CNT ==
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0
 +
| Power on 3rd ARM11 MPCore maybe?
 +
|-
 +
| 8
 +
| Power on 4th ARM11 MPCore maybe?
 +
|}
 +
 +
== PDN_MPCORE_BOOTCNT ==
 +
{| class="wikitable" border="1"
 +
!  Bits
 +
!  Description
 +
|-
 +
| 0
 +
| Enable bootrom instruction overlay. This bit is only writable for core2 and core3.
 +
|-
 +
| 1
 +
| Enable bootrom data overlay. This bit is only writable for core2 and core3.
 +
|-
 +
| 4
 +
| Has core booted maybe?
 +
|-
 +
| 5
 +
| Always 1?
 +
|}
 +
 +
The normal ARM11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS ARM11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.
 +
 +
Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in [[#PDN_BOOTROM_OVERLAY_VAL|PDN_BOOTROM_OVERLAY_VAL]].
 +
 +
Bit0 enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay [[#PDN_BOOTROM_OVERLAY_VAL|PDN_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by:
 +
ldr pc, [pc]
 +
 +
Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the ARM pipeline, and might help us identify what instructions are placed by the instruction-overlay.
  
 
==PDN_WIFI_CNT==
 
==PDN_WIFI_CNT==
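Review bot: The overlay write-up never says how PDN_BOOTROM_OVERLAY_CNT bit0 relates to the per-core bits in PDN_MPCORE_BOOTCNT; "Bit1 in register above" and "Bit0 enables" refer only to BOOTCNT, and the CNT section is a single line. Say whether CNT bit0 must be set before the BOOTCNT bits take effect, and name the register instead of "register above" so the paragraph survives being moved. The ranges "0xFFFF0000-0xFFFF1000" and "0x10000-0x11000" should also state whether the end address is included, since the paragraph about crashes near 0xFFFF0FF0 depends on where the window ends.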

Revision as of 22:50, 30 March 2015

Registers

{| class="wikitable" border="1"
! Old3DS !! Name !! Address !! Width !! Used by
|-
| Yes || PDN_SHAREDWRAM_32K_DATA<0-7> || 0x10140000 || 1*8 || Boot11, Process9, DSP Services
|-
| Yes || PDN_SHAREDWRAM_32K_CODE<0-7> || 0x10140008 || 1*8 || Boot11, Process9, DSP Services
|-
| Yes || ? || 0x10140100 || 2 ||
|-
| Yes || ? || 0x10140102 || 2 ||
|-
| Yes || ARM11 interrupt related. || 0x10140104 || 1 || Kernel11.
|-
| Yes || ? || 0x10140105 || 1 || Kernel11.
|-
| Yes || ? || 0x10140108 || 2 || TwlBg
|-
| Yes || ? || 0x1014010C || 2 ||
|-
| Yes || ? || 0x10140140 || 2 ||
|-
| Yes || PDN_WIFI_CNT || 0x10140180 || 1 || TwlBg
|-
| Yes || PDN_SPI_CNT || 0x101401C0 || 4 || SPI Services, TwlBg
|-
| Yes || ? || 0x10140200 || 4 ||
|-
| No || Clock related? || 0x10140400 || 1 || NewProcess11
|-
| No || Clock related? || 0x10140410 || 4 || NewProcess11
|-
| No || PDN_BOOTROM_OVERLAY_CNT || 0x10140420 || 4 || NewProcess11
|-
| No || PDN_BOOTROM_OVERLAY_VAL || 0x10140424 || 4 || NewProcess11
|-
| No || ? || 0x10140428 || 4 ||
|-
| Yes || PDN_MPCORE_CFG || 0x10140FFC || 1 || NewKernel11
|-
| Yes || PDN_GPU_STATUS? || 0x10141000 || 4 || Kernel11, TwlBg
|-
| Yes || PDN_PTM_0 || 0x10141008 || 4 || PTM Services, PDN Services
|-
| Yes || PDN_PTM_1 || 0x1014100C || 4 || PTM Services, TwlBg, PDN Services
|-
| Yes || PDN_TWLMODE_0 || 0x10141100 || 2 || TwlProcess9, TwlBg
|-
| Yes || PDN_TWLMODE_1 || 0x10141104 || 2 || TwlBg
|-
| Yes || PDN_TWLMODE_2 || 0x10141108 || 2 || TwlBg
|-
| Yes || || 0x1014110A || 2 || TwlBg
|-
| Yes || PDN_WIFI? || 0x1014110C || 1 ||
|-
| Yes || ? || 0x10141110 || 2 || TwlBg
|-
| Yes || ? || 0x10141112 || 2 || TwlBg
|-
| Yes || PDN_CODEC_0 || 0x10141114 || 2 || CODEC Services, TwlBg
|-
| Yes || PDN_CODEC_1 || 0x10141116 || 2 || CODEC Services, TwlBg
|-
| Yes || ? || 0x10141118 || 1 || TwlBg
|-
| Yes || ? || 0x10141119 || 1 || TwlBg
|-
| Yes || ? || 0x10141120 || 1 || TwlBg
|-
| Yes || PDN_GPU_CNT || 0x10141200 || 4 || Boot11, Kernel11, PDN Services
|-
| Yes || PDN_GPU_CNT2 || 0x10141204 || 4 || Boot11, Kernel11
|-
| Yes || PDN_GPU_CNT3 || 0x10141210 || 2 || Kernel11, TwlBg
|-
| Yes || PDN_CODEC_CNT || 0x10141220 || 1 || Boot11, TwlBg, PDN Services
|-
| Yes || PDN_CAMERA_CNT || 0x10141224 || 1 || PDN Services
|-
| Yes || PDN_DSP_CNT || 0x10141230 || 1 || Process9, PDN Services
|-
| No || PDN_MPCORE_STATUS || 0x10141300 || 2 || NewProcess11
|-
| No || PDN_MPCORE_CNT || 0x10141304 || 2 || NewProcess11
|-
| No || PDN_MPCORE_BOOTCNT || 0x10141310 || 1*4 || NewProcess11
|}

PDN_SHAREDWRAM_32K_DATA

Used for mapping 32K chunks of shared WRAM for DSP data.

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0-1 || Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/data)
|-
| 2-4 || Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units)
|-
| 5-6 || Not used (0)
|-
| 7 || Enable (0=Disable, 1=Enable)
|}

PDN_SHAREDWRAM_32K_CODE

Used for mapping 32K chunks of shared WRAM for DSP data.

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0-1 || Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/code)
|-
| 2-4 || Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units)
|-
| 5-6 || Not used (0)
|-
| 7 || Enable (0=Disable, 1=Enable)
|}

PDN_SPI_CNT

{| class="wikitable" border="1"
! Bit !! Description
|-
| 0 || Enable SPI Registers 0x10160000.
|-
| 1 || Enable SPI Registers 0x10142000.
|-
| 2 || Enable SPI Registers 0x10143800.
|}

PDN_BOOTROM_OVERLAY_CNT

Bit0: Enable bootrom overlay functionality.

PDN_BOOTROM_OVERLAY_VAL

The 32-bit value returned for overlaid data reads of the bootrom region. See PDN_MPCORE_BOOTCNT.

PDN_MPCORE_CFG

Read-only register.

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0 || Always set to 1 on both Old3DS and New3DS.
|-
| 1 || 3rd ARM11 MPCore available maybe?
|-
| 2 || 4th ARM11 MPCore available maybe?
|}

PDN_MPCORE_STATUS

Read-only register.

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0 || Always set to 1 on both Old3DS and New3DS.
|-
| 1 || 3rd ARM11 MPCore powered on maybe?
|-
| 2 || 4th ARM11 MPCore powered on maybe?
|}

PDN_MPCORE_CNT

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0 || Power on 3rd ARM11 MPCore maybe?
|-
| 8 || Power on 4th ARM11 MPCore maybe?
|}

PDN_MPCORE_BOOTCNT

{| class="wikitable" border="1"
! Bits !! Description
|-
| 0 || Enable bootrom instruction overlay. This bit is only writable for core2 and core3.
|-
| 1 || Enable bootrom data overlay. This bit is only writable for core2 and core3.
|-
| 4 || Has core booted maybe?
|-
| 5 || Always 1?
|}

The normal ARM11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS ARM11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.

Bit1 in the register above enables a bootrom data override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now return the 32-bit value provided in PDN_BOOTROM_OVERLAY_VAL.

Bit0 enables a bootrom instruction overlay, which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay, PDN_BOOTROM_OVERLAY_VAL. Thus we may predict that the entire bootrom region is filled by:

ldr pc, [pc]

Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the ARM pipeline, and might help us identify what instructions are placed by the instruction-overlay.
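
A small C model of the overlay behaviour described above, added here as an illustration and not taken from the wiki or from NewKernel11. It assumes the predicted `ldr pc, [pc]` fill, half-open address windows, and ARM-state pc reading as the instruction address plus 8; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* PDN_MPCORE_BOOTCNT bits as listed in the table above. */
#define BOOTCNT_INSTR_OVERLAY (1u << 0)
#define BOOTCNT_DATA_OVERLAY  (1u << 1)

/* Hypothetical model state: one core's BOOTCNT byte plus PDN_BOOTROM_OVERLAY_VAL. */
struct overlay_model {
    uint8_t  bootcnt;
    uint32_t overlay_val;
};

/* Assumption: both windows are half-open, i.e. 0x1000 bytes each. */
static bool in_overlay_window(uint32_t pa)
{
    return (pa >= 0xFFFF0000u && pa < 0xFFFF1000u) ||
           (pa >= 0x00010000u && pa < 0x00011000u);
}

/* Data read: bit1 replaces any read inside a window with OVERLAY_VAL. */
static uint32_t model_data_read(const struct overlay_model *m, uint32_t pa,
                                uint32_t underlying)
{
    if ((m->bootcnt & BOOTCNT_DATA_OVERLAY) && in_overlay_window(pa))
        return m->overlay_val;
    return underlying;
}

/*
 * Entering the window at `entry` with both overlays on, assuming every
 * fetched word is "ldr pc, [pc]". In ARM state pc reads as entry + 8, so
 * the branch target is the data word at entry + 8. Returns false when the
 * model cannot predict the target (overlay off, or literal outside window).
 */
static bool model_entry_target(const struct overlay_model *m, uint32_t entry,
                               uint32_t *target)
{
    uint32_t literal = (entry & ~3u) + 8u;

    if (!(m->bootcnt & BOOTCNT_INSTR_OVERLAY) || !in_overlay_window(entry))
        return false;
    if (!(m->bootcnt & BOOTCNT_DATA_OVERLAY) || !in_overlay_window(literal))
        return false;
    *target = model_data_read(m, literal, 0);
    return true;
}
```

In this model the literal load leaves the window only for entries at 0xFFFF0FF8 and above, so it does not by itself account for crashes starting at 0xFFFF0FF0, which is consistent with the prefetch explanation suggested above.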

PDN_WIFI_CNT

Bit0: Enable wifi.

PDN_TWLMODE_0

Observed 0x8001 when running under TWL_FIRM, 0 under NATIVE_FIRM.

The very last 3DS-mode register poke that the TWL_FIRM Process9 does before it gets switched into TWL-mode is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for the value of this register to become non-zero. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.

Writing 0x8000 to this register from the ARM9 with NATIVE_FIRM running doesn't seem to do anything; other register pokes likely need to be done first.

PDN_TWLMODE_1

Observed 0x8000 when running under TWL_FIRM, 0 under NATIVE_FIRM.

PDN_GPU_CNT

This one seems to control the LCD/GPU/Backlight.

Bit0: Enable GPU registers at 0x10400000+.

Bit16: Turn on LCD backlight.

PDN_GPU_CNT2

Bit0: Power on GPU?

PDN_CODEC

The following is the only time the ARM11 CODEC module uses any 0x1EC41XXX registers. In one case CODEC module clears bit1 in register 0x1EC41114, in the other case CODEC module sets bit1 in registers 0x1EC41114 and 0x1EC41116.

PDN_CODEC_CNT

This is the power register used for the PDN CODEC service.

bit0 = unknown, bit1 = turn on/off DSP, rest = always 0.

PDN_CAMERA_CNT

This is the power register used for the PDN camera service.

bit0 = unknown, bit1 = turn on/off cameras, rest = always 0.