Difference between revisions of "CONFIG11 Registers"

From 3dbrew
Jump to navigation Jump to search
Line 490: Line 490:
 
|}
 
|}
  
For the old FCRAM DMA cutoff, it appears to start at 0x28000000-(0x800000*x) length 0x800000*x.
+
For the old FCRAM DMA cutoff, it protects starting from 0x28000000-(0x800000*x) until end of FCRAM. There is no way to protect the first 0x800000-bytes.
  
For the new FCRAM DMA cutoff, it protects 0x30000000-(size) where size is 0x800000*x. This can be used to protect all of the upper FCRAM except for the first 0x800000-bytes (lowest protection addr via x=0xF is 0x28800000).
+
For the new FCRAM DMA cutoff, it protects starting from 0x30000000-(0x800000*x) until end of FCRAM. When the old FCRAM cutoff is set to non-zero, the first 0x800000-bytes bytes of new FCRAM are protected.
  
On New3DS the old+new FCRAM cutoff can be used at the same time, however this isn't done officially. When this is done the 0x800000-bytes at 0x28000000 is also protected.
+
On New3DS the old+new FCRAM cutoff can be used at the same time, however this isn't done officially.
  
For the QTM DMA cutoff, it appears to start at 0x1F400000-(0x100000*x) length 0x100000*x
+
For the QTM DMA cutoff, it protects starting from 0x1F400000-(0x100000*x) until end of QTM mem.
  
 
On cold boot this reg is set to 0.
 
On cold boot this reg is set to 0.

Revision as of 01:10, 8 February 2017

Registers

Old3DS Name Address Width Used by
Yes CFG11_SHAREDWRAM_32K_DATA<0-7> 0x10140000 1*8 Boot11, Process9, DSP Services
Yes CFG11_SHAREDWRAM_32K_CODE<0-7> 0x10140008 1*8 Boot11, Process9, DSP Services
Yes ? 0x10140100 2
Yes ? 0x10140102 2
Yes CFG11_FIQ_CNT 0x10140104 1 Kernel11.
Yes ? 0x10140105 1 Kernel11.
Yes Related to HID_? 0x10140108 2 TwlBg
Yes Related to HID_? 0x1014010C 2 TwlBg
Yes CFG11_GPUPROT 0x10140140 4 Kernel11
Yes CFG11_WIFI_CNT 0x10140180 1 TwlBg, NWM Services
Yes CFG11_SPI_CNT 0x101401C0 4 SPI Services, TwlBg
Yes ? 0x10140200 4
No Clock related? 0x10140400 1 NewKernel11
No Clock related? 0x10140410 4 NewKernel11
No CFG11_BOOTROM_OVERLAY_CNT 0x10140420 1 NewKernel11
No CFG11_BOOTROM_OVERLAY_VAL 0x10140424 4 NewKernel11
No ? 0x10140428 4
Yes CFG11_SOCINFO 0x10140FFC 2 Boot11, Kernel11
Yes CFG11_GPU_STATUS? 0x10141000 4 Kernel11, TwlBg
Yes CFG11_PTM_0 0x10141008 4 PTM Services, PDN Services
Yes CFG11_PTM_1 0x1014100C 4 PTM Services, TwlBg, PDN Services
Yes CFG11_TWLMODE_0 0x10141100 2 TwlProcess9, TwlBg
Yes CFG11_TWLMODE_1 0x10141104 2 TwlBg
Yes CFG11_TWLMODE_2 0x10141108 2 TwlBg
Yes CFG11_TWLMODE_HID 0x1014110A 2 TwlBg
Yes CFG11_WIFI? 0x1014110C 1 NWM Services
Yes ? 0x10141110 2 TwlBg
Yes ? 0x10141112 2 TwlBg
Yes CFG11_CODEC_0 0x10141114 2 CODEC Services, TwlBg
Yes CFG11_CODEC_1 0x10141116 2 CODEC Services, TwlBg
Yes ? 0x10141118 1 TwlBg
Yes ? 0x10141119 1 TwlBg
Yes ? 0x10141120 1 TwlBg
Yes CFG11_GPU_CNT 0x10141200 4 Boot11, Kernel11, PDN Services
Yes CFG11_GPU_CNT2 0x10141204 4 Boot11, Kernel11
Yes CFG11_GPU_CNT3 0x10141210 2 Kernel11, TwlBg
Yes CFG11_CODEC_CNT 0x10141220 1 Boot11, TwlBg, PDN Services
Yes CFG11_CAMERA_CNT 0x10141224 1 PDN Services
Yes CFG11_DSP_CNT 0x10141230 1 Process9, PDN Services
No CFG11_MPCORE_CLKCNT 0x10141300 2 NewKernel11
No CFG11_MPCORE_CNT 0x10141304 2 NewKernel11
No CFG11_MPCORE_BOOTCNT<0-3> 0x10141310 1*4 NewKernel11

CFG11_SHAREDWRAM_32K_DATA

Used for mapping 32K chunks of shared WRAM for DSP data.

Bits Description
0-1 Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/data)
2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units)
5-6 Not used (0)
7 Enable (0=Disable, 1=Enable)

CFG11_SHAREDWRAM_32K_CODE

Used for mapping 32K chunks of shared WRAM for DSP data.

Bits Description
0-1 Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/code)
2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units)
5-6 Not used (0)
7 Enable (0=Disable, 1=Enable)

CFG11_FIQ_CNT

Writing bit1 to this register disables FIQ interrupts.

This bit is set upon receipt of a FIQ interrupt and when svcUnbindInterrupt is called on the FIQ-abstraction software interrupt for the current core. It is cleared when binding that software interrupt to an event and just before that event is signaled.

CFG11_SPI_CNT

When the corresponding bit is 0, the bus has to be accessed using the DS SPI registers. Otherwise it has to be accessed using the 3DS SPI registers.

Bit Description
0 Enable SPI Registers 0x10160000.
1 Enable SPI Registers 0x10142000.
2 Enable SPI Registers 0x10143000.

CFG11_BOOTROM_OVERLAY_CNT

Bit0: Enable bootrom overlay functionality.

CFG11_BOOTROM_OVERLAY_VAL

The 32-bit value to overlay data-reads to bootrom with. See CFG11_MPCORE_BOOTCNT.

CFG11_SOCINFO

Read-only register.

Bits Description Used by
0 1 on both Old3DS and New3DS. Boot11
1 1 on New3DS. Kernel11
2 Clock modifier: if set, use a 3x multiplier, otherwise 2x Kernel11

CFG11_MPCORE_CLKCNT

This is used for configuring the New3DS ARM11 CPU clock-rate. This register is New3DS-only: reading from here on Old3DS always returns all-zeros even when one tried writing data here prior to the read.

Bits Description
0 Enable clock multiplier? This must be set to 1 before writing a non-zero value to bit1-2, otherwise freeze.
1-2 Clock multiplier (0=1x, 1=2x, 2=3x, 3=hang)
15 Busy

svcKernelSetState type10, only implemented on New3DS, uses this register. That code writes the following values to this register, depending on the input Param0 bit0 state, and the state of CFG11_MPCORE_CFG:

Register value Higher-clockrate bit set in svcKernelSetState Param0 CFG11_MPCORE_CFG bit2 set MPCore timer/watchdog prescaler value, prior to subtracting it by 0x1 when writing it into hw/state Clock-rate multiplier Description
0x01 No Yes 0x01 1x 268MHz
0x02 No No 0x01 1x 268MHz
0x05 Yes Yes 0x03 3x 804MHz
0x03 Yes No 0x02 2x 536MHz (tested on New3DS)

Note that the above CFG11_MPCORE_CFG bit is 1 on New3DS, and 0 on Old3DS. Since this SVC is only available with the New3DS ARM11-kernel, the only additional available clock-rate is 804MHz when running on New3DS(with official kernel code).

The following register value(s) were tested on New3DS by patching the kernel:

  • 0x00: Entire system hangs.
  • 0x02: Entire system hangs.
  • 0x03: ARM11 runs at 536MHz.
  • 0x04: Entire system hangs.
  • 0x06: Entire system hangs.
  • 0x07: Same result as 0x05.
  • 0x08: Entire system hangs.
  • 0x09: Entire system hangs.
  • 0x0A: Entire system hangs.
  • 0x0B: Same result as 0x03.
  • 0x0C: Entire system hangs.
  • 0x0D: Same result as 0x05.
  • 0x0E: Entire system hangs.
  • 0x0F: Same result as 0x05.
  • 0x1F, 0x2F, 0x4F, 0x8F, 0xFF: Same result as 0x05.

CFG11_MPCORE_CNT

Bits Description
0 Power on 3rd ARM11 MPCore maybe?
8 Power on 4th ARM11 MPCore maybe?

CFG11_MPCORE_BOOTCNT<0-3>

Bits Description
0 Enable bootrom instruction overlay, maybe? This bit is only writable for core2 and core3.
1 Enable bootrom data overlay. This bit is only writable for core2 and core3.
4 Has core booted maybe?
5 Always 1?

The normal ARM11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS ARM11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.

Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in CFG11_BOOTROM_OVERLAY_VAL.

Bit0 enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay CFG11_BOOTROM_OVERLAY_VAL. Thus we may predict that the entire bootrom region is filled by: ldr pc, [pc]

Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the ARM pipeline, and might help us identify what instructions are placed by the instruction-overlay.

CFG11_GPUPROT

Old3DS Bits Description
Yes 3-0 Old FCRAM DMA cutoff size, 0 = no protection.
No 7-4 New FCRAM DMA cutoff size, 0 = no protection.
Yes 8 AXIWRAM protection, 0 = accessible.
No 10-9 QTM DMA cutoff size
Yes 31-11 Zeroes

For the old FCRAM DMA cutoff, it protects starting from 0x28000000-(0x800000*x) until end of FCRAM. There is no way to protect the first 0x800000-bytes.

For the new FCRAM DMA cutoff, it protects starting from 0x30000000-(0x800000*x) until end of FCRAM. When the old FCRAM cutoff is set to non-zero, the first 0x800000-bytes bytes of new FCRAM are protected.

On New3DS the old+new FCRAM cutoff can be used at the same time, however this isn't done officially.

For the QTM DMA cutoff, it protects starting from 0x1F400000-(0x100000*x) until end of QTM mem.

On cold boot this reg is set to 0.

When this register is set to value 0, the GPU can access the entire FCRAM, AXIWRAM, and on New3DS all QTM-mem.

Initialized during kernel boot, and used with SVC 0x59 which was implemented with v11.3.

CFG11_WIFI_CNT

Bit0: Enable wifi.

CFG11_TWLMODE_0

Observed 0x8001 when running under TWL_ and AGB_FIRM, 0 NATIVE_FIRM.

This address is poked from ARM7 to signal that it has booted and begun executing code. The ARM7-mode address for this register is 0x4700000.

The very last 3DS-mode register poke the TWL_FIRM Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.

Writing 0x8000 to here from the ARM9 with NATIVE_FIRM running doesn't seem to do anything, other reg-pokes likely need done first.

CFG11_TWLMODE_1

Observed 0x8000 when running under TWL_FIRM, 0 NATIVE_FIRM.

CFG11_TWLMODE_2

Bitfield.

CFG11_TWLMODE_HID

The value of this register is copied to HID_? under certain conditions.

CFG11_WIFI?

Bit4=unknown enabled by NWM on launch. Potentially powers on wifi card.

CFG11_GPU_CNT

This one seems to control the LCD/GPU/Backlight.

Bit0: Enable GPU registers at 0x10400000+. Bit16: Turn on LCD backlight.

CFG11_GPU_CNT2

Bit0: Power on GPU?

CFG11_GPU_CNT3

Bit1: FCRAM access from ARM11? Clearing this bit in 3DS-mode causes the ARM11 and ARM9 to hang/crash.

CFG11_CODEC

The following is the only time the ARM11 CODEC module uses any 0x1EC41XXX registers. In one case CODEC module clears bit1 in register 0x1EC41114, in the other case CODEC module sets bit1 in registers 0x1EC41114 and 0x1EC41116.

CFG11_CODEC_CNT

This is the power register used for the PDN CODEC service.

bit0 = unknown, bit1 = turn on/off DSP, rest = always 0.

CFG11_CAMERA_CNT

This is the power register used for the PDN camera service.

bit0 = unknown, bit1 = turn on/off cameras, rest = always 0.