Difference between revisions of "CONFIG9 Registers"

From 3dbrew
Jump to navigation Jump to search
(0x10010014 selects keys just like UNITINFO does, but for TWL. Feel free to correct me on this (or make a more concise name!))
(Add info on cart power supply bits)
 
(25 intermediate revisions by 9 users not shown)
Line 8: Line 8:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_SYSPROT9|CFG_SYSPROT9]]
+
| [[#CFG9_SYSPROT9|CFG9_SYSPROT9]]
 
| 0x10000000
 
| 0x10000000
 
| 1
 
| 1
Line 14: Line 14:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_SYSPROT11|CFG_SYSPROT11]]
+
| [[#CFG9_SYSPROT11|CFG9_SYSPROT11]]
 
| 0x10000001
 
| 0x10000001
 
| 1
 
| 1
Line 20: Line 20:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| CFG_DEBUGUNIT
+
| [[#CFG9_RST11|CFG9_RST11]]
 +
| 0x10000002
 +
| 1
 +
| Boot9
 +
|-
 +
| style="background: green" | Yes
 +
| CFG9_DEBUGCTL
 
| 0x10000004
 
| 0x10000004
 
| 4
 
| 4
Line 26: Line 32:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_CARDCONF|CFG_CARDCONF]]
+
| [[#CFG9_XDMA_CNT|CFG9_XDMA_CNT]]
 +
| 0x10000008
 +
| 1
 +
| Boot9, Process9, TwlProcess9
 +
|-
 +
| style="background: green" | Yes
 +
| [[#CFG9_CARDCTL|CFG9_CARDCTL]]
 
| 0x1000000C
 
| 0x1000000C
 
| 2
 
| 2
|
+
| Process9
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| CFG_DEBUGGER
+
| [[#CFG9_CARDSTATUS|CFG9_CARDSTATUS]]
 
| 0x10000010
 
| 0x10000010
 
| 1
 
| 1
|
+
| Process9
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| ?
+
| CFG9_CARDCYCLES0
| 0x10000011
 
| 1
 
|
 
|-
 
| style="background: green" | Yes
 
| ?
 
 
| 0x10000012
 
| 0x10000012
 
| 2
 
| 2
|
+
| Boot9, Process9
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| ?
+
| CFG9_CARDCYCLES1
 
| 0x10000014
 
| 0x10000014
 
| 2
 
| 2
|
+
| Boot9, Process9
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| ?
+
| [[#CFG9_SDMMCCTL|CFG9_SDMMCCTL]]
 
| 0x10000020
 
| 0x10000020
 
| 2
 
| 2
|
+
| Process9
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
Line 68: Line 74:
 
|-
 
|-
 
| style="background: red" | No
 
| style="background: red" | No
| [[#CFG_EXTMEMCNT9|CFG_EXTMEMCNT9]]
+
| [[#CFG9_EXTMEMCNT9|CFG9_EXTMEMCNT9]]
 
| 0x10000200
 
| 0x10000200
 
| 1
 
| 1
Line 74: Line 80:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_MPCORECFG|CFG_MPCORECFG]]
+
| [[#CFG9_MPCORECFG|CFG9_MPCORECFG]]
 
| 0x10000FFC
 
| 0x10000FFC
 
| 4
 
| 4
Line 80: Line 86:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_BOOTENV|CFG_BOOTENV]]
+
| [[#CFG9_BOOTENV|CFG9_BOOTENV]]
 
| 0x10010000
 
| 0x10010000
 
| 4
 
| 4
Line 86: Line 92:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_UNITINFO|CFG_UNITINFO]]
+
| [[#CFG9_UNITINFO|CFG9_UNITINFO]]
 
| 0x10010010
 
| 0x10010010
 
| 1
 
| 1
Line 92: Line 98:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#CFG_TWLUNITINFO|CFG_TWLUNITINFO]]
+
| [[#CFG9_TWLUNITINFO|CFG9_TWLUNITINFO]]
 
| 0x10010014
 
| 0x10010014
 
| 1
 
| 1
Line 98: Line 104:
 
|}
 
|}
  
==CFG_SYSPROT9 ==  
+
== CFG9_SYSPROT9 ==
Writing values to SYSPROT sets the specified bitmask. The ARM9 [[Memory_layout|bootrom]](+0x8000) is disabled by writing bit0. bit1 is used by NATIVE_FIRM to make sure console-unique TWL AES-keys are only set at hard-boot. It is not possible to set any other bits.
+
CFG9_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.
 +
 
 +
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1, and enables access to [[Memory_layout|FCRAM]]. Cannot be cleared to 0 once set to 1.
 +
| Boot9
 +
|-
 +
| 1
 +
| Disables [[OTP_Registers|OTP area]] when set to 1. Cannot be cleared to 0 once set to 1.
 +
| NewKernel9Loader, Process9
 +
|-
 +
| 31-2
 +
| Not used
 +
|
 +
|}
 +
 
 +
On Old 3DS, NATIVE_FIRM reads CFG9_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data.  After setting the TWL console-unique keys, NATIVE_FIRM sets CFG9_SYSPROT9 bit 1 to disable the OTP area.  In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.
 +
 
 +
On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]].  In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM.  The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.
 +
 
 +
== CFG9_SYSPROT11 ==
 +
 
 +
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Disables ARM11 [[Memory_layout|bootrom]](+0x8000) when set to 1, and enables access to [[Memory_layout|FCRAM]]. Cannot be cleared to 0 once set to 1.
 +
| Boot9
 +
|-
 +
| 31-1
 +
| Not used
 +
|
 +
|}
 +
 
 +
== CFG9_RST11 ==
 +
 
 +
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Presumably takes ARM11 out of reset. Cannot be set to 1 once it has been cleared.
 +
| Boot9
 +
|-
 +
| 31-1
 +
| Not used
 +
|
 +
|}
 +
 
 +
== CFG9_XDMA_CNT ==
  
From disassembly of the New3DS process9, it appears that setting bit1 disables the 0x10012000+ region.
+
Write 1 to enable XDMA for the device, 0 to disable. Always enabled for CTRCARD (ids 0 and 1), NTRCARD (id 8), and SHA (id 6 for infifo and 7 for outfifo).
  
== CFG_SYSPROT11 ==
+
{| class="wikitable" border="1"
ARM11 bootrom (+0x8000) is disabled by writing bit0. It is not possible to set any other bits.
+
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| SDIO controller 1 (eMMC and usually SD card; XDMA device ID: 2)
 +
|
 +
|-
 +
| 1
 +
| SDIO controller 3 (SD card if configured so; ID: 3)
 +
|
 +
|-
 +
| 2
 +
| AES Input FIFO (ID: 4)
 +
| Boot9, Process9, TwlProcess9
 +
|-
 +
| 3
 +
| AES Output FIFO (ID: 5)
 +
| Boot9, Process9, TwlProcess9
 +
|-
 +
| 31-4
 +
| Reserved
 +
|
 +
|}
  
== CFG_CARDCONF ==
+
== CFG9_CARDCTL ==
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
!  Bit
 
!  Bit
 
!  Description
 
!  Description
 +
!  Used by
 
|-
 
|-
 
| 1-0
 
| 1-0
| Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD1, 3=CTRCARD2)
+
| Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD0, 3=CTRCARD1)
 +
| Process9
 
|-
 
|-
 
| 8
 
| 8
| ?
+
| 1 = Switch to [[SPICARD_Registers|SPICARD]] interface (savegames).
 +
| Process9
 
|}
 
|}
  
 
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:
 
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:
 
* Selecting NTRCARD will activate the register space at [[NTRCARD|0x10164000]].
 
* Selecting NTRCARD will activate the register space at [[NTRCARD|0x10164000]].
* Selecting CTRCARD1 will activate the register space at [[CTRCARD|0x10004000]].
+
* Selecting CTRCARD0 will activate the register space at [[CTRCARD|0x10004000]].
* Selecting CTRCARD2 will activate the register space at [[CTRCARD|0x10005000]].
+
* Selecting CTRCARD1 will activate the register space at [[CTRCARD|0x10005000]].
  
== CFG_EXTMEMCNT9 ==
+
== CFG9_CARDSTATUS ==
This register is presumably New3DS-only. Only bit0 is writable: 0 = disable New3DS ARM9 memory at 0x08100000 size 0x80000, 1 = enable.
+
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Cartridge-slot empty (0=inserted, 1=empty)
 +
| Process9
 +
|-
 +
| 3-2
 +
| Cartridge-slot power supply (0=off, 1=prepare power regulator, 2=enable output, 3=request power down)
 +
| Process9
 +
|}
  
This bit is set by New3DS ARM9-kernel crt0.
+
When the power supply is in the "request power down" state, the power bits will be reset to 0=off after some time.
  
The data in this extended memory doesn't change when disabling the memory, then re-enabling the memory. Reading this extended memory while disabled results in zeros.
+
== CFG9_SDMMCCTL ==
 +
This register controls power of multiple ports/controllers and allows to map controller 3 to ARM9 or ARM11. The SD card can be accessed on ARM11 by setting bit 8 and clearing bit 9.
  
== CFG_MPCORECFG ==
+
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Controller 1/3 port 0 power (SD card) (1=off)
 +
| Process9
 +
|-
 +
| 1
 +
| Controller 1 port 1 power (eMMC) (1=off)
 +
| Process9
 +
|-
 +
| 2
 +
| Controller 2 port 0 power (WiFi SDIO) (1=off)
 +
| Process9
 +
|-
 +
| 3
 +
| Controller 3 port 1 power? Set at cold boot.
 +
| -
 +
|-
 +
| 4-5
 +
| Unused.
 +
| -
 +
|-
 +
| 6
 +
| Wifi port related? Pull up? Set at cold boot.
 +
| -
 +
|-
 +
| 8
 +
| Controller 3 mapping (0=ARM9 0x10007000, 1=ARM11 0x10100000)
 +
| Process9
 +
|-
 +
| 9
 +
| SD card controller select (0=0x10007000/0x10100000, 1=0x10006000)
 +
| Process9
 +
|-
 +
| 10-15
 +
| Unused.
 +
| -
 +
|}
 +
 
 +
== CFG9_EXTMEMCNT9 ==
 +
This register is New3DS-only.
 +
 
 +
{| class="wikitable" border="1"
 +
!  Bit
 +
!  Description
 +
!  Used by
 +
|-
 +
| 0
 +
| Hide extended ARM9 memory (0=hidden, 1=shown)
 +
| Kernel9 (New3DS)
 +
|-
 +
| 31-1
 +
| Reserved
 +
|
 +
|}
 +
 
 +
== CFG9_MPCORECFG ==
 
Identical to [[PDN#PDN_MPCORE_CFG|PDN_MPCORE_CFG]].
 
Identical to [[PDN#PDN_MPCORE_CFG|PDN_MPCORE_CFG]].
  
== CFG_BOOTENV ==
+
== CFG9_BOOTENV ==
Initially this is value zero. NATIVE_FIRM writes value 1 here when a FIRM launch begins. The [[Legacy_FIRM_PXI|LGY]] FIRM writes value 3 here when handling PXI command 0x00020080(first TWL PXI command), it also writes value 7 here when handling PXI command 0x00030080(first AGB PXI command). This register can be read to determine what "mode" the system is running under: hard-boot, FIRM launch, or TWL/AGB FIRM.
+
This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM [[Development_Services_PXI|sets it to 1]] on shutdown/FIRM launch. [[Legacy_FIRM_PXI|LGY FIRM]] writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title.
 
 
0=Cold boot, 1=CTR, 3=TWL, 5=NTR, 7=AGB
 
  
It is unknown if this register controls anything.
+
NATIVE_FIRM will only launch titles if this is not value 0, and will only save the [[Flash_Filesystem|AGB_FIRM savegame]] to SD if this is value 7.
  
== CFG_UNITINFO ==
+
== CFG9_UNITINFO ==
 
This 8-bit register is value zero for retail, non-zero for dev/debug units.
 
This 8-bit register is value zero for retail, non-zero for dev/debug units.
  
== CFG_TWLUNITINFO ==
+
== CFG9_TWLUNITINFO ==
 
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.
 
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.
  
 
This is also used by TWL_FIRM Process9.
 
This is also used by TWL_FIRM Process9.

Latest revision as of 23:14, 2 May 2023

Registers[edit]

Old3DS Name Address Width Used by
Yes CFG9_SYSPROT9 0x10000000 1 Boot9
Yes CFG9_SYSPROT11 0x10000001 1 Boot9
Yes CFG9_RST11 0x10000002 1 Boot9
Yes CFG9_DEBUGCTL 0x10000004 4
Yes CFG9_XDMA_CNT 0x10000008 1 Boot9, Process9, TwlProcess9
Yes CFG9_CARDCTL 0x1000000C 2 Process9
Yes CFG9_CARDSTATUS 0x10000010 1 Process9
Yes CFG9_CARDCYCLES0 0x10000012 2 Boot9, Process9
Yes CFG9_CARDCYCLES1 0x10000014 2 Boot9, Process9
Yes CFG9_SDMMCCTL 0x10000020 2 Process9
Yes ? 0x10000100 2
No CFG9_EXTMEMCNT9 0x10000200 1 NewKernel9
Yes CFG9_MPCORECFG 0x10000FFC 4
Yes CFG9_BOOTENV 0x10010000 4
Yes CFG9_UNITINFO 0x10010010 1 Process9
Yes CFG9_TWLUNITINFO 0x10010014 1 Process9

CFG9_SYSPROT9[edit]

CFG9_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.

Bit Description Used by
0 Disables ARM9 bootrom(+0x8000) when set to 1, and enables access to FCRAM. Cannot be cleared to 0 once set to 1. Boot9
1 Disables OTP area when set to 1. Cannot be cleared to 0 once set to 1. NewKernel9Loader, Process9
31-2 Not used

On Old 3DS, NATIVE_FIRM reads CFG9_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG9_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.

On New 3DS, the above is instead done by the Kernel9 loader. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.

CFG9_SYSPROT11[edit]

Bit Description Used by
0 Disables ARM11 bootrom(+0x8000) when set to 1, and enables access to FCRAM. Cannot be cleared to 0 once set to 1. Boot9
31-1 Not used

CFG9_RST11[edit]

Bit Description Used by
0 Presumably takes ARM11 out of reset. Cannot be set to 1 once it has been cleared. Boot9
31-1 Not used

CFG9_XDMA_CNT[edit]

Write 1 to enable XDMA for the device, 0 to disable. Always enabled for CTRCARD (ids 0 and 1), NTRCARD (id 8), and SHA (id 6 for infifo and 7 for outfifo).

Bit Description Used by
0 SDIO controller 1 (eMMC and usually SD card; XDMA device ID: 2)
1 SDIO controller 3 (SD card if configured so; ID: 3)
2 AES Input FIFO (ID: 4) Boot9, Process9, TwlProcess9
3 AES Output FIFO (ID: 5) Boot9, Process9, TwlProcess9
31-4 Reserved

CFG9_CARDCTL[edit]

Bit Description Used by
1-0 Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD0, 3=CTRCARD1) Process9
8 1 = Switch to SPICARD interface (savegames). Process9

Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:

  • Selecting NTRCARD will activate the register space at 0x10164000.
  • Selecting CTRCARD0 will activate the register space at 0x10004000.
  • Selecting CTRCARD1 will activate the register space at 0x10005000.

CFG9_CARDSTATUS[edit]

Bit Description Used by
0 Cartridge-slot empty (0=inserted, 1=empty) Process9
3-2 Cartridge-slot power supply (0=off, 1=prepare power regulator, 2=enable output, 3=request power down) Process9

When the power supply is in the "request power down" state, the power bits will be reset to 0=off after some time.

CFG9_SDMMCCTL[edit]

This register controls power of multiple ports/controllers and allows to map controller 3 to ARM9 or ARM11. The SD card can be accessed on ARM11 by setting bit 8 and clearing bit 9.

Bit Description Used by
0 Controller 1/3 port 0 power (SD card) (1=off) Process9
1 Controller 1 port 1 power (eMMC) (1=off) Process9
2 Controller 2 port 0 power (WiFi SDIO) (1=off) Process9
3 Controller 3 port 1 power? Set at cold boot. -
4-5 Unused. -
6 Wifi port related? Pull up? Set at cold boot. -
8 Controller 3 mapping (0=ARM9 0x10007000, 1=ARM11 0x10100000) Process9
9 SD card controller select (0=0x10007000/0x10100000, 1=0x10006000) Process9
10-15 Unused. -

CFG9_EXTMEMCNT9[edit]

This register is New3DS-only.

Bit Description Used by
0 Hide extended ARM9 memory (0=hidden, 1=shown) Kernel9 (New3DS)
31-1 Reserved

CFG9_MPCORECFG[edit]

Identical to PDN_MPCORE_CFG.

CFG9_BOOTENV[edit]

This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM sets it to 1 on shutdown/FIRM launch. LGY FIRM writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title.

NATIVE_FIRM will only launch titles if this is not value 0, and will only save the AGB_FIRM savegame to SD if this is value 7.

CFG9_UNITINFO[edit]

This 8-bit register is value zero for retail, non-zero for dev/debug units.

CFG9_TWLUNITINFO[edit]

In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.

This is also used by TWL_FIRM Process9.