ARM7 Registers: Difference between revisions

(10 intermediate revisions by 4 users not shown)

Line 30:

| <code>u16</code>

| <code>0x10018104</code>

| <code>~~ARM7_?_CNT~~</code>

| <code>ARM7_SAVE_MEMORY_CNT</code>

| 2

|-

| <code>u16</code>

| <code>0x10018108</code>

| <code>ARM7_RTC_CNT?</code>

| <code>ARM7_RTC_CNT</code>

| 2

|-

| <code>u32</code>

| <code>0x10018110</code>

| <code>?</code>

| <code>ARM7_RTC_VAL_DATE</code>

| 4

|-

| <code>u32</code>

| <code>0x10018114</code>

| <code>?</code>

| <code>ARM7_RTC_VAL_TIME</code>

| 4

|-

| <code>u32</code>

| <code>0x10018118</code>

| <code>~~ARM7_RTC_LO?~~</code>

| <code>ARM7_RTC_VAL_SETTINGS</code>

| 4

|-

| <code>u32</code>

| <code>0x1001811C</code>

| <code>~~ARM7_RTC_HI?~~</code>

| <code>ARM7_RTC_VAL_ADJUST</code>

| 4

|-

| <code>~~arm7_save_cfg_t~~</code>

| <code>u32</code>

| <code>0x10018120</code>

| <code>~~ARM7_SAVE_CFG~~</code>

| <code>ARM7_SAVE_FLASH_CHIP_ERASE_CYCLES</code>

| 16

| 4

|-

| <code>u32</code>

| <code>0x10018124</code>

| <code>ARM7_SAVE_FLASH_SECTOR_ERASE_CYCLES</code>

| 4

|-

| <code>u32</code>

| <code>0x10018128</code>

| <code>ARM7_SAVE_FLASH_PROGRAM_CYCLES</code>

| 4

|-

| <code>u32</code>

| <code>0x1001812C</code>

| <code>ARM7_SAVE_EEPROM_WRITE_CYCLES</code>

| 4

|}

Line 68:

Line 83:

===ARM7_CODE===

This is the ~~first~~ code ~~that~~ will be ~~run after~~ execution ~~begins~~. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). ~~This doesn't seem~~ to ~~start execution~~ by ~~itself~~.

This region is an arm7 bootrom overlay, over the vector table at address 0. Once the ARM7 is taken out of reset by <code>TwlProcess9</code>, the reset vector will be jumped to, beginning execution. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). Execution is started by writing <code>0x8001</code> to [[PDN_Registers#LGY_MODE|LGY_MODE]] after setting the mode via <code>ARM7_CNT</code>. Later, this overlay is disabled by the ARM7 via the "biosprot" register (0x04000308).

Reading uninitialized data in this 32-byte region leads to both screens displaying solid green (exception), and the CPU locking up.

===ARM7_SAVE_MODE===

This tells the save storage emulation hardware which device type to emulate (EEPROM, 512k ~~flash~~, and SRAM are all that have been used officially; 1 Mbit ~~flash is~~ supported ~~but not implemented in AGB_FIRM~~). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].

This tells the save storage emulation hardware which device type to emulate (64k EEPROM, a 512k Flash chip model, and SRAM are all that have been used officially; several other 512k Flash chip models, two 1 Mbit Flash chip models and 4k EEPROM are also supported). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].

===ARM7_SAVE_MEMORY_CNT===

This register controls whether the GBA save memory region located at <code>0x08080000</code> is accessible to ARM9 or to the ARM7 (via the emulated save chip). When it's set to 0x0 ARM7 has access, while ARM9 has access when it's set to 0x1.

===ARM7_RTC_CNT===

This register controls the emulated RTC hardware and access to some of its registers.

To set or read the data from ARM7_RTC_VAL_SETTINGS or ARM7_RTC_VAL_ADJUST, first <code>ARM7_RTC_CNT</code>'s bit 15 is waited on. Next <code>ARM7_RTC_CNT</code> is set to zero.

For a write: the two registers are written, a 1 is written to <code>ARM7_RTC_CNT</code>, and it is waited on the same as before. Afterwards if bit 14 is not set in <code>ARM7_RTC_CNT</code>, the value was set successfully. This also starts the emulated RTC.

For a read: a 2 is written to <code>ARM7_RTC_CNT</code>, it's waited on again. Afterwards, if bit 14 is not set, the aforementioned registers can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but <code>AGB_FIRM</code> does not.

===ARM7_RTC_VAL_DATE / ARM7_RTC_VAL_TIME===

These registers are set to the current LgyP9 date+time before the other RTC-related registers are used.

They contain the following structure, set up on the stack then both u32 registers are written one after the other:

s8 year_since_2000_bcd;

s8 month_bcd;

s8 day_bcd;

s8 day_of_week;

s8 hour_bcd;

s8 minute_bcd;

s8 second_bcd;

===ARM7_RTC_VAL_SETTINGS===

This register appears to contain the emulated RTC chip's configuration (accessible via the "control" register on real hardware), containing settings like 12/24-hour mode. Access is controlled by <code>ARM7_RTC_CNT</code> (see above).

===ARM7_RTC_VAL_ADJUST===

This register appears to contain the emulated RTC chip's time difference, relative to <code>ARM7_RTC_VAL_DATE</code> / <code>ARM7_RTC_VAL TIME</code>, in seconds. Access is controlled by <code>ARM7_RTC_CNT</code> (see above).

===~~ARM7_RTC ''?''~~===

===ARM7_SAVE_FLASH_CHIP_ERASE_CYCLES===

~~These registers may be used~~ to ~~control~~ a ~~real-~~time ~~clock~~. ~~To set or read the data here~~, ~~first <code>ARM7_RTC_CNT</code>'s bit 15~~ is ~~waited on. Next~~ <code>~~ARM7_RTC_CNT~~</code> ~~is set to zero~~.

This register seems to configure the emulated Flash chip to take a specified amount of time to complete a chip erase operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x10</code>.

~~For~~ a ~~write: the two registers are written,~~ a ~~1 is written~~ to ~~<code>ARM7_RTC_CNT<~~/~~code>~~, and ~~it is waited on the same as before~~. ~~Afterwards if bit 14~~ is ~~not set in~~ <code>~~ARM7_RTC_CNT~~</code>~~, the value was set successfully~~.

===ARM7_SAVE_FLASH_SECTOR_ERASE_CYCLES===

This register seems to configure the emulated Flash chip to take a specified amount of time to complete a sector erase operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x14</code>.

~~For~~ a ~~read:~~ a ~~2 is written~~ to ~~<code>ARM7_RTC_CNT<~~/~~code>~~, ~~it's waited on again~~. ~~Afterwards, if bit 14~~ is ~~not set, the RTC can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but~~ <code>~~AGB_FIRM~~</code> ~~does not~~.

===ARM7_SAVE_FLASH_PROGRAM_CYCLES===

This register seems to configure the emulated Flash chip to take a specified amount of time to complete a program operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x18</code>.

===~~ARM7_SAVE_CFG~~===

===ARM7_SAVE_EEPROM_WRITE_CYCLES===

This is copied from rom footer + <code>~~0x10~~</code>. It presumably configures details about storage, such as IDs, and likely allows enabling the RTC for games which need it. Format of this data is unknown, and slightly difficult to determine without some hardware poking.

This register seems to configure the emulated EEPROM chip to take a specified amount of time to complete a write operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 64k EEPROM chips and one for 4k EEPROM chips. It is copied from from rom footer + <code>0x1C</code>.

==Memory map==

Line 90:

Line 136:

* <code>0x08060000</code> → <code>0x03800000</code>, ARM7 WRAM (64KiB)

* <code>0x080B0000</code> → <code>0x03000000</code>, GBA IWRAM (32KiB)

* <code>~~0x080C0000~~</code> → EEPROM/SRAM/Flash (<code>~~0x10018104~~</code> ~~must be set~~ to 1 before ~~reading memory here~~, ~~and restored to its previous value afterwards)~~

* <code>0x08080000</code> → EEPROM/SRAM/Flash 512k/Flash 1Mbit (the 2 512k banks are contiguous in memory). Access is controlled by <code>ARM7_SAVE_MEMORY_CNT</code> (see above). <code>0x080C0000</code> holds a mirror which is used by LgyP9 on boot to read the SD savedata before the mode switch, the data is then copied.

* <code>0x01FFC000</code> → <code>0x01000000</code>, ARM9 ITCM under TWL (16KiB)

@@ Line 30: / Line 30: @@
 | <code>u16</code>
 | <code>0x10018104</code>
-| <code>ARM7_?_CNT</code>
+| <code>ARM7_SAVE_MEMORY_CNT</code>
 | 2
 |-
 | <code>u16</code>
 | <code>0x10018108</code>
-| <code>ARM7_RTC_CNT?</code>
+| <code>ARM7_RTC_CNT</code>
 | 2
 |-
 | <code>u32</code>
 | <code>0x10018110</code>
-| <code>?</code>
+| <code>ARM7_RTC_VAL_DATE</code>
 | 4
 |-
 | <code>u32</code>
 | <code>0x10018114</code>
-| <code>?</code>
+| <code>ARM7_RTC_VAL_TIME</code>
 | 4
 |-
 | <code>u32</code>
 | <code>0x10018118</code>
-| <code>ARM7_RTC_LO?</code>
+| <code>ARM7_RTC_VAL_SETTINGS</code>
 | 4
 |-
 | <code>u32</code>
 | <code>0x1001811C</code>
-| <code>ARM7_RTC_HI?</code>
+| <code>ARM7_RTC_VAL_ADJUST</code>
 | 4
 |-
-| <code>arm7_save_cfg_t</code>
+| <code>u32</code>
 | <code>0x10018120</code>
-| <code>ARM7_SAVE_CFG</code>
+| <code>ARM7_SAVE_FLASH_CHIP_ERASE_CYCLES</code>
-| 16
+| 4
+|-
+| <code>u32</code>
+| <code>0x10018124</code>
+| <code>ARM7_SAVE_FLASH_SECTOR_ERASE_CYCLES</code>
+| 4
+|-
+| <code>u32</code>
+| <code>0x10018128</code>
+| <code>ARM7_SAVE_FLASH_PROGRAM_CYCLES</code>
+| 4
+|-
+| <code>u32</code>
+| <code>0x1001812C</code>
+| <code>ARM7_SAVE_EEPROM_WRITE_CYCLES</code>
+| 4
 |}
@@ Line 68: / Line 83: @@
 ===ARM7_CODE===
-This is the first code that will be run after execution begins. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). This doesn't seem to start execution by itself.
+This region is an arm7 bootrom overlay, over the vector table at address 0. Once the ARM7 is taken out of reset by <code>TwlProcess9</code>, the reset vector will be jumped to, beginning execution. <code>TwlProcess9</code> uses this to put ARM7 in a loop (TWL), and to set the <code>POSTFLG</code> and branch to more copied code (GBA). Execution is started by writing <code>0x8001</code> to [[PDN_Registers#LGY_MODE|LGY_MODE]] after setting the mode via <code>ARM7_CNT</code>. Later, this overlay is disabled by the ARM7 via the "biosprot" register (0x04000308).
 Reading uninitialized data in this 32-byte region leads to both screens displaying solid green (exception), and the CPU locking up.
 ===ARM7_SAVE_MODE===
-This tells the save storage emulation hardware which device type to emulate (EEPROM, 512k flash, and SRAM are all that have been used officially; 1 Mbit flash is supported but not implemented in AGB_FIRM). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].
+This tells the save storage emulation hardware which device type to emulate (64k EEPROM, a 512k Flash chip model, and SRAM are all that have been used officially; several other 512k Flash chip models, two 1 Mbit Flash chip models and 4k EEPROM are also supported). This comes directly from the [[3DS_Virtual_Console#Footer|ROM footer]].
+===ARM7_SAVE_MEMORY_CNT===
+This register controls whether the GBA save memory region located at <code>0x08080000</code> is accessible to ARM9 or to the ARM7 (via the emulated save chip). When it's set to 0x0 ARM7 has access, while ARM9 has access when it's set to 0x1.
+===ARM7_RTC_CNT===
+This register controls the emulated RTC hardware and access to some of its registers.
+To set or read the data from ARM7_RTC_VAL_SETTINGS or ARM7_RTC_VAL_ADJUST, first <code>ARM7_RTC_CNT</code>'s bit 15 is waited on. Next <code>ARM7_RTC_CNT</code> is set to zero.
+For a write: the two registers are written, a 1 is written to <code>ARM7_RTC_CNT</code>, and it is waited on the same as before. Afterwards if bit 14 is not set in <code>ARM7_RTC_CNT</code>, the value was set successfully. This also starts the emulated RTC.
+For a read: a 2 is written to <code>ARM7_RTC_CNT</code>, it's waited on again. Afterwards, if bit 14 is not set, the aforementioned registers can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but <code>AGB_FIRM</code> does not.
+===ARM7_RTC_VAL_DATE / ARM7_RTC_VAL_TIME===
+These registers are set to the current LgyP9 date+time before the other RTC-related registers are used.
+They contain the following structure, set up on the stack then both u32 registers are written one after the other:
+ s8 year_since_2000_bcd;
+ s8 month_bcd;
+ s8 day_bcd;
+ s8 day_of_week;
+ s8 hour_bcd;
+ s8 minute_bcd;
+ s8 second_bcd;
+===ARM7_RTC_VAL_SETTINGS===
+This register appears to contain the emulated RTC chip's configuration (accessible via the "control" register on real hardware), containing settings like 12/24-hour mode. Access is controlled by <code>ARM7_RTC_CNT</code> (see above).
+===ARM7_RTC_VAL_ADJUST===
+This register appears to contain the emulated RTC chip's time difference, relative to <code>ARM7_RTC_VAL_DATE</code> / <code>ARM7_RTC_VAL TIME</code>, in seconds. Access is controlled by <code>ARM7_RTC_CNT</code> (see above).
-===ARM7_RTC ''?''===
+===ARM7_SAVE_FLASH_CHIP_ERASE_CYCLES===
-These registers may be used to control a real-time clock. To set or read the data here, first <code>ARM7_RTC_CNT</code>'s bit 15 is waited on. Next <code>ARM7_RTC_CNT</code> is set to zero.
+This register seems to configure the emulated Flash chip to take a specified amount of time to complete a chip erase operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x10</code>.
-For a write: the two registers are written, a 1 is written to <code>ARM7_RTC_CNT</code>, and it is waited on the same as before. Afterwards if bit 14 is not set in <code>ARM7_RTC_CNT</code>, the value was set successfully.
+===ARM7_SAVE_FLASH_SECTOR_ERASE_CYCLES===
+This register seems to configure the emulated Flash chip to take a specified amount of time to complete a sector erase operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x14</code>.
-For a read: a 2 is written to <code>ARM7_RTC_CNT</code>, it's waited on again. Afterwards, if bit 14 is not set, the RTC can be read. Presumably the hardware can be re-enabled by writing a zero to <code>ARM7_RTC_CNT</code> at this point, but <code>AGB_FIRM</code> does not.
+===ARM7_SAVE_FLASH_PROGRAM_CYCLES===
+This register seems to configure the emulated Flash chip to take a specified amount of time to complete a program operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 512k Flash chips and one for 1 Mbit Flash chips. It is copied from from rom footer + <code>0x18</code>.
-===ARM7_SAVE_CFG===
+===ARM7_SAVE_EEPROM_WRITE_CYCLES===
-This is copied from rom footer + <code>0x10</code>. It presumably configures details about storage, such as IDs, and likely allows enabling the RTC for games which need it. Format of this data is unknown, and slightly difficult to determine without some hardware poking.
+This register seems to configure the emulated EEPROM chip to take a specified amount of time to complete a write operation (relative to the DS' ARM7/bus speed). Two variations exist in officially released games, one meant for 64k EEPROM chips and one for 4k EEPROM chips. It is copied from from rom footer + <code>0x1C</code>.
 ==Memory map==
@@ Line 90: / Line 136: @@
 * <code>0x08060000</code> → <code>0x03800000</code>, ARM7 WRAM (64KiB)
 * <code>0x080B0000</code> → <code>0x03000000</code>, GBA IWRAM (32KiB)
-* <code>0x080C0000</code> → EEPROM/SRAM/Flash (<code>0x10018104</code> must be set to 1 before reading memory here, and restored to its previous value afterwards)
+* <code>0x08080000</code> → EEPROM/SRAM/Flash 512k/Flash 1Mbit (the 2 512k banks are contiguous in memory). Access is controlled by <code>ARM7_SAVE_MEMORY_CNT</code> (see above). <code>0x080C0000</code> holds a mirror which is used by LgyP9 on boot to read the SD savedata before the mode switch, the data is then copied.
 * <code>0x01FFC000</code> → <code>0x01000000</code>, ARM9 ITCM under TWL (16KiB)