PDN Registers: Difference between revisions

(2 intermediate revisions by the same user not shown)

Line 433:

N3DS modes (LGR1/LGR2) enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.

* CTR: ~~O3DSS~~

* CTR: O3DS

* LGR1: N3DS prototype, 2 ~~cores~~, no L2C

* LGR1: N3DS prototype, 4 cores (originally 2), no L2C

* LGR2: retail N3DS, 4 cores, has L2C

|-

| 15

| ~~Busy~~

| Interrupt status (read) / clear (write)

|}

'''All currently powered-on cores must be (and remain) in WFI state to trigger the SoC mode switch.'''

Kernel code suggests that devices that support LGR1 but not LGR2 only had 2 cores. All cores (the number of which can be read from MPCORE SCU registers) are usable in LGR1 mode.

On firmlaunch, the kernel sets the mode to O3DS.

Line 465:

Line 469:

|-

| 0

| ~~nRESET~~, 0 = ~~reset. Also enable the bootrom instruction overlay.~~

| Power request: 0 = power off, 1 = power on

|-

| 1

| ~~Enable bootrom data overlay~~

| Handshake bit

Needs to be set before powering on the core. It is meant to be cleared by software on the powered-on core, to signal itself.

|-

| 4

| ~~Reset operation in progress~~

| Power status: 0 = off, 1 = on

|-

| 5

| ~~Always 1~~?

| Core present?

|}

Only usable for core2 and core3.

Only usable for core2 and core3. Core 0 and 1 have a fixed, read-only value of 0x30 for this register.

* On power-on, software should switch the affected core to Normal Mode on the SCU

* On power-off, software '''must''' switch the affected core to Powered Off mode on the SCU (otherwise the core won't go off)

The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.

~~Bit1~~ in ~~register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000~~ and ~~0x10000-0x11000. All _data reads_ made~~ to ~~those regions now read the 32-bit value provided in~~ [[~~CONFIG11 Registers~~ #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].

The overlay should be enabled by setting bit0 in [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_CNT|CFG11_BOOTROM_OVERLAY_CNT]] and configured by setting the entrypoint address to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].

~~Bit0 sets the core out of reset and enables a bootrom~~ instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads~~). Jumping randomly into the~~ 0xFFFF0000-0xFFFF1000 ~~region works fine~~ and ~~jumps~~ to the ~~value provided~~ by the ~~data overlay [[CONFIG11 Registers #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by~~:

The overlay overrides all ''instruction'' reads from phyiscal addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000 to the following (figured out by using low exception vectors and configuring the b11 veeners accordingly):

ldr pc, [pc]

ldr pc, [pc, #(0x20 - 8)]

~~Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the Arm pipeline,~~ and ~~might help us identify what instructions are placed by~~ the ~~instruction-overlay~~.

and all ''data'' reads from the same ranges to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].

@@ Line 433: / Line 433: @@
 N3DS modes (LGR1/LGR2) enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.
-* CTR: O3DSS
+* CTR: O3DS
-* LGR1: N3DS prototype, 2 cores, no L2C
+* LGR1: N3DS prototype, 4 cores (originally 2), no L2C
 * LGR2: retail N3DS, 4 cores, has L2C
 |-
 | 15
-| Busy
+| Interrupt status (read) / clear (write)
 |}
+'''All currently powered-on cores must be (and remain) in WFI state to trigger the SoC mode switch.'''
+Kernel code suggests that devices that support LGR1 but not LGR2 only had 2 cores. All cores (the number of which can be read from MPCORE SCU registers) are usable in LGR1 mode.
 On firmlaunch, the kernel sets the mode to O3DS.
@@ Line 465: / Line 469: @@
 |-
 | 0
-| nRESET, 0 = reset. Also enable the bootrom instruction overlay.
+| Power request: 0 = power off, 1 = power on
 |-
 | 1
-| Enable bootrom data overlay
+| Handshake bit
+Needs to be set before powering on the core. It is meant to be cleared by software on the powered-on core, to signal itself.
 |-
 | 4
-| Reset operation in progress
+| Power status: 0 = off, 1 = on
 |-
 | 5
-| Always 1?
+| Core present?
 |}
-Only usable for core2 and core3.
+Only usable for core2 and core3. Core 0 and 1 have a fixed, read-only value of 0x30 for this register.
+* On power-on, software should switch the affected core to Normal Mode on the SCU
+* On power-off, software '''must''' switch the affected core to Powered Off mode on the SCU (otherwise the core won't go off)
 The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.
-Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in [[CONFIG11 Registers #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
+The overlay should be enabled by setting bit0 in [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_CNT|CFG11_BOOTROM_OVERLAY_CNT]] and configured by setting the entrypoint address to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
-Bit0 sets the core out of reset and enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay [[CONFIG11 Registers #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by:
+The overlay overrides all ''instruction'' reads from phyiscal addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000 to the following (figured out by using low exception vectors and configuring the b11 veeners accordingly):
-ldr pc, [pc]
+  ldr pc, [pc, #(0x20 - 8)]
-Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the Arm pipeline, and might help us identify what instructions are placed by the instruction-overlay.
+and all ''data'' reads from the same ranges to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].