Difference between revisions of "MCU Services"
(Added IPC call names and headers) |
(Added more info and cleaned up) |
||
Line 552: | Line 552: | ||
=MCU firmware versions= | =MCU firmware versions= | ||
− | These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually | + | These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually 0x4003 bytes in size (the actual firmware is 0x4000 bytes preceeded by a 3 byte RL78 assembly opcode "jhl" (or 0xffe68, #108) to switch the I2C comms into flash write mode). |
− | There exists an alternate code path where uploading is done using register 0x3B (if register 0x0F is zero meaning all peripherals are turned off, and 0x10 must be 1 (power button pressed/held)). This may be a "hack" around early versions of MCU? Register 0x3B is part of the RTC alarm registers on recent versions of MCU | + | Before the upload could commence, WiFi interrupts are turned off via GPIO command 0x00020080(0, 0x40000), then after the upload completed, the sysmodule waits exactly one second for the MCU to reboot, then turns WiFi interrupts back on via <code>gpio:MCU</code> command 0x00020080(0x40000, 0x40000). |
+ | |||
+ | There exists an alternate code path where uploading is done using register 0x3B (if register 0x0F is zero meaning all peripherals are turned off, and 0x10 must be 1 (power button pressed/held)). This may be a "hack" around early versions of MCU? Register 0x3B is part of the RTC alarm registers on recent versions of MCU. | ||
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set. | On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set. |
Revision as of 21:41, 4 October 2017
Only one session can be open per service at a time. If a session is already open for a service, MCU module will wait for the thread handling the session to terminate(triggered by the session being closed by the user process), then it accepts the new session. The commands for each service are handled by separate threads.
MCU camera service "mcu::CAM"
Command Header | Description |
---|---|
0x00010040 | WriteCameraLedState (writes i2c register 0x2B) |
0x00020080 | ReadCameraLedState (reads i2c register 0x2B) |
MCU GPU service "mcu::GPU"
Command Header | Description |
---|---|
0x00010000 | GetLcdPowerState. This writes the value of I2C-MCU register 0xf bit6 to u8 cmdreply[2], and the value of bit5 from that register to u8 cmdreply[3]. |
0x00020080 | SetLcdPowerState. This writes the upper LCD bits of MCU register 0x22. |
0x00030000 | GetGpuLcdInterfaceState. This writes the value of I2C-MCU register 0xf bit7 to u8 cmdreply[2]. |
0x00040040 | SetGpuLcdInterfaceState. This writes the lower two bits of MCU register 0x22. |
0x00050040 | SetTopScreenFlicker |
0x00060080 | GetTopScreenFlicker |
0x00070040 | SetBottomScreenFlicker |
0x00080080 | GetBottomScreenFlicker |
0x00090000 | GetMcuFwVerHigh. Called by GSP module |
0x000A0000 | GetMcuFwVerLow. Called by GSP module |
0x000B0040 | Set3dLedState |
0x000C0000 | Get3dLedState |
0x000D0000 | GetMcuGpuEventHandle. Event handle written to TLS+0x8c. MCU notifications 24 to 29 signal this. |
0x000E0000 | GetMcuGpuEventReason. Writes some value to TLS+0x88. Called by GSP module |
MCU HID service "mcu::HID"
Command Header | Description |
---|---|
0x00010040 | ? |
0x00020000 | ??? test register 0x40 bit0, and writes result to IPC+8 |
0x00030040 | ??? writes IPC+4 to register 0x41 |
0x00040000 | ??? reads register 0x44 to IPC+8 |
0x00050080 | ??? writes IPC+4 to register 0x43 and IPC+8 to register 0x44 |
0x00060000 | ReadGyroscopeValues (reads gyroscopy with corrected values) |
0x00070000 | GetRaw3DSliderPosition |
0x00080040 | ? |
0x00090000 | ? |
0x000A0040 | ? |
0x000B0000 | ? |
0x000C0000 | GetMcuHidEventHandle. MCU notifications 11 and 12 signal this. Handle is written to IPC+12 |
0x000D0000 | GetMcuHidEventReason. This reads an internal flield into IPC+8 and clears it. |
0x000E0000 | GetSoundVolume |
0x000F0040 | EnableAccelerometerInterrupt(int enable). 1 = enable, 0 = disable accelerometer |
While before these functions are handled, the MCU interrupt with bitmask 0x800 is enabled, then after the commands were handled the MCU interrupt bits 0x1800 get cleared.
MCU service "mcu::RTC"
Command Header | Description |
---|---|
0x00010080 | SetRTC |
0x00020000 | GetRTC |
0x00030040 | SetRTCSeconds |
0x00040000 | GetRTCSeconds |
0x00050040 | SetRTCMinutes |
0x00060000 | GetRTCMinutes |
0x00070040 | SetRTCHours |
0x00080000 | GetRTCHours |
0x00090040 | SetRTCDayOfWeek |
0x000A0000 | GetRTCDayOfWeek |
0x000B0040 | SetRTCDayOfMonth |
0x000C0000 | GetRTCDayOfMonth |
0x000D0040 | SetRTCMonth |
0x000E0000 | GetRTCMonth |
0x000F0040 | SetRTCYear |
0x00100000 | GetRTCYear |
0x00110040 | SetRTCLeapYearCounter |
0x00120000 | GetRTCLeapYearCounter |
0x00130080 | SetRTCAlarm |
0x00140000 | GetRTCAlarm |
0x00150040 | SetRTCAlarmComponent[0] |
0x00160000 | GetRTCAlarmComponent[0] |
0x00170040 | SetRTCAlarmComponent[1] |
0x00180000 | GetRTCAlarmComponent[1] |
0x00190040 | SetRTCAlarmComponent[2] |
0x001A0000 | GetRTCAlarmComponent[2] |
0x001B0040 | SetRTCAlarmComponent[3] |
0x001C0000 | GetRTCAlarmComponent[3] |
0x001D0040 | SetRTCAlarmComponent[4] |
0x001E0000 | GetRTCAlarmComponent[4] |
0x001F0040 | SetPedometerRecordingMode |
0x00200000 | GetPedometerRecordingMode |
0x00210080 | GetStepCount (for the current day) |
0x00220042 | ReadRegister4Fh(u32 unused_size, translation_param size=0x156 << 4 | 0xC, u8[0x156] ptr) |
0x00230000 | ??? writes 1 to register 0x4E which is not writable |
0x00240000 | GetPowerEventHandle. MCU notifications 1, 8, 9, 10, 13, 14 and 15 signal this.
see Register 0x18 |
0x00250000 | GetPowerInterruptHistory |
0x00260000 | CheckRegister02hBit0 |
0x00270000 | ClearRegister02hBit0 (does nothing since the register is not writable) |
0x00280000 | CheckRegister02hBit1 |
0x00290000 | ClearRegister02hBit1 |
0x002A0000 | GetShellState. This writes the value of I2C-MCU register 0xf bit1 to u8 cmdreply[2]. |
0x002B0000 | GetAdapterState. This writes the value of I2C-MCU register 0xf bit3 to u8 cmdreply[2]. |
0x002C0000 | GetBatteryChargeState. This writes the value of I2C-MCU register 0xf bit4 to u8 cmdreply[2]. |
0x002D0000 | GetBatteryLevel |
0x002E0000 | GetBatteryEmptyPatternByte0 |
0x002F0000 | GetBatteryEmptyPatternByte0_safe™ |
0x00300040 | SetLEDBrightness (see Register 0x28) |
0x00310000 | GetLEDBrightness (see Register 0x28) |
0x00320000 | PowerOff (writes 0x1 to i2c MCU device, reg 0x20) |
0x00330000 | HardwareReboot (writes 0x4 to i2c MCU device, reg 0x20) |
0x00340000 | WriteRegister reg=0x23 value=0x72 (writing to read-only registers does nothing) |
0x00350000 | Writes 0x10 to i2c MCU device, reg 0x20 (this bit of the register is not writable) |
0x00360040 | SetWatchdogTimer |
0x00370000 | GetWatchdogTimer |
0x00380042 | ReadInfoRegister(u32 unused_size, translation_param size << 4 | 0xC, u8[0x13] ptr) |
0x00390082 | WriteLoop (translation parameters too complex) |
0x003A0082 | ReadLoop (translation parameters too complex) |
0x003B0640 | SetInfoLEDPattern |
0x003C0040 | SetInfoLEDPatternHeader |
0x003D0000 | GetInfoLEDStatus |
0x003E0040 | WriteRegister50h |
0x003F0000 | ReadRegister50h |
0x00400040 | WriteRegister51h |
0x00410000 | ReadRegister51h |
0x00420040 | SetBatteryEmptyLEDPattern |
0x00430040 | SetScreenFlickerTop |
0x00440000 | GetScreenFlickerTop |
0x00450040 | SetScreenFlickerBottom |
0x00460000 | GetScreenFlickerBottom |
0x00470080 | SetVolumeSliderBounds |
0x00480000 | GetVolumeSliderBounds |
0x00490040 | SetInterruptMask (see Register 0x18) |
0x004A0000 | GetInterruptMask (see Register 0x18) |
0x004B0000 | ExitExclusiveInterruptMode |
0x004C0000 | EnterExclusiveInterruptMode |
0x004D0000 | ReadInterrupt (see Register 0x10) |
0x004E0040 | TriggerInterrupt |
0x004F0040 | SetMCUFirmUpdated(u32 flag) not used by anything |
0x00500000 | IsMCUFirmUpdated |
0x00510040 | SetSoftwareClosedFlag |
0x00520000 | GetSoftwareClosedFlag |
0x00530040 | ? |
0x00540000 | ? |
0x00550040 | ? |
0x00560000 | ? |
0x00570040 | ? |
0x00580000 | ? |
0x00590040 | SetLegacyJumpProhibitedFlag |
0x005A0000 | GetLegacyJumpProhibitedFlag |
MCU sound service "mcu::SND"
Command Header | Description |
---|---|
0x00010080 | GetSoundVolume, writes volume slider value (0-63) to IPC+8 |
0x00020040 | Set... |
0x00030000 | GetRegister25h, cmdbuf[2] is 0 on n3ds |
MCU wifi service "mcu::NWM"
Command Header | Description |
---|---|
0x0001.... | SetWirelessLedState |
0x0002.... | GetWirelessLedState |
0x0003.... | Sets GPIO 0x20 high/low? |
0x0004.... | Gets GPIO 0x20 high/low? |
0x0005.... | SetEnableWifiGpio |
0x0006.... | GetEnableWifiGpio |
0x0007.... | SetWirelessDisabledFlag |
0x0008.... | GetWirelessDisabledFlag |
MCU service "mcu::HWC"
Command Header | Description |
---|---|
0x00010082 | ReadRegister |
0x00020082 | WriteRegister |
0x00030042 | GetInfoRegisters |
0x00040000 | GetBatteryVoltage |
0x00050000 | GetBatteryLevel |
0x00060040 | SetPowerLEDPattern |
0x00070040 | SetWifiLEDState |
0x00080040 | SetCameraLEDPattern |
0x00090040 | Set3DLEDState |
0x000A0640 | This is the same as MCURTC:SetInfoLEDPattern. |
0x000B0000 | GetSoundVolume |
0x000C0040 | SetTopScreenFlicker |
0x000D0040 | SetBottomScreenFlicker |
0x000E0080 | ? |
0x000F00C0 | GetRtcTime |
0x00100000 | GetMcuFwVerHigh |
0x00110000 | GetMcuFwVerLow |
MCU service "mcu::PLS"
Beg the sysmodule to return the datetime registers in decimal form instead of as a Binary Coded Decimal
Command Header | Description |
---|---|
0x00010000 | GetDatetime (returns registers 0x30-0x36 in IPC+8) |
0x00020000 | u8 GetSeconds |
0x00030000 | u8 GetMinutes |
0x00040000 | u8 GetHour |
0x00050000 | u8 GetDayOfWeek |
0x00060000 | u8 GetDay |
0x00070000 | u8 GetMonth |
0x00080000 | u8 GetYear |
0x00090000 | u16 GetTickCounter |
MCU codec service "mcu::CDC"
Command Header | Description |
---|---|
0x00010000 | ? |
New3DS
The Old3DS/New3DS MCU sysmodules are identical except that the MCU firmware binary written via I2C is different. The size of that binary is the same. The only different words in .text are for the version of that MCU fw binary.
MCU firmware versions
These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually 0x4003 bytes in size (the actual firmware is 0x4000 bytes preceeded by a 3 byte RL78 assembly opcode "jhl" (or 0xffe68, #108) to switch the I2C comms into flash write mode).
Before the upload could commence, WiFi interrupts are turned off via GPIO command 0x00020080(0, 0x40000), then after the upload completed, the sysmodule waits exactly one second for the MCU to reboot, then turns WiFi interrupts back on via gpio:MCU
command 0x00020080(0x40000, 0x40000).
There exists an alternate code path where uploading is done using register 0x3B (if register 0x0F is zero meaning all peripherals are turned off, and 0x10 must be 1 (power button pressed/held)). This may be a "hack" around early versions of MCU? Register 0x3B is part of the RTC alarm registers on recent versions of MCU.
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.
Title version | Firmware |
---|---|
New3DS v9216 (New2DSXL) | 3.65 |
New3DS v8192/safe v9217 (latest) | 3.56 |
Old3DS v6145 to v8192 (latest) | 2.37 |
Old3DS v5122 | 2.35 |
Old3DS v4102 | 2.30 |
Old3DS v3072 | 2.16 |
Old3DS v2048 | 1.52 |
Old3DS v1026 | 1.51 |
Old3DS v0/safe v0 | 1.20 |
Old3DS factory | 1.07 |