516
edits
Changes
Jump to navigation
Jump to search
Line 8:
Line 8: − + Line 14:
Line 14: − + − + − + − + − + − | ?+ − | 0x10140102 − | 2 − | − |- − | style="background: green" | Yes − Line 38:
Line 32: − + + − + − + − | 0x10140108 − | 2 − | TwlBg − |- − | style="background: green" | Yes − | Related to [[HID_Registers|HID_?]] Line 70:
Line 59: − + − + Line 80:
Line 69: − + Line 86:
Line 75: − + Line 114:
Line 103: − |-style="border-top: double" − | style="background: green" | Yes − | CFG11_GPU_STATUS − | 0x10141000 − | 2 − | Kernel11, TwlBg − |- − | style="background: green" | Yes − | CFG11_PTM_0 − | 0x10141008 − | 4 − | [[PTM Services]], [[PDN Services]] − |- − | style="background: green" | Yes − | CFG11_PTM_1 − | 0x1014100C − | 4 − | [[PTM Services]], TwlBg, [[PDN Services]] − |-style="border-top: double" − | style="background: green" | Yes − | [[#CFG11_TWLMODE_0|CFG11_TWLMODE_0]] − | 0x10141100 − | 2 − | TwlProcess9, TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_TWLMODE_1|CFG11_TWLMODE_1]] − | 0x10141104 − | 2 − | TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_TWLMODE_2|CFG11_TWLMODE_2]] − | 0x10141108 − | 2 − | TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_TWLMODE_HID|CFG11_TWLMODE_HID]] − | 0x1014110A − | 2 − | TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_WIFIUNK|CFG11_WIFIUNK]] − | 0x1014110C − | 1 − | [[NWM Services]] − |- − | style="background: green" | Yes − | ? − | 0x10141110 − | 2 − | TwlBg − |- − | style="background: green" | Yes − | ? − | 0x10141112 − | 2 − | TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_CODEC|CFG11_CODEC_0]] − | 0x10141114 − | 2 − | [[Codec Services]], TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_CODEC|CFG11_CODEC_1]] − | 0x10141116 − | 2 − | [[Codec Services]], TwlBg − |- − | style="background: green" | Yes − | ? − | 0x10141118 − | 1 − | TwlBg − |- − | style="background: green" | Yes − | ? − | 0x10141119 − | 1 − | TwlBg − |- − | style="background: green" | Yes − | ? − | 0x10141120 − | 1 − | TwlBg − |- − |-style="border-top: double" − | style="background: green" | Yes − | [[#CFG11_GPU_CNT|CFG11_GPU_CNT]] − | 0x10141200 − | 4 − | Boot11, Kernel11, [[PDN Services]], TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_GPU_CNT2|CFG11_GPU_CNT2]] − | 0x10141204 − | 4 − | Boot11, Kernel11, TwlBg − |- − | style="background: green" | Yes − | CFG11_GPU_FCRAM_CNT − | 0x10141210 − | 2 − | Kernel11, TwlBg − |- − | style="background: green" | Yes − | [[#CFG11_CODEC_CNT|CFG11_CODEC_CNT]] − | 0x10141220 − | 1 − | Boot11, TwlBg, [[PDN Services]] − |- − | style="background: green" | Yes − | [[#CFG11_CAMERA_CNT|CFG11_CAMERA_CNT]] − | 0x10141224 − | 1 − | [[PDN Services]] − |- − | style="background: green" | Yes − | [[#CFG11_DSP_CNT|CFG11_DSP_CNT]] − | 0x10141230 − | 1 − | Process9, [[PDN Services]] − |-style="border-top: double" − | style="background: red" | No − | [[#CFG11_MPCORE_CLKCNT|CFG11_MPCORE_CLKCNT]] − | 0x10141300 − | 2 − | NewKernel11 − |- − | style="background: red" | No − | [[#CFG11_MPCORE_CNT|CFG11_MPCORE_CNT]] − | 0x10141304 − | 2 − | NewKernel11 − |- − | style="background: red" | No − | [[#CFG11_MPCORE_BOOTCNT<0-3>|CFG11_MPCORE_BOOTCNT]]<0-3> − | 0x10141310 − | 1*4 − | NewKernel11 − + Line 269:
Line 113: − + Line 281:
Line 125: − + Line 289:
Line 133: − + Line 301:
Line 145: − + − Writing bit1 to this register disables FIQ interrupts. − − This bit is set upon receipt of a FIQ interrupt and when [[SVC|svcUnbindInterrupt]] is called on the FIQ-abstraction [[ARM11_Interrupts#Private_Interrupts|software interrupt]] for the current core. − It is cleared when binding that software interrupt to an event and just before that event is signaled. − − == CFG11_SPI_CNT == − When the corresponding bit is 0, the bus has to be accessed using the DS SPI registers. Otherwise it has to be accessed using the 3DS SPI registers. Line 314:
Line 151: − + − + − + − |- − | 2 − | Enable [[SPI Registers]] 0x10143000. − + − Bit0: Enable bootrom overlay functionality.+ + + − == CFG11_BOOTROM_OVERLAY_VAL ==+ − The 32-bit value to overlay data-reads to bootrom with. See [[#CFG11_MPCORE_BOOTCNT|CFG11_MPCORE_BOOTCNT]]. − + − Read-only register.+ − ! Used by − + − | Boot11 − + − + + + − + − + − | Kernel11 − + − This is used for configuring the New3DS ARM11 CPU clock-rate. This register is New3DS-only: reading from here on Old3DS always returns all-zeros even when one tried writing data here prior to the read.+ − − + − + − + − + − + − + − [[SVC#KernelSetState|svcKernelSetState]] type10, only implemented on New3DS, uses this register. That code writes the following values to this register, depending on the input Param0 bit0 state, and the state of CFG11_SOCINFO:+ − + − ! Higher-clockrate bit set in svcKernelSetState Param0 − ! CFG11_SOCINFO bit2 set − ! MPCore timer/watchdog prescaler value, prior to subtracting it by 0x1 when writing it into hw/state − ! Clock-rate multiplier − + − + − | Yes − | 0x01 − | 1x − | 268MHz − + − + − | No − | 0x01 − | 1x − | 268MHz − |- − | 0x05 − | Yes − | Yes − | 0x03 − | 3x − | 804MHz − |- − | 0x03 − | Yes − | No − | 0x02 − | 2x − | 536MHz (tested on New3DS) − Note that the above CFG11_SOCINFO bit is 1 on New3DS, and 0 on Old3DS. Since this SVC is only available with the New3DS ARM11-kernel, the only additional available clock-rate is 804MHz when running on New3DS(with official kernel code).+ − − The following register value(s) were tested on New3DS by patching the kernel: − * 0x00: Entire system hangs. − * 0x02: Entire system hangs. − * 0x03: ARM11 runs at 536MHz. − * 0x04: Entire system hangs. − * 0x06: Entire system hangs. − * 0x07: Same result as 0x05. − * 0x08: Entire system hangs. − * 0x09: Entire system hangs. − * 0x0A: Entire system hangs. − * 0x0B: Same result as 0x03. − * 0x0C: Entire system hangs. − * 0x0D: Same result as 0x05. − * 0x0E: Entire system hangs. − * 0x0F: Same result as 0x05. − * 0x1F, 0x2F, 0x4F, 0x8F, 0xFF: Same result as 0x05. − − − + − + − + − + − + − Kernel11 sets this to 0x101 when bit 2 in [[#CFG11_SOCINFO|CFG11_SOCINFO]] is set otherwise 1.+ + + + + + + + + + + + + + − == CFG11_MPCORE_BOOTCNT<0-3> == + − + + − + + − + − + − |-+ − | 5 − − − The normal ARM11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS ARM11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS. − − Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in [[#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. − − Bit0 enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay [[#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by: − ldr pc, [pc] − − Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the ARM pipeline, and might help us identify what instructions are placed by the instruction-overlay. Line 516:
Line 308: − − ==CFG11_TWLMODE_0== − Observed 0x8001 when running under TWL_ and AGB_FIRM, 0 NATIVE_FIRM. − − This address is poked from ARM7 to signal that it has booted and begun executing code. The ARM7-mode address for this register is 0x4700000. − − The very last 3DS-mode register poke the [[FIRM|TWL_FIRM]] Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory. − − Writing 0x8000 to here from the ARM9 with NATIVE_FIRM running doesn't seem to do anything, other reg-pokes likely need done first. − − ==CFG11_TWLMODE_1== − Observed 0x8000 when running under TWL_FIRM, 0 NATIVE_FIRM. − − ==CFG11_TWLMODE_2== − Bitfield. − − ==CFG11_TWLMODE_HID== − The value of this register is copied to [[HID_Registers|HID_?]] under certain conditions. − − ==CFG11_WIFIUNK== − {| class="wikitable" border="1" − ! Old3DS − ! Bits − ! Description − |- − | style="background: green" | Yes − | 4 − | Wifi-related? Set to 1 very early in NWM-module. − |} − − ==CFG11_GPU_CNT== − This one seems to control the LCD/GPU/Backlight. − − Bit0: Enable GPU registers at 0x10400000+. − Bit16: Turn on LCD backlight. − − ==CFG11_GPU_CNT2== − Bit0: Power on GPU? − − ==CFG11_GPU_FCRAM_CNT== − Bit1: Enable/disable FCRAM. − Bit2: Enable/disable operation in progress. − − ==CFG11_CODEC== − The following is the only time the ARM11 CODEC module uses any 0x1EC41XXX registers. In one case CODEC module clears bit1 in register 0x1EC41114, in the other case CODEC module sets bit1 in registers 0x1EC41114 and 0x1EC41116. − − ==CFG11_CODEC_CNT== − This is the power register used for the [[CFG11_Services|PDN]] CODEC service. − − bit0 = unknown, bit1 = turn on/off DSP, rest = always 0. − − ==CFG11_CAMERA_CNT== − This is the power register used for the [[CFG11_Services|PDN]] camera service. − − bit0 = unknown, bit1 = turn on/off cameras, rest = always 0. − − ==CFG11_DSP_CNT== − This is the power register used for the [[CFG11_Services|PDN Services]] DSP service. − − bit0: NRESET (active low). Unset to reset/hold reset. − bit1: enable bit. − − PDN services holds reset for 0x30 Arm11 cycles.
→CFG11_SOCINFO
|-
|-
| style="background: green" | Yes
| style="background: green" | Yes
| [[#CFG11_SHAREDWRAM_32K_DATA|CFG11_SHAREDWRAM_32K_DATA]]<0-7>
| [[#CFG11_SHAREDWRAM_32K_CODE|CFG11_SHAREDWRAM_32K_CODE]]<0-7>
| 0x10140000
| 0x10140000
| 1*8
| 1*8
|-
|-
| style="background: green" | Yes
| style="background: green" | Yes
| [[#CFG11_SHAREDWRAM_32K_CODE|CFG11_SHAREDWRAM_32K_CODE]]<0-7>
| [[#CFG11_SHAREDWRAM_32K_DATA|CFG11_SHAREDWRAM_32K_DATA]]<0-7>
| 0x10140008
| 0x10140008
| 1*8
| 1*8
| Boot11, Process9, [[DSP Services]]
| Boot11, Process9, [[DSP Services]]
|-
|-style="border-top: double"
| style="background: green" | Yes
| style="background: green" | Yes
| ?
| [[#CFG11_NULLPAGE_CNT|CFG11_NULLPAGE_CNT]]
| 0x10140100
| 0x10140100
| 2
| 4
|
|
|-
|-
| style="background: green" | Yes
| style="background: green" | Yes
| [[#CFG11_FIQ_MASK|CFG11_FIQ_MASK]]
| [[#CFG11_FIQ_CNT|CFG11_FIQ_CNT]]
| 0x10140104
| 0x10140104
| 1
| 1
|-
|-
| style="background: green" | Yes
| style="background: green" | Yes
| ?
| Debug related bitfield?
Observed: 0b1100(N3DS)/0b0000(O3DS)
| 0x10140105
| 0x10140105
| 1
| 1
| Kernel11.
|
|-
|-
| style="background: green" | Yes
| style="background: green" | Yes
| Related to [[HID_Registers|HID_?]]
| [[#CFG11_CDMA_CNT|CFG_CDMA_CNT]]
| 0x1014010C
| 0x1014010C
| 2
| 2
| [[#CFG11_SPI_CNT|CFG11_SPI_CNT]]
| [[#CFG11_SPI_CNT|CFG11_SPI_CNT]]
| 0x101401C0
| 0x101401C0
| 4
| 2
| [[SPI Services]], TwlBg
| [[SPI Services]], TwlBg
|-
|-style="border-top: double"
| style="background: green" | Yes
| style="background: green" | Yes
| ?
| ?
|-style="border-top: double"
|-style="border-top: double"
| style="background: red" | No
| style="background: red" | No
| Clock related?
| [[#CFG11_GPU_N3DS_CNT|CFG11_GPU_N3DS_CNT]]
| 0x10140400
| 0x10140400
| 1
| 1
|-
|-
| style="background: red" | No
| style="background: red" | No
| Clock related?
| [[#CFG11_CDMA_PERIPHERALS|CFG11_CDMA_PERIPHERALS]]
| 0x10140410
| 0x10140410
| 4
| 4
| 2
| 2
| Boot11, Kernel11
| Boot11, Kernel11
|}
|}
== CFG11_SHAREDWRAM_32K_DATA ==
== CFG11_SHAREDWRAM_32K_CODE ==
Used for mapping 32K chunks of shared WRAM for DSP data.
Used for mapping 32K chunks of shared WRAM for DSP data.
|-
|-
| 0-1
| 0-1
| Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/data)
| Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/code)
|-
|-
| 2-4
| 2-4
|}
|}
== CFG11_SHAREDWRAM_32K_CODE ==
== CFG11_SHAREDWRAM_32K_DATA ==
Used for mapping 32K chunks of shared WRAM for DSP data.
Used for mapping 32K chunks of shared WRAM for DSP data.
|-
|-
| 0-1
| 0-1
| Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/code)
| Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/data)
|-
|-
| 2-4
| 2-4
|}
|}
== CFG11_FIQ_CNT ==
== CFG11_NULLPAGE_CNT ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bit
! Bit
|-
|-
| 0
| 0
| Enable [[SPI Registers]] 0x10160000.
| Trap all ''data'' accesses to physmem addresses 0x0000 to 0x1000
|-
|-
| 1
| 16
| Enable [[SPI Registers]] 0x10142000.
| Unknown
|}
|}
== CFG11_BOOTROM_OVERLAY_CNT ==
The reset value of this register is 0x10000.
== CFG11_FIQ_MASK ==
Write bit N to mask FIQ interrutps on core N? (judging from what Kernel11 does -- it only ever configures FIQ for core1)
Reset value: 0xF
== CFG11_SOCINFO ==
== CFG11_CDMA_CNT ==
Write 1 to enable, to disable.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bits
! Bits
! Description
! Description
|-
|-
| 0
| 0
| 1 on both Old3DS and New3DS.
| Enable Microphone DMA (CDMA 0x00)
|-
|-
| 1
| 1
| 1 on New3DS.
| Enable NTRCARD DMA on Arm11 side (CDMA 0x01)
| Kernel11
|-
| 2-4
| ?
|-
|-
| 2
| 5
| Clock modifier: if set, use a 3x multiplier, otherwise 2x
| WiFi. Enabled during kernel init since 11.4.
|}
|}
== CFG11_MPCORE_CLKCNT ==
== CFG11_SPI_CNT ==
When the corresponding bit is 0, the bus has to be accessed using the DS SPI registers. Otherwise it has to be accessed using the 3DS SPI registers.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bits
! Bit
! Description
! Description
|-
|-
| 0
| 0
| Enable clock multiplier? This must be set to 1 before writing a non-zero value to bit1-2, otherwise freeze. This enables the New 3DS FCRAM extension.
| Enable [[SPI Registers]] 0x10160800.
|-
|-
| 1-2
| 1
| Clock multiplier (0=1x, 1=2x, 2=3x, 3=hang)
| Enable [[SPI Registers]] 0x10142800.
|-
|-
| 15
| 2
| Busy
| Enable [[SPI Registers]] 0x10143800.
|}
|}
== CFG11_GPU_N3DS_CNT ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Register value
! Bit
! Description
! Description
|-
|-
| 0x01
| 0
| No
| Enable N3DS mode? (enables access to the extra N3DS FCRAM banks, etc.)
|-
|-
| 0x02
| 1
| No
| Texture related? (observing texture glitches when disabling this bit)
|}
|}
== CFG11_CDMA_PERIPHERALS ==
== CFG11_MPCORE_CNT ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bits
! Bit
! Description
! Description
|-
|-
| 0
| 0-17
| ?
| CDMA Peripheral 0x00-0x11 data request target (0=Old CDMA, 1=New CDMA)
|-
|-
| 8
| 18-31
| ?
| Unused
|}
|}
== CFG11_BOOTROM_OVERLAY_CNT ==
Bit0: Enable bootrom overlay functionality.
== CFG11_BOOTROM_OVERLAY_VAL ==
The 32-bit value to overlay data-reads to bootrom with. See [[PDN Registers#PDN_LGR_CPU_CNT<0-3>|PDN_LGR_CPU_CNT]]<0-3>.
== CFG11_SOCINFO ==
Read-only register. Identifies the maximum mode-switching capabilities of the SoC.
* CTR: O3DS
* LGR1: N3DS prototype, 4 cores (orginally 2), up to 535MHz, no L2C (see below)
* LGR2: retail N3DS, 4 cores, up to 804MHz, has L2C
Kernel code suggests that devices that support LGR1 but not LGR2 only had 2 cores. All cores (the number of which can be read from MPCORE SCU registers) are usable in LGR1 mode.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Bits
! Bits
! Description
! Description
! Used by
|-
|-
| 0
| 0
| Enable bootrom instruction overlay, maybe? This bit is only writable for core2 and core3.
| CTR mode (1 on all 3DSes)
| Boot11
|-
|-
| 1
| 1
| Enable bootrom data overlay. This bit is only writable for core2 and core3.
| LGR1 (1 on all N3DSes, orginally 2 cores, and 2x clockrate)
| Kernel11
|-
|-
| 4
| 2
| Has core booted maybe?
| LGR2 (1 on all released N3DSes, 4 cores and 3x clockrate)
| Kernel11
| Always 1?
|}
|}
==CFG11_GPUPROT==
==CFG11_GPUPROT==
| Enable wifi subsystem
| Enable wifi subsystem
|}
|}