Difference between revisions of "CONFIG9 Registers"
Jump to navigation
Jump to search
(→0x10000010: Was unable to confirm 0x80 detected when the cart is inserted (reading this register just returned 0x00). 0x01 was detected when the cart was removed.) |
(Misled) |
||
| (9 intermediate revisions by 4 users not shown) | |||
| Line 8: | Line 8: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_SYSPROT9|CFG9_SYSPROT9]] |
| 0x10000000 | | 0x10000000 | ||
| 1 | | 1 | ||
| Line 14: | Line 14: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_SYSPROT11|CFG9_SYSPROT11]] |
| 0x10000001 | | 0x10000001 | ||
| 1 | | 1 | ||
| Line 20: | Line 20: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | | + | | [[#CFG9_RST11|CFG9_RST11]] |
| + | | 0x10000002 | ||
| + | | 1 | ||
| + | | Boot9 | ||
| + | |- | ||
| + | | style="background: green" | Yes | ||
| + | | CFG9_DEBUGCTL | ||
| 0x10000004 | | 0x10000004 | ||
| 4 | | 4 | ||
| Line 29: | Line 35: | ||
| 0x10000008 | | 0x10000008 | ||
| 1 | | 1 | ||
| − | | TwlProcess9 | + | | Boot9, Process9, TwlProcess9 |
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_CARDCTL|CFG9_CARDCTL]] |
| 0x1000000C | | 0x1000000C | ||
| 2 | | 2 | ||
| − | | | + | | Process9 |
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | | + | | [[#CFG9_CARDSTATUS|CFG9_CARDSTATUS]] |
| 0x10000010 | | 0x10000010 | ||
| 1 | | 1 | ||
| − | | | + | | Process9 |
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | | + | | CFG9_CARDCYCLES0 |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| 0x10000012 | | 0x10000012 | ||
| 2 | | 2 | ||
| − | | | + | | Boot9, Process9 |
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | | + | | CFG9_CARDCYCLES1 |
| 0x10000014 | | 0x10000014 | ||
| 2 | | 2 | ||
| − | | | + | | Boot9, Process9 |
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| Line 74: | Line 74: | ||
|- | |- | ||
| style="background: red" | No | | style="background: red" | No | ||
| − | | [[# | + | | [[#CFG9_EXTMEMCNT9|CFG9_EXTMEMCNT9]] |
| 0x10000200 | | 0x10000200 | ||
| 1 | | 1 | ||
| Line 80: | Line 80: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_MPCORECFG|CFG9_MPCORECFG]] |
| 0x10000FFC | | 0x10000FFC | ||
| 4 | | 4 | ||
| Line 86: | Line 86: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_BOOTENV|CFG9_BOOTENV]] |
| 0x10010000 | | 0x10010000 | ||
| 4 | | 4 | ||
| Line 92: | Line 92: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_UNITINFO|CFG9_UNITINFO]] |
| 0x10010010 | | 0x10010010 | ||
| 1 | | 1 | ||
| Line 98: | Line 98: | ||
|- | |- | ||
| style="background: green" | Yes | | style="background: green" | Yes | ||
| − | | [[# | + | | [[#CFG9_TWLUNITINFO|CFG9_TWLUNITINFO]] |
| 0x10010014 | | 0x10010014 | ||
| 1 | | 1 | ||
| Line 104: | Line 104: | ||
|} | |} | ||
| − | == | + | == CFG9_SYSPROT9 == |
| − | + | CFG9_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset. | |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
! Bit | ! Bit | ||
! Description | ! Description | ||
| + | ! Used by | ||
|- | |- | ||
| 0 | | 0 | ||
| − | | Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1. | + | | Disables ARM9 [[Memory_layout|bootrom]](+0x8000) when set to 1, and enables access to [[Memory_layout|FCRAM]]. Cannot be cleared to 0 once set to 1. |
| + | | Boot9 | ||
|- | |- | ||
| 1 | | 1 | ||
| − | | Disables [[OTP_Registers|OTP area]] when set to 1. | + | | Disables [[OTP_Registers|OTP area]] when set to 1. Cannot be cleared to 0 once set to 1. |
| + | | NewKernel9Loader, Process9 | ||
| + | |- | ||
| + | | 31-2 | ||
| + | | Not used | ||
| + | | | ||
|} | |} | ||
| − | On Old 3DS, NATIVE_FIRM reads | + | On Old 3DS, NATIVE_FIRM reads CFG9_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG9_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step. |
On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]]. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible. | On New 3DS, the above is instead done by the [[FIRM#New_3DS_FIRM|Kernel9 loader]]. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible. | ||
| − | + | == CFG9_SYSPROT11 == | |
| + | |||
| + | {| class="wikitable" border="1" | ||
| + | ! Bit | ||
| + | ! Description | ||
| + | ! Used by | ||
| + | |- | ||
| + | | 0 | ||
| + | | Disables ARM11 [[Memory_layout|bootrom]](+0x8000) when set to 1, and enables access to [[Memory_layout|FCRAM]]. Cannot be cleared to 0 once set to 1. | ||
| + | | Boot9 | ||
| + | |- | ||
| + | | 31-1 | ||
| + | | Not used | ||
| + | | | ||
| + | |} | ||
| + | |||
| + | == CFG9_RST11 == | ||
| + | |||
| + | {| class="wikitable" border="1" | ||
| + | ! Bit | ||
| + | ! Description | ||
| + | ! Used by | ||
| + | |- | ||
| + | | 0 | ||
| + | | Presumably takes ARM11 out of reset. Cannot be set to 1 once it has been cleared. | ||
| + | | Boot9 | ||
| + | |- | ||
| + | | 31-1 | ||
| + | | Not used | ||
| + | | | ||
| + | |} | ||
| − | == | + | == 0x10000008 == |
| − | + | {| class="wikitable" border="1" | |
| + | ! Bit | ||
| + | ! Description | ||
| + | ! Used by | ||
| + | |- | ||
| + | | 1-0 | ||
| + | | ? | ||
| + | | | ||
| + | |- | ||
| + | | 3-2 | ||
| + | | AES related? Value 3 written after write to AES_CTL. | ||
| + | | Boot9, Process9, TwlProcess9 | ||
| + | |- | ||
| + | | 31-4 | ||
| + | | Reserved | ||
| + | | | ||
| + | |} | ||
| − | == | + | == CFG9_CARDCTL == |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
! Bit | ! Bit | ||
! Description | ! Description | ||
| + | ! Used by | ||
|- | |- | ||
| 1-0 | | 1-0 | ||
| − | | Gamecard active controller select (0=NTRCARD, 1=?, 2= | + | | Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD0, 3=CTRCARD1) |
| + | | Process9 | ||
|- | |- | ||
| 8 | | 8 | ||
| − | | ? | + | | Enable gamecard eject IRQ, maybe? |
| + | | Process9 | ||
|} | |} | ||
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active: | Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active: | ||
* Selecting NTRCARD will activate the register space at [[NTRCARD|0x10164000]]. | * Selecting NTRCARD will activate the register space at [[NTRCARD|0x10164000]]. | ||
| − | * Selecting | + | * Selecting CTRCARD0 will activate the register space at [[CTRCARD|0x10004000]]. |
| − | * Selecting | + | * Selecting CTRCARD1 will activate the register space at [[CTRCARD|0x10005000]]. |
| − | == | + | == CFG9_CARDSTATUS == |
| − | + | {| class="wikitable" border="1" | |
| + | ! Bit | ||
| + | ! Description | ||
| + | ! Used by | ||
| + | |- | ||
| + | | 0 | ||
| + | | Cartridge-slot empty (0=inserted, 1=empty) | ||
| + | | Process9 | ||
| + | |- | ||
| + | | 3-2 | ||
| + | | ? | ||
| + | | Process9 | ||
| + | |} | ||
| − | == | + | == CFG9_EXTMEMCNT9 == |
| − | This register is | + | This register is New3DS-only. |
| − | + | {| class="wikitable" border="1" | |
| − | + | ! Bit | |
| − | + | ! Description | |
| + | ! Used by | ||
| + | |- | ||
| + | | 0 | ||
| + | | Hide extended ARM9 memory (0=hidden, 1=shown) | ||
| + | | Kernel9 (New3DS) | ||
| + | |- | ||
| + | | 31-1 | ||
| + | | Reserved | ||
| + | | | ||
| + | |} | ||
| − | == | + | == CFG9_MPCORECFG == |
Identical to [[PDN#PDN_MPCORE_CFG|PDN_MPCORE_CFG]]. | Identical to [[PDN#PDN_MPCORE_CFG|PDN_MPCORE_CFG]]. | ||
| − | == | + | == CFG9_BOOTENV == |
This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM [[Development_Services_PXI|sets it to 1]] on shutdown/FIRM launch. [[Legacy_FIRM_PXI|LGY FIRM]] writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title. | This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM [[Development_Services_PXI|sets it to 1]] on shutdown/FIRM launch. [[Legacy_FIRM_PXI|LGY FIRM]] writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title. | ||
NATIVE_FIRM will only launch titles if this is not value 0, and will only save the [[Flash_Filesystem|AGB_FIRM savegame]] to SD if this is value 7. | NATIVE_FIRM will only launch titles if this is not value 0, and will only save the [[Flash_Filesystem|AGB_FIRM savegame]] to SD if this is value 7. | ||
| − | == | + | == CFG9_UNITINFO == |
This 8-bit register is value zero for retail, non-zero for dev/debug units. | This 8-bit register is value zero for retail, non-zero for dev/debug units. | ||
| − | == | + | == CFG9_TWLUNITINFO == |
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register. | In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register. | ||
This is also used by TWL_FIRM Process9. | This is also used by TWL_FIRM Process9. | ||
Revision as of 20:20, 25 May 2017
Registers
| Old3DS | Name | Address | Width | Used by |
|---|---|---|---|---|
| Yes | CFG9_SYSPROT9 | 0x10000000 | 1 | Boot9 |
| Yes | CFG9_SYSPROT11 | 0x10000001 | 1 | Boot9 |
| Yes | CFG9_RST11 | 0x10000002 | 1 | Boot9 |
| Yes | CFG9_DEBUGCTL | 0x10000004 | 4 | |
| Yes | ? | 0x10000008 | 1 | Boot9, Process9, TwlProcess9 |
| Yes | CFG9_CARDCTL | 0x1000000C | 2 | Process9 |
| Yes | CFG9_CARDSTATUS | 0x10000010 | 1 | Process9 |
| Yes | CFG9_CARDCYCLES0 | 0x10000012 | 2 | Boot9, Process9 |
| Yes | CFG9_CARDCYCLES1 | 0x10000014 | 2 | Boot9, Process9 |
| Yes | ? | 0x10000020 | 2 | |
| Yes | ? | 0x10000100 | 2 | |
| No | CFG9_EXTMEMCNT9 | 0x10000200 | 1 | NewKernel9 |
| Yes | CFG9_MPCORECFG | 0x10000FFC | 4 | |
| Yes | CFG9_BOOTENV | 0x10010000 | 4 | |
| Yes | CFG9_UNITINFO | 0x10010010 | 1 | Process9 |
| Yes | CFG9_TWLUNITINFO | 0x10010014 | 1 | Process9 |
CFG9_SYSPROT9
CFG9_SYSPROT9 is used to permanently disable certain security-sensitive ARM9 memory areas until the next hard reset.
| Bit | Description | Used by |
|---|---|---|
| 0 | Disables ARM9 bootrom(+0x8000) when set to 1, and enables access to FCRAM. Cannot be cleared to 0 once set to 1. | Boot9 |
| 1 | Disables OTP area when set to 1. Cannot be cleared to 0 once set to 1. | NewKernel9Loader, Process9 |
| 31-2 | Not used |
On Old 3DS, NATIVE_FIRM reads CFG9_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG9_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.
On New 3DS, the above is instead done by the Kernel9 loader. In addition to using the OTP data for initializing the TWL console-unique keys, the Kernel9 loader will generate the decryption key for NATIVE_FIRM. The final keyslot for NATIVE_FIRM is preserved, so that at a non-reset FIRM launch, the keyslot can be reused, since the OTP would then be inaccessible.
CFG9_SYSPROT11
| Bit | Description | Used by |
|---|---|---|
| 0 | Disables ARM11 bootrom(+0x8000) when set to 1, and enables access to FCRAM. Cannot be cleared to 0 once set to 1. | Boot9 |
| 31-1 | Not used |
CFG9_RST11
| Bit | Description | Used by |
|---|---|---|
| 0 | Presumably takes ARM11 out of reset. Cannot be set to 1 once it has been cleared. | Boot9 |
| 31-1 | Not used |
0x10000008
| Bit | Description | Used by |
|---|---|---|
| 1-0 | ? | |
| 3-2 | AES related? Value 3 written after write to AES_CTL. | Boot9, Process9, TwlProcess9 |
| 31-4 | Reserved |
CFG9_CARDCTL
| Bit | Description | Used by |
|---|---|---|
| 1-0 | Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD0, 3=CTRCARD1) | Process9 |
| 8 | Enable gamecard eject IRQ, maybe? | Process9 |
Depending on the gamecard controller that has been selected, one of the following gamecard registers will become active:
- Selecting NTRCARD will activate the register space at 0x10164000.
- Selecting CTRCARD0 will activate the register space at 0x10004000.
- Selecting CTRCARD1 will activate the register space at 0x10005000.
CFG9_CARDSTATUS
| Bit | Description | Used by |
|---|---|---|
| 0 | Cartridge-slot empty (0=inserted, 1=empty) | Process9 |
| 3-2 | ? | Process9 |
CFG9_EXTMEMCNT9
This register is New3DS-only.
| Bit | Description | Used by |
|---|---|---|
| 0 | Hide extended ARM9 memory (0=hidden, 1=shown) | Kernel9 (New3DS) |
| 31-1 | Reserved |
CFG9_MPCORECFG
Identical to PDN_MPCORE_CFG.
CFG9_BOOTENV
This register is used to determine what the previous running FIRM was. Its value is kept following an MCU reboot. Its initial value (on a cold boot) is 0. NATIVE_FIRM sets it to 1 on shutdown/FIRM launch. LGY FIRM writes value 3 here when launching a TWL title, and writes value 7 when launching an AGB title.
NATIVE_FIRM will only launch titles if this is not value 0, and will only save the AGB_FIRM savegame to SD if this is value 7.
CFG9_UNITINFO
This 8-bit register is value zero for retail, non-zero for dev/debug units.
CFG9_TWLUNITINFO
In the console-unique TWL key-init/etc function the ARM9 copies the u8 value from REG_UNITINFO to this register.
This is also used by TWL_FIRM Process9.