Difference between revisions of "PDN Registers"

From 3dbrew
(Cleanup)
 
(5 intermediate revisions by the same user not shown)
Line 8: Line 8:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#PDN_CNT|PDN_CNT]]
+
| [[#PDN_SLEEP_CNT|PDN_SLEEP_CNT]]
 
| 0x10141000
 
| 0x10141000
 
| 2
 
| 2
Line 32: Line 32:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#LGY_SLEEP|LGY_SLEEP]]
+
| [[#LGY_SLEEP_CNT|LGY_SLEEP_CNT]]
 
| 0x10141104
 
| 0x10141104
 
| 2
 
| 2
Line 44: Line 44:
 
|-
 
|-
 
| style="background: green" | Yes
 
| style="background: green" | Yes
| [[#LGY_PADCNT|LGY_PADCNT]]
+
| [[#LGY_PAD_CNT|LGY_PAD_CNT]]
 
| 0x1014110A
 
| 0x1014110A
 
| 2
 
| 2
Line 160: Line 160:
  
 
=Sleep registers=
 
=Sleep registers=
==PDN_CNT==
+
==PDN_SLEEP_CNT==
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
!  Bits
 
!  Bits
Line 183: Line 183:
 
|-
 
|-
 
| 1
 
| 1
| [[HID_Registers#HID_PADCNT|HID_PADCNT]]
+
| [[HID_Registers#HID_PAD_CNT|HID_PAD_CNT]]
 
|-
 
|-
 
| 3
 
| 3
Line 237: Line 237:
 
The very last 3DS-mode register poke the [[FIRM|TWL_FIRM]] Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.
 
The very last 3DS-mode register poke the [[FIRM|TWL_FIRM]] Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.
  
==LGY_SLEEP==
+
==LGY_SLEEP_CNT==
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
!  Bits
 
!  Bits
Line 262: Line 262:
 
[[ARM11_Interrupts|Arm11 interrupt]] enable bits for legacy interrupts, same bit layout as the GPIOEMU regs below.
 
[[ARM11_Interrupts|Arm11 interrupt]] enable bits for legacy interrupts, same bit layout as the GPIOEMU regs below.
  
==LGY_PADCNT==
+
==LGY_PAD_CNT==
 
Also named "KEYCNT" on certain other DS(i)/GBA documentations.
 
Also named "KEYCNT" on certain other DS(i)/GBA documentations.
The value of this register is copied to [[HID_Registers|HID_PADCNT]] when GBA mode enters sleep.
+
The value of this register is copied to [[HID_Registers|HID_PAD_CNT]] when GBA mode enters sleep.
  
 
==LGY_HIDEMU_MASK==
 
==LGY_HIDEMU_MASK==
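Review bot: In the LGY_PAD_CNT paragraph the renamed link is written as [[HID_Registers|HID_PAD_CNT]], with no section anchor, while the PDN_WAKE_ENABLE row changed in this same edit uses [[HID_Registers#HID_PAD_CNT|HID_PAD_CNT]]. Suggest using the anchored form here as well so the link lands on the register's section rather than the top of the page.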
Line 429: Line 429:
 
   0=CTR+256MHz
 
   0=CTR+256MHz
 
   1=LGR2+256MHz, 5=LGR2+804MHz
 
   1=LGR2+256MHz, 5=LGR2+804MHz
   2=LGR+256MHz, 3=LGR+536MHz
+
   2=LGR1+256MHz, 3=LGR1+536MHz
  
 
N3DS modes (LGR1/LGR2) enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.
 
N3DS modes (LGR1/LGR2) enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.
  
* CTR: O3DSS
+
* CTR: O3DS
* LGR1: N3DS prototype, 2 cores, no L2C
+
* LGR1: N3DS prototype, 4 cores (originally 2), no L2C
 
* LGR2: retail N3DS, 4 cores, has L2C
 
* LGR2: retail N3DS, 4 cores, has L2C
 
|-
 
|-
 
| 15
 
| 15
| Busy
+
| Interrupt status (read) / clear (write)
 
|}
 
|}
  
On firmlaunch, the kernel sets the mode to O3DS.
+
'''All currently powered-on cores must be (and remain) in WFI state to trigger the SoC mode switch.'''
  
[[SVC#KernelSetState|svcKernelSetState]] type10, only implemented on New3DS, uses this register. That code writes the following values to this register, depending on the input Param0 bit0 state, and the state of [[CONFIG11 Registers#CFG11_SOCINFO|CFG11_SOCINFO]]:
+
Kernel code suggests that devices that support LGR1 but not LGR2 only had 2 cores. All cores (the number of which can be read from MPCORE SCU registers) are usable in LGR1 mode.
{| class="wikitable" border="1"
 
!  Register value
 
!  Higher-clockrate bit set in svcKernelSetState Param0
 
!  CFG11_SOCINFO bit2 set
 
!  MPCore timer/watchdog prescaler value, prior to subtracting it by 0x1 when writing it into hw/state
 
!  Clock-rate multiplier
 
!  Description
 
|-
 
| 0x01
 
| No
 
| Yes
 
| 0x01
 
| 1x
 
| 268MHz
 
|-
 
| 0x02
 
| No
 
| No
 
| 0x01
 
| 1x
 
| 268MHz
 
|-
 
| 0x05
 
| Yes
 
| Yes
 
| 0x03
 
| 3x
 
| 804MHz
 
|-
 
| 0x03
 
| Yes
 
| No
 
| 0x02
 
| 2x
 
| 536MHz (tested on New3DS)
 
|}
 
  
Note that the above CFG11_SOCINFO bit is 1 on New3DS, and 0 on Old3DS. Since this SVC is only available with the New3DS ARM11-kernel, the only additional available clock-rate is 804MHz when running on New3DS(with official kernel code).
+
On firmlaunch, the kernel sets the mode to O3DS.
  
The following register value(s) were tested on New3DS by patching the kernel:
+
[[SVC#KernelSetState|svcKernelSetState]] type10, only implemented on New3DS, uses this register. This piece of code choses the mode matching the input Param0 bit0 state (1 for higher clock), using the state of [[CONFIG11 Registers#CFG11_SOCINFO|CFG11_SOCINFO]] to determine which mode is the best (which is always LGR2 on all released New 3DS units).
* 0x00: Entire system hangs.
 
* 0x02: Entire system hangs.
 
* 0x03: ARM11 runs at 536MHz.
 
* 0x04: Entire system hangs.
 
* 0x06: Entire system hangs.
 
* 0x07: Same result as 0x05.
 
* 0x08: Entire system hangs.
 
* 0x09: Entire system hangs.
 
* 0x0A: Entire system hangs.
 
* 0x0B: Same result as 0x03.
 
* 0x0C: Entire system hangs.
 
* 0x0D: Same result as 0x05.
 
* 0x0E: Entire system hangs.
 
* 0x0F: Same result as 0x05.
 
* 0x1F, 0x2F, 0x4F, 0x8F, 0xFF: Same result as 0x05.
 
  
 
== PDN_LGR_CNT ==
 
== PDN_LGR_CNT ==
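Review bot: The removed register-value table gives the base clock as 268MHz, but the retained "Possible values" lines say 256MHz (0=CTR+256MHz, 1=LGR2+256MHz, 2=LGR1+256MHz), so the section now states only the figure that the deleted data contradicted; please reconcile the two. The same removal drops the MPCore timer/watchdog prescaler values per mode and the list of register values tested by patching the kernel, and nothing in the added text records them; consider keeping them in a short note. The added svcKernelSetState sentence also has a typo: "choses" should be "chooses".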
Line 520: Line 469:
 
|-
 
|-
 
| 0
 
| 0
| nRESET, 0 = reset. Also enable the bootrom instruction overlay.
+
| Power request: 0 = power off, 1 = power on
 
|-
 
|-
 
| 1
 
| 1
| Enable bootrom data overlay
+
| Handshake bit
 +
Needs to be set before powering on the core. It is meant to be cleared by software on the powered-on core, to signal itself.
 
|-
 
|-
 
| 4
 
| 4
| Reset operation in progress
+
| Power status: 0 = off, 1 = on
 
|-
 
|-
 
| 5
 
| 5
| Always 1?
+
| Core present?
 
|}
 
|}
  
Only usable for core2 and core3.
+
Only usable for core2 and core3. Core 0 and 1 have a fixed, read-only value of 0x30 for this register.
 +
 
 +
* On power-on, software should switch the affected core to Normal Mode on the SCU
 +
* On power-off, software '''must''' switch the affected core to Powered Off mode on the SCU (otherwise the core won't go off)
  
 
The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.
 
The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.
  
Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in [[CONFIG11 Registers #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
+
The overlay should be enabled by setting bit0 in [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_CNT|CFG11_BOOTROM_OVERLAY_CNT]] and configured by setting the entrypoint address to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
  
Bit0 sets the core out of reset and enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay [[CONFIG11 Registers #CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by:
+
The overlay overrides all ''instruction'' reads from phyiscal addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000 to the following (figured out by using low exception vectors and configuring the b11 veeners accordingly):
ldr pc, [pc]
+
  ldr pc, [pc, #(0x20 - 8)]
  
Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the Arm pipeline, and might help us identify what instructions are placed by the instruction-overlay.
+
and all ''data'' reads from the same ranges to [[CONFIG11_Registers#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
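Review bot: The added overlay sentence has two typos, "phyiscal" and "veeners" (physical, veneers), and the new bit 1 text ends with "to signal itself" without saying what is signalled or who reads it; a few words on which side polls the handshake bit would help. The edit also removes the earlier observation that jumping to 0xFFFF0FF0+ crashes the core. With the instruction now given as ldr pc, [pc, #(0x20 - 8)], a fetch that close to the end of the range would load from past 0xFFFF1000, so that caveat seems worth keeping next to the new explanation.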

Latest revision as of 01:32, 27 January 2021

Register table

| Old3DS | Name | Address | Width | Used by |
|---|---|---|---|---|
| Yes | PDN_SLEEP_CNT | 0x10141000 | 2 | Kernel11 |
| Yes | PDN_WAKE_ENABLE | 0x10141008 | 4 | PTM Services, PDN Services |
| Yes | PDN_WAKE_REASON | 0x1014100C | 4 | PTM Services, TwlBg, PDN Services |
| Yes | LGY_MODE | 0x10141100 | 2 | TwlProcess9, TwlBg |
| Yes | LGY_SLEEP_CNT | 0x10141104 | 2 | TwlBg |
| Yes | LGY_IRQ_ENABLE | 0x10141108 | 2 | TwlBg |
| Yes | LGY_PAD_CNT | 0x1014110A | 2 | TwlBg |
| Yes | LGY_HIDEMU_MASK | 0x10141110 | 2 | TwlBg |
| Yes | LGY_HIDEMU_PAD | 0x10141112 | 2 | TwlBg |
| Yes | LGY_GPIOEMU_MASK | 0x10141114 | 2 | Codec Services, TwlBg |
| Yes | LGY_GPIOEMU_DATA | 0x10141116 | 2 | Codec Services, TwlBg |
| Yes | LGY_CARDDETECTEMU_MASK | 0x10141118 | 1 | TwlBg |
| Yes | LGY_CARDDETECTEMU_DATA | 0x10141119 | 1 | TwlBg |
| Yes | LGY_? | 0x10141120 | 1 | TwlBg |
| Yes | PDN_GPU_CNT | 0x10141200 | 4 | Boot11, Kernel11, PDN Services, TwlBg |
| Yes | PDN_VRAM_CNT | 0x10141204 | 1 | Boot11, Kernel11, TwlBg |
| Yes | PDN_LCD_CNT | 0x10141208 | 1 | Boot11 |
| Yes | PDN_FCRAM_CNT | 0x10141210 | 2 | Kernel11, TwlBg |
| Yes | PDN_I2S_CNT | 0x10141220 | 1 | Boot11, TwlBg, PDN Services |
| Yes | PDN_CAMERA_CNT | 0x10141224 | 1 | PDN Services |
| Yes | PDN_DSP_CNT | 0x10141230 | 1 | Process9, PDN Services |
| No | PDN_MVD_CNT | 0x10141240 | 1 | |
| No | PDN_LGR_SOCMODE | 0x10141300 | 2 | NewKernel11 |
| No | PDN_LGR_CNT | 0x10141304 | 2 | NewKernel11 |
| No | PDN_LGR_CPU_CNT<0-3> | 0x10141310 | 1*4 | NewKernel11 |

Sleep registers

PDN_SLEEP_CNT

| Bits | Description |
|---|---|
| 0 | 1 = Enter sleep mode |
| 2-14 | Unused. |
| 15 | 1 = VRAM is powered down |

Kernel11 powers down VRAM (it's unclear whether bit15 is power-down or self-refresh mode) by first disabling the 8 banks using GX register 0x10400030, then disabling the GPU clock using PDN_GPU_CNT bit 16, and finally writing to and polling this register.

PDN_WAKE_ENABLE

| Bits | Description |
|---|---|
| 1 | HID_PAD_CNT |
| 3 | Shell opened |
| 4 | Headphones not plugged in |
| 8 | WiFi (?) |
| 19 | Shell GPIO (?) |
| 26 | MCU interrupt |
| 30 | Touch screen pressed |
| 31 | CTR gamecard inserted/removed |

List in progress.

This is an OR list of wake triggers that will wake up the console from sleep and raise IRQ 0x58.

PDN_WAKE_REASON

Same layout as PDN_WAKE_ENABLE.

This is an OR list of the wake triggers that actually woke up the console.

For each bit, write 1 to acknowledge, and 0 to clear (?).

Legacy registers

LGY_MODE

| Bits | Description |
|---|---|
| 0-1 | Read-only legacy mode set on reg 0x10018000. |
| 2-14 | Unused. |
| 15 | 1 = enable legacy mode. |

To boot into DSi or GBA mode, first set register 0x10018000 to the desired mode and set up LgyFb. Then disable FCRAM by clearing bit 0 in reg 0x10201000, writing 0 to PDN_FCRAM_CNT followed by 1, and waiting for bit 2 to clear.

The very last 3DS-mode register poke the TWL_FIRM Process9 does before it gets switched into TWL-mode is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.

LGY_SLEEP_CNT

| Bits | Description |
|---|---|
| 0 | Write 1 to wakeup GBA mode. |
| 1 | Sleep state/ack. 1 when GBA mode entered sleep. Write 1 to ack. |
| 2 | ? |
| 3-14 | Unused. |
| 15 | 1 = IRQ enable (IRQ 0x59) |

When a GBA game enters sleep mode and bit 15 is 1, IRQ 0x59 fires and bit 1 is set. Bit 1 must be acknowledged/written together with bit 0, otherwise GBA mode sometimes wakes up from sleep early.

LGY_IRQ_ENABLE

Arm11 interrupt enable bits for legacy interrupts, same bit layout as the GPIOEMU regs below.

LGY_PAD_CNT

Also named "KEYCNT" in certain other DS(i)/GBA documentation. The value of this register is copied to HID_PAD_CNT when GBA mode enters sleep.

LGY_HIDEMU_MASK

Set bits will use the corresponding values from LGY_HIDEMU_PAD instead of allowing the hardware to read it from HID_PAD.

This is set to 0x1FFF (all buttons and the debug key) and LGY_HIDEMU_PAD is set to 0 when the "Close this software and return to HOME Menu?" dialog is shown to prevent the button presses from propagating to the DS/GBA CPU.

LGY_HIDEMU_PAD

Works the same way as HID_PAD, but the values set here are only replaced in the HID_PAD seen by the DS/GBA CPU when the corresponding bits in LGY_HIDEMU_MASK are set.

LGY_GPIOEMU_MASK

Set bits will read bits from LGY_GPIOEMU_DATA (override).

This is used to trigger things like the TWL MCU interrupt in TWL mode.

LGY_GPIOEMU_DATA

See above

LGY_CARDDETECTEMU_MASK

Set bits will read bits from LGY_CARDDETECTEMU_DATA (override).

Bit0 signals cartridge removal.

LGY_CARDDETECTEMU_DATA

See above

Clock and reset registers

PDN_GPU_CNT

| Bits | Description |
|---|---|
| 0 | GPU main block + VRAM + LCD reset. 0 = reset. |
| 1 | PSC block reset? 0 = reset. |
| 2 | Geoshader block reset? 0 = reset. |
| 3 | Rasterization block reset? 0 = reset. |
| 4 | PPF block reset. 0 = reset. |
| 5 | PDC block reset? 0 = reset. |
| 6 | PDC related reset. 0 = reset. |
| 7-15 | Unused. |
| 16 | Clock enable for all blocks, VRAM and LCD. 1 = enable. |

PDN uses a 12 ARM11 cycle delay to deassert reset.

PDN_VRAM_CNT

| Bits | Description |
|---|---|
| 0 | Clock. 1 = enable, 0 = disable |

This register seems to be unimplemented in released models: while it is used in tandem with PDN_GPU_CNT.bit16 in Boot11 screeninit code, Kernel11 only uses PDN_GPU_CNT.bit16 to power off VRAM before going to sleep.

PDN_LCD_CNT

| Bits | Description |
|---|---|
| 0 | Clock. 1 = enable, 0 = disable |

This register seems to be unimplemented in released models, only to be used in Boot11, as PDN_GPU_CNT.bit16 also drives the LCD clock.

PDN_FCRAM_CNT

| Bits | Description |
|---|---|
| 0 | Reset. 0 = reset. |
| 1 | Clock. 1 = enable, 0 = disable |
| 2 | Acknowledge clock request. Gets set or unset when toggling bit 1. |

Twl-/AgbBg use this to disable FCRAM for the GBA rom in GBA mode or DSi main RAM in DSi mode. AgbBg clears bit 0 in reg 0x10201000 before touching this reg.

Kernel11 uses it to put the FCRAM in self-refresh mode (clock disable) before going to sleep.

PDN_I2S_CNT

| Bits | Description |
|---|---|
| 0 | I2S1 Clock (maybe?) 1 = enable, 0 = disable |
| 1 | I2S2 Clock. 1 = enable, 0 = disable |

I2S1 clock enable bit seems to be unimplemented. Maybe it's because DSP clock enable drives it?

PDN_CAMERA_CNT

| Bits | Description |
|---|---|
| 0 | Clock. 1 = enable, 0 = disable |

PDN_DSP_CNT

| Bits | Description |
|---|---|
| 0 | Reset. 0 = reset. |
| 1 | Clock. 1 = enable, 0 = disable |

PDN services holds reset for 0x30 Arm11 cycles.

PDN_MVD_CNT

| Bits | Description |
|---|---|
| 0 | Reset. 0 = reset |

This doesn't seem to be used by anything, but does have a clear effect on the hardware.

The reset value for this register is 1 (out-of-reset at boot).

N3DS SoC (LGR) registers

PDN_LGR_SOCMODE

This is used for configuring the New3DS ARM11 CPU clock-rate. This register is New3DS-only: reading from here on Old3DS always returns all-zeros even when one tried writing data here prior to the read.

| Bits | Description |
|---|---|
| 0-2 | SoC mode (possible values are listed after this table) |
| 15 | Interrupt status (read) / clear (write) |

Possible values for the SoC mode field:

 0=CTR+256MHz
 1=LGR2+256MHz, 5=LGR2+804MHz
 2=LGR1+256MHz, 3=LGR1+536MHz

N3DS modes (LGR1/LGR2) enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.

  • CTR: O3DS
  • LGR1: N3DS prototype, 4 cores (originally 2), no L2C
  • LGR2: retail N3DS, 4 cores, has L2C

All currently powered-on cores must be (and remain) in WFI state to trigger the SoC mode switch.

Kernel code suggests that devices that support LGR1 but not LGR2 only had 2 cores. All cores (the number of which can be read from MPCORE SCU registers) are usable in LGR1 mode.

On firmlaunch, the kernel sets the mode to O3DS.

svcKernelSetState type10, only implemented on New3DS, uses this register. This code chooses the mode matching the input Param0 bit0 state (1 for higher clock), using the state of CFG11_SOCINFO to determine which mode is the best (which is always LGR2 on all released New 3DS units).

PDN_LGR_CNT

| Bits | Description |
|---|---|
| 0 | Enables the N3DS extramem block |
| 8 | Enables the L2C block (LGR2 only) |

Kernel11 sets this to 0x101 when bit 2 in CFG11_SOCINFO (LGR2 supported) is set, otherwise to 1.

PDN_LGR_CPU_CNT<0-3>

| Bits | Description |
|---|---|
| 0 | Power request: 0 = power off, 1 = power on |
| 1 | Handshake bit. Needs to be set before powering on the core. It is meant to be cleared by software on the powered-on core, to signal itself. |
| 4 | Power status: 0 = off, 1 = on |
| 5 | Core present? |

Only usable for core2 and core3. Core 0 and 1 have a fixed, read-only value of 0x30 for this register.

  • On power-on, software should switch the affected core to Normal Mode on the SCU
  • On power-off, software must switch the affected core to Powered Off mode on the SCU (otherwise the core won't go off)

The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.

The overlay should be enabled by setting bit0 in CFG11_BOOTROM_OVERLAY_CNT and configured by setting the entrypoint address to CFG11_BOOTROM_OVERLAY_VAL.

The overlay overrides all instruction reads from physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000 to the following (figured out by using low exception vectors and configuring the b11 veneers accordingly):

 ldr pc, [pc, #(0x20 - 8)]

and all data reads from the same ranges to CFG11_BOOTROM_OVERLAY_VAL.
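The arithmetic behind the overlay instruction above, as an added example (not 3dbrew's or Nintendo's code): it decodes `ldr pc, [pc, #(0x20 - 8)]` and models which fetch addresses still load their branch target from inside the overlaid ranges. It assumes the range end addresses are exclusive and uses a constructed entrypoint value; all helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Overlaid ranges from the page; treating the end address as exclusive is an assumption. */
#define OVL_HI_BASE 0xFFFF0000u
#define OVL_LO_BASE 0x00010000u
#define OVL_SIZE    0x1000u
#define OVL_INSN    0xE59FF018u /* ARM encoding of ldr pc, [pc, #0x18], i.e. #(0x20 - 8) */

static int in_overlay(uint32_t addr) {
    return (uint32_t)(addr - OVL_HI_BASE) < OVL_SIZE ||
           (uint32_t)(addr - OVL_LO_BASE) < OVL_SIZE;
}

/* True for LDR with immediate offset, Rn = pc, Rd = pc, no writeback
 * (condition field, U bit and imm12 are ignored by the mask). */
static int is_ldr_pc_pc(uint32_t insn) {
    return (insn & 0x0F7FF000u) == 0x051FF000u;
}

/* Address the load reads when fetched at `fetch`: in ARM state pc reads as fetch + 8. */
static uint32_t ldr_literal_addr(uint32_t insn, uint32_t fetch) {
    uint32_t imm12 = insn & 0xFFFu;
    uint32_t pc = fetch + 8u;
    return (insn & (1u << 23)) ? pc + imm12 : pc - imm12; /* U bit: add or subtract */
}

/* Model one instruction fetch. Returns 1 and stores the branch target when both
 * the fetch and its literal load hit the overlay (the load then reads overlay_val).
 * Returns 0 when either address is outside the overlaid ranges, i.e. the overlay
 * alone no longer determines where the core goes. */
static int overlay_branch(uint32_t fetch, uint32_t overlay_val, uint32_t *target) {
    if (!in_overlay(fetch) || !is_ldr_pc_pc(OVL_INSN)) return 0;
    if (!in_overlay(ldr_literal_addr(OVL_INSN, fetch))) return 0;
    *target = overlay_val;
    return 1;
}

int main(void) {
    const uint32_t entry = 0x12345678u; /* constructed entrypoint, not from the page */
    const uint32_t probes[] = { 0xFFFF0000u, 0x00010000u, 0xFFFF0FDCu, 0xFFFF0FE0u };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t target = 0;
        int ok = overlay_branch(probes[i], entry, &target);
        printf("fetch 0x%08X -> literal 0x%08X: %s\n", (unsigned)probes[i],
               (unsigned)ldr_literal_addr(OVL_INSN, probes[i]),
               ok ? "branches to overlay value" : "literal outside overlay");
    }
    return 0;
}
```

In this model a fetch anywhere in the first 0xFE0 bytes of either range branches to the configured value, while a fetch in the last 0x20 bytes computes a literal address past the end of the range.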