Difference between revisions of "PDN Registers"

From 3dbrew
Jump to navigation Jump to search
(Legacy regs)
(LGR is what's written on the SoC in N3DS teardowns →‎PDN_MPCORE_SOCMODE)
Line 386: Line 386:
 
| 0-2
 
| 0-2
 
| SoC mode.
 
| SoC mode.
0=O3DS (2 cores, 256MHz),<br/>
+
Possible values:
1=N3DS (4 cores, 256MHz), 5=N3DS (4 cores, 804MHz),<br/>
+
  0=O3DS (2 cores, 256MHz)
2=N3DS prototype (2 cores, 256MHz), 3=N3DS prototype (2 cores, 536MHz).<br/>
+
  1=N3DS (LGR2?, 4 cores, 256MHz), 5=N3DS (LGR2?, 4 cores, 804MHz)
 +
  2=N3DS prototype (LGR, 2 cores, 256MHz), 3=N3DS prototype (LGR, 2 cores, 536MHz)
 +
 
 
N3DS modes enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.
 
N3DS modes enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.
 
|-
 
|-

Revision as of 23:29, 17 January 2021

Registers

Old3DS Name Address Width Used by
Yes PDN_CNT 0x10141000 2 Kernel11, TwlBg
Yes PDN_WAKE_ENABLE 0x10141008 4 PTM Services, PDN Services
Yes PDN_WAKE_REASON 0x1014100C 4 PTM Services, TwlBg, PDN Services
Yes LGY_MODE 0x10141100 2 TwlProcess9, TwlBg
Yes LGY_SLEEP 0x10141104 2 TwlBg
Yes LGY_IRQ_ENABLE 0x10141108 2 TwlBg
Yes LGY_PADCNT 0x1014110A 2 TwlBg
Yes PDN_WIFI_UNK 0x1014110C 1 NWM Services
Yes LGY_HIDEMU_MASK 0x10141110 2 TwlBg
Yes LGY_HIDEMU_PAD 0x10141112 2 TwlBg
Yes LGY_GPIOEMU_MASK 0x10141114 2 Codec Services, TwlBg
Yes LGY_GPIOEMU_DATA 0x10141116 2 Codec Services, TwlBg
Yes LGY_CARDDETECTEMU_MASK 0x10141118 1 TwlBg
Yes LGY_CARDDETECTEMU_DATA 0x10141119 1 TwlBg
Yes LGY_? 0x10141120 1 TwlBg
Yes PDN_GPU_CNT 0x10141200 4 Boot11, Kernel11, PDN Services, TwlBg
Yes PDN_VRAM_CNT 0x10141204 4 Boot11, Kernel11, TwlBg
Yes PDN_FCRAM_CNT 0x10141210 2 Kernel11, TwlBg
Yes PDN_CODEC_CNT 0x10141220 1 Boot11, TwlBg, PDN Services
Yes PDN_CAMERA_CNT 0x10141224 1 PDN Services
Yes PDN_DSP_CNT 0x10141230 1 Process9, PDN Services
No PDN_MPCORE_SOCMODE 0x10141300 2 NewKernel11
No PDN_MPCORE_CNT 0x10141304 2 NewKernel11
No PDN_MPCORE_BOOTCNT<0-3> 0x10141310 1*4 NewKernel11

PDN_CNT

Bits Description
0 1 = Enter sleep mode
2-14 Unused.
15 1 = VRAM is in self-refresh mode

Kernel11 puts VRAM in self-refresh mode (before going to sleep) by first disabling the 8 banks using GX register 0x10400030, then by disabling the GPU clock using PDN_GPU_CNT bit 16 and finally polls this register.

PDN_WAKE_ENABLE

Bits Description
1 HID_PADCNT
3 Shell opened
4 Headphones not plugged in
8 WiFi (?)
19 Shell GPIO (?)
26 MCU interrupt
30 Touch screen pressed
31 CTR gamecard inserted/removed

List in progress.

This is a OR list of wake triggers that will wake up the console from sleep and raise IRQ 0x58.

PDN_WAKE_REASON

Same layout as PDN_WAKE_ENABLE.

This is a OR list of the wake triggers that actually woke up the console.

For each bit, write 1 to acknowledge, and 0 to clear (?).

PDN_WIFICNT

Old3DS Bits Description
Yes 0 Enable wifi subsystem

LGY_MODE

Bits Description
0-1 Read only legacy mode set on reg 0x10018000.
2-14 Unused.
15 1 = enable legacy mode.

To boot into DSi or GBA mode first set register 0x10018000 to the desired mode and setup LgyFb. Then disable FCRAM by clearing bit 0 in reg 0x10201000, writing 0 to PDN_FCRAM_CNT followed by 1 and waiting for bit 2 to clear.

The very last 3DS-mode register poke the TWL_FIRM Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.

LGY_SLEEP

Bits Description
0 Write 1 to wakeup GBA mode.
1 Sleep state/ack. 1 when GBA mode entered sleep. Write 1 to ack.
2 ?
3-14 Unused.
15 1 = IRQ enable (IRQ 0x59)

When a GBA game enters sleep mode and bit 15 is 1, IRQ 0x59 fires and bit 1 is set. Bit 1 must be acknowledged/written together with bit 0 otherwise GBA mode wakes up from sleep early sometimes.

LGY_IRQ_ENABLE

Arm11 interrupt enable bits for legacy interrupts, same bit layout as the GPIOEMU regs below.

LGY_PADCNT

Also named "KEYCNT" on certain other DS(i)/GBA documentations. The value of this register is copied to HID_PADCNT when GBA mode enters sleep.

PDN_WIFIUNK

Old3DS Bits Description
Yes 4 Wifi-related? Set to 1 very early in NWM-module.

LGY_HIDEMU_MASK

Set bits will use the corresponding values from LGY_HIDEMU_PAD instead of allowing the hardware to read it from HID_PAD.

This is set to 0x1FFF (all buttons and the debug key) and LGY_HIDEMU_PAD is set to 0 when the "Close this software and return to HOME Menu?" dialog is shown to prevent the button presses from propagating to the DS/GBA CPU.

LGY_HIDEMU_PAD

Works the same way as HID_PAD, but the values set here are only replaced in the HID_PAD seen by the DS/GBA CPU when the corresponding bits in LGY_HIDEMU_MASK are set.

LGY_GPIOEMU_MASK

Set bits will read bits from LGY_GPIOEMU_DATA (override).

This is used to trigger things like the TWL MCU interrupt in TWL mode.

LGY_GPIOEMU_DATA

See above

LGY_CARDDETECTEMU_MASK

Set bits will read bits from LGY_CARDDETECTEMU_DATA (override).

Bit0 signals cartridge removal.

LGY_CARDDETECTEMU_DATA

See above

PDN_GPU_CNT

Bits Description
0 GPU External register block reset. 0 = reset.
1 PSC block reset? 0 = reset.
2 Geoshader block reset? 0 = reset.
3 Rasterization block reset? 0 = reset.
4 PPF block reset. 0 = reset.
5 PDC block reset? 0 = reset.
6 PDC related reset. 0 = reset.
7-15 Unused.
16 Clock enable for all blocks and VRAM. 1 = enable.

Bit0: main (?) nRESET (active low), unset to reset (when not on reset, external GPU registers at 0x10400000+ are enabled). When this is unset VRAM is not accessible and triggers exceptions.

PDN uses a 12 ARM11 cycle delay to deassert reset.

PDN_VRAM_CNT

Bit0: Enable VRAM clock in older models??

This register seems to be unimplemented in released models: while it is used in tandem with PDN_GPU_CNT.bit16 in boot11 screeninit code, Kernel11 only uses PDN_GPU_CNT.bit16 to put VRAM in self-refresh mode.

PDN_FCRAM_CNT

Bits Description
0 Reset. 0 = reset.
1 Clock. 1 = enable, 0 = disable
2 Acknowledge clock request. Gets set or unset when toggling bit 1.

Twl-/AgbBg use this to disable FCRAM for the GBA rom in GBA mode or DSi main RAM in DSi mode. Agb-/TwlBg clears bit 0 in reg 0x10201000 before touching this reg.

Kernel11 uses it before going to sleep. It does a dummy read before touching this reg.

PDN_CAMERA_CNT

This is the power register used for the PDN camera service.

bit0 = unknown, bit1 = turn on/off cameras, rest = always 0.

PDN_DSP_CNT

This is the power register used for the PDN Services DSP service.

bit0: NRESET (active low). Unset to reset/hold reset. bit1: enable bit.

PDN services holds reset for 0x30 Arm11 cycles.

PDN_MPCORE_SOCMODE

This is used for configuring the New3DS ARM11 CPU clock-rate. This register is New3DS-only: reading from here on Old3DS always returns all-zeros even when one tried writing data here prior to the read.

Bits Description
0-2 SoC mode.

Possible values:

 0=O3DS (2 cores, 256MHz)
 1=N3DS (LGR2?, 4 cores, 256MHz), 5=N3DS (LGR2?, 4 cores, 804MHz)
 2=N3DS prototype (LGR, 2 cores, 256MHz), 3=N3DS prototype (LGR, 2 cores, 536MHz)

N3DS modes enable the New 3DS FCRAM extension and are needed to access N3DS-only devices.

15 Busy

On firmlaunch, the kernel sets the mode to O3DS.

svcKernelSetState type10, only implemented on New3DS, uses this register. That code writes the following values to this register, depending on the input Param0 bit0 state, and the state of CFG11_SOCINFO:

Register value Higher-clockrate bit set in svcKernelSetState Param0 CFG11_SOCINFO bit2 set MPCore timer/watchdog prescaler value, prior to subtracting it by 0x1 when writing it into hw/state Clock-rate multiplier Description
0x01 No Yes 0x01 1x 268MHz
0x02 No No 0x01 1x 268MHz
0x05 Yes Yes 0x03 3x 804MHz
0x03 Yes No 0x02 2x 536MHz (tested on New3DS)

Note that the above CFG11_SOCINFO bit is 1 on New3DS, and 0 on Old3DS. Since this SVC is only available with the New3DS ARM11-kernel, the only additional available clock-rate is 804MHz when running on New3DS(with official kernel code).

The following register value(s) were tested on New3DS by patching the kernel:

  • 0x00: Entire system hangs.
  • 0x02: Entire system hangs.
  • 0x03: ARM11 runs at 536MHz.
  • 0x04: Entire system hangs.
  • 0x06: Entire system hangs.
  • 0x07: Same result as 0x05.
  • 0x08: Entire system hangs.
  • 0x09: Entire system hangs.
  • 0x0A: Entire system hangs.
  • 0x0B: Same result as 0x03.
  • 0x0C: Entire system hangs.
  • 0x0D: Same result as 0x05.
  • 0x0E: Entire system hangs.
  • 0x0F: Same result as 0x05.
  • 0x1F, 0x2F, 0x4F, 0x8F, 0xFF: Same result as 0x05.

PDN_MPCORE_CNT

Bits Description
0 Enables the N3DS extramem block
8 Enables the L2C block

Kernel11 sets this to 0x101 when bit 2 in CFG11_SOCINFO is set otherwise 1.

PDN_MPCORE_BOOTCNT<0-3>

Bits Description
0 nRESET, 0 = reset. Also enable the bootrom instruction overlay.
1 Enable bootrom data overlay
4 Reset operation in progress
5 Always 1?

Only usable for core2 and core3.

The normal Arm11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS Arm11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.

Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in CFG11_BOOTROM_OVERLAY_VAL.

Bit0 sets the core out of reset and enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay CFG11_BOOTROM_OVERLAY_VAL. Thus we may predict that the entire bootrom region is filled by: ldr pc, [pc]

Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the Arm pipeline, and might help us identify what instructions are placed by the instruction-overlay.