I2C Registers

Revision as of 21:19, 4 October 2023 by MarcusD (talk | contribs) (Add more confirmed info about controller 0x01)

Registers

Old3DS Name Address Width Used by
Yes I2C1_DATA 0x10161000 1 I2C bus 1 devices
Yes I2C1_CNT 0x10161001 1 I2C bus 1 devices
Yes I2C1_CNTEX 0x10161002 2 I2C bus 1 devices
Yes I2C1_SCL 0x10161004 2 I2C bus 1 devices
Yes I2C2_DATA 0x10144000 1 I2C bus 2 devices
Yes I2C2_CNT 0x10144001 1 I2C bus 2 devices
Yes I2C2_CNTEX 0x10144002 2 I2C bus 2 devices
Yes I2C2_SCL 0x10144004 2 I2C bus 2 devices
Yes I2C3_DATA 0x10148000 1 I2C bus 3 devices
Yes I2C3_CNT 0x10148001 1 I2C bus 3 devices
Yes I2C3_CNTEX 0x10148002 2 I2C bus 3 devices
Yes I2C3_SCL 0x10148004 2 I2C bus 3 devices

I2C_CNT

BIT DESCRIPTION
0 Stop (0=No, 1=Stop/last byte)
1 Start (0=No, 1=Start/first byte)
2 Pause (0=Transfer Data, 1=Pause after Error, used with/after Stop)
4 Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R)
5 Data Direction (0=Write, 1=Read)
6 Interrupt Enable (0=Disable, 1=Enable)
7 Start/busy (0=Ready, 1=Start/busy)

I2C_CNTEX

BIT DESCRIPTION
0-1 ? Set to 2 normally.

I2C_SCL

BIT DESCRIPTION
0-5 ?
8-12 ? Set to 5 normally.

I2C Devices

Device id Device bus id Device Write Address Accessible via I2C service Device description
0 1 0x4a "i2c::MCU" Power management?(same device addr as the DSi power-management)
1 1 0x7a "i2c::CAM" Camera0?(same dev-addr as DSi cam0)
2 1 0x78 "i2c::CAM" Camera1?(same dev-addr as DSi cam1)
3 2 0x4a "i2c::MCU" MCU
4 2 0x78 "i2c::CAM" ?
5 2 0x2c "i2c::LCD" ?
6 2 0x2e "i2c::LCD" ?
7 2 0x40 "i2c::DEB" ?
8 2 0x44 "i2c::DEB" ?
9 3 0xa6 "i2c::HID" Gyroscope. The device table in I2C-module had the device address changed from 0xA6 to 0xD6 with 8.0.0-18.
10 3 0xd0 "i2c::HID" Gyroscope (old3DS)
11 3 0xd2 "i2c::HID" Gyroscope (2DS, new3DSXL, new2DSXL)
12 3 0xa4 "i2c::HID" DebugPad (slightly modified Wii Classic Controller Pro)
13 3 0x9a "i2c::IR" IR
14 3 0xa0 "i2c::EEP" HWCAL EEPROM (only present on dev units where SHA256 is used for HWCAL verification)
15 2 0xee "i2c::NFC" New3DS-only NFC
16 1 0x40 "i2c::QTM" New3DS-only QTM
17 3 0x54 "i2c::IR" Used by IR-module starting with 8.0.0-18, for New3DS-only HID via "ir:rst". This deviceid doesn't seem to be supported by i2c module on 8.0.0-18(actual support was later added in New3DS i2c module).

Notice: These device addresses are used for writing to the respective device, for reading bit0 must be set (see I2C protocol). Thus, the actual device address is >> 1.

Device 3

 ro = read-only (writing is no-op)
 rw = read-write
 wo = write-only (reading will yield 00, FF, or unpredictable data)
 d* = dynamic register (explaination below this table)
 s* = shared register (explaination below this table)
 ds = dynamic shared (explaination below this table)

Reading or writing multiple bytes from/to single-byte registers increments the register ID along with it. For example reading two bytes from reg 0x00 reads regs 0x00 and 0x01.

This is not the case for multibyte regs (0x29, 0x2D, 0x4F, 0x61 and 0x7F), plus reg 0x60.

REGISTER WIDTH INFO DESCRIPTION
0x00 s ro Version high
0x01 s ro Version low
0x02 d rw For bit0 and 1 values, writing will mask away/"acknowledge" the event, set to 3 by mcuMainLoop on reset if reset source is Watchdog
 bit0: RTC clock value got reset to defaults
 bit1: Watchdog reset happened
 bit5: TWL MCU reg: volume mode (0: 8-step, 1: 32-step)
 bit6: TWL MCU reg: NTR (0) vs TWL mode (1)
 bit7: TWL MCU reg: Uses NAND
0x03 ds rw Top screen Vcom
0x04 ds rw Bottom screen Vcom
0x05

- 0x07

s rw Danger zone - MCU unlock sequence is written here.
0x08 s ro Raw 3D slider position
0x09 s ro Volume slider state (0x00 - 0x3F)

This is the same value returned by MCUHWC:GetSoundVolume

0x0A s ro Battery temperature (in Celcius?)
0x0B s ro Battery percentage
0x0C s ro Battery percentage, fractional part (seems to have a resolution of around 0.1% according to tests)
0x0D s ro System voltage
0x0E s ro ?
0x0F s ro Flags: bit7-5 are read via mcu::GPU. The rest of them are read via mcu::RTC.
 bit01: ShellState
 bit03: AdapterState
 bit04: BatteryChargeState
 bit05: Bottom screen backlight on
 bit06: Top screen backlight on
 bit07: GPU on(?)
0x10

- 0x13

s ro Received interrupt bitmask, see register 0x18 for possible values

If no interrupt was received this register is 0

0x14 s ro Unused and unwritable byte :(
0x15

- 0x17

s rw Unused and unreferenced free RAM! Good for userdata.
0x18

- 0x1B

s rw Interrupt mask for register 0x10 (0=enabled,1=disabled)
 bit00: Power button press (for 27 "ticks")
 bit01: Power button held (for 375 "ticks"; the 3DS turns off regardless after a fixed time)
 bit02: HOME button press (for 5 "ticks")
 bit03: HOME button release
 bit04: WiFi switch button
 bit05: Shell close
 bit06: Shell open
 bit07: Fatal hardware condition(?) (sent when the MCU gets reset by the Watchdog timer)
 bit08: Charger removed
 bit09: Charger plugged in
 bit10: RTC alarm (when some conditions are met it's sent when the current day and month and year matches the current RTC time)
 bit11: ??? (accelerometer related)
 bit12: HID update
 bit13: Battery percentage status change (triggered at 10%, 5%, and 0% while discharging)
 bit14: Battery stopped charging (independent of charger state)
 bit15: Battery started charging

Nonmaskable(?) interrupts

 bit16: ???
 bit17: ??? (opposite even for bit16)
 bit22: Volume slider position change
 bit23: ??? Register 0x0E update
 bit24: GPU off
 bit25: GPU on
 bit26: bottom backlight off
 bit27: bottom backlight on
 bit28: top backlight off
 bit29: top backlight on
 bit30: bit set by mcu sysmodule
 bit31: bit set by mcu sysmodule
0x1C

- 0x1F

s rw Unused and unreferenced free RAM! Good for userdata.
0x20 d wo System power control:
 bit0: power off
 bit1: full reboot (unused). Discards things like CFG9_BOOTENV
   - Asserts RESET1 via PMIC command (?) (deasserts nRESET1). This could be the reset that controls some CFG9 registers
   - Asserts RESET2 (P0.1 = 0, PM0.1 = 0 (output)) (deasserts nRESET2)
   - Asserts FCRAM_RESET (P3.0 = 0) (deasserts nFCRAM_RESET)
 bit2: normal reboot. Preserves CFG9_BOOTENV, etc.
   - Asserts RESET2 (P0.1 = 0, PM0.1 = 0)
   - If in NTR emulation mode (see reg 0x02), asserts FCRAM_RESET (P3.0 = 0)
   - Resets TWL MCU i2c registers
 bit3: FCRAM reset (present in by LgyBg. Unused because a system reboot does the same thing & a PDN reg also possibly implements this function)
   - Asserts FCRAM_RESET (P3.0 = 0)
 bit4: signal that sleep mode is about to be entered (used by PTM)

Bit 4 sets a bit at a RAM address which seems to control the watcdog timer state, then this bit is immediately unmasked. This field has a bitmask of 0x0F.

If any of the reset bits is set, the MCU waits for 5ms, then deasserts RESET1 (via PMIC), RESET2 (PM0.1 = 1 (input)) and FCRAM_RESET (P3.0 = 1), and reinitializes some other various registers after a 100ms delay.

0x21 d wo Used in legacy mode to signal events for TWL MCU "emulation" (written to REG[0x5D])? Software then asserts the TWL MCU IRQ pin via Legacy I/O registers.
 bit0: Signal TWL POWER button click
 bit1: Signal TWL reset
 bit2: Signal TWL power off
 bit3: Signal TWL battery low
 bit4: Signal TWL battery empty
 bit5: Signal TWL volume button click
0x22 d wo Used to set LCD states
 bit0: don't push to LCDs
 bit1: push to LCDs
 bit2: bottom screen backlight off
 bit3: bottom screen backlight on
 bit4: top screen backlight off
 bit5: top screen backlight on

Bits 4 and 5 have no effect on a 2DS because the backlight source is the bottom screen. The rest of the bits are masked away.

0x23 d wo Writing 0x72 ('r') resets the MCU, but this is stubbed on retail?
0x24 s rw Watchdog timer. This must be set *before* the timer is triggered, otherwise the old value is used. Value zero disables the watchdog.
0x25 s rw ?
0x26 s rw ?
0x27 sd rw Raw volume slider state
0x28 s rw Brightness of the WiFi/Power LED
0x29 sd(5) rw Power mode indicator state (read-write)
 1 = forced default blue
 2 = sleep mode animation
 3 = "power off" mode
 4 = disable blue power LED and turn on red power LED
 5 = disable red power LED and turn on blue power LED
 6 = animate blue power LED off and flash red power LED
 anything else = automatic mode

The other 4 bytes (32bits) affect the pattern of the red power LED (write only)

0x2A s rw WiFi LED state, non-0 value turns on the WiFi LED, 4 bits wide
0x2B s rw Camera LED state, 4bits wide,
 0, 3, 6-0xF = off
 1 = slowly blinking
 2 = constantly on
 3 = "TWL" mode
 4 = flash once
 5 = delay before changing to 2
0x2C s rw 3D LED state, 4 bits wide
0x2D 0x64 wo This is used for controlling the notification LED (see MCURTC:SetInfoLEDPatternHeader as well), when this register is written. It's possible to write data here with size less than 0x64, and only that portion of the pattern data will get overwritten. Reading from this register only returns zeroes, so it's considered write-only. Writing past the size of this register seems to do nothing.
0x2E s ro This returns the notification LED status when read (1 means new cycle started)
0x2F s wo? ??? The write function for this register is stubbed.
0x30

- 0x36

ds rw RTC time (system clock). 7 bytes are read from this. The upper nibble of each byte encodes 10s (BCD), so each byte is post-processed with (byte & 0xF) + (10 * (byte >> 4)).
 byte 0: seconds
 byte 1: minutes
 byte 2: hours
 byte 3: current week (unused)
 byte 4: days
 byte 5: months
 byte 6: years
0x37 s rw RTC time byte 7: leap year counter / "watch error correction" register (unused in code)
0x38

- 0x3C

s rw RTC alarm registers
 byte 0: minutes
 byte 1: hours
 byte 2: day
 byte 3: month
 byte 4: year
0x3B s rw Could be used on extremely old MCU_FIRM versions to upload MCU firmware if reg 0xF == 0 and reg 0x10 == 1 (presumably major and minor version fields for mcufw 0.1 which largely predates factory firm).
0x3D

0x3E

ds ro RTC tick counter / "ITMC" (when resets to 0 the seconds increase)

Only reading 0x3D will update the in-RAM value

0x3F d wo 2 bits
 bit0: Asserts RESET1 (P0.0 = 0, PM0.0 = 0 (output)) but does NOT deassert it (wtf?). This seems to kill the entire SoC: is it because it doesn't deassert it, or does it not deassert it because the SoC hangs anyway? This is the pin that controls some security-critical regs like CFG9_BOOTENV!
 bit1: turns on a prohibited bit in an RTC Control register and turns P12 into an output
0x40 s rw Tilt sensor sampling mode. Bits 0 and 1 control the mode. If bits 0 or 1 are set then the tilt sensor is enabled and sampled.
0x41 s rw Index selector for register 0x44
0x42 s rw Unused?
0x43 s rw Unused???, accelometer related
0x44 s rw ???, pedoometer related(?)
0x45

- 0x4A

s ro Tilt sensor 3D rotation from the 12bit ADC, left shifted 4 to fit in a 16bit signed short, relative to the 3DS bottom screen
AXIS V=0x00 V=0x40 V=0xC0
X (left/right) held up vertically rotated left 90° like a steering wheel rotated right 90° like a steering wheel
Y (forwards/backwards) laid flat on the desk with the screen facing up held up vertically held up vertically with screen facing upside-down
Z (???) ??? ??? ???
0x4B s rw PedometerStepCount (for the current day)
0x4C

0x4D

?? ?? ??
0x4E d rw ??? this = (0xFFE9E & 1) ? 0x10 : 0
0x4F d(6) ro
0x50 s rw ???
0x51 s rw ???
0x52

- 0x57

s rw ?
0x58 s rw Register-mapped ADC register

DSP volume slider 0% volume offset (setting this to 0xFF will esentially mute the DSP as it's the volume slider's maximum raw value)

0x59 s rw Register-mapped ADC register

DSP volume slider 100% volume offset (setting both this and the above to 0 will disable the volume slider with 100% volume, setting this to a lower value than the above will make the volume slider have only 2 states; on and off)

0x5A s ro/rw Invalid, do not use! On newer MCU_FIRM versions this is unused, but on older MCU_FIRM versions this is a read-only counter.
0x5B

- 0x5F

s - These registers are out of bounds (0xFFC00 and up), they don't exist, writing is no-op, reading will yield FFs.
0x60 d rw Free register bank address (index) select

Selects the index to read from in the free register bank, up to 200. Used in conjunction with reg 0x61.

 byte 0: bit0 = "WirelessDisabled", bit1 = "SoftwareClosed", bit2 = "PowerOffInitiated", bit3 = "LgyNativeResolution", bit4 = "LegacyJumpProhibited"
 byte 1: Legacy LCD data
 bytes 2 and 3: Local Friend Code counter
 bytes 4 and 5: UUID clock sequence
 bytes 6 and 7: Unused
 bytes 8 to 175: Playtime data for legacy titles
 bytes 176 to 188: Playtime data
 bytes 188 to 199: Unused
0x61 d(200) rw Free register bank, data is read from/written to here.

Accessing N bytes of this register increments the selected index by N.

0x62 - 0x7E s - These registers don't exist, writing is no-op, reading will yield FFs.
0x7F d(9-0x13) ro Various system state information (debug pointer table)
 byte 0x00: Console type, see here
 byte 0x01: PMIC vendor code
 byte 0x02: Battery vendor code
 byte 0x03: MGIC version (major?)
 byte 0x04: MGIC version (minor?)
 byte 0x05: RCOMP(?)
 byte 0x06: battery related? (seems to decrease while charging and increase while discharging)
 byte 0x09: system model (see Cfg:GetSystemModel for values)
 byte 0x0A: Red Power LED mode (0 = off, 1 = on)
 byte 0x0B: Blue Power LED intensity  (0x00 - 0xFF)
 byte 0x0D: RGB LED red intensity
 byte 0x0E: RGB LED green intensity
 byte 0x0F: RGB LED blue intensity
 byte 0x11: WiFi LED brightness
 byte 0x12: raw button states?
   bit0: unset while Power button is held
   bit1: unset while HOME button is held
   bit2: unset while WiFi slider is held
   bit5: unset while the charging LED is active
   bit6: unset while charger is plugged in

On MCU_FIRM major version 1 the size of this is 9, reading past the 9th byte will yield AA instead of FF.

0x80

- 0xFF

s - These registers don't exist, writing is no-op, reading will yield FFs.

Shared register: the letter "s" means that the given register is in a "shared register pool", meaning the resgister is in the register pool in RAM at address 0xFFBA4 + registernumber.

Dynamic register: these registers aren't in the shared pool, they just "pretend" to be there. These registers often don't retain their set value, change rapidly, or control various hardware.

Non-shared (dynamic) register: it's a register whose contents separate from the shared register pool. Messing with these registers will not affect the shared register pool at all.

On old versions of MCU_FIRM none of the invalid registers are masked away by the read handler function, but are still read-only. Newer MCU_FIRM versions return the hardcoded value FF instead.

Device 5 & 6

These are the chip-on-glass display controllers, also known as I2CLCD.

Shared registers

These registers are the same across all known I2CLCD controllers (except Controller ID 0x00).

Register Name Valid bits Description
0x01 Display enable 0x11 Values:
 - 0x00 - screen off, slow burn-in
 - 0x01 - screen off, fast burn-in
 - 0x10 - screen on, color input used
 - 0x11 - screen on, color input not used, High-Z (display turns black or white depending on interface config)
0x40 Read address Write to this register to set the read address.

Reading from I2CLCD is non-standard. When you read, it returns pairs of the currently read address, and then the data byte at that address. The read address auto-increments.

0x54 Checksum? trigger 0x01 When transitioning bit0 from 0 to 1, it seems to trigger some sort of checksum calcuation. Broken on controller 0x01, where it's oneshot.
0x55 ??? 0x03 (all) /

0x07 (2DS)

Unknown. When toggling 0x54 bit0 from 0 to 1, this register gets changed to 0x01 (all) / 0x05 (2DS).

This register is sometimes seen with a value of 0x02 at initialization time on the top screen.

0x56 Checksum? Unknown. Read-writable with no effect (old3DS) / read-only (all).

A random value is written here when 0x54 bit0 is changed from 0 to 1. Constantly updates with a seemingly random value, except on Controller ID 0x01, where it's oneshot/bugged.

0x60 ??? 0x01 Unknown. 0x00 is written here during init. Seems to have no effect.
0x61 Register checksum Some - but not all - register values are combined using an unknown algorithm into this register.

It's unknown which registers influence this value, as some registers which influence this value are read-only.

0x62 ??? 0x01 Unknown, does nothing on known controllers. During init, gsp waits for this to become 0x01.
0xFE ??? Unknown, does nothing. 0xAA is written here during init.
0xFF Controller ID Upper 4bits is manufacturer. Lower 4bits is unknown, most likely revision, possibly encoded as a Johnson counter.

Known IDs:

 - 0xC7 - new3DS, new3DSXL, new2DSXL, and some select newer old3DSXL
 - 0xC3 - older old3DSXL
 - 0xE1 - 2DS
 - 0x10 - some select new3DS and new3DSXL with IPS screens
 - 0x01 - old3DS
 - 0x00 - unknown, gsp compares for this exact Controller ID for an alternate initialization path

Manufacturers:

 - 0xC - SHARP (TN)
 - 0x1 - JDI (LTPS IPS), found in select new3DS and new3DSXL consoles
 - 0xE - unknown, found in 2DS only
 - 0x0 - unknown, found in old3DS (non-XL) only


Custom registers for controller 0x00

This Controller ID is fully unknown, and the only reason we know about its existance is due to gsp having special handling code for it.

Register Name Valid bits Description
0x11 ??? Unknown. Write 0x10 to initialize.
0x50 ??? Unknown. Write 0x01 to initialize.


Custom registers for controller 0x01

Register Name Valid bits Description
0x10 Interface config 0xF7 Regonfigures the input pins and pin behavior of the controller.
bit0 - color value invert
bit1 - color format remap
bit2 - ???
bit4 - ???
bit5 - ???
bit6 - ???
bit7 - DS-style undriven screen (it will be white instead of black, see shared register 0x01)
0x11 Image config 0x7F Image filters and pixel clock control.
bit0 - Horizontal Flip (scan from right to left)
bit1 - red-blue swap
bit2 - ???
bit3 - ???
bit4 - ???
bit5 - ???
bit6 - ???
0x50 ??? 0x11 Unknown. Has no effect on bottom screen. On the top screen, bit4 blanks out the display (LVDS disable?).
0x53 ??? 0x73 Unknown. While other bits seem to have no effect, bit0 kills the controller until a power cycle.

Custom registers for controller 0xC3

Basically the same as Controller ID 0xC7.


Custom registers for controller 0xC7

This is the most common non-old3DS display controller. Quite overclockable.

Note: on the 0xC7 controller unlocking the factory controls at register 0x03 glitches out most of the standard controls (like registers 0x50 to 0x56), so use with caution.

Register Name Valid bits Description
0x03 Factory key 2 Write 0xAA here to unlock a second set of factory controls.
0xAF Factory key Write 0xAA here to unlock factory controls.


Custom registers for controller 0xE1

This controller is designed to drive a split panel. As such, the factory controls have been slightly altered to accomodate this.

This is the only I2CLCD which responds on both I2CLCD addresses. The dominant screen is the bottom one.

Register Name Valid bits Description
0x03 Factory key 2 Write 0xAA here to unlock a 2nd set of factory controls.
0xAF Factory key Write 0xAA here to unlock factory controls.


Custom registers for controller 0x10

JDI IPS controller.

Warning: on the JDI controller, unlocking any of the factory mode registers overshadows some other registers, so don't write to "standard" locations (other than register 0x40) before locking factory mode back!

Register Name Valid bits Description
0x03 Factory key 2 Write 0xAA here to unlock advanced IPS curve controls.
0xAF Factory key Write 0xAA here to unlock factory controls.

Factory mode registers unlocked by register 0xAF:

  • 0x41 - 0x4F
  • 0x58 - 0x5F
  • 0x67 - 0x6F
  • 0xD0 - 0xEF
  • unknown...

Factory mode registers unlocked by register 0x03:

  • 0x04 - 0x0F
  • unknown...
Register Name Valid bits Description
0x70-0x7F Driving curve 1-1
0x80-0x8F Driving curve 1-2
0x90-0x9F Driving curve 2-1
0xA0-0xAF Driving curve 2-2
0xB0-0xBF Driving curve 3-1
0xC0-0xCF Driving curve 3-2

Device 10

See the datasheet linked to on the Hardware page for reference.

Device 11

See the datasheet linked to on the Hardware page for reference.

Device 12

REGISTER WIDTH DESCRIPTION
0x0 21 DebugPad state.

This is a Wii Classic Controller Pro which was slightly modified to have an encrypted device type of 0xF0 instead of 0xFD.

See here for the HID shared memory report format.

Device 13

Raw I2C register address Internal register address Width Description
0x0 0x0 0x40 RHR / THR (data receive/send FIFO)
0x8 0x1 0x1 IER
0x10 0x2 0x1 FCR/IIR
0x18 0x3 0x1 LCR
0x20 0x4 0x1 MCR
0x28 0x5 0x1 LSR
0x30 0x6 0x1 MSR/TCR
0x38 0x7 0x1 SPR/TLR
0x40 0x8 0x1 TXLVL
0x48 0x9 0x1 RXLVL
0x50 0xA 0x1 IODir
0x58 0xB 0x1 IOState
0x60 0xC 0x1 IoIntEna
0x68 0xD 0x1 reserved
0x70 0xE 0x1 IOControl
0x78 0xF 0x1 EFCR

See the datasheet linked to on the Hardware page for reference. From that datasheet, for the structure of the I2C register address u8: "Bit 0 is not used, bits 2:1 select the channel, bits 6:3 select one of the UART internal registers. Bit 7 is not used with the I2C-bus interface, but it is used by the SPI interface to indicate a read or a write operation."

Device 14

Used by Cfg-sysmodule via the i2c::EEP service. This is presumably EEPROM going by the service name.

The Cfg-module code which loads the CCAL(nandro:/sys/{HWCAL0.dat/HWCAL1.dat}) file from NAND will load it from I2C instead, if a certain state flag is non-zero. Likewise for the function which writes CCAL to NAND. HMAC/hash verification after loading is skipped when the CCAL was loaded from I2C.

Device 15

This the New3DS NFC controller "I2C" interface. This device is accessed via the WriteDeviceRaw/ReadDeviceRaw I2C service commands.

Since the *Raw commands are used with this, this device has no I2C registers. Instead, raw data is transfered after the I2C device is selected. Hence, WriteDeviceRaw is used for sending commands to the controller, while ReadDeviceRaw is for receiving responses from the controller. Certain commands may return multiple command responses.

Command request / response structure:

Offset Size Description
0x0 0x1 Normally 0x10?
0x1 0x1 Command source / destination.
0x2 0x1 CmdID
0x3 0x1 Payload size.

Following the above header is the payload data(when payload size is non-zero), with the size specified in the header. The command response payload is usually at least 1-byte, where that byte appears to be normally 0x0. For command requests the payload data is the command parameters.

For command requests sent to the NFC tag itself, Cmd[1]=0x0 and CmdID=0x0. The command request payload data here is the actual command request data for the NFC tag, starting with the CmdID u8 at payload+0.

During NFC module startup, a certain command is sent to the controller which eventually(after various cmd-reply headers etc) returns the following the payload after the first byte in the payload:

000000: 44 65 63 20 32 32 20 32 30 31 32 31 34 3a 35 33  Dec 22 201214:53 
000010: 3a 35 30 01 05 0d 46 05 1b 79 20 07 32 30 37 39  :50...F..y .2079
000020: 31 42 35                                         1B5

Or that is: "Dec 22 201214:53:50<binary>20791B5". Therefore, this appears to return the part-number of the NFC controller(other command request(s) / response(s) use this part-number value too).

NFC controller commands

CmdRequest[1] CmdID Payload data for parameters Description
0x2E 0x2F Firmware image for this chunk, size varies. This is used during NFC module startup to upload the firmware image to the NFC controller. This is used repeatedly to upload multiple chunks of the image.