Changes

10,876 bytes removed, 21:09, 1 June 2020
Split
Line 114: Line 114:  
| 2
 
| 2
 
| Boot11, Kernel11
 
| Boot11, Kernel11
|-style="border-top: double"
  −
| style="background: green" | Yes
  −
| CFG11_PDN_CNT
  −
| 0x10141000
  −
| 2
  −
| Kernel11, TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| CFG11_PDN_WAKE_ENABLE
  −
| 0x10141008
  −
| 4
  −
| [[PTM Services]], [[PDN Services]]
  −
|-
  −
| style="background: green" | Yes
  −
| CFG11_PDN_WAKE_REASON
  −
| 0x1014100C
  −
| 4
  −
| [[PTM Services]], TwlBg, [[PDN Services]]
  −
|-style="border-top: double"
  −
| style="background: green" | Yes
  −
| [[#LGY_MODE|LGY_MODE]]
  −
| 0x10141100
  −
| 2
  −
| TwlProcess9, TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#LGY_SLEEP|LGY_SLEEP]]
  −
| 0x10141104
  −
| 2
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#LGY_IRQ_?|LGY_IRQ_?]]
  −
| 0x10141108
  −
| 2
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#LGY_PADCNT|LGY_PADCNT]]
  −
| 0x1014110A
  −
| 2
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_WIFIUNK|CFG11_WIFIUNK]]
  −
| 0x1014110C
  −
| 1
  −
| [[NWM Services]]
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_TWLAGB_HIDEMU_MASK|CFG11_TWLAGB_HIDEMU_MASK]]
  −
| 0x10141110
  −
| 2
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_TWLAGB_HIDEMU_PAD|CFG11_TWLAGB_HIDEMU_PAD]]
  −
| 0x10141112
  −
| 2
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_CODEC|CFG11_CODEC_0]]
  −
| 0x10141114
  −
| 2
  −
| [[Codec Services]], TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_CODEC|CFG11_CODEC_1]]
  −
| 0x10141116
  −
| 2
  −
| [[Codec Services]], TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| ?
  −
| 0x10141118
  −
| 1
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| ?
  −
| 0x10141119
  −
| 1
  −
| TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| ?
  −
| 0x10141120
  −
| 1
  −
| TwlBg
  −
|-
  −
|-style="border-top: double"
  −
| style="background: green" | Yes
  −
| [[#CFG11_GPU_CNT|CFG11_GPU_CNT]]
  −
| 0x10141200
  −
| 4
  −
| Boot11, Kernel11, [[PDN Services]], TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_GPU_CNT2|CFG11_GPU_CNT2]]
  −
| 0x10141204
  −
| 4
  −
| Boot11, Kernel11, TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| CFG11_FCRAM_CNT
  −
| 0x10141210
  −
| 2
  −
| Kernel11, TwlBg
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_CODEC_CNT|CFG11_CODEC_CNT]]
  −
| 0x10141220
  −
| 1
  −
| Boot11, TwlBg, [[PDN Services]]
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_CAMERA_CNT|CFG11_CAMERA_CNT]]
  −
| 0x10141224
  −
| 1
  −
| [[PDN Services]]
  −
|-
  −
| style="background: green" | Yes
  −
| [[#CFG11_DSP_CNT|CFG11_DSP_CNT]]
  −
| 0x10141230
  −
| 1
  −
| Process9, [[PDN Services]]
  −
|-style="border-top: double"
  −
| style="background: red" | No
  −
| [[#CFG11_MPCORE_CLKCNT|CFG11_MPCORE_CLKCNT]]
  −
| 0x10141300
  −
| 2
  −
| NewKernel11
  −
|-
  −
| style="background: red" | No
  −
| [[#CFG11_MPCORE_CNT|CFG11_MPCORE_CNT]]
  −
| 0x10141304
  −
| 2
  −
| NewKernel11
  −
|-
  −
| style="background: red" | No
  −
| [[#CFG11_MPCORE_BOOTCNT<0-3>|CFG11_MPCORE_BOOTCNT]]<0-3>
  −
| 0x10141310
  −
| 1*4
  −
| NewKernel11
   
|}
 
|}
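Review bot: The register table loses every row from 0x10141000 (CFG11_PDN_CNT) through 0x10141310 (CFG11_MPCORE_BOOTCNT<0-3>) with nothing left in its place, and the edit summary says only "Split". A reader who comes here looking for LGY_MODE or CFG11_GPU_CNT gets no indication of where that range went. Suggest adding a one-line pointer after the table to the page that now documents the 0x10141000 block, and confirming that the three unnamed entries at 0x10141118, 0x10141119 and 0x10141120 were carried over rather than dropped.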
   Line 301: Line 156:  
|}
 
|}
   −
== CFG11_FIQ_CNT ==
+
== CFG11_FIQ_MASK ==
Writing bit1 to this register disables FIQ interrupts.
+
Write bit N to mask FIQ interrutps on core N? (judging from what Kernel11 does -- it only ever configures FIQ for core1)
 
  −
This bit is set upon receipt of a FIQ interrupt and when [[SVC|svcUnbindInterrupt]] is called on the FIQ-abstraction [[ARM11_Interrupts#Private_Interrupts|software interrupt]] for the current core.
  −
It is cleared when binding that software interrupt to an event and just before that event is signaled.
      
== CFG11_SPI_CNT ==
 
== CFG11_SPI_CNT ==
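Review bot: The replacement text under the renamed CFG11_FIQ_MASK heading is worded as a guess ("Write bit N to mask FIQ interrutps on core N?"), yet it drops the two removed sentences that described when the bit is set (on receipt of a FIQ and on svcUnbindInterrupt) and when it is cleared, without saying whether those observations were wrong. If they still hold, keep them under the new heading; if they do not, say so in the edit summary. Also fix the typo "interrutps", and check for remaining links to the old #CFG11_FIQ_CNT anchor, since renaming the heading changes it.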
Line 327: Line 179:     
== CFG11_BOOTROM_OVERLAY_VAL ==
 
== CFG11_BOOTROM_OVERLAY_VAL ==
The 32-bit value to overlay data-reads to bootrom with. See [[#CFG11_MPCORE_BOOTCNT|CFG11_MPCORE_BOOTCNT]].
+
The 32-bit value to overlay data-reads to bootrom with. See [[PDN Registers#PDN_MPCORE_BOOTCNT|PDN_MPCORE_BOOTCNT]].
    
== CFG11_SOCINFO ==
 
== CFG11_SOCINFO ==
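Review bot: The new link target PDN Registers#PDN_MPCORE_BOOTCNT needs checking against the heading it is meant to reach. The section removed from this page is titled "CFG11_MPCORE_BOOTCNT<0-3>", and the old link on this line already omitted the "<0-3>" suffix; if the moved heading keeps that suffix, the anchor will not resolve. Match the anchor to the exact heading text on the PDN Registers page.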
Line 350: Line 202:  
|}
 
|}
   −
== CFG11_MPCORE_CLKCNT ==
  −
This is used for configuring the New3DS ARM11 CPU clock-rate. This register is New3DS-only: reading from here on Old3DS always returns all-zeros even when one tried writing data here prior to the read.
  −
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| Enable clock multiplier? This must be set to 1 before writing a non-zero value to bit1-2, otherwise freeze. This enables the New 3DS FCRAM extension.
  −
|-
  −
| 1-2
  −
| Clock multiplier (0=1x, 1=2x, 2=3x, 3=hang)
  −
|-
  −
| 15
  −
| Busy
  −
|}
  −
  −
[[SVC#KernelSetState|svcKernelSetState]] type10, only implemented on New3DS, uses this register. That code writes the following values to this register, depending on the input Param0 bit0 state, and the state of CFG11_SOCINFO:
  −
{| class="wikitable" border="1"
  −
!  Register value
  −
!  Higher-clockrate bit set in svcKernelSetState Param0
  −
!  CFG11_SOCINFO bit2 set
  −
!  MPCore timer/watchdog prescaler value, prior to subtracting it by 0x1 when writing it into hw/state
  −
!  Clock-rate multiplier
  −
!  Description
  −
|-
  −
| 0x01
  −
| No
  −
| Yes
  −
| 0x01
  −
| 1x
  −
| 268MHz
  −
|-
  −
| 0x02
  −
| No
  −
| No
  −
| 0x01
  −
| 1x
  −
| 268MHz
  −
|-
  −
| 0x05
  −
| Yes
  −
| Yes
  −
| 0x03
  −
| 3x
  −
| 804MHz
  −
|-
  −
| 0x03
  −
| Yes
  −
| No
  −
| 0x02
  −
| 2x
  −
| 536MHz (tested on New3DS)
  −
|}
  −
  −
Note that the above CFG11_SOCINFO bit is 1 on New3DS, and 0 on Old3DS. Since this SVC is only available with the New3DS ARM11-kernel, the only additional available clock-rate is 804MHz when running on New3DS(with official kernel code).
  −
  −
The following register value(s) were tested on New3DS by patching the kernel:
  −
* 0x00: Entire system hangs.
  −
* 0x02: Entire system hangs.
  −
* 0x03: ARM11 runs at 536MHz.
  −
* 0x04: Entire system hangs.
  −
* 0x06: Entire system hangs.
  −
* 0x07: Same result as 0x05.
  −
* 0x08: Entire system hangs.
  −
* 0x09: Entire system hangs.
  −
* 0x0A: Entire system hangs.
  −
* 0x0B: Same result as 0x03.
  −
* 0x0C: Entire system hangs.
  −
* 0x0D: Same result as 0x05.
  −
* 0x0E: Entire system hangs.
  −
* 0x0F: Same result as 0x05.
  −
* 0x1F, 0x2F, 0x4F, 0x8F, 0xFF: Same result as 0x05.
  −
  −
== CFG11_MPCORE_CNT ==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| ?
  −
|-
  −
| 8
  −
| ?
  −
|}
  −
  −
Kernel11 sets this to 0x101 when bit 2 in [[#CFG11_SOCINFO|CFG11_SOCINFO]] is set otherwise 1.
  −
  −
== CFG11_MPCORE_BOOTCNT<0-3> ==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| Enable bootrom instruction overlay, maybe? This bit is only writable for core2 and core3.
  −
|-
  −
| 1
  −
| Enable bootrom data overlay. This bit is only writable for core2 and core3.
  −
|-
  −
| 4
  −
| Has core booted maybe?
  −
|-
  −
| 5
  −
| Always 1?
  −
|}
  −
  −
The normal ARM11 bootrom checks cpuid and hangs if cpuid >= 2. This is a problem when booting the 2 additional New3DS ARM11 MPCores. NewKernel11 solves this by using a hardware feature to overlay the bootrom with a configurable branch to a kernel function. This overlay feature was added with the New3DS.
  −
  −
Bit1 in register above enables a bootrom data-override for physical addresses 0xFFFF0000-0xFFFF1000 and 0x10000-0x11000. All _data reads_ made to those regions now read the 32-bit value provided in [[#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]].
  −
  −
Bit0 enables a bootrom instruction-overlay which means that _instruction reads_ made to the bootrom region are overridden. We have not been able to dump what instructions are actually placed at bootrom by this switch (because reading the area only yields data-reads). Jumping randomly into the 0xFFFF0000-0xFFFF1000 region works fine and jumps to the value provided by the data overlay [[#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]]. Thus we may predict that the entire bootrom region is filled by:
  −
ldr pc, [pc]
  −
  −
Or equivalent. However, jumping to some high addresses such as 0xFFFF0FF0+ will crash the core. This may be explained by prefetching in the ARM pipeline, and might help us identify what instructions are placed by the instruction-overlay.
      
==CFG11_GPUPROT==
 
==CFG11_GPUPROT==
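Review bot: The removed CFG11_MPCORE_CNT and CFG11_MPCORE_BOOTCNT<0-3> text uses same-page anchors, [[#CFG11_SOCINFO|CFG11_SOCINFO]] and [[#CFG11_BOOTROM_OVERLAY_VAL|CFG11_BOOTROM_OVERLAY_VAL]], for two registers whose sections stay on this page. Pasted unchanged into another page, those links point at headings that do not exist there, so the moved copy needs them rewritten with this page's title as prefix. The CFG11_MPCORE_CLKCNT bit table and the list of kernel-patch test values that hang the system should move intact, since this is the only record of which writes are safe.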
Line 516: Line 254:  
| Enable wifi subsystem
 
| Enable wifi subsystem
 
|}
 
|}
  −
==LGY_MODE==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0-1
  −
| Read only legacy mode set on reg 0x10018000.
  −
|-
  −
| 2-14
  −
| Unused.
  −
|-
  −
| 15
  −
| 1 = enable legacy mode.
  −
|}
  −
To boot into DSi or GBA mode first set register 0x10018000 to the desired mode and setup LgyFb. Then disable FCRAM by clearing bit 0 in reg 0x10201000, writing 0 to CFG11_FCRAM_CNT followed by 1 and waiting for bit 2 to clear.
  −
  −
The very last 3DS-mode register poke the [[FIRM|TWL_FIRM]] Process9 does before it gets switched into TWL-mode, is writing 0x8000 to this register. Before writing this register, TWL Process9 waits for ARM7 to change the value of this register. The Process9 code for this runs from ITCM, since switching into TWL-mode includes remapping all ARM9 physical memory.
  −
  −
==LGY_SLEEP==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| Write 1 to wakeup GBA mode.
  −
|-
  −
| 1
  −
| Sleep state/ack. 1 when GBA mode entered sleep. Write 1 to ack.
  −
|-
  −
| 2
  −
| ?
  −
|-
  −
| 3-14
  −
| Unused.
  −
|-
  −
| 15
  −
| 1 = IRQ enable (IRQ 0x59)
  −
|}
  −
When a GBA game enters sleep mode and bit 15 is 1, IRQ 0x59 fires and bit 1 is set. Bit 1 must be acknowledged/written together with bit 0 otherwise GBA mode wakes up from sleep early sometimes.
  −
  −
==LGY_IRQ_?==
  −
Bitfield.
  −
  −
==LGY_PADCNT==
  −
Also named "KEYCNT" on certain other DS(i)/GBA documentations.
  −
The value of this register is copied to [[HID_Registers|HID_PADCNT]] when GBA mode enters sleep.
  −
  −
==CFG11_WIFIUNK==
  −
{| class="wikitable" border="1"
  −
!  Old3DS
  −
!  Bits
  −
!  Description
  −
|-
  −
| style="background: green" | Yes
  −
| 4
  −
| Wifi-related? Set to 1 very early in NWM-module.
  −
|}
  −
  −
==CFG11_TWLAGB_HIDEMU_MASK==
  −
Set bits will use the corresponding values from [[#CFG11_TWLAGB_HIDEMU_PAD|CFG11_TWLAGB_HIDEMU_PAD]] instead of allowing the hardware to read it from [[HID_Registers#HID_PAD|HID_PAD]].
  −
  −
This is set to 0x1FFF (all buttons and the debug key) and [[#CFG11_TWLAGB_HIDEMU_PAD|CFG11_TWLAGB_HIDEMU_PAD]] is set to 0 when the "Close this software and return to HOME Menu?" dialog is shown to prevent the button presses from propagating to the DS/GBA CPU.
  −
  −
==CFG11_TWLAGB_HIDEMU_PAD==
  −
Works the same way as [[HID_Registers#HID_PAD|HID_PAD]], but the values set here are only replaced in the HID_PAD seen by the DS/GBA CPU when the corresponding bits in [[#CFG11_TWLAGB_HIDEMU_MASK|CFG11_TWLAGB_HIDEMU_MASK]] are set.
  −
  −
==CFG11_GPU_CNT==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| Unknown reset. 0 = reset.
  −
|-
  −
| 1
  −
| PSC block reset? 0 = reset.
  −
|-
  −
| 2
  −
| Geoshader block reset? 0 = reset.
  −
|-
  −
| 3
  −
| Rasterization block reset? 0 = reset.
  −
|-
  −
| 4
  −
| PPF block reset. 0 = reset.
  −
|-
  −
| 5
  −
| PDC block reset? 0 = reset.
  −
|-
  −
| 6
  −
| PDC related reset. 0 = reset.
  −
|-
  −
| 7-15
  −
| Unused.
  −
|-
  −
| 16
  −
| Clock enable for all blocks. 1 = enable.
  −
|}
  −
Bit0: main (?) nRESET (active low), unset to reset (when not on reset, external GPU registers at 0x10400000+ are enabled).
  −
When this is unset VRAM is not accessible and triggers exceptions.
  −
  −
PDN uses a 12 ARM11 cycle delay to deassert reset.
  −
  −
==CFG11_GPU_CNT2==
  −
Bit0: Power on GPU?
  −
  −
==CFG11_FCRAM_CNT==
  −
{| class="wikitable" border="1"
  −
!  Bits
  −
!  Description
  −
|-
  −
| 0
  −
| Reset. 0 = reset.
  −
|-
  −
| 1
  −
| Enable something. 1 = enable.
  −
|-
  −
| 2
  −
| Acknowledge? Gets set or unset when toggling bit 1.
  −
|}
  −
Twl-/AgbBg use this to disable FCRAM for the GBA rom in GBA mode or DSi main RAM in DSi mode. Agb-/TwlBg clears bit 0 in reg 0x10201000 before touching this reg.
  −
  −
==CFG11_CODEC==
  −
The following is the only time the ARM11 CODEC module uses any 0x1EC41XXX registers. In one case CODEC module clears bit1 in register 0x1EC41114, in the other case CODEC module sets bit1 in registers 0x1EC41114 and 0x1EC41116.
  −
  −
==CFG11_CODEC_CNT==
  −
This is the power register used for the [[CFG11_Services|PDN]] CODEC service.
  −
  −
bit0 = unknown, bit1 = turn on/off DSP, rest = always 0.
  −
  −
==CFG11_CAMERA_CNT==
  −
This is the power register used for the [[CFG11_Services|PDN]] camera service.
  −
  −
bit0 = unknown, bit1 = turn on/off cameras, rest = always 0.
  −
  −
==CFG11_DSP_CNT==
  −
This is the power register used for the [[CFG11_Services|PDN Services]] DSP service.
  −
  −
bit0: NRESET (active low). Unset to reset/hold reset.
  −
bit1: enable bit.
  −
  −
PDN services holds reset for 0x30 Arm11 cycles.
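Review bot: The removed CFG11_CODEC section names its registers as 0x1EC41114 and 0x1EC41116, while the table rows removed earlier in this change list CFG11_CODEC_0 and CFG11_CODEC_1 at 0x10141114 and 0x10141116. When this text is moved, state both forms or use the table's addresses so that the section and the table agree. The CFG11_CODEC_CNT, CFG11_CAMERA_CNT and CFG11_DSP_CNT sections also link to [[CFG11_Services|...]] where the table uses [[PDN Services]]; pick one target in the moved copy.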
 
